net/cert/multi_log_ct_verifier_unittest.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/multi_log_ct_verifier.h"
   6
   7 #include <string>
   8
   9 #include "base/file_util.h"
  10 #include "base/files/file_path.h"
  11 #include "base/metrics/histogram.h"
  12 #include "base/metrics/histogram_samples.h"
  13 #include "base/metrics/statistics_recorder.h"
  14 #include "base/values.h"
  15 #include "net/base/capturing_net_log.h"
  16 #include "net/base/net_errors.h"
  17 #include "net/base/net_log.h"
  18 #include "net/base/test_data_directory.h"
  19 #include "net/cert/ct_log_verifier.h"
  20 #include "net/cert/ct_serialization.h"
  21 #include "net/cert/ct_verify_result.h"
  22 #include "net/cert/pem_tokenizer.h"
  23 #include "net/cert/sct_status_flags.h"
  24 #include "net/cert/signed_certificate_timestamp.h"
  25 #include "net/cert/x509_certificate.h"
  26 #include "net/test/cert_test_util.h"
  27 #include "net/test/ct_test_util.h"
  28 #include "testing/gtest/include/gtest/gtest.h"
  29
  30 namespace net {
  31
  32 namespace {
  33
  34 const char kLogDescription[] = "somelog";
  35 const char kSCTCountHistogram[] =
  36     "Net.CertificateTransparency.SCTsPerConnection";
  37
  38 class MultiLogCTVerifierTest : public ::testing::Test {
  39  public:
  40   virtual void SetUp() OVERRIDE {
  41     scoped_ptr<CTLogVerifier> log(
  42         CTLogVerifier::Create(ct::GetTestPublicKey(), kLogDescription));
  43     ASSERT_TRUE(log);
  44
  45     verifier_.reset(new MultiLogCTVerifier());
  46     verifier_->AddLog(log.Pass());
  47     std::string der_test_cert(ct::GetDerEncodedX509Cert());
  48     chain_ = X509Certificate::CreateFromBytes(
  49         der_test_cert.data(),
  50         der_test_cert.length());
  51     ASSERT_TRUE(chain_);
  52
  53     embedded_sct_chain_ =
  54         CreateCertificateChainFromFile(GetTestCertsDirectory(),
  55                                        "ct-test-embedded-cert.pem",
  56                                        X509Certificate::FORMAT_AUTO);
  57     ASSERT_TRUE(embedded_sct_chain_);
  58   }
  59
  60   bool CheckForSingleVerifiedSCTInResult(const ct::CTVerifyResult& result) {
  61     return (result.verified_scts.size() == 1U) &&
  62         result.invalid_scts.empty() &&
  63         result.unknown_logs_scts.empty() &&
  64         result.verified_scts[0]->log_description == kLogDescription;
  65   }
  66
  67   bool CheckForSCTOrigin(
  68       const ct::CTVerifyResult& result,
  69       ct::SignedCertificateTimestamp::Origin origin) {
  70     return (result.verified_scts.size() > 0) &&
  71         (result.verified_scts[0]->origin == origin);
  72   }
  73
  74   bool CheckForEmbeddedSCTInNetLog(CapturingNetLog& net_log) {
  75     CapturingNetLog::CapturedEntryList entries;
  76     net_log.GetEntries(&entries);
  77     if (entries.size() != 2)
  78       return false;
  79
  80     const CapturingNetLog::CapturedEntry& received = entries[0];
  81     std::string embedded_scts;
  82     if (!received.GetStringValue("embedded_scts", &embedded_scts))
  83       return false;
  84     if (embedded_scts.empty())
  85       return false;
  86
  87     const CapturingNetLog::CapturedEntry& parsed = entries[1];
  88     base::ListValue* verified_scts;
  89     if (!parsed.GetListValue("verified_scts", &verified_scts) ||
  90         verified_scts->GetSize() != 1) {
  91       return false;
  92     }
  93
  94     base::DictionaryValue* the_sct;
  95     if (!verified_scts->GetDictionary(0, &the_sct))
  96       return false;
  97
  98     std::string origin;
  99     if (!the_sct->GetString("origin", &origin))
 100       return false;
 101     if (origin != "embedded_in_certificate")
 102       return false;
 103
 104     base::ListValue* other_scts;
 105     if (!parsed.GetListValue("invalid_scts", &other_scts) ||
