Roll src/third_party/WebKit eac3800:0237a66 (svn 202606:202607)
[chromium-blink-merge.git] / net / cert / multi_log_ct_verifier_unittest.cc
bloba994eb218f25131163a439493a446e0b159c98be
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/cert/multi_log_ct_verifier.h"
7 #include <string>
9 #include "base/files/file_path.h"
10 #include "base/files/file_util.h"
11 #include "base/metrics/histogram.h"
12 #include "base/metrics/histogram_samples.h"
13 #include "base/metrics/statistics_recorder.h"
14 #include "base/values.h"
15 #include "net/base/net_errors.h"
16 #include "net/base/test_data_directory.h"
17 #include "net/cert/ct_log_verifier.h"
18 #include "net/cert/ct_serialization.h"
19 #include "net/cert/ct_verify_result.h"
20 #include "net/cert/pem_tokenizer.h"
21 #include "net/cert/sct_status_flags.h"
22 #include "net/cert/signed_certificate_timestamp.h"
23 #include "net/cert/x509_certificate.h"
24 #include "net/log/net_log.h"
25 #include "net/log/test_net_log.h"
26 #include "net/log/test_net_log_entry.h"
27 #include "net/test/cert_test_util.h"
28 #include "net/test/ct_test_util.h"
29 #include "testing/gmock/include/gmock/gmock.h"
30 #include "testing/gtest/include/gtest/gtest.h"
32 using testing::_;
33 using testing::Mock;
35 namespace net {
37 namespace {
39 const char kLogDescription[] = "somelog";
40 const char kSCTCountHistogram[] =
41 "Net.CertificateTransparency.SCTsPerConnection";
43 class MockSCTObserver : public CTVerifier::Observer {
44 public:
45 MOCK_METHOD2(OnSCTVerified,
46 void(X509Certificate* cert,
47 const ct::SignedCertificateTimestamp* sct));
50 class MultiLogCTVerifierTest : public ::testing::Test {
51 public:
52 void SetUp() override {
53 scoped_refptr<CTLogVerifier> log(CTLogVerifier::Create(
54 ct::GetTestPublicKey(), kLogDescription, "https://ct.example.com"));
55 ASSERT_TRUE(log);
56 log_verifiers_.push_back(log);
58 verifier_.reset(new MultiLogCTVerifier());
59 verifier_->AddLogs(log_verifiers_);
60 std::string der_test_cert(ct::GetDerEncodedX509Cert());
61 chain_ = X509Certificate::CreateFromBytes(
62 der_test_cert.data(),
63 der_test_cert.length());
64 ASSERT_TRUE(chain_.get());
66 embedded_sct_chain_ =
67 CreateCertificateChainFromFile(GetTestCertsDirectory(),
68 "ct-test-embedded-cert.pem",
69 X509Certificate::FORMAT_AUTO);
70 ASSERT_TRUE(embedded_sct_chain_.get());
73 bool CheckForSingleVerifiedSCTInResult(const ct::CTVerifyResult& result) {
74 return (result.verified_scts.size() == 1U) &&
75 result.invalid_scts.empty() &&
76 result.unknown_logs_scts.empty() &&
77 result.verified_scts[0]->log_description == kLogDescription;
80 bool CheckForSCTOrigin(
81 const ct::CTVerifyResult& result,
82 ct::SignedCertificateTimestamp::Origin origin) {
83 return (result.verified_scts.size() > 0) &&
84 (result.verified_scts[0]->origin == origin);
87 bool CheckForEmbeddedSCTInNetLog(TestNetLog& net_log) {
88 TestNetLogEntry::List entries;
89 net_log.GetEntries(&entries);
90 if (entries.size() != 2)
91 return false;
93 const TestNetLogEntry& received = entries[0];
94 std::string embedded_scts;
95 if (!received.GetStringValue("embedded_scts", &embedded_scts))
96 return false;
97 if (embedded_scts.empty())
98 return false;
100 const TestNetLogEntry& parsed = entries[1];
101 base::ListValue* verified_scts;
102 if (!parsed.GetListValue("verified_scts", &verified_scts) ||
103 verified_scts->GetSize() != 1) {
104 return false;
107 base::DictionaryValue* the_sct;
108 if (!verified_scts->GetDictionary(0, &the_sct))
109 return false;
111 std::string origin;
112 if (!the_sct->GetString("origin", &origin))
113 return false;
114 if (origin != "embedded_in_certificate")
115 return false;
