Google Git
Sign in
chromium / chromium / src / 205191a32c9db91062c5342e901b2da2d67a49e5 / . / components / certificate_transparency / chrome_ct_policy_enforcer_unittest.cc
blob: 1128d791c613f4b6f32bbd5a8e5e58229130f683 [file] [log] [blame]
// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
#include <array>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include "base/build_time.h"
#include "base/memory/scoped_refptr.h"
#include "base/strings/strcat.h"
#include "base/strings/string_number_conversions.h"
#include "base/test/scoped_feature_list.h"
#include "base/test/simple_test_clock.h"
#include "base/time/time.h"
#include "base/version.h"
#include "components/certificate_transparency/ct_known_logs.h"
#include "crypto/hash.h"
#include "crypto/keypair.h"
#include "crypto/test_support.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/x509_certificate.h"
#include "net/cert/x509_util.h"
#include "net/log/net_log_with_source.h"
#include "net/test/cert_test_util.h"
#include "net/test/ct_test_util.h"
#include "net/test/test_data_directory.h"
#include "testing/gmock/include/gmock/gmock.h"
#include "testing/gtest/include/gtest/gtest.h"
using certificate_transparency::LogInfo;
using net::NetLogWithSource;
using net::X509Certificate;
using net::ct::CTPolicyCompliance;
using net::ct::SCTList;
using net::ct::SignedCertificateTimestamp;
namespace certificate_transparency {
namespace {
// A log ID for test purposes.
const char kTestLogID[] =
"\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51"
"\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4";
static_assert(std::size(kTestLogID) - 1 == crypto::hash::kSha256Size,
"Incorrect log ID length.");
// A Static CT API extension that encodes a leaf index with value 42:
// See https://github.com/C2SP/C2SP/blob/main/static-ct-api.md#sct-extension
const uint8_t kExtensionWithLeafIndex[] = {0x00, 0x00, 0x05, 0x00,
0x00, 0x00, 0x00, 0x2a};
// Another valid extension that encodes the leaf index in the second position.
const uint8_t kExtensionWithLeafIndex2[] = {0x01, 0x00, 0x05, 0x00, 0x00, 0x00,
0x00, 0x63, 0x00, 0x00, 0x05, 0x00,
0x00, 0x00, 0x00, 0x63};
// A Static CT API SCT extension that doesn't have a leaf index:
const uint8_t kExtensionWithoutLeafIndex[] = {0x05, 0x00, 0x05, 0x00,
0x00, 0x00, 0x00, 0x2a};
// An extension that has multiple leaf indexes.
const uint8_t kExtensionWithMultipleLeafIndexes[] = {
0x01, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x63, 0x00, 0x00, 0x05, 0x00,
0x00, 0x00, 0x00, 0x63, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x63};
} // namespace
class ChromeCTPolicyEnforcerTest : public ::testing::Test {
public:
void SetUp() override {
test_now_ = base::Time::Now();
std::string der_test_cert(net::ct::GetDerEncodedX509Cert());
chain_ =
X509Certificate::CreateFromBytes(base::as_byte_span(der_test_cert));
ASSERT_TRUE(chain_.get());
test_log_id_ = std::string(kTestLogID, crypto::hash::kSha256Size);
another_log_id_.assign(crypto::hash::kSha256Size, 1);
}
scoped_refptr<ChromeCTPolicyEnforcer> MakeChromeCTPolicyEnforcer(
std::vector<std::pair<std::string, base::Time>> disqualified_logs,
std::map<std::string, LogInfo> log_info) {
return base::MakeRefCounted<ChromeCTPolicyEnforcer>(
test_now_, std::move(disqualified_logs), std::move(log_info),
/*enable_static_ct_api_enforcement=*/true);
}
scoped_refptr<ChromeCTPolicyEnforcer> MakeChromeCTPolicyEnforcer(
std::vector<std::pair<std::string, base::Time>> disqualified_logs,
std::map<std::string, LogInfo> log_info,
bool enable_static_ct_api_enforcement) {
return base::MakeRefCounted<ChromeCTPolicyEnforcer>(
test_now_, std::move(disqualified_logs), std::move(log_info),
enable_static_ct_api_enforcement);
}
void FillListWithSCTsOfOrigin(
SignedCertificateTimestamp::Origin desired_origin,
size_t num_scts,
const std::vector<std::string>& desired_log_keys,
SCTList* verified_scts) {
for (size_t i = 0; i < num_scts; ++i) {
scoped_refptr<SignedCertificateTimestamp> sct(
new SignedCertificateTimestamp());
sct->origin = desired_origin;
if (i < desired_log_keys.size())
sct->log_id = desired_log_keys[i];
