chromium_src/components/certificate_transparency/chrome_require_ct_delegate_unittest.cc · OpenHarmony-TPC/chromium_src - AtomGit

// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "components/certificate_transparency/chrome_require_ct_delegate.h"

#include <iterator>

#include "base/memory/ref_counted.h"
#include "base/run_loop.h"
#include "base/task/sequenced_task_runner.h"
#include "base/task/single_thread_task_runner.h"
#include "base/test/task_environment.h"
#include "base/test/test_message_loop.h"
#include "base/values.h"
#include "components/certificate_transparency/pref_names.h"
#include "components/prefs/pref_registry_simple.h"
#include "components/prefs/testing_pref_service.h"
#include "net/base/hash_value.h"
#include "net/cert/require_ct_delegate.h"
#include "net/cert/x509_certificate.h"
#include "net/cert/x509_util.h"
#include "net/test/cert_builder.h"
#include "net/test/cert_test_util.h"
#include "net/test/test_data_directory.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace certificate_transparency {

namespace {

class ChromeRequireCTDelegateTest : public ::testing::Test {
 public:
  void SetUp() override {
    cert_ = net::CreateCertificateChainFromFile(
        net::GetTestCertsDirectory(), "expired_cert.pem",
        net::X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
    ASSERT_TRUE(cert_);

    net::SHA256HashValue spki_hash;
    ASSERT_TRUE(net::x509_util::CalculateSha256SpkiHash(cert_->cert_buffer(),
                                                        &spki_hash));
    hashes_.push_back(spki_hash);
  }

 protected:
  base::test::SingleThreadTaskEnvironment task_environment_{
      base::test::SingleThreadTaskEnvironment::MainThreadType::IO};
  scoped_refptr<net::X509Certificate> cert_;
  std::vector<net::SHA256HashValue> hashes_;
};

// Treat the preferences as a black box as far as naming, but ensure that
// preferences get registered.
TEST_F(ChromeRequireCTDelegateTest, RegistersPrefs) {
  TestingPrefServiceSimple pref_service;
  auto registered_prefs = std::distance(pref_service.registry()->begin(),
                                        pref_service.registry()->end());
  certificate_transparency::prefs::RegisterPrefs(pref_service.registry());
  auto newly_registered_prefs = std::distance(pref_service.registry()->begin(),
                                              pref_service.registry()->end());
  EXPECT_NE(registered_prefs, newly_registered_prefs);
}

TEST_F(ChromeRequireCTDelegateTest, DelegateChecksExcludedHosts) {
  using CTRequirementLevel = net::RequireCTDelegate::CTRequirementLevel;
  scoped_refptr<ChromeRequireCTDelegate> delegate =
      base::MakeRefCounted<ChromeRequireCTDelegate>();

  // No setting should yield the default results.
  EXPECT_EQ(CTRequirementLevel::REQUIRED,
            delegate->IsCTRequiredForHost("google.com", cert_.get(), hashes_));

  // Add a excluded host
  delegate->UpdateCTPolicies({"google.com"}, {});

  // The new setting should take effect.
  EXPECT_EQ(CTRequirementLevel::NOT_REQUIRED,
            delegate->IsCTRequiredForHost("google.com", cert_.get(), hashes_));
}

TEST_F(ChromeRequireCTDelegateTest, DelegateChecksExcludedSPKIs) {
  using CTRequirementLevel = net::RequireCTDelegate::CTRequirementLevel;
  scoped_refptr<ChromeRequireCTDelegate> delegate =
      base::MakeRefCounted<ChromeRequireCTDelegate>();

  // No setting should yield the default results.
  EXPECT_EQ(CTRequirementLevel::REQUIRED,
            delegate->IsCTRequiredForHost("google.com", cert_.get(), hashes_));

  // Add a excluded SPKI
  delegate->UpdateCTPolicies({}, {net::HashValue(hashes_.front()).ToString()});

  // The new setting should take effect.
  EXPECT_EQ(CTRequirementLevel::NOT_REQUIRED,
            delegate->IsCTRequiredForHost("google.com", cert_.get(), hashes_));
}

TEST_F(ChromeRequireCTDelegateTest, IgnoresInvalidEntries) {
  using CTRequirementLevel = net::RequireCTDelegate::CTRequirementLevel;
  scoped_refptr<ChromeRequireCTDelegate> delegate =
      base::MakeRefCounted<ChromeRequireCTDelegate>();

