components/cast_certificate/cast_crl_unittest.cc - Issue 2050983002: Cast device revocation checking.

Side by Side Diff: components/cast_certificate/cast_crl_unittest.cc

Issue 2050983002: Cast device revocation checking. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Fixed proto again Created 4 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« components/cast_certificate/cast_crl_root_ca_cert_der-inc.h ('K') | « components/cast_certificate/cast_crl_root_ca_cert_der-inc.h ('k') | components/cast_certificate/proto/BUILD.gn » ('j') | components/test/data/cast_certificate/certificates/cast_crl_test_root_ca.pem » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright 2016 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "base/time/time.h"

	6 #include "components/cast_certificate/cast_cert_validator.h"

	7 #include "components/cast_certificate/cast_cert_validator_test_helpers.h"

	8 #include "components/cast_certificate/cast_crl.h"

	9 #include "components/cast_certificate/proto/test_suite.pb.h"

	10 #include "testing/gtest/include/gtest/gtest.h"

	11

	12 namespace cast_certificate {

	13 namespace {

	14

	15 // Converts uint64_t UTC time to Exploded time.
	eroman 2016/07/15 22:52:49 same comment regarding UTC time (I think the termi same comment regarding UTC time (I think the terminology is "unix timestamp" ryanchung 2016/07/18 23:39:08 Done. Show quoted text On 2016/07/15 22:52:49, eroman wrote: > same comment regarding UTC time (I think the terminology is "unix timestamp" Done.
	16 base::Time::Exploded ConvertUTC(uint64_t time) {

	17 base::Time utc_time =

	18 base::Time::UnixEpoch() + base::TimeDelta::FromMilliseconds(time);

	19 base::Time::Exploded result;

	20 utc_time.UTCExplode(&result);

	21 return result;

	22 }

	23 // Indicates the expected result of test step's verification.

	24 enum TestStepResult {

	25 RESULT_SUCCESS,

	26 RESULT_FAIL,

	27 };

	28

	29 // Verifies that the provided certificate chain is valid at the specified time

	30 // and chains up to a trust anchor.

	31 bool TestVerifyCertificate(TestStepResult expected_result,

	32 const std::vector<std::string>& certificate_chain,

	33 const base::Time::Exploded& time) {

	34 std::unique_ptr<CertVerificationContext> context;

	35 CastDeviceCertPolicy policy;

	36 bool result = VerifyDeviceCert(certificate_chain, time, &context, &policy,

	37 nullptr, CRLPolicy::CRL_OPTIONAL);

	38 if (expected_result != RESULT_SUCCESS) {

	39 EXPECT_FALSE(result);

	40 return !result;

	41 }

	42 EXPECT_TRUE(result);

	43 return result;

	44 }

	45

	46 // Verifies that the provided Cast CRL is signed by a trusted issuer

	47 // and that the CRL can be parsed successfully.

	48 // The validity of the CRL is also checked at the specified time.

	49 bool TestVerifyCRL(TestStepResult expected_result,

	50 const std::string& crl_bundle,

	51 const base::Time::Exploded& time) {

	52 std::unique_ptr<CastCRL> crl = ParseAndVerifyCRL(crl_bundle, time);

	53 if (expected_result != RESULT_SUCCESS) {

	54 EXPECT_EQ(crl, nullptr);

	55 return crl == nullptr;

	56 }

	57 EXPECT_NE(crl, nullptr);

	58 return crl != nullptr;

	59 }

	60

	61 // Verifies that the certificate chain provided is not revoked according to

	62 // the provided Cast CRL at \|cert_time\|.

	63 // The provided CRL is verified at \|crl_time\|.

	64 // If \|crl_required\| is set, then a valid Cast CRL must be provided.

	65 // Otherwise, a missing CRL is be ignored.

	66 bool TestVerifyRevocation(TestStepResult expected_result,

	67 const std::vector<std::string>& certificate_chain,

	68 const std::string& crl_bundle,

	69 const base::Time::Exploded& crl_time,

	70 const base::Time::Exploded& cert_time,

	71 bool crl_required) {

	72 std::unique_ptr<CastCRL> crl;

	73 if (!crl_bundle.empty()) {

	74 crl = ParseAndVerifyCRL(crl_bundle, crl_time);

	75 EXPECT_NE(crl.get(), nullptr);

	76 }

	77

	78 std::unique_ptr<CertVerificationContext> context;

	79 CastDeviceCertPolicy policy;

	80 CRLPolicy crl_policy = CRLPolicy::CRL_REQUIRED;

	81 if (!crl_required)

	82 crl_policy = CRLPolicy::CRL_OPTIONAL;

	83 int result = VerifyDeviceCert(certificate_chain, cert_time, &context, &policy,

	84 crl.get(), crl_policy);

	85 if (expected_result != RESULT_SUCCESS) {

	86 EXPECT_FALSE(result);

	87 return !result;

	88 }

	89 EXPECT_TRUE(result);

	90 return result;

	91 }

	92

	93 // Runs a single test case.

