| OLD | NEW |
|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <cert.h> | 5 #include <cert.h> |
| 6 #include <pk11pub.h> | 6 #include <pk11pub.h> |
| 7 | 7 |
| 8 #include <algorithm> | 8 #include <algorithm> |
| 9 | 9 |
| 10 #include "base/crypto/scoped_nss_types.h" | 10 #include "base/crypto/scoped_nss_types.h" |
| (...skipping 166 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 177 std::string cert_data = ReadTestFile("root_ca_cert.crt"); | 177 std::string cert_data = ReadTestFile("root_ca_cert.crt"); |
| 178 | 178 |
| 179 CertificateList certs = | 179 CertificateList certs = |
| 180 X509Certificate::CreateCertificateListFromBytes( | 180 X509Certificate::CreateCertificateListFromBytes( |
| 181 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); | 181 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); |
| 182 ASSERT_EQ(1U, certs.size()); | 182 ASSERT_EQ(1U, certs.size()); |
| 183 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 183 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 184 | 184 |
| 185 // Import it. | 185 // Import it. |
| 186 CertDatabase::ImportCertFailureList failed; | 186 CertDatabase::ImportCertFailureList failed; |
| 187 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, | 187 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, |
| 188 &failed)); | 188 &failed)); |
| 189 | 189 |
| 190 EXPECT_EQ(0U, failed.size()); | 190 EXPECT_EQ(0U, failed.size()); |
| 191 | 191 |
| 192 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 192 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 193 ASSERT_EQ(1U, cert_list.size()); | 193 ASSERT_EQ(1U, cert_list.size()); |
| 194 scoped_refptr<X509Certificate> cert(cert_list[0]); | 194 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 195 EXPECT_EQ("Test CA", cert->subject().common_name); | 195 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 196 | 196 |
| 197 EXPECT_EQ(CertDatabase::TRUSTED_SSL, | 197 EXPECT_EQ(CertDatabase::TRUSTED_SSL, |
| 198 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 198 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| (...skipping 10 matching lines...) Expand all Loading... |
| 209 std::string cert_data = ReadTestFile("root_ca_cert.crt"); | 209 std::string cert_data = ReadTestFile("root_ca_cert.crt"); |
| 210 | 210 |
| 211 CertificateList certs = | 211 CertificateList certs = |
| 212 X509Certificate::CreateCertificateListFromBytes( | 212 X509Certificate::CreateCertificateListFromBytes( |
| 213 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); | 213 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); |
| 214 ASSERT_EQ(1U, certs.size()); | 214 ASSERT_EQ(1U, certs.size()); |
| 215 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 215 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 216 | 216 |
| 217 // Import it. | 217 // Import it. |
| 218 CertDatabase::ImportCertFailureList failed; | 218 CertDatabase::ImportCertFailureList failed; |
| 219 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL, | 219 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL, |
| 220 &failed)); | 220 &failed)); |
| 221 | 221 |
| 222 EXPECT_EQ(0U, failed.size()); | 222 EXPECT_EQ(0U, failed.size()); |
| 223 | 223 |
| 224 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 224 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 225 ASSERT_EQ(1U, cert_list.size()); | 225 ASSERT_EQ(1U, cert_list.size()); |
| 226 scoped_refptr<X509Certificate> cert(cert_list[0]); | 226 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 227 EXPECT_EQ("Test CA", cert->subject().common_name); | 227 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 228 | 228 |
| 229 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, | 229 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, |
| 230 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 230 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 231 | 231 |
| 232 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 232 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); |
| 233 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 233 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); |
| 234 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 234 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); |
| 235 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); | 235 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); |
| 236 EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 236 EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); |
| 237 } | 237 } |
| 238 | 238 |
| 239 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { | 239 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { |
| 240 std::string cert_data = ReadTestFile("root_ca_cert.crt"); | 240 std::string cert_data = ReadTestFile("root_ca_cert.crt"); |
| 241 | 241 |
| 242 CertificateList certs = | 242 CertificateList certs = |
| 243 X509Certificate::CreateCertificateListFromBytes( | 243 X509Certificate::CreateCertificateListFromBytes( |
| 244 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); | 244 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); |
