unplugged-system/external/cronet/net/cert/ct_objects_extractor_unittest.cc

// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/cert/ct_objects_extractor.h"

#include "base/files/file_path.h"
#include "net/cert/ct_log_verifier.h"
#include "net/cert/ct_serialization.h"
#include "net/cert/signed_certificate_timestamp.h"
#include "net/cert/x509_certificate.h"
#include "net/test/cert_test_util.h"
#include "net/test/ct_test_util.h"
#include "net/test/test_data_directory.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace net::ct {

class CTObjectsExtractorTest : public ::testing::Test {
 public:
  void SetUp() override {
    precert_chain_ =
        CreateCertificateListFromFile(GetTestCertsDirectory(),
                                      "ct-test-embedded-cert.pem",
                                      X509Certificate::FORMAT_AUTO);
    ASSERT_EQ(2u, precert_chain_.size());

    std::string der_test_cert(ct::GetDerEncodedX509Cert());
    test_cert_ = X509Certificate::CreateFromBytes(
        base::as_bytes(base::make_span(der_test_cert)));
    ASSERT_TRUE(test_cert_);

    log_ = CTLogVerifier::Create(ct::GetTestPublicKey(), "testlog");
    ASSERT_TRUE(log_);
  }

  void ExtractEmbeddedSCT(scoped_refptr<X509Certificate> cert,
                          scoped_refptr<SignedCertificateTimestamp>* sct) {
    std::string sct_list;
    ASSERT_TRUE(ExtractEmbeddedSCTList(cert->cert_buffer(), &sct_list));

    std::vector<base::StringPiece> parsed_scts;
    // Make sure the SCT list can be decoded properly
    ASSERT_TRUE(DecodeSCTList(sct_list, &parsed_scts));
    ASSERT_EQ(1u, parsed_scts.size());
    EXPECT_TRUE(DecodeSignedCertificateTimestamp(&parsed_scts[0], sct));
  }

 protected:
  CertificateList precert_chain_;
  scoped_refptr<X509Certificate> test_cert_;
  scoped_refptr<const CTLogVerifier> log_;
};

// Test that an SCT can be extracted and the extracted SCT contains the
// expected data.
TEST_F(CTObjectsExtractorTest, ExtractEmbeddedSCT) {
  auto sct = base::MakeRefCounted<ct::SignedCertificateTimestamp>();
  ExtractEmbeddedSCT(precert_chain_[0], &sct);

  EXPECT_EQ(sct->version, SignedCertificateTimestamp::V1);
  EXPECT_EQ(ct::GetTestPublicKeyId(), sct->log_id);

  base::Time expected_timestamp =
      base::Time::UnixEpoch() + base::Milliseconds(1365181456275);
  EXPECT_EQ(expected_timestamp, sct->timestamp);
}

// Test that the extractor correctly skips over issuerUniqueID and
// subjectUniqueID fields. See https://crbug.com/1199744.
TEST_F(CTObjectsExtractorTest, ExtractEmbeddedSCTListWithUIDs) {
  CertificateList certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "ct-test-embedded-with-uids.pem",
      X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
  ASSERT_EQ(1u, certs.size());

  auto sct = base::MakeRefCounted<ct::SignedCertificateTimestamp>();
  ExtractEmbeddedSCT(certs[0], &sct);

  EXPECT_EQ(sct->version, SignedCertificateTimestamp::V1);
  EXPECT_EQ(ct::GetTestPublicKeyId(), sct->log_id);

  base::Time expected_timestamp =
      base::Time::UnixEpoch() + base::Milliseconds(1365181456275);
  EXPECT_EQ(expected_timestamp, sct->timestamp);
}

TEST_F(CTObjectsExtractorTest, ExtractPrecert) {
  SignedEntryData entry;
  ASSERT_TRUE(GetPrecertSignedEntry(precert_chain_[0]->cert_buffer(),
                                    precert_chain_[1]->cert_buffer(), &entry));

  ASSERT_EQ(ct::SignedEntryData::LOG_ENTRY_TYPE_PRECERT, entry.type);
  // Should have empty leaf cert for this log entry type.
  ASSERT_TRUE(entry.leaf_certificate.empty());
  // Compare hash values of issuer spki.
  SHA256HashValue expected_issuer_key_hash;
  memcpy(expected_issuer_key_hash.data, GetDefaultIssuerKeyHash().data(), 32);
  ASSERT_EQ(expected_issuer_key_hash, entry.issuer_key_hash);
}

TEST_F(CTObjectsExtractorTest, ExtractOrdinaryX509Cert) {
  SignedEntryData entry;
  ASSERT_TRUE(GetX509SignedEntry(test_cert_->cert_buffer(), &entry));

