chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc - Issue 8890073: Handle Origin Bound Certificate expiration.

Unified Diff: chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc

Issue 8890073: Handle Origin Bound Certificate expiration. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: perf_tests fix Created 9 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc

diff --git a/chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc b/chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc

index cc3130d7b1959a89175ad7c7d686598ad5df5312..bc67ab6fd430b9adf1cf0c083da9821ce0034789 100644

--- a/chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc

+++ b/chrome/browser/net/sqlite_origin_bound_cert_store_unittest.cc

@@ -12,6 +12,7 @@

#include "chrome/browser/net/sqlite_origin_bound_cert_store.h"

#include "chrome/common/chrome_constants.h"

#include "content/test/test_browser_thread.h"

+#include "net/base/cert_test_util.h"

#include "sql/statement.h"

#include "testing/gtest/include/gtest/gtest.h"

@@ -24,6 +25,30 @@ class SQLiteOriginBoundCertStoreTest : public testing::Test {

}

protected:

+ static void ReadTestKeyAndCert(std::string* key, std::string* cert) {

+ FilePath key_path = net::GetTestCertsDirectory().AppendASCII(

+ "unittest.originbound.key.der");

+ FilePath cert_path = net::GetTestCertsDirectory().AppendASCII(

+ "unittest.originbound.der");

+ ASSERT_TRUE(file_util::ReadFileToString(key_path, key));

+ ASSERT_TRUE(file_util::ReadFileToString(cert_path, cert));

+ }

+ static base::Time GetTestCertExpirationTime() {

+ // Cert expiration time from 'dumpasn1 unittest.originbound.der':

+ // GeneralizedTime 19/11/2111 02:23:45 GMT

+ base::Time::Exploded exploded_time;

+ exploded_time.year = 2111;

+ exploded_time.month = 11;

+ exploded_time.day_of_week = 0; // Unused.

+ exploded_time.day_of_month = 19;

+ exploded_time.hour = 2;

+ exploded_time.minute = 23;

+ exploded_time.second = 45;

+ exploded_time.millisecond = 0;

+ return base::Time::FromUTCExploded(exploded_time);

+ }

virtual void SetUp() {

db_thread_.Start();

ASSERT_TRUE(temp_dir_.CreateUniqueTempDir());

@@ -36,7 +61,9 @@ class SQLiteOriginBoundCertStoreTest : public testing::Test {

store_->AddOriginBoundCert(

net::DefaultOriginBoundCertStore::OriginBoundCert(

"https://encrypted.google.com:8443",

- net::CLIENT_CERT_RSA_SIGN, "a", "b"));

+ net::CLIENT_CERT_RSA_SIGN,

+ base::Time(),

+ "a", "b"));

}

content::TestBrowserThread db_thread_;

@@ -79,7 +106,10 @@ TEST_F(SQLiteOriginBoundCertStoreTest, RemoveOnDestruction) {

TEST_F(SQLiteOriginBoundCertStoreTest, TestPersistence) {

store_->AddOriginBoundCert(

net::DefaultOriginBoundCertStore::OriginBoundCert(

- "https://www.google.com/", net::CLIENT_CERT_ECDSA_SIGN, "c", "d"));

+ "https://www.google.com/",

+ net::CLIENT_CERT_ECDSA_SIGN,

+ base::Time(),

+ "c", "d"));

std::vector<net::DefaultOriginBoundCertStore::OriginBoundCert*> certs;

// Replace the store effectively destroying the current one and forcing it

@@ -121,8 +151,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestPersistence) {

store_ = NULL;

// Make sure we wait until the destructor has run.

ASSERT_TRUE(helper->Run());

- STLDeleteContainerPointers(certs.begin(), certs.end());

- certs.clear();

+ STLDeleteElements(&certs);

store_ = new SQLiteOriginBoundCertStore(

temp_dir_.path().Append(chrome::kOBCertFilename));

@@ -131,12 +160,16 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestPersistence) {

ASSERT_EQ(0U, certs.size());

}

-TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgrade) {

+TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV1) {

// Reset the store. We'll be using a different database for this test.

store_ = NULL;

FilePath v1_db_path(temp_dir_.path().AppendASCII("v1db"));

+ std::string key_data;

+ std::string cert_data;

+ ReadTestKeyAndCert(&key_data, &cert_data);

// Create a version 1 database.