else
sct->log_id =
std::string(crypto::hash::kSha256Size, static_cast<char>(i));
EXPECT_TRUE(base::Time::FromUTCExploded({2022, 4, 0, 15, 0, 0, 0, 0},
&sct->timestamp));
verified_scts->push_back(sct);
}
}
void AddDisqualifiedLogSCT(
SignedCertificateTimestamp::Origin desired_origin,
bool timestamp_after_disqualification_date,
std::pair<std::string, base::Time>* disqualified_log,
SCTList* verified_scts) {
static const char kTestRetiredLogID[] =
"\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e"
"\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00";
static_assert(std::size(kTestRetiredLogID) - 1 == crypto::hash::kSha256Size,
"Incorrect log ID length.");
base::Time retirement_time;
ASSERT_TRUE(base::Time::FromUTCExploded({2022, 4, 0, 16, 0, 0, 0, 0},
&retirement_time));
*disqualified_log =
std::make_pair(std::string(kTestRetiredLogID, 32), retirement_time);
scoped_refptr<SignedCertificateTimestamp> sct(
new SignedCertificateTimestamp());
sct->origin = desired_origin;
sct->log_id = std::string(kTestRetiredLogID, crypto::hash::kSha256Size);
if (timestamp_after_disqualification_date) {
sct->timestamp = retirement_time + base::Hours(1);
} else {
sct->timestamp = retirement_time - base::Hours(1);
}
verified_scts->push_back(sct);
}
void FillListWithSCTsOfOrigin(
SignedCertificateTimestamp::Origin desired_origin,
size_t num_scts,
SCTList* verified_scts) {
std::vector<std::string> desired_log_ids;
desired_log_ids.push_back(test_log_id_);
FillListWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids,
verified_scts);
}
base::Time CreateTime(const base::Time::Exploded& exploded) {
base::Time result;
if (!base::Time::FromUTCExploded(exploded, &result)) {
ADD_FAILURE() << "Failed FromUTCExploded";
}
return result;
}
void FillOperatorHistoryWithDiverseOperators(
SCTList scts,
std::map<std::string, LogInfo>* log_info) {
for (size_t i = 0; i < scts.size(); i++) {
OperatorHistoryEntry entry;
entry.current_operator = "Operator " + base::NumberToString(i);
LogInfo info;
info.operator_history = entry;
info.log_type = network::mojom::CTLogInfo::LogType::kRFC6962;
(*log_info)[scts[i]->log_id] = info;
}
}
protected:
base::Time test_now_;
scoped_refptr<X509Certificate> chain_;
std::string test_log_id_;
std::string another_log_id_;
base::test::ScopedFeatureList scoped_feature_list_;
};
TEST_F(ChromeCTPolicyEnforcerTest, DoesNotConformToCTPolicyNotEnoughFreshSCTs) {
SCTList scts;
std::pair<std::string, base::Time> disqualified_log;
std::map<std::string, LogInfo> log_info;
// The results should be the same before and after disqualification,
// regardless of the delivery method.
// Two SCTs from TLS, one of them from a disqualified log before the
// disqualification time.
scts.clear();
log_info.clear();
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
1, &scts);
AddDisqualifiedLogSCT(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
false, &disqualified_log, &scts);
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer({disqualified_log}, log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
// Two SCTs from TLS, one of them from a disqualified log after the
// disqualification time.
scts.clear();
log_info.clear();
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
1, &scts);
AddDisqualifiedLogSCT(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
true, &disqualified_log, &scts);
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
policy_enforcer = MakeChromeCTPolicyEnforcer({disqualified_log}, log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
// Two embedded SCTs, one of them from a disqualified log before the
// disqualification time.
scts.clear();
log_info.clear();
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED, 1, &scts);
AddDisqualifiedLogSCT(SignedCertificateTimestamp::SCT_EMBEDDED, false,
&disqualified_log, &scts);
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
policy_enforcer = MakeChromeCTPolicyEnforcer({disqualified_log}, log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
// Two embedded SCTs, one of them from a disqualified log after the
// disqualification time.