  ASSERT_EQ(ct::SignedEntryData::LOG_ENTRY_TYPE_X509, entry.type);
  // Should have empty tbs_certificate for this log entry type.
  ASSERT_TRUE(entry.tbs_certificate.empty());
  // Length of leaf_certificate should be 718, see the CT Serialization tests.
  ASSERT_EQ(718U, entry.leaf_certificate.size());
}

// Test that the embedded SCT verifies
TEST_F(CTObjectsExtractorTest, ExtractedSCTVerifies) {
  auto sct = base::MakeRefCounted<ct::SignedCertificateTimestamp>();
  ExtractEmbeddedSCT(precert_chain_[0], &sct);

  SignedEntryData entry;
  ASSERT_TRUE(GetPrecertSignedEntry(precert_chain_[0]->cert_buffer(),
                                    precert_chain_[1]->cert_buffer(), &entry));

  EXPECT_TRUE(log_->Verify(entry, *sct.get()));
}

// Test that an externally-provided SCT verifies over the SignedEntryData
// of a regular X.509 Certificate
TEST_F(CTObjectsExtractorTest, ComplementarySCTVerifies) {
  auto sct = base::MakeRefCounted<ct::SignedCertificateTimestamp>();
  GetX509CertSCT(&sct);

  SignedEntryData entry;
  ASSERT_TRUE(GetX509SignedEntry(test_cert_->cert_buffer(), &entry));

  EXPECT_TRUE(log_->Verify(entry, *sct.get()));
}

// Test that the extractor can parse OCSP responses.
TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponse) {
  std::string der_subject_cert(ct::GetDerEncodedFakeOCSPResponseCert());
  scoped_refptr<X509Certificate> subject_cert =
      X509Certificate::CreateFromBytes(
          base::as_bytes(base::make_span(der_subject_cert)));
  ASSERT_TRUE(subject_cert);
  std::string der_issuer_cert(ct::GetDerEncodedFakeOCSPResponseIssuerCert());
  scoped_refptr<X509Certificate> issuer_cert = X509Certificate::CreateFromBytes(
      base::as_bytes(base::make_span(der_issuer_cert)));
  ASSERT_TRUE(issuer_cert);

  std::string fake_sct_list = ct::GetFakeOCSPExtensionValue();
  ASSERT_FALSE(fake_sct_list.empty());
  std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();

  std::string extracted_sct_list;
  EXPECT_TRUE(ct::ExtractSCTListFromOCSPResponse(
      issuer_cert->cert_buffer(), subject_cert->serial_number(), ocsp_response,
      &extracted_sct_list));
  EXPECT_EQ(extracted_sct_list, fake_sct_list);
}

// Test that the extractor honours serial number.
TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponseMatchesSerial) {
  std::string der_issuer_cert(ct::GetDerEncodedFakeOCSPResponseIssuerCert());
  scoped_refptr<X509Certificate> issuer_cert = X509Certificate::CreateFromBytes(
      base::as_bytes(base::make_span(der_issuer_cert)));
  ASSERT_TRUE(issuer_cert);

  std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();

  std::string extracted_sct_list;
  EXPECT_FALSE(ct::ExtractSCTListFromOCSPResponse(
      issuer_cert->cert_buffer(), test_cert_->serial_number(), ocsp_response,
      &extracted_sct_list));
}

// Test that the extractor honours issuer ID.
TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponseMatchesIssuer) {
  std::string der_subject_cert(ct::GetDerEncodedFakeOCSPResponseCert());
  scoped_refptr<X509Certificate> subject_cert =
      X509Certificate::CreateFromBytes(
          base::as_bytes(base::make_span(der_subject_cert)));
  ASSERT_TRUE(subject_cert);

  std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();

  std::string extracted_sct_list;
  // Use test_cert_ for issuer - it is not the correct issuer of |subject_cert|.
  EXPECT_FALSE(ct::ExtractSCTListFromOCSPResponse(
      test_cert_->cert_buffer(), subject_cert->serial_number(), ocsp_response,
      &extracted_sct_list));
}

}  // namespace net::ct
Initial commit: AOSP 14 with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00			`// Copyright 2013 The Chromium Authors`
			`// Use of this source code is governed by a BSD-style license that can be`
			`// found in the LICENSE file.`

			`#include "net/cert/ct_objects_extractor.h"`

			`#include "base/files/file_path.h"`
			`#include "net/cert/ct_log_verifier.h"`
			`#include "net/cert/ct_serialization.h"`
			`#include "net/cert/signed_certificate_timestamp.h"`
			`#include "net/cert/x509_certificate.h"`
			`#include "net/test/cert_test_util.h"`
			`#include "net/test/ct_test_util.h"`
			`#include "net/test/test_data_directory.h"`
			`#include "testing/gtest/include/gtest/gtest.h"`