  // No setting should yield the default results.
  EXPECT_EQ(CTRequirementLevel::REQUIRED,
            delegate->IsCTRequiredForHost("google.com", cert_.get(), hashes_));

  // Now setup invalid state (that is, that fail to be parsable as
  // URLs).
  delegate->UpdateCTPolicies(
      {"file:///etc/fstab", "file://withahost/etc/fstab", "file:///c|/Windows",
       "*", "https://*", "example.com", "https://example.test:invalid_port"},
      {});

  // Wildcards are ignored (both * and https://*).
  EXPECT_EQ(CTRequirementLevel::REQUIRED,
            delegate->IsCTRequiredForHost("google.com", cert_.get(), hashes_));
  // File URL hosts are ignored.
  // TODO(rsleevi): https://crbug.com/841407 - Ensure that file URLs have their
  // hosts ignored for policy.
  // EXPECT_EQ(CTRequirementLevel::DEFAULT,
  //          delegate->IsCTRequiredForHost("withahost", cert_.get(), hashes_));

  // While the partially parsed hosts should take effect.
  EXPECT_EQ(
      CTRequirementLevel::NOT_REQUIRED,
      delegate->IsCTRequiredForHost("example.test", cert_.get(), hashes_));
  EXPECT_EQ(CTRequirementLevel::NOT_REQUIRED,
            delegate->IsCTRequiredForHost("example.com", cert_.get(), hashes_));
}

TEST_F(ChromeRequireCTDelegateTest, SupportsOrgRestrictions) {
  using CTRequirementLevel = net::RequireCTDelegate::CTRequirementLevel;

  scoped_refptr<ChromeRequireCTDelegate> delegate =
      base::MakeRefCounted<ChromeRequireCTDelegate>();

  base::FilePath test_directory = net::GetTestNetDataDirectory().Append(
      FILE_PATH_LITERAL("ov_name_constraints"));

  // As all the leaves and intermediates share SPKIs in their classes, load
  // known-good answers for the remaining test config.
  scoped_refptr<net::X509Certificate> tmp =
      net::ImportCertFromFile(test_directory, "leaf-o1.pem");
  ASSERT_TRUE(tmp);
  net::SHA256HashValue leaf_spki;
  ASSERT_TRUE(
      net::x509_util::CalculateSha256SpkiHash(tmp->cert_buffer(), &leaf_spki));
  tmp = net::ImportCertFromFile(test_directory, "int-o3.pem");
  ASSERT_TRUE(tmp);
  net::SHA256HashValue intermediate_spki;
  ASSERT_TRUE(net::x509_util::CalculateSha256SpkiHash(tmp->cert_buffer(),
                                                      &intermediate_spki));

  struct {
    const char* const leaf_file;
    const char* const intermediate_file;
    const net::SHA256HashValue spki;
    CTRequirementLevel expected;
  } kTestCases[] = {
      // Positive cases
      //
      // Exact match on the leaf SPKI (leaf has O)
      {"leaf-o1.pem", nullptr, leaf_spki, CTRequirementLevel::NOT_REQUIRED},
      // Exact match on the leaf SPKI (leaf does not have O)
      {"leaf-no-o.pem", nullptr, leaf_spki, CTRequirementLevel::NOT_REQUIRED},
      // Exact match on the leaf SPKI (leaf has O), even when the
      // intermediate does not
      {"leaf-o1.pem", "int-cn.pem", leaf_spki,
       CTRequirementLevel::NOT_REQUIRED},
      // Matches (multiple) organization values in two SEQUENCEs+SETs
      {"leaf-o1-o2.pem", "int-o1-o2.pem", intermediate_spki,
       CTRequirementLevel::NOT_REQUIRED},
      // Matches (multiple) organization values in a single SEQUENCE+SET
      {"leaf-o1-o2.pem", "int-o1-plus-o2.pem", intermediate_spki,
       CTRequirementLevel::NOT_REQUIRED},
      // Matches nameConstrained O
      {"leaf-o1.pem", "nc-int-permit-o1.pem", intermediate_spki,
       CTRequirementLevel::NOT_REQUIRED},
      // Matches the second nameConstraint on the O, out of 3
      {"leaf-o1.pem", "nc-int-permit-o2-o1-o3.pem", intermediate_spki,
       CTRequirementLevel::NOT_REQUIRED},
      // Leaf is in different string type than issuer (BMPString), but it is
      // in the issuer O field, not the nameConstraint
      // TODO(rsleevi): Make this fail, because it's not byte-for-byte
      // identical
      {"leaf-o1.pem", "int-bmp-o1.pem", intermediate_spki,
       CTRequirementLevel::NOT_REQUIRED},

