This applies GUIDs to certificate and key nicknames when

chrome/browser/chromeos/cros/onc_network_parser_unittest.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/cros/onc_network_parser.h"
 
 #include <cert.h>
+#include <keyhi.h>
 #include <pk11pub.h>
 
 #include "base/lazy_instance.h"
 #include "base/scoped_temp_dir.h"
 #include "base/values.h"
 #include "chrome/browser/chromeos/cros/network_library.h"
+#include "chrome/browser/chromeos/system/runtime_environment.h"
 #include "crypto/nss_util.h"
 #include "net/base/cert_database.h"
+#include "net/base/cert_type.h"
 #include "net/base/crypto_module.h"
 #include "net/base/x509_certificate.h"
+#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
+namespace msm = mozilla_security_manager;
 namespace chromeos {
 
+namespace {
 const char kNetworkConfigurationOpenVPN[] =
       "    {"
       "      \"GUID\": \"{408290ea-9299-4757-ab04-8957d55f0f13}\","
       "      \"Type\": \"VPN\","
       "      \"Name\": \"MyVPN\","
       "      \"VPN\": {"
       "        \"Host\": \"vpn.acme.org\","
       "        \"Type\": \"OpenVPN\","
       "        \"OpenVPN\": {"
       "          \"AuthRetry\": \"interact\","
@@ skipping 62 matching lines @@
       "B/zAdBgNVHQ4EFgQUbYygbSkl4kpjCNuxoezFGupA97UwgcgGA1UdIwSBwDCBvYAUbYyg"
       "bSkl4kpjCNuxoezFGupA97WhgZmkgZYwgZMxFTATBgNVBAoTDEdvb2dsZSwgSW5jLjERM"
       "A8GA1UECxMIQ2hyb21lT1MxIjAgBgkqhkiG9w0BCQEWE2dzcGVuY2VyQGdvb2dsZS5jb2"
       "0xGjAYBgNVBAcTEU1vdW50YWluIFZpZXcsIENBMQswCQYDVQQIEwJDQTELMAkGA1UEBhM"
       "CVVMxDTALBgNVBAMTBGxtYW+CCQChr4uWYBFg1TANBgkqhkiG9w0BAQQFAAOBgQCDq9wi"
       "Q4uVuf1CQU3sXfXCy1yqi5m8AsO9FxHvah5/SVFNwKllqTfedpCaWEswJ55YAojW9e+pY"
       "2Fh3Fo/Y9YkF88KCtLuBjjqDKCRLxF4LycjHODKyQQ7mN/t5AtP9yKOsNvWF+M4IfReg5"
       "1kohau6FauQx87by5NIRPdkNPvkQ==\""
       "        }";
 
+const char g_token_name[] = "OncNetworkParserTest token";
+
+net::CertType GetCertType(const net::X509Certificate* cert) {
+  DCHECK(cert);
+  msm::nsNSSCertTrust trust(cert->os_cert_handle()->trust);
+  if (trust.HasAnyUser())
+    return net::USER_CERT;
+  if (trust.HasAnyCA() || CERT_IsCACert(cert->os_cert_handle(), NULL))
+    return net::CA_CERT;
+  if (trust.HasPeer(PR_TRUE, PR_FALSE, PR_FALSE))
+    return net::SERVER_CERT;
+  return net::UNKNOWN_CERT;
+}
+
+}  // namespace
 
 class OncNetworkParserTest : public testing::Test {
  public:
   static void SetUpTestCase() {
     ASSERT_TRUE(temp_db_dir_.Get().CreateUniqueTempDir());
     // Ideally, we'd open a test DB for each test case, and close it
     // again, removing the temp dir, but unfortunately, there's a
     // bug in NSS that prevents this from working, so we just open
     // it once, and empty it for each test case.  Here's the bug:
     // https://bugzilla.mozilla.org/show_bug.cgi?id=588269
     ASSERT_TRUE(
-        crypto::OpenTestNSSDB(temp_db_dir_.Get().path(),
-                              "OncNetworkParserTest db"));
+        crypto::OpenTestNSSDB(temp_db_dir_.Get().path(), g_token_name));
   }
 
   static void TearDownTestCase() {
     ASSERT_TRUE(temp_db_dir_.Get().Delete());
   }
 
   virtual void SetUp() {
     slot_ = cert_db_.GetPublicModule();
 