			`namespace net::ct {`

			`class CTObjectsExtractorTest : public ::testing::Test {`
			`public:`
			`void SetUp() override {`
			`precert_chain_ =`
			`CreateCertificateListFromFile(GetTestCertsDirectory(),`
			`"ct-test-embedded-cert.pem",`
			`X509Certificate::FORMAT_AUTO);`
			`ASSERT_EQ(2u, precert_chain_.size());`

			`std::string der_test_cert(ct::GetDerEncodedX509Cert());`
			`test_cert_ = X509Certificate::CreateFromBytes(`
			`base::as_bytes(base::make_span(der_test_cert)));`
			`ASSERT_TRUE(test_cert_);`

			`log_ = CTLogVerifier::Create(ct::GetTestPublicKey(), "testlog");`
			`ASSERT_TRUE(log_);`
			`}`

			`void ExtractEmbeddedSCT(scoped_refptr<X509Certificate> cert,`
			`scoped_refptr<SignedCertificateTimestamp>* sct) {`
			`std::string sct_list;`
			`ASSERT_TRUE(ExtractEmbeddedSCTList(cert->cert_buffer(), &sct_list));`

			`std::vector<base::StringPiece> parsed_scts;`
			`// Make sure the SCT list can be decoded properly`
			`ASSERT_TRUE(DecodeSCTList(sct_list, &parsed_scts));`
			`ASSERT_EQ(1u, parsed_scts.size());`
			`EXPECT_TRUE(DecodeSignedCertificateTimestamp(&parsed_scts[0], sct));`
			`}`

			`protected:`
			`CertificateList precert_chain_;`
			`scoped_refptr<X509Certificate> test_cert_;`
			`scoped_refptr<const CTLogVerifier> log_;`
			`};`

			`// Test that an SCT can be extracted and the extracted SCT contains the`
			`// expected data.`
			`TEST_F(CTObjectsExtractorTest, ExtractEmbeddedSCT) {`
			`auto sct = base::MakeRefCounted<ct::SignedCertificateTimestamp>();`
			`ExtractEmbeddedSCT(precert_chain_[0], &sct);`

			`EXPECT_EQ(sct->version, SignedCertificateTimestamp::V1);`
			`EXPECT_EQ(ct::GetTestPublicKeyId(), sct->log_id);`

			`base::Time expected_timestamp =`
			`base::Time::UnixEpoch() + base::Milliseconds(1365181456275);`
			`EXPECT_EQ(expected_timestamp, sct->timestamp);`
			`}`

			`// Test that the extractor correctly skips over issuerUniqueID and`
			`// subjectUniqueID fields. See https://crbug.com/1199744.`
			`TEST_F(CTObjectsExtractorTest, ExtractEmbeddedSCTListWithUIDs) {`
			`CertificateList certs = CreateCertificateListFromFile(`
			`GetTestCertsDirectory(), "ct-test-embedded-with-uids.pem",`
			`X509Certificate::FORMAT_PEM_CERT_SEQUENCE);`
			`ASSERT_EQ(1u, certs.size());`

			`auto sct = base::MakeRefCounted<ct::SignedCertificateTimestamp>();`
			`ExtractEmbeddedSCT(certs[0], &sct);`

			`EXPECT_EQ(sct->version, SignedCertificateTimestamp::V1);`
			`EXPECT_EQ(ct::GetTestPublicKeyId(), sct->log_id);`

			`base::Time expected_timestamp =`
			`base::Time::UnixEpoch() + base::Milliseconds(1365181456275);`
			`EXPECT_EQ(expected_timestamp, sct->timestamp);`
			`}`

			`TEST_F(CTObjectsExtractorTest, ExtractPrecert) {`
			`SignedEntryData entry;`
			`ASSERT_TRUE(GetPrecertSignedEntry(precert_chain_[0]->cert_buffer(),`
			`precert_chain_[1]->cert_buffer(), &entry));`

			`ASSERT_EQ(ct::SignedEntryData::LOG_ENTRY_TYPE_PRECERT, entry.type);`
			`// Should have empty leaf cert for this log entry type.`
			`ASSERT_TRUE(entry.leaf_certificate.empty());`
			`// Compare hash values of issuer spki.`
			`SHA256HashValue expected_issuer_key_hash;`
			`memcpy(expected_issuer_key_hash.data, GetDefaultIssuerKeyHash().data(), 32);`
			`ASSERT_EQ(expected_issuer_key_hash, entry.issuer_key_hash);`
			`}`

			`TEST_F(CTObjectsExtractorTest, ExtractOrdinaryX509Cert) {`
			`SignedEntryData entry;`
			`ASSERT_TRUE(GetX509SignedEntry(test_cert_->cert_buffer(), &entry));`