scts.clear();
log_info.clear();
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED, 1, &scts);
AddDisqualifiedLogSCT(SignedCertificateTimestamp::SCT_EMBEDDED, true,
&disqualified_log, &scts);
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
policy_enforcer = MakeChromeCTPolicyEnforcer({disqualified_log}, log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest,
ConformsToCTPolicyWithMixOfEmbeddedAndNonEmbedded) {
SCTList scts;
std::pair<std::string, base::Time> disqualified_log;
std::map<std::string, LogInfo> log_info;
// One SCT from TLS, one Embedded SCT from before disqualification time.
scts.clear();
log_info.clear();
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
1, &scts);
AddDisqualifiedLogSCT(SignedCertificateTimestamp::SCT_EMBEDDED, false,
&disqualified_log, &scts);
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer({disqualified_log}, log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
// One SCT from TLS, one Embedded SCT from after disqualification time.
// The embedded SCT is still counted towards the diversity requirement even
// though it is disqualified.
scts.clear();
log_info.clear();
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
1, &scts);
AddDisqualifiedLogSCT(SignedCertificateTimestamp::SCT_EMBEDDED, true,
&disqualified_log, &scts);
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
policy_enforcer = MakeChromeCTPolicyEnforcer({disqualified_log}, log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, ConformsToCTPolicyWithNonEmbeddedSCTs) {
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
2, &scts);
std::map<std::string, LogInfo> log_info;
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, EnforcementDisabledByBinaryAge) {
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
2, &scts);
std::map<std::string, LogInfo> log_info;
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY,
policy_enforcer->CheckCompliance(chain_.get(), scts,
base::Time::Now() + base::Days(71),
NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, ConformsToCTPolicyWithEmbeddedSCTs) {
// |chain_| is valid for 10 years - over 180 days - so requires 3 SCTs.
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED, 3, &scts);
std::map<std::string, LogInfo> log_info;
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest,
ConformsToCTPolicyWithPooledNonEmbeddedSCTs) {
SCTList scts;
std::vector<std::string> desired_logs;
// One log, delivered via OCSP.
desired_logs.clear();
desired_logs.push_back(test_log_id_);
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE,
desired_logs.size(), desired_logs, &scts);
// Another log, delivered via TLS.
desired_logs.clear();
desired_logs.push_back(another_log_id_);
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
desired_logs.size(), desired_logs, &scts);
std::map<std::string, LogInfo> log_info;
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, ConformsToCTPolicyWithPooledEmbeddedSCTs) {
SCTList scts;
std::vector<std::string> desired_logs;
// One log, delivered embedded.
desired_logs.clear();
desired_logs.push_back(test_log_id_);
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED,
desired_logs.size(), desired_logs, &scts);
// Another log, delivered via OCSP.
desired_logs.clear();
desired_logs.push_back(another_log_id_);
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE,
desired_logs.size(), desired_logs, &scts);
std::map<std::string, LogInfo> log_info;
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, DoesNotConformToCTPolicyNotEnoughSCTs) {
// |chain_| is valid for 10 years - over 180 days - so requires 3 SCTs.
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED, 2, &scts);
std::map<std::string, LogInfo> log_info;
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest,
ConformsWithDisqualifiedLogBeforeDisqualificationDate) {
SCTList scts;
std::vector<std::string> desired_log_ids;
desired_log_ids.push_back(test_log_id_);
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED, 1,
desired_log_ids, &scts);
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED, 1,
std::vector<std::string>(), &scts);
std::pair<std::string, base::Time> disqualified_log;
AddDisqualifiedLogSCT(SignedCertificateTimestamp::SCT_EMBEDDED,
/*timestamp_after_disqualification_date=*/false,
&disqualified_log, &scts);
std::map<std::string, LogInfo> log_info;
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer({disqualified_log}, log_info);
// |chain_| is valid for 10 years - over 180 days - so requires 3 SCTs.
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest,
DoesNotConformWithDisqualifiedLogAfterDisqualificationDate) {
SCTList scts;
// Add required - 1 valid SCTs.
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED, 2, &scts);
std::pair<std::string, base::Time> disqualified_log;
AddDisqualifiedLogSCT(SignedCertificateTimestamp::SCT_EMBEDDED,
/*timestamp_after_disqualification_date=*/true,
&disqualified_log, &scts);
std::map<std::string, LogInfo> log_info;
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer({disqualified_log}, log_info);
// |chain_| is valid for 10 years - over 180 days - so requires 3 SCTs.
