Chromium Code Reviews Chromium Code Reviews
Issue 37633002:
CT: First step towards supporting Certificate Transparency in Chrome. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/ct_serialization.h" | |
| 6 | |
| 7 #include <string> | |
| 8 | |
| 9 #include "base/file_util.h" | |
| 10 #include "base/files/file_path.h" | |
| 11 #include "net/base/net_log.h" | |
| 12 #include "net/base/test_completion_callback.h" | |
| 13 #include "net/base/test_data_directory.h" | |
| 14 #include "net/cert/x509_certificate.h" | |
| 15 #include "net/test/cert_test_util.h" | |
| 16 #include "net/test/ct_test_util.h" | |
| 17 #include "testing/gtest/include/gtest/gtest.h" | |
| 18 | |
| 19 namespace net { | |
| 20 | |
| 21 class CtSerializationTest : public ::testing::Test { | |
| 22 public: | |
| 23 virtual void SetUp() OVERRIDE { | |
| 24 test_digitally_signed_ = ct::GetTestDigitallySigned(); | |
| 25 } | |
| 26 | |
| 27 std::string test_digitally_signed_; | |
|
wtc
2013/10/24 23:14:23
Does this member need to be public?
Eran M. (Google)
2013/10/30 18:00:08
No - changed to protected.
| |
| 28 }; | |
| 29 | |
| 30 TEST_F(CtSerializationTest, DecodesDigitallySigned) { | |
| 31 base::StringPiece digitally_signed(test_digitally_signed_); | |
| 32 ct::DigitallySigned parsed; | |
| 33 | |
| 34 ASSERT_TRUE(ct::DecodeDigitallySigned(&digitally_signed, &parsed)); | |
| 35 EXPECT_EQ( | |
| 36 ct::DigitallySigned::HASH_ALGO_SHA256, | |
| 37 parsed.hash_algorithm); | |
| 38 | |
| 39 EXPECT_EQ( | |
| 40 ct::DigitallySigned::SIG_ALGO_ECDSA, | |
| 41 parsed.signature_algorithm); | |
| 42 | |
| 43 EXPECT_EQ( | |
| 44 test_digitally_signed_.substr(4), | |
|
wtc
2013/10/24 23:14:23
Nit: explain 4 (1 byte hash algorithm, 1 byte sign
Eran M. (Google)
2013/10/30 18:00:08
Done.
| |
| 45 parsed.signature_data); | |
| 46 } | |
| 47 | |
| 48 | |
| 49 TEST_F(CtSerializationTest, FailsToDecodePartialDigitallySigned) { | |
| 50 base::StringPiece digitally_signed( | |
| 51 test_digitally_signed_.substr(0, test_digitally_signed_.size() - 5)); | |
| 52 ct::DigitallySigned parsed; | |
| 53 | |
| 54 ASSERT_FALSE(ct::DecodeDigitallySigned(&digitally_signed, &parsed)); | |
| 55 } | |
| 56 | |
| 57 | |
| 58 TEST_F(CtSerializationTest, EncodesDigitallySigned) { | |
| 59 ct::DigitallySigned digitally_signed; | |
| 60 digitally_signed.hash_algorithm = ct::DigitallySigned::HASH_ALGO_SHA256; | |
| 61 digitally_signed.signature_algorithm = ct::DigitallySigned::SIG_ALGO_ECDSA; | |
| 62 digitally_signed.signature_data = test_digitally_signed_.substr(4); | |
| 63 | |
| 64 std::string encoded; | |
| 65 | |
| 66 ASSERT_TRUE(ct::EncodeDigitallySigned(digitally_signed, &encoded)); | |
| 67 EXPECT_EQ(test_digitally_signed_, encoded); | |
| 68 } | |
| 69 | |
| 70 | |
| 71 TEST_F(CtSerializationTest, EncodesLogEntryForX509Cert) { | |
| 72 ct::LogEntry entry; | |
| 73 GetX509CertLogEntry(&entry); | |
| 74 | |
| 75 std::string encoded; | |
| 76 ASSERT_TRUE(ct::EncodeLogEntry(entry, &encoded)); | |
| 77 EXPECT_EQ((size_t) (718 + 5), encoded.size()); | |
|
wtc
2013/10/24 23:14:23
We usually deal with this by adding the U suffix t
Eran M. (Google)
2013/10/30 18:00:08
Done, thanks for the tip.
