QUIC - Code to verify SCT tag with certificate transparency verifier

net/quic/crypto/proof_verifier_chromium_test.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/proof_verifier_chromium.h"
 
 #include "base/memory/ref_counted.h"
 #include "base/memory/scoped_ptr.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_data_directory.h"
 #include "net/cert/cert_policy_enforcer.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/ct_serialization.h"
+#include "net/cert/ct_verify_result.h"
 #include "net/cert/mock_cert_verifier.h"
+#include "net/cert/multi_log_ct_verifier.h"
 #include "net/cert/x509_certificate.h"
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log.h"
 #include "net/quic/crypto/proof_verifier.h"
 #include "net/test/cert_test_util.h"
+#include "net/test/ct_test_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 namespace test {
 
 namespace {
 
 // CertVerifier that will fail the test if it is ever called.
 class FailsTestCertVerifier : public CertVerifier {
  public:
@@ skipping 56 matching lines @@
 
   void Run(bool ok,
            const std::string& error_details,
            scoped_ptr<ProofVerifyDetails>* details) override {
     // Do nothing
   }
 };
 
 const char kTestHostname[] = "test.example.com";
 const char kTestConfig[] = "server config bytes";
+const char kLogDescription[] = "somelog";
 
 }  // namespace
 
 class ProofVerifierChromiumTest : public ::testing::Test {
  public:
   ProofVerifierChromiumTest()
       : verify_context_(new ProofVerifyContextChromium(0 /*cert_verify_flags*/,
                                                        BoundNetLog())) {}
 
   void SetUp() override {
+    scoped_refptr<const CTLogVerifier> log(CTLogVerifier::Create(
+        ct::GetTestPublicKey(), kLogDescription, "https://test.example.com"));
+    ASSERT_TRUE(log);
+    log_verifiers_.push_back(log);
+
+    ct_verifier_.reset(new MultiLogCTVerifier());
+    ct_verifier_->AddLogs(log_verifiers_);
+
     ASSERT_NO_FATAL_FAILURE(GetTestCertificates(&certs_));
   }
 
   scoped_refptr<X509Certificate> GetTestServerCertificate() {
     static const char kTestCert[] = "quic_test.example.com.crt";
     return ImportCertFromFile(GetTestCertsDirectory(), kTestCert);
   }
 
   void GetTestCertificates(std::vector<std::string>* certs) {
     scoped_refptr<X509Certificate> cert = GetTestServerCertificate();
@@ skipping 32 matching lines @@
         0x64, 0x3d, 0x3f, 0x98, 0xce, 0xc1, 0xa6, 0x33, 0x32, 0xd3, 0x5c, 0xa8,
         0x39, 0x93, 0xdc, 0x1c, 0xb9, 0xab, 0x3c, 0x80, 0x62, 0xb3, 0x76, 0x21,
         0xdf, 0x47, 0x1e, 0xa9, 0x0e, 0x5e, 0x8a, 0xbe, 0x66, 0x5b, 0x7c, 0x21,
         0xfa, 0x78, 0x2d, 0xd1, 0x1d, 0x5c, 0x35, 0x8a, 0x34, 0xb2, 0x1a, 0xc2,
         0xc4, 0x4b, 0x53, 0x54,
     };
     return std::string(reinterpret_cast<const char*>(kTestSignature),
                        sizeof(kTestSignature));
   }
 
