Certificate Transparency DNS log client

components/certificate_transparency/log_dns_client_unittest.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/certificate_transparency/log_dns_client.h"
+
+#include <algorithm>
+#include <numeric>
+#include <utility>
+#include <vector>
+
+#include "base/big_endian.h"
+#include "base/macros.h"
+#include "base/memory/ref_counted.h"
+#include "base/run_loop.h"
+#include "base/sys_byteorder.h"
+#include "base/test/simple_test_clock.h"
+#include "base/test/test_timeouts.h"
+#include "content/public/test/test_browser_thread_bundle.h"
+#include "crypto/sha2.h"
+#include "net/base/net_errors.h"
+#include "net/cert/merkle_audit_proof.h"
+#include "net/cert/merkle_tree_leaf.h"
+#include "net/cert/signed_certificate_timestamp.h"
+#include "net/dns/dns_client.h"
+#include "net/dns/dns_config_service.h"
+#include "net/dns/dns_protocol.h"
+#include "net/log/net_log.h"
+#include "net/socket/socket_test_util.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace certificate_transparency {
+namespace {
+
+using ::testing::AllOf;
+using ::testing::DeleteArg;
+using ::testing::IsNull;
+using ::testing::Not;
+using ::testing::Pointee;
+using ::testing::Field;
+using ::testing::SizeIs;
+
+constexpr char kLeafHash[] =
+    "\x1f\x25\xe1\xca\xba\x4f\xf9\xb8\x27\x24\x83\x0f\xca\x60\xe4\xc2\xbe\xa8"
+    "\xc3\xa9\x44\x1c\x27\xb0\xb4\x3e\x6a\x96\x94\xc7\xb8\x04";
+
+MATCHER(IsNetOk, "") {
+  if (arg <= net::OK)
+    *result_listener << net::ErrorToString(arg);
+  return arg == net::OK;
+}
+
+MATCHER_P(IsNetError, expected, "") {
+  if (arg <= net::OK)
+    *result_listener << net::ErrorToString(arg);
+  return arg == expected;
+}
+
+// Always return min, to simplify testing.
+// This should result in the DNS query ID always being 0.
+int FakeRandInt(int min, int max) {
+  return min;
+}
+
+std::vector<char> CreateDnsTxtRequest(base::StringPiece qname) {
+  std::string encoded_qname;
+  EXPECT_TRUE(net::DNSDomainFromDot(qname, &encoded_qname));
+
+  const size_t query_section_size = encoded_qname.size() + 4;
+
+  std::vector<char> request(sizeof(net::dns_protocol::Header) +
+                            query_section_size);
+  base::BigEndianWriter writer(request.data(), request.size());
+
+  // Header
+  net::dns_protocol::Header header = {};
+  header.flags = base::HostToNet16(net::dns_protocol::kFlagRD);
+  header.qdcount = base::HostToNet16(1);
+  EXPECT_TRUE(writer.WriteBytes(&header, sizeof(header)));
+  // Query section
+  EXPECT_TRUE(writer.WriteBytes(encoded_qname.data(), encoded_qname.size()));
+  EXPECT_TRUE(writer.WriteU16(net::dns_protocol::kTypeTXT));
+  EXPECT_TRUE(writer.WriteU16(net::dns_protocol::kClassIN));
+  EXPECT_EQ(0, writer.remaining());
+
+  return request;
+}
+
+std::vector<char> CreateDnsTxtResponse(const std::vector<char>& request,
+                                       base::StringPiece answer) {
+  const size_t answers_section_size = 12 + answer.size();
+  constexpr uint32_t ttl = 86400;  // seconds
+
+  std::vector<char> response(request.size() + answers_section_size);
+  std::copy(request.begin(), request.end(), response.begin());
+  // Modify the header
+  net::dns_protocol::Header* header =
+      reinterpret_cast<net::dns_protocol::Header*>(response.data());
+  header->ancount = base::HostToNet16(1);
+  header->flags |= base::HostToNet16(net::dns_protocol::kFlagResponse);
+
+  // Write the answer section
+  base::BigEndianWriter writer(response.data() + request.size(),
+                               response.size() - request.size());
+  EXPECT_TRUE(writer.WriteU8(0xc0));  // qname is a pointer
+  EXPECT_TRUE(writer.WriteU8(
+      sizeof(*header)));  // address of qname (start of query section)
+  EXPECT_TRUE(writer.WriteU16(net::dns_protocol::kTypeTXT));
+  EXPECT_TRUE(writer.WriteU16(net::dns_protocol::kClassIN));
+  EXPECT_TRUE(writer.WriteU32(ttl));
+  EXPECT_TRUE(writer.WriteU16(answer.size()));
+  EXPECT_TRUE(writer.WriteBytes(answer.data(), answer.size()));
+  EXPECT_EQ(0, writer.remaining());
+
+  return response;
+}
+
+std::vector<char> CreateDnsErrorResponse(const std::vector<char>& request,
+                                         uint8_t rcode) {
+  std::vector<char> response(request);
+  // Modify the header
+  net::dns_protocol::Header* header =
+      reinterpret_cast<net::dns_protocol::Header*>(response.data());
+  header->ancount = base::HostToNet16(1);
+  header->flags |= base::HostToNet16(net::dns_protocol::kFlagResponse | rcode);
+
+  return response;
+}
+
+std::vector<std::string> GetSampleAuditProof(size_t length) {
+  std::vector<std::string> audit_proof(length);
+  // Makes each node of the audit proof different, so that tests are able to
+  // confirm that the audit proof is reconstructed in the correct order.
