Add m-esr52 at 52.6.0

1 files changed, 233 insertions, 0 deletions

diff --git a/security/certverifier/tests/gtest/MultiLogCTVerifierTest.cpp b/security/certverifier/tests/gtest/MultiLogCTVerifierTest.cpp
new file mode 100644
index 000000000..f8f04804e
--- /dev/null
+++ b/security/certverifier/tests/gtest/MultiLogCTVerifierTest.cpp
@@ -0,0 +1,233 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "MultiLogCTVerifier.h"
+
+#include <stdint.h>
+
+#include "CTLogVerifier.h"
+#include "CTObjectsExtractor.h"
+#include "CTSerialization.h"
+#include "CTTestUtils.h"
+#include "gtest/gtest.h"
+#include "mozilla/EnumSet.h"
+#include "mozilla/Move.h"
+#include "nss.h"
+
+namespace mozilla { namespace ct {
+
+using namespace mozilla::pkix;
+
+class MultiLogCTVerifierTest : public ::testing::Test
+{
+public:
+  MultiLogCTVerifierTest()
+    : mNow(Time::uninitialized)
+  {}
+
+  void SetUp() override
+  {
+    // Does nothing if NSS is already initialized.
+    MOZ_RELEASE_ASSERT(NSS_NoDB_Init(nullptr) == SECSuccess);
+
+    ASSERT_EQ(Success, mVerifier.AddLog(InputForBuffer(GetTestPublicKey())));
+
+    mTestCert = GetDEREncodedX509Cert();
+    mEmbeddedCert = GetDEREncodedTestEmbeddedCert();
+    mCaCert = GetDEREncodedCACert();
+    mCaCertSPKI = ExtractCertSPKI(mCaCert);
+    mIntermediateCert = GetDEREncodedIntermediateCert();
+    mIntermediateCertSPKI = ExtractCertSPKI(mIntermediateCert);
+
+    // Set the current time making sure all test timestamps are in the past.
+    mNow = TimeFromEpochInSeconds(1451606400u); // Date.parse("2016-01-01")/1000
+  }
+
+  void CheckForSingleVerifiedSCTInResult(const CTVerifyResult& result,
+    SignedCertificateTimestamp::Origin origin)
+  {
+    EXPECT_EQ(0U, result.decodingErrors);
+    ASSERT_EQ(1U, result.scts.length());
+    EXPECT_EQ(SignedCertificateTimestamp::VerificationStatus::OK,
+              result.scts[0].verificationStatus);
+    EXPECT_EQ(origin, result.scts[0].origin);
+  }
+
+  // Writes an SCTList containing a single |sct| into |output|.
+  void EncodeSCTListForTesting(Input sct, Buffer& output)
+  {
+    Vector<Input> list;
+    ASSERT_TRUE(list.append(Move(sct)));
+    ASSERT_EQ(Success, EncodeSCTList(list, output));
+  }
+
+  void GetSCTListWithInvalidLogID(Buffer& result)
+  {
+    result.clear();
+    Buffer sct(GetTestSignedCertificateTimestamp());
+    // Change a byte inside the Log ID part of the SCT so it does
+    // not match the log used in the tests.
+    sct[15] ^= '\xFF';
+    EncodeSCTListForTesting(InputForBuffer(sct), result);
+  }
+
+  void CheckPrecertVerification(const Buffer& cert, const Buffer& issuerSPKI)
+  {
+    Buffer sctList;
+    ExtractEmbeddedSCTList(cert, sctList);
+    ASSERT_FALSE(sctList.empty());
+
+    CTVerifyResult result;
+    ASSERT_EQ(Success,
+              mVerifier.Verify(InputForBuffer(cert), InputForBuffer(issuerSPKI),
+                               InputForBuffer(sctList), Input(), Input(),
+                               mNow, result));
+    CheckForSingleVerifiedSCTInResult(result,
+      SignedCertificateTimestamp::Origin::Embedded);
+  }
+
+protected:
+  MultiLogCTVerifier mVerifier;
+  Buffer mTestCert;
+  Buffer mEmbeddedCert;
+  Buffer mCaCert;
+  Buffer mCaCertSPKI;
+  Buffer mIntermediateCert;
+  Buffer mIntermediateCertSPKI;
+  Time mNow;
+};
+
+// Test that an embedded SCT can be extracted and the extracted SCT contains
+// the expected data. This tests the ExtractEmbeddedSCTList function from
+// CTTestUtils.h that other tests here rely upon.
+TEST_F(MultiLogCTVerifierTest, ExtractEmbeddedSCT)
+{
+  SignedCertificateTimestamp sct;
+
+  // Extract the embedded SCT.
