| Index: chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc
|
| diff --git a/chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc b/chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc
|
| index cc3130d7b1959a89175ad7c7d686598ad5df5312..bc67ab6fd430b9adf1cf0c083da9821ce0034789 100644
|
| --- a/chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc
|
| +++ b/chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc
|
| @@ -12,6 +12,7 @@
|
| #include "chrome/browser/net/sqlite_origin_bound_cert_store.h"
|
| #include "chrome/common/chrome_constants.h"
|
| #include "content/test/test_browser_thread.h"
|
| +#include "net/base/cert_test_util.h"
|
| #include "sql/statement.h"
|
| #include "testing/gtest/include/gtest/gtest.h"
|
|
|
| @@ -24,6 +25,30 @@ class SQLiteOriginBoundCertStoreTest : public testing::Test {
|
| }
|
|
|
| protected:
|
| + static void ReadTestKeyAndCert(std::string* key, std::string* cert) {
|
| + FilePath key_path = net::GetTestCertsDirectory().AppendASCII(
|
| + "unittest.originbound.key.der");
|
| + FilePath cert_path = net::GetTestCertsDirectory().AppendASCII(
|
| + "unittest.originbound.der");
|
| + ASSERT_TRUE(file_util::ReadFileToString(key_path, key));
|
| + ASSERT_TRUE(file_util::ReadFileToString(cert_path, cert));
|
| + }
|
| +
|
| + static base::Time GetTestCertExpirationTime() {
|
| + // Cert expiration time from 'dumpasn1 unittest.originbound.der':
|
| + // GeneralizedTime 19/11/2111 02:23:45 GMT
|
| + base::Time::Exploded exploded_time;
|
| + exploded_time.year = 2111;
|
| + exploded_time.month = 11;
|
| + exploded_time.day_of_week = 0; // Unused.
|
| + exploded_time.day_of_month = 19;
|
| + exploded_time.hour = 2;
|
| + exploded_time.minute = 23;
|
| + exploded_time.second = 45;
|
| + exploded_time.millisecond = 0;
|
| + return base::Time::FromUTCExploded(exploded_time);
|
| + }
|
| +
|
| virtual void SetUp() {
|
| db_thread_.Start();
|
| ASSERT_TRUE(temp_dir_.CreateUniqueTempDir());
|
| @@ -36,7 +61,9 @@ class SQLiteOriginBoundCertStoreTest : public testing::Test {
|
| store_->AddOriginBoundCert(
|
| net::DefaultOriginBoundCertStore::OriginBoundCert(
|
| "https://encrypted.google.com:8443",
|
| - net::CLIENT_CERT_RSA_SIGN, "a", "b"));
|
| + net::CLIENT_CERT_RSA_SIGN,
|
| + base::Time(),
|
| + "a", "b"));
|
| }
|
|
|
| content::TestBrowserThread db_thread_;
|
| @@ -79,7 +106,10 @@ TEST_F(SQLiteOriginBoundCertStoreTest, RemoveOnDestruction) {
|
| TEST_F(SQLiteOriginBoundCertStoreTest, TestPersistence) {
|
| store_->AddOriginBoundCert(
|
| net::DefaultOriginBoundCertStore::OriginBoundCert(
|
| - "https://www.google.com/", net::CLIENT_CERT_ECDSA_SIGN, "c", "d"));
|
| + "https://www.google.com/",
|
| + net::CLIENT_CERT_ECDSA_SIGN,
|
| + base::Time(),
|
| + "c", "d"));
|
|
|
| std::vector<net::DefaultOriginBoundCertStore::OriginBoundCert*> certs;
|
| // Replace the store effectively destroying the current one and forcing it
|
| @@ -121,8 +151,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestPersistence) {
|
| store_ = NULL;
|
| // Make sure we wait until the destructor has run.