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest,
DoesNotConformWithIssuanceDateAfterDisqualificationDate) {
SCTList scts;
std::pair<std::string, base::Time> disqualified_log;
AddDisqualifiedLogSCT(SignedCertificateTimestamp::SCT_EMBEDDED,
/*timestamp_after_disqualification_date=*/true,
&disqualified_log, &scts);
// Add required - 1 valid SCTs.
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED, 2, &scts);
// Make sure all SCTs are after the disqualification date.
for (size_t i = 1; i < scts.size(); ++i) {
scts[i]->timestamp = scts[0]->timestamp;
}
std::map<std::string, LogInfo> log_info;
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer({disqualified_log}, log_info);
// |chain_| is valid for 10 years - over 180 days - so requires 3 SCTs.
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, IsLogDisqualifiedTimestamp) {
// Clear the log list and add 2 disqualified logs, one with a disqualification
// date in the past and one in the future.
const char kModifiedTestLogID[] =
"\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51"
"\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\x4f\xf4";
std::vector<std::pair<std::string, base::Time>> disqualified_logs;
std::map<std::string, LogInfo> log_info;
base::Time now = base::Time::Now();
base::Time past_disqualification = now - base::Hours(1);
base::Time future_disqualification = now + base::Hours(1);
disqualified_logs.emplace_back(kModifiedTestLogID, future_disqualification);
disqualified_logs.emplace_back(kTestLogID, past_disqualification);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(disqualified_logs, log_info);
base::Time disqualification_time;
EXPECT_TRUE(policy_enforcer->IsLogDisqualified(kTestLogID, now,
&disqualification_time));
EXPECT_EQ(disqualification_time, past_disqualification);
EXPECT_EQ(policy_enforcer->GetLogDisqualificationTime(kTestLogID),
past_disqualification);
EXPECT_FALSE(policy_enforcer->IsLogDisqualified(kModifiedTestLogID, now,
&disqualification_time));
EXPECT_EQ(disqualification_time, future_disqualification);
EXPECT_EQ(policy_enforcer->GetLogDisqualificationTime(kModifiedTestLogID),
future_disqualification);
}
TEST_F(ChromeCTPolicyEnforcerTest, IsLogDisqualifiedReturnsFalseOnUnknownLog) {
// Clear the log list and add a single disqualified log, with a
// disqualification date in the past;
const char kModifiedTestLogID[] =
"\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51"
"\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\x4f\xf4";
std::vector<std::pair<std::string, base::Time>> disqualified_logs;
std::map<std::string, LogInfo> log_info;
base::Time now = base::Time::Now();
disqualified_logs.emplace_back(kModifiedTestLogID, now - base::Days(1));
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(disqualified_logs, log_info);
base::Time unused;
// IsLogDisqualified should return false for a log that is not in the
// disqualified list.
EXPECT_FALSE(policy_enforcer->IsLogDisqualified(kTestLogID, now, &unused));
EXPECT_EQ(policy_enforcer->GetLogDisqualificationTime(kTestLogID),
std::nullopt);
}
TEST_F(ChromeCTPolicyEnforcerTest,
ConformsWithCTPolicyFutureRetirementDateLogs) {
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED, 5, &scts);
std::vector<std::pair<std::string, base::Time>> disqualified_logs;
std::map<std::string, LogInfo> log_info;
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
// Set all the log operators for these SCTs as disqualified, with a timestamp
// one hour from now.
base::Time retirement_time = base::Time::Now() + base::Hours(1);
// This mirrors how FillListWithSCTsOfOrigin generates log ids.
disqualified_logs.emplace_back(test_log_id_, retirement_time);
for (size_t i = 1; i < 5; ++i) {
disqualified_logs.emplace_back(
std::string(crypto::hash::kSha256Size, static_cast<char>(i)),
retirement_time);
}
std::sort(std::begin(disqualified_logs), std::end(disqualified_logs));
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(disqualified_logs, log_info);
// SCTs should comply since retirement date is in the future.
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest,
DoesNotConformWithCTPolicyPastRetirementDateLogs) {
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED, 5, &scts);
std::vector<std::pair<std::string, base::Time>> disqualified_logs;
std::map<std::string, LogInfo> log_info;
// Set all the log operators for these SCTs as disqualiied, with a timestamp
// one hour ago.
base::Time retirement_time = base::Time::Now() - base::Hours(1);
// This mirrors how FillListWithSCTsOfOrigin generates log ids.
disqualified_logs.emplace_back(test_log_id_, retirement_time);
for (size_t i = 1; i < 5; ++i) {
disqualified_logs.emplace_back(
std::string(crypto::hash::kSha256Size, static_cast<char>(i)),
retirement_time);
}
std::sort(std::begin(disqualified_logs), std::end(disqualified_logs));
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(disqualified_logs, log_info);
// SCTs should not comply since retirement date is in the past.
