Certificate Transparency: Add the high-level interface for verifying SCTs over multiple logs

net/cert/multi_log_ct_verifier_unittest.cc

Index: net/cert/multi_log_ct_verifier_unittest.cc
diff --git a/net/cert/multi_log_ct_verifier_unittest.cc b/net/cert/multi_log_ct_verifier_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..ae84d45a277c7222f605ef1d9b69adccc0a02820
--- /dev/null
+++ b/net/cert/multi_log_ct_verifier_unittest.cc
@@ -0,0 +1,147 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/multi_log_ct_verifier.h"
+
+#include <string>
+
+#include "base/file_util.h"
+#include "base/files/file_path.h"
+#include "net/base/net_log.h"
+#include "net/base/test_completion_callback.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/ct_log_verifier.h"
+#include "net/cert/ct_serialization.h"
+#include "net/cert/ct_verify_result.h"
+#include "net/cert/pem_tokenizer.h"
+#include "net/cert/signed_certificate_timestamp.h"
+#include "net/cert/x509_certificate.h"
+#include "net/test/cert_test_util.h"
+#include "net/test/ct_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+namespace {
+
+class MultiLogCTVerifierTest : public ::testing::Test {
+ public:
+  virtual void SetUp() OVERRIDE {
+    scoped_ptr<CTLogVerifier> log(
+        CTLogVerifier::Create(ct::GetTestPublicKey(), ""));
+    ASSERT_TRUE(log);
+
+    verifier_.reset(new MultiLogCTVerifier(log.Pass()));
+    std::string der_test_cert(ct::GetDerEncodedX509Cert());
+    chain_ = X509Certificate::CreateFromBytes(
+        der_test_cert.data(),
+        der_test_cert.length());
+    ASSERT_TRUE(chain_);
+
+  }
+
+  void CheckForSingleVerifiedSCTInResult(const ct::CTVerifyResult& result) {
+    EXPECT_EQ(1U, result.verified_scts.size());
+    ASSERT_TRUE(result.unverified_scts.empty());
+    ASSERT_TRUE(result.unknown_logs_scts.empty());

[Ryan Sleevi, 2013/11/20 01:09:42]

These ASSERTs will not function as you expect, because this is in a void
function return.

That is, it will return from *this* function, but the remaining code of the
calling function will continue executing. You'd need to check the error state in
the parent test on each return or, alternatively, just use a bool here.

Style is up to you.

+  }
+
+  void CheckForSCTOrigin(
+      const ct::CTVerifyResult& result,
+      ct::SignedCertificateTimestamp::Origin origin) {
+    ASSERT_TRUE(result.verified_scts.size() > 0);
+    EXPECT_EQ(origin, result.verified_scts[0].origin);
+  }
+
+  void CheckPrecertificateVerification(scoped_refptr<X509Certificate> chain) {
+    ct::CTVerifyResult result;
+    TestCompletionCallback cb;
+    EXPECT_EQ(OK, verifier_->Verify(
+          chain, "", "", &result, cb.callback(), BoundNetLog()));
+    CheckForSingleVerifiedSCTInResult(result);
+    CheckForSCTOrigin(result, ct::SignedCertificateTimestamp::SCT_EMBEDDED);
+  }
+
+ protected:
+  scoped_ptr<MultiLogCTVerifier> verifier_;
+  scoped_refptr<X509Certificate> chain_;
+};
+
+TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCT) {
+  scoped_refptr<X509Certificate> chain(
+      CreateCertificateChainFromFile(GetTestCertsDirectory(),
+                                     "ct-test-embedded-cert.pem",
+                                     X509Certificate::FORMAT_AUTO));
+  ASSERT_TRUE(chain);
+  CheckPrecertificateVerification(chain);
+}
+
+TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithPreCA) {
+  scoped_refptr<X509Certificate> chain(
+      CreateCertificateChainFromFile(GetTestCertsDirectory(),
+                                     "ct-test-embedded-with-preca-chain.pem",
+                                     X509Certificate::FORMAT_AUTO));
+  ASSERT_TRUE(chain);
+
+  CheckPrecertificateVerification(chain);
+}
+
+TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithIntermediate) {
+  scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile(
+      GetTestCertsDirectory(),
+      "ct-test-embedded-with-intermediate-chain.pem",
+      X509Certificate::FORMAT_AUTO));
+  ASSERT_TRUE(chain);
+
+  CheckPrecertificateVerification(chain);
+}
+
+TEST_F(MultiLogCTVerifierTest,
+       VerifiesEmbeddedSCTWithIntermediateAndPreCA) {
+  scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile(
+      GetTestCertsDirectory(),
+      "ct-test-embedded-with-intermediate-preca-chain.pem",
+      X509Certificate::FORMAT_AUTO));
+  ASSERT_TRUE(chain);
+
+  CheckPrecertificateVerification(chain);
+}
+
+TEST_F(MultiLogCTVerifierTest,
+       VerifiesSCTOverX509Cert) {
+  std::string sct(ct::GetTestSignedCertificateTimestamp());
+
+  std::string sct_list;
+  ASSERT_TRUE(ct::EncodeSCTListForTesting(sct, &sct_list));
+
+  ct::CTVerifyResult result;
+  TestCompletionCallback cb;
+  EXPECT_EQ(OK, verifier_->Verify(
+        chain_, "", sct_list, &result, cb.callback(), BoundNetLog()));
+  CheckForSingleVerifiedSCTInResult(result);
+  CheckForSCTOrigin(
+      result, ct::SignedCertificateTimestamp::SCT_FROM_TLS_HANDSHAKE);
+}
+
+TEST_F(MultiLogCTVerifierTest,
+       IdentifiesSCTFromUnknownLog) {
+  std::string sct(ct::GetTestSignedCertificateTimestamp());
+
+  // Change a byte inside the Log ID part of the SCT so it does
+  // not match the log used in the tests
+  sct[15] = 't';
+
+  std::string sct_list;
+  ASSERT_TRUE(ct::EncodeSCTListForTesting(sct, &sct_list));
+
+  ct::CTVerifyResult result;
+  TestCompletionCallback cb;
+  EXPECT_NE(OK, verifier_->Verify(
+        chain_, sct_list, "", &result, cb.callback(), BoundNetLog()));
+  EXPECT_EQ(1U, result.unknown_logs_scts.size());
+}
+
+}  // namespace
+
+}  // namespace net