+  for (size_t i = 0; i < length; ++i) {
+    std::string node(crypto::kSHA256Length, '\0');
+    // Each node is 32 bytes, with each byte having a different value.
+    for (size_t j = 0; j < crypto::kSHA256Length; ++j) {
+      node[j] = static_cast<char>((-127 + i + j) % 128);
+    }
+    audit_proof[i].assign(std::move(node));
+  }
+
+  return audit_proof;
+}
+
+class MockLeafIndexCallback {
+ public:
+  MOCK_METHOD2(Run, void(int net_error, uint64_t leaf_index));
+};
+
+class MockAuditProofCallback {
+ public:
+  MOCK_METHOD2(Run_, void(int net_error, net::ct::MerkleAuditProof* proof));
+
+  // This proxy function is required because Chromium's GMock is not built with
+  // C++11 support (required for handling std::unique_ptr parameters).
+  // Remove it once this is rectified.
+  void Run(int net_error, std::unique_ptr<net::ct::MerkleAuditProof> proof) {
+    Run_(net_error, proof.release());
+  }
+};
+
+// A container for all of the data we need to keep alive for a mock socket.
+// This is useful because Mock{Read,Write}, SequencedSocketData and
+// MockClientSocketFactory all do not take ownership of or copy their arguments,
+// so we have to manage the lifetime of those arguments ourselves. Wrapping all
+// of that up in a single class simplifies this.
+class MockSocketData {
+ public:
+  // A socket that expects one write and one read operation.
+  MockSocketData(const std::vector<char>& write, const std::vector<char>& read)
+      : expected_write_payload_(write),
+        expected_read_payload_(read),
+        expected_write_(net::SYNCHRONOUS,
+                        expected_write_payload_.data(),
+                        expected_write_payload_.size(),
+                        0),
+        expected_read_(net::ASYNC,
+                       expected_read_payload_.data(),
+                       expected_read_payload_.size(),
+                       1),
+        socket_data_(&expected_read_, 1, &expected_write_, 1) {}
+
+  void SetWriteMode(net::IoMode mode) { expected_write_.mode = mode; }
+  void SetReadMode(net::IoMode mode) { expected_read_.mode = mode; }
+
+  void AddToFactory(net::MockClientSocketFactory* socket_factory) {
+    socket_factory->AddSocketDataProvider(&socket_data_);
+  }
+
+ private:
+  const std::vector<char> expected_write_payload_;
+  const std::vector<char> expected_read_payload_;
+  net::MockWrite expected_write_;
+  net::MockRead expected_read_;
+  net::SequencedSocketData socket_data_;
+
+  DISALLOW_COPY_AND_ASSIGN(MockSocketData);
+};
+
+class LogDnsClientTest : public ::testing::TestWithParam<net::IoMode> {
+ protected:
+  LogDnsClientTest()
+      : thread_bundle_(content::TestBrowserThreadBundle::IO_MAINLOOP) {}
+
+  std::unique_ptr<net::DnsClient> CreateDnsClient() {
+    net::DnsConfig config;
+    // Use an invalid nameserver address. This prevents the tests accidentally
+    // sending real DNS queries. The mock sockets don't care that the address
+    // is invalid.
+    config.nameservers.push_back(net::IPEndPoint());
+    // Don't attempt retransmissions - just fail.
+    config.attempts = 1;
+    // This ensures timeouts are long enough for memory tests.
