summaryrefslogtreecommitdiffstats
path: root/security/ct/tests/gtest/CTLogVerifierTest.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'security/ct/tests/gtest/CTLogVerifierTest.cpp')
-rw-r--r--security/ct/tests/gtest/CTLogVerifierTest.cpp118
1 files changed, 118 insertions, 0 deletions
diff --git a/security/ct/tests/gtest/CTLogVerifierTest.cpp b/security/ct/tests/gtest/CTLogVerifierTest.cpp
new file mode 100644
index 0000000000..1b7374a836
--- /dev/null
+++ b/security/ct/tests/gtest/CTLogVerifierTest.cpp
@@ -0,0 +1,118 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "CTLogVerifier.h"
+#include "CTTestUtils.h"
+#include "nss.h"
+
+#include "gtest/gtest.h"
+
+namespace mozilla {
+namespace ct {
+
+using namespace pkix;
+
+class CTLogVerifierTest : public ::testing::Test {
+ public:
+ void SetUp() override {
+ // Does nothing if NSS is already initialized.
+ if (NSS_NoDB_Init(nullptr) != SECSuccess) {
+ abort();
+ }
+
+ ASSERT_EQ(Success,
+ mLog.Init(InputForBuffer(GetTestPublicKey()), -1 /*operator id*/,
+ CTLogStatus::Included, 0 /*disqualification time*/));
+ ASSERT_EQ(GetTestPublicKeyId(), mLog.keyId());
+ }
+
+ protected:
+ CTLogVerifier mLog;
+};
+
+TEST_F(CTLogVerifierTest, VerifiesCertSCT) {
+ LogEntry certEntry;
+ GetX509CertLogEntry(certEntry);
+
+ SignedCertificateTimestamp certSct;
+ GetX509CertSCT(certSct);
+
+ EXPECT_EQ(Success, mLog.Verify(certEntry, certSct));
+}
+
+TEST_F(CTLogVerifierTest, VerifiesPrecertSCT) {
+ LogEntry precertEntry;
+ GetPrecertLogEntry(precertEntry);
+
+ SignedCertificateTimestamp precertSct;
+ GetPrecertSCT(precertSct);
+
+ EXPECT_EQ(Success, mLog.Verify(precertEntry, precertSct));
+}
+
+TEST_F(CTLogVerifierTest, FailsInvalidTimestamp) {
+ LogEntry certEntry;
+ GetX509CertLogEntry(certEntry);
+
+ SignedCertificateTimestamp certSct;
+ GetX509CertSCT(certSct);
+
+ // Mangle the timestamp, so that it should fail signature validation.
+ certSct.timestamp = 0;
+
+ EXPECT_EQ(pkix::Result::ERROR_BAD_SIGNATURE, mLog.Verify(certEntry, certSct));
+}
+
+TEST_F(CTLogVerifierTest, FailsInvalidSignature) {
+ LogEntry certEntry;
+ GetX509CertLogEntry(certEntry);
+
+ // Mangle the value of the signature, making the underlying signature
+ // verification code return ERROR_BAD_SIGNATURE.
+ SignedCertificateTimestamp certSct;
+ GetX509CertSCT(certSct);
+ certSct.signature.signatureData[20] ^= '\xFF';
+ EXPECT_EQ(pkix::Result::ERROR_BAD_SIGNATURE, mLog.Verify(certEntry, certSct));
+
+ // Mangle the encoding of the signature, making the underlying implementation
+ // return ERROR_BAD_DER. We still expect the verifier to return
+ // ERROR_BAD_SIGNATURE.
+ SignedCertificateTimestamp certSct2;
+ GetX509CertSCT(certSct2);
+ certSct2.signature.signatureData[0] ^= '\xFF';
+ EXPECT_EQ(pkix::Result::ERROR_BAD_SIGNATURE,
+ mLog.Verify(certEntry, certSct2));
+}
+
+TEST_F(CTLogVerifierTest, FailsInvalidLogID) {
+ LogEntry certEntry;
+ GetX509CertLogEntry(certEntry);
+
+ SignedCertificateTimestamp certSct;
+ GetX509CertSCT(certSct);
+
+ // Mangle the log ID, which should cause it to match a different log before
+ // attempting signature validation.
+ certSct.logId.push_back('\x0');
+
+ EXPECT_EQ(pkix::Result::FATAL_ERROR_INVALID_ARGS,
+ mLog.Verify(certEntry, certSct));
+}
+
+// Test that excess data after the public key is rejected.
+TEST_F(CTLogVerifierTest, ExcessDataInPublicKey) {
+ Buffer key = GetTestPublicKey();
+ std::string extra = "extra";
+ key.insert(key.end(), extra.begin(), extra.end());
+
+ CTLogVerifier log;
+ EXPECT_NE(Success,
+ log.Init(InputForBuffer(key), -1 /*operator id*/,
+ CTLogStatus::Included, 0 /*disqualification time*/));
+}
+
+} // namespace ct
+} // namespace mozilla