Certificate Transparency: Start tracking logs' state

components/certificate_transparency/single_tree_tracker_unittest.cc

Index: components/certificate_transparency/single_tree_tracker_unittest.cc
diff --git a/components/certificate_transparency/single_tree_tracker_unittest.cc b/components/certificate_transparency/single_tree_tracker_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..4c3124abcb6c6d4f409ad22a3f3bfaf7a47a2eda
--- /dev/null
+++ b/components/certificate_transparency/single_tree_tracker_unittest.cc
@@ -0,0 +1,139 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/certificate_transparency/single_tree_tracker.h"
+
+#include <string>
+#include <utility>
+
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_piece.h"
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/ct_serialization.h"
+#include "net/cert/signed_certificate_timestamp.h"
+#include "net/cert/signed_tree_head.h"
+#include "net/cert/x509_certificate.h"
+#include "net/test/ct_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace certificate_transparency {
+
+namespace {
+
+const char kOldSTHSignatureData[] =
+    "0403004730450220157b2342a25f88c90b30a6b44950b3abf525fe27f03f9abfc1165a7ac"
+    "0622bbb022100e657a3fefc5a829b2946151dbcfd9e877fd0005d624f9a1a9f2079d0c134"
+    "2e08";
+
+size_t kOldSTHTreeSize = 12u;

[Sorin Jianu, 2016/05/11 17:03:39]

const?

[Eran Messeri, 2016/05/12 17:04:49]

Done.

+int64_t kOldSTHTimestamp = INT64_C(1348589665525);
+
+const char kOldSTHRootHash[] =
+    "18041bd4665083001fba8c5411d2d748e8abbfdcdfd9218cb02b68a78e7d4c23";
+
+bool GetOldSignedTreeHead(net::ct::SignedTreeHead* sth) {
+  sth->version = net::ct::SignedTreeHead::V1;
+  sth->timestamp = base::Time::UnixEpoch() +
+                   base::TimeDelta::FromMilliseconds(kOldSTHTimestamp);
+  sth->tree_size = kOldSTHTreeSize;
+
+  std::vector<uint8_t> hex_output;
+  if (!base::HexStringToBytes(kOldSTHRootHash, &hex_output))
+    return false;
+
+  std::string sha256_root_hash(hex_output.begin(), hex_output.end());

[Sorin Jianu, 2016/05/11 17:03:39]

const?

[Eran Messeri, 2016/05/12 17:04:49]

Done.

+  memcpy(sth->sha256_root_hash, sha256_root_hash.c_str(),
+         net::ct::kSthRootHashLength);
+  sth->log_id = net::ct::GetTestPublicKeyId();
+
+  hex_output.clear();
+  if (!base::HexStringToBytes(kOldSTHSignatureData, &hex_output))
+    return false;
+  std::string tree_head_signature(hex_output.begin(), hex_output.end());

[Sorin Jianu, 2016/05/11 17:03:39]

const?

[Eran Messeri, 2016/05/12 17:04:49]

Done.

+  base::StringPiece sp(tree_head_signature);
+  return DecodeDigitallySigned(&sp, &(sth->signature)) && sp.empty();

[Sorin Jianu, 2016/05/11 17:03:39]

Is && sp.empty() correct? Not sure what the logic is here, just asking to double
check.

[Eran Messeri, 2016/05/12 17:04:49]

Yes - DecodeDigitallySigned modifies the StringPiece, so not only should it
succeed, but there should be no bytes left over in the StringPiece afterwards.

+}
+
+}  // namespace
+
+class SingleTreeTrackerTest : public ::testing::Test {
+  void SetUp() override {
+    log_ = net::CTLogVerifier::Create(net::ct::GetTestPublicKey(), "testlog",
+                                      "https://ct.example.com");
+
+    ASSERT_TRUE(log_);
+    ASSERT_EQ(log_->key_id(), net::ct::GetTestPublicKeyId());
+
+    tree_tracker_.reset(new SingleTreeTracker(log_));
+    std::string der_test_cert(net::ct::GetDerEncodedX509Cert());

[Sorin Jianu, 2016/05/11 17:03:39]

const?