117 base::ListValue* other_scts;
118 if (!parsed.GetListValue("invalid_scts", &other_scts) ||
119 !other_scts->empty()) {
120 return false;
123 if (!parsed.GetListValue("unknown_logs_scts", &other_scts) ||
124 !other_scts->empty()) {
125 return false;
128 return true;
131 std::string GetSCTListWithInvalidSCT() {
132 std::string sct(ct::GetTestSignedCertificateTimestamp());
134 // Change a byte inside the Log ID part of the SCT so it does
135 // not match the log used in the tests
136 sct[15] = 't';
138 std::string sct_list;
139 ct::EncodeSCTListForTesting(sct, &sct_list);
140 return sct_list;
143 bool VerifySinglePrecertificateChain(scoped_refptr<X509Certificate> chain,
144 const BoundNetLog& bound_net_log,
145 ct::CTVerifyResult* result) {
146 return verifier_->Verify(chain.get(),
147 std::string(),
148 std::string(),
149 result,
150 bound_net_log) == OK;
153 bool VerifySinglePrecertificateChain(scoped_refptr<X509Certificate> chain) {
154 ct::CTVerifyResult result;
155 TestNetLog net_log;
156 BoundNetLog bound_net_log =
157 BoundNetLog::Make(&net_log, NetLog::SOURCE_CONNECT_JOB);
159 return verifier_->Verify(chain.get(),
160 std::string(),
161 std::string(),
162 &result,
163 bound_net_log) == OK;
166 bool CheckPrecertificateVerification(scoped_refptr<X509Certificate> chain) {
167 ct::CTVerifyResult result;
168 TestNetLog net_log;
169 BoundNetLog bound_net_log =
170 BoundNetLog::Make(&net_log, NetLog::SOURCE_CONNECT_JOB);
171 return (VerifySinglePrecertificateChain(chain, bound_net_log, &result) &&
172 CheckForSingleVerifiedSCTInResult(result) &&
173 CheckForSCTOrigin(result,
174 ct::SignedCertificateTimestamp::SCT_EMBEDDED) &&
175 CheckForEmbeddedSCTInNetLog(net_log));
178 // Histogram-related helper methods
179 int GetValueFromHistogram(std::string histogram_name, int sample_index) {
180 base::Histogram* histogram = static_cast<base::Histogram*>(
181 base::StatisticsRecorder::FindHistogram(histogram_name));
183 if (histogram == NULL)
184 return 0;
186 scoped_ptr<base::HistogramSamples> samples = histogram->SnapshotSamples();
187 return samples->GetCount(sample_index);
190 int NumConnectionsWithSingleSCT() {
191 return GetValueFromHistogram(kSCTCountHistogram, 1);
194 int NumEmbeddedSCTsInHistogram() {
195 return GetValueFromHistogram("Net.CertificateTransparency.SCTOrigin",
196 ct::SignedCertificateTimestamp::SCT_EMBEDDED);
199 int NumValidSCTsInStatusHistogram() {
200 return GetValueFromHistogram("Net.CertificateTransparency.SCTStatus",
201 ct::SCT_STATUS_OK);
204 protected:
205 scoped_ptr<MultiLogCTVerifier> verifier_;
206 scoped_refptr<X509Certificate> chain_;
207 scoped_refptr<X509Certificate> embedded_sct_chain_;
208 std::vector<scoped_refptr<CTLogVerifier>> log_verifiers_;
211 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCT) {
212 ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_));
215 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithPreCA) {
216 scoped_refptr<X509Certificate> chain(
217 CreateCertificateChainFromFile(GetTestCertsDirectory(),
218 "ct-test-embedded-with-preca-chain.pem",
219 X509Certificate::FORMAT_AUTO));
220 ASSERT_TRUE(chain.get());
221 ASSERT_TRUE(CheckPrecertificateVerification(chain));
224 TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithIntermediate) {
225 scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile(
226 GetTestCertsDirectory(),
227 "ct-test-embedded-with-intermediate-chain.pem",
228 X509Certificate::FORMAT_AUTO));
229 ASSERT_TRUE(chain.get());
230 ASSERT_TRUE(CheckPrecertificateVerification(chain));
233 TEST_F(MultiLogCTVerifierTest,
234 VerifiesEmbeddedSCTWithIntermediateAndPreCA) {
235 scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile(