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, UpdatedSCTRequirements) {
// Test multiple validity periods
base::Time time_2015_3_0_25_11_25_0_0 =
CreateTime({2015, 3, 0, 25, 11, 25, 0, 0});
base::Time time_2015_9_0_20_11_25_0_0 =
CreateTime({2015, 9, 0, 20, 11, 25, 0, 0});
base::Time time_2015_9_0_21_11_25_0_0 =
CreateTime({2015, 9, 0, 21, 11, 25, 0, 0});
base::Time time_2015_9_0_21_11_25_1_0 =
CreateTime({2015, 9, 0, 21, 11, 25, 1, 0});
base::Time time_2016_3_0_25_11_25_0_0 =
CreateTime({2016, 3, 0, 25, 11, 25, 0, 0});
struct TestData {
base::Time validity_start;
base::Time validity_end;
size_t scts_required;
};
const auto kTestData = std::to_array<TestData>({
{// Cert valid for -12 months (nonsensical), needs 2 SCTs.
time_2016_3_0_25_11_25_0_0, time_2015_3_0_25_11_25_0_0, 2},
{// Cert valid for 179 days, needs 2 SCTs.
time_2015_3_0_25_11_25_0_0, time_2015_9_0_20_11_25_0_0, 2},
{// Cert valid for exactly 180 days, needs only 2 SCTs.
time_2015_3_0_25_11_25_0_0, time_2015_9_0_21_11_25_0_0, 2},
{// Cert valid for barely over 180 days, needs 3 SCTs.
time_2015_3_0_25_11_25_0_0, time_2015_9_0_21_11_25_1_0, 3},
{// Cert valid for over 180 days, needs 3 SCTs.
time_2015_3_0_25_11_25_0_0, time_2016_3_0_25_11_25_0_0, 3},
});
for (size_t i = 0; i < std::size(kTestData); ++i) {
SCOPED_TRACE(i);
const base::Time& validity_start = kTestData[i].validity_start;
const base::Time& validity_end = kTestData[i].validity_end;
size_t scts_required = kTestData[i].scts_required;
// Create a self-signed certificate with exactly the validity period.
std::string cert_data;
ASSERT_TRUE(net::x509_util::CreateSelfSignedCert(
crypto::test::FixedRsa2048PrivateKeyForTesting().key(),
net::x509_util::DIGEST_SHA256, "CN=test", i * 10 + scts_required,
validity_start, validity_end, {}, &cert_data));
scoped_refptr<X509Certificate> cert(
X509Certificate::CreateFromBytes(base::as_byte_span(cert_data)));
ASSERT_TRUE(cert);
std::map<std::string, LogInfo> log_info;
for (size_t j = 0; j <= scts_required; ++j) {
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED, j,
std::vector<std::string>(), &scts);
// Add different operators to the logs so the SCTs comply with operator
// diversity.
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info);
CTPolicyCompliance expected;
if (j == scts_required) {
// If the scts provided are as many as are required, the cert should be
// declared as compliant.
expected = CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS;
} else if (j == 1) {
// If a single SCT is provided, it should trip the diversity check.
expected = CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS;
} else {
// In any other case, the 'not enough' check should trip.
expected = CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
}
EXPECT_EQ(expected,
policy_enforcer->CheckCompliance(
cert.get(), scts, base::Time::Now(), NetLogWithSource()))
<< " for: " << (validity_end - validity_start).InDays() << " and "
<< scts_required << " scts=" << scts.size() << " j=" << j;
}
}
}
TEST_F(ChromeCTPolicyEnforcerTest,
DoesNotConformToCTPolicyAllLogsSameOperator) {
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
2, std::vector<std::string>(), &scts);
std::map<std::string, LogInfo> log_info;
for (auto sct : scts) {
OperatorHistoryEntry entry;
entry.current_operator = "Operator";
LogInfo info;
info.operator_history = entry;
info.log_type = network::mojom::CTLogInfo::LogType::kRFC6962;
log_info[sct->log_id] = info;
}
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, ConformsToCTPolicyDifferentOperators) {
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
2, std::vector<std::string>(), &scts);
std::map<std::string, LogInfo> log_info;
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, ConformsToPolicyDueToOperatorSwitch) {
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
2, std::vector<std::string>(), &scts);
std::map<std::string, LogInfo> log_info;
// Set all logs to the same operator.
