net/cert/ct_policy_enforcer_unittest.cc - chromium/src - Git at Google

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "net/cert/ct_policy_enforcer.h"

 #include <string>

 #include "base/memory/scoped_ptr.h"
 #include "base/time/time.h"
 #include "base/version.h"
 #include "crypto/sha2.h"
 #include "net/base/test_data_directory.h"
 #include "net/cert/ct_ev_whitelist.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/x509_certificate.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/ct_test_util.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"

 namespace net {

 namespace {

 class DummyEVCertsWhitelist : public ct::EVCertsWhitelist {
  public:
   DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response)
       : canned_is_valid_(is_valid_response),
         canned_contains_response_(contains_hash_response) {}

   bool IsValid() const override { return canned_is_valid_; }

   bool ContainsCertificateHash(
       const std::string& certificate_hash) const override {
     return canned_contains_response_;
   }

   base::Version Version() const override { return base::Version(); }

  protected:
   ~DummyEVCertsWhitelist() override {}

  private:
   bool canned_is_valid_;
   bool canned_contains_response_;
 };

 const char kGoogleAviatorLogID[] =
     "\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51"
     "\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4";
 static_assert(arraysize(kGoogleAviatorLogID) - 1 == crypto::kSHA256Length,
               "Incorrect log ID length.");

 class CTPolicyEnforcerTest : public ::testing::Test {
  public:
   void SetUp() override {
     policy_enforcer_.reset(new CTPolicyEnforcer);

     std::string der_test_cert(ct::GetDerEncodedX509Cert());
     chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(),
                                               der_test_cert.size());
     ASSERT_TRUE(chain_.get());
     google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length);
     non_google_log_id_.assign(crypto::kSHA256Length, 'A');
   }

   void FillResultWithSCTsOfOrigin(
       ct::SignedCertificateTimestamp::Origin desired_origin,
       size_t num_scts,
       const std::vector<std::string>& desired_log_keys,
       bool timestamp_past_enforcement_date,
       ct::CTVerifyResult* result) {
     for (size_t i = 0; i < num_scts; ++i) {
       scoped_refptr<ct::SignedCertificateTimestamp> sct(
           new ct::SignedCertificateTimestamp());
       sct->origin = desired_origin;
       if (i < desired_log_keys.size())
         sct->log_id = desired_log_keys[i];
       else
         sct->log_id = non_google_log_id_;

       if (timestamp_past_enforcement_date)
         sct->timestamp =
             base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0});
       else
         sct->timestamp =
             base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0});

       result->verified_scts.push_back(sct);
     }
   }

   void FillResultWithSCTsOfOrigin(
       ct::SignedCertificateTimestamp::Origin desired_origin,
       size_t num_scts,
       ct::CTVerifyResult* result) {
     std::vector<std::string> desired_log_ids;
     desired_log_ids.push_back(google_log_id_);
     FillResultWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true,
                                result);
   }

   void FillResultWithRepeatedLogID(const std::string& desired_id,
                                    size_t num_scts,
                                    bool timestamp_past_enforcement_date,
                                    ct::CTVerifyResult* result) {
     std::vector<std::string> desired_log_ids(num_scts, desired_id);

     FillResultWithSCTsOfOrigin(
         ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, num_scts,
         desired_log_ids, timestamp_past_enforcement_date, result);
   }

   void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
       const base::Time& start,
       const base::Time& end,
       size_t required_scts) {
     scoped_refptr<X509Certificate> cert(
         new X509Certificate("subject", "issuer", start, end));
     ct::CTVerifyResult result;

     for (size_t i = 0; i < required_scts - 1; ++i) {
       FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
                                  1, std::vector<std::string>(), false, &result);
       EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
           cert.get(), nullptr, result, BoundNetLog()))
           << " for: " << (end - start).InDays() << " and " << required_scts
           << " scts=" << result.verified_scts.size() << " i=" << i;
     }
     FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
                                std::vector<std::string>(), false, &result);
     EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
         cert.get(), nullptr, result, BoundNetLog()))
         << " for: " << (end - start).InDays() << " and " << required_scts
         << " scts=" << result.verified_scts.size();
   }

  protected:
   scoped_ptr<CTPolicyEnforcer> policy_enforcer_;
   scoped_refptr<X509Certificate> chain_;
   std::string google_log_id_;
   std::string non_google_log_id_;
 };

