1// Copyright 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/cert/ct_log_verifier.h" 6 7#include <string> 8 9#include "base/time/time.h" 10#include "net/cert/signed_certificate_timestamp.h" 11#include "net/cert/signed_tree_head.h" 12#include "net/test/ct_test_util.h" 13#include "testing/gtest/include/gtest/gtest.h" 14 15namespace net { 16 17class CTLogVerifierTest : public ::testing::Test { 18 public: 19 CTLogVerifierTest() {} 20 21 virtual void SetUp() OVERRIDE { 22 log_ = CTLogVerifier::Create(ct::GetTestPublicKey(), "testlog").Pass(); 23 24 ASSERT_TRUE(log_); 25 ASSERT_EQ(log_->key_id(), ct::GetTestPublicKeyId()); 26 } 27 28 protected: 29 scoped_ptr<CTLogVerifier> log_; 30}; 31 32TEST_F(CTLogVerifierTest, VerifiesCertSCT) { 33 ct::LogEntry cert_entry; 34 ct::GetX509CertLogEntry(&cert_entry); 35 36 scoped_refptr<ct::SignedCertificateTimestamp> cert_sct; 37 ct::GetX509CertSCT(&cert_sct); 38 39 EXPECT_TRUE(log_->Verify(cert_entry, *cert_sct.get())); 40} 41 42TEST_F(CTLogVerifierTest, VerifiesPrecertSCT) { 43 ct::LogEntry precert_entry; 44 ct::GetPrecertLogEntry(&precert_entry); 45 46 scoped_refptr<ct::SignedCertificateTimestamp> precert_sct; 47 ct::GetPrecertSCT(&precert_sct); 48 49 EXPECT_TRUE(log_->Verify(precert_entry, *precert_sct.get())); 50} 51 52TEST_F(CTLogVerifierTest, FailsInvalidTimestamp) { 53 ct::LogEntry cert_entry; 54 ct::GetX509CertLogEntry(&cert_entry); 55 56 scoped_refptr<ct::SignedCertificateTimestamp> cert_sct; 57 ct::GetX509CertSCT(&cert_sct); 58 59 // Mangle the timestamp, so that it should fail signature validation. 60 cert_sct->timestamp = base::Time::Now(); 61 62 EXPECT_FALSE(log_->Verify(cert_entry, *cert_sct.get())); 63} 64 65TEST_F(CTLogVerifierTest, FailsInvalidLogID) { 66 ct::LogEntry cert_entry; 67 ct::GetX509CertLogEntry(&cert_entry); 68 69 scoped_refptr<ct::SignedCertificateTimestamp> cert_sct; 70 ct::GetX509CertSCT(&cert_sct); 71 72 // Mangle the log ID, which should cause it to match a different log before 73 // attempting signature validation. 74 cert_sct->log_id.assign(cert_sct->log_id.size(), '\0'); 75 76 EXPECT_FALSE(log_->Verify(cert_entry, *cert_sct.get())); 77} 78 79TEST_F(CTLogVerifierTest, SetsValidSTH) { 80 scoped_ptr<ct::SignedTreeHead> sth(new ct::SignedTreeHead()); 81 ct::GetSignedTreeHead(sth.get()); 82 ASSERT_TRUE(log_->SetSignedTreeHead(sth.Pass())); 83} 84 85TEST_F(CTLogVerifierTest, DoesNotSetInvalidSTH) { 86 scoped_ptr<ct::SignedTreeHead> sth(new ct::SignedTreeHead()); 87 ct::GetSignedTreeHead(sth.get()); 88 sth->sha256_root_hash[0] = '\x0'; 89 ASSERT_FALSE(log_->SetSignedTreeHead(sth.Pass())); 90} 91 92} // namespace net 93