| 245 ASSERT_EQ(1U, certs.size()); | 245 ASSERT_EQ(1U, certs.size()); |
| 246 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 246 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 247 | 247 |
| 248 // Import it. | 248 // Import it. |
| 249 CertDatabase::ImportCertFailureList failed; | 249 CertDatabase::ImportCertFailureList failed; |
| 250 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN, | 250 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN, |
| 251 &failed)); | 251 &failed)); |
| 252 | 252 |
| 253 EXPECT_EQ(0U, failed.size()); | 253 EXPECT_EQ(0U, failed.size()); |
| 254 | 254 |
| 255 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 255 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 256 ASSERT_EQ(1U, cert_list.size()); | 256 ASSERT_EQ(1U, cert_list.size()); |
| 257 scoped_refptr<X509Certificate> cert(cert_list[0]); | 257 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 258 EXPECT_EQ("Test CA", cert->subject().common_name); | 258 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 259 | 259 |
| 260 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, | 260 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, |
| 261 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 261 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 262 | 262 |
| 263 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 263 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); |
| 264 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 264 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); |
| 265 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 265 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); |
| 266 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); | 266 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); |
| 267 EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 267 EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); |
| 268 } | 268 } |
| 269 | 269 |
| 270 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { | 270 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { |
| 271 std::string cert_data = ReadTestFile("google.single.pem"); | 271 std::string cert_data = ReadTestFile("google.single.pem"); |
| 272 | 272 |
| 273 CertificateList certs = | 273 CertificateList certs = |
| 274 X509Certificate::CreateCertificateListFromBytes( | 274 X509Certificate::CreateCertificateListFromBytes( |
| 275 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); | 275 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); |
| 276 ASSERT_EQ(1U, certs.size()); | 276 ASSERT_EQ(1U, certs.size()); |
| 277 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 277 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 278 | 278 |
| 279 // Import it. | 279 // Import it. |
| 280 CertDatabase::ImportCertFailureList failed; | 280 CertDatabase::ImportCertFailureList failed; |
| 281 EXPECT_EQ(true, | 281 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, |
| 282 cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, &failed)); | 282 &failed)); |
| 283 ASSERT_EQ(1U, failed.size()); | 283 ASSERT_EQ(1U, failed.size()); |
| 284 // Note: this compares pointers directly. It's okay in this case because | 284 // Note: this compares pointers directly. It's okay in this case because |
| 285 // ImportCACerts returns the same pointers that were passed in. In the | 285 // ImportCACerts returns the same pointers that were passed in. In the |
| 286 // general case IsSameOSCert should be used. | 286 // general case IsSameOSCert should be used. |
| 287 EXPECT_EQ(certs[0], failed[0].certificate); | 287 EXPECT_EQ(certs[0], failed[0].certificate); |
| 288 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); | 288 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); |
| 289 | 289 |
| 290 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 290 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
| 291 } | 291 } |
| 292 | 292 |
| 293 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { | 293 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { |
| 294 CertificateList certs; | 294 CertificateList certs; |
| 295 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 295 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 296 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 296 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 297 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); | 297 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); |
| 298 | 298 |
| 299 // Import it. | 299 // Import it. |
| 300 CertDatabase::ImportCertFailureList failed; | 300 CertDatabase::ImportCertFailureList failed; |
| 301 // Have to specify email trust for the cert verification of the child cert to | 301 // Have to specify email trust for the cert verification of the child cert to |
| 302 // work (see | 302 // work (see |
| 303 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 | 303 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 |
| 304 // "XXX This choice of trustType seems arbitrary.") | 304 // "XXX This choice of trustType seems arbitrary.") |
