Add public key and signature verification to browser-side API keys

content/browser/experiments/api_key_signature_verifier_unittest.cc

Index: content/browser/experiments/api_key_signature_verifier_unittest.cc
diff --git a/content/browser/experiments/api_key_signature_verifier_unittest.cc b/content/browser/experiments/api_key_signature_verifier_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..bbe393b2b7c92601dfd599788a1b1de91a43331e
--- /dev/null
+++ b/content/browser/experiments/api_key_signature_verifier_unittest.cc
@@ -0,0 +1,72 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/browser/experiments/api_key_signature_verifier.h"
+
+#include "base/memory/scoped_ptr.h"
+#include "base/test/simple_test_clock.h"
+#include "base/time/time.h"
+#include "content/common/experiments/api_key.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace content {
+
+namespace {
+
+/*
+This is a sample public key for testing the API. The corresponding private
+key (use this to generate new samples for this test file) is
+
+    0x83, 0x67, 0xf4, 0xcd, 0x2a, 0x1f, 0x0e, 0x04, 0x0d, 0x43,
+    0x13, 0x4c, 0x67, 0xc4, 0xf4, 0x28, 0xc9, 0x90, 0x15, 0x02,
+    0xe2, 0xba, 0xfd, 0xbb, 0xfa, 0xbc, 0x92, 0x76, 0x8a, 0x2c,
+    0x4b, 0xc7, 0x75, 0x10, 0xac, 0xf9, 0x3a, 0x1c, 0xb8, 0xa9,
+    0x28, 0x70, 0xd2, 0x9a, 0xd0, 0x0b, 0x59, 0xe1, 0xac, 0x2b,
+    0xb7, 0xd5, 0xca, 0x1f, 0x64, 0x90, 0x08, 0x8e, 0xa8, 0xe0,
+    0x56, 0x3a, 0x04, 0xd0
+*/
+const uint8_t kTestPublicKey[] = {
+    0x75, 0x10, 0xac, 0xf9, 0x3a, 0x1c, 0xb8, 0xa9, 0x28, 0x70, 0xd2,
+    0x9a, 0xd0, 0x0b, 0x59, 0xe1, 0xac, 0x2b, 0xb7, 0xd5, 0xca, 0x1f,
+    0x64, 0x90, 0x08, 0x8e, 0xa8, 0xe0, 0x56, 0x3a, 0x04, 0xd0,
+};
+const size_t kTestPublicKeyLength = sizeof(kTestPublicKey);
+
+// This is a good key, signed with the above test private key.
+const char* kSampleAPIKey =
+    "UsEO0cNxoUtBnHDJdGPWTlXuLENjXcEIPL7Bs7sbvicPCcvAtyqhQuTJ9h/u1R3VZpWigtI+S"
+    "dUwk7Dyk/qbDw==|https://valid.example.com|Frobulate|1458766277";
+
+// Well-formed API key with an invalid signature.
+const char* kInvalidSignatureAPIKey =
+    "CO8hDne98QeFeOJ0DbRZCBN3uE0nyaPgaLlkYhSWnbRoDfEAg+TXELaYfQPfEvKYFauBg/hnx"
+    "mba765hz0mXMc==|https://valid.example.com|Frobulate|1458766277";
+
+}  // namespace
+
+class ApiKeySignatureVerifierTest : public testing::Test {};
+
+TEST_F(ApiKeySignatureVerifierTest, VerifyValidSignature) {
+  scoped_ptr<ApiKey> key = ApiKey::Parse(kSampleAPIKey);
+  ASSERT_TRUE(key);
+  EXPECT_TRUE(ApiKeySignatureVerifier::VerifySignature(
+      key->signature(), key->data(), kTestPublicKey, kTestPublicKeyLength));
+}
+
+TEST_F(ApiKeySignatureVerifierTest, VerifyInvalidSignature) {
+  scoped_ptr<ApiKey> key = ApiKey::Parse(kInvalidSignatureAPIKey);
+  ASSERT_TRUE(key);
+  EXPECT_FALSE(ApiKeySignatureVerifier::VerifySignature(
+      key->signature(), key->data(), kTestPublicKey, kTestPublicKeyLength));
+}
+
+TEST_F(ApiKeySignatureVerifierTest, VerifySignatureOnWrongKey) {
+  scoped_ptr<ApiKey> key = ApiKey::Parse(kSampleAPIKey);
+  ASSERT_TRUE(key);
+  // Signature will be invalid if tested against the real public key
+  EXPECT_FALSE(
+      ApiKeySignatureVerifier::VerifySignature(key->signature(), key->data()));
+}
+
+}  // namespace content