      // Negative cases
      // Leaf is missing O
      {"leaf-no-o.pem", "int-o1-o2.pem", intermediate_spki,
       CTRequirementLevel::REQUIRED},
      // Leaf is missing O
      {"leaf-no-o.pem", "int-cn.pem", intermediate_spki,
       CTRequirementLevel::REQUIRED},
      // Leaf doesn't match issuer O
      {"leaf-o1.pem", "int-o3.pem", intermediate_spki,
       CTRequirementLevel::REQUIRED},
      // Multiple identical organization values, but in different orders.
      {"leaf-o1-o2.pem", "int-o2-o1.pem", intermediate_spki,
       CTRequirementLevel::REQUIRED},
      // Intermediate is nameConstrained, with a dirName, but not an O
      {"leaf-o1.pem", "nc-int-permit-cn.pem", intermediate_spki,
       CTRequirementLevel::REQUIRED},
      // Intermediate is nameConstrained, but with a dNSName
      {"leaf-o1.pem", "nc-int-permit-dns.pem", intermediate_spki,
       CTRequirementLevel::REQUIRED},
      // Intermediate is nameConstrained, but with an excludedSubtrees that
      // has a dirName that matches the O.
      {"leaf-o1.pem", "nc-int-exclude-o1.pem", intermediate_spki,
       CTRequirementLevel::REQUIRED},
      // Intermediate is nameConstrained, but the encoding of the
      // nameConstraint is different from the encoding of the leaf
      {"leaf-o1.pem", "nc-int-permit-bmp-o1.pem", intermediate_spki,
       CTRequirementLevel::REQUIRED},
  };

  for (const auto& test : kTestCases) {
    SCOPED_TRACE(::testing::Message()
                 << "leaf=" << test.leaf_file
                 << ",intermediate=" << test.intermediate_file);

    scoped_refptr<net::X509Certificate> leaf =
        net::ImportCertFromFile(test_directory, test.leaf_file);
    ASSERT_TRUE(leaf);

    std::vector<net::SHA256HashValue> hashes;
    net::SHA256HashValue leaf_spki_hash;
    ASSERT_TRUE(net::x509_util::CalculateSha256SpkiHash(leaf->cert_buffer(),
                                                        &leaf_spki_hash));
    hashes.push_back(std::move(leaf_spki_hash));

    // Append the intermediate to |leaf|, if any.
    if (test.intermediate_file) {
      scoped_refptr<net::X509Certificate> intermediate =
          net::ImportCertFromFile(test_directory, test.intermediate_file);
      ASSERT_TRUE(intermediate);

      net::SHA256HashValue intermediate_hash;
      ASSERT_TRUE(net::x509_util::CalculateSha256SpkiHash(
          intermediate->cert_buffer(), &intermediate_hash));
      hashes.push_back(std::move(intermediate_hash));

      std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
      intermediates.push_back(bssl::UpRef(intermediate->cert_buffer()));

      leaf = net::X509Certificate::CreateFromBuffer(
          bssl::UpRef(leaf->cert_buffer()), std::move(intermediates));
    }
    delegate->UpdateCTPolicies({}, {});

    // The default setting should require CT.
    EXPECT_EQ(CTRequirementLevel::REQUIRED,
              delegate->IsCTRequiredForHost("google.com", leaf.get(), hashes));

    delegate->UpdateCTPolicies({}, {net::HashValue(test.spki).ToString()});

    // The new setting should take effect.
    EXPECT_EQ(test.expected,
              delegate->IsCTRequiredForHost("google.com", leaf.get(), hashes));
  }
}

