CT: First step towards supporting Certificate Transparency in Chrome.

net/cert/ct_serialization_unittest.cc

Index: net/cert/ct_serialization_unittest.cc
diff --git a/net/cert/ct_serialization_unittest.cc b/net/cert/ct_serialization_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..dbc1d3c59fbef3b245b1877f7acd179ca2feee05
--- /dev/null
+++ b/net/cert/ct_serialization_unittest.cc
@@ -0,0 +1,163 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/ct_serialization.h"
+
+#include <string>
+
+#include "base/file_util.h"
+#include "base/files/file_path.h"
+#include "net/base/net_log.h"
+#include "net/base/test_completion_callback.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/x509_certificate.h"
+#include "net/test/cert_test_util.h"
+#include "net/test/ct_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+class CtSerializationTest : public ::testing::Test {
+ public:
+  virtual void SetUp() OVERRIDE {
+    test_digitally_signed_ = ct::GetTestDigitallySigned();
+  }
+
+  std::string test_digitally_signed_;

[wtc, 2013/10/24 23:14:23]

Does this member need to be public?

[Eran M. (Google), 2013/10/30 18:00:08]

No - changed to protected.

+};
+
+TEST_F(CtSerializationTest, DecodesDigitallySigned) {
+  base::StringPiece digitally_signed(test_digitally_signed_);
+  ct::DigitallySigned parsed;
+
+  ASSERT_TRUE(ct::DecodeDigitallySigned(&digitally_signed, &parsed));
+  EXPECT_EQ(
+      ct::DigitallySigned::HASH_ALGO_SHA256,
+      parsed.hash_algorithm);
+
+  EXPECT_EQ(
+      ct::DigitallySigned::SIG_ALGO_ECDSA,
+      parsed.signature_algorithm);
+
+  EXPECT_EQ(
+      test_digitally_signed_.substr(4),

[wtc, 2013/10/24 23:14:23]

Nit: explain 4 (1 byte hash algorithm, 1 byte signature algorithm, 2 bytes
length prefix for the signature).

[Eran M. (Google), 2013/10/30 18:00:08]

Done.

+      parsed.signature_data);
+}
+
+
+TEST_F(CtSerializationTest, FailsToDecodePartialDigitallySigned) {
+  base::StringPiece digitally_signed(
+      test_digitally_signed_.substr(0, test_digitally_signed_.size() - 5));
+  ct::DigitallySigned parsed;
+
+  ASSERT_FALSE(ct::DecodeDigitallySigned(&digitally_signed, &parsed));
+}
+
+
+TEST_F(CtSerializationTest, EncodesDigitallySigned) {
+  ct::DigitallySigned digitally_signed;
+  digitally_signed.hash_algorithm = ct::DigitallySigned::HASH_ALGO_SHA256;
+  digitally_signed.signature_algorithm = ct::DigitallySigned::SIG_ALGO_ECDSA;
+  digitally_signed.signature_data = test_digitally_signed_.substr(4);
+
+  std::string encoded;
+
+  ASSERT_TRUE(ct::EncodeDigitallySigned(digitally_signed, &encoded));
+  EXPECT_EQ(test_digitally_signed_, encoded);
+}
+
+
+TEST_F(CtSerializationTest, EncodesLogEntryForX509Cert) {
+  ct::LogEntry entry;
+  GetX509CertLogEntry(&entry);
+
+  std::string encoded;
+  ASSERT_TRUE(ct::EncodeLogEntry(entry, &encoded));
+  EXPECT_EQ((size_t) (718 + 5), encoded.size());

[wtc, 2013/10/24 23:14:23]

We usually deal with this by adding the U suffix to constants: 718U + 5U.

[Eran M. (Google), 2013/10/30 18:00:08]

Done, thanks for the tip.

+  // First two bytes are log entry type. Next, length:
+  // Length is 718 which is 512 + 206, which is 2<<8 + 0xce

[wtc, 2013/10/24 23:14:23]

Nit: we can say "which is 0x2ce". Is there a particular reason to write it as
2<<8 + 0xce? To point out it will be serialized in big-endian order?

[Eran M. (Google), 2013/10/30 18:00:08]

Done - originally described it so it's clear why the 0x02 appears in the upper
byte, but both are ok.