+  void GetSCTTestCertificates(std::vector<std::string>* certs) {
+    std::string der_test_cert(ct::GetDerEncodedX509Cert());
+    scoped_refptr<X509Certificate> test_cert = X509Certificate::CreateFromBytes(
+        der_test_cert.data(), der_test_cert.length());
+    ASSERT_TRUE(test_cert.get());
+
+    std::string der_bytes;
+    ASSERT_TRUE(X509Certificate::GetDEREncoded(test_cert->os_cert_handle(),
+                                               &der_bytes));
+
+    certs->clear();
+    certs->push_back(der_bytes);
+  }
+
+  std::string GetSCTListForTesting() {
+    const std::string sct = ct::GetTestSignedCertificateTimestamp();
+    std::string sct_list;
+    ct::EncodeSCTListForTesting(sct, &sct_list);
+    return sct_list;
+  }
+
+  std::string GetCorruptSCTListForTesting() {
+    std::string sct = ct::GetTestSignedCertificateTimestamp();
+    sct[15] = 't';  // Corrupt a byte inside SCT.
+    std::string sct_list;
+    ct::EncodeSCTListForTesting(sct, &sct_list);
+    return sct_list;
+  }
+
+  bool CheckForSingleVerifiedSCTInResult(const ct::CTVerifyResult& result) {
+    return (result.verified_scts.size() == 1U) && result.invalid_scts.empty() &&
+           result.unknown_logs_scts.empty() &&
+           result.verified_scts[0]->log_description == kLogDescription;
+  }
+
+  bool CheckForSCTOrigin(const ct::CTVerifyResult& result,
+                         ct::SignedCertificateTimestamp::Origin origin) {
+    return (result.verified_scts.size() > 0) &&
+           (result.verified_scts[0]->origin == origin);
+  }
+
+  void CheckSCT(bool sct_expected_ok) {
+    ProofVerifyDetailsChromium* proof_details =
+        reinterpret_cast<ProofVerifyDetailsChromium*>(details_.get());
+    const ct::CTVerifyResult& ct_verify_result =
+        proof_details->ct_verify_result;
+    if (sct_expected_ok) {
+      ASSERT_TRUE(CheckForSingleVerifiedSCTInResult(ct_verify_result));
+      ASSERT_TRUE(CheckForSCTOrigin(
+          ct_verify_result,
+          ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION));
+    } else {
+      EXPECT_EQ(1U, ct_verify_result.unknown_logs_scts.size());
+    }
+  }
+
  protected:
+  scoped_ptr<MultiLogCTVerifier> ct_verifier_;
+  std::vector<scoped_refptr<const CTLogVerifier>> log_verifiers_;
   scoped_ptr<ProofVerifyContext> verify_context_;
   scoped_ptr<ProofVerifyDetails> details_;
   std::string error_details_;
   std::vector<std::string> certs_;
 };
 
 // Tests that the ProofVerifier fails verification if certificate
 // verification fails.
 TEST_F(ProofVerifierChromiumTest, FailsIfCertFails) {
   MockCertVerifier dummy_verifier;
-  ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr);
+  ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr,
+                                       ct_verifier_.get());
 
   DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
   QuicAsyncStatus status = proof_verifier.VerifyProof(
       kTestHostname, kTestConfig, certs_, "", GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, callback);
   ASSERT_EQ(QUIC_FAILURE, status);
   delete callback;
 }
 
+// Valid SCT, but invalid signature.
+TEST_F(ProofVerifierChromiumTest, ValidSCTList) {
+  // Use different certificates for SCT tests.
+  ASSERT_NO_FATAL_FAILURE(GetSCTTestCertificates(&certs_));
+
+  MockCertVerifier cert_verifier;
+  ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr,
+                                       ct_verifier_.get());
+
+  DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
+  QuicAsyncStatus status = proof_verifier.VerifyProof(
+      kTestHostname, kTestConfig, certs_, GetSCTListForTesting(), "",
+      verify_context_.get(), &error_details_, &details_, callback);
+  ASSERT_EQ(QUIC_FAILURE, status);
+  CheckSCT(/*sct_expected_ok=*/true);
+  delete callback;
+}
+
+// Invalid SCT and signature.
+TEST_F(ProofVerifierChromiumTest, InvalidSCTList) {
+  // Use different certificates for SCT tests.
+  ASSERT_NO_FATAL_FAILURE(GetSCTTestCertificates(&certs_));
+
+  MockCertVerifier cert_verifier;
+  ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr,
+                                       ct_verifier_.get());
+
+  DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
+  QuicAsyncStatus status = proof_verifier.VerifyProof(
+      kTestHostname, kTestConfig, certs_, GetCorruptSCTListForTesting(), "",
+      verify_context_.get(), &error_details_, &details_, callback);
+  ASSERT_EQ(QUIC_FAILURE, status);
+  CheckSCT(/*sct_expected_ok=*/false);
+  delete callback;
+}
+
 // Tests that the ProofVerifier doesn't verify certificates if the config
 // signature fails.
 TEST_F(ProofVerifierChromiumTest, FailsIfSignatureFails) {
   FailsTestCertVerifier cert_verifier;
-  ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr);
+  ProofVerifierChromium proof_verifier(&cert_verifier, nullptr, nullptr,
+                                       ct_verifier_.get());
 
   DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
   QuicAsyncStatus status = proof_verifier.VerifyProof(
       kTestHostname, kTestConfig, certs_, "", kTestConfig,
       verify_context_.get(), &error_details_, &details_, callback);
   ASSERT_EQ(QUIC_FAILURE, status);
   delete callback;
 }
 
 // Tests that EV certificates are left as EV if there is no certificate
 // policy enforcement.
 TEST_F(ProofVerifierChromiumTest, PreservesEVIfNoPolicy) {
   scoped_refptr<X509Certificate> test_cert = GetTestServerCertificate();
   ASSERT_TRUE(test_cert);
 
   CertVerifyResult dummy_result;
   dummy_result.verified_cert = test_cert;
   dummy_result.cert_status = CERT_STATUS_IS_EV;
 
   MockCertVerifier dummy_verifier;
   dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
 
-  ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr);
+  ProofVerifierChromium proof_verifier(&dummy_verifier, nullptr, nullptr,
+                                       ct_verifier_.get());
 
   DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
   QuicAsyncStatus status = proof_verifier.VerifyProof(
       kTestHostname, kTestConfig, certs_, "", GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, callback);
   ASSERT_EQ(QUIC_SUCCESS, status);
   delete callback;
 
   ASSERT_TRUE(details_.get());
   ProofVerifyDetailsChromium* verify_details =
@@ skipping 11 matching lines @@
   CertVerifyResult dummy_result;
   dummy_result.verified_cert = test_cert;
   dummy_result.cert_status = CERT_STATUS_IS_EV;
 
   MockCertVerifier dummy_verifier;
   dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
 
   MockCertPolicyEnforcer policy_enforcer(true /*is_ev*/);
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer,
-                                       nullptr);
+                                       nullptr, ct_verifier_.get());
 
   DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
   QuicAsyncStatus status = proof_verifier.VerifyProof(
       kTestHostname, kTestConfig, certs_, "", GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, callback);
   ASSERT_EQ(QUIC_SUCCESS, status);
   delete callback;
 
   ASSERT_TRUE(details_.get());
   ProofVerifyDetailsChromium* verify_details =
@@ skipping 11 matching lines @@
   CertVerifyResult dummy_result;
   dummy_result.verified_cert = test_cert;
   dummy_result.cert_status = CERT_STATUS_IS_EV;
 
   MockCertVerifier dummy_verifier;
   dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
 
   MockCertPolicyEnforcer policy_enforcer(false /*is_ev*/);
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer,
-                                       nullptr);
+                                       nullptr, ct_verifier_.get());
 
   DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
   QuicAsyncStatus status = proof_verifier.VerifyProof(
       kTestHostname, kTestConfig, certs_, "", GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, callback);
   ASSERT_EQ(QUIC_SUCCESS, status);
   delete callback;
 
   ASSERT_TRUE(details_.get());
   ProofVerifyDetailsChromium* verify_details =
@@ skipping 12 matching lines @@
   CertVerifyResult dummy_result;
   dummy_result.verified_cert = test_cert;
   dummy_result.cert_status = 0;
 
   MockCertVerifier dummy_verifier;
   dummy_verifier.AddResultForCert(test_cert.get(), dummy_result, OK);
 
   FailsTestCertPolicyEnforcer policy_enforcer;
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &policy_enforcer,
-                                       nullptr);
+                                       nullptr, ct_verifier_.get());
 
   DummyProofVerifierCallback* callback = new DummyProofVerifierCallback;
   QuicAsyncStatus status = proof_verifier.VerifyProof(
       kTestHostname, kTestConfig, certs_, "", GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, callback);
   ASSERT_EQ(QUIC_SUCCESS, status);
   delete callback;
 
   ASSERT_TRUE(details_.get());
   ProofVerifyDetailsChromium* verify_details =
       static_cast<ProofVerifyDetailsChromium*>(details_.get());
   EXPECT_EQ(0u, verify_details->cert_verify_result.cert_status);
 }
 
 }  // namespace test
 }  // namespace net