+
+  Buffer sctList;
+  ExtractEmbeddedSCTList(mEmbeddedCert, sctList);
+  ASSERT_FALSE(sctList.empty());
+
+  Reader sctReader;
+  ASSERT_EQ(Success, DecodeSCTList(InputForBuffer(sctList), sctReader));
+  Input sctItemInput;
+  ASSERT_EQ(Success, ReadSCTListItem(sctReader, sctItemInput));
+  EXPECT_TRUE(sctReader.AtEnd()); // we only expect one sct in the list
+
+  Reader sctItemReader(sctItemInput);
+  ASSERT_EQ(Success, DecodeSignedCertificateTimestamp(sctItemReader, sct));
+
+  // Make sure the SCT contains the expected data.
+
+  EXPECT_EQ(SignedCertificateTimestamp::Version::V1, sct.version);
+  EXPECT_EQ(GetTestPublicKeyId(), sct.logId);
+
+  uint64_t expectedTimestamp = 1365181456275;
+  EXPECT_EQ(expectedTimestamp, sct.timestamp);
+}
+
+TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCT)
+{
+  CheckPrecertVerification(mEmbeddedCert, mCaCertSPKI);
+}
+
+TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithPreCA)
+{
+  CheckPrecertVerification(GetDEREncodedTestEmbeddedWithPreCACert(),
+                           mCaCertSPKI);
+}
+
+TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithIntermediate)
+{
+  CheckPrecertVerification(GetDEREncodedTestEmbeddedWithIntermediateCert(),
+                           mIntermediateCertSPKI);
+}
+
+TEST_F(MultiLogCTVerifierTest, VerifiesEmbeddedSCTWithIntermediateAndPreCA)
+{
+  CheckPrecertVerification(GetDEREncodedTestEmbeddedWithIntermediatePreCACert(),
+                           mIntermediateCertSPKI);
+}
+
+TEST_F(MultiLogCTVerifierTest, VerifiesSCTFromOCSP)
+{
+  Buffer sct(GetTestSignedCertificateTimestamp());
+  Buffer sctList;
+  EncodeSCTListForTesting(InputForBuffer(sct), sctList);
+
+  CTVerifyResult result;
+  ASSERT_EQ(Success,
+            mVerifier.Verify(InputForBuffer(mTestCert), Input(),
+                             Input(), InputForBuffer(sctList), Input(),
+                             mNow, result));
+
+  CheckForSingleVerifiedSCTInResult(result,
+    SignedCertificateTimestamp::Origin::OCSPResponse);
+}
+
+TEST_F(MultiLogCTVerifierTest, VerifiesSCTFromTLS)
+{
+  Buffer sct(GetTestSignedCertificateTimestamp());
+  Buffer sctList;
+  EncodeSCTListForTesting(InputForBuffer(sct), sctList);
+
+  CTVerifyResult result;
+  ASSERT_EQ(Success,
+            mVerifier.Verify(InputForBuffer(mTestCert), Input(),
+                             Input(), Input(), InputForBuffer(sctList),
+                             mNow, result));
+
+  CheckForSingleVerifiedSCTInResult(result,
+    SignedCertificateTimestamp::Origin::TLSExtension);
+}
+
+TEST_F(MultiLogCTVerifierTest, VerifiesSCTFromMultipleSources)
+{
+  Buffer sct(GetTestSignedCertificateTimestamp());
+  Buffer sctList;
+  EncodeSCTListForTesting(InputForBuffer(sct), sctList);
+
+  CTVerifyResult result;
+  ASSERT_EQ(Success,
+            mVerifier.Verify(InputForBuffer(mTestCert), Input(), Input(),
+                             InputForBuffer(sctList), InputForBuffer(sctList),
+                             mNow, result));
+
+  // The result should contain verified SCTs from TLS and OCSP origins.
+  EnumSet<SignedCertificateTimestamp::Origin> origins;
+  for (const SignedCertificateTimestamp& sct : result.scts) {
+    EXPECT_EQ(SignedCertificateTimestamp::VerificationStatus::OK,
+              sct.verificationStatus);
+    origins += sct.origin;
+  }
+  EXPECT_FALSE(
+    origins.contains(SignedCertificateTimestamp::Origin::Embedded));
+  EXPECT_TRUE(
+    origins.contains(SignedCertificateTimestamp::Origin::OCSPResponse));
+  EXPECT_TRUE(
+    origins.contains(SignedCertificateTimestamp::Origin::TLSExtension));
+}
+
+TEST_F(MultiLogCTVerifierTest, IdentifiesSCTFromUnknownLog)
+{
+  Buffer sctList;
+  GetSCTListWithInvalidLogID(sctList);
+
+  CTVerifyResult result;
+  ASSERT_EQ(Success,
+            mVerifier.Verify(InputForBuffer(mTestCert), Input(),
+                             Input(), Input(), InputForBuffer(sctList),
+                             mNow, result));
+
+  EXPECT_EQ(0U, result.decodingErrors);
+  ASSERT_EQ(1U, result.scts.length());
+  EXPECT_EQ(SignedCertificateTimestamp::VerificationStatus::UnknownLog,
+            result.scts[0].verificationStatus);
+}
+
+} } // namespace mozilla::ct