{

sql::Connection db;

@@ -148,49 +181,160 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgrade) {

"INSERT INTO \"meta\" VALUES('last_compatible_version','1');"

"CREATE TABLE origin_bound_certs ("

"origin TEXT NOT NULL UNIQUE PRIMARY KEY,"

- "private_key BLOB NOT NULL,cert BLOB NOT NULL);"

- "INSERT INTO \"origin_bound_certs\" VALUES("

- "'https://google.com',X'AA',X'BB');"

+ "private_key BLOB NOT NULL,cert BLOB NOT NULL);"));

+ sql::Statement add_smt(db.GetUniqueStatement(

+ "INSERT INTO origin_bound_certs (origin, private_key, cert) "

+ "VALUES (?,?,?)"));

+ add_smt.BindString(0, "https://www.google.com:443");

+ add_smt.BindBlob(1, key_data.data(), key_data.size());

+ add_smt.BindBlob(2, cert_data.data(), cert_data.size());

+ ASSERT_TRUE(add_smt.Run());

+ ASSERT_TRUE(db.Execute(

"INSERT INTO \"origin_bound_certs\" VALUES("

- "'https://foo.com',X'CC',X'DD');"

+ "'https://foo.com',X'AA',X'BB');"

));

}

- std::vector<net::DefaultOriginBoundCertStore::OriginBoundCert*> certs;

- store_ = new SQLiteOriginBoundCertStore(v1_db_path);

+ // Load and test the DB contents twice. First time ensures that we can use

+ // the updated values immediately. Second time ensures that the updated

+ // values are stored and read correctly on next load.

+ for (int i = 0; i < 2; ++i) {

+ SCOPED_TRACE(i);

- // Load the database and ensure the certs can be read and are marked as RSA.

- ASSERT_TRUE(store_->Load(&certs));

- ASSERT_EQ(2U, certs.size());

- ASSERT_STREQ("https://google.com", certs[0]->origin().c_str());

- ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type());

- ASSERT_STREQ("\xaa", certs[0]->private_key().c_str());

- ASSERT_STREQ("\xbb", certs[0]->cert().c_str());

- ASSERT_STREQ("https://foo.com", certs[1]->origin().c_str());

- ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[1]->type());

- ASSERT_STREQ("\xcc", certs[1]->private_key().c_str());

- ASSERT_STREQ("\xdd", certs[1]->cert().c_str());

- STLDeleteContainerPointers(certs.begin(), certs.end());

- certs.clear();

+ std::vector<net::DefaultOriginBoundCertStore::OriginBoundCert*> certs;

+ store_ = new SQLiteOriginBoundCertStore(v1_db_path);

+ // Load the database and ensure the certs can be read and are marked as RSA.

+ ASSERT_TRUE(store_->Load(&certs));

+ ASSERT_EQ(2U, certs.size());

+ ASSERT_STREQ("https://www.google.com:443", certs[0]->origin().c_str());

+ ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type());

+ ASSERT_EQ(GetTestCertExpirationTime(),

+ certs[0]->expiration_time());

+ ASSERT_EQ(key_data, certs[0]->private_key());

+ ASSERT_EQ(cert_data, certs[0]->cert());

+ ASSERT_STREQ("https://foo.com", certs[1]->origin().c_str());

+ ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[1]->type());

+ // Undecodable cert, expiration time will be uninitialized.

+ ASSERT_EQ(base::Time(), certs[1]->expiration_time());

+ ASSERT_STREQ("\xaa", certs[1]->private_key().c_str());

+ ASSERT_STREQ("\xbb", certs[1]->cert().c_str());

+ STLDeleteElements(&certs);

+ store_ = NULL;

+ // Make sure we wait until the destructor has run.

+ scoped_refptr<base::ThreadTestHelper> helper(

+ new base::ThreadTestHelper(

+ BrowserThread::GetMessageLoopProxyForThread(BrowserThread::DB)));

+ ASSERT_TRUE(helper->Run());

+ // Verify the database version is updated.

+ {

+ sql::Connection db;

+ ASSERT_TRUE(db.Open(v1_db_path));

+ sql::Statement smt(db.GetUniqueStatement(

+ "SELECT value FROM meta WHERE key = \"version\""));

+ ASSERT_TRUE(smt);

+ ASSERT_TRUE(smt.Step());

+ EXPECT_EQ(3, smt.ColumnInt(0));

+ EXPECT_FALSE(smt.Step());

+ }

+TEST_F(SQLiteOriginBoundCertStoreTest, TestUpgradeV2) {

+ // Reset the store. We'll be using a different database for this test.

store_ = NULL;

- // Make sure we wait until the destructor has run.

- scoped_refptr<base::ThreadTestHelper> helper(

- new base::ThreadTestHelper(

- BrowserThread::GetMessageLoopProxyForThread(BrowserThread::DB)));

- ASSERT_TRUE(helper->Run());

- // Verify the database version is updated.

+ FilePath v2_db_path(temp_dir_.path().AppendASCII("v2db"));

+ std::string key_data;

+ std::string cert_data;

+ ReadTestKeyAndCert(&key_data, &cert_data);

+ // Create a version 2 database.