TEST_F(ChromeRequireCTDelegateTest, OrgRestrictionsMatchCorrectCert) {
  using CTRequirementLevel = net::RequireCTDelegate::CTRequirementLevel;
  scoped_refptr<ChromeRequireCTDelegate> delegate =
      base::MakeRefCounted<ChromeRequireCTDelegate>();

  auto [leaf, i1, i2] = net::CertBuilder::CreateSimpleChain3();

  // SEQUENCE {
  //   SET {
  //     SEQUENCE {
  //       # organizationName
  //       OBJECT_IDENTIFIER { 2.5.4.10 }
  //       UTF8String { "O1" }
  //     }
  //   }
  //   SET {
  //     SEQUENCE {
  //       # commonName
  //       OBJECT_IDENTIFIER { 2.5.4.3 }
  //       UTF8String { "Leaf" }
  //     }
  //   }
  // }
  constexpr uint8_t leaf_subject[] = {
      0x30, 0x1c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
      0x0a, 0x0c, 0x02, 0x4f, 0x31, 0x31, 0x0d, 0x30, 0x0b, 0x06,
      0x03, 0x55, 0x04, 0x03, 0x0c, 0x04, 0x4c, 0x65, 0x61, 0x66};

  // SEQUENCE {
  //   SET {
  //     SEQUENCE {
  //       # organizationName
  //       OBJECT_IDENTIFIER { 2.5.4.10 }
  //       UTF8String { "O1" }
  //     }
  //   }
  // }
  constexpr uint8_t o1_subject[] = {0x30, 0x0d, 0x31, 0x0b, 0x30,
                                    0x09, 0x06, 0x03, 0x55, 0x04,
                                    0x0a, 0x0c, 0x02, 0x4f, 0x31};

  // SEQUENCE {
  //   SET {
  //     SEQUENCE {
  //       # organizationName
  //       OBJECT_IDENTIFIER { 2.5.4.10 }
  //       UTF8String { "O2" }
  //     }
  //   }
  // }
  constexpr uint8_t o2_subject[] = {0x30, 0x0d, 0x31, 0x0b, 0x30,
                                    0x09, 0x06, 0x03, 0x55, 0x04,
                                    0x0a, 0x0c, 0x02, 0x4f, 0x32};

  leaf->SetSubjectTLV(leaf_subject);
  i1->SetSubjectTLV(o1_subject);
  i2->SetSubjectTLV(o2_subject);

  net::SHA256HashValue leaf_spki_hash;
  ASSERT_TRUE(net::x509_util::CalculateSha256SpkiHash(leaf->GetCertBuffer(),
                                                      &leaf_spki_hash));
  net::SHA256HashValue i1_spki_hash;
  ASSERT_TRUE(net::x509_util::CalculateSha256SpkiHash(i1->GetCertBuffer(),
                                                      &i1_spki_hash));
  net::SHA256HashValue i2_spki_hash;
  ASSERT_TRUE(net::x509_util::CalculateSha256SpkiHash(i2->GetCertBuffer(),
                                                      &i2_spki_hash));

  std::vector<net::SHA256HashValue> hashes;
  hashes.push_back(leaf_spki_hash);
  hashes.push_back(i1_spki_hash);
  hashes.push_back(i2_spki_hash);

  // The default setting should require CT.
  delegate->UpdateCTPolicies({}, {});
  EXPECT_EQ(
      CTRequirementLevel::REQUIRED,
      delegate->IsCTRequiredForHost(
          "google.com", leaf->GetX509CertificateFullChain().get(), hashes));

  // If the SPKI for the intermediate with O1 is excluded, CT should not be
  // required.
  delegate->UpdateCTPolicies({}, {net::HashValue(i1_spki_hash).ToString()});
  EXPECT_EQ(
      CTRequirementLevel::NOT_REQUIRED,
      delegate->IsCTRequiredForHost(
          "google.com", leaf->GetX509CertificateFullChain().get(), hashes));

  // If the SPKI for the intermediate with O2 is excluded, CT should still be
  // required.
  delegate->UpdateCTPolicies({}, {net::HashValue(i2_spki_hash).ToString()});
  EXPECT_EQ(
      CTRequirementLevel::REQUIRED,
      delegate->IsCTRequiredForHost(
          "google.com", leaf->GetX509CertificateFullChain().get(), hashes));
}

}  // namespace

}  // namespace certificate_transparency