+    config.timeout = TestTimeouts::action_timeout();
+    // Simplify testing - don't require random numbers for the source port.
+    // This means our FakeRandInt function should only be called to get query
+    // IDs.
+    config.randomize_ports = false;
+
+    std::unique_ptr<net::DnsClient> client =
+        net::DnsClient::CreateClientForTesting(
+            net_log_.net_log(), &socket_factory_, base::Bind(&FakeRandInt));
+    client->SetConfig(config);
+    return client;
+  }
+
+  void ExpectRequestAndResponse(base::StringPiece qname,
+                                base::StringPiece answer) {
+    std::vector<char> request = CreateDnsTxtRequest(qname);
+    std::vector<char> response = CreateDnsTxtResponse(request, answer);
+
+    mock_socket_data_.emplace_back(new MockSocketData(request, response));
+    mock_socket_data_.back()->SetReadMode(GetParam());
+    mock_socket_data_.back()->AddToFactory(&socket_factory_);
+  }
+
+  void ExpectRequestAndErrorResponse(base::StringPiece qname, uint8_t rcode) {
+    std::vector<char> request = CreateDnsTxtRequest(qname);
+    std::vector<char> response = CreateDnsErrorResponse(request, rcode);
+
+    mock_socket_data_.emplace_back(new MockSocketData(request, response));
+    mock_socket_data_.back()->SetReadMode(GetParam());
+    mock_socket_data_.back()->AddToFactory(&socket_factory_);
+  }
+
+  void ExpectLeafIndexRequestAndResponse(base::StringPiece qname,
+                                         base::StringPiece leaf_index) {
+    // Prepend size to leaf_index to create the query answer (rdata)
+    ASSERT_LE(leaf_index.size(), 0xFFul);  // size must fit into a single byte
+    std::string answer = leaf_index.as_string();
+    answer.insert(answer.begin(), static_cast<char>(leaf_index.size()));
+
+    ExpectRequestAndResponse(qname, answer);
+  }
+
+  void ExpectAuditProofRequestAndResponse(
+      base::StringPiece qname,
+      std::vector<std::string>::const_iterator audit_path_start,
+      std::vector<std::string>::const_iterator audit_path_end) {
+    // Join nodes in the audit path into a single string.
+    std::string proof =
+        std::accumulate(audit_path_start, audit_path_end, std::string());
+
+    // Prepend size to proof to create the query answer (rdata)
+    ASSERT_LE(proof.size(), 0xFFul);  // size must fit into a single byte
+    proof.insert(proof.begin(), static_cast<char>(proof.size()));
+
+    ExpectRequestAndResponse(qname, proof);
+  }
+
+  void QueryLeafIndex(base::StringPiece log_domain,
+                      base::StringPiece leaf_hash,
+                      MockLeafIndexCallback* callback) {
+    std::unique_ptr<net::DnsClient> dns_client = CreateDnsClient();
+    LogDnsClient log_client(std::move(dns_client), net_log_, &clock_);
+
+    LogDnsClient::LeafIndexCallback callback_func =
+        base::Bind(&MockLeafIndexCallback::Run, base::Unretained(callback));
+
+    log_client.QueryLeafIndex(log_domain, leaf_hash, callback_func);
+    base::RunLoop().RunUntilIdle();
+  }
+
+  void QueryAuditProof(base::StringPiece log_domain,
+                       uint64_t leaf_index,
+                       uint64_t tree_size,
+                       MockAuditProofCallback* callback) {
+    std::unique_ptr<net::DnsClient> dns_client = CreateDnsClient();
+    LogDnsClient log_client(std::move(dns_client), net_log_, &clock_);
+
+    LogDnsClient::AuditProofCallback callback_func =
+        base::Bind(&MockAuditProofCallback::Run, base::Unretained(callback));
+
+    log_client.QueryAuditProof(log_domain, leaf_index, tree_size,
+                               callback_func);
+    base::RunLoop().RunUntilIdle();
+  }
+
+  content::TestBrowserThreadBundle thread_bundle_;
+  net::BoundNetLog net_log_;

[mmenke, 2016/06/27 19:30:32]

Can remove this entirely - just inline net::BoundNetLog where you use this. 
Note that BoundNetLogs are copyable, they aren't passed as pointer.

[Rob Percival, 2016/06/28 21:44:54]

Done.