|
| ASSERT_TRUE(helper->Run());
|
| - STLDeleteContainerPointers(certs.begin(), certs.end());
|
| - certs.clear();
|
| + STLDeleteElements(&certs);
|
| store_ = new SQLiteOriginBoundCertStore(
|
| temp_dir_.path().Append(chrome::kOBCertFilename));
|
|
|
| @@ -131,12 +160,16 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestPersistence) {
|
| ASSERT_EQ(0U, certs.size());
|
| }
|
|
|
| -TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgrade) {
|
| +TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV1) {
|
| // Reset the store. We'll be using a different database for this test.
|
| store_ = NULL;
|
|
|
| FilePath v1_db_path(temp_dir_.path().AppendASCII("v1db"));
|
|
|
| + std::string key_data;
|
| + std::string cert_data;
|
| + ReadTestKeyAndCert(&key_data, &cert_data);
|
| +
|
| // Create a version 1 database.
|
| {
|
| sql::Connection db;
|
| @@ -148,49 +181,160 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgrade) {
|
| "INSERT INTO \"meta\" VALUES('last_compatible_version','1');"
|
| "CREATE TABLE origin_bound_certs ("
|
| "origin TEXT NOT NULL UNIQUE PRIMARY KEY,"
|
| - "private_key BLOB NOT NULL,cert BLOB NOT NULL);"
|
| - "INSERT INTO \"origin_bound_certs\" VALUES("
|
| - "'https://google.com',X'AA',X'BB');"
|
| + "private_key BLOB NOT NULL,cert BLOB NOT NULL);"));
|
| +
|
| + sql::Statement add_smt(db.GetUniqueStatement(
|
| + "INSERT INTO origin_bound_certs (origin, private_key, cert) "
|
| + "VALUES (?,?,?)"));
|
| + add_smt.BindString(0, "https://www.google.com:443");
|
| + add_smt.BindBlob(1, key_data.data(), key_data.size());
|
| + add_smt.BindBlob(2, cert_data.data(), cert_data.size());
|
| + ASSERT_TRUE(add_smt.Run());
|
| +
|
| + ASSERT_TRUE(db.Execute(
|
| "INSERT INTO \"origin_bound_certs\" VALUES("
|
| - "'https://foo.com',X'CC',X'DD');"
|
| + "'https://foo.com',X'AA',X'BB');"
|
| ));
|
| }
|
|
|
| - std::vector<net::DefaultOriginBoundCertStore::OriginBoundCert*> certs;
|
| - store_ = new SQLiteOriginBoundCertStore(v1_db_path);
|
| + // Load and test the DB contents twice. First time ensures that we can use
|
| + // the updated values immediately. Second time ensures that the updated
|
| + // values are stored and read correctly on next load.
|
| + for (int i = 0; i < 2; ++i) {
|
| + SCOPED_TRACE(i);
|
|
|
| - // Load the database and ensure the certs can be read and are marked as RSA.
|
| - ASSERT_TRUE(store_->Load(&certs));
|
| - ASSERT_EQ(2U, certs.size());
|
| - ASSERT_STREQ("https://google.com", certs[0]->origin().c_str());
|
| - ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type());
|
| - ASSERT_STREQ("\xaa", certs[0]->private_key().c_str());
|
| - ASSERT_STREQ("\xbb", certs[0]->cert().c_str());
|
| - ASSERT_STREQ("https://foo.com", certs[1]->origin().c_str());
|
| - ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[1]->type());
|
| - ASSERT_STREQ("\xcc", certs[1]->private_key().c_str());
|
| - ASSERT_STREQ("\xdd", certs[1]->cert().c_str());
|
| -
|
| - STLDeleteContainerPointers(certs.begin(), certs.end());
|
| - certs.clear();
|
| + std::vector<net::DefaultOriginBoundCertStore::OriginBoundCert*> certs;
|
| + store_ = new SQLiteOriginBoundCertStore(v1_db_path);
|
| +
|
| + // Load the database and ensure the certs can be read and are marked as RSA.