+  std::string expected_prefix("\0\0\0\x2\xCE", 5);
+  // Note we use std::string comparison rather than ASSERT_STREQ due
+  // to null characters in the buffer.
+  EXPECT_EQ(expected_prefix, encoded.substr(0, 5));
+}
+
+TEST_F(CtSerializationTest, EncodesV1SCTSignedData) {
+  base::Time timestamp = base::Time::UnixEpoch() +
+      base::TimeDelta::FromMilliseconds(1348589665525);
+  std::string dummy_entry("abc");
+  std::string empty_extensions("");
+  // For now, no known failure cases.
+  std::string encoded;
+  ASSERT_TRUE(ct::EncodeV1SCTSignedData(
+      timestamp,
+      dummy_entry,
+      empty_extensions,
+      &encoded));
+  EXPECT_EQ((size_t) 15, encoded.size());
+  // Byte 0 is version, byte 1 is signature type
+  // Bytes 2-10 are timestamp
+  // Bytes 11-14 are the log signature
+  // Byte 15 is the empty extension
+  //EXPECT_EQ(0, timestamp.ToTimeT());
+  std::string expected_buffer(
+      "\x0\x0\x0\x0\x1\x39\xFE\x35\x3C\xF5\x61\x62\x63\x0\x0", 15);
+  EXPECT_EQ(expected_buffer, encoded);
+}
+
+TEST_F(CtSerializationTest, DecodesSCTList) {
+  // Two items in the list: "abc", "def"
+  base::StringPiece encoded("\x0\xa\x0\x3\x61\x62\x63\x0\x3\x64\x65\x66", 12);
+  std::vector<base::StringPiece> decoded;
+
+  ASSERT_TRUE(ct::DecodeSCTList(&encoded, &decoded));
+  ASSERT_STREQ("abc", decoded[0].data());
+  ASSERT_STREQ("def", decoded[1].data());
+}
+
+TEST_F(CtSerializationTest, FailsDecodingInvalidSCTList) {
+  // A list with one item that's too short
+  base::StringPiece encoded("\x0\xa\x0\x3\x61\x62\x63\x0\x5\x64\x65\x66", 12);
+  std::vector<base::StringPiece> decoded;
+
+  ASSERT_FALSE(ct::DecodeSCTList(&encoded, &decoded));
+}
+
+TEST_F(CtSerializationTest, DecodesSignedCertificateTimestamp) {
+  std::string encoded_test_sct(ct::GetTestSignedCertificateTimestamp());
+  base::StringPiece encoded_sct(encoded_test_sct);
+
+  ct::SignedCertificateTimestamp sct;
+  ASSERT_TRUE(ct::DecodeSignedCertificateTimestamp(&encoded_sct, &sct));
+  EXPECT_EQ(0, sct.version);
+  std::string expected_log_key(
+      "\xdf\x1c\x2e\xc1\x15\x00\x94\x52\x47\xa9\x61\x68\x32\x5d\xdc\x5c\x79\x59"
+      "\xe8\xf7\xc6\xd3\x88\xfc\x00\x2e\x0b\xbd\x3f\x74\xd7\x64",
+      32);
+  EXPECT_EQ(expected_log_key, sct.log_id);
+  base::Time expected_time = base::Time::UnixEpoch() +
+      base::TimeDelta::FromMilliseconds(1365181456089);
+  EXPECT_EQ(expected_time, sct.timestamp);
+  // Subtracting 4 bytes for signature data (hash & sig algs),
+  // actual signature data should be 71 bytes.
+  EXPECT_EQ((size_t) 71, sct.signature.signature_data.size());
+  EXPECT_EQ(std::string(""), sct.extensions);
+}
+
+TEST_F(CtSerializationTest, FailsDecodingInvalidSignedCertificateTimestamp) {
+  // Invalid version
+  base::StringPiece invalid_version_sct("\x2\x0", 2);
+  ct::SignedCertificateTimestamp sct;
+
+  ASSERT_FALSE(
+      ct::DecodeSignedCertificateTimestamp(&invalid_version_sct, &sct));
+
+  // Valid version, invalid length (missing data)
+  base::StringPiece invalid_length_sct("\x0\xa\xb\xc", 4);
+  ASSERT_FALSE(
+      ct::DecodeSignedCertificateTimestamp(&invalid_length_sct, &sct));
+}
+
+} // namespace net
+