+  base::SimpleTestClock clock_;
+  std::vector<std::unique_ptr<MockSocketData>> mock_socket_data_;
+  net::MockClientSocketFactory socket_factory_;
+};
+
+TEST_P(LogDnsClientTest, QueryLeafIndex) {
+  ExpectLeafIndexRequestAndResponse(
+      "D4S6DSV2J743QJZEQMH4UYHEYK7KRQ5JIQOCPMFUHZVJNFGHXACA.hash.ct.test.",
+      "123456");
+
+  MockLeafIndexCallback callback;
+  EXPECT_CALL(callback, Run(IsNetOk(), 123456));
+
+  QueryLeafIndex("ct.test", kLeafHash, &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryLeafIndexReportsThatLogDomainDoesNotExist) {
+  ExpectRequestAndErrorResponse(
+      "D4S6DSV2J743QJZEQMH4UYHEYK7KRQ5JIQOCPMFUHZVJNFGHXACA.hash.ct.test.",
+      net::dns_protocol::kRcodeNXDOMAIN);
+
+  MockLeafIndexCallback callback;
+  EXPECT_CALL(callback, Run(IsNetError(net::ERR_NAME_NOT_RESOLVED), 0));
+
+  QueryLeafIndex("ct.test", kLeafHash, &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryLeafIndexReportsServerFailure) {
+  ExpectRequestAndErrorResponse(
+      "D4S6DSV2J743QJZEQMH4UYHEYK7KRQ5JIQOCPMFUHZVJNFGHXACA.hash.ct.test.",
+      net::dns_protocol::kRcodeSERVFAIL);
+
+  MockLeafIndexCallback callback;
+  EXPECT_CALL(callback, Run(IsNetError(net::ERR_DNS_SERVER_FAILED), 0));
+
+  QueryLeafIndex("ct.test", kLeafHash, &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryLeafIndexReportsServerRefusal) {
+  ExpectRequestAndErrorResponse(
+      "D4S6DSV2J743QJZEQMH4UYHEYK7KRQ5JIQOCPMFUHZVJNFGHXACA.hash.ct.test.",
+      net::dns_protocol::kRcodeREFUSED);
+
+  MockLeafIndexCallback callback;
+  EXPECT_CALL(callback, Run(IsNetError(net::ERR_DNS_SERVER_FAILED), 0));
+
+  QueryLeafIndex("ct.test", kLeafHash, &callback);
+}
+
+TEST_P(LogDnsClientTest,
+       QueryLeafIndexReportsMalformedResponseIfLeafIndexIsNotNumeric) {
+  ExpectLeafIndexRequestAndResponse(
+      "D4S6DSV2J743QJZEQMH4UYHEYK7KRQ5JIQOCPMFUHZVJNFGHXACA.hash.ct.test.",
+      "foo");
+
+  MockLeafIndexCallback callback;
+  EXPECT_CALL(callback, Run(IsNetError(net::ERR_DNS_MALFORMED_RESPONSE), 0));
+
+  QueryLeafIndex("ct.test", kLeafHash, &callback);
+}
+
+TEST_P(LogDnsClientTest,
+       QueryLeafIndexReportsMalformedResponseIfLeafIndexIsFloatingPoint) {
+  ExpectLeafIndexRequestAndResponse(
+      "D4S6DSV2J743QJZEQMH4UYHEYK7KRQ5JIQOCPMFUHZVJNFGHXACA.hash.ct.test.",
+      "123456.0");
+
+  MockLeafIndexCallback callback;
+  EXPECT_CALL(callback, Run(IsNetError(net::ERR_DNS_MALFORMED_RESPONSE), 0));
+
+  QueryLeafIndex("ct.test", kLeafHash, &callback);
+}
+
+TEST_P(LogDnsClientTest,
+       QueryLeafIndexReportsMalformedResponseIfLeafIndexIsEmpty) {
+  ExpectLeafIndexRequestAndResponse(
+      "D4S6DSV2J743QJZEQMH4UYHEYK7KRQ5JIQOCPMFUHZVJNFGHXACA.hash.ct.test.", "");
+
+  MockLeafIndexCallback callback;
+  EXPECT_CALL(callback, Run(IsNetError(net::ERR_DNS_MALFORMED_RESPONSE), 0));
+
+  QueryLeafIndex("ct.test", kLeafHash, &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryLeafIndexReportsInvalidArgIfLogDomainIsEmpty) {
+  MockLeafIndexCallback callback;
+  EXPECT_CALL(callback, Run(IsNetError(net::ERR_INVALID_ARGUMENT), 0));
+
+  QueryLeafIndex("", kLeafHash, &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryLeafIndexReportsInvalidArgIfLogDomainIsNull) {
+  MockLeafIndexCallback callback;
+  EXPECT_CALL(callback, Run(IsNetError(net::ERR_INVALID_ARGUMENT), 0));
+
+  QueryLeafIndex(nullptr, kLeafHash, &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryLeafIndexReportsInvalidArgIfLeafHashIsInvalid) {
+  MockLeafIndexCallback callback;
+  EXPECT_CALL(callback, Run(IsNetError(net::ERR_INVALID_ARGUMENT), 0));
+
+  QueryLeafIndex("ct.test", "foo", &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryLeafIndexReportsInvalidArgIfLeafHashIsEmpty) {