|
| + ASSERT_TRUE(store_->Load(&certs));
|
| + ASSERT_EQ(2U, certs.size());
|
| +
|
| + ASSERT_STREQ("https://www.google.com:443", certs[0]->origin().c_str());
|
| + ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type());
|
| + ASSERT_EQ(GetTestCertExpirationTime(),
|
| + certs[0]->expiration_time());
|
| + ASSERT_EQ(key_data, certs[0]->private_key());
|
| + ASSERT_EQ(cert_data, certs[0]->cert());
|
| +
|
| + ASSERT_STREQ("https://foo.com", certs[1]->origin().c_str());
|
| + ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[1]->type());
|
| + // Undecodable cert, expiration time will be uninitialized.
|
| + ASSERT_EQ(base::Time(), certs[1]->expiration_time());
|
| + ASSERT_STREQ("\xaa", certs[1]->private_key().c_str());
|
| + ASSERT_STREQ("\xbb", certs[1]->cert().c_str());
|
| +
|
| + STLDeleteElements(&certs);
|
| +
|
| + store_ = NULL;
|
| + // Make sure we wait until the destructor has run.
|
| + scoped_refptr<base::ThreadTestHelper> helper(
|
| + new base::ThreadTestHelper(
|
| + BrowserThread::GetMessageLoopProxyForThread(BrowserThread::DB)));
|
| + ASSERT_TRUE(helper->Run());
|
| +
|
| + // Verify the database version is updated.
|
| + {
|
| + sql::Connection db;
|
| + ASSERT_TRUE(db.Open(v1_db_path));
|
| + sql::Statement smt(db.GetUniqueStatement(
|
| + "SELECT value FROM meta WHERE key = \"version\""));
|
| + ASSERT_TRUE(smt);
|
| + ASSERT_TRUE(smt.Step());
|
| + EXPECT_EQ(3, smt.ColumnInt(0));
|
| + EXPECT_FALSE(smt.Step());
|
| + }
|
| + }
|
| +}
|
|
|
| +TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV2) {
|
| + // Reset the store. We'll be using a different database for this test.
|
| store_ = NULL;
|
| - // Make sure we wait until the destructor has run.
|
| - scoped_refptr<base::ThreadTestHelper> helper(
|
| - new base::ThreadTestHelper(
|
| - BrowserThread::GetMessageLoopProxyForThread(BrowserThread::DB)));
|
| - ASSERT_TRUE(helper->Run());
|
|
|
| - // Verify the database version is updated.
|
| + FilePath v2_db_path(temp_dir_.path().AppendASCII("v2db"));
|
| +
|
| + std::string key_data;
|
| + std::string cert_data;
|
| + ReadTestKeyAndCert(&key_data, &cert_data);
|
| +
|
| + // Create a version 2 database.
|
| {
|
| sql::Connection db;
|
| - ASSERT_TRUE(db.Open(v1_db_path));
|
| - sql::Statement smt(db.GetUniqueStatement(
|
| - "SELECT value FROM meta WHERE key = \"version\""));
|
| - ASSERT_TRUE(smt);
|
| - ASSERT_TRUE(smt.Step());
|
| - EXPECT_EQ(2, smt.ColumnInt(0));
|
| - EXPECT_FALSE(smt.Step());
|
| + ASSERT_TRUE(db.Open(v2_db_path));
|
| + ASSERT_TRUE(db.Execute(
|
| + "CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,"
|
| + "value LONGVARCHAR);"
|
| + "INSERT INTO \"meta\" VALUES('version','2');"
|
| + "INSERT INTO \"meta\" VALUES('last_compatible_version','1');"
|
| + "CREATE TABLE origin_bound_certs ("
|
| + "origin TEXT NOT NULL UNIQUE PRIMARY KEY,"
|
| + "private_key BLOB NOT NULL,"
|
| + "cert BLOB NOT NULL,"
|
| + "cert_type INTEGER);"
|
| + ));
|
| +
|
| + sql::Statement add_smt(db.GetUniqueStatement(
|
| + "INSERT INTO origin_bound_certs (origin, private_key, cert, cert_type) "
|
| + "VALUES (?,?,?,?)"));
|
| + add_smt.BindString(0, "https://www.google.com:443");
|
| + add_smt.BindBlob(1, key_data.data(), key_data.size());
|
| + add_smt.BindBlob(2, cert_data.data(), cert_data.size());
|
| + add_smt.BindInt64(3, 1);
|
| + ASSERT_TRUE(add_smt.Run());
|
| +
|
| + ASSERT_TRUE(db.Execute(
|
| + "INSERT INTO \"origin_bound_certs\" VALUES("
|
| + "'https://foo.com',X'AA',X'BB',64);"
|
| + ));
|
| + }
|
| +
|
| + // Load and test the DB contents twice. First time ensures that we can use
|
| + // the updated values immediately. Second time ensures that the updated
|
| + // values are saved and read correctly on next load.
