OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/multi_log_ct_verifier.h" | 5 #include "net/cert/multi_log_ct_verifier.h" |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 | 8 |
9 #include "base/file_util.h" | 9 #include "base/file_util.h" |
10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
(...skipping 30 matching lines...) Expand all Loading... |
41 scoped_ptr<CTLogVerifier> log( | 41 scoped_ptr<CTLogVerifier> log( |
42 CTLogVerifier::Create(ct::GetTestPublicKey(), kLogDescription)); | 42 CTLogVerifier::Create(ct::GetTestPublicKey(), kLogDescription)); |
43 ASSERT_TRUE(log); | 43 ASSERT_TRUE(log); |
44 | 44 |
45 verifier_.reset(new MultiLogCTVerifier()); | 45 verifier_.reset(new MultiLogCTVerifier()); |
46 verifier_->AddLog(log.Pass()); | 46 verifier_->AddLog(log.Pass()); |
47 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | 47 std::string der_test_cert(ct::GetDerEncodedX509Cert()); |
48 chain_ = X509Certificate::CreateFromBytes( | 48 chain_ = X509Certificate::CreateFromBytes( |
49 der_test_cert.data(), | 49 der_test_cert.data(), |
50 der_test_cert.length()); | 50 der_test_cert.length()); |
51 ASSERT_TRUE(chain_); | 51 ASSERT_TRUE(chain_.get()); |
52 | 52 |
53 embedded_sct_chain_ = | 53 embedded_sct_chain_ = |
54 CreateCertificateChainFromFile(GetTestCertsDirectory(), | 54 CreateCertificateChainFromFile(GetTestCertsDirectory(), |
55 "ct-test-embedded-cert.pem", | 55 "ct-test-embedded-cert.pem", |
56 X509Certificate::FORMAT_AUTO); | 56 X509Certificate::FORMAT_AUTO); |
57 ASSERT_TRUE(embedded_sct_chain_); | 57 ASSERT_TRUE(embedded_sct_chain_.get()); |
58 } | 58 } |
59 | 59 |
60 bool CheckForSingleVerifiedSCTInResult(const ct::CTVerifyResult& result) { | 60 bool CheckForSingleVerifiedSCTInResult(const ct::CTVerifyResult& result) { |
61 return (result.verified_scts.size() == 1U) && | 61 return (result.verified_scts.size() == 1U) && |
62 result.invalid_scts.empty() && | 62 result.invalid_scts.empty() && |
63 result.unknown_logs_scts.empty() && | 63 result.unknown_logs_scts.empty() && |
64 result.verified_scts[0]->log_description == kLogDescription; | 64 result.verified_scts[0]->log_description == kLogDescription; |
65 } | 65 } |
66 | 66 |
67 bool CheckForSCTOrigin( | 67 bool CheckForSCTOrigin( |
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
123 sct[15] = 't'; | 123 sct[15] = 't'; |
124 | 124 |
125 std::string sct_list; | 125 std::string sct_list; |
126 ct::EncodeSCTListForTesting(sct, &sct_list); | 126 ct::EncodeSCTListForTesting(sct, &sct_list); |
127 return sct_list; | 127 return sct_list; |
128 } | 128 } |
129 | 129 |
130 bool VerifySinglePrecertificateChain(scoped_refptr<X509Certificate> chain, | 130 bool VerifySinglePrecertificateChain(scoped_refptr<X509Certificate> chain, |
131 const BoundNetLog& bound_net_log, | 131 const BoundNetLog& bound_net_log, |
132 ct::CTVerifyResult* result) { | 132 ct::CTVerifyResult* result) { |
133 return verifier_->Verify( | 133 return verifier_->Verify(chain.get(), |
134 chain, std::string(), std::string(), result, bound_net_log) == | 134 std::string(), |
135 OK; | 135 std::string(), |
| 136 result, |
| 137 bound_net_log) == OK; |
136 } | 138 } |
137 | 139 |
138 bool VerifySinglePrecertificateChain(scoped_refptr<X509Certificate> chain) { | 140 bool VerifySinglePrecertificateChain(scoped_refptr<X509Certificate> chain) { |