[Eran Messeri, 2016/05/12 17:04:49]

Done.

+    chain_ = net::X509Certificate::CreateFromBytes(der_test_cert.data(),
+                                                   der_test_cert.length());
+    ASSERT_TRUE(chain_.get());
+    net::ct::GetX509CertSCT(&cert_sct_);
+  }
+
+ protected:
+  scoped_refptr<const net::CTLogVerifier> log_;
+  std::unique_ptr<SingleTreeTracker> tree_tracker_;
+  scoped_refptr<net::X509Certificate> chain_;
+  scoped_refptr<net::ct::SignedCertificateTimestamp> cert_sct_;
+};
+
+TEST_F(SingleTreeTrackerTest, TestCorrectlyClassifiesUnobservedSCTNoSTH) {
+  EXPECT_EQ(
+      SingleTreeTracker::SCT_NOT_OBSERVED,
+      tree_tracker_->GetLogEntryInclusionStatus(chain_.get(), cert_sct_.get()));
+  tree_tracker_->OnSCTVerified(chain_.get(), cert_sct_.get());
+
+  EXPECT_EQ(
+      SingleTreeTracker::SCT_PENDING_NEWER_STH,
+      tree_tracker_->GetLogEntryInclusionStatus(chain_.get(), cert_sct_.get()));
+}
+
+TEST_F(SingleTreeTrackerTest,
+       TestCorrectlyClassifiesUnobservedSCTWithRecentSTH) {
+  net::ct::SignedTreeHead sth;
+  net::ct::GetSampleSignedTreeHead(&sth);
+  tree_tracker_->NewSTHObserved(sth);
+
+  EXPECT_EQ(
+      SingleTreeTracker::SCT_NOT_OBSERVED,
+      tree_tracker_->GetLogEntryInclusionStatus(chain_.get(), cert_sct_.get()));
+
+  tree_tracker_->OnSCTVerified(chain_.get(), cert_sct_.get());
+
+  EXPECT_EQ(
+      SingleTreeTracker::SCT_PENDING_INCLUSION_CHECK,
+      tree_tracker_->GetLogEntryInclusionStatus(chain_.get(), cert_sct_.get()));
+}
+
+TEST_F(SingleTreeTrackerTest, TestCorrectlyUpdatesSCTStatusOnNewSTH) {
+  tree_tracker_->OnSCTVerified(chain_.get(), cert_sct_.get());
+  EXPECT_EQ(
+      SingleTreeTracker::SCT_PENDING_NEWER_STH,
+      tree_tracker_->GetLogEntryInclusionStatus(chain_.get(), cert_sct_.get()));
+
+  net::ct::SignedTreeHead sth;
+  net::ct::GetSampleSignedTreeHead(&sth);
+  tree_tracker_->NewSTHObserved(sth);
+  EXPECT_EQ(
+      SingleTreeTracker::SCT_PENDING_INCLUSION_CHECK,
+      tree_tracker_->GetLogEntryInclusionStatus(chain_.get(), cert_sct_.get()));
+}
+
+TEST_F(SingleTreeTrackerTest, TestDoesNotUpdatesSCTStatusOnOldSTH) {
+  tree_tracker_->OnSCTVerified(chain_.get(), cert_sct_.get());
+  EXPECT_EQ(
+      SingleTreeTracker::SCT_PENDING_NEWER_STH,
+      tree_tracker_->GetLogEntryInclusionStatus(chain_.get(), cert_sct_.get()));
+
+  net::ct::SignedTreeHead sth;
+  GetOldSignedTreeHead(&sth);
+  tree_tracker_->NewSTHObserved(sth);
+  EXPECT_EQ(
+      SingleTreeTracker::SCT_PENDING_NEWER_STH,
+      tree_tracker_->GetLogEntryInclusionStatus(chain_.get(), cert_sct_.get()));
+}
+
+}  // namespace certificate_transparency