+  MockLeafIndexCallback callback;
+  EXPECT_CALL(callback, Run(IsNetError(net::ERR_INVALID_ARGUMENT), 0));
+
+  QueryLeafIndex("ct.test", "", &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryLeafIndexReportsInvalidArgIfLeafHashIsNull) {
+  MockLeafIndexCallback callback;
+  EXPECT_CALL(callback, Run(IsNetError(net::ERR_INVALID_ARGUMENT), 0));
+
+  QueryLeafIndex("ct.test", nullptr, &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryAuditProof) {
+  const std::vector<std::string> audit_proof = GetSampleAuditProof(20);
+
+  // It should require 3 queries to collect the entire audit proof, as there is
+  // only space for 7 nodes per UDP packet.
+  ExpectAuditProofRequestAndResponse("0.123456.999999.tree.ct.test.",
+                                     audit_proof.begin(),
+                                     audit_proof.begin() + 7);
+  ExpectAuditProofRequestAndResponse("7.123456.999999.tree.ct.test.",
+                                     audit_proof.begin() + 7,
+                                     audit_proof.begin() + 14);
+  ExpectAuditProofRequestAndResponse("14.123456.999999.tree.ct.test.",
+                                     audit_proof.begin() + 14,
+                                     audit_proof.end());
+
+  MockAuditProofCallback callback;
+  EXPECT_CALL(callback,
+              Run_(IsNetOk(),
+                   Pointee(AllOf(
+                       Field(&net::ct::MerkleAuditProof::nodes, audit_proof),
+                       Field(&net::ct::MerkleAuditProof::leaf_index, 123456)))))
+      .WillOnce(DeleteArg<1>());
+
+  QueryAuditProof("ct.test", 123456, 999999, &callback);
+}
+
+TEST_P(LogDnsClientTest,
+       QueryAuditProofHandlesResponsesWithEmptyAndShortAuditPaths) {
+  const std::vector<std::string> audit_proof = GetSampleAuditProof(20);
+
+  // Make some of the responses empty or contain fewer audit proof nodes than
+  // they can hold.
+  ExpectAuditProofRequestAndResponse("0.123456.999999.tree.ct.test.",
+                                     audit_proof.begin(), audit_proof.begin());
+  ExpectAuditProofRequestAndResponse("0.123456.999999.tree.ct.test.",
+                                     audit_proof.begin(),
+                                     audit_proof.begin() + 1);
+  ExpectAuditProofRequestAndResponse("1.123456.999999.tree.ct.test.",
+                                     audit_proof.begin() + 1,
+                                     audit_proof.begin() + 3);
+  ExpectAuditProofRequestAndResponse("3.123456.999999.tree.ct.test.",
+                                     audit_proof.begin() + 3,
+                                     audit_proof.begin() + 6);
+  ExpectAuditProofRequestAndResponse("6.123456.999999.tree.ct.test.",
+                                     audit_proof.begin() + 6,
+                                     audit_proof.begin() + 10);
+  ExpectAuditProofRequestAndResponse("10.123456.999999.tree.ct.test.",
+                                     audit_proof.begin() + 10,
+                                     audit_proof.begin() + 13);
+  ExpectAuditProofRequestAndResponse("13.123456.999999.tree.ct.test.",
+                                     audit_proof.begin() + 13,
+                                     audit_proof.end());
+
+  MockAuditProofCallback callback;
+  EXPECT_CALL(callback,
+              Run_(IsNetOk(),
+                   Pointee(AllOf(
+                       Field(&net::ct::MerkleAuditProof::nodes, audit_proof),
+                       Field(&net::ct::MerkleAuditProof::leaf_index, 123456)))))
+      .WillOnce(DeleteArg<1>());
+
