Certificate Transparency: Code for unpacking EV cert hashes whitelist

net/cert/ct_ev_whitelist_unittest.cc

Index: net/cert/ct_ev_whitelist_unittest.cc
diff --git a/net/cert/ct_ev_whitelist_unittest.cc b/net/cert/ct_ev_whitelist_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..f050016183590b037818046c732dc2cca7858f7e
--- /dev/null
+++ b/net/cert/ct_ev_whitelist_unittest.cc
@@ -0,0 +1,148 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/ct_ev_whitelist.h"
+
+#include <string>
+
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+namespace ct {
+
+namespace internal {
+
+const char kSomeData[] = {0xd5, 0xe2, 0xaf, 0xe5, 0xbb, 0x10, 0x7c, 0xd1};
+
+TEST(BitStreamReaderTest, CanReadSingleByte) {
+  BitStreamReader reader(kSomeData, 1);
+  uint64 v(0);
+
+  ASSERT_EQ(8u, reader.BitsLeft());

[wtc, 2014/09/02 23:03:02]

IMPORTANT: most of the ASSERT_xxx's in this file should be EXPECT_xxx's.

[Eran Messeri, 2014/09/03 09:38:51]

Done.

+  ASSERT_TRUE(reader.ReadBits(8, &v));
+  ASSERT_EQ(UINT64_C(0xd5), v);
+
+  ASSERT_FALSE(reader.ReadBits(1, &v));
+  ASSERT_EQ(0u, reader.BitsLeft());
+}
+
+TEST(BitStreamReaderTest, CanReadSingleBits) {
+  const uint64 expected_bits[] = {1, 1, 0, 1, 0, 1, 0, 1,
+                                  1, 1, 1, 0, 0, 0, 1, 0};
+  BitStreamReader reader(kSomeData, 2);
+  ASSERT_EQ(16u, reader.BitsLeft());
+  uint64 v(0);
+
+  for (int i = 0; i < 16; ++i) {
+    ASSERT_TRUE(reader.ReadBits(1, &v));
+    ASSERT_EQ(expected_bits[i], v);
+  }
+  ASSERT_EQ(0u, reader.BitsLeft());
+}
+
+TEST(BitStreamReaderTest, CanReadBitGroups) {
+  BitStreamReader reader(kSomeData, 3);
+  ASSERT_EQ(24u, reader.BitsLeft());
+  uint64 v(0);
+  uint64 res(0);
+
+  ASSERT_TRUE(reader.ReadBits(5, &v));
+  res |= v << 19;
+  ASSERT_EQ(19u, reader.BitsLeft());
+  ASSERT_TRUE(reader.ReadBits(13, &v));
+  res |= v << 6;
+  ASSERT_EQ(6u, reader.BitsLeft());
+  ASSERT_TRUE(reader.ReadBits(6, &v));
+  res |= v;
+  ASSERT_EQ(UINT64_C(0xd5e2af), res);
+
+  ASSERT_FALSE(reader.ReadBits(1, &v));
+}
+
+TEST(BitStreamReaderTest, CanRead64Bit) {
+  BitStreamReader reader(kSomeData, 8);
+  ASSERT_EQ(64u, reader.BitsLeft());
+  uint64 v(0);
+
+  ASSERT_TRUE(reader.ReadBits(64, &v));
+  ASSERT_EQ(UINT64_C(0xd5e2afe5bb107cd1), v);
+}
+
+TEST(BitStreamReaderTest, CanReadUnaryEncodedNumbers) {
+  BitStreamReader reader(kSomeData, 3);
+  const uint64 expected_values[] = {2, 1, 1, 4, 0, 0, 1, 1, 1, 4};
+  uint64 v(0);
+  for (int i = 0; i < 10; ++i) {
+    ASSERT_TRUE(reader.ReadUnaryEncoding(&v));
+    ASSERT_EQ(expected_values[i], v) << "Values differ at position " << i;
+  }
+}
+
+}  // namespace internal
+
+const char kFirstHash[] = {0x00, 0x00, 0x03, 0xd7, 0xfc, 0x18, 0x02, 0xcb};
+// Second hash: Diff from first hash is > 2^47
+const char kSecondHash[] = {0x00, 0x01, 0x05, 0xd2, 0x58, 0x47, 0xa7, 0xbf};
+// Third hash: Diff from 2nd hash is < 2^47
+const char kThirdHash[] = {0x00, 0x01, 0x48, 0x45, 0x8c, 0x53, 0x03, 0x94};
+
+const char kWhitelistData[] = {
+    0x00, 0x00, 0x03, 0xd7, 0xfc, 0x18, 0x02, 0xcb,  // First hash
+    0xc0, 0x7e, 0x97, 0x0b, 0xe9, 0x3d, 0x10, 0x9c,
+    0xcd, 0x02, 0xd6, 0xf5, 0x40,
+};
+
+TEST(CTEVWhitelistTest, UncompressFailsForTooShortList) {
+  // This list does not contain enough bytes even for the first hash.
+  std::set<std::string> res;
+  ASSERT_FALSE(
+      internal::UncompressEVWhitelist(std::string(kWhitelistData, 7), &res));
+}
+
+TEST(CTEVWhitelistTest, UncompressFailsForTruncatedList) {
+  // This list is missing bits for the second part of the diff.
+  std::set<std::string> res;
+  ASSERT_FALSE(
+      internal::UncompressEVWhitelist(std::string(kWhitelistData, 14), &res));
+}
+
+TEST(CTEVWhitelistTest, UncompressesWhitelistCorrectly) {
+  std::set<std::string> res;
+  ASSERT_TRUE(internal::UncompressEVWhitelist(
+      std::string(kWhitelistData, arraysize(kWhitelistData)), &res));
+
+  // Ensure first hash is found
+  ASSERT_TRUE(res.find(std::string(kFirstHash, 8)) != res.end());
+  // Ensure second hash is found
+  ASSERT_TRUE(res.find(std::string(kSecondHash, 8)) != res.end());
+  // Ensure last hash is found
+  ASSERT_TRUE(res.find(std::string(kThirdHash, 8)) != res.end());
+  // Ensure that there are exactly 3 hashes.
+  ASSERT_EQ(3u, res.size());
+}
+
+TEST(CTEVWhitelistTest, CanFindHashInSetList) {
+  std::set<std::string> whitelist_data;
+  whitelist_data.insert(kFirstHash);
+  internal::SetEVWhitelistData(whitelist_data);
+
+  ASSERT_TRUE(IsCertificateHashInWhitelist(kFirstHash));
+}
+
+TEST(CTEVWhitelistTest, CannotFindOldHashAfterSetList) {
+  std::set<std::string> whitelist_data;
+  whitelist_data.insert(kFirstHash);
+  internal::SetEVWhitelistData(whitelist_data);
+  ASSERT_TRUE(IsCertificateHashInWhitelist(kFirstHash));
+
+  std::set<std::string> new_whitelist_data;
+  new_whitelist_data.insert(kSecondHash);
+  internal::SetEVWhitelistData(new_whitelist_data);
+  ASSERT_TRUE(IsCertificateHashInWhitelist(kFirstHash));

[wtc, 2014/09/02 23:03:02]

IMPORTANT: we should expect FALSE here, right?

[Eran Messeri, 2014/09/03 09:38:51]

Yes, my bad, I had a bug in the test (should have created the std::strings
explicitly by specifying the size, otherwise, since kFirstHash and kSecondHash
start with null, I'd get empty std::strings created from them).

+}
+
+}  // namespace ct
+
+}  // namespace net