for (auto sct : scts) {
OperatorHistoryEntry entry;
entry.current_operator = "Same Operator";
LogInfo info;
info.operator_history = entry;
info.log_type = network::mojom::CTLogInfo::LogType::kRFC6962;
log_info[sct->log_id] = info;
}
// Set the previous operator of one of the logs to a different one, with an
// end time after the SCT timestamp.
log_info[scts[1]->log_id].operator_history.previous_operators.emplace_back(
"Different Operator", scts[1]->timestamp + base::Seconds(1));
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, DoesNotConformToPolicyDueToOperatorSwitch) {
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
2, std::vector<std::string>(), &scts);
std::map<std::string, LogInfo> log_info;
// Set logs to different operators
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
// Set the previous operator of one of the logs to the same as the other log,
// with an end time after the SCT timestamp.
log_info[scts[1]->log_id].operator_history.previous_operators.emplace_back(
"Operator 0", scts[1]->timestamp + base::Seconds(1));
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, MultipleOperatorSwitches) {
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
2, std::vector<std::string>(), &scts);
std::map<std::string, LogInfo> log_info;
// Set logs to different operators
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
// Set multiple previous operators, the first should be ignored since it
// stopped operating before the SCT timestamp.
log_info[scts[1]->log_id].operator_history.previous_operators.emplace_back(
"Different Operator", scts[1]->timestamp - base::Seconds(1));
log_info[scts[1]->log_id].operator_history.previous_operators.emplace_back(
"Operator 0", scts[1]->timestamp + base::Seconds(1));
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
TEST_F(ChromeCTPolicyEnforcerTest, MultipleOperatorSwitchesBeforeSCTTimestamp) {
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION,
2, std::vector<std::string>(), &scts);
std::map<std::string, LogInfo> log_info;
// Set all logs to the same operator.
for (auto sct : scts) {
OperatorHistoryEntry entry;
entry.current_operator = "Same Operator";
LogInfo info;
info.operator_history = entry;
info.log_type = network::mojom::CTLogInfo::LogType::kRFC6962;
log_info[sct->log_id] = info;
}
// Set multiple previous operators, all of them should be ignored since they
// all stopped operating before the SCT timestamp.
log_info[scts[1]->log_id].operator_history.previous_operators.emplace_back(
"Different Operator", scts[1]->timestamp - base::Seconds(2));
log_info[scts[1]->log_id].operator_history.previous_operators.emplace_back(
"Yet Another Different Operator", scts[1]->timestamp - base::Seconds(1));
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info);
EXPECT_EQ(CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
std::string GetLogTypeName(network::mojom::CTLogInfo::LogType log_type) {
switch (log_type) {
case network::mojom::CTLogInfo::LogType::kUnspecified:
return "Unspecified";
case network::mojom::CTLogInfo::LogType::kRFC6962:
return "RFC6962";
case network::mojom::CTLogInfo::LogType::kStaticCTAPI:
return "Static CT API";
default:
NOTREACHED();
}
}
TEST_F(ChromeCTPolicyEnforcerTest, DoesNotConformToCTPolicyNoRFC6962Log) {
struct TestCase {
std::string const name;
network::mojom::CTLogInfo::LogType log_type;
bool enable_static_ct_api_enforcement;
size_t sct_count;
CTPolicyCompliance result;
} kTestCases[] = {
// Tests with Static CT API log types:
{"Not enough SCTs with StaticCT API Policy disabled",
network::mojom::CTLogInfo::LogType::kStaticCTAPI,
/*enable_static_ct_api_enforcement=*/false, 2,
CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS},
{"Enough SCTs with StaticCT API Policy disabled",
network::mojom::CTLogInfo::LogType::kStaticCTAPI,
/*enable_static_ct_api_enforcement=*/false, 3,
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS},
{"Not enough SCTs with Static CT API Policy enabled",
network::mojom::CTLogInfo::LogType::kStaticCTAPI,
/*enable_static_ct_api_enforcement=*/true, 2,
// TODO(crbug.com/370724580): Reconsider this, might also return
// CT_POLICY_NOT_ENOUGH_SCTS.
CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS},
{"Enough SCTs with Static CT API Policy Enabled",
network::mojom::CTLogInfo::LogType::kStaticCTAPI,
/*enable_static_ct_api_enforcement=*/true, 3,
CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS},
// Same tests as above, but with unspecified log types. These should be
// treated as RFC6962 logs for now.
// TODO(crbug.com/370724580): Disallow kUnspecified once all logs in the
// hardcoded and component updater protos have proper log types.
{"Not enough SCTs with StaticCT API Policy disabled",
network::mojom::CTLogInfo::LogType::kUnspecified,
/*enable_static_ct_api_enforcement=*/false, 2,
CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS},
{"Enough SCTs with StaticCT API Policy disabled",
network::mojom::CTLogInfo::LogType::kUnspecified,
/*enable_static_ct_api_enforcement=*/false, 3,
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS},
{"Not enough SCTs with Static CT API Policy enabled",
network::mojom::CTLogInfo::LogType::kUnspecified,
/*enable_static_ct_api_enforcement=*/true, 2,
CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS},
{"Enough SCTs with Static CT API Policy Enabled",
network::mojom::CTLogInfo::LogType::kUnspecified,
/*enable_static_ct_api_enforcement=*/true, 3,
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS},
};
for (const TestCase& tc : kTestCases) {
SCOPED_TRACE(
base::StrCat({tc.name, " log_type=", GetLogTypeName(tc.log_type)}));
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED,
tc.sct_count, &scts);
std::map<std::string, LogInfo> log_info;
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
// Set all logs to the same log type given for this test and add
// a valid leaf index extension.
for (size_t i = 0; i < scts.size(); i++) {
log_info[scts[i]->log_id].log_type = tc.log_type;
scts[i]->extensions = std::string(std::begin(kExtensionWithLeafIndex),
std::end(kExtensionWithLeafIndex));
}
scoped_refptr<ChromeCTPolicyEnforcer> policy_enforcer =
MakeChromeCTPolicyEnforcer(GetDisqualifiedLogs(), log_info,
tc.enable_static_ct_api_enforcement);
EXPECT_EQ(tc.result,
policy_enforcer->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
}
TEST_F(ChromeCTPolicyEnforcerTest, StaticCTAPILeafIndex) {
const std::string extension_with_leaf_index(
std::begin(kExtensionWithLeafIndex), std::end(kExtensionWithLeafIndex));
const std::string extension_with_leaf_index2(
std::begin(kExtensionWithLeafIndex2), std::end(kExtensionWithLeafIndex2));
const std::string extension_without_leaf_index(
std::begin(kExtensionWithoutLeafIndex),
std::end(kExtensionWithoutLeafIndex));
const std::string extension_with_multiple_leaf_indexes(
std::begin(kExtensionWithMultipleLeafIndexes),
std::end(kExtensionWithMultipleLeafIndexes));
struct SctInfo {
const network::mojom::CTLogInfo::LogType log_type;
const std::string extensions;
};
const struct TestCase {
std::string name;
const std::vector<SctInfo> sct_infos;
// Expected result with Static CT API policy enforcement disabled:
const CTPolicyCompliance result_without_enforcement;
// Expected result with Static CT API policy enforcement enabled:
const CTPolicyCompliance result_with_enforcement;
} kTestCases[] = {
{"Need at least 3 SCTs for longer lived certs regardless of whether "
"Static-CT-API policy enforcement is enabled",
{
SctInfo{network::mojom::CTLogInfo::LogType::kRFC6962, ""},
SctInfo{network::mojom::CTLogInfo::LogType::kStaticCTAPI,
extension_with_leaf_index},
},
/*result_without_enforcement=*/
CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
/*result_with_enforcement=*/
CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS},
{"Leaf indexes for non-static-CT-API logs should be ignored when Static "
"CT policy is enforced",
{
SctInfo{network::mojom::CTLogInfo::LogType::kRFC6962, ""},
SctInfo{network::mojom::CTLogInfo::LogType::kRFC6962,
extension_with_leaf_index},
SctInfo{network::mojom::CTLogInfo::LogType::kRFC6962,
extension_without_leaf_index},
},
/*result_without_enforcement=*/
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
/*result_with_enforcement=*/
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS},
{"Static-CT-API logs without leaf indexes should be ignored "
"when Static-CT-API policy is enforced",
{
SctInfo{network::mojom::CTLogInfo::LogType::kRFC6962, ""},