     // Don't run the test if the setup failed.
@@ skipping 311 matching lines @@
                       flimflam::kProviderL2tpIpsec);
   EXPECT_EQ("l2tp.acme.org", vpn->server_hostname());
   CheckStringProperty(vpn, PROPERTY_INDEX_PROVIDER_HOST, "l2tp.acme.org");
   CheckStringProperty(vpn, PROPERTY_INDEX_VPN_DOMAIN, "");
   EXPECT_EQ("passphrase", vpn->psk_passphrase());
   CheckStringProperty(vpn, PROPERTY_INDEX_L2TPIPSEC_PSK, "passphrase");
   CheckStringProperty(vpn, PROPERTY_INDEX_IPSEC_IKEVERSION, "1");
   EXPECT_FALSE(vpn->save_credentials());
 }
 
-TEST_F(OncNetworkParserTest, TestAddServerCertificate) {
-  std::string test_blob(
-      "{"
-      "    \"Certificates\": ["
-      "        {"
-      "            \"GUID\": \"{f998f760-272b-6939-4c2beffe428697aa}\","
-      "            \"Type\": \"Server\","
-      "            \"X509\": \"MIICWDCCAcECAxAAATANBgkqhkiG9w0BAQQFADCBkzEVM"
-      "BMGA1UEChMMR29vZ2xlLCBJbmMuMREwDwYDVQQLEwhDaHJvbWVPUzEiMCAGCSqGSIb3DQ"
-      "EJARYTZ3NwZW5jZXJAZ29vZ2xlLmNvbTEaMBgGA1UEBxMRTW91bnRhaW4gVmlldywgQ0E"
-      "xCzAJBgNVBAgTAkNBMQswCQYDVQQGEwJVUzENMAsGA1UEAxMEbG1hbzAeFw0xMTAzMTYy"
-      "MzQ5MzhaFw0xMjAzMTUyMzQ5MzhaMFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVM"
-      "BMGA1UEChMMR29vZ2xlLCBJbmMuMREwDwYDVQQLEwhDaHJvbWVPUzENMAsGA1UEAxMEbG"
-      "1hbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA31WiJ9LvprrhKtDlW0RdLFAO7Qj"
-      "kvs+sG6j2Vp2aBSrlhALG/0BVHUhWi4F/HHJho+ncLHAg5AGO0sdAjYUdQG6tfPqjLsIA"
-      "LtoKEZZdFe/JhmqOEaxWsSdu2S2RdPgCQOsP79EH58gXwu2gejCkJDmU22WL4YLuqOc17"
-      "nxbDC8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCv4vMD+PMlfnftu4/6Yf/oMLE8yCOqZT"
-      "Q/dWCxB9PiJnOefiBeSzSZE6Uv3G7qnblZPVZaFeJMd+ostt0viCyPucFsFgLMyyoV1dM"
-      "VPVwJT5Iq1AHehWXnTBbxUK9wioA5jOEKdroKjuSSsg/Q8Wx6cpJmttQz5olGPgstmACR"
-      "WA==\""
-      "        }"
-      "    ],"
-      "}");
-  OncNetworkParser parser(test_blob);
-
-  EXPECT_EQ(1, parser.GetCertificatesSize());
-  EXPECT_TRUE(parser.ParseCertificate(0));
-}
-
-TEST_F(OncNetworkParserTest, TestAddAuthorityCertificate) {
-  const std::string test_blob(std::string("{"
-      "    \"Certificates\": [") +
-      std::string(kCertificateWebAuthority) + std::string(
-      "    ],"
-      "}"));
-  OncNetworkParser parser(test_blob);
-
-  EXPECT_EQ(1, parser.GetCertificatesSize());
-  EXPECT_TRUE(parser.ParseCertificate(0));
-}
-
 TEST_F(OncNetworkParserTest, TestAddClientCertificate) {
   std::string test_blob(
       "{"
       "    \"Certificates\": ["
       "        {"
       "            \"GUID\": \"{f998f760-272b-6939-4c2beffe428697ac}\","
       "            \"Type\": \"Client\","
       "            \"PKCS12\": \"MIIGUQIBAzCCBhcGCSqGSIb3DQEHAaCCBggEggYEMII"
       "GADCCAv8GCSqGSIb3DQEHBqCCAvAwggLsAgEAMIIC5QYJKoZIhvcNAQcBMBwGCiqGSIb3"
       "DQEMAQYwDgQIHnFaWM2Y0BgCAggAgIICuG4ou9mxkhpus8WictLJe+JOnSQrdNXV3FMQr"
@@ skipping 22 matching lines @@
       "9jv3n8vSwvA0Xn0okAv1FWYLStiCpNxnD6lmXQvcmL/skAlJJpHY9/58qt/e5sGYrkKBw"
       "3jnX40zaK4W7GeJvhij0MRr6yUL2lvaEcWDnK6K1F90G/ybKRCTHBCJzyBe7yHhZCc+Zc"
       "vKK6DTi83fELTyupy08BkXt7oPdapxmKlZxTldo9FpPXSqrdRtAWhDkEkIEf8dMf8QrQr"
       "3glCWfbcQ047URYX45AHRnLTLLkJfdY8+Y3KsHoqL2UrOrct+J1u0mmnLbonN3pB2B4nd"
       "9X9vf9/uSFrgvk0iPO0Ro3UPRUIIYEP2Kx51pZZVDd++hl5gXtqe0NIpphGhxLycIdzEl"
       "MCMGCSqGSIb3DQEJFTEWBBR1uVpGjHRddIEYuJhz/FgG4Onh6jAxMCEwCQYFKw4DAhoFA"
       "AQU1M+0WRDkoVGbGg1jj7q2fI67qHIECBzRYESpgt5iAgIIAA==\""
       "        }"
       "    ],"
       "}");
+  std::string test_guid("{f998f760-272b-6939-4c2beffe428697ac}");
   OncNetworkParser parser(test_blob);
+  ASSERT_EQ(1, parser.GetCertificatesSize());
 
