| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/multi_log_ct_verifier.h" | |
| 6 | |
| 7 #include <string> | |
| 8 | |
| 9 #include "base/file_util.h" | |
| 10 #include "base/files/file_path.h" | |
| 11 #include "net/base/net_log.h" | |
| 12 #include "net/base/test_completion_callback.h" | |
| 13 #include "net/base/test_data_directory.h" | |
| 14 #include "net/cert/ct_log_verifier.h" | |
| 15 #include "net/cert/ct_serialization.h" | |
| 16 #include "net/cert/ct_verify_result.h" | |
| 17 #include "net/cert/pem_tokenizer.h" | |
| 18 #include "net/cert/signed_certificate_timestamp.h" | |
| 19 #include "net/cert/x509_certificate.h" | |
| 20 #include "net/test/cert_test_util.h" | |
| 21 #include "net/test/ct_test_util.h" | |
| 22 #include "testing/gtest/include/gtest/gtest.h" | |
| 23 | |
| 24 namespace net { | |
| 25 | |
| 26 namespace { | |
| 27 | |
| 28 class MultiLogCTVerifierTest : public ::testing::Test { | |
| 29 public: | |
| 30 virtual void SetUp() OVERRIDE { | |
| 31 scoped_ptr<CTLogVerifier> log( | |
| 32 CTLogVerifier::Create(ct::GetTestPublicKey(), "")); | |
| 33 ASSERT_TRUE(log); | |
| 34 | |
| 35 verifier_.reset(new MultiLogCTVerifier(log.Pass())); | |
| 36 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | |
| 37 chain_ = X509Certificate::CreateFromBytes( | |
| 38 der_test_cert.data(), | |
| 39 der_test_cert.length()); | |
| 40 ASSERT_TRUE(chain_); | |
| 41 | |
| 42 } | |
| 43 | |
| 44 void CheckForSingleVerifiedSCTInResult(const ct::CTVerifyResult& result) { | |
| 45 EXPECT_EQ(1U, result.verified_scts.size()); | |
| 46 ASSERT_TRUE(result.unverified_scts.empty()); | |
| 47 ASSERT_TRUE(result.unknown_logs_scts.empty()); | |
|
Ryan Sleevi
2013/11/20 01:09:42
These ASSERTs will not function as you expect, bec
| |
| 48 } | |
| 49 | |
| 50 void CheckForSCTOrigin( | |
| 51 const ct::CTVerifyResult& result, | |
| 52 ct::SignedCertificateTimestamp::Origin origin) { | |
| 53 ASSERT_TRUE(result.verified_scts.size() > 0); | |
| 54 EXPECT_EQ(origin, result.verified_scts[0].origin); | |
| 55 } | |
| 56 | |
| 57 void CheckPrecertificateVerification(scoped_refptr<X509Certificate> chain) { | |
| 58 ct::CTVerifyResult result; | |
| 59 TestCompletionCallback cb; | |
| 60 EXPECT_EQ(OK, verifier_->Verify( | |
| 61 chain, "", "", &result, cb.callback(), BoundNetLog())); | |
| 62 CheckForSingleVerifiedSCTInResult(result); | |
| 63 CheckForSCTOrigin(result, ct::SignedCertificateTimestamp::SCT_EMBEDDED); | |
| 64 } | |
| 65 | |
| 66 protected: | |
| 67 scoped_ptr<MultiLogCTVerifier> verifier_; | |
| 68 scoped_refptr<X509Certificate> chain_; | |
| 69 }; | |
| 70 | |
| 71 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCT) { | |
| 72 scoped_refptr<X509Certificate> chain( | |
| 73 CreateCertificateChainFromFile(GetTestCertsDirectory(), | |
| 74 "ct-test-embedded-cert.pem", | |
| 75 X509Certificate::FORMAT_AUTO)); | |
| 76 ASSERT_TRUE(chain); | |
| 77 CheckPrecertificateVerification(chain); | |
| 78 } | |
| 79 | |
| 80 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithPreCA) { | |
| 81 scoped_refptr<X509Certificate> chain( | |
| 82 CreateCertificateChainFromFile(GetTestCertsDirectory(), | |
| 83 "ct-test-embedded-with-preca-chain.pem", | |
| 84 X509Certificate::FORMAT_AUTO)); | |
| 85 ASSERT_TRUE(chain); | |
| 86 | |
| 87 CheckPrecertificateVerification(chain); | |
| 88 } | |
| 89 | |
| 90 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithIntermediate) { | |
| 91 scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile( | |
| 92 GetTestCertsDirectory(), | |
| 93 "ct-test-embedded-with-intermediate-chain.pem", | |
| 94 X509Certificate::FORMAT_AUTO)); | |
| 95 ASSERT_TRUE(chain); | |
| 96 | |
| 97 CheckPrecertificateVerification(chain); | |
| 98 } | |
| 99 | |
| 100 TEST_F(MultiLogCTVerifierTest, | |
| 101 VerifiesEmbeddedSCTWithIntermediateAndPreCA) { | |
| 102 scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile( | |
| 103 GetTestCertsDirectory(), | |
| 104 "ct-test-embedded-with-intermediate-preca-chain.pem", | |
| 105 X509Certificate::FORMAT_AUTO)); | |
| 106 ASSERT_TRUE(chain); | |
| 107 | |
| 108 CheckPrecertificateVerification(chain); | |
| 109 } | |
| 110 | |
| 111 TEST_F(MultiLogCTVerifierTest, | |
| 112 VerifiesSCTOverX509Cert) { | |
| 113 std::string sct(ct::GetTestSignedCertificateTimestamp()); | |
| 114 | |
| 115 std::string sct_list; | |
| 116 ASSERT_TRUE(ct::EncodeSCTListForTesting(sct, &sct_list)); | |
| 117 | |
| 118 ct::CTVerifyResult result; | |
| 119 TestCompletionCallback cb; | |
| 120 EXPECT_EQ(OK, verifier_->Verify( | |
| 121 chain_, "", sct_list, &result, cb.callback(), BoundNetLog())); | |
| 122 CheckForSingleVerifiedSCTInResult(result); | |
| 123 CheckForSCTOrigin( | |
| 124 result, ct::SignedCertificateTimestamp::SCT_FROM_TLS_HANDSHAKE); | |
| 125 } | |
| 126 | |
| 127 TEST_F(MultiLogCTVerifierTest, | |
| 128 IdentifiesSCTFromUnknownLog) { | |
| 129 std::string sct(ct::GetTestSignedCertificateTimestamp()); | |
| 130 | |
| 131 // Change a byte inside the Log ID part of the SCT so it does | |
| 132 // not match the log used in the tests | |
| 133 sct[15] = 't'; | |
| 134 | |
| 135 std::string sct_list; | |
| 136 ASSERT_TRUE(ct::EncodeSCTListForTesting(sct, &sct_list)); | |
| 137 | |
| 138 ct::CTVerifyResult result; | |
| 139 TestCompletionCallback cb; | |
| 140 EXPECT_NE(OK, verifier_->Verify( | |
| 141 chain_, sct_list, "", &result, cb.callback(), BoundNetLog())); | |
| 142 EXPECT_EQ(1U, result.unknown_logs_scts.size()); | |
| 143 } | |
| 144 | |
| 145 } // namespace | |
| 146 | |
| 147 } // namespace net | |
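Review bot: IdentifiesSCTFromUnknownLog hands `sct_list` to Verify() as the second argument (`chain_, sct_list, ""`), while VerifiesSCTOverX509Cert hands it over as the third (`chain_, "", sct_list`), so the two tests cannot both be exercising the TLS-extension SCT path they describe. Because the only outcome check is `EXPECT_NE(OK, ...)`, a failure produced by that argument mix-up, or by any unrelated parsing error, still passes, so this test does not currently prove that an SCT from an unknown log is rejected and reported rather than just that something went wrong. Align the call with the other test, `chain_, "", sct_list, &result, cb.callback(), BoundNetLog()`, and if the verifier has a dedicated error for this case, assert that exact value instead of EXPECT_NE(OK). It would also help to add a comment above `sct[15] = 't';` recording the assumption that offset 15 falls inside the 32-byte log ID that follows the version byte and that the original byte is not already `'t'`, since a no-op mutation would silently turn this into a success case.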