 TEST_F(CTPolicyEnforcerTest,
        DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) {
   ct::CTVerifyResult result;
   FillResultWithRepeatedLogID(google_log_id_, 2, true, &result);

   EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
       chain_.get(), nullptr, result, BoundNetLog()));
 }

 TEST_F(CTPolicyEnforcerTest,
        DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) {
   ct::CTVerifyResult result;
   FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result);

   EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
       chain_.get(), nullptr, result, BoundNetLog()));
 }

 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) {
   ct::CTVerifyResult result;
   FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result);

   EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
                                                         result, BoundNetLog()));
 }

 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(
       ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);

   EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
                                                         result, BoundNetLog()));
 }

 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
   // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
                              &result);

   EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
                                                         result, BoundNetLog()));
 }

 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
   scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist(
       new DummyEVCertsWhitelist(true, false));
   // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
   // However, as there are only two logs, two SCTs will be required - supply one
   // to guarantee the test fails.
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
                              &result);

   EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
       chain_.get(), non_including_whitelist.get(), result, BoundNetLog()));

   // ... but should be OK if whitelisted.
   scoped_refptr<ct::EVCertsWhitelist> whitelist(
       new DummyEVCertsWhitelist(true, true));
   EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
       chain_.get(), whitelist.get(), result, BoundNetLog()));
 }

 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
   scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate(
       "subject", "issuer", base::Time(), base::Time::Now()));
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
                              &result);
   EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
       no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));
   // ... but should be OK if whitelisted.
   scoped_refptr<ct::EVCertsWhitelist> whitelist(
       new DummyEVCertsWhitelist(true, true));
   EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
       chain_.get(), whitelist.get(), result, BoundNetLog()));
 }

 TEST_F(CTPolicyEnforcerTest,
        ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
   // Test multiple validity periods
   const struct TestData {
     base::Time validity_start;
     base::Time validity_end;
     size_t scts_required;
   } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs.
                     base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
                     base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}),
                     2},
                    {// Cert valid for exactly 15 months, needs 3 SCTs.
                     base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
                     base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}),
                     3},
                    {// Cert valid for over 15 months, needs 3 SCTs.
                     base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
                     base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}),
                     3},
                    {// Cert valid for exactly 27 months, needs 3 SCTs.
                     base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
                     base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}),
                     3},
                    {// Cert valid for over 27 months, needs 4 SCTs.
                     base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
                     base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}),
                     4},
                    {// Cert valid for exactly 39 months, needs 4 SCTs.
                     base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
                     base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}),
                     4},
                    {// Cert valid for over 39 months, needs 5 SCTs.
                     base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
                     base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}),
                     5}};

   for (size_t i = 0; i < arraysize(kTestData); ++i) {
     SCOPED_TRACE(i);
     CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
         kTestData[i].validity_start, kTestData[i].validity_end,
         kTestData[i].scts_required);
   }
 }

 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
   scoped_refptr<ct::EVCertsWhitelist> whitelist(
       new DummyEVCertsWhitelist(true, true));

   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
                              &result);
   EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
       chain_.get(), whitelist.get(), result, BoundNetLog()));
 }

 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
   scoped_refptr<ct::EVCertsWhitelist> whitelist(
       new DummyEVCertsWhitelist(false, true));

   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
                              &result);
   EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
       chain_.get(), whitelist.get(), result, BoundNetLog()));
 }

 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) {
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
                              &result);
   EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
       chain_.get(), nullptr, result, BoundNetLog()));
 }

 }  // namespace

 }  // namespace net
	// Copyright 2014 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "net/cert/ct_policy_enforcer.h"

