blob: d4736cf07ae4375c0f8eb7523ba00ff3105eaae4 [file] [log] [blame]
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/multi_log_ct_verifier.h"
#include <memory>
#include <string>
#include "base/files/file_path.h"
#include "base/files/file_util.h"
#include "base/metrics/histogram.h"
#include "base/metrics/histogram_samples.h"
#include "base/metrics/statistics_recorder.h"
#include "base/values.h"
#include "net/base/net_errors.h"
#include "net/cert/ct_log_verifier.h"
#include "net/cert/ct_serialization.h"
#include "net/cert/pem_tokenizer.h"
#include "net/cert/sct_status_flags.h"
#include "net/cert/signed_certificate_timestamp.h"
#include "net/cert/signed_certificate_timestamp_and_status.h"
#include "net/cert/x509_certificate.h"
#include "net/log/net_log_source_type.h"
#include "net/log/net_log_with_source.h"
#include "net/log/test_net_log.h"
#include "net/log/test_net_log_entry.h"
#include "net/test/cert_test_util.h"
#include "net/test/ct_test_util.h"
#include "net/test/test_data_directory.h"
#include "testing/gmock/include/gmock/gmock.h"
#include "testing/gtest/include/gtest/gtest.h"
using testing::_;
using testing::Mock;
namespace net {
namespace {
const char kHostname[] = "example.com";
const char kLogDescription[] = "somelog";
const char kSCTCountHistogram[] =
"Net.CertificateTransparency.SCTsPerConnection";
class MockSCTObserver : public CTVerifier::Observer {
public:
MOCK_METHOD3(OnSCTVerified,
void(base::StringPiece hostname,
X509Certificate* cert,
const ct::SignedCertificateTimestamp* sct));
};
class MultiLogCTVerifierTest : public ::testing::Test {
public:
void SetUp() override {
scoped_refptr<const CTLogVerifier> log(CTLogVerifier::Create(
ct::GetTestPublicKey(), kLogDescription, "dns.example.com"));
ASSERT_TRUE(log);
log_verifiers_.push_back(log);
verifier_.reset(new MultiLogCTVerifier());
verifier_->AddLogs(log_verifiers_);
std::string der_test_cert(ct::GetDerEncodedX509Cert());
chain_ = X509Certificate::CreateFromBytes(
der_test_cert.data(),
der_test_cert.length());
ASSERT_TRUE(chain_.get());
embedded_sct_chain_ =
CreateCertificateChainFromFile(GetTestCertsDirectory(),
"ct-test-embedded-cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_TRUE(embedded_sct_chain_.get());
}
bool CheckForEmbeddedSCTInNetLog(const TestNetLog& net_log) {
TestNetLogEntry::List entries;
net_log.GetEntries(&entries);
if (entries.size() != 2)
return false;
const TestNetLogEntry& received = entries[0];
std::string embedded_scts;
if (!received.GetStringValue("embedded_scts", &embedded_scts))
return false;
if (embedded_scts.empty())
return false;
const TestNetLogEntry& parsed = entries[1];
base::ListValue* scts;
if (!parsed.GetListValue("scts", &scts) || scts->GetSize() != 1) {
return false;
}
base::DictionaryValue* the_sct;
if (!scts->GetDictionary(0, &the_sct))
return false;
std::string origin;
if (!the_sct->GetString("origin", &origin))
return false;
if (origin != "Embedded in certificate")
return false;
std::string verification_status;
if (!the_sct->GetString("verification_status", &verification_status))
return false;
if (verification_status != "Verified")
return false;
return true;
}
// Returns true if |chain| is a certificate with embedded SCTs that can be
// successfully extracted.
bool VerifySinglePrecertificateChain(scoped_refptr<X509Certificate> chain) {
SignedCertificateTimestampAndStatusList scts;
verifier_->Verify(kHostname, chain.get(), base::StringPiece(),
base::StringPiece(), &scts, NetLogWithSource());
return !scts.empty();
}
// Returns true if |chain| is a certificate with a single embedded SCT that
// can be successfully extracted and matched to the test log indicated by
// |kLogDescription|.
