| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/multi_log_ct_verifier.h" | 5 #include "net/cert/multi_log_ct_verifier.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
| 10 #include "base/files/file_util.h" | 10 #include "base/files/file_util.h" |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 63 der_test_cert.length()); | 63 der_test_cert.length()); |
| 64 ASSERT_TRUE(chain_.get()); | 64 ASSERT_TRUE(chain_.get()); |
| 65 | 65 |
| 66 embedded_sct_chain_ = | 66 embedded_sct_chain_ = |
| 67 CreateCertificateChainFromFile(GetTestCertsDirectory(), | 67 CreateCertificateChainFromFile(GetTestCertsDirectory(), |
| 68 "ct-test-embedded-cert.pem", | 68 "ct-test-embedded-cert.pem", |
| 69 X509Certificate::FORMAT_AUTO); | 69 X509Certificate::FORMAT_AUTO); |
| 70 ASSERT_TRUE(embedded_sct_chain_.get()); | 70 ASSERT_TRUE(embedded_sct_chain_.get()); |
| 71 } | 71 } |
| 72 | 72 |
| 73 bool CheckForSingleVerifiedSCTInResult(const ct::CTVerifyResult& result) { |
| 74 return (result.verified_scts.size() == 1U) && |
| 75 result.invalid_scts.empty() && |
| 76 result.unknown_logs_scts.empty() && |
| 77 result.verified_scts[0]->log_description == kLogDescription; |
| 78 } |
| 79 |
| 80 bool CheckForSCTOrigin( |
| 81 const ct::CTVerifyResult& result, |
| 82 ct::SignedCertificateTimestamp::Origin origin) { |
| 83 return (result.verified_scts.size() > 0) && |
| 84 (result.verified_scts[0]->origin == origin); |
| 85 } |
| 86 |
| 73 bool CheckForEmbeddedSCTInNetLog(TestNetLog& net_log) { | 87 bool CheckForEmbeddedSCTInNetLog(TestNetLog& net_log) { |
| 74 TestNetLogEntry::List entries; | 88 TestNetLogEntry::List entries; |
| 75 net_log.GetEntries(&entries); | 89 net_log.GetEntries(&entries); |
| 76 if (entries.size() != 2) | 90 if (entries.size() != 2) |
| 77 return false; | 91 return false; |
| 78 | 92 |
| 79 const TestNetLogEntry& received = entries[0]; | 93 const TestNetLogEntry& received = entries[0]; |
| 80 std::string embedded_scts; | 94 std::string embedded_scts; |
| 81 if (!received.GetStringValue("embedded_scts", &embedded_scts)) | 95 if (!received.GetStringValue("embedded_scts", &embedded_scts)) |
| 82 return false; | 96 return false; |
| (...skipping 24 matching lines...) Expand all Loading... |
| 107 } | 121 } |
| 108 | 122 |
| 109 if (!parsed.GetListValue("unknown_logs_scts", &other_scts) || | 123 if (!parsed.GetListValue("unknown_logs_scts", &other_scts) || |
| 110 !other_scts->empty()) { | 124 !other_scts->empty()) { |
| 111 return false; | 125 return false; |
| 112 } | 126 } |
| 113 | 127 |
| 114 return true; | 128 return true; |
| 115 } | 129 } |
| 116 | 130 |
| 131 std::string GetSCTListWithInvalidSCT() { |
| 132 std::string sct(ct::GetTestSignedCertificateTimestamp()); |
| 133 |
| 134 // Change a byte inside the Log ID part of the SCT so it does |
| 135 // not match the log used in the tests |
| 136 sct[15] = 't'; |
| 137 |
| 138 std::string sct_list; |
| 139 ct::EncodeSCTListForTesting(sct, &sct_list); |
| 140 return sct_list; |
| 141 } |
| 142 |
| 117 bool VerifySinglePrecertificateChain(scoped_refptr<X509Certificate> chain, | 143 bool VerifySinglePrecertificateChain(scoped_refptr<X509Certificate> chain, |
| 118 const BoundNetLog& bound_net_log, | 144 const BoundNetLog& bound_net_log, |
| 119 ct::CTVerifyResult* result) { | 145 ct::CTVerifyResult* result) { |
| 120 return verifier_->Verify(chain.get(), | 146 return verifier_->Verify(chain.get(), |
| 121 std::string(), | 147 std::string(), |
| 122 std::string(), | 148 std::string(), |
| 123 result, | 149 result, |
| 124 bound_net_log) == OK; | 150 bound_net_log) == OK; |
| 125 } | 151 } |
| 126 | 152 |
| 127 bool VerifySinglePrecertificateChain(scoped_refptr<X509Certificate> chain) { | 153 bool VerifySinglePrecertificateChain(scoped_refptr<X509Certificate> chain) { |
| 128 ct::CTVerifyResult result; | 154 ct::CTVerifyResult result; |