			`ASSERT_EQ(ct::SignedEntryData::LOG_ENTRY_TYPE_X509, entry.type);`
			`// Should have empty tbs_certificate for this log entry type.`
			`ASSERT_TRUE(entry.tbs_certificate.empty());`
			`// Length of leaf_certificate should be 718, see the CT Serialization tests.`
			`ASSERT_EQ(718U, entry.leaf_certificate.size());`
			`}`

			`// Test that the embedded SCT verifies`
			`TEST_F(CTObjectsExtractorTest, ExtractedSCTVerifies) {`
			`auto sct = base::MakeRefCounted<ct::SignedCertificateTimestamp>();`
			`ExtractEmbeddedSCT(precert_chain_[0], &sct);`

			`SignedEntryData entry;`
			`ASSERT_TRUE(GetPrecertSignedEntry(precert_chain_[0]->cert_buffer(),`
			`precert_chain_[1]->cert_buffer(), &entry));`

			`EXPECT_TRUE(log_->Verify(entry, *sct.get()));`
			`}`

			`// Test that an externally-provided SCT verifies over the SignedEntryData`
			`// of a regular X.509 Certificate`
			`TEST_F(CTObjectsExtractorTest, ComplementarySCTVerifies) {`
			`auto sct = base::MakeRefCounted<ct::SignedCertificateTimestamp>();`
			`GetX509CertSCT(&sct);`

			`SignedEntryData entry;`
			`ASSERT_TRUE(GetX509SignedEntry(test_cert_->cert_buffer(), &entry));`

			`EXPECT_TRUE(log_->Verify(entry, *sct.get()));`
			`}`

			`// Test that the extractor can parse OCSP responses.`
			`TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponse) {`
			`std::string der_subject_cert(ct::GetDerEncodedFakeOCSPResponseCert());`
			`scoped_refptr<X509Certificate> subject_cert =`
			`X509Certificate::CreateFromBytes(`
			`base::as_bytes(base::make_span(der_subject_cert)));`
			`ASSERT_TRUE(subject_cert);`
			`std::string der_issuer_cert(ct::GetDerEncodedFakeOCSPResponseIssuerCert());`
			`scoped_refptr<X509Certificate> issuer_cert = X509Certificate::CreateFromBytes(`
			`base::as_bytes(base::make_span(der_issuer_cert)));`
			`ASSERT_TRUE(issuer_cert);`

			`std::string fake_sct_list = ct::GetFakeOCSPExtensionValue();`
			`ASSERT_FALSE(fake_sct_list.empty());`
			`std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();`

			`std::string extracted_sct_list;`
			`EXPECT_TRUE(ct::ExtractSCTListFromOCSPResponse(`
			`issuer_cert->cert_buffer(), subject_cert->serial_number(), ocsp_response,`
			`&extracted_sct_list));`
			`EXPECT_EQ(extracted_sct_list, fake_sct_list);`
			`}`

			`// Test that the extractor honours serial number.`
			`TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponseMatchesSerial) {`
			`std::string der_issuer_cert(ct::GetDerEncodedFakeOCSPResponseIssuerCert());`
			`scoped_refptr<X509Certificate> issuer_cert = X509Certificate::CreateFromBytes(`
			`base::as_bytes(base::make_span(der_issuer_cert)));`
			`ASSERT_TRUE(issuer_cert);`

			`std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();`

			`std::string extracted_sct_list;`
			`EXPECT_FALSE(ct::ExtractSCTListFromOCSPResponse(`
			`issuer_cert->cert_buffer(), test_cert_->serial_number(), ocsp_response,`
			`&extracted_sct_list));`
			`}`

			`// Test that the extractor honours issuer ID.`
			`TEST_F(CTObjectsExtractorTest, ExtractSCTListFromOCSPResponseMatchesIssuer) {`
			`std::string der_subject_cert(ct::GetDerEncodedFakeOCSPResponseCert());`
			`scoped_refptr<X509Certificate> subject_cert =`
			`X509Certificate::CreateFromBytes(`
			`base::as_bytes(base::make_span(der_subject_cert)));`
			`ASSERT_TRUE(subject_cert);`

			`std::string ocsp_response = ct::GetDerEncodedFakeOCSPResponse();`

			`std::string extracted_sct_list;`
			`// Use test_cert_ for issuer - it is not the correct issuer of \|subject_cert\|.`
			`EXPECT_FALSE(ct::ExtractSCTListFromOCSPResponse(`
			`test_cert_->cert_buffer(), subject_cert->serial_number(), ocsp_response,`
			`&extracted_sct_list));`
			`}`

			`} // namespace net::ct`