 106         !other_scts->empty()) {
 107       return false;
 108     }
 109
 110     if (!parsed.GetListValue("unknown_logs_scts", &other_scts) ||
 111         !other_scts->empty()) {
 112       return false;
 113     }
 114
 115     return true;
 116   }
 117
 118   std::string GetSCTListWithInvalidSCT() {
 119     std::string sct(ct::GetTestSignedCertificateTimestamp());
 120
 121     // Change a byte inside the Log ID part of the SCT so it does
 122     // not match the log used in the tests
 123     sct[15] = 't';
 124
 125     std::string sct_list;
 126     ct::EncodeSCTListForTesting(sct, &sct_list);
 127     return sct_list;
 128   }
 129
 130   bool VerifySinglePrecertificateChain(scoped_refptr<X509Certificate> chain,
 131                                        const BoundNetLog& bound_net_log,
 132                                        ct::CTVerifyResult* result) {
 133     return verifier_->Verify(
 134                chain, std::string(), std::string(), result, bound_net_log) ==
 135            OK;
 136   }
 137
 138   bool VerifySinglePrecertificateChain(scoped_refptr<X509Certificate> chain) {
 139     ct::CTVerifyResult result;
 140     CapturingNetLog net_log;
 141     BoundNetLog bound_net_log =
 142         BoundNetLog::Make(&net_log, NetLog::SOURCE_CONNECT_JOB);
 143
 144     return verifier_->Verify(
 145                chain, std::string(), std::string(), &result, bound_net_log) ==
 146            OK;
 147   }
 148
 149   bool CheckPrecertificateVerification(scoped_refptr<X509Certificate> chain) {
 150     ct::CTVerifyResult result;
 151     CapturingNetLog net_log;
 152     BoundNetLog bound_net_log =
 153       BoundNetLog::Make(&net_log, NetLog::SOURCE_CONNECT_JOB);
 154     return (VerifySinglePrecertificateChain(chain, bound_net_log, &result) &&
 155             CheckForSingleVerifiedSCTInResult(result) &&
 156             CheckForSCTOrigin(result,
 157                               ct::SignedCertificateTimestamp::SCT_EMBEDDED) &&
 158             CheckForEmbeddedSCTInNetLog(net_log));
 159   }
 160
 161   // Histogram-related helper methods
 162   int GetValueFromHistogram(std::string histogram_name, int sample_index) {
 163     base::Histogram* histogram = static_cast<base::Histogram*>(
 164         base::StatisticsRecorder::FindHistogram(histogram_name));
 165
 166     if (histogram == NULL)
 167       return 0;
 168
 169     scoped_ptr<base::HistogramSamples> samples = histogram->SnapshotSamples();
 170     return samples->GetCount(sample_index);
 171   }
 172
 173   int NumConnectionsWithSingleSCT() {
 174     return GetValueFromHistogram(kSCTCountHistogram, 1);
 175   }
 176
 177   int NumEmbeddedSCTsInHistogram() {
 178     return GetValueFromHistogram("Net.CertificateTransparency.SCTOrigin",
 179                                  ct::SignedCertificateTimestamp::SCT_EMBEDDED);
 180   }
 181
 182   int NumValidSCTsInStatusHistogram() {
 183     return GetValueFromHistogram("Net.CertificateTransparency.SCTStatus",
 184                                  ct::SCT_STATUS_OK);
 185   }
 186
 187  protected:
 188   scoped_ptr<MultiLogCTVerifier> verifier_;
 189   scoped_refptr<X509Certificate> chain_;
 190   scoped_refptr<X509Certificate> embedded_sct_chain_;
 191 };
 192
 193 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCT) {
 194   ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_));
 195 }
 196
 197 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithPreCA) {
 198   scoped_refptr<X509Certificate> chain(
 199       CreateCertificateChainFromFile(GetTestCertsDirectory(),
 200                                      "ct-test-embedded-with-preca-chain.pem",
 201                                      X509Certificate::FORMAT_AUTO));
 202   ASSERT_TRUE(chain);
 203   ASSERT_TRUE(CheckPrecertificateVerification(chain));
 204 }
 205