SctInfo{network::mojom::CTLogInfo::LogType::kStaticCTAPI, ""},
SctInfo{network::mojom::CTLogInfo::LogType::kStaticCTAPI, ""},
},
/*result_without_enforcement=*/
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
/*result_with_enforcement=*/
CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS},
{"Static-CT-API logs without valid extensions should be ignored "
"when Static-CT-API policy is enforced",
{
SctInfo{network::mojom::CTLogInfo::LogType::kRFC6962, ""},
SctInfo{network::mojom::CTLogInfo::LogType::kStaticCTAPI,
"invalidextensionstring"},
SctInfo{network::mojom::CTLogInfo::LogType::kStaticCTAPI,
"anotherone"},
},
/*result_without_enforcement=*/
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
/*result_with_enforcement=*/
CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS},
{"Static-CT-API logs with valid extensions without leaf indexes should "
"be ignored when Static CT API policy is enforced",
{
SctInfo{network::mojom::CTLogInfo::LogType::kRFC6962, ""},
SctInfo{network::mojom::CTLogInfo::LogType::kStaticCTAPI,
extension_with_leaf_index},
SctInfo{network::mojom::CTLogInfo::LogType::kStaticCTAPI,
extension_without_leaf_index},
},
/*result_without_enforcement=*/
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
/*result_with_enforcement=*/
CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS},
{"Static-CT-API logs with valid extensions with multiple leaf indexes "
"should be ignored when Static CT API policy is enforced",
{
SctInfo{network::mojom::CTLogInfo::LogType::kRFC6962, ""},
SctInfo{network::mojom::CTLogInfo::LogType::kStaticCTAPI,
extension_with_leaf_index},
SctInfo{network::mojom::CTLogInfo::LogType::kStaticCTAPI,
extension_with_multiple_leaf_indexes},
},
/*result_without_enforcement=*/
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
/*result_with_enforcement=*/
CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS},
{"Valid case with valid leaf index extension",
{
SctInfo{network::mojom::CTLogInfo::LogType::kRFC6962, ""},
SctInfo{network::mojom::CTLogInfo::LogType::kStaticCTAPI,
extension_with_leaf_index},
SctInfo{network::mojom::CTLogInfo::LogType::kStaticCTAPI,
extension_with_leaf_index},
},
/*result_without_enforcement=*/
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
/*result_with_enforcement=*/
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS},
{"Valid case with valid leaf index extension where the leaf index "
"is not the first extension",
{
SctInfo{network::mojom::CTLogInfo::LogType::kRFC6962, ""},
SctInfo{network::mojom::CTLogInfo::LogType::kStaticCTAPI,
extension_with_leaf_index2},
SctInfo{network::mojom::CTLogInfo::LogType::kStaticCTAPI,
extension_with_leaf_index2},
},
/*result_without_enforcement=*/
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
/*result_with_enforcement=*/
CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS},
};
for (const auto& test_case : kTestCases) {
SCOPED_TRACE(test_case.name);
SCTList scts;
FillListWithSCTsOfOrigin(SignedCertificateTimestamp::SCT_EMBEDDED,
test_case.sct_infos.size(), &scts);
for (size_t i = 0; i < test_case.sct_infos.size(); i++) {
scts[i]->extensions = test_case.sct_infos[i].extensions;
}
std::map<std::string, LogInfo> log_info;
FillOperatorHistoryWithDiverseOperators(scts, &log_info);
// Override log types:
for (size_t i = 0; i < test_case.sct_infos.size(); i++) {
log_info[scts[i]->log_id].log_type = test_case.sct_infos[i].log_type;
}
// Check with Static CT API policy disabled.
scoped_refptr<ChromeCTPolicyEnforcer>
policy_enforcer_without_staticct_enforcement =
MakeChromeCTPolicyEnforcer(
GetDisqualifiedLogs(), log_info,
/*enable_static_ct_api_enforcement=*/false);
EXPECT_EQ(test_case.result_without_enforcement,
policy_enforcer_without_staticct_enforcement->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
// Check again with Static CT API policy enabled.
scoped_refptr<ChromeCTPolicyEnforcer>
policy_enforcer_with_staticct_enforcement = MakeChromeCTPolicyEnforcer(
GetDisqualifiedLogs(), log_info,
/*enable_static_ct_api_enforcement=*/true);
EXPECT_EQ(test_case.result_with_enforcement,
policy_enforcer_with_staticct_enforcement->CheckCompliance(
chain_.get(), scts, base::Time::Now(), NetLogWithSource()));
}
}
} // namespace certificate_transparency