OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "base/files/file_path.h" |
| 6 #include "build/build_config.h" |
| 7 #include "net/base/net_errors.h" |
| 8 #include "net/base/test_data_directory.h" |
| 9 #include "net/cert/cert_status_flags.h" |
| 10 #include "net/cert/cert_verify_proc.h" |
| 11 #include "net/cert/cert_verify_result.h" |
| 12 #include "net/cert/test_root_certs.h" |
| 13 #include "net/cert/x509_certificate.h" |
| 14 #include "net/test/cert_test_util.h" |
| 15 #include "testing/gtest/include/gtest/gtest.h" |
| 16 |
| 17 #if defined(USE_NSS) || defined(OS_IOS) |
| 18 #include <nss.h> |
| 19 #endif |
| 20 |
| 21 namespace net { |
| 22 |
| 23 namespace { |
| 24 |
| 25 // The local test root certificate. |
| 26 const char kRootCertificateFile[] = "root_ca_cert.pem"; |
| 27 // A certificate issued by the local test root for 127.0.0.1. |
| 28 const char kGoodCertificateFile[] = "ok_cert.pem"; |
| 29 |
| 30 } // namespace |
| 31 |
| 32 // Test basic functionality when adding from an existing X509Certificate. |
| 33 TEST(TestRootCertsTest, AddFromPointer) { |
| 34 scoped_refptr<X509Certificate> root_cert = |
| 35 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile); |
| 36 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); |
| 37 |
| 38 TestRootCerts* test_roots = TestRootCerts::GetInstance(); |
| 39 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); |
| 40 EXPECT_TRUE(test_roots->IsEmpty()); |
| 41 |
| 42 EXPECT_TRUE(test_roots->Add(root_cert)); |
| 43 EXPECT_FALSE(test_roots->IsEmpty()); |
| 44 |
| 45 test_roots->Clear(); |
| 46 EXPECT_TRUE(test_roots->IsEmpty()); |
| 47 } |
| 48 |
| 49 // Test basic functionality when adding directly from a file, which should |
| 50 // behave the same as when adding from an existing certificate. |
| 51 TEST(TestRootCertsTest, AddFromFile) { |
| 52 TestRootCerts* test_roots = TestRootCerts::GetInstance(); |
| 53 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); |
| 54 EXPECT_TRUE(test_roots->IsEmpty()); |
| 55 |
| 56 base::FilePath cert_path = |
| 57 GetTestCertsDirectory().AppendASCII(kRootCertificateFile); |
| 58 EXPECT_TRUE(test_roots->AddFromFile(cert_path)); |
| 59 EXPECT_FALSE(test_roots->IsEmpty()); |
| 60 |
| 61 test_roots->Clear(); |
| 62 EXPECT_TRUE(test_roots->IsEmpty()); |
| 63 } |
| 64 |
| 65 // Test that TestRootCerts actually adds the appropriate trust status flags |
| 66 // when requested, and that the trusted status is cleared once the root is |
| 67 // removed the TestRootCerts. This test acts as a canary/sanity check for |
| 68 // the results of the rest of net_unittests, ensuring that the trust status |
| 69 // is properly being set and cleared. |
| 70 TEST(TestRootCertsTest, OverrideTrust) { |
| 71 #if defined(USE_NSS) || defined(OS_IOS) |
| 72 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { |
| 73 // See http://bugzil.la/863947 for details |
| 74 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; |
| 75 return; |
| 76 } |
| 77 #endif |
| 78 |
| 79 TestRootCerts* test_roots = TestRootCerts::GetInstance(); |
| 80 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); |
| 81 EXPECT_TRUE(test_roots->IsEmpty()); |
| 82 |
| 83 scoped_refptr<X509Certificate> test_cert = |
| 84 ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile); |
| 85 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert); |
| 86 |
| 87 // Test that the good certificate fails verification, because the root |
| 88 // certificate should not yet be trusted. |
| 89 int flags = 0; |
| 90 CertVerifyResult bad_verify_result; |
| 91 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 92 int bad_status = verify_proc->Verify(test_cert, |
| 93 "127.0.0.1", |
| 94 flags, |
| 95 NULL, |
| 96 CertificateList(), |
| 97 &bad_verify_result); |
| 98 EXPECT_NE(OK, bad_status); |
| 99 EXPECT_NE(0u, bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); |
| 100 |
| 101 // Add the root certificate and mark it as trusted. |
| 102 EXPECT_TRUE(test_roots->AddFromFile( |
| 103 GetTestCertsDirectory().AppendASCII(kRootCertificateFile))); |
| 104 EXPECT_FALSE(test_roots->IsEmpty()); |
| 105 |
| 106 // Test that the certificate verification now succeeds, because the |
| 107 // TestRootCerts is successfully imbuing trust. |
| 108 CertVerifyResult good_verify_result; |
| 109 int good_status = verify_proc->Verify(test_cert, |
| 110 "127.0.0.1", |
| 111 flags, |
| 112 NULL, |
| 113 CertificateList(), |
| 114 &good_verify_result); |
| 115 EXPECT_EQ(OK, good_status); |
| 116 EXPECT_EQ(0u, good_verify_result.cert_status); |
| 117 |
| 118 test_roots->Clear(); |
| 119 EXPECT_TRUE(test_roots->IsEmpty()); |
| 120 |
| 121 // Ensure that when the TestRootCerts is cleared, the trust settings |
| 122 // revert to their original state, and don't linger. If trust status |
| 123 // lingers, it will likely break other tests in net_unittests. |
| 124 CertVerifyResult restored_verify_result; |
| 125 int restored_status = verify_proc->Verify(test_cert, |
| 126 "127.0.0.1", |
| 127 flags, |
| 128 NULL, |
| 129 CertificateList(), |
| 130 &restored_verify_result); |
| 131 EXPECT_NE(OK, restored_status); |
| 132 EXPECT_NE(0u, |
| 133 restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); |
| 134 EXPECT_EQ(bad_status, restored_status); |
| 135 EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status); |
| 136 } |
| 137 |
| 138 // TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that |
| 139 // TestRootCerts properly injects itself into the validation process. See |
| 140 // http://crbug.com/63958 |
| 141 |
| 142 } // namespace net |
OLD | NEW |