236 GetTestCertsDirectory(),
237 "ct-test-embedded-with-intermediate-preca-chain.pem",
238 X509Certificate::FORMAT_AUTO));
239 ASSERT_TRUE(chain.get());
240 ASSERT_TRUE(CheckPrecertificateVerification(chain));
243 TEST_F(MultiLogCTVerifierTest,
244 VerifiesSCTOverX509Cert) {
245 std::string sct(ct::GetTestSignedCertificateTimestamp());
247 std::string sct_list;
248 ASSERT_TRUE(ct::EncodeSCTListForTesting(sct, &sct_list));
250 ct::CTVerifyResult result;
251 EXPECT_EQ(OK,
252 verifier_->Verify(
253 chain_.get(), std::string(), sct_list, &result, BoundNetLog()));
254 ASSERT_TRUE(CheckForSingleVerifiedSCTInResult(result));
255 ASSERT_TRUE(CheckForSCTOrigin(
256 result, ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION));
259 TEST_F(MultiLogCTVerifierTest,
260 IdentifiesSCTFromUnknownLog) {
261 std::string sct_list = GetSCTListWithInvalidSCT();
262 ct::CTVerifyResult result;
264 EXPECT_NE(OK,
265 verifier_->Verify(
266 chain_.get(), std::string(), sct_list, &result, BoundNetLog()));
267 EXPECT_EQ(1U, result.unknown_logs_scts.size());
268 EXPECT_EQ("", result.unknown_logs_scts[0]->log_description);
271 TEST_F(MultiLogCTVerifierTest, CountsValidSCTsInStatusHistogram) {
272 int num_valid_scts = NumValidSCTsInStatusHistogram();
274 ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_));
276 EXPECT_EQ(num_valid_scts + 1, NumValidSCTsInStatusHistogram());
279 TEST_F(MultiLogCTVerifierTest, CountsInvalidSCTsInStatusHistogram) {
280 std::string sct_list = GetSCTListWithInvalidSCT();
281 ct::CTVerifyResult result;
282 int num_valid_scts = NumValidSCTsInStatusHistogram();
283 int num_invalid_scts = GetValueFromHistogram(
284 "Net.CertificateTransparency.SCTStatus", ct::SCT_STATUS_LOG_UNKNOWN);
286 EXPECT_NE(OK,
287 verifier_->Verify(
288 chain_.get(), std::string(), sct_list, &result, BoundNetLog()));
290 ASSERT_EQ(num_valid_scts, NumValidSCTsInStatusHistogram());
291 ASSERT_EQ(num_invalid_scts + 1,
292 GetValueFromHistogram("Net.CertificateTransparency.SCTStatus",
293 ct::SCT_STATUS_LOG_UNKNOWN));
296 TEST_F(MultiLogCTVerifierTest, CountsSingleEmbeddedSCTInConnectionsHistogram) {
297 int old_sct_count = NumConnectionsWithSingleSCT();
298 ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_));
299 EXPECT_EQ(old_sct_count + 1, NumConnectionsWithSingleSCT());
302 TEST_F(MultiLogCTVerifierTest, CountsSingleEmbeddedSCTInOriginsHistogram) {
303 int old_embedded_count = NumEmbeddedSCTsInHistogram();
304 ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_));
305 EXPECT_EQ(old_embedded_count + 1, NumEmbeddedSCTsInHistogram());
308 TEST_F(MultiLogCTVerifierTest, CountsZeroSCTsCorrectly) {
309 int connections_without_scts = GetValueFromHistogram(kSCTCountHistogram, 0);
310 EXPECT_FALSE(VerifySinglePrecertificateChain(chain_));
311 ASSERT_EQ(connections_without_scts + 1,
312 GetValueFromHistogram(kSCTCountHistogram, 0));
315 TEST_F(MultiLogCTVerifierTest, NotifiesOfValidSCT) {
316 MockSCTObserver observer;
317 verifier_->SetObserver(&observer);
319 EXPECT_CALL(observer, OnSCTVerified(embedded_sct_chain_.get(), _));
320 ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_));
323 TEST_F(MultiLogCTVerifierTest, StopsNotifyingCorrectly) {
324 MockSCTObserver observer;
325 verifier_->SetObserver(&observer);
327 EXPECT_CALL(observer, OnSCTVerified(embedded_sct_chain_.get(), _)).Times(1);
328 ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_));
329 Mock::VerifyAndClearExpectations(&observer);
331 EXPECT_CALL(observer, OnSCTVerified(embedded_sct_chain_.get(), _)).Times(0);
332 verifier_->SetObserver(nullptr);
333 ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_));
336 } // namespace
338 } // namespace net