net/cert/ct_objects_extractor_unittest.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/ct_objects_extractor.h"
   6
   7 #include "base/files/file_path.h"
   8 #include "net/base/test_data_directory.h"
   9 #include "net/cert/ct_log_verifier.h"
  10 #include "net/cert/ct_serialization.h"
  11 #include "net/cert/signed_certificate_timestamp.h"
  12 #include "net/cert/x509_certificate.h"
  13 #include "net/test/cert_test_util.h"
  14 #include "net/test/ct_test_util.h"
  15 #include "testing/gtest/include/gtest/gtest.h"
  16
  17 namespace net {
  18
  19 namespace ct {
  20
  21 class CTObjectsExtractorTest : public ::testing::Test {
  22  public:
  23   void SetUp() override {
  24     precert_chain_ =
  25         CreateCertificateListFromFile(GetTestCertsDirectory(),
  26                                       "ct-test-embedded-cert.pem",
  27                                       X509Certificate::FORMAT_AUTO);
  28     ASSERT_EQ(2u, precert_chain_.size());
  29
  30     std::string der_test_cert(ct::GetDerEncodedX509Cert());
  31     test_cert_ = X509Certificate::CreateFromBytes(der_test_cert.data(),
  32                                                   der_test_cert.length());
  33
  34     log_ = CTLogVerifier::Create(ct::GetTestPublicKey(), "testlog",
  35                                  "https://ct.example.com").Pass();
  36     ASSERT_TRUE(log_);
  37   }
  38
  39   void ExtractEmbeddedSCT(scoped_refptr<X509Certificate> cert,
  40                           scoped_refptr<SignedCertificateTimestamp>* sct) {
  41     std::string sct_list;
  42     EXPECT_TRUE(ExtractEmbeddedSCTList(cert->os_cert_handle(), &sct_list));
  43
  44     std::vector<base::StringPiece> parsed_scts;
  45     base::StringPiece sct_list_sp(sct_list);
  46     // Make sure the SCT list can be decoded properly
  47     EXPECT_TRUE(DecodeSCTList(&sct_list_sp, &parsed_scts));
  48
  49     EXPECT_TRUE(DecodeSignedCertificateTimestamp(&parsed_scts[0], sct));
  50   }
  51
  52  protected:
  53   CertificateList precert_chain_;
  54   scoped_refptr<X509Certificate> test_cert_;
  55   scoped_refptr<CTLogVerifier> log_;
  56 };
  57
  58 // Test that an SCT can be extracted and the extracted SCT contains the
  59 // expected data.
  60 TEST_F(CTObjectsExtractorTest, ExtractEmbeddedSCT) {
  61   scoped_refptr<ct::SignedCertificateTimestamp> sct(
  62       new ct::SignedCertificateTimestamp());
  63   ExtractEmbeddedSCT(precert_chain_[0], &sct);
  64
  65   EXPECT_EQ(sct->version, SignedCertificateTimestamp::SCT_VERSION_1);
  66   EXPECT_EQ(ct::GetTestPublicKeyId(), sct->log_id);
  67
  68   base::Time expected_timestamp =
  69       base::Time::UnixEpoch() +
  70       base::TimeDelta::FromMilliseconds(1365181456275);
  71   EXPECT_EQ(expected_timestamp, sct->timestamp);
  72 }
  73
  74 TEST_F(CTObjectsExtractorTest, ExtractPrecert) {
  75   LogEntry entry;
  76   ASSERT_TRUE(GetPrecertLogEntry(precert_chain_[0]->os_cert_handle(),
  77                                  precert_chain_[1]->os_cert_handle(),
  78                                  &entry));
  79
  80   ASSERT_EQ(ct::LogEntry::LOG_ENTRY_TYPE_PRECERT, entry.type);
  81   // Should have empty leaf cert for this log entry type.
  82   ASSERT_TRUE(entry.leaf_certificate.empty());
  83   // Compare hash values of issuer spki.
  84   SHA256HashValue expected_issuer_key_hash;
  85   memcpy(expected_issuer_key_hash.data, GetDefaultIssuerKeyHash().data(), 32);
  86   ASSERT_TRUE(expected_issuer_key_hash.Equals(entry.issuer_key_hash));
  87 }
  88
  89 TEST_F(CTObjectsExtractorTest, ExtractOrdinaryX509Cert) {
  90   LogEntry entry;
  91   ASSERT_TRUE(GetX509LogEntry(test_cert_->os_cert_handle(), &entry));
  92
  93   ASSERT_EQ(ct::LogEntry::LOG_ENTRY_TYPE_X509, entry.type);
  94   // Should have empty tbs_certificate for this log entry type.
