Revert "Fix broken channel icon in chrome://help on CrOS" and try again
[chromium-blink-merge.git] / net / cert / ct_objects_extractor_unittest.cc
blob7640e5bdb0d8c6a158edcef27b20941c5e1ef5cb
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/cert/ct_objects_extractor.h"
7 #include "base/files/file_path.h"
8 #include "net/base/test_data_directory.h"
9 #include "net/cert/ct_log_verifier.h"
10 #include "net/cert/ct_serialization.h"
11 #include "net/cert/signed_certificate_timestamp.h"
12 #include "net/cert/x509_certificate.h"
13 #include "net/test/cert_test_util.h"
14 #include "net/test/ct_test_util.h"
15 #include "testing/gtest/include/gtest/gtest.h"
17 namespace net {
19 namespace ct {
21 class CTObjectsExtractorTest : public ::testing::Test {
22 public:
23 void SetUp() override {
24 precert_chain_ =
25 CreateCertificateListFromFile(GetTestCertsDirectory(),
26 "ct-test-embedded-cert.pem",
27 X509Certificate::FORMAT_AUTO);
28 ASSERT_EQ(2u, precert_chain_.size());
30 std::string der_test_cert(ct::GetDerEncodedX509Cert());
31 test_cert_ = X509Certificate::CreateFromBytes(der_test_cert.data(),
32 der_test_cert.length());
34 log_ = CTLogVerifier::Create(ct::GetTestPublicKey(), "testlog",
35 "https://ct.example.com").Pass();
36 ASSERT_TRUE(log_);
39 void ExtractEmbeddedSCT(scoped_refptr<X509Certificate> cert,
40 scoped_refptr<SignedCertificateTimestamp>* sct) {
41 std::string sct_list;
42 EXPECT_TRUE(ExtractEmbeddedSCTList(cert->os_cert_handle(), &sct_list));
44 std::vector<base::StringPiece> parsed_scts;
45 base::StringPiece sct_list_sp(sct_list);
46 // Make sure the SCT list can be decoded properly
47 EXPECT_TRUE(DecodeSCTList(&sct_list_sp, &parsed_scts));
49 EXPECT_TRUE(DecodeSignedCertificateTimestamp(&parsed_scts[0], sct));
52 protected:
53 CertificateList precert_chain_;
54 scoped_refptr<X509Certificate> test_cert_;
55 scoped_refptr<CTLogVerifier> log_;
58 // Test that an SCT can be extracted and the extracted SCT contains the
59 // expected data.
60 TEST_F(CTObjectsExtractorTest, ExtractEmbeddedSCT) {
61 scoped_refptr<ct::SignedCertificateTimestamp> sct(
62 new ct::SignedCertificateTimestamp());
63 ExtractEmbeddedSCT(precert_chain_[0], &sct);
65 EXPECT_EQ(sct->version, SignedCertificateTimestamp::SCT_VERSION_1);
66 EXPECT_EQ(ct::GetTestPublicKeyId(), sct->log_id);
68 base::Time expected_timestamp =
69 base::Time::UnixEpoch() +
70 base::TimeDelta::FromMilliseconds(1365181456275);
71 EXPECT_EQ(expected_timestamp, sct->timestamp);
74 TEST_F(CTObjectsExtractorTest, ExtractPrecert) {
75 LogEntry entry;
76 ASSERT_TRUE(GetPrecertLogEntry(precert_chain_[0]->os_cert_handle(),
77 precert_chain_[1]->os_cert_handle(),
78 &entry));
80 ASSERT_EQ(ct::LogEntry::LOG_ENTRY_TYPE_PRECERT, entry.type);
81 // Should have empty leaf cert for this log entry type.
82 ASSERT_TRUE(entry.leaf_certificate.empty());
83 // Compare hash values of issuer spki.
84 SHA256HashValue expected_issuer_key_hash;
85 memcpy(expected_issuer_key_hash.data, GetDefaultIssuerKeyHash().data(), 32);
86 ASSERT_TRUE(expected_issuer_key_hash.Equals(entry.issuer_key_hash));
89 TEST_F(CTObjectsExtractorTest, ExtractOrdinaryX509Cert) {
90 LogEntry entry;
91 ASSERT_TRUE(GetX509LogEntry(test_cert_->os_cert_handle(), &entry));
93 ASSERT_EQ(ct::LogEntry::LOG_ENTRY_TYPE_X509, entry.type);
94 // Should have empty tbs_certificate for this log entry type.