| 305 EXPECT_EQ(true, cert_db_.ImportCACerts( | 305 EXPECT_TRUE(cert_db_.ImportCACerts( |
| 306 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 306 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, |
| 307 &failed)); | 307 &failed)); |
| 308 | 308 |
| 309 ASSERT_EQ(1U, failed.size()); | 309 ASSERT_EQ(1U, failed.size()); |
| 310 EXPECT_EQ("www.us.army.mil", failed[0].certificate->subject().common_name); | 310 EXPECT_EQ("www.us.army.mil", failed[0].certificate->subject().common_name); |
| 311 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); | 311 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); |
| 312 | 312 |
| 313 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 313 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 314 ASSERT_EQ(2U, cert_list.size()); | 314 ASSERT_EQ(2U, cert_list.size()); |
| 315 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 315 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 316 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); | 316 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); |
| 317 } | 317 } |
| 318 | 318 |
| 319 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { | 319 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { |
| 320 CertificateList certs; | 320 CertificateList certs; |
| 321 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 321 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 322 | 322 |
| 323 // First import just the root. | 323 // First import just the root. |
| 324 CertDatabase::ImportCertFailureList failed; | 324 CertDatabase::ImportCertFailureList failed; |
| 325 EXPECT_EQ(true, cert_db_.ImportCACerts( | 325 EXPECT_TRUE(cert_db_.ImportCACerts( |
| 326 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 326 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, |
| 327 &failed)); | 327 &failed)); |
| 328 | 328 |
| 329 EXPECT_EQ(0U, failed.size()); | 329 EXPECT_EQ(0U, failed.size()); |
| 330 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 330 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 331 ASSERT_EQ(1U, cert_list.size()); | 331 ASSERT_EQ(1U, cert_list.size()); |
| 332 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 332 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 333 | 333 |
| 334 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 334 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 335 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); | 335 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); |
| 336 | 336 |
| 337 // Now import with the other certs in the list too. Even though the root is | 337 // Now import with the other certs in the list too. Even though the root is |
| 338 // already present, we should still import the rest. | 338 // already present, we should still import the rest. |
| 339 failed.clear(); | 339 failed.clear(); |
| 340 EXPECT_EQ(true, cert_db_.ImportCACerts( | 340 EXPECT_TRUE(cert_db_.ImportCACerts( |
| 341 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 341 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, |
| 342 &failed)); | 342 &failed)); |
| 343 | 343 |
| 344 ASSERT_EQ(2U, failed.size()); | 344 ASSERT_EQ(2U, failed.size()); |
| 345 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); | 345 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); |
| 346 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); | 346 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); |
| 347 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); | 347 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); |
| 348 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); | 348 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); |
| 349 | 349 |
| 350 cert_list = ListCertsInSlot(slot_->os_module_handle()); | 350 cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 351 ASSERT_EQ(2U, cert_list.size()); | 351 ASSERT_EQ(2U, cert_list.size()); |
| 352 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 352 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 353 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); | 353 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); |
| 354 } | 354 } |
| 355 | 355 |
| 356 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { | 356 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { |
| 357 CertificateList certs; | 357 CertificateList certs; |
| 358 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 358 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 359 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 359 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 360 | 360 |
| 361 // Import it. | 361 // Import it. |
| 362 CertDatabase::ImportCertFailureList failed; | 362 CertDatabase::ImportCertFailureList failed; |
| 363 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::UNTRUSTED, | 363 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::UNTRUSTED, &failed)); |
| 364 &failed)); | |
| 365 | 364 |
| 366 ASSERT_EQ(1U, failed.size()); | 365 ASSERT_EQ(1U, failed.size()); |