	#include <string>

	#include "base/memory/scoped_ptr.h"
	#include "base/time/time.h"
	#include "base/version.h"
	#include "crypto/sha2.h"
	#include "net/base/test_data_directory.h"
	#include "net/cert/ct_ev_whitelist.h"
	#include "net/cert/ct_verify_result.h"
	#include "net/cert/x509_certificate.h"
	#include "net/test/cert_test_util.h"
	#include "net/test/ct_test_util.h"
	#include "testing/gmock/include/gmock/gmock.h"
	#include "testing/gtest/include/gtest/gtest.h"

	namespace net {

	namespace {

	class DummyEVCertsWhitelist : public ct::EVCertsWhitelist {
	public:
	DummyEVCertsWhitelist(bool is_valid_response, bool contains_hash_response)
	: canned_is_valid_(is_valid_response),
	canned_contains_response_(contains_hash_response) {}

	bool IsValid() const override { return canned_is_valid_; }

	bool ContainsCertificateHash(
	const std::string& certificate_hash) const override {
	return canned_contains_response_;
	}

	base::Version Version() const override { return base::Version(); }

	protected:
	~DummyEVCertsWhitelist() override {}

	private:
	bool canned_is_valid_;
	bool canned_contains_response_;
	};

	const char kGoogleAviatorLogID[] =
	"\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51"
	"\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4";
	static_assert(arraysize(kGoogleAviatorLogID) - 1 == crypto::kSHA256Length,
	"Incorrect log ID length.");

	class CTPolicyEnforcerTest : public ::testing::Test {
	public:
	void SetUp() override {
	policy_enforcer_.reset(new CTPolicyEnforcer);

	std::string der_test_cert(ct::GetDerEncodedX509Cert());
	chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(),
	der_test_cert.size());
	ASSERT_TRUE(chain_.get());
	google_log_id_ = std::string(kGoogleAviatorLogID, crypto::kSHA256Length);
	non_google_log_id_.assign(crypto::kSHA256Length, 'A');
	}

	void FillResultWithSCTsOfOrigin(
	ct::SignedCertificateTimestamp::Origin desired_origin,
	size_t num_scts,
	const std::vector<std::string>& desired_log_keys,
	bool timestamp_past_enforcement_date,
	ct::CTVerifyResult* result) {
	for (size_t i = 0; i < num_scts; ++i) {
	scoped_refptr<ct::SignedCertificateTimestamp> sct(
	new ct::SignedCertificateTimestamp());
	sct->origin = desired_origin;
	if (i < desired_log_keys.size())
	sct->log_id = desired_log_keys[i];
	else
	sct->log_id = non_google_log_id_;

	if (timestamp_past_enforcement_date)
	sct->timestamp =
	base::Time::FromUTCExploded({2015, 8, 0, 15, 0, 0, 0, 0});
	else
	sct->timestamp =
	base::Time::FromUTCExploded({2015, 6, 0, 15, 0, 0, 0, 0});

	result->verified_scts.push_back(sct);
	}
	}

	void FillResultWithSCTsOfOrigin(
	ct::SignedCertificateTimestamp::Origin desired_origin,
	size_t num_scts,
	ct::CTVerifyResult* result) {
	std::vector<std::string> desired_log_ids;
	desired_log_ids.push_back(google_log_id_);
	FillResultWithSCTsOfOrigin(desired_origin, num_scts, desired_log_ids, true,
	result);
	}

	void FillResultWithRepeatedLogID(const std::string& desired_id,
	size_t num_scts,
	bool timestamp_past_enforcement_date,
	ct::CTVerifyResult* result) {
	std::vector<std::string> desired_log_ids(num_scts, desired_id);

	FillResultWithSCTsOfOrigin(
	ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, num_scts,
	desired_log_ids, timestamp_past_enforcement_date, result);
	}

	void CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
	const base::Time& start,
	const base::Time& end,
	size_t required_scts) {
	scoped_refptr<X509Certificate> cert(
	new X509Certificate("subject", "issuer", start, end));
	ct::CTVerifyResult result;

	for (size_t i = 0; i < required_scts - 1; ++i) {
	FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
	1, std::vector<std::string>(), false, &result);
	EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
	cert.get(), nullptr, result, BoundNetLog()))
	<< " for: " << (end - start).InDays() << " and " << required_scts
	<< " scts=" << result.verified_scts.size() << " i=" << i;
	}
	FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
	std::vector<std::string>(), false, &result);
	EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
	cert.get(), nullptr, result, BoundNetLog()))
	<< " for: " << (end - start).InDays() << " and " << required_scts
	<< " scts=" << result.verified_scts.size();
	}

	protected:
	scoped_ptr<CTPolicyEnforcer> policy_enforcer_;
	scoped_refptr<X509Certificate> chain_;
	std::string google_log_id_;
	std::string non_google_log_id_;
	};

