Cast device revocation checking.

components/cast_certificate/cast_crl_unittest.cc

Index: components/cast_certificate/cast_crl_unittest.cc
diff --git a/components/cast_certificate/cast_crl_unittest.cc b/components/cast_certificate/cast_crl_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..0edb0f931f29ca40d75e175a6f54c05d25d81cbf
--- /dev/null
+++ b/components/cast_certificate/cast_crl_unittest.cc
@@ -0,0 +1,191 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/time/time.h"
+#include "components/cast_certificate/cast_cert_validator.h"
+#include "components/cast_certificate/cast_cert_validator_test_helpers.h"
+#include "components/cast_certificate/cast_crl.h"
+#include "components/cast_certificate/cast_crl_test_untrusted_root_ca_der-inc.h"
+#include "components/cast_certificate/cast_test_untrusted_root_ca_der-inc.h"
+#include "components/cast_certificate/proto/test_suite.pb.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace cast_certificate {
+namespace {
+
+// Converts uint64_t UTC time to Exploded time.
+base::Time::Exploded ConvertUTC(uint64_t time) {
+  base::Time utc_time =
+      base::Time::UnixEpoch() + base::TimeDelta::FromMilliseconds(time);
+  base::Time::Exploded result;
+  utc_time.UTCExplode(&result);
+  return result;
+}
+// Indicates the expected result of test step's verification.
+enum TestStepResult {
+  RESULT_SUCCESS,
+  RESULT_FAIL,
+};
+
+// Verifies that the provided certificate chain is valid at the specified time
+// and chains up to a trust anchor.
+bool TestVerifyCertificate(TestStepResult expected_result,
+                           const std::vector<std::string> certificate_chain,

[sheretov, 2016/07/08 18:07:08]

const std::vector<std::string>& certificate_chain

[ryanchung, 2016/07/08 22:49:29]

Done.

+                           const base::Time::Exploded& time) {
+  std::unique_ptr<CertVerificationContext> context;
+  CastDeviceCertPolicy policy;
+  CRLOptions crl_options;
+  crl_options.crl_required = false;
+  bool result = VerifyDeviceCert(certificate_chain, time, &context, &policy,
+                                 nullptr, crl_options);
+  EXPECT_EQ(result, expected_result == RESULT_SUCCESS);

[sheretov, 2016/07/08 18:07:08]

The logic was a little hard for me to follow: expected_result is being checked
inside of the TestVerifyXXX() functions, but is also returned and checked by the
caller.  Can we stick to doing one or the other?

[ryanchung, 2016/07/08 22:49:29]

Done.
Changed the return value to be true iff the expected value is seen. This is
still needed to check if the test, as a whole, passed or failed.