| 367 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); | 366 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); |
| 368 // TODO(mattm): should check for net error equivalent of | 367 // TODO(mattm): should check for net error equivalent of |
| 369 // SEC_ERROR_UNTRUSTED_ISSUER | 368 // SEC_ERROR_UNTRUSTED_ISSUER |
| 370 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 369 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
| 371 | 370 |
| 372 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 371 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 373 ASSERT_EQ(1U, cert_list.size()); | 372 ASSERT_EQ(1U, cert_list.size()); |
| 374 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 373 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 375 } | 374 } |
| 376 | 375 |
| 377 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { | 376 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { |
| 378 CertificateList certs; | 377 CertificateList certs; |
| 379 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 378 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 380 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 379 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
| 381 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 380 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 382 | 381 |
| 383 // Import it. | 382 // Import it. |
| 384 CertDatabase::ImportCertFailureList failed; | 383 CertDatabase::ImportCertFailureList failed; |
| 385 EXPECT_EQ(true, cert_db_.ImportCACerts( | 384 EXPECT_TRUE(cert_db_.ImportCACerts( |
| 386 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 385 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, |
| 387 &failed)); | 386 &failed)); |
| 388 | 387 |
| 389 EXPECT_EQ(0U, failed.size()); | 388 EXPECT_EQ(0U, failed.size()); |
| 390 | 389 |
| 391 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 390 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 392 ASSERT_EQ(3U, cert_list.size()); | 391 ASSERT_EQ(3U, cert_list.size()); |
| 393 EXPECT_EQ("DOD CA-13", cert_list[0]->subject().common_name); | 392 EXPECT_EQ("DOD CA-13", cert_list[0]->subject().common_name); |
| 394 EXPECT_EQ("DoD Root CA 2", cert_list[1]->subject().common_name); | 393 EXPECT_EQ("DoD Root CA 2", cert_list[1]->subject().common_name); |
| 395 EXPECT_EQ("DOD CA-17", cert_list[2]->subject().common_name); | 394 EXPECT_EQ("DOD CA-17", cert_list[2]->subject().common_name); |
| 396 } | 395 } |
| 397 | 396 |
| 398 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { | 397 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { |
| 399 std::string cert_data = ReadTestFile("root_ca_cert.crt"); | 398 std::string cert_data = ReadTestFile("root_ca_cert.crt"); |
| 400 CertificateList certs = | 399 CertificateList certs = |
| 401 X509Certificate::CreateCertificateListFromBytes( | 400 X509Certificate::CreateCertificateListFromBytes( |
| 402 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); | 401 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); |
| 403 ASSERT_EQ(1U, certs.size()); | 402 ASSERT_EQ(1U, certs.size()); |
| 404 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 403 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
| 405 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 404 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 406 | 405 |
| 407 // Import it. | 406 // Import it. |
| 408 CertDatabase::ImportCertFailureList failed; | 407 CertDatabase::ImportCertFailureList failed; |
| 409 EXPECT_EQ(true, cert_db_.ImportCACerts( | 408 EXPECT_TRUE(cert_db_.ImportCACerts( |
| 410 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL | | 409 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL | |
| 411 CertDatabase::TRUSTED_OBJ_SIGN, &failed)); | 410 CertDatabase::TRUSTED_OBJ_SIGN, &failed)); |
| 412 | 411 |
| 413 ASSERT_EQ(2U, failed.size()); | 412 ASSERT_EQ(2U, failed.size()); |
| 414 // TODO(mattm): should check for net error equivalent of | 413 // TODO(mattm): should check for net error equivalent of |
| 415 // SEC_ERROR_UNKNOWN_ISSUER | 414 // SEC_ERROR_UNKNOWN_ISSUER |
| 416 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); | 415 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); |
| 417 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 416 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
| 418 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 417 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 419 EXPECT_EQ(ERR_FAILED, failed[1].net_error); | 418 EXPECT_EQ(ERR_FAILED, failed[1].net_error); |
| 420 | 419 |
| 421 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 420 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 422 ASSERT_EQ(1U, cert_list.size()); | 421 ASSERT_EQ(1U, cert_list.size()); |
| 423 EXPECT_EQ("Test CA", cert_list[0]->subject().common_name); | 422 EXPECT_EQ("Test CA", cert_list[0]->subject().common_name); |
| 424 } | 423 } |
| 425 | 424 |
| 426 TEST_F(CertDatabaseNSSTest, ImportServerCert) { | 425 TEST_F(CertDatabaseNSSTest, ImportServerCert) { |
