| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <cert.h> | 5 #include <cert.h> |
| 6 #include <pk11pub.h> | 6 #include <pk11pub.h> |
| 7 | 7 |
| 8 #include <algorithm> | 8 #include <algorithm> |
| 9 | 9 |
| 10 #include "base/file_path.h" | 10 #include "base/file_path.h" |
| 11 #include "base/file_util.h" | 11 #include "base/file_util.h" |
| 12 #include "base/lazy_instance.h" | 12 #include "base/lazy_instance.h" |
| 13 #include "base/message_loop.h" | 13 #include "base/message_loop.h" |
| 14 #include "base/path_service.h" | 14 #include "base/path_service.h" |
| 15 #include "base/string16.h" | 15 #include "base/string16.h" |
| 16 #include "base/string_util.h" | 16 #include "base/string_util.h" |
| 17 #include "base/utf_string_conversions.h" | 17 #include "base/utf_string_conversions.h" |
| 18 #include "crypto/nss_util.h" | 18 #include "crypto/nss_util.h" |
| 19 #include "crypto/nss_util_internal.h" | 19 #include "crypto/nss_util_internal.h" |
| 20 #include "crypto/scoped_nss_types.h" | 20 #include "crypto/scoped_nss_types.h" |
| 21 #include "net/base/cert_database.h" | 21 #include "net/base/cert_database.h" |
| 22 #include "net/base/cert_status_flags.h" | 22 #include "net/base/cert_status_flags.h" |
| 23 #include "net/base/cert_verify_proc_nss.h" | |
| 23 #include "net/base/cert_verify_result.h" | 24 #include "net/base/cert_verify_result.h" |
| 24 #include "net/base/crypto_module.h" | 25 #include "net/base/crypto_module.h" |
| 25 #include "net/base/net_errors.h" | 26 #include "net/base/net_errors.h" |
| 26 #include "net/base/x509_certificate.h" | 27 #include "net/base/x509_certificate.h" |
| 27 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" | 28 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" |
| 28 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" | 29 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" |
| 29 #include "testing/gtest/include/gtest/gtest.h" | 30 #include "testing/gtest/include/gtest/gtest.h" |
| 30 | 31 |
| 31 namespace psm = mozilla_security_manager; | 32 namespace psm = mozilla_security_manager; |
| 32 | 33 |
| 543 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); | 544 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); |
| 544 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); | 545 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); |
| 545 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); | 546 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); |
| 546 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 547 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
| 547 | 548 |
| 548 EXPECT_EQ(CertDatabase::UNTRUSTED, | 549 EXPECT_EQ(CertDatabase::UNTRUSTED, |
| 549 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); | 550 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| 550 psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); | 551 psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); |
| 551 EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); | 552 EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); |
| 552 | 553 |
| 554 scoped_refptr<CertVerifyProcNSS> nss_verify_proc(new CertVerifyProcNSS()); | |
|
Ryan Sleevi
2012/03/12 23:07:51
This code directly uses CertVerifyProcNSS as it's
| |
| 553 int flags = 0; | 555 int flags = 0; |
| 554 CertVerifyResult verify_result; | 556 CertVerifyResult verify_result; |
| 555 int error = goog_cert->Verify("www.google.com", flags, NULL, &verify_result); | 557 int error = nss_verify_proc->Verify(goog_cert, "www.google.com", flags, |
| 558 NULL, &verify_result); | |
| 556 EXPECT_EQ(OK, error); | 559 EXPECT_EQ(OK, error); |
| 557 EXPECT_EQ(0U, verify_result.cert_status); | 560 EXPECT_EQ(0U, verify_result.cert_status); |
| 558 } | 561 } |
| 559 | 562 |
| 560 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 563 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| 561 CertificateList certs; | 564 CertificateList certs; |
| 562 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 565 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 563 | 566 |
| 564 CertDatabase::ImportCertFailureList failed; | 567 CertDatabase::ImportCertFailureList failed; |
| 565 EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); | 568 EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); |
| 566 | 569 |
| 567 EXPECT_EQ(0U, failed.size()); | 570 EXPECT_EQ(0U, failed.size()); |
| 568 | 571 |
| 569 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 572 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 570 ASSERT_EQ(1U, cert_list.size()); | 573 ASSERT_EQ(1U, cert_list.size()); |
| 571 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 574 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 572 | 575 |
| 573 EXPECT_EQ(CertDatabase::UNTRUSTED, | 576 EXPECT_EQ(CertDatabase::UNTRUSTED, |
| 574 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); | 577 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 575 psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); | 578 psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); |
| 576 EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); | 579 EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); |
| 577 | 580 |
| 581 scoped_refptr<CertVerifyProcNSS> nss_verify_proc(new CertVerifyProcNSS()); | |
| 578 int flags = 0; | 582 int flags = 0; |
| 579 CertVerifyResult verify_result; | 583 CertVerifyResult verify_result; |
| 580 int error = puny_cert->Verify("xn--wgv71a119e.com", flags, NULL, | 584 int error = nss_verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, |
| 581 &verify_result); | 585 NULL, &verify_result); |
| 582 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 586 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 583 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 587 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 584 | 588 |
| 585 // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not | 589 // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not |
| 586 // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160 | 590 // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160 |
| 587 EXPECT_TRUE(cert_db_.SetCertTrust( | 591 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 588 puny_cert.get(), CA_CERT, | 592 puny_cert.get(), CA_CERT, |
| 589 CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); | 593 CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); |
| 590 | 594 |
| 591 verify_result.Reset(); | 595 verify_result.Reset(); |
| 592 error = puny_cert->Verify("xn--wgv71a119e.com", flags, NULL, &verify_result); | 596 error = nss_verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, |
| 597 NULL, &verify_result); | |
| 593 EXPECT_EQ(OK, error); | 598 EXPECT_EQ(OK, error); |
| 594 EXPECT_EQ(0U, verify_result.cert_status); | 599 EXPECT_EQ(0U, verify_result.cert_status); |
| 595 } | 600 } |
| 596 | 601 |
| 597 } // namespace net | 602 } // namespace net |
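Review bot: The new Verify() calls at new lines 557, 584 and 596 pass the scoped_refptr (`goog_cert`, `puny_cert`) directly, while the neighbouring GetCertTrust/SetCertTrust calls in the same tests pass `goog_cert.get()` / `puny_cert.get()`; if CertVerifyProcNSS::Verify takes a raw X509Certificate* as the implicit conversion suggests, spelling it `nss_verify_proc->Verify(goog_cert.get(), "www.google.com", flags, NULL, &verify_result);` keeps the two call styles consistent and makes it explicit that the verifier only borrows the certificate. The line `scoped_refptr<CertVerifyProcNSS> nss_verify_proc(new CertVerifyProcNSS());` is repeated verbatim at new lines 554 and 581; if the proc carries no per-test state, a single member on the CertDatabaseNSSTest fixture (defined outside this view) would remove the duplication. The body of the first test shown starts before the first visible line.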