diff options
| author | eranm@google.com <eranm@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-10 20:33:25 +0000 |
|---|---|---|
| committer | eranm@google.com <eranm@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-10 20:33:25 +0000 |
| commit | 1a49a438b0f86e3abbe6389521d6e3af823e9cfd (patch) | |
| tree | 7eb00fb49ea3bd5a33d0861eea37afb115598a00 /net/cert | |
| parent | ab5ac0c38a2a0e562bced6db98767f0ca595a414 (diff) | |
| download | chromium_src-1a49a438b0f86e3abbe6389521d6e3af823e9cfd.zip chromium_src-1a49a438b0f86e3abbe6389521d6e3af823e9cfd.tar.gz chromium_src-1a49a438b0f86e3abbe6389521d6e3af823e9cfd.tar.bz2 | |
Certificate Transparency: Saving log description in SCT.
This is necessary for displaying a human-readable affilication for
each Signed Certificate Timestamp, as well as keeping the description
of the log in persistent storage in case the log is removed from Chrome
but validated SCTs from this log exist in the cache.
BUG=309578
Review URL: https://codereview.chromium.org/110593002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@239836 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/cert')
| -rw-r--r-- | net/cert/multi_log_ct_verifier.cc | 2 | ||||
| -rw-r--r-- | net/cert/multi_log_ct_verifier_unittest.cc | 8 | ||||
| -rw-r--r-- | net/cert/signed_certificate_timestamp.cc | 8 | ||||
| -rw-r--r-- | net/cert/signed_certificate_timestamp.h | 5 | ||||
| -rw-r--r-- | net/cert/signed_certificate_timestamp_unittest.cc | 54 |
5 files changed, 74 insertions, 3 deletions
diff --git a/net/cert/multi_log_ct_verifier.cc b/net/cert/multi_log_ct_verifier.cc index ae78a7b..d91195f 100644 --- a/net/cert/multi_log_ct_verifier.cc +++ b/net/cert/multi_log_ct_verifier.cc @@ -147,6 +147,8 @@ bool MultiLogCTVerifier::VerifySingleSCT( return false; } + sct->log_description = it->second->description(); + if (!it->second->Verify(expected_entry, *sct)) { DVLOG(1) << "Unable to verify SCT signature."; result->invalid_scts.push_back(sct); diff --git a/net/cert/multi_log_ct_verifier_unittest.cc b/net/cert/multi_log_ct_verifier_unittest.cc index b27abf0..30d92b8 100644 --- a/net/cert/multi_log_ct_verifier_unittest.cc +++ b/net/cert/multi_log_ct_verifier_unittest.cc @@ -26,11 +26,13 @@ namespace net { namespace { +const char kLogDescription[] = "somelog"; + class MultiLogCTVerifierTest : public ::testing::Test { public: virtual void SetUp() OVERRIDE { scoped_ptr<CTLogVerifier> log( - CTLogVerifier::Create(ct::GetTestPublicKey(), "")); + CTLogVerifier::Create(ct::GetTestPublicKey(), kLogDescription)); ASSERT_TRUE(log); verifier_.reset(new MultiLogCTVerifier()); @@ -45,7 +47,8 @@ class MultiLogCTVerifierTest : public ::testing::Test { bool CheckForSingleVerifiedSCTInResult(const ct::CTVerifyResult& result) { return (result.verified_scts.size() == 1U) && result.invalid_scts.empty() && - result.unknown_logs_scts.empty(); + result.unknown_logs_scts.empty() && + result.verified_scts[0]->log_description == kLogDescription; } bool CheckForSCTOrigin( @@ -159,6 +162,7 @@ TEST_F(MultiLogCTVerifierTest, EXPECT_NE(OK, verifier_->Verify(chain_, sct_list, "", &result, BoundNetLog())); EXPECT_EQ(1U, result.unknown_logs_scts.size()); + EXPECT_EQ("", result.unknown_logs_scts[0]->log_description); } } // namespace diff --git a/net/cert/signed_certificate_timestamp.cc b/net/cert/signed_certificate_timestamp.cc index bdb54f1..0a72cd1 100644 --- a/net/cert/signed_certificate_timestamp.cc +++ b/net/cert/signed_certificate_timestamp.cc @@ -38,6 +38,8 @@ void SignedCertificateTimestamp::Persist(Pickle* pickle) { CHECK(pickle->WriteInt(signature.hash_algorithm)); CHECK(pickle->WriteInt(signature.signature_algorithm)); CHECK(pickle->WriteString(signature.signature_data)); + CHECK(pickle->WriteInt(origin)); + CHECK(pickle->WriteString(log_description)); } // static @@ -49,6 +51,7 @@ SignedCertificateTimestamp::CreateFromPickle(PickleIterator* iter) { int sig_algorithm; scoped_refptr<SignedCertificateTimestamp> sct( new SignedCertificateTimestamp()); + int origin; // string values are set directly if (!