|
| + for (int i = 0; i < 2; ++i) {
|
| + SCOPED_TRACE(i);
|
| +
|
| + std::vector<net::DefaultOriginBoundCertStore::OriginBoundCert*> certs;
|
| + store_ = new SQLiteOriginBoundCertStore(v2_db_path);
|
| +
|
| + // Load the database and ensure the certs can be read and are marked as RSA.
|
| + ASSERT_TRUE(store_->Load(&certs));
|
| + ASSERT_EQ(2U, certs.size());
|
| +
|
| + ASSERT_STREQ("https://www.google.com:443", certs[0]->origin().c_str());
|
| + ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type());
|
| + ASSERT_EQ(GetTestCertExpirationTime(),
|
| + certs[0]->expiration_time());
|
| + ASSERT_EQ(key_data, certs[0]->private_key());
|
| + ASSERT_EQ(cert_data, certs[0]->cert());
|
| +
|
| + ASSERT_STREQ("https://foo.com", certs[1]->origin().c_str());
|
| + ASSERT_EQ(net::CLIENT_CERT_ECDSA_SIGN, certs[1]->type());
|
| + // Undecodable cert, expiration time will be uninitialized.
|
| + ASSERT_EQ(base::Time(), certs[1]->expiration_time());
|
| + ASSERT_STREQ("\xaa", certs[1]->private_key().c_str());
|
| + ASSERT_STREQ("\xbb", certs[1]->cert().c_str());
|
| +
|
| + STLDeleteElements(&certs);
|
| +
|
| + store_ = NULL;
|
| + // Make sure we wait until the destructor has run.
|
| + scoped_refptr<base::ThreadTestHelper> helper(
|
| + new base::ThreadTestHelper(
|
| + BrowserThread::GetMessageLoopProxyForThread(BrowserThread::DB)));
|
| + ASSERT_TRUE(helper->Run());
|
| +
|
| + // Verify the database version is updated.
|
| + {
|
| + sql::Connection db;
|
| + ASSERT_TRUE(db.Open(v2_db_path));
|
| + sql::Statement smt(db.GetUniqueStatement(
|
| + "SELECT value FROM meta WHERE key = \"version\""));
|
| + ASSERT_TRUE(smt);
|
| + ASSERT_TRUE(smt.Step());
|
| + EXPECT_EQ(3, smt.ColumnInt(0));
|
| + EXPECT_FALSE(smt.Step());
|
| + }
|
| }
|
| }
|
|
|
| @@ -212,6 +356,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestFlush) {
|
| net::DefaultOriginBoundCertStore::OriginBoundCert(
|
| origin,
|
| net::CLIENT_CERT_RSA_SIGN,
|
| + base::Time(),
|
| private_key,
|
| cert));
|
| }
|
|
|
Chromium Code Reviews
Issue 8890073:
Handle Origin Bound Certificate expiration. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src