-  EXPECT_EQ(1, parser.GetCertificatesSize());
-  EXPECT_TRUE(parser.ParseCertificate(0));
+  scoped_refptr<net::X509Certificate> cert = parser.ParseCertificate(0).get();
+  EXPECT_TRUE(cert.get() != NULL);
+  EXPECT_EQ(net::USER_CERT, GetCertType(cert.get()));
+
+  EXPECT_STREQ(test_guid.c_str(),
+               cert->GetDefaultNickname(net::USER_CERT).c_str());
+  net::CertificateList result_list;
+  OncNetworkParser::ListCertsWithNickname(test_guid, &result_list);
+  ASSERT_EQ(1ul, result_list.size());
+  EXPECT_EQ(net::USER_CERT, GetCertType(result_list[0].get()));
+
+  SECKEYPrivateKeyList* privkey_list =
+      PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL);
+  EXPECT_TRUE(privkey_list);
+  if (privkey_list) {
+    SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(privkey_list);
+    int count = 0;
+    while (!PRIVKEY_LIST_END(node, privkey_list)) {
+      char* name = PK11_GetPrivateKeyNickname(node->key);
+      EXPECT_STREQ(test_guid.c_str(), name);
+      PORT_Free(name);
+      count++;
+      node = PRIVKEY_LIST_NEXT(node);
+    }
+    EXPECT_EQ(1, count);
+    SECKEY_DestroyPrivateKeyList(privkey_list);
+  }
+
+  SECKEYPublicKeyList* pubkey_list =
+      PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL);
+  EXPECT_TRUE(pubkey_list);
+  if (pubkey_list) {
+    SECKEYPublicKeyListNode* node = PUBKEY_LIST_HEAD(pubkey_list);
+    int count = 0;
+    while (!PUBKEY_LIST_END(node, pubkey_list)) {
+      count++;
+      node = PUBKEY_LIST_NEXT(node);
+    }
+    EXPECT_EQ(1, count);
+    SECKEY_DestroyPublicKeyList(pubkey_list);
+  }
+}
+
+TEST_F(OncNetworkParserTest, TestAddServerCertificate) {
+  std::string test_blob(
+      "{"
+      "    \"Certificates\": ["
+      "        {"
+      "            \"GUID\": \"{f998f760-272b-6939-4c2beffe428697aa}\","
+      "            \"Type\": \"Server\","
+      "            \"X509\": \"MIICWDCCAcECAxAAATANBgkqhkiG9w0BAQQFADCBkzEVM"
+      "BMGA1UEChMMR29vZ2xlLCBJbmMuMREwDwYDVQQLEwhDaHJvbWVPUzEiMCAGCSqGSIb3DQ"
+      "EJARYTZ3NwZW5jZXJAZ29vZ2xlLmNvbTEaMBgGA1UEBxMRTW91bnRhaW4gVmlldywgQ0E"
+      "xCzAJBgNVBAgTAkNBMQswCQYDVQQGEwJVUzENMAsGA1UEAxMEbG1hbzAeFw0xMTAzMTYy"
+      "MzQ5MzhaFw0xMjAzMTUyMzQ5MzhaMFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVM"
+      "BMGA1UEChMMR29vZ2xlLCBJbmMuMREwDwYDVQQLEwhDaHJvbWVPUzENMAsGA1UEAxMEbG"
+      "1hbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA31WiJ9LvprrhKtDlW0RdLFAO7Qj"
+      "kvs+sG6j2Vp2aBSrlhALG/0BVHUhWi4F/HHJho+ncLHAg5AGO0sdAjYUdQG6tfPqjLsIA"
+      "LtoKEZZdFe/JhmqOEaxWsSdu2S2RdPgCQOsP79EH58gXwu2gejCkJDmU22WL4YLuqOc17"
+      "nxbDC8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCv4vMD+PMlfnftu4/6Yf/oMLE8yCOqZT"
+      "Q/dWCxB9PiJnOefiBeSzSZE6Uv3G7qnblZPVZaFeJMd+ostt0viCyPucFsFgLMyyoV1dM"
+      "VPVwJT5Iq1AHehWXnTBbxUK9wioA5jOEKdroKjuSSsg/Q8Wx6cpJmttQz5olGPgstmACR"
+      "WA==\""
+      "        }"
+      "    ],"
+      "}");