bool CheckPrecertificateVerification(scoped_refptr<X509Certificate> chain) {
SignedCertificateTimestampAndStatusList scts;
TestNetLog test_net_log;
NetLogWithSource net_log = NetLogWithSource::Make(
&test_net_log, NetLogSourceType::SSL_CONNECT_JOB);
verifier_->Verify(kHostname, chain.get(), base::StringPiece(),
base::StringPiece(), &scts, net_log);
return ct::CheckForSingleVerifiedSCTInResult(scts, kLogDescription) &&
ct::CheckForSCTOrigin(
scts, ct::SignedCertificateTimestamp::SCT_EMBEDDED) &&
CheckForEmbeddedSCTInNetLog(test_net_log);
}
// Histogram-related helper methods
int GetValueFromHistogram(const std::string& histogram_name,
int sample_index) {
base::Histogram* histogram = static_cast<base::Histogram*>(
base::StatisticsRecorder::FindHistogram(histogram_name));
if (histogram == NULL)
return 0;
std::unique_ptr<base::HistogramSamples> samples =
histogram->SnapshotSamples();
return samples->GetCount(sample_index);
}
int NumConnectionsWithSingleSCT() {
return GetValueFromHistogram(kSCTCountHistogram, 1);
}
int NumEmbeddedSCTsInHistogram() {
return GetValueFromHistogram("Net.CertificateTransparency.SCTOrigin",
ct::SignedCertificateTimestamp::SCT_EMBEDDED);
}
int NumValidSCTsInStatusHistogram() {
return GetValueFromHistogram("Net.CertificateTransparency.SCTStatus",
ct::SCT_STATUS_OK);
}
protected:
std::unique_ptr<MultiLogCTVerifier> verifier_;
scoped_refptr<X509Certificate> chain_;
scoped_refptr<X509Certificate> embedded_sct_chain_;
std::vector<scoped_refptr<const CTLogVerifier>> log_verifiers_;
};
TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCT) {
ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_));
}
TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithPreCA) {
scoped_refptr<X509Certificate> chain(
CreateCertificateChainFromFile(GetTestCertsDirectory(),
"ct-test-embedded-with-preca-chain.pem",
X509Certificate::FORMAT_AUTO));
ASSERT_TRUE(chain.get());
ASSERT_TRUE(CheckPrecertificateVerification(chain));
}
TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithIntermediate) {
scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile(
GetTestCertsDirectory(),
"ct-test-embedded-with-intermediate-chain.pem",
X509Certificate::FORMAT_AUTO));
ASSERT_TRUE(chain.get());
ASSERT_TRUE(CheckPrecertificateVerification(chain));
}
TEST_F(MultiLogCTVerifierTest,
VerifiesEmbeddedSCTWithIntermediateAndPreCA) {
scoped_refptr<X509Certificate> chain(CreateCertificateChainFromFile(
GetTestCertsDirectory(),
"ct-test-embedded-with-intermediate-preca-chain.pem",
X509Certificate::FORMAT_AUTO));
ASSERT_TRUE(chain.get());
ASSERT_TRUE(CheckPrecertificateVerification(chain));
}
TEST_F(MultiLogCTVerifierTest, VerifiesSCTOverX509Cert) {
std::string sct_list = ct::GetSCTListForTesting();
SignedCertificateTimestampAndStatusList scts;
verifier_->Verify(kHostname, chain_.get(), base::StringPiece(), sct_list,
&scts, NetLogWithSource());
ASSERT_TRUE(ct::CheckForSingleVerifiedSCTInResult(scts, kLogDescription));
ASSERT_TRUE(ct::CheckForSCTOrigin(
scts, ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION));
}
TEST_F(MultiLogCTVerifierTest, IdentifiesSCTFromUnknownLog) {
std::string sct_list = ct::GetSCTListWithInvalidSCT();
SignedCertificateTimestampAndStatusList scts;
verifier_->Verify(kHostname, chain_.get(), base::StringPiece(), sct_list,
&scts, NetLogWithSource());
EXPECT_EQ(1U, scts.size());
EXPECT_EQ("", scts[0].sct->log_description);
EXPECT_EQ(ct::SCT_STATUS_LOG_UNKNOWN, scts[0].status);
}
TEST_F(MultiLogCTVerifierTest, CountsValidSCTsInStatusHistogram) {
int num_valid_scts = NumValidSCTsInStatusHistogram();
ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_));
EXPECT_EQ(num_valid_scts + 1, NumValidSCTsInStatusHistogram());
}
TEST_F(MultiLogCTVerifierTest, CountsInvalidSCTsInStatusHistogram) {
std::string sct_list = ct::GetSCTListWithInvalidSCT();
SignedCertificateTimestampAndStatusList scts;
int num_valid_scts = NumValidSCTsInStatusHistogram();
int num_invalid_scts = GetValueFromHistogram(
"Net.CertificateTransparency.SCTStatus", ct::SCT_STATUS_LOG_UNKNOWN);
verifier_->Verify(kHostname, chain_.get(), base::StringPiece(), sct_list,
&scts, NetLogWithSource());
ASSERT_EQ(num_valid_scts, NumValidSCTsInStatusHistogram());
ASSERT_EQ(num_invalid_scts + 1,
GetValueFromHistogram("Net.CertificateTransparency.SCTStatus",
ct::SCT_STATUS_LOG_UNKNOWN));
}
TEST_F(MultiLogCTVerifierTest, CountsSingleEmbeddedSCTInConnectionsHistogram) {
int old_sct_count = NumConnectionsWithSingleSCT();
ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_));
EXPECT_EQ(old_sct_count + 1, NumConnectionsWithSingleSCT());
}
TEST_F(MultiLogCTVerifierTest, CountsSingleEmbeddedSCTInOriginsHistogram) {
int old_embedded_count = NumEmbeddedSCTsInHistogram();
ASSERT_TRUE(CheckPrecertificateVerification(embedded_sct_chain_));
EXPECT_EQ(old_embedded_count + 1, NumEmbeddedSCTsInHistogram());
}
TEST_F(MultiLogCTVerifierTest, CountsZeroSCTsCorrectly) {
int connections_without_scts = GetValueFromHistogram(kSCTCountHistogram, 0);
EXPECT_FALSE(VerifySinglePrecertificateChain(chain_));
ASSERT_EQ(connections_without_scts + 1,
GetValueFromHistogram(kSCTCountHistogram, 0));
}
TEST_F(MultiLogCTVerifierTest, NotifiesOfValidSCT) {
MockSCTObserver observer;
verifier_->SetObserver(&observer);
EXPECT_CALL(observer, OnSCTVerified(base::StringPiece(kHostname),
embedded_sct_chain_.get(), _));
ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_));
}
TEST_F(MultiLogCTVerifierTest, StopsNotifyingCorrectly) {
MockSCTObserver observer;
verifier_->SetObserver(&observer);
EXPECT_CALL(observer, OnSCTVerified(base::StringPiece(kHostname),
embedded_sct_chain_.get(), _))
.Times(1);
ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_));
Mock::VerifyAndClearExpectations(&observer);
EXPECT_CALL(observer, OnSCTVerified(base::StringPiece(kHostname),
embedded_sct_chain_.get(), _))
.Times(0);
verifier_->SetObserver(nullptr);
ASSERT_TRUE(VerifySinglePrecertificateChain(embedded_sct_chain_));
}
} // namespace
} // namespace net