1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/cert/cert_policy_enforcer.h"
9 #include "base/memory/scoped_ptr.h"
10 #include "base/version.h"
11 #include "net/base/test_data_directory.h"
12 #include "net/cert/ct_ev_whitelist.h"
13 #include "net/cert/ct_verify_result.h"
14 #include "net/cert/x509_certificate.h"
15 #include "net/test/cert_test_util.h"
16 #include "net/test/ct_test_util.h"
17 #include "testing/gmock/include/gmock/gmock.h"
18 #include "testing/gtest/include/gtest/gtest.h"
24 class DummyEVCertsWhitelist
: public ct::EVCertsWhitelist
{
26 DummyEVCertsWhitelist(bool is_valid_response
, bool contains_hash_response
)
27 : canned_is_valid_(is_valid_response
),
28 canned_contains_response_(contains_hash_response
) {}
30 bool IsValid() const override
{ return canned_is_valid_
; }
32 bool ContainsCertificateHash(
33 const std::string
& certificate_hash
) const override
{
34 return canned_contains_response_
;
37 base::Version
Version() const override
{ return base::Version(); }
40 ~DummyEVCertsWhitelist() override
{}
43 bool canned_is_valid_
;
44 bool canned_contains_response_
;
47 class CertPolicyEnforcerTest
: public ::testing::Test
{
49 void SetUp() override
{
50 policy_enforcer_
.reset(new CertPolicyEnforcer
);
52 std::string
der_test_cert(ct::GetDerEncodedX509Cert());
53 chain_
= X509Certificate::CreateFromBytes(der_test_cert
.data(),
54 der_test_cert
.size());
55 ASSERT_TRUE(chain_
.get());
58 void FillResultWithSCTsOfOrigin(
59 ct::SignedCertificateTimestamp::Origin desired_origin
,
61 ct::CTVerifyResult
* result
) {
62 for (int i
= 0; i
< num_scts
; ++i
) {
63 scoped_refptr
<ct::SignedCertificateTimestamp
> sct(
64 new ct::SignedCertificateTimestamp());
65 sct
->origin
= desired_origin
;
66 result
->verified_scts
.push_back(sct
);
70 void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
71 const base::Time
& start
,
72 const base::Time
& end
,
73 size_t required_scts
) {
74 scoped_refptr
<X509Certificate
> cert(
75 new X509Certificate("subject", "issuer", start
, end
));
76 ct::CTVerifyResult result
;
77 for (size_t i
= 0; i
< required_scts
- 1; ++i
) {
78 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED
,
80 EXPECT_FALSE(policy_enforcer_
->DoesConformToCTEVPolicy(
81 cert
.get(), nullptr, result
, BoundNetLog()))
82 << " for: " << (end
- start
).InDays() << " and " << required_scts
83 << " scts=" << result
.verified_scts
.size() << " i=" << i
;
85 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED
, 1,
87 EXPECT_TRUE(policy_enforcer_
->DoesConformToCTEVPolicy(
88 cert
.get(), nullptr, result
, BoundNetLog()))
89 << " for: " << (end
- start
).InDays() << " and " << required_scts
90 << " scts=" << result
.verified_scts
.size();
94 scoped_ptr
<CertPolicyEnforcer
> policy_enforcer_
;
95 scoped_refptr
<X509Certificate
> chain_
;
98 TEST_F(CertPolicyEnforcerTest
, ConformsToCTEVPolicyWithNonEmbeddedSCTs
) {
99 ct::CTVerifyResult result
;
100 FillResultWithSCTsOfOrigin(
101 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION
, 2, &result
);
103 EXPECT_TRUE(policy_enforcer_
->DoesConformToCTEVPolicy(chain_
.get(), nullptr,
104 result
, BoundNetLog()));
107 TEST_F(CertPolicyEnforcerTest
, ConformsToCTEVPolicyWithEmbeddedSCTs
) {
108 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
109 ct::CTVerifyResult result
;
110 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED
, 5,
113 EXPECT_TRUE(policy_enforcer_
->DoesConformToCTEVPolicy(chain_
.get(), nullptr,
114 result
, BoundNetLog()));
117 TEST_F(CertPolicyEnforcerTest
, DoesNotConformToCTEVPolicyNotEnoughSCTs
) {
118 scoped_refptr
<ct::EVCertsWhitelist
> non_including_whitelist(
119 new DummyEVCertsWhitelist(true, false));
120 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
121 // However, as there are only two logs, two SCTs will be required - supply one
122 // to guarantee the test fails.