+  QueryAuditProof("ct.test", 123456, 999999, &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryAuditProofReportsThatLogDomainDoesNotExist) {
+  ExpectRequestAndErrorResponse("0.123456.999999.tree.ct.test.",
+                                net::dns_protocol::kRcodeNXDOMAIN);
+
+  MockAuditProofCallback callback;
+  EXPECT_CALL(callback, Run_(IsNetError(net::ERR_NAME_NOT_RESOLVED), nullptr));
+
+  QueryAuditProof("ct.test", 123456, 999999, &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryAuditProofReportsServerFailure) {
+  ExpectRequestAndErrorResponse("0.123456.999999.tree.ct.test.",
+                                net::dns_protocol::kRcodeSERVFAIL);
+
+  MockAuditProofCallback callback;
+  EXPECT_CALL(callback, Run_(IsNetError(net::ERR_DNS_SERVER_FAILED), nullptr));
+
+  QueryAuditProof("ct.test", 123456, 999999, &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryAuditProofReportsServerRefusal) {
+  ExpectRequestAndErrorResponse("0.123456.999999.tree.ct.test.",
+                                net::dns_protocol::kRcodeREFUSED);
+
+  MockAuditProofCallback callback;
+  EXPECT_CALL(callback, Run_(IsNetError(net::ERR_DNS_SERVER_FAILED), nullptr));
+
+  QueryAuditProof("ct.test", 123456, 999999, &callback);
+}
+
+TEST_P(LogDnsClientTest,
+       QueryAuditProofReportsResponseMalformedIfNodeTooShort) {
+  // node is shorter than a SHA-256 hash (31 vs 32 bytes)
+  const std::vector<std::string> audit_proof(1, std::string(31, 'a'));
+
+  ExpectAuditProofRequestAndResponse("0.123456.999999.tree.ct.test.",
+                                     audit_proof.begin(), audit_proof.end());
+
+  MockAuditProofCallback callback;
+  EXPECT_CALL(callback,
+              Run_(IsNetError(net::ERR_DNS_MALFORMED_RESPONSE), nullptr));
+
+  QueryAuditProof("ct.test", 123456, 999999, &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryAuditProofReportsResponseMalformedIfNodeTooLong) {
+  // node is longer than a SHA-256 hash (33 vs 32 bytes)
+  const std::vector<std::string> audit_proof(1, std::string(33, 'a'));
+
+  ExpectAuditProofRequestAndResponse("0.123456.999999.tree.ct.test.",
+                                     audit_proof.begin(), audit_proof.end());
+
+  MockAuditProofCallback callback;
+  EXPECT_CALL(callback,
+              Run_(IsNetError(net::ERR_DNS_MALFORMED_RESPONSE), nullptr));
+
+  QueryAuditProof("ct.test", 123456, 999999, &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryAuditProofReportsInvalidArgIfLogDomainIsEmpty) {
+  MockAuditProofCallback callback;
+  EXPECT_CALL(callback, Run_(IsNetError(net::ERR_INVALID_ARGUMENT), nullptr));
+
+  QueryAuditProof("", 123456, 999999, &callback);
+}
+
+TEST_P(LogDnsClientTest, QueryAuditProofReportsInvalidArgIfLogDomainIsNull) {
+  MockAuditProofCallback callback;
+  EXPECT_CALL(callback, Run_(IsNetError(net::ERR_INVALID_ARGUMENT), nullptr));
+
+  QueryAuditProof(nullptr, 123456, 999999, &callback);
+}
+
+TEST_P(LogDnsClientTest,
+       QueryAuditProofReportInvalidArgIfLeafIndexEqualToTreeSize) {
+  MockAuditProofCallback callback;
+  EXPECT_CALL(callback, Run_(IsNetError(net::ERR_INVALID_ARGUMENT), nullptr));
+
+  QueryAuditProof("ct.test", 123456, 123456, &callback);
+}
+
+TEST_P(LogDnsClientTest,
+       QueryAuditProofReportInvalidArgIfLeafIndexGreaterThanTreeSize) {
+  MockAuditProofCallback callback;
+  EXPECT_CALL(callback, Run_(IsNetError(net::ERR_INVALID_ARGUMENT), nullptr));
+
+  QueryAuditProof("ct.test", 999999, 123456, &callback);
+}
+
+INSTANTIATE_TEST_CASE_P(ReadMode,
+                        LogDnsClientTest,
+                        ::testing::Values(net::IoMode::ASYNC,
+                                          net::IoMode::SYNCHRONOUS));
+
+}  // namespace
+}  // namespace certificate_transparency