| 129 TestNetLog net_log; | 155 TestNetLog net_log; |
| 130 BoundNetLog bound_net_log = | 156 BoundNetLog bound_net_log = |
| 131 BoundNetLog::Make(&net_log, NetLog::SOURCE_CONNECT_JOB); | 157 BoundNetLog::Make(&net_log, NetLog::SOURCE_CONNECT_JOB); |
| 132 | 158 |
| 133 return verifier_->Verify(chain.get(), | 159 return verifier_->Verify(chain.get(), |
| 134 std::string(), | 160 std::string(), |
| 135 std::string(), | 161 std::string(), |
| 136 &result, | 162 &result, |
| 137 bound_net_log) == OK; | 163 bound_net_log) == OK; |
| 138 } | 164 } |
| 139 | 165 |
| 140 bool CheckPrecertificateVerification(scoped_refptr<X509Certificate> chain) { | 166 bool CheckPrecertificateVerification(scoped_refptr<X509Certificate> chain) { |
| 141 ct::CTVerifyResult result; | 167 ct::CTVerifyResult result; |
| 142 TestNetLog net_log; | 168 TestNetLog net_log; |
| 143 BoundNetLog bound_net_log = | 169 BoundNetLog bound_net_log = |
| 144 BoundNetLog::Make(&net_log, NetLog::SOURCE_CONNECT_JOB); | 170 BoundNetLog::Make(&net_log, NetLog::SOURCE_CONNECT_JOB); |
| 145 return (VerifySinglePrecertificateChain(chain, bound_net_log, &result) && | 171 return (VerifySinglePrecertificateChain(chain, bound_net_log, &result) && |
| 146 ct::CheckForSingleVerifiedSCTInResult(result, kLogDescription) && | 172 CheckForSingleVerifiedSCTInResult(result) && |
| 147 ct::CheckForSCTOrigin( | 173 CheckForSCTOrigin(result, |
| 148 result, ct::SignedCertificateTimestamp::SCT_EMBEDDED) && | 174 ct::SignedCertificateTimestamp::SCT_EMBEDDED) && |
| 149 CheckForEmbeddedSCTInNetLog(net_log)); | 175 CheckForEmbeddedSCTInNetLog(net_log)); |
| 150 } | 176 } |
| 151 | 177 |
| 152 // Histogram-related helper methods | 178 // Histogram-related helper methods |
| 153 int GetValueFromHistogram(const std::string& histogram_name, | 179 int GetValueFromHistogram(const std::string& histogram_name, |
| 154 int sample_index) { | 180 int sample_index) { |
| 155 base::Histogram* histogram = static_cast<base::Histogram*>( | 181 base::Histogram* histogram = static_cast<base::Histogram*>( |
| 156 base::StatisticsRecorder::FindHistogram(histogram_name)); | 182 base::StatisticsRecorder::FindHistogram(histogram_name)); |
| 157 | 183 |
| 158 if (histogram == NULL) | 184 if (histogram == NULL) |
| (...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 208 TEST_F(MultiLogCTVerifierTest, | 234 TEST_F(MultiLogCTVerifierTest, |
| 209 VerifiesEmbeddedSCTWithIntermediateAndPreCA) { | 235 VerifiesEmbeddedSCTWithIntermediateAndPreCA) { |
| 210 scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile( | 236 scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile( |
| 211 GetTestCertsDirectory(), | 237 GetTestCertsDirectory(), |
| 212 "ct-test-embedded-with-intermediate-preca-chain.pem", | 238 "ct-test-embedded-with-intermediate-preca-chain.pem", |
| 213 X509Certificate::FORMAT_AUTO)); | 239 X509Certificate::FORMAT_AUTO)); |
| 214 ASSERT_TRUE(chain.get()); | 240 ASSERT_TRUE(chain.get()); |
| 215 ASSERT_TRUE(CheckPrecertificateVerification(chain)); | 241 ASSERT_TRUE(CheckPrecertificateVerification(chain)); |
| 216 } | 242 } |
| 217 | 243 |
| 218 TEST_F(MultiLogCTVerifierTest, VerifiesSCTOverX509Cert) { | 244 TEST_F(MultiLogCTVerifierTest, |
| 219 std::string sct_list = ct::GetSCTListForTesting(); | 245 VerifiesSCTOverX509Cert) { |
| 246 std::string sct(ct::GetTestSignedCertificateTimestamp()); |
| 247 |
| 248 std::string sct_list; |
| 249 ASSERT_TRUE(ct::EncodeSCTListForTesting(sct, &sct_list)); |
| 220 | 250 |
| 221 ct::CTVerifyResult result; | 251 ct::CTVerifyResult result; |
| 222 EXPECT_EQ(OK, | 252 EXPECT_EQ(OK, |
| 223 verifier_->Verify( | 253 verifier_->Verify( |
| 224 chain_.get(), std::string(), sct_list, &result, BoundNetLog())); | 254 chain_.get(), std::string(), sct_list, &result, BoundNetLog())); |