139 ct::CTVerifyResult result; | 141 ct::CTVerifyResult result; |
140 CapturingNetLog net_log; | 142 CapturingNetLog net_log; |
141 BoundNetLog bound_net_log = | 143 BoundNetLog bound_net_log = |
142 BoundNetLog::Make(&net_log, NetLog::SOURCE_CONNECT_JOB); | 144 BoundNetLog::Make(&net_log, NetLog::SOURCE_CONNECT_JOB); |
143 | 145 |
144 return verifier_->Verify( | 146 return verifier_->Verify(chain.get(), |
145 chain, std::string(), std::string(), &result, bound_net_log) == | 147 std::string(), |
146 OK; | 148 std::string(), |
| 149 &result, |
| 150 bound_net_log) == OK; |
147 } | 151 } |
148 | 152 |
149 bool CheckPrecertificateVerification(scoped_refptr<X509Certificate> chain) { | 153 bool CheckPrecertificateVerification(scoped_refptr<X509Certificate> chain) { |
150 ct::CTVerifyResult result; | 154 ct::CTVerifyResult result; |
151 CapturingNetLog net_log; | 155 CapturingNetLog net_log; |
152 BoundNetLog bound_net_log = | 156 BoundNetLog bound_net_log = |
153 BoundNetLog::Make(&net_log, NetLog::SOURCE_CONNECT_JOB); | 157 BoundNetLog::Make(&net_log, NetLog::SOURCE_CONNECT_JOB); |
154 return (VerifySinglePrecertificateChain(chain, bound_net_log, &result) && | 158 return (VerifySinglePrecertificateChain(chain, bound_net_log, &result) && |
155 CheckForSingleVerifiedSCTInResult(result) && | 159 CheckForSingleVerifiedSCTInResult(result) && |
156 CheckForSCTOrigin(result, | 160 CheckForSCTOrigin(result, |
(...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
192 | 196 |
193 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCT) { | 197 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCT) { |
194 ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_)); | 198 ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_)); |
195 } | 199 } |
196 | 200 |
197 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithPreCA) { | 201 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithPreCA) { |
198 scoped_refptr<X509Certificate> chain( | 202 scoped_refptr<X509Certificate> chain( |
199 CreateCertificateChainFromFile(GetTestCertsDirectory(), | 203 CreateCertificateChainFromFile(GetTestCertsDirectory(), |
200 "ct-test-embedded-with-preca-chain.pem", | 204 "ct-test-embedded-with-preca-chain.pem", |
201 X509Certificate::FORMAT_AUTO)); | 205 X509Certificate::FORMAT_AUTO)); |
202 ASSERT_TRUE(chain); | 206 ASSERT_TRUE(chain.get()); |
203 ASSERT_TRUE(CheckPrecertificateVerification(chain)); | 207 ASSERT_TRUE(CheckPrecertificateVerification(chain)); |
204 } | 208 } |
205 | 209 |
206 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithIntermediate) { | 210 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithIntermediate) { |
207 scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile( | 211 scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile( |
208 GetTestCertsDirectory(), | 212 GetTestCertsDirectory(), |
209 "ct-test-embedded-with-intermediate-chain.pem", | 213 "ct-test-embedded-with-intermediate-chain.pem", |
210 X509Certificate::FORMAT_AUTO)); | 214 X509Certificate::FORMAT_AUTO)); |
211 ASSERT_TRUE(chain); | 215 ASSERT_TRUE(chain.get()); |
212 ASSERT_TRUE(CheckPrecertificateVerification(chain)); | 216 ASSERT_TRUE(CheckPrecertificateVerification(chain)); |
213 } | 217 } |
214 | 218 |
