1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/cert/ct_log_verifier.h"
9 #include "base/time/time.h"
10 #include "net/cert/signed_certificate_timestamp.h"
11 #include "net/cert/signed_tree_head.h"
12 #include "net/test/ct_test_util.h"
13 #include "testing/gtest/include/gtest/gtest.h"
17 class CTLogVerifierTest
: public ::testing::Test
{
19 CTLogVerifierTest() {}
21 void SetUp() override
{
22 log_
= CTLogVerifier::Create(ct::GetTestPublicKey(), "testlog",
23 "https://ct.example.com").Pass();
26 ASSERT_EQ(log_
->key_id(), ct::GetTestPublicKeyId());
30 scoped_refptr
<CTLogVerifier
> log_
;
33 TEST_F(CTLogVerifierTest
, VerifiesCertSCT
) {
34 ct::LogEntry cert_entry
;
35 ct::GetX509CertLogEntry(&cert_entry
);
37 scoped_refptr
<ct::SignedCertificateTimestamp
> cert_sct
;
38 ct::GetX509CertSCT(&cert_sct
);
40 EXPECT_TRUE(log_
->Verify(cert_entry
, *cert_sct
.get()));
43 TEST_F(CTLogVerifierTest
, VerifiesPrecertSCT
) {
44 ct::LogEntry precert_entry
;
45 ct::GetPrecertLogEntry(&precert_entry
);
47 scoped_refptr
<ct::SignedCertificateTimestamp
> precert_sct
;
48 ct::GetPrecertSCT(&precert_sct
);
50 EXPECT_TRUE(log_
->Verify(precert_entry
, *precert_sct
.get()));
53 TEST_F(CTLogVerifierTest
, FailsInvalidTimestamp
) {
54 ct::LogEntry cert_entry
;
55 ct::GetX509CertLogEntry(&cert_entry
);
57 scoped_refptr
<ct::SignedCertificateTimestamp
> cert_sct
;
58 ct::GetX509CertSCT(&cert_sct
);
60 // Mangle the timestamp, so that it should fail signature validation.
61 cert_sct
->timestamp
= base::Time::Now();
63 EXPECT_FALSE(log_
->Verify(cert_entry
, *cert_sct
.get()));
66 TEST_F(CTLogVerifierTest
, FailsInvalidLogID
) {
67 ct::LogEntry cert_entry
;
68 ct::GetX509CertLogEntry(&cert_entry
);
70 scoped_refptr
<ct::SignedCertificateTimestamp
> cert_sct
;
71 ct::GetX509CertSCT(&cert_sct
);
73 // Mangle the log ID, which should cause it to match a different log before
74 // attempting signature validation.
75 cert_sct
->log_id
.assign(cert_sct
->log_id
.size(), '\0');
77 EXPECT_FALSE(log_
->Verify(cert_entry
, *cert_sct
.get()));
80 TEST_F(CTLogVerifierTest
, SetsValidSTH
) {
81 ct::SignedTreeHead sth
;
82 ct::GetSignedTreeHead(&sth
);
83 ASSERT_TRUE(log_
->VerifySignedTreeHead(sth
));
86 TEST_F(CTLogVerifierTest
, DoesNotSetInvalidSTH
) {
87 ct::SignedTreeHead sth
;
88 ct::GetSignedTreeHead(&sth
);
89 sth
.sha256_root_hash
[0] = '\x0';
90 ASSERT_FALSE(log_
->VerifySignedTreeHead(sth
));
93 // Test that excess data after the public key is rejected.
94 TEST_F(CTLogVerifierTest
, ExcessDataInPublicKey
) {
95 std::string key
= ct::GetTestPublicKey();
98 scoped_refptr
<CTLogVerifier
> log
=
99 CTLogVerifier::Create(key
, "testlog", "https://ct.example.com");