| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/multi_log_ct_verifier.h" | 5 #include "net/cert/multi_log_ct_verifier.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/file_util.h" | 9 #include "base/file_util.h" |
| 10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
| 11 #include "net/base/capturing_net_log.h" |
| 11 #include "net/base/net_errors.h" | 12 #include "net/base/net_errors.h" |
| 13 #include "net/base/net_log.h" |
| 12 #include "net/base/test_data_directory.h" | 14 #include "net/base/test_data_directory.h" |
| 13 #include "net/cert/ct_log_verifier.h" | 15 #include "net/cert/ct_log_verifier.h" |
| 14 #include "net/cert/ct_serialization.h" | 16 #include "net/cert/ct_serialization.h" |
| 15 #include "net/cert/ct_verify_result.h" | 17 #include "net/cert/ct_verify_result.h" |
| 16 #include "net/cert/pem_tokenizer.h" | 18 #include "net/cert/pem_tokenizer.h" |
| 17 #include "net/cert/signed_certificate_timestamp.h" | 19 #include "net/cert/signed_certificate_timestamp.h" |
| 18 #include "net/cert/x509_certificate.h" | 20 #include "net/cert/x509_certificate.h" |
| 19 #include "net/test/cert_test_util.h" | 21 #include "net/test/cert_test_util.h" |
| 20 #include "net/test/ct_test_util.h" | 22 #include "net/test/ct_test_util.h" |
| 21 #include "testing/gtest/include/gtest/gtest.h" | 23 #include "testing/gtest/include/gtest/gtest.h" |
| 46 result.unknown_logs_scts.empty(); | 48 result.unknown_logs_scts.empty(); |
| 47 } | 49 } |
| 48 | 50 |
| 49 bool CheckForSCTOrigin( | 51 bool CheckForSCTOrigin( |
| 50 const ct::CTVerifyResult& result, | 52 const ct::CTVerifyResult& result, |
| 51 ct::SignedCertificateTimestamp::Origin origin) { | 53 ct::SignedCertificateTimestamp::Origin origin) { |
| 52 return (result.verified_scts.size() > 0) && | 54 return (result.verified_scts.size() > 0) && |
| 53 (result.verified_scts[0]->origin == origin); | 55 (result.verified_scts[0]->origin == origin); |
| 54 } | 56 } |
| 55 | 57 |
| 58 bool CheckForEmbeddedSCTInNetLog(CapturingNetLog& net_log) { |
| 59 CapturingNetLog::CapturedEntryList entries; |
| 60 net_log.GetEntries(&entries); |
| 61 if (entries.size() != 2) |
| 62 return false; |
| 63 |
| 64 const CapturingNetLog::CapturedEntry& received(entries[0]); |
| 65 std::string embedded_scts; |
| 66 if (!received.GetStringValue("embedded_scts", &embedded_scts)) |
| 67 return false; |
| 68 if (embedded_scts.empty()) |
| 69 return false; |
| 70 |
| 71 //XXX(eranm): entries[1] is the NetLog message with the checked SCTs. |
| 72 //When CapturedEntry has methods to get a dictionary, rather than just |
| 73 //a string, add more checks here. |
| 74 |
| 75 return true; |
| 76 } |
| 77 |
| 56 bool CheckPrecertificateVerification(scoped_refptr<X509Certificate> chain) { | 78 bool CheckPrecertificateVerification(scoped_refptr<X509Certificate> chain) { |
| 57 ct::CTVerifyResult result; | 79 ct::CTVerifyResult result; |
| 58 return (verifier_->Verify(chain, "", "", &result) == OK) && | 80 CapturingNetLog net_log; |
| 81 BoundNetLog bound_net_log = |
| 82 BoundNetLog::Make(&net_log, NetLog::SOURCE_CONNECT_JOB); |
| 83 return (verifier_->Verify(chain, "", "", &result, bound_net_log) == OK) && |
| 59 CheckForSingleVerifiedSCTInResult(result) && | 84 CheckForSingleVerifiedSCTInResult(result) && |
| 60 CheckForSCTOrigin( | 85 CheckForSCTOrigin( |
| 61 result, ct::SignedCertificateTimestamp::SCT_EMBEDDED); | 86 result, ct::SignedCertificateTimestamp::SCT_EMBEDDED) && |
| 87 CheckForEmbeddedSCTInNetLog(net_log); |
| 62 } | 88 } |
| 63 | 89 |
| 64 protected: | 90 protected: |
| 65 scoped_ptr<MultiLogCTVerifier> verifier_; | 91 scoped_ptr<MultiLogCTVerifier> verifier_; |
| 66 scoped_refptr<X509Certificate> chain_; | 92 scoped_refptr<X509Certificate> chain_; |
| 67 }; | 93 }; |
| 68 | 94 |
| 69 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCT) { | 95 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCT) { |
| 70 scoped_refptr<X509Certificate> chain( | 96 scoped_refptr<X509Certificate> chain( |
| 71 CreateCertificateChainFromFile(GetTestCertsDirectory(), | 97 CreateCertificateChainFromFile(GetTestCertsDirectory(), |
| 104 } | 130 } |
| 105 | 131 |
| 106 TEST_F(MultiLogCTVerifierTest, | 132 TEST_F(MultiLogCTVerifierTest, |
| 107 VerifiesSCTOverX509Cert) { | 133 VerifiesSCTOverX509Cert) { |
| 108 std::string sct(ct::GetTestSignedCertificateTimestamp()); | 134 std::string sct(ct::GetTestSignedCertificateTimestamp()); |
| 109 | 135 |
| 110 std::string sct_list; | 136 std::string sct_list; |
| 111 ASSERT_TRUE(ct::EncodeSCTListForTesting(sct, &sct_list)); | 137 ASSERT_TRUE(ct::EncodeSCTListForTesting(sct, &sct_list)); |
| 112 | 138 |
| 113 ct::CTVerifyResult result; | 139 ct::CTVerifyResult result; |
| 114 EXPECT_EQ(OK, verifier_->Verify(chain_, "", sct_list, &result)); | 140 EXPECT_EQ(OK, |
| 141 verifier_->Verify(chain_, "", sct_list, &result, BoundNetLog())); |
| 115 ASSERT_TRUE(CheckForSingleVerifiedSCTInResult(result)); | 142 ASSERT_TRUE(CheckForSingleVerifiedSCTInResult(result)); |
| 116 ASSERT_TRUE(CheckForSCTOrigin( | 143 ASSERT_TRUE(CheckForSCTOrigin( |
| 117 result, ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION)); | 144 result, ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION)); |
| 118 } | 145 } |
| 119 | 146 |
| 120 TEST_F(MultiLogCTVerifierTest, | 147 TEST_F(MultiLogCTVerifierTest, |
| 121 IdentifiesSCTFromUnknownLog) { | 148 IdentifiesSCTFromUnknownLog) { |
| 122 std::string sct(ct::GetTestSignedCertificateTimestamp()); | 149 std::string sct(ct::GetTestSignedCertificateTimestamp()); |
| 123 | 150 |
| 124 // Change a byte inside the Log ID part of the SCT so it does | 151 // Change a byte inside the Log ID part of the SCT so it does |
| 125 // not match the log used in the tests | 152 // not match the log used in the tests |
| 126 sct[15] = 't'; | 153 sct[15] = 't'; |
| 127 | 154 |
| 128 std::string sct_list; | 155 std::string sct_list; |
| 129 ASSERT_TRUE(ct::EncodeSCTListForTesting(sct, &sct_list)); | 156 ASSERT_TRUE(ct::EncodeSCTListForTesting(sct, &sct_list)); |
| 130 | 157 |
| 131 ct::CTVerifyResult result; | 158 ct::CTVerifyResult result; |
| 132 EXPECT_NE(OK, verifier_->Verify(chain_, sct_list, "", &result)); | 159 EXPECT_NE(OK, |
| 160 verifier_->Verify(chain_, sct_list, "", &result, BoundNetLog())); |
| 133 EXPECT_EQ(1U, result.unknown_logs_scts.size()); | 161 EXPECT_EQ(1U, result.unknown_logs_scts.size()); |
| 134 } | 162 } |
| 135 | 163 |
| 136 } // namespace | 164 } // namespace |
| 137 | 165 |
| 138 } // namespace net | 166 } // namespace net |
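Review bot: The new `CheckForEmbeddedSCTInNetLog` helper (new lines 58-76) only asserts that exactly two entries were logged and that `entries[0]` carries a non-empty `embedded_scts` string; it never checks which events those two entries are, so any two events that happen to carry such a param would pass, and any additional NetLog event added to `Verify` later will break the test on the count alone rather than on the thing it is meant to guard. If `CapturedEntry` exposes the event type (Chromium's did, as `type`), compare it against the event `Verify` emits for received SCTs before reading the param, and consider checking the second entry's type too rather than leaving it to the `XXX` comment. As a style point, Chromium passes mutable arguments by pointer, so the signature should be `bool CheckForEmbeddedSCTInNetLog(CapturingNetLog* net_log)` with `net_log->GetEntries(&entries)`. Separately, the updated call on new lines 159-160 passes `sct_list` as the second argument of `Verify` while the call on new line 141 passes it as the third; unless the second slot is also meant to accept an SCT list (the signature is not visible here), the unknown-log test is feeding the SCT list into the wrong input and may be passing for the wrong reason.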