net/cert/ct_log_verifier_unittest.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/ct_log_verifier.h"
   6
   7 #include <string>
   8
   9 #include "base/time/time.h"
  10 #include "net/cert/signed_certificate_timestamp.h"
  11 #include "net/cert/signed_tree_head.h"
  12 #include "net/test/ct_test_util.h"
  13 #include "testing/gtest/include/gtest/gtest.h"
  14
  15 namespace net {
  16
  17 class CTLogVerifierTest : public ::testing::Test {
  18  public:
  19   CTLogVerifierTest() {}
  20
  21   void SetUp() override {
  22     log_ = CTLogVerifier::Create(ct::GetTestPublicKey(), "testlog",
  23                                  "https://ct.example.com").Pass();
  24
  25     ASSERT_TRUE(log_);
  26     ASSERT_EQ(log_->key_id(), ct::GetTestPublicKeyId());
  27   }
  28
  29  protected:
  30   scoped_refptr<CTLogVerifier> log_;
  31 };
  32
  33 TEST_F(CTLogVerifierTest, VerifiesCertSCT) {
  34   ct::LogEntry cert_entry;
  35   ct::GetX509CertLogEntry(&cert_entry);
  36
  37   scoped_refptr<ct::SignedCertificateTimestamp> cert_sct;
  38   ct::GetX509CertSCT(&cert_sct);
  39
  40   EXPECT_TRUE(log_->Verify(cert_entry, *cert_sct.get()));
  41 }
  42
  43 TEST_F(CTLogVerifierTest, VerifiesPrecertSCT) {
  44   ct::LogEntry precert_entry;
  45   ct::GetPrecertLogEntry(&precert_entry);
  46
  47   scoped_refptr<ct::SignedCertificateTimestamp> precert_sct;
  48   ct::GetPrecertSCT(&precert_sct);
  49
  50   EXPECT_TRUE(log_->Verify(precert_entry, *precert_sct.get()));
  51 }
  52
  53 TEST_F(CTLogVerifierTest, FailsInvalidTimestamp) {
  54   ct::LogEntry cert_entry;
  55   ct::GetX509CertLogEntry(&cert_entry);
  56
  57   scoped_refptr<ct::SignedCertificateTimestamp> cert_sct;
  58   ct::GetX509CertSCT(&cert_sct);
  59
  60   // Mangle the timestamp, so that it should fail signature validation.
  61   cert_sct->timestamp = base::Time::Now();
  62
  63   EXPECT_FALSE(log_->Verify(cert_entry, *cert_sct.get()));
  64 }
  65
  66 TEST_F(CTLogVerifierTest, FailsInvalidLogID) {
  67   ct::LogEntry cert_entry;
  68   ct::GetX509CertLogEntry(&cert_entry);
  69
  70   scoped_refptr<ct::SignedCertificateTimestamp> cert_sct;
  71   ct::GetX509CertSCT(&cert_sct);
  72
  73   // Mangle the log ID, which should cause it to match a different log before
  74   // attempting signature validation.
  75   cert_sct->log_id.assign(cert_sct->log_id.size(), '\0');
  76
  77   EXPECT_FALSE(log_->Verify(cert_entry, *cert_sct.get()));
  78 }
  79
  80 TEST_F(CTLogVerifierTest, SetsValidSTH) {
  81   ct::SignedTreeHead sth;
  82   ct::GetSampleSignedTreeHead(&sth);
  83   ASSERT_TRUE(log_->VerifySignedTreeHead(sth));
  84 }
  85
  86 TEST_F(CTLogVerifierTest, DoesNotSetInvalidSTH) {
  87   ct::SignedTreeHead sth;
  88   ct::GetSampleSignedTreeHead(&sth);
  89   sth.sha256_root_hash[0] = '\x0';
  90   ASSERT_FALSE(log_->VerifySignedTreeHead(sth));
  91 }
  92
  93 // Test that excess data after the public key is rejected.
  94 TEST_F(CTLogVerifierTest, ExcessDataInPublicKey) {
  95   std::string key = ct::GetTestPublicKey();
  96   key += "extra";
  97
  98   scoped_refptr<CTLogVerifier> log =
  99       CTLogVerifier::Create(key, "testlog", "https://ct.example.com");
 100   EXPECT_FALSE(log);
 101 }
 102
 103 }  // namespace net