+  std::string test_guid("{f998f760-272b-6939-4c2beffe428697aa}");
+  OncNetworkParser parser(test_blob);
+  ASSERT_EQ(1, parser.GetCertificatesSize());
+
+  scoped_refptr<net::X509Certificate> cert = parser.ParseCertificate(0).get();
+  EXPECT_TRUE(cert.get() != NULL);
+  EXPECT_EQ(net::SERVER_CERT, GetCertType(cert.get()));
+
+  EXPECT_STREQ(test_guid.c_str(),
+               cert->GetDefaultNickname(net::SERVER_CERT).c_str());
+  net::CertificateList result_list;
+  OncNetworkParser::ListCertsWithNickname(test_guid, &result_list);
+  ASSERT_EQ(1ul, result_list.size());
+  EXPECT_EQ(net::SERVER_CERT, GetCertType(result_list[0].get()));
+
+  SECKEYPrivateKeyList* privkey_list =
+      PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL);
+  EXPECT_FALSE(privkey_list);
+
+  SECKEYPublicKeyList* pubkey_list =
+      PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL);
+  EXPECT_FALSE(pubkey_list);
+
+}
+
+TEST_F(OncNetworkParserTest, TestAddAuthorityCertificate) {
+  const std::string test_blob(std::string("{"
+      "    \"Certificates\": [") +
+      std::string(kCertificateWebAuthority) + std::string(
+      "    ],"
+      "}"));
+  std::string test_guid("{f998f760-272b-6939-4c2beffe428697ab}");
+  OncNetworkParser parser(test_blob);
+  ASSERT_EQ(1, parser.GetCertificatesSize());
+
+  scoped_refptr<net::X509Certificate> cert = parser.ParseCertificate(0).get();
+  EXPECT_TRUE(cert.get() != NULL);
+  EXPECT_EQ(net::CA_CERT, GetCertType(cert.get()));
+
+  EXPECT_STREQ(test_guid.c_str(),
+               cert->GetDefaultNickname(net::CA_CERT).c_str());
+  net::CertificateList result_list;
+  OncNetworkParser::ListCertsWithNickname(test_guid, &result_list);
+  ASSERT_EQ(1ul, result_list.size());
+  EXPECT_EQ(net::CA_CERT, GetCertType(result_list[0].get()));
+
+  SECKEYPrivateKeyList* privkey_list =
+      PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL);
+  EXPECT_FALSE(privkey_list);
+
+  SECKEYPublicKeyList* pubkey_list =
+      PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL);
+  EXPECT_FALSE(pubkey_list);
+
 }
 
 TEST_F(OncNetworkParserTest, TestNetworkAndCertificate) {
   std::string test_blob(std::string(
       "{"
       "  \"NetworkConfigurations\": [") +
       std::string(kNetworkConfigurationOpenVPN) + std::string(
       "  ],"
       "  \"Certificates\": [") +
       std::string(kCertificateWebAuthority) + std::string(
       "  ],"
       "}"));
   OncNetworkParser parser(test_blob);
 
   EXPECT_EQ(1, parser.GetCertificatesSize());
   EXPECT_TRUE(parser.ParseCertificate(0));
 
   EXPECT_EQ(1, parser.GetNetworkConfigsSize());
   scoped_ptr<Network> network(parser.ParseNetwork(0));
   ASSERT_TRUE(network.get() != NULL);
   EXPECT_EQ(network->type(), chromeos::TYPE_VPN);
   VirtualNetwork* vpn = static_cast<VirtualNetwork*>(network.get());
   EXPECT_EQ(PROVIDER_TYPE_OPEN_VPN, vpn->provider_type());
 }
 
 }  // namespace chromeos