215 TEST_F(MultiLogCTVerifierTest, | 219 TEST_F(MultiLogCTVerifierTest, |
216 VerifiesEmbeddedSCTWithIntermediateAndPreCA) { | 220 VerifiesEmbeddedSCTWithIntermediateAndPreCA) { |
217 scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile( | 221 scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile( |
218 GetTestCertsDirectory(), | 222 GetTestCertsDirectory(), |
219 "ct-test-embedded-with-intermediate-preca-chain.pem", | 223 "ct-test-embedded-with-intermediate-preca-chain.pem", |
220 X509Certificate::FORMAT_AUTO)); | 224 X509Certificate::FORMAT_AUTO)); |
221 ASSERT_TRUE(chain); | 225 ASSERT_TRUE(chain.get()); |
222 ASSERT_TRUE(CheckPrecertificateVerification(chain)); | 226 ASSERT_TRUE(CheckPrecertificateVerification(chain)); |
223 } | 227 } |
224 | 228 |
225 TEST_F(MultiLogCTVerifierTest, | 229 TEST_F(MultiLogCTVerifierTest, |
226 VerifiesSCTOverX509Cert) { | 230 VerifiesSCTOverX509Cert) { |
227 std::string sct(ct::GetTestSignedCertificateTimestamp()); | 231 std::string sct(ct::GetTestSignedCertificateTimestamp()); |
228 | 232 |
229 std::string sct_list; | 233 std::string sct_list; |
230 ASSERT_TRUE(ct::EncodeSCTListForTesting(sct, &sct_list)); | 234 ASSERT_TRUE(ct::EncodeSCTListForTesting(sct, &sct_list)); |
231 | 235 |
232 ct::CTVerifyResult result; | 236 ct::CTVerifyResult result; |
233 EXPECT_EQ(OK, | 237 EXPECT_EQ(OK, |
234 verifier_->Verify(chain_, std::string(), sct_list, &result, | 238 verifier_->Verify( |
235 BoundNetLog())); | 239 chain_.get(), std::string(), sct_list, &result, BoundNetLog())); |
236 ASSERT_TRUE(CheckForSingleVerifiedSCTInResult(result)); | 240 ASSERT_TRUE(CheckForSingleVerifiedSCTInResult(result)); |
237 ASSERT_TRUE(CheckForSCTOrigin( | 241 ASSERT_TRUE(CheckForSCTOrigin( |
238 result, ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION)); | 242 result, ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION)); |
239 } | 243 } |
240 | 244 |
241 TEST_F(MultiLogCTVerifierTest, | 245 TEST_F(MultiLogCTVerifierTest, |
242 IdentifiesSCTFromUnknownLog) { | 246 IdentifiesSCTFromUnknownLog) { |
243 std::string sct_list = GetSCTListWithInvalidSCT(); | 247 std::string sct_list = GetSCTListWithInvalidSCT(); |
244 ct::CTVerifyResult result; | 248 ct::CTVerifyResult result; |
245 | 249 |
246 EXPECT_NE(OK, | 250 EXPECT_NE(OK, |
247 verifier_->Verify( | 251 verifier_->Verify( |
248 chain_, std::string(), sct_list, &result, BoundNetLog())); | 252 chain_.get(), std::string(), sct_list, &result, BoundNetLog())); |
249 EXPECT_EQ(1U, result.unknown_logs_scts.size()); | 253 EXPECT_EQ(1U, result.unknown_logs_scts.size()); |
250 EXPECT_EQ("", result.unknown_logs_scts[0]->log_description); | 254 EXPECT_EQ("", result.unknown_logs_scts[0]->log_description); |
251 } | 255 } |
252 | 256 |
253 TEST_F(MultiLogCTVerifierTest, CountsValidSCTsInStatusHistogram) { | 257 TEST_F(MultiLogCTVerifierTest, CountsValidSCTsInStatusHistogram) { |
254 int num_valid_scts = NumValidSCTsInStatusHistogram(); | 258 int num_valid_scts = NumValidSCTsInStatusHistogram(); |
255 | 259 |
256 ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_)); | 260 ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_)); |
257 | 261 |
258 EXPECT_EQ(num_valid_scts + 1, NumValidSCTsInStatusHistogram()); | 262 EXPECT_EQ(num_valid_scts + 1, NumValidSCTsInStatusHistogram()); |
259 } | 263 } |
260 | 264 |