	94 bool RunTest(const DeviceCertTest& test_case) {

	95 bool use_test_trust_anchors = test_case.use_test_trust_anchors();

	96 if (use_test_trust_anchors) {

	97 const auto crl_test_root =

	98 cast_certificate::testing::ReadCertificateChainFromFile(

	99 "certificates/cast_crl_test_root_ca.pem");

	100 EXPECT_EQ(crl_test_root.size(), 1u);

	101 EXPECT_TRUE(SetCRLTrustAnchorForTest(crl_test_root[0]));

	102 const auto cast_test_root =

	103 cast_certificate::testing::ReadCertificateChainFromFile(

	104 "certificates/cast_test_root_ca.pem");

	105 EXPECT_EQ(cast_test_root.size(), 1u);

	106 EXPECT_TRUE(SetTrustAnchorForTest(cast_test_root[0]));

	107 }

	108

	109 VerificationResult expected_result = test_case.expected_result();

	110

	111 std::vector<std::string> certificate_chain;

	112 for (auto const& cert : test_case.der_cert_path()) {

	113 certificate_chain.push_back(cert);

	114 }

	115

	116 base::Time::Exploded cert_exploded_time =

	117 ConvertUTC(test_case.cert_verification_time_seconds() * 1000);

	118

	119 uint64_t crl_verify_time = test_case.crl_verification_time_seconds() * 1000;

	120 base::Time::Exploded crl_exploded_time = ConvertUTC(crl_verify_time);

	121 if (crl_verify_time == 0)

	122 crl_exploded_time = cert_exploded_time;

	123

	124 std::string crl_bundle = test_case.crl_bundle();

	125 switch (expected_result) {

	126 case PATH_VERIFICATION_FAILED:

	127 return TestVerifyCertificate(RESULT_FAIL, certificate_chain,

	128 cert_exploded_time);

	129 break;

	130 case CRL_VERIFICATION_FAILED:

	131 return TestVerifyCRL(RESULT_FAIL, crl_bundle, crl_exploded_time);

	132 break;

	133 case REVOCATION_CHECK_FAILED_WITHOUT_CRL:

	134 return TestVerifyCertificate(RESULT_SUCCESS, certificate_chain,

	135 cert_exploded_time) &&

	136 TestVerifyCRL(RESULT_FAIL, crl_bundle, crl_exploded_time) &&

	137 TestVerifyRevocation(RESULT_FAIL, certificate_chain, crl_bundle,

	138 crl_exploded_time, cert_exploded_time, true);

	139 break;

	140 case REVOCATION_CHECK_FAILED:

	141 return TestVerifyCertificate(RESULT_SUCCESS, certificate_chain,

	142 cert_exploded_time) &&

	143 TestVerifyCRL(RESULT_SUCCESS, crl_bundle, crl_exploded_time) &&

	144 TestVerifyRevocation(RESULT_FAIL, certificate_chain, crl_bundle,

	145 crl_exploded_time, cert_exploded_time, false);

	146 break;

	147 case SUCCESS:

	148 return (crl_bundle.empty() \|\|

	149 TestVerifyCRL(RESULT_SUCCESS, crl_bundle, crl_exploded_time)) &&

	150 TestVerifyCertificate(RESULT_SUCCESS, certificate_chain,

	151 cert_exploded_time) &&

	152 TestVerifyRevocation(RESULT_SUCCESS, certificate_chain, crl_bundle,

	153 crl_exploded_time, cert_exploded_time,

	154 !crl_bundle.empty());

	155 break;

	156 case UNSPECIFIED:

	157 return false;

	158 break;

	159 }

	160 return false;

	161 }

	162

	163 // Parses the provided test suite provided in wire-format proto.
	eroman 2016/07/15 22:52:49 FYI: I didn't review the unit-tests in as much det FYI: I didn't review the unit-tests in as much detail, relying on sheretov to have given a good design review of this protobuf approach. ryanchung 2016/07/18 23:39:08 We decided to use this proto test-suite approach s Show quoted text On 2016/07/15 22:52:49, eroman wrote: > FYI: I didn't review the unit-tests in as much detail, relying on sheretov to > have given a good design review of this protobuf approach. We decided to use this proto test-suite approach so that the same sets of inputs/expected-values can be run through the different implementations we have (eg. iOS, java, chromium).
	164 // Each test contains the inputs and the expected output.

	165 // To see the description of the test, execute the test.

	166 // These tests are generated by a test generator in google3.

	167 void RunTestSuite(const std::string& test_suite_file_name) {

	168 std::string testsuite_raw =

	169 cast_certificate::testing::ReadTestFileToString(test_suite_file_name);

	170 DeviceCertTestSuite test_suite;

	171 EXPECT_TRUE(test_suite.ParseFromString(testsuite_raw));

	172 uint16_t success = 0;

	173 uint16_t failed = 0;

	174 std::vector<std::string> failed_tests;

	175

	176 for (auto const& test_case : test_suite.tests()) {

	177 LOG(INFO) << "[ RUN ] " << test_case.description();

	178 bool result = RunTest(test_case);

	179 EXPECT_TRUE(result);

	180 if (!result) {

	181 LOG(INFO) << "[ FAILED ] " << test_case.description();

	182 ++failed;

	183 failed_tests.push_back(test_case.description());

	184 } else {

	185 LOG(INFO) << "[ PASSED ] " << test_case.description();

	186 ++success;

	187 }

	188 }

	189 LOG(INFO) << "[ PASSED ] " << success << " test(s).";

	190 if (failed) {

	191 LOG(INFO) << "[ FAILED ] " << failed << " test(s), listed below:";

	192 for (const auto& failed_test : failed_tests) {

	193 LOG(INFO) << "[ FAILED ] " << failed_test;

	194 }

	195 }

	196 }

	197

	198 TEST(CastCertificateTest, TestSuite1) {

	199 RunTestSuite("testsuite/testsuite1.pb");

	200 }

	201

	202 } // namespace

	203

	204 } // namespace cast_certificate

OLD	NEW