  95   ASSERT_TRUE(entry.tbs_certificate.empty());
  96   // Length of leaf_certificate should be 718, see the CT Serialization tests.
  97   ASSERT_EQ(718U, entry.leaf_certificate.size());
  98 }
  99
 100 // Test that the embedded SCT verifies
 101 TEST_F(CTObjectsExtractorTest, ExtractedSCTVerifies) {
 102   scoped_refptr<ct::SignedCertificateTimestamp> sct(
 103       new ct::SignedCertificateTimestamp());
 104   ExtractEmbeddedSCT(precert_chain_[0], &sct);
 105
 106   LogEntry entry;
 107   ASSERT_TRUE(GetPrecertLogEntry(precert_chain_[0]->os_cert_handle(),
 108                                  precert_chain_[1]->os_cert_handle(),
 109                                  &entry));
 110
 111   EXPECT_TRUE(log_->Verify(entry, *sct.get()));
 112 }
 113
 114 // Test that an externally-provided SCT verifies over the LogEntry
 115 // of a regular X.509 Certificate
 116 TEST_F(CTObjectsExtractorTest, ComplementarySCTVerifies) {
 117   scoped_refptr<ct::SignedCertificateTimestamp> sct(
 118       new ct::SignedCertificateTimestamp());
 119   GetX509CertSCT(&sct);
 120
 121   LogEntry entry;
 122   ASSERT_TRUE(GetX509LogEntry(test_cert_->os_cert_handle(), &entry));
 123
 124   EXPECT_TRUE(log_->Verify(entry, *sct.get()));
 125 }
 126
 127 // Test that the extractor can parse OCSP responses.
 128 TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponse) {
 129   std::string der_subject_cert(ct::GetDerEncodedFakeOCSPResponseCert());
 130   scoped_refptr<X509Certificate> subject_cert =
 131       X509Certificate::CreateFromBytes(der_subject_cert.data(),
 132                                        der_subject_cert.length());
 133   std::string der_issuer_cert(ct::GetDerEncodedFakeOCSPResponseIssuerCert());
 134   scoped_refptr<X509Certificate> issuer_cert =
 135       X509Certificate::CreateFromBytes(der_issuer_cert.data(),
 136                                        der_issuer_cert.length());
 137
 138   std::string fake_sct_list = ct::GetFakeOCSPExtensionValue();
 139   ASSERT_FALSE(fake_sct_list.empty());
 140   std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();
 141
 142   std::string extracted_sct_list;
 143   EXPECT_TRUE(ct::ExtractSCTListFromOCSPResponse(
 144       issuer_cert->os_cert_handle(), subject_cert->serial_number(),
 145       ocsp_response, &extracted_sct_list));
 146   EXPECT_EQ(extracted_sct_list, fake_sct_list);
 147 }
 148
 149 // Test that the extractor honours serial number.
 150 TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponseMatchesSerial) {
 151   std::string der_issuer_cert(ct::GetDerEncodedFakeOCSPResponseIssuerCert());
 152   scoped_refptr<X509Certificate> issuer_cert =
 153       X509Certificate::CreateFromBytes(der_issuer_cert.data(),
 154                                        der_issuer_cert.length());
 155
 156   std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();
 157
 158   std::string extracted_sct_list;
 159   EXPECT_FALSE(ct::ExtractSCTListFromOCSPResponse(
 160       issuer_cert->os_cert_handle(), test_cert_->serial_number(),
 161       ocsp_response, &extracted_sct_list));
 162 }
 163
 164 // Test that the extractor honours issuer ID.
 165 TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponseMatchesIssuer) {
 166   std::string der_subject_cert(ct::GetDerEncodedFakeOCSPResponseCert());
 167   scoped_refptr<X509Certificate> subject_cert =
 168       X509Certificate::CreateFromBytes(der_subject_cert.data(),
 169                                        der_subject_cert.length());
 170
 171   std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();
 172
 173   std::string extracted_sct_list;
 174   // Use test_cert_ for issuer - it is not the correct issuer of |subject_cert|.
 175   EXPECT_FALSE(ct::ExtractSCTListFromOCSPResponse(
 176       test_cert_->os_cert_handle(), subject_cert->serial_number(),
 177       ocsp_response, &extracted_sct_list));
 178 }
 179
 180 }  // namespace ct
 181
 182 }  // namespace net