261 TEST_F(MultiLogCTVerifierTest, CountsInvalidSCTsInStatusHistogram) { | 265 TEST_F(MultiLogCTVerifierTest, CountsInvalidSCTsInStatusHistogram) { |
262 std::string sct_list = GetSCTListWithInvalidSCT(); | 266 std::string sct_list = GetSCTListWithInvalidSCT(); |
263 ct::CTVerifyResult result; | 267 ct::CTVerifyResult result; |
264 int num_valid_scts = NumValidSCTsInStatusHistogram(); | 268 int num_valid_scts = NumValidSCTsInStatusHistogram(); |
265 int num_invalid_scts = GetValueFromHistogram( | 269 int num_invalid_scts = GetValueFromHistogram( |
266 "Net.CertificateTransparency.SCTStatus", ct::SCT_STATUS_LOG_UNKNOWN); | 270 "Net.CertificateTransparency.SCTStatus", ct::SCT_STATUS_LOG_UNKNOWN); |
267 | 271 |
268 EXPECT_NE(OK, | 272 EXPECT_NE(OK, |
269 verifier_->Verify(chain_, std::string(), sct_list, &result, | 273 verifier_->Verify( |
270 BoundNetLog())); | 274 chain_.get(), std::string(), sct_list, &result, BoundNetLog())); |
271 | 275 |
272 ASSERT_EQ(num_valid_scts, NumValidSCTsInStatusHistogram()); | 276 ASSERT_EQ(num_valid_scts, NumValidSCTsInStatusHistogram()); |
273 ASSERT_EQ(num_invalid_scts + 1, | 277 ASSERT_EQ(num_invalid_scts + 1, |
274 GetValueFromHistogram("Net.CertificateTransparency.SCTStatus", | 278 GetValueFromHistogram("Net.CertificateTransparency.SCTStatus", |
275 ct::SCT_STATUS_LOG_UNKNOWN)); | 279 ct::SCT_STATUS_LOG_UNKNOWN)); |
276 } | 280 } |
277 | 281 |
278 TEST_F(MultiLogCTVerifierTest, CountsSingleEmbeddedSCTInConnectionsHistogram) { | 282 TEST_F(MultiLogCTVerifierTest, CountsSingleEmbeddedSCTInConnectionsHistogram) { |
279 int old_sct_count = NumConnectionsWithSingleSCT(); | 283 int old_sct_count = NumConnectionsWithSingleSCT(); |
280 ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_)); | 284 ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_)); |
281 EXPECT_EQ(old_sct_count + 1, NumConnectionsWithSingleSCT()); | 285 EXPECT_EQ(old_sct_count + 1, NumConnectionsWithSingleSCT()); |
282 } | 286 } |
283 | 287 |
284 TEST_F(MultiLogCTVerifierTest, CountsSingleEmbeddedSCTInOriginsHistogram) { | 288 TEST_F(MultiLogCTVerifierTest, CountsSingleEmbeddedSCTInOriginsHistogram) { |
285 int old_embedded_count = NumEmbeddedSCTsInHistogram(); | 289 int old_embedded_count = NumEmbeddedSCTsInHistogram(); |
286 ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_)); | 290 ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_)); |
287 EXPECT_EQ(old_embedded_count + 1, NumEmbeddedSCTsInHistogram()); | 291 EXPECT_EQ(old_embedded_count + 1, NumEmbeddedSCTsInHistogram()); |
288 } | 292 } |
289 | 293 |
290 TEST_F(MultiLogCTVerifierTest, CountsZeroSCTsCorrectly) { | 294 TEST_F(MultiLogCTVerifierTest, CountsZeroSCTsCorrectly) { |
291 int connections_without_scts = GetValueFromHistogram(kSCTCountHistogram, 0); | 295 int connections_without_scts = GetValueFromHistogram(kSCTCountHistogram, 0); |
292 EXPECT_FALSE(VerifySinglePrecertificateChain(chain_)); | 296 EXPECT_FALSE(VerifySinglePrecertificateChain(chain_)); |
293 ASSERT_EQ(connections_without_scts + 1, | 297 ASSERT_EQ(connections_without_scts + 1, |
294 GetValueFromHistogram(kSCTCountHistogram, 0)); | 298 GetValueFromHistogram(kSCTCountHistogram, 0)); |
295 } | 299 } |
296 | 300 |
297 } // namespace | 301 } // namespace |
298 | 302 |
299 } // namespace net | 303 } // namespace net |
OLD | NEW |