+  return result;
+}
+
+// Verifies that the provided Cast CRL signed by a trusted issuer
+// and that the CRL can be parsed successfully.
+// The validity of the CRL is also checked at the specified time.
+bool TestVerifyCRL(TestStepResult expected_result,
+                   const std::string& crl_bundle,
+                   const base::Time::Exploded& time) {
+  std::unique_ptr<CastCRL> crl = ParseAndVerifyCRL(crl_bundle, time);
+  if (expected_result == RESULT_SUCCESS) {
+    EXPECT_NE(crl, nullptr);
+  } else {
+    EXPECT_EQ(crl, nullptr);
+  }
+  return crl != nullptr;
+}
+
+// Verifies that the certificate chain provided is not revoked according to
+// the provided Cast CRL at |cert_time|.
+// The provided CRL is verified at |crl_time|.
+// If |crl_required| is set, then a valid Cast CRL must be provided.
+// Otherwise, a missing CRL is be ignored.
+bool TestVerifyRevocation(TestStepResult expected_result,
+                          const std::vector<std::string> certificate_chain,
+                          const std::string& crl_bundle,
+                          const base::Time::Exploded& crl_time,
+                          const base::Time::Exploded& cert_time,
+                          bool crl_required) {
+  std::unique_ptr<CastCRL> crl;
+  if (!crl_bundle.empty()) {
+    crl = ParseAndVerifyCRL(crl_bundle, crl_time);
+    EXPECT_NE(crl.get(), nullptr);
+  }
+
+  std::unique_ptr<CertVerificationContext> context;
+  CastDeviceCertPolicy policy;
+  CRLOptions crl_options;
+  crl_options.crl_required = crl_required;
+  int result = VerifyDeviceCert(certificate_chain, cert_time, &context, &policy,
+                                crl.get(), crl_options);
+  EXPECT_EQ(result, expected_result == RESULT_SUCCESS);
+  return result;
+}
+
+// Runs a single test case.
+bool RunTest(const DeviceCertTest& test_case) {
+  bool use_test_trust_anchors = test_case.use_test_trust_anchors();
+  if (use_test_trust_anchors) {
+    ClearCRLTrustAnchorForTest();
+    EXPECT_TRUE(SetCRLTrustAnchorForTest(kCastCRLTestRootCaDer,
+                                         sizeof(kCastCRLTestRootCaDer)));
+    EXPECT_TRUE(
+        SetTrustAnchorForTest(kCastTestRootCaDer, sizeof(kCastTestRootCaDer)));
+  }
+
+  VerificationResult expected_result = test_case.expected_result();
+
+  std::vector<std::string> certificate_chain;
+  for (auto const& cert : test_case.der_cert_path()) {
+    certificate_chain.push_back(cert);
+  }
+
+  uint64_t cert_verify_time = test_case.cert_verification_time_millis();
+  base::Time::Exploded cert_exploded_time = ConvertUTC(cert_verify_time);
+
+  uint64_t crl_verify_time = test_case.crl_verification_time_millis();
+  base::Time::Exploded crl_exploded_time = ConvertUTC(crl_verify_time);
+  if (crl_verify_time == 0)
+    crl_exploded_time = cert_exploded_time;
+
+  std::string crl_bundle = test_case.crl_bundle();
+  switch (expected_result) {
+    case PATH_VERIFICATION_FAILED:
+      return !TestVerifyCertificate(RESULT_FAIL, certificate_chain,
+                                    cert_exploded_time);
+      break;
+    case CRL_VERIFICATION_FAILED:
+      return !TestVerifyCRL(RESULT_FAIL, crl_bundle, crl_exploded_time);
+      break;
+    case REVOCATION_CHECK_FAILED_WITHOUT_CRL:
+      return TestVerifyCertificate(RESULT_SUCCESS, certificate_chain,
+                                   cert_exploded_time) &&
+             !TestVerifyCRL(RESULT_FAIL, crl_bundle, crl_exploded_time) &&
+             !TestVerifyRevocation(RESULT_FAIL, certificate_chain, crl_bundle,
+                                   crl_exploded_time, cert_exploded_time, true);
+      break;
+    case REVOCATION_CHECK_FAILED:
+      return TestVerifyCertificate(RESULT_SUCCESS, certificate_chain,
+                                   cert_exploded_time) &&
+             TestVerifyCRL(RESULT_SUCCESS, crl_bundle, crl_exploded_time) &&
+             !TestVerifyRevocation(RESULT_FAIL, certificate_chain, crl_bundle,
+                                   crl_exploded_time, cert_exploded_time,
+                                   false);
+      break;
+    case SUCCESS:
+      return (crl_bundle.empty() ||
+              TestVerifyCRL(RESULT_SUCCESS, crl_bundle, crl_exploded_time)) &&
+             TestVerifyCertificate(RESULT_SUCCESS, certificate_chain,
+                                   cert_exploded_time) &&
+             TestVerifyRevocation(RESULT_SUCCESS, certificate_chain, crl_bundle,
+                                  crl_exploded_time, cert_exploded_time,
+                                  !crl_bundle.empty());
+      break;
+  }
+}
+
+// Parses the provided test suite provided in wire-format proto
+// Each test contains the inputs and the expected output.
+// To see the description of the test, execute the test.
+// These tests are generated by a test generator in google3.
+void RunTestSuite(const std::string& test_suite_file_name) {
+  std::string testsuite_raw =
+      cast_certificate::testing::ReadFromFile(test_suite_file_name);
+  DeviceCertTestSuite test_suite;
+  EXPECT_TRUE(test_suite.ParseFromString(testsuite_raw));
+  uint16_t success = 0;
+  uint16_t failed = 0;
+  std::vector<std::string> failed_tests;
+
+  for (auto const& test_case : test_suite.tests()) {
+    LOG(INFO) << "[ RUN      ] " << test_case.description();
+    bool result = RunTest(test_case);
+    EXPECT_TRUE(result);
+    if (!result) {
+      LOG(INFO) << "[  FAILED  ] " << test_case.description();
+      ++failed;
+      failed_tests.push_back(test_case.description());
+    } else {
+      LOG(INFO) << "[  PASSED  ] " << test_case.description();
+      ++success;
+    }
+  }
+  LOG(INFO) << "[  PASSED  ] " << success << " test(s).";
+  if (failed) {
+    LOG(INFO) << "[  FAILED  ] " << failed << " test(s), listed below:";
+    for (const auto& failed_test : failed_tests) {
+      LOG(INFO) << "[  FAILED  ] " << failed_test;
+    }
+  }
+}
+
+TEST(CastCertificateTest, TestSuite1) {
+  RunTestSuite("testsuite/testsuite1.pb");
+}
+
+}  // namespace
+
+}  // namespace cast_certificate