	TEST_F(CTPolicyEnforcerTest,
	DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) {
	ct::CTVerifyResult result;
	FillResultWithRepeatedLogID(google_log_id_, 2, true, &result);

	EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
	chain_.get(), nullptr, result, BoundNetLog()));
	}

	TEST_F(CTPolicyEnforcerTest,
	DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) {
	ct::CTVerifyResult result;
	FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result);

	EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
	chain_.get(), nullptr, result, BoundNetLog()));
	}

	TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) {
	ct::CTVerifyResult result;
	FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result);

	EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
	result, BoundNetLog()));
	}

	TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
	ct::CTVerifyResult result;
	FillResultWithSCTsOfOrigin(
	ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);

	EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
	result, BoundNetLog()));
	}

	TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
	// This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
	ct::CTVerifyResult result;
	FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
	&result);

	EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
	result, BoundNetLog()));
	}

	TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
	scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist(
	new DummyEVCertsWhitelist(true, false));
	// This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
	// However, as there are only two logs, two SCTs will be required - supply one
	// to guarantee the test fails.
	ct::CTVerifyResult result;
	FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
	&result);

	EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
	chain_.get(), non_including_whitelist.get(), result, BoundNetLog()));

	// ... but should be OK if whitelisted.
	scoped_refptr<ct::EVCertsWhitelist> whitelist(
	new DummyEVCertsWhitelist(true, true));
	EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
	chain_.get(), whitelist.get(), result, BoundNetLog()));
	}

	TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
	scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate(
	"subject", "issuer", base::Time(), base::Time::Now()));
	ct::CTVerifyResult result;
	FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
	&result);
	EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
	no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));
	// ... but should be OK if whitelisted.
	scoped_refptr<ct::EVCertsWhitelist> whitelist(
	new DummyEVCertsWhitelist(true, true));
	EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
	chain_.get(), whitelist.get(), result, BoundNetLog()));
	}

	TEST_F(CTPolicyEnforcerTest,
	ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
	// Test multiple validity periods
	const struct TestData {
	base::Time validity_start;
	base::Time validity_end;
	size_t scts_required;
	} kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs.
	base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
	base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}),
	2},
	{// Cert valid for exactly 15 months, needs 3 SCTs.
	base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
	base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}),
	3},
	{// Cert valid for over 15 months, needs 3 SCTs.
	base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
	base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}),
	3},
	{// Cert valid for exactly 27 months, needs 3 SCTs.
	base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
	base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}),
	3},
	{// Cert valid for over 27 months, needs 4 SCTs.
	base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
	base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}),
	4},
	{// Cert valid for exactly 39 months, needs 4 SCTs.
	base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
	base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}),
	4},
	{// Cert valid for over 39 months, needs 5 SCTs.
	base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
	base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}),
	5}};

	for (size_t i = 0; i < arraysize(kTestData); ++i) {
	SCOPED_TRACE(i);
	CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
	kTestData[i].validity_start, kTestData[i].validity_end,
	kTestData[i].scts_required);
	}
	}

	TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
	scoped_refptr<ct::EVCertsWhitelist> whitelist(
	new DummyEVCertsWhitelist(true, true));

	ct::CTVerifyResult result;
	FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
	&result);
	EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
	chain_.get(), whitelist.get(), result, BoundNetLog()));
	}

	TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
	scoped_refptr<ct::EVCertsWhitelist> whitelist(
	new DummyEVCertsWhitelist(false, true));

	ct::CTVerifyResult result;
	FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
	&result);
	EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
	chain_.get(), whitelist.get(), result, BoundNetLog()));
	}

	TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) {
	ct::CTVerifyResult result;
	FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
	&result);
	EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
	chain_.get(), nullptr, result, BoundNetLog()));
	}

	} // namespace

	} // namespace net