Home | History | Annotate | Download | only in cert 
      1 // Copyright 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "net/cert/ct_log_verifier.h"
      6 
      7 #include <string>
      8 
      9 #include "base/time/time.h"
     10 #include "net/cert/signed_certificate_timestamp.h"
     11 #include "net/cert/signed_tree_head.h"
     12 #include "net/test/ct_test_util.h"
     13 #include "testing/gtest/include/gtest/gtest.h"
     14 
     15 namespace net {
     16 
     17 class CTLogVerifierTest : public ::testing::Test {
     18  public:
     19   CTLogVerifierTest() {}
     20 
     21   virtual void SetUp() OVERRIDE {
     22     log_ = CTLogVerifier::Create(ct::GetTestPublicKey(), "testlog").Pass();
     23 
     24     ASSERT_TRUE(log_);
     25     ASSERT_EQ(log_->key_id(), ct::GetTestPublicKeyId());
     26   }
     27 
     28  protected:
     29   scoped_ptr<CTLogVerifier> log_;
     30 };
     31 
     32 TEST_F(CTLogVerifierTest, VerifiesCertSCT) {
     33   ct::LogEntry cert_entry;
     34   ct::GetX509CertLogEntry(&cert_entry);
     35 
     36   scoped_refptr<ct::SignedCertificateTimestamp> cert_sct;
     37   ct::GetX509CertSCT(&cert_sct);
     38 
     39   EXPECT_TRUE(log_->Verify(cert_entry, *cert_sct));
     40 }
     41 
     42 TEST_F(CTLogVerifierTest, VerifiesPrecertSCT) {
     43   ct::LogEntry precert_entry;
     44   ct::GetPrecertLogEntry(&precert_entry);
     45 
     46   scoped_refptr<ct::SignedCertificateTimestamp> precert_sct;
     47   ct::GetPrecertSCT(&precert_sct);
     48 
     49   EXPECT_TRUE(log_->Verify(precert_entry, *precert_sct));
     50 }
     51 
     52 TEST_F(CTLogVerifierTest, FailsInvalidTimestamp) {
     53   ct::LogEntry cert_entry;
     54   ct::GetX509CertLogEntry(&cert_entry);
     55 
     56   scoped_refptr<ct::SignedCertificateTimestamp> cert_sct;
     57   ct::GetX509CertSCT(&cert_sct);
     58 
     59   // Mangle the timestamp, so that it should fail signature validation.
     60   cert_sct->timestamp = base::Time::Now();
     61 
     62   EXPECT_FALSE(log_->Verify(cert_entry, *cert_sct));
     63 }
     64 
     65 TEST_F(CTLogVerifierTest, FailsInvalidLogID) {
     66   ct::LogEntry cert_entry;
     67   ct::GetX509CertLogEntry(&cert_entry);
     68 
     69   scoped_refptr<ct::SignedCertificateTimestamp> cert_sct;
     70   ct::GetX509CertSCT(&cert_sct);
     71 
     72   // Mangle the log ID, which should cause it to match a different log before
     73   // attempting signature validation.
     74   cert_sct->log_id.assign(cert_sct->log_id.size(), '\0');
     75 
     76   EXPECT_FALSE(log_->Verify(cert_entry, *cert_sct));
     77 }
     78 
     79 TEST_F(CTLogVerifierTest, SetsValidSTH) {
     80   scoped_ptr<ct::SignedTreeHead> sth(new ct::SignedTreeHead());
     81   ct::GetSignedTreeHead(sth.get());
     82   ASSERT_TRUE(log_->SetSignedTreeHead(sth.Pass()));
     83 }
     84 
     85 TEST_F(CTLogVerifierTest, DoesNotSetInvalidSTH) {
     86   scoped_ptr<ct::SignedTreeHead> sth(new ct::SignedTreeHead());
     87   ct::GetSignedTreeHead(sth.get());
     88   sth->sha256_root_hash[0] = '\x0';
     89   ASSERT_FALSE(log_->SetSignedTreeHead(sth.Pass()));
     90 }
     91 
     92 }  // namespace net
     93