summaryrefslogtreecommitdiffstats
path: root/security/certverifier/tests/gtest/CTLogVerifierTest.cpp
diff options
context:
space:
mode:
authorMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
committerMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
commit5f8de423f190bbb79a62f804151bc24824fa32d8 (patch)
tree10027f336435511475e392454359edea8e25895d /security/certverifier/tests/gtest/CTLogVerifierTest.cpp
parent49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff)
downloadUXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip
Add m-esr52 at 52.6.0
Diffstat (limited to 'security/certverifier/tests/gtest/CTLogVerifierTest.cpp')
-rw-r--r--security/certverifier/tests/gtest/CTLogVerifierTest.cpp129
1 files changed, 129 insertions, 0 deletions
diff --git a/security/certverifier/tests/gtest/CTLogVerifierTest.cpp b/security/certverifier/tests/gtest/CTLogVerifierTest.cpp
new file mode 100644
index 000000000..2cf0085a1
--- /dev/null
+++ b/security/certverifier/tests/gtest/CTLogVerifierTest.cpp
@@ -0,0 +1,129 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "CTLogVerifier.h"
+#include "CTTestUtils.h"
+#include "nss.h"
+
+#include "gtest/gtest.h"
+
+namespace mozilla { namespace ct {
+
+using namespace pkix;
+
+class CTLogVerifierTest : public ::testing::Test
+{
+public:
+ void SetUp() override
+ {
+ // Does nothing if NSS is already initialized.
+ MOZ_RELEASE_ASSERT(NSS_NoDB_Init(nullptr) == SECSuccess);
+
+ ASSERT_EQ(Success, mLog.Init(InputForBuffer(GetTestPublicKey())));
+ ASSERT_EQ(GetTestPublicKeyId(), mLog.keyId());
+ }
+
+protected:
+ CTLogVerifier mLog;
+};
+
+TEST_F(CTLogVerifierTest, VerifiesCertSCT)
+{
+ LogEntry certEntry;
+ GetX509CertLogEntry(certEntry);
+
+ SignedCertificateTimestamp certSct;
+ GetX509CertSCT(certSct);
+
+ EXPECT_EQ(Success, mLog.Verify(certEntry, certSct));
+}
+
+TEST_F(CTLogVerifierTest, VerifiesPrecertSCT)
+{
+ LogEntry precertEntry;
+ GetPrecertLogEntry(precertEntry);
+
+ SignedCertificateTimestamp precertSct;
+ GetPrecertSCT(precertSct);
+
+ EXPECT_EQ(Success, mLog.Verify(precertEntry, precertSct));
+}
+
+TEST_F(CTLogVerifierTest, FailsInvalidTimestamp)
+{
+ LogEntry certEntry;
+ GetX509CertLogEntry(certEntry);
+
+ SignedCertificateTimestamp certSct;
+ GetX509CertSCT(certSct);
+
+ // Mangle the timestamp, so that it should fail signature validation.
+ certSct.timestamp = 0;
+
+ EXPECT_EQ(Result::ERROR_BAD_SIGNATURE, mLog.Verify(certEntry, certSct));
+}
+
+TEST_F(CTLogVerifierTest, FailsInvalidSignature)
+{
+ LogEntry certEntry;
+ GetX509CertLogEntry(certEntry);
+
+ // Mangle the signature, making VerifyECDSASignedDigestNSS (used by
+ // CTLogVerifier) return ERROR_BAD_SIGNATURE.
+ SignedCertificateTimestamp certSct;
+ GetX509CertSCT(certSct);
+ certSct.signature.signatureData[20] ^= '\xFF';
+ EXPECT_EQ(Result::ERROR_BAD_SIGNATURE, mLog.Verify(certEntry, certSct));
+
+ // Make VerifyECDSASignedDigestNSS return ERROR_BAD_DER. We still expect
+ // the verifier to return ERROR_BAD_SIGNATURE.
+ SignedCertificateTimestamp certSct2;
+ GetX509CertSCT(certSct2);
+ certSct2.signature.signatureData[0] ^= '\xFF';
+ EXPECT_EQ(Result::ERROR_BAD_SIGNATURE, mLog.Verify(certEntry, certSct2));
+}
+
+TEST_F(CTLogVerifierTest, FailsInvalidLogID)
+{
+ LogEntry certEntry;
+ GetX509CertLogEntry(certEntry);
+
+ SignedCertificateTimestamp certSct;
+ GetX509CertSCT(certSct);
+
+ // Mangle the log ID, which should cause it to match a different log before
+ // attempting signature validation.
+ MOZ_RELEASE_ASSERT(certSct.logId.append('\x0'));
+
+ EXPECT_EQ(Result::FATAL_ERROR_INVALID_ARGS, mLog.Verify(certEntry, certSct));
+}
+
+TEST_F(CTLogVerifierTest, VerifiesValidSTH)
+{
+ SignedTreeHead sth;
+ GetSampleSignedTreeHead(sth);
+ EXPECT_EQ(Success, mLog.VerifySignedTreeHead(sth));
+}
+
+TEST_F(CTLogVerifierTest, DoesNotVerifyInvalidSTH)
+{
+ SignedTreeHead sth;
+ GetSampleSignedTreeHead(sth);
+ sth.sha256RootHash[0] ^= '\xFF';
+ EXPECT_EQ(Result::ERROR_BAD_SIGNATURE, mLog.VerifySignedTreeHead(sth));
+}
+
+// Test that excess data after the public key is rejected.
+TEST_F(CTLogVerifierTest, ExcessDataInPublicKey)
+{
+ Buffer key = GetTestPublicKey();
+ MOZ_RELEASE_ASSERT(key.append("extra", 5));
+
+ CTLogVerifier log;
+ EXPECT_NE(Success, log.Init(InputForBuffer(key)));
+}
+
+} } // namespace mozilla::ct