| 225 ASSERT_TRUE(ct::CheckForSingleVerifiedSCTInResult(result, kLogDescription)); | 255 ASSERT_TRUE(CheckForSingleVerifiedSCTInResult(result)); |
| 226 ASSERT_TRUE(ct::CheckForSCTOrigin( | 256 ASSERT_TRUE(CheckForSCTOrigin( |
| 227 result, ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION)); | 257 result, ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION)); |
| 228 } | 258 } |
| 229 | 259 |
| 230 TEST_F(MultiLogCTVerifierTest, IdentifiesSCTFromUnknownLog) { | 260 TEST_F(MultiLogCTVerifierTest, |
| 231 std::string sct_list = ct::GetSCTListWithInvalidSCT(); | 261 IdentifiesSCTFromUnknownLog) { |
| 262 std::string sct_list = GetSCTListWithInvalidSCT(); |
| 232 ct::CTVerifyResult result; | 263 ct::CTVerifyResult result; |
| 233 | 264 |
| 234 EXPECT_NE(OK, | 265 EXPECT_NE(OK, |
| 235 verifier_->Verify( | 266 verifier_->Verify( |
| 236 chain_.get(), std::string(), sct_list, &result, BoundNetLog())); | 267 chain_.get(), std::string(), sct_list, &result, BoundNetLog())); |
| 237 EXPECT_EQ(1U, result.unknown_logs_scts.size()); | 268 EXPECT_EQ(1U, result.unknown_logs_scts.size()); |
| 238 EXPECT_EQ("", result.unknown_logs_scts[0]->log_description); | 269 EXPECT_EQ("", result.unknown_logs_scts[0]->log_description); |
| 239 } | 270 } |
| 240 | 271 |
| 241 TEST_F(MultiLogCTVerifierTest, CountsValidSCTsInStatusHistogram) { | 272 TEST_F(MultiLogCTVerifierTest, CountsValidSCTsInStatusHistogram) { |
| 242 int num_valid_scts = NumValidSCTsInStatusHistogram(); | 273 int num_valid_scts = NumValidSCTsInStatusHistogram(); |
| 243 | 274 |
| 244 ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_)); | 275 ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_)); |
| 245 | 276 |
| 246 EXPECT_EQ(num_valid_scts + 1, NumValidSCTsInStatusHistogram()); | 277 EXPECT_EQ(num_valid_scts + 1, NumValidSCTsInStatusHistogram()); |
| 247 } | 278 } |
| 248 | 279 |
| 249 TEST_F(MultiLogCTVerifierTest, CountsInvalidSCTsInStatusHistogram) { | 280 TEST_F(MultiLogCTVerifierTest, CountsInvalidSCTsInStatusHistogram) { |
| 250 std::string sct_list = ct::GetSCTListWithInvalidSCT(); | 281 std::string sct_list = GetSCTListWithInvalidSCT(); |
| 251 ct::CTVerifyResult result; | 282 ct::CTVerifyResult result; |
| 252 int num_valid_scts = NumValidSCTsInStatusHistogram(); | 283 int num_valid_scts = NumValidSCTsInStatusHistogram(); |
| 253 int num_invalid_scts = GetValueFromHistogram( | 284 int num_invalid_scts = GetValueFromHistogram( |
| 254 "Net.CertificateTransparency.SCTStatus", ct::SCT_STATUS_LOG_UNKNOWN); | 285 "Net.CertificateTransparency.SCTStatus", ct::SCT_STATUS_LOG_UNKNOWN); |
| 255 | 286 |
| 256 EXPECT_NE(OK, | 287 EXPECT_NE(OK, |
| 257 verifier_->Verify( | 288 verifier_->Verify( |
| 258 chain_.get(), std::string(), sct_list, &result, BoundNetLog())); | 289 chain_.get(), std::string(), sct_list, &result, BoundNetLog())); |
| 259 | 290 |
| 260 ASSERT_EQ(num_valid_scts, NumValidSCTsInStatusHistogram()); | 291 ASSERT_EQ(num_valid_scts, NumValidSCTsInStatusHistogram()); |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 299 Mock::VerifyAndClearExpectations(&observer); | 330 Mock::VerifyAndClearExpectations(&observer); |
| 300 | 331 |
| 301 EXPECT_CALL(observer, OnSCTVerified(embedded_sct_chain_.get(), _)).Times(0); | 332 EXPECT_CALL(observer, OnSCTVerified(embedded_sct_chain_.get(), _)).Times(0); |
| 302 verifier_->SetObserver(nullptr); | 333 verifier_->SetObserver(nullptr); |
| 303 ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_)); | 334 ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_)); |
| 304 } | 335 } |
| 305 | 336 |
| 306 } // namespace | 337 } // namespace |
| 307 | 338 |
| 308 } // namespace net | 339 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1517593002:
Revert of CT Verify test utilities change - Moved the following common functions (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master