| |
| 78 // First two bytes are log entry type. Next, length: | |
| 79 // Length is 718 which is 512 + 206, which is 2<<8 + 0xce | |
|
wtc
2013/10/24 23:14:23
Nit: we can say "which is 0x2ce". Is there a parti
Eran M. (Google)
2013/10/30 18:00:08
Done - originally described it so it's clear why t
| |
| 80 std::string expected_prefix("\0\0\0\x2\xCE", 5); | |
| 81 // Note we use std::string comparison rather than ASSERT_STREQ due | |
| 82 // to null characters in the buffer. | |
| 83 EXPECT_EQ(expected_prefix, encoded.substr(0, 5)); | |
| 84 } | |
| 85 | |
| 86 TEST_F(CtSerializationTest, EncodesV1SCTSignedData) { | |
| 87 base::Time timestamp = base::Time::UnixEpoch() + | |
| 88 base::TimeDelta::FromMilliseconds(1348589665525); | |
| 89 std::string dummy_entry("abc"); | |
| 90 std::string empty_extensions(""); | |
| 91 // For now, no known failure cases. | |
| 92 std::string encoded; | |
| 93 ASSERT_TRUE(ct::EncodeV1SCTSignedData( | |
| 94 timestamp, | |
| 95 dummy_entry, | |
| 96 empty_extensions, | |
| 97 &encoded)); | |
| 98 EXPECT_EQ((size_t) 15, encoded.size()); | |
| 99 // Byte 0 is version, byte 1 is signature type | |
| 100 // Bytes 2-10 are timestamp | |
| 101 // Bytes 11-14 are the log signature | |
| 102 // Byte 15 is the empty extension | |
| 103 //EXPECT_EQ(0, timestamp.ToTimeT()); | |
| 104 std::string expected_buffer( | |
| 105 "\x0\x0\x0\x0\x1\x39\xFE\x35\x3C\xF5\x61\x62\x63\x0\x0", 15); | |
| 106 EXPECT_EQ(expected_buffer, encoded); | |
| 107 } | |
| 108 | |
| 109 TEST_F(CtSerializationTest, DecodesSCTList) { | |
| 110 // Two items in the list: "abc", "def" | |
| 111 base::StringPiece encoded("\x0\xa\x0\x3\x61\x62\x63\x0\x3\x64\x65\x66", 12); | |
| 112 std::vector<base::StringPiece> decoded; | |
| 113 | |
| 114 ASSERT_TRUE(ct::DecodeSCTList(&encoded, &decoded)); | |
| 115 ASSERT_STREQ("abc", decoded[0].data()); | |
| 116 ASSERT_STREQ("def", decoded[1].data()); | |
| 117 } | |
| 118 | |
| 119 TEST_F(CtSerializationTest, FailsDecodingInvalidSCTList) { | |
| 120 // A list with one item that's too short | |
| 121 base::StringPiece encoded("\x0\xa\x0\x3\x61\x62\x63\x0\x5\x64\x65\x66", 12); | |
| 122 std::vector<base::StringPiece> decoded; | |
| 123 | |
| 124 ASSERT_FALSE(ct::DecodeSCTList(&encoded, &decoded)); | |
| 125 } | |
| 126 | |
| 127 TEST_F(CtSerializationTest, DecodesSignedCertificateTimestamp) { | |
| 128 std::string encoded_test_sct(ct::GetTestSignedCertificateTimestamp()); | |
| 129 base::StringPiece encoded_sct(encoded_test_sct); | |
| 130 | |
| 131 ct::SignedCertificateTimestamp sct; | |
| 132 ASSERT_TRUE(ct::DecodeSignedCertificateTimestamp(&encoded_sct, &sct)); | |
| 133 EXPECT_EQ(0, sct.version); | |
| 134 std::string expected_log_key( | |
| 135 "\xdf\x1c\x2e\xc1\x15\x00\x94\x52\x47\xa9\x61\x68\x32\x5d\xdc\x5c\x79\x59" | |
| 136 "\xe8\xf7\xc6\xd3\x88\xfc\x00\x2e\x0b\xbd\x3f\x74\xd7\x64", | |
| 137 32); | |
| 138 EXPECT_EQ(expected_log_key, sct.log_id); | |
| 139 base::Time expected_time = base::Time::UnixEpoch() + | |
| 140 base::TimeDelta::FromMilliseconds(1365181456089); | |
| 141 EXPECT_EQ(expected_time, sct.timestamp); | |
| 142 // Subtracting 4 bytes for signature data (hash & sig algs), | |
| 143 // actual signature data should be 71 bytes. | |
| 144 EXPECT_EQ((size_t) 71, sct.signature.signature_data.size()); | |
| 145 EXPECT_EQ(std::string(""), sct.extensions); | |
| 146 } | |
| 147 | |
| 148 TEST_F(CtSerializationTest, FailsDecodingInvalidSignedCertificateTimestamp) { | |
| 149 // Invalid version | |
| 150 base::StringPiece invalid_version_sct("\x2\x0", 2); | |
| 151 ct::SignedCertificateTimestamp sct; | |
| 152 | |
| 153 ASSERT_FALSE( | |
| 154 ct::DecodeSignedCertificateTimestamp(&invalid_version_sct, &sct)); | |
| 155 | |
| 156 // Valid version, invalid length (missing data) | |
| 157 base::StringPiece invalid_length_sct("\x0\xa\xb\xc", 4); | |
| 158 ASSERT_FALSE( | |
| 159 ct::DecodeSignedCertificateTimestamp(&invalid_length_sct, &sct)); | |
| 160 } | |
| 161 | |
| 162 } // namespace net | |
| 163 | |
| OLD | NEW |