(iter->ReadInt(&version) && iter->ReadString(&sct->log_id) && @@ -56,7 +59,9 @@ SignedCertificateTimestamp::CreateFromPickle(PickleIterator* iter) { iter->ReadString(&sct->extensions) && iter->ReadInt(&hash_algorithm) && iter->ReadInt(&sig_algorithm) && - iter->ReadString(&sct->signature.signature_data))) { + iter->ReadString(&sct->signature.signature_data) && + iter->ReadInt(&origin) && + iter->ReadString(&sct->log_description))) { return NULL; } // Now set the rest of the member variables: @@ -66,6 +71,7 @@ SignedCertificateTimestamp::CreateFromPickle(PickleIterator* iter) { static_cast<DigitallySigned::HashAlgorithm>(hash_algorithm); sct->signature.signature_algorithm = static_cast<DigitallySigned::SignatureAlgorithm>(sig_algorithm); + sct->origin = static_cast<Origin>(origin); return sct; } diff --git a/net/cert/signed_certificate_timestamp.h b/net/cert/signed_certificate_timestamp.h index c3d0009..f065a94 100644 --- a/net/cert/signed_certificate_timestamp.h +++ b/net/cert/signed_certificate_timestamp.h @@ -108,6 +108,11 @@ struct NET_EXPORT SignedCertificateTimestamp // The origin should not participate in equality checks // as the same SCT can be provided from multiple sources. Origin origin; + // The log description is not one of the SCT fields, but a user-readable + // name defined alongside the log key. It should not participate + // in equality checks as the log's description could change while + // the SCT would be the same. + std::string log_description; private: friend class base::RefCountedThreadSafe<SignedCertificateTimestamp>; diff --git a/net/cert/signed_certificate_timestamp_unittest.cc b/net/cert/signed_certificate_timestamp_unittest.cc new file mode 100644 index 0000000..c758d65 --- /dev/null +++ b/net/cert/signed_certificate_timestamp_unittest.cc @@ -0,0 +1,54 @@ +// Copyright 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/cert/signed_certificate_timestamp.h" + +#include <string> + +#include "base/pickle.h" +#include "net/test/ct_test_util.h" +#include "testing/gtest/include/gtest/gtest.h" + +namespace net { + +namespace ct { + +namespace { + +const char kLogDescription[] = "somelog"; + +class SignedCertificateTimestampTest : public ::testing::Test { + public: + virtual void SetUp() OVERRIDE { + GetX509CertSCT(&sample_sct_); + sample_sct_->origin = SignedCertificateTimestamp::SCT_FROM_OCSP_RESPONSE; + sample_sct_->log_description = kLogDescription; + } + + protected: + scoped_refptr<SignedCertificateTimestamp> sample_sct_; +}; + +TEST_F(SignedCertificateTimestampTest, PicklesAndUnpickles) { + Pickle pickle; + + sample_sct_->Persist(&pickle); + PickleIterator iter(pickle); + + scoped_refptr<SignedCertificateTimestamp> unpickled_sct( + SignedCertificateTimestamp::CreateFromPickle(&iter)); + + SignedCertificateTimestamp::LessThan less_than; + + ASSERT_FALSE(less_than(sample_sct_, unpickled_sct)); + ASSERT_FALSE(less_than(unpickled_sct, sample_sct_)); + ASSERT_EQ(sample_sct_->origin, unpickled_sct->origin); + ASSERT_EQ(sample_sct_->log_description, unpickled_sct->log_description); +} + +} // namespace + +} // namespace ct + +} // namespace net |