{

sql::Connection db;

- ASSERT_TRUE(db.Open(v1_db_path));

- sql::Statement smt(db.GetUniqueStatement(

- "SELECT value FROM meta WHERE key = \"version\""));

- ASSERT_TRUE(smt);

- ASSERT_TRUE(smt.Step());

- EXPECT_EQ(2, smt.ColumnInt(0));

- EXPECT_FALSE(smt.Step());

+ ASSERT_TRUE(db.Open(v2_db_path));

+ ASSERT_TRUE(db.Execute(

+ "CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,"

+ "value LONGVARCHAR);"

+ "INSERT INTO \"meta\" VALUES('version','2');"

+ "INSERT INTO \"meta\" VALUES('last_compatible_version','1');"

+ "CREATE TABLE origin_bound_certs ("

+ "origin TEXT NOT NULL UNIQUE PRIMARY KEY,"

+ "private_key BLOB NOT NULL,"

+ "cert BLOB NOT NULL,"

+ "cert_type INTEGER);"

+ ));

+ sql::Statement add_smt(db.GetUniqueStatement(

+ "INSERT INTO origin_bound_certs (origin, private_key, cert, cert_type) "

+ "VALUES (?,?,?,?)"));

+ add_smt.BindString(0, "https://www.google.com:443");

+ add_smt.BindBlob(1, key_data.data(), key_data.size());

+ add_smt.BindBlob(2, cert_data.data(), cert_data.size());

+ add_smt.BindInt64(3, 1);

+ ASSERT_TRUE(add_smt.Run());

+ ASSERT_TRUE(db.Execute(

+ "INSERT INTO \"origin_bound_certs\" VALUES("

+ "'https://foo.com',X'AA',X'BB',64);"

+ ));

+ }

+ // Load and test the DB contents twice. First time ensures that we can use

+ // the updated values immediately. Second time ensures that the updated

+ // values are saved and read correctly on next load.

+ for (int i = 0; i < 2; ++i) {

+ SCOPED_TRACE(i);

+ std::vector<net::DefaultOriginBoundCertStore::OriginBoundCert*> certs;

+ store_ = new SQLiteOriginBoundCertStore(v2_db_path);

+ // Load the database and ensure the certs can be read and are marked as RSA.

+ ASSERT_TRUE(store_->Load(&certs));

+ ASSERT_EQ(2U, certs.size());

+ ASSERT_STREQ("https://www.google.com:443", certs[0]->origin().c_str());

+ ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type());

+ ASSERT_EQ(GetTestCertExpirationTime(),

+ certs[0]->expiration_time());

+ ASSERT_EQ(key_data, certs[0]->private_key());

+ ASSERT_EQ(cert_data, certs[0]->cert());

+ ASSERT_STREQ("https://foo.com", certs[1]->origin().c_str());

+ ASSERT_EQ(net::CLIENT_CERT_ECDSA_SIGN, certs[1]->type());

+ // Undecodable cert, expiration time will be uninitialized.

+ ASSERT_EQ(base::Time(), certs[1]->expiration_time());

+ ASSERT_STREQ("\xaa", certs[1]->private_key().c_str());

+ ASSERT_STREQ("\xbb", certs[1]->cert().c_str());

+ STLDeleteElements(&certs);

+ store_ = NULL;

+ // Make sure we wait until the destructor has run.

+ scoped_refptr<base::ThreadTestHelper> helper(

+ new base::ThreadTestHelper(

+ BrowserThread::GetMessageLoopProxyForThread(BrowserThread::DB)));

+ ASSERT_TRUE(helper->Run());

+ // Verify the database version is updated.

+ {

+ sql::Connection db;

+ ASSERT_TRUE(db.Open(v2_db_path));

+ sql::Statement smt(db.GetUniqueStatement(

+ "SELECT value FROM meta WHERE key = \"version\""));

+ ASSERT_TRUE(smt);

+ ASSERT_TRUE(smt.Step());

+ EXPECT_EQ(3, smt.ColumnInt(0));

+ EXPECT_FALSE(smt.Step());

+ }

}

@@ -212,6 +356,7 @@ TEST_F(SQLiteOriginBoundCertStoreTest, TestFlush) {

net::DefaultOriginBoundCertStore::OriginBoundCert(

origin,

net::CLIENT_CERT_RSA_SIGN,

+ base::Time(),

private_key,

cert));

}

« no previous file with comments | « chrome/browser/net/sqlite_origin_bound_cert_store.cc ('k') | chrome/chrome_tests.gypi » ('j') | net/base/origin_bound_cert_service.cc » ('J')