95 ASSERT_TRUE(entry.tbs_certificate.empty());
96 // Length of leaf_certificate should be 718, see the CT Serialization tests.
97 ASSERT_EQ(718U, entry.leaf_certificate.size());
100 // Test that the embedded SCT verifies
101 TEST_F(CTObjectsExtractorTest, ExtractedSCTVerifies) {
102 scoped_refptr<ct::SignedCertificateTimestamp> sct(
103 new ct::SignedCertificateTimestamp());
104 ExtractEmbeddedSCT(precert_chain_[0], &sct);
106 LogEntry entry;
107 ASSERT_TRUE(GetPrecertLogEntry(precert_chain_[0]->os_cert_handle(),
108 precert_chain_[1]->os_cert_handle(),
109 &entry));
111 EXPECT_TRUE(log_->Verify(entry, *sct.get()));
114 // Test that an externally-provided SCT verifies over the LogEntry
115 // of a regular X.509 Certificate
116 TEST_F(CTObjectsExtractorTest, ComplementarySCTVerifies) {
117 scoped_refptr<ct::SignedCertificateTimestamp> sct(
118 new ct::SignedCertificateTimestamp());
119 GetX509CertSCT(&sct);
121 LogEntry entry;
122 ASSERT_TRUE(GetX509LogEntry(test_cert_->os_cert_handle(), &entry));
124 EXPECT_TRUE(log_->Verify(entry, *sct.get()));
127 // Test that the extractor can parse OCSP responses.
128 TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponse) {
129 std::string der_subject_cert(ct::GetDerEncodedFakeOCSPResponseCert());
130 scoped_refptr<X509Certificate> subject_cert =
131 X509Certificate::CreateFromBytes(der_subject_cert.data(),
132 der_subject_cert.length());
133 std::string der_issuer_cert(ct::GetDerEncodedFakeOCSPResponseIssuerCert());
134 scoped_refptr<X509Certificate> issuer_cert =
135 X509Certificate::CreateFromBytes(der_issuer_cert.data(),
136 der_issuer_cert.length());
138 std::string fake_sct_list = ct::GetFakeOCSPExtensionValue();
139 ASSERT_FALSE(fake_sct_list.empty());
140 std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();
142 std::string extracted_sct_list;
143 EXPECT_TRUE(ct::ExtractSCTListFromOCSPResponse(
144 issuer_cert->os_cert_handle(), subject_cert->serial_number(),
145 ocsp_response, &extracted_sct_list));
146 EXPECT_EQ(extracted_sct_list, fake_sct_list);
149 // Test that the extractor honours serial number.
150 TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponseMatchesSerial) {
151 std::string der_issuer_cert(ct::GetDerEncodedFakeOCSPResponseIssuerCert());
152 scoped_refptr<X509Certificate> issuer_cert =
153 X509Certificate::CreateFromBytes(der_issuer_cert.data(),
154 der_issuer_cert.length());
156 std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();
158 std::string extracted_sct_list;
159 EXPECT_FALSE(ct::ExtractSCTListFromOCSPResponse(
160 issuer_cert->os_cert_handle(), test_cert_->serial_number(),
161 ocsp_response, &extracted_sct_list));
164 // Test that the extractor honours issuer ID.
165 TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponseMatchesIssuer) {
166 std::string der_subject_cert(ct::GetDerEncodedFakeOCSPResponseCert());
167 scoped_refptr<X509Certificate> subject_cert =
168 X509Certificate::CreateFromBytes(der_subject_cert.data(),
169 der_subject_cert.length());
171 std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();
173 std::string extracted_sct_list;
174 // Use test_cert_ for issuer - it is not the correct issuer of |subject_cert|.
175 EXPECT_FALSE(ct::ExtractSCTListFromOCSPResponse(
176 test_cert_->os_cert_handle(), subject_cert->serial_number(),
177 ocsp_response, &extracted_sct_list));
180 } // namespace ct
182 } // namespace net