123 ct::CTVerifyResult result
;
124 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED
, 1,
127 EXPECT_FALSE(policy_enforcer_
->DoesConformToCTEVPolicy(
128 chain_
.get(), non_including_whitelist
.get(), result
, BoundNetLog()));
130 // ... but should be OK if whitelisted.
131 scoped_refptr
<ct::EVCertsWhitelist
> whitelist(
132 new DummyEVCertsWhitelist(true, true));
133 EXPECT_TRUE(policy_enforcer_
->DoesConformToCTEVPolicy(
134 chain_
.get(), whitelist
.get(), result
, BoundNetLog()));
137 TEST_F(CertPolicyEnforcerTest
, DoesNotConformToPolicyInvalidDates
) {
138 scoped_refptr
<X509Certificate
> no_valid_dates_cert(new X509Certificate(
139 "subject", "issuer", base::Time(), base::Time::Now()));
140 ct::CTVerifyResult result
;
141 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED
, 5,
143 EXPECT_FALSE(policy_enforcer_
->DoesConformToCTEVPolicy(
144 no_valid_dates_cert
.get(), nullptr, result
, BoundNetLog()));
145 // ... but should be OK if whitelisted.
146 scoped_refptr
<ct::EVCertsWhitelist
> whitelist(
147 new DummyEVCertsWhitelist(true, true));
148 EXPECT_TRUE(policy_enforcer_
->DoesConformToCTEVPolicy(
149 chain_
.get(), whitelist
.get(), result
, BoundNetLog()));
152 TEST_F(CertPolicyEnforcerTest
,
153 ConformsToPolicyExactNumberOfSCTsForValidityPeriod
) {
154 // Test multiple validity periods
155 const struct TestData
{
156 base::Time validity_start
;
157 base::Time validity_end
;
158 size_t scts_required
;
159 } kTestData
[] = {{// Cert valid for 14 months, needs 2 SCTs.
160 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
161 base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}),
163 {// Cert valid for exactly 15 months, needs 3 SCTs.
164 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
165 base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}),
167 {// Cert valid for over 15 months, needs 3 SCTs.
168 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
169 base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}),
171 {// Cert valid for exactly 27 months, needs 3 SCTs.
172 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
173 base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}),
175 {// Cert valid for over 27 months, needs 4 SCTs.
176 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
177 base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}),
179 {// Cert valid for exactly 39 months, needs 4 SCTs.
180 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
181 base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}),
183 {// Cert valid for over 39 months, needs 5 SCTs.
184 base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
185 base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}),
188 for (size_t i
= 0; i
< arraysize(kTestData
); ++i
) {
190 CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
191 kTestData
[i
].validity_start
, kTestData
[i
].validity_end
,
192 kTestData
[i
].scts_required
);
196 TEST_F(CertPolicyEnforcerTest
, ConformsToPolicyByEVWhitelistPresence
) {
197 scoped_refptr
<ct::EVCertsWhitelist
> whitelist(
198 new DummyEVCertsWhitelist(true, true));
200 ct::CTVerifyResult result
;
201 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED
, 1,
203 EXPECT_TRUE(policy_enforcer_
->DoesConformToCTEVPolicy(
204 chain_
.get(), whitelist
.get(), result
, BoundNetLog()));
207 TEST_F(CertPolicyEnforcerTest
, IgnoresInvalidEVWhitelist
) {
208 scoped_refptr
<ct::EVCertsWhitelist
> whitelist(
209 new DummyEVCertsWhitelist(false, true));
211 ct::CTVerifyResult result
;
212 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED
, 1,
214 EXPECT_FALSE(policy_enforcer_
->DoesConformToCTEVPolicy(
215 chain_
.get(), whitelist
.get(), result
, BoundNetLog()));
218 TEST_F(CertPolicyEnforcerTest
, IgnoresNullEVWhitelist
) {
219 ct::CTVerifyResult result
;
220 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED
, 1,
222 EXPECT_FALSE(policy_enforcer_
->DoesConformToCTEVPolicy(
223 chain_
.get(), nullptr, result
, BoundNetLog()));