 206 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithIntermediate) {
 207   scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile(
 208       GetTestCertsDirectory(),
 209       "ct-test-embedded-with-intermediate-chain.pem",
 210       X509Certificate::FORMAT_AUTO));
 211   ASSERT_TRUE(chain);
 212   ASSERT_TRUE(CheckPrecertificateVerification(chain));
 213 }
 214
 215 TEST_F(MultiLogCTVerifierTest,
 216        VerifiesEmbeddedSCTWithIntermediateAndPreCA) {
 217   scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile(
 218       GetTestCertsDirectory(),
 219       "ct-test-embedded-with-intermediate-preca-chain.pem",
 220       X509Certificate::FORMAT_AUTO));
 221   ASSERT_TRUE(chain);
 222   ASSERT_TRUE(CheckPrecertificateVerification(chain));
 223 }
 224
 225 TEST_F(MultiLogCTVerifierTest,
 226        VerifiesSCTOverX509Cert) {
 227   std::string sct(ct::GetTestSignedCertificateTimestamp());
 228
 229   std::string sct_list;
 230   ASSERT_TRUE(ct::EncodeSCTListForTesting(sct, &sct_list));
 231
 232   ct::CTVerifyResult result;
 233   EXPECT_EQ(OK,
 234             verifier_->Verify(chain_, std::string(), sct_list, &result,
 235                               BoundNetLog()));
 236   ASSERT_TRUE(CheckForSingleVerifiedSCTInResult(result));
 237   ASSERT_TRUE(CheckForSCTOrigin(
 238       result, ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION));
 239 }
 240
 241 TEST_F(MultiLogCTVerifierTest,
 242        IdentifiesSCTFromUnknownLog) {
 243   std::string sct_list = GetSCTListWithInvalidSCT();
 244   ct::CTVerifyResult result;
 245
 246   EXPECT_NE(OK,
 247             verifier_->Verify(
 248                 chain_, std::string(), sct_list, &result, BoundNetLog()));
 249   EXPECT_EQ(1U, result.unknown_logs_scts.size());
 250   EXPECT_EQ("", result.unknown_logs_scts[0]->log_description);
 251 }
 252
 253 TEST_F(MultiLogCTVerifierTest, CountsValidSCTsInStatusHistogram) {
 254   int num_valid_scts = NumValidSCTsInStatusHistogram();
 255
 256   ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_));
 257
 258   EXPECT_EQ(num_valid_scts + 1, NumValidSCTsInStatusHistogram());
 259 }
 260
 261 TEST_F(MultiLogCTVerifierTest, CountsInvalidSCTsInStatusHistogram) {
 262   std::string sct_list = GetSCTListWithInvalidSCT();
 263   ct::CTVerifyResult result;
 264   int num_valid_scts = NumValidSCTsInStatusHistogram();
 265   int num_invalid_scts = GetValueFromHistogram(
 266       "Net.CertificateTransparency.SCTStatus", ct::SCT_STATUS_LOG_UNKNOWN);
 267
 268   EXPECT_NE(OK,
 269             verifier_->Verify(chain_, std::string(), sct_list, &result,
 270                               BoundNetLog()));
 271
 272   ASSERT_EQ(num_valid_scts, NumValidSCTsInStatusHistogram());
 273   ASSERT_EQ(num_invalid_scts + 1,
 274             GetValueFromHistogram("Net.CertificateTransparency.SCTStatus",
 275                                   ct::SCT_STATUS_LOG_UNKNOWN));
 276 }
 277
 278 TEST_F(MultiLogCTVerifierTest, CountsSingleEmbeddedSCTInConnectionsHistogram) {
 279   int old_sct_count = NumConnectionsWithSingleSCT();
 280   ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_));
 281   EXPECT_EQ(old_sct_count + 1, NumConnectionsWithSingleSCT());
 282 }
 283
 284 TEST_F(MultiLogCTVerifierTest, CountsSingleEmbeddedSCTInOriginsHistogram) {
 285   int old_embedded_count = NumEmbeddedSCTsInHistogram();
 286   ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_));
 287   EXPECT_EQ(old_embedded_count + 1, NumEmbeddedSCTsInHistogram());
 288 }
 289
 290 TEST_F(MultiLogCTVerifierTest, CountsZeroSCTsCorrectly) {
 291   int connections_without_scts = GetValueFromHistogram(kSCTCountHistogram, 0);
 292   EXPECT_FALSE(VerifySinglePrecertificateChain(chain_));
 293   ASSERT_EQ(connections_without_scts + 1,
 294             GetValueFromHistogram(kSCTCountHistogram, 0));
 295 }
 296
 297 }  // namespace
 298
 299 }  // namespace net