Roll src/third_party/WebKit d9c6159:8139f33 (svn 201974:201975)
[chromium-blink-merge.git] / net / cert / cert_policy_enforcer_unittest.cc
blobbf706dd9b9458f05006b15e481b6943dec8819fe
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/cert/cert_policy_enforcer.h"
7 #include <string>
9 #include "base/memory/scoped_ptr.h"
10 #include "base/version.h"
11 #include "net/base/test_data_directory.h"
12 #include "net/cert/ct_ev_whitelist.h"
13 #include "net/cert/ct_verify_result.h"
14 #include "net/cert/x509_certificate.h"
15 #include "net/test/cert_test_util.h"
16 #include "net/test/ct_test_util.h"
17 #include "testing/gmock/include/gmock/gmock.h"
18 #include "testing/gtest/include/gtest/gtest.h"
20 namespace net {
22 namespace {
24 class DummyEVCertsWhitelist : public ct::EVCertsWhitelist {
25 public:
26 DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response)
27 : canned_is_valid_(is_valid_response),
28 canned_contains_response_(contains_hash_response) {}
30 bool IsValid() const override { return canned_is_valid_; }
32 bool ContainsCertificateHash(
33 const std::string& certificate_hash) const override {
34 return canned_contains_response_;
37 base::Version Version() const override { return base::Version(); }
39 protected:
40 ~DummyEVCertsWhitelist() override {}
42 private:
43 bool canned_is_valid_;
44 bool canned_contains_response_;
47 class CertPolicyEnforcerTest : public ::testing::Test {
48 public:
49 void SetUp() override {
50 policy_enforcer_.reset(new CertPolicyEnforcer);
52 std::string der_test_cert(ct::GetDerEncodedX509Cert());
53 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(),
54 der_test_cert.size());
55 ASSERT_TRUE(chain_.get());
58 void FillResultWithSCTsOfOrigin(
59 ct::SignedCertificateTimestamp::Origin desired_origin,
60 int num_scts,
61 ct::CTVerifyResult* result) {
62 for (int i = 0; i < num_scts; ++i) {
63 scoped_refptr<ct::SignedCertificateTimestamp> sct(
64 new ct::SignedCertificateTimestamp());
65 sct->origin = desired_origin;
66 result->verified_scts.push_back(sct);
70 void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
71 const base::Time& start,
72 const base::Time& end,
73 size_t required_scts) {
74 scoped_refptr<X509Certificate> cert(
75 new X509Certificate("subject", "issuer", start, end));
76 ct::CTVerifyResult result;
77 for (size_t i = 0; i < required_scts - 1; ++i) {
78 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
79 1, &result);
80 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
81 cert.get(), nullptr, result, BoundNetLog()))
82 << " for: " << (end - start).InDays() << " and " << required_scts
83 << " scts=" << result.verified_scts.size() << " i=" << i;
85 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
86 &result);
87 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
88 cert.get(), nullptr, result, BoundNetLog()))
89 << " for: " << (end - start).InDays() << " and " << required_scts
90 << " scts=" << result.verified_scts.size();
93 protected:
94 scoped_ptr<CertPolicyEnforcer> policy_enforcer_;
95 scoped_refptr<X509Certificate> chain_;
98 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
99 ct::CTVerifyResult result;
100 FillResultWithSCTsOfOrigin(
101 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
103 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
104 result, BoundNetLog()));
107 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
108 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
109 ct::CTVerifyResult result;
110 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
111 &result);
113 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
114 result, BoundNetLog()));
117 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
118 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist(
119 new DummyEVCertsWhitelist(true, false));
120 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
121 // However, as there are only two logs, two SCTs will be required - supply one
122 // to guarantee the test fails.
123 ct::CTVerifyResult result;
124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
125 &result);
127 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
128 chain_.get(), non_including_whitelist.get(), result, BoundNetLog()));
130 // ... but should be OK if whitelisted.
131 scoped_refptr<ct::EVCertsWhitelist> whitelist(
132 new DummyEVCertsWhitelist(true, true));
133 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
134 chain_.get(), whitelist.get(), result, BoundNetLog()));
137 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
138 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate(
139 "subject", "issuer", base::Time(), base::Time::Now()));
140 ct::CTVerifyResult result;
141 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
142 &result);
143 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
144 no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));
145 // ... but should be OK if whitelisted.
146 scoped_refptr<ct::EVCertsWhitelist> whitelist(
147 new DummyEVCertsWhitelist(true, true));
148 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
149 chain_.get(), whitelist.get(), result, BoundNetLog()));
152 TEST_F(CertPolicyEnforcerTest,
153 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
154 // Test multiple validity periods
155 const struct TestData {
156 base::Time validity_start;
157 base::Time validity_end;
158 size_t scts_required;
159 } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs.
160 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
161 base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}),
163 {// Cert valid for exactly 15 months, needs 3 SCTs.
164 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
165 base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}),
167 {// Cert valid for over 15 months, needs 3 SCTs.
168 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
169 base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}),
171 {// Cert valid for exactly 27 months, needs 3 SCTs.
172 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
173 base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}),
175 {// Cert valid for over 27 months, needs 4 SCTs.
176 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
177 base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}),
179 {// Cert valid for exactly 39 months, needs 4 SCTs.
180 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
181 base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}),
183 {// Cert valid for over 39 months, needs 5 SCTs.
184 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
185 base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}),
186 5}};
188 for (size_t i = 0; i < arraysize(kTestData); ++i) {
189 SCOPED_TRACE(i);
190 CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
191 kTestData[i].validity_start, kTestData[i].validity_end,
192 kTestData[i].scts_required);
196 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
197 scoped_refptr<ct::EVCertsWhitelist> whitelist(
198 new DummyEVCertsWhitelist(true, true));
200 ct::CTVerifyResult result;
201 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
202 &result);
203 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
204 chain_.get(), whitelist.get(), result, BoundNetLog()));
207 TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
208 scoped_refptr<ct::EVCertsWhitelist> whitelist(
209 new DummyEVCertsWhitelist(false, true));
211 ct::CTVerifyResult result;
212 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
213 &result);
214 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
215 chain_.get(), whitelist.get(), result, BoundNetLog()));
218 TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) {
219 ct::CTVerifyResult result;
220 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
221 &result);
222 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
223 chain_.get(), nullptr, result, BoundNetLog()));
226 } // namespace
228 } // namespace net