| 427 // Need to import intermediate cert for the verify of google cert, otherwise | 426 // Need to import intermediate cert for the verify of google cert, otherwise |
| 428 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which | 427 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which |
| 429 // will cause OCSPCreateSession on the main thread, which is not allowed. | 428 // will cause OCSPCreateSession on the main thread, which is not allowed. |
| 430 std::string cert_data = ReadTestFile("google.chain.pem"); | 429 std::string cert_data = ReadTestFile("google.chain.pem"); |
| 431 CertificateList certs = | 430 CertificateList certs = |
| 432 X509Certificate::CreateCertificateListFromBytes( | 431 X509Certificate::CreateCertificateListFromBytes( |
| 433 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); | 432 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); |
| 434 ASSERT_EQ(2U, certs.size()); | 433 ASSERT_EQ(2U, certs.size()); |
| 435 | 434 |
| 436 CertDatabase::ImportCertFailureList failed; | 435 CertDatabase::ImportCertFailureList failed; |
| 437 EXPECT_EQ(true, cert_db_.ImportServerCert(certs, &failed)); | 436 EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); |
| 438 | 437 |
| 439 EXPECT_EQ(0U, failed.size()); | 438 EXPECT_EQ(0U, failed.size()); |
| 440 | 439 |
| 441 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 440 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 442 ASSERT_EQ(2U, cert_list.size()); | 441 ASSERT_EQ(2U, cert_list.size()); |
| 443 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); | 442 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); |
| 444 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); | 443 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); |
| 445 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); | 444 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); |
| 446 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 445 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
| 447 | 446 |
| 448 EXPECT_EQ(CertDatabase::UNTRUSTED, | 447 EXPECT_EQ(CertDatabase::UNTRUSTED, |
| 449 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); | 448 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| 450 psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); | 449 psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); |
| 451 EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); | 450 EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); |
| 452 | 451 |
| 453 int flags = 0; | 452 int flags = 0; |
| 454 CertVerifyResult verify_result; | 453 CertVerifyResult verify_result; |
| 455 int error = goog_cert->Verify("www.google.com", flags, &verify_result); | 454 int error = goog_cert->Verify("www.google.com", flags, &verify_result); |
| 456 EXPECT_EQ(OK, error); | 455 EXPECT_EQ(OK, error); |
| 457 EXPECT_EQ(0, verify_result.cert_status); | 456 EXPECT_EQ(0, verify_result.cert_status); |
| 458 } | 457 } |
| 459 | 458 |
| 460 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 459 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| 461 CertificateList certs; | 460 CertificateList certs; |
| 462 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 461 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 463 | 462 |
| 464 CertDatabase::ImportCertFailureList failed; | 463 CertDatabase::ImportCertFailureList failed; |
| 465 EXPECT_EQ(true, cert_db_.ImportServerCert(certs, &failed)); | 464 EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); |
| 466 | 465 |
| 467 EXPECT_EQ(0U, failed.size()); | 466 EXPECT_EQ(0U, failed.size()); |
| 468 | 467 |
| 469 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 468 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 470 ASSERT_EQ(1U, cert_list.size()); | 469 ASSERT_EQ(1U, cert_list.size()); |
| 471 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 470 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 472 | 471 |
| 473 EXPECT_EQ(CertDatabase::UNTRUSTED, | 472 EXPECT_EQ(CertDatabase::UNTRUSTED, |
| 474 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); | 473 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 475 psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); | 474 psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); |
| (...skipping 11 matching lines...) Expand all Loading... |
| 487 puny_cert.get(), CA_CERT, | 486 puny_cert.get(), CA_CERT, |
| 488 CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); | 487 CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); |
| 489 | 488 |
| 490 verify_result.Reset(); | 489 verify_result.Reset(); |
| 491 error = puny_cert->Verify("xn--wgv71a119e.com", flags, &verify_result); | 490 error = puny_cert->Verify("xn--wgv71a119e.com", flags, &verify_result); |
| 492 EXPECT_EQ(OK, error); | 491 EXPECT_EQ(OK, error); |
| 493 EXPECT_EQ(0, verify_result.cert_status); | 492 EXPECT_EQ(0, verify_result.cert_status); |
| 494 } | 493 } |
| 495 | 494 |
| 496 } // namespace net | 495 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6300001:
Clang: enable -Wbool-conversions and -Wunused-variables on Linux. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src