diff options
| author | eranm@google.com <eranm@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-19 04:23:10 +0000 |
|---|---|---|
| committer | eranm@google.com <eranm@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-19 04:23:10 +0000 |
| commit | f5c82e82d06b5ecb640e78b549460479f59ea8e7 (patch) | |
| tree | 47f8b5cbbb2ca33e80d14cbc10f877253e382b95 /net/cert/ct_objects_extractor_unittest.cc | |
| parent | 3d6a8298c13dc5062898762839daad2e957f0c99 (diff) | |
| download | chromium_src-f5c82e82d06b5ecb640e78b549460479f59ea8e7.zip chromium_src-f5c82e82d06b5ecb640e78b549460479f59ea8e7.tar.gz chromium_src-f5c82e82d06b5ecb640e78b549460479f59ea8e7.tar.bz2 | |
CT: Adding SCT and PreCertificates extractor. This code creates the
LogEntry structure over which Signed Certificate Timestamps can be
verified (and the unit tests demonstrate this).
BUG=309578
Review URL: https://codereview.chromium.org/65863002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@235915 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/cert/ct_objects_extractor_unittest.cc')
| -rw-r--r-- | net/cert/ct_objects_extractor_unittest.cc | 125 |
1 files changed, 125 insertions, 0 deletions
diff --git a/net/cert/ct_objects_extractor_unittest.cc b/net/cert/ct_objects_extractor_unittest.cc new file mode 100644 index 0000000..30ababd --- /dev/null +++ b/net/cert/ct_objects_extractor_unittest.cc @@ -0,0 +1,125 @@ +// Copyright 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/cert/ct_objects_extractor.h" + +#include "base/files/file_path.h" +#include "net/base/test_data_directory.h" +#include "net/cert/ct_log_verifier.h" +#include "net/cert/ct_serialization.h" +#include "net/cert/signed_certificate_timestamp.h" +#include "net/cert/x509_certificate.h" +#include "net/test/cert_test_util.h" +#include "net/test/ct_test_util.h" +#include "testing/gtest/include/gtest/gtest.h" + +namespace net { + +namespace ct { + +class CTObjectsExtractorTest : public ::testing::Test { + public: + virtual void SetUp() OVERRIDE { + precert_chain_ = + CreateCertificateListFromFile(GetTestCertsDirectory(), + "ct-test-embedded-cert.pem", + X509Certificate::FORMAT_AUTO); + ASSERT_EQ(2u, precert_chain_.size()); + + std::string der_test_cert(ct::GetDerEncodedX509Cert()); + test_cert_ = X509Certificate::CreateFromBytes(der_test_cert.data(), + der_test_cert.length()); + + log_ = CTLogVerifier::Create(ct::GetTestPublicKey(), "testlog").Pass(); + ASSERT_TRUE(log_); + } + + void ExtractEmbeddedSCT(scoped_refptr<X509Certificate> cert, + SignedCertificateTimestamp* sct) { + std::string sct_list; + EXPECT_TRUE(ExtractEmbeddedSCTList(cert->os_cert_handle(), &sct_list)); + + std::vector<base::StringPiece> parsed_scts; + base::StringPiece sct_list_sp(sct_list); + // Make sure the SCT list can be decoded properly + EXPECT_TRUE(DecodeSCTList(&sct_list_sp, &parsed_scts)); + + EXPECT_TRUE(DecodeSignedCertificateTimestamp(&parsed_scts[0], sct)); + } + + protected: + CertificateList precert_chain_; + scoped_refptr<X509Certificate> test_cert_; + scoped_ptr<CTLogVerifier> log_; +}; + +// Test that an SCT can be extracted and the extracted SCT contains the +// expected data. +TEST_F(CTObjectsExtractorTest, ExtractEmbeddedSCT) { + ct::SignedCertificateTimestamp sct; + ExtractEmbeddedSCT(precert_chain_[0], &sct); + + EXPECT_EQ(sct.version, SignedCertificateTimestamp::SCT_VERSION_1); + EXPECT_EQ(ct::GetTestPublicKeyId(), sct.log_id); + + base::Time expected_timestamp = + base::Time::UnixEpoch() + + base::TimeDelta::FromMilliseconds(1365181456275); + EXPECT_EQ(expected_timestamp, sct.timestamp); +} + +TEST_F(CTObjectsExtractorTest, ExtractPrecert) { + LogEntry entry; + ASSERT_TRUE(GetPrecertLogEntry(precert_chain_[0]->os_cert_handle(), + precert_chain_[1]->os_cert_handle(), + &entry)); + + ASSERT_EQ(ct::LogEntry::LOG_ENTRY_TYPE_PRECERT, entry.type); + // Should have empty leaf cert for this log entry type. + ASSERT_TRUE(entry.leaf_certificate.empty()); + // Compare hash values of issuer spki. + SHA256HashValue expected_issuer_key_hash; + memcpy(expected_issuer_key_hash.data, GetDefaultIssuerKeyHash().data(), 32); + ASSERT_TRUE(expected_issuer_key_hash.Equals(entry.issuer_key_hash)); +} + +TEST_F(CTObjectsExtractorTest, ExtractOrdinaryX509Cert) { + LogEntry entry; + ASSERT_TRUE(GetX509LogEntry(test_cert_->os_cert_handle(), &entry)); + + ASSERT_EQ(ct::LogEntry::LOG_ENTRY_TYPE_X509, entry.type); + // Should have empty tbs_certificate for this log entry type. + ASSERT_TRUE(entry.tbs_certificate.empty()); + // Length of leaf_certificate should be 718, see the CT Serialization tests. + ASSERT_EQ(718U, entry.leaf_certificate.size()); +} + +// Test that the embedded SCT verifies +TEST_F(CTObjectsExtractorTest, ExtractedSCTVerifies) { + ct::SignedCertificateTimestamp sct; + ExtractEmbeddedSCT(precert_chain_[0], &sct); + + LogEntry entry; + ASSERT_TRUE(GetPrecertLogEntry(precert_chain_[0]->os_cert_handle(), + precert_chain_[1]->os_cert_handle(), + &entry)); + + EXPECT_TRUE(log_->Verify(entry, sct)); +} + +// Test that an externally-provided SCT verifies over the LogEntry +// of a regular X.509 Certificate +TEST_F(CTObjectsExtractorTest, ComplementarySCTVerifies) { + ct::SignedCertificateTimestamp sct; + GetX509CertSCT(&sct); + + LogEntry entry; + ASSERT_TRUE(GetX509LogEntry(test_cert_->os_cert_handle(), &entry)); + + EXPECT_TRUE(log_->Verify(entry, sct)); +} + +} // namespace ct + +} // namespace net |