Chromium Code Reviews| Index: net/quic/crypto/proof_test.cc |
| diff --git a/net/quic/crypto/proof_test.cc b/net/quic/crypto/proof_test.cc |
| index 3a7db6fbd83b0ec96bd73cd1365a0df0ad67a799..5e4aa391f4975d4b21feb8d93997d358786e4451 100644 |
| --- a/net/quic/crypto/proof_test.cc |
| +++ b/net/quic/crypto/proof_test.cc |
| @@ -14,6 +14,7 @@ |
| #include "net/quic/crypto/proof_verifier.h" |
| #include "net/quic/test_tools/crypto_test_utils.h" |
| #include "net/test/cert_test_util.h" |
| +#include "net/test/ct_test_util.h" |
| #include "testing/gtest/include/gtest/gtest.h" |
| #if defined(OS_WIN) |
| @@ -60,6 +61,7 @@ void RunVerification(ProofVerifier* verifier, |
| const string& hostname, |
| const string& server_config, |
| const vector<string>& certs, |
| + const string& cert_sct, |
| const string& proof, |
| bool expected_ok) { |
| scoped_ptr<ProofVerifyDetails> details; |
| @@ -72,7 +74,7 @@ void RunVerification(ProofVerifier* verifier, |
| new TestProofVerifierCallback(&comp_callback, &ok, &error_details); |
| QuicAsyncStatus status = verifier->VerifyProof( |
| - hostname, server_config, certs, "", proof, verify_context.get(), |
| + hostname, server_config, certs, cert_sct, proof, verify_context.get(), |
| &error_details, &details, callback); |
| switch (status) { |
| @@ -133,28 +135,30 @@ TEST(ProofTest, DISABLED_Verify) { |
| ASSERT_EQ(signature, first_signature); |
| ASSERT_EQ(first_cert_sct, cert_sct); |
| - RunVerification( |
| - verifier.get(), hostname, server_config, *certs, signature, true); |
| + RunVerification(verifier.get(), hostname, server_config, *certs, cert_sct, |
| + signature, true); |
| - RunVerification( |
| - verifier.get(), "foo.com", server_config, *certs, signature, false); |
| + RunVerification(verifier.get(), "foo.com", server_config, *certs, cert_sct, |
| + signature, false); |
| - RunVerification( |
| - verifier.get(), server_config.substr(1, string::npos), server_config, |
| - *certs, signature, false); |
| + RunVerification(verifier.get(), server_config.substr(1, string::npos), |
| + server_config, *certs, cert_sct, signature, false); |
| + |
| + // We don't generate errors for corrupt SCT. |
|
Eran Messeri
2015/11/18 11:14:00
Can you / should you dig into the ProofVerifyDetai
ramant (doing other things)
2015/11/21 00:27:02
Hi Eran,
This is shared code with internal serve
|
| + const string corrupt_cert_sct = "1" + cert_sct; |
| + RunVerification(verifier.get(), "foo.com", server_config, *certs, |
| + corrupt_cert_sct, signature, true); |
| const string corrupt_signature = "1" + signature; |
| - RunVerification( |
| - verifier.get(), hostname, server_config, *certs, corrupt_signature, |
| - false); |
| + RunVerification(verifier.get(), hostname, server_config, *certs, cert_sct, |
| + corrupt_signature, false); |
| vector<string> wrong_certs; |
| for (size_t i = 1; i < certs->size(); i++) { |
| wrong_certs.push_back((*certs)[i]); |
| } |
| - RunVerification( |
| - verifier.get(), "foo.com", server_config, wrong_certs, corrupt_signature, |
| - false); |
| + RunVerification(verifier.get(), "foo.com", server_config, wrong_certs, |
| + corrupt_cert_sct, corrupt_signature, false); |
| } |
| // A known answer test that allows us to test ProofVerifier without a working |
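Review bot: The corrupt-SCT call added in `DISABLED_Verify` passes `"foo.com"` as the hostname yet expects `true`, while the call a few lines above with the same `"foo.com"` and an intact `cert_sct` expects `false`. Both known-answer tests use `hostname` for this case, so this looks like a copy-paste slip that goes unnoticed only because the test is disabled. It should read `RunVerification(verifier.get(), hostname, server_config, *certs, corrupt_cert_sct, signature, true);`. As written, the expectation says a hostname mismatch is accepted, which would either fail or mislead if the test is re-enabled. The test body starts before this hunk.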
| @@ -245,6 +249,8 @@ TEST(ProofTest, VerifyRSAKnownAnswerTest) { |
| certs[0] = LoadTestCert("test.example.com.crt"); |
| certs[1] = LoadTestCert("intermediate.crt"); |
| + const string cert_sct = ct::GetTestSignedCertificateTimestamp(); |
| + |
| // Signatures are nondeterministic, so we test multiple signatures on the |
| // same server_config. |
| vector<string> signatures(3); |
| @@ -258,25 +264,29 @@ TEST(ProofTest, VerifyRSAKnownAnswerTest) { |
| for (size_t i = 0; i < signatures.size(); i++) { |
| const string& signature = signatures[i]; |
| - RunVerification( |
| - verifier.get(), hostname, server_config, certs, signature, true); |
| - RunVerification( |
| - verifier.get(), "foo.com", server_config, certs, signature, false); |
| - RunVerification( |
| - verifier.get(), hostname, server_config.substr(1, string::npos), |
| - certs, signature, false); |
| + RunVerification(verifier.get(), hostname, server_config, certs, cert_sct, |
| + signature, true); |
| + RunVerification(verifier.get(), "foo.com", server_config, certs, cert_sct, |
| + signature, false); |
| + RunVerification(verifier.get(), hostname, |
| + server_config.substr(1, string::npos), certs, cert_sct, |
| + signature, false); |
| + |
| + // We don't generate errors for corrupt SCT. |
| + const string corrupt_cert_sct = "1" + cert_sct; |
| + RunVerification(verifier.get(), hostname, server_config, certs, |
| + corrupt_cert_sct, signature, true); |
| const string corrupt_signature = "1" + signature; |
| - RunVerification( |
| - verifier.get(), hostname, server_config, certs, corrupt_signature, |
| - false); |
| + RunVerification(verifier.get(), hostname, server_config, certs, cert_sct, |
| + corrupt_signature, false); |
| vector<string> wrong_certs; |
| for (size_t i = 1; i < certs.size(); i++) { |
| wrong_certs.push_back(certs[i]); |
| } |
| RunVerification(verifier.get(), hostname, server_config, wrong_certs, |
| - signature, false); |
| + cert_sct, signature, false); |
| } |
| } |
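Review bot: Every call in this loop now passes a non-empty `cert_sct`, so the case where no SCT is supplied is no longer exercised. Before this change `RunVerification` always handed `""` to `VerifyProof`, and the `true` expectations covered that path. An absent SCT is presumably still a legitimate input, so I would keep one explicit case next to the corrupt-SCT check: `RunVerification(verifier.get(), hostname, server_config, certs, "", signature, true);`. The same gap applies to the loop in `VerifyECDSAKnownAnswerTest`. The test body starts before this hunk.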
| @@ -327,6 +337,8 @@ TEST(ProofTest, VerifyECDSAKnownAnswerTest) { |
| certs[0] = LoadTestCert("test_ecc.example.com.crt"); |
| certs[1] = LoadTestCert("intermediate.crt"); |
| + const string cert_sct = ct::GetTestSignedCertificateTimestamp(); |
| + |
| // Signatures are nondeterministic, so we test multiple signatures on the |
| // same server_config. |
| vector<string> signatures(3); |
| @@ -340,35 +352,37 @@ TEST(ProofTest, VerifyECDSAKnownAnswerTest) { |
| for (size_t i = 0; i < signatures.size(); i++) { |
| const string& signature = signatures[i]; |
| - RunVerification( |
| - verifier.get(), hostname, server_config, certs, signature, true); |
| - RunVerification( |
| - verifier.get(), "foo.com", server_config, certs, signature, false); |
| - RunVerification( |
| - verifier.get(), hostname, server_config.substr(1, string::npos), |
| - certs, signature, false); |
| + RunVerification(verifier.get(), hostname, server_config, certs, cert_sct, |
| + signature, true); |
| + RunVerification(verifier.get(), "foo.com", server_config, certs, cert_sct, |
| + signature, false); |
| + RunVerification(verifier.get(), hostname, |
| + server_config.substr(1, string::npos), certs, cert_sct, |
| + signature, false); |
| + |
| + // We don't generate errors for corrupt SCT. |
| + const string corrupt_cert_sct = "1" + cert_sct; |
| + RunVerification(verifier.get(), hostname, server_config, certs, |
| + corrupt_cert_sct, signature, true); |
| // An ECDSA signature is DER-encoded. Corrupt the last byte so that the |
| // signature can still be DER-decoded correctly. |
| string corrupt_signature = signature; |
| corrupt_signature[corrupt_signature.size() - 1] += 1; |
| - RunVerification( |
| - verifier.get(), hostname, server_config, certs, corrupt_signature, |
| - false); |
| + RunVerification(verifier.get(), hostname, server_config, certs, cert_sct, |
| + corrupt_signature, false); |
| // Prepending a "1" makes the DER invalid. |
| const string bad_der_signature1 = "1" + signature; |
| - RunVerification( |
| - verifier.get(), hostname, server_config, certs, bad_der_signature1, |
| - false); |
| + RunVerification(verifier.get(), hostname, server_config, certs, cert_sct, |
| + bad_der_signature1, false); |
| vector<string> wrong_certs; |
| for (size_t i = 1; i < certs.size(); i++) { |
| wrong_certs.push_back(certs[i]); |
| } |
| - RunVerification( |
| - verifier.get(), hostname, server_config, wrong_certs, signature, |
| - false); |
| + RunVerification(verifier.get(), hostname, server_config, wrong_certs, |
| + cert_sct, signature, false); |
| } |
| } |