Chromium Code Reviews Chromium Code Reviews
Issue 9940001:
Fix imported server certs being distrusted in NSS 3.13. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <cert.h> | 5 #include <cert.h> |
| 6 #include <certdb.h> | |
| 6 #include <pk11pub.h> | 7 #include <pk11pub.h> |
| 7 | 8 |
| 8 #include <algorithm> | 9 #include <algorithm> |
| 9 | 10 |
| 10 #include "base/file_path.h" | 11 #include "base/file_path.h" |
| 11 #include "base/file_util.h" | 12 #include "base/file_util.h" |
| 12 #include "base/lazy_instance.h" | 13 #include "base/lazy_instance.h" |
| 13 #include "base/message_loop.h" | 14 #include "base/message_loop.h" |
| 14 #include "base/path_service.h" | 15 #include "base/path_service.h" |
| 15 #include "base/string16.h" | 16 #include "base/string16.h" |
| 16 #include "base/string_util.h" | 17 #include "base/string_util.h" |
| 17 #include "base/utf_string_conversions.h" | 18 #include "base/utf_string_conversions.h" |
| 18 #include "crypto/nss_util.h" | 19 #include "crypto/nss_util.h" |
| 19 #include "crypto/nss_util_internal.h" | 20 #include "crypto/nss_util_internal.h" |
| 20 #include "crypto/scoped_nss_types.h" | 21 #include "crypto/scoped_nss_types.h" |
| 21 #include "net/base/cert_database.h" | 22 #include "net/base/cert_database.h" |
| 22 #include "net/base/cert_status_flags.h" | 23 #include "net/base/cert_status_flags.h" |
| 23 #include "net/base/cert_test_util.h" | 24 #include "net/base/cert_test_util.h" |
| 24 #include "net/base/cert_verify_proc.h" | 25 #include "net/base/cert_verify_proc.h" |
| 25 #include "net/base/cert_verify_result.h" | 26 #include "net/base/cert_verify_result.h" |
| 26 #include "net/base/crypto_module.h" | 27 #include "net/base/crypto_module.h" |
| 27 #include "net/base/net_errors.h" | 28 #include "net/base/net_errors.h" |
| 28 #include "net/base/x509_certificate.h" | 29 #include "net/base/x509_certificate.h" |
| 29 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" | |
| 30 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" | 30 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" |
| 31 #include "testing/gtest/include/gtest/gtest.h" | 31 #include "testing/gtest/include/gtest/gtest.h" |
| 32 | 32 |
| 33 namespace psm = mozilla_security_manager; | 33 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use |
| 34 // the new name of the macro. | |
| 35 #if !defined(CERTDB_TERMINAL_RECORD) | |
| 36 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER | |
| 37 #endif | |
| 34 | 38 |
| 35 namespace net { | 39 namespace net { |
| 36 | 40 |
| 37 // TODO(mattm): when https://bugzilla.mozilla.org/show_bug.cgi?id=588269 is | 41 // TODO(mattm): when https://bugzilla.mozilla.org/show_bug.cgi?id=588269 is |
| 38 // fixed, switch back to using a separate userdb for each test. | 42 // fixed, switch back to using a separate userdb for each test. |
| 39 // (When doing so, remember to add some standalone tests of DeleteCert since it | 43 // (When doing so, remember to add some standalone tests of DeleteCert since it |
| 40 // won't be tested by TearDown anymore.) | 44 // won't be tested by TearDown anymore.) |
| 41 class CertDatabaseNSSTest : public testing::Test { | 45 class CertDatabaseNSSTest : public testing::Test { |
| 42 public: | 46 public: |
| 43 static void SetUpTestCase() { | 47 static void SetUpTestCase() { |
| (...skipping 224 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 268 EXPECT_EQ(0U, failed.size()); | 272 EXPECT_EQ(0U, failed.size()); |
| 269 | 273 |
| 270 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 274 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 271 ASSERT_EQ(1U, cert_list.size()); | 275 ASSERT_EQ(1U, cert_list.size()); |
| 272 scoped_refptr<X509Certificate> cert(cert_list[0]); | 276 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 273 EXPECT_EQ("Test CA", cert->subject().common_name); | 277 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 274 | 278 |
| 275 EXPECT_EQ(CertDatabase::TRUSTED_SSL, | 279 EXPECT_EQ(CertDatabase::TRUSTED_SSL, |
| 276 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 280 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 277 | 281 |
| 278 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 282 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
|
wtc
2012/05/16 23:37:12
Is the 'unsigned' cast necessary? Just curious.
mattm
2012/05/18 03:40:54
Yeah, the NSS defines are signed, but the trust st
| |
| 279 EXPECT_TRUE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 283 CERTDB_TRUSTED_CLIENT_CA), |
| 280 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 284 cert->os_cert_handle()->trust->sslFlags); |
| 281 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); | 285 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 282 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 286 cert->os_cert_handle()->trust->emailFlags); |
| 283 EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 287 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 288 cert->os_cert_handle()->trust->objectSigningFlags); | |
| 284 } | 289 } |
| 285 | 290 |
| 286 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { | 291 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { |
| 287 CertificateList certs = CreateCertificateListFromFile( | 292 CertificateList certs = CreateCertificateListFromFile( |
| 288 GetTestCertsDirectory(), "root_ca_cert.crt", | 293 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 289 X509Certificate::FORMAT_AUTO); | 294 X509Certificate::FORMAT_AUTO); |
| 290 ASSERT_EQ(1U, certs.size()); | 295 ASSERT_EQ(1U, certs.size()); |
| 291 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 296 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 292 | 297 |
| 293 // Import it. | 298 // Import it. |
| 294 CertDatabase::ImportCertFailureList failed; | 299 CertDatabase::ImportCertFailureList failed; |
| 295 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL, | 300 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL, |
| 296 &failed)); | 301 &failed)); |
| 297 | 302 |
| 298 EXPECT_EQ(0U, failed.size()); | 303 EXPECT_EQ(0U, failed.size()); |
| 299 | 304 |
| 300 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 305 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 301 ASSERT_EQ(1U, cert_list.size()); | 306 ASSERT_EQ(1U, cert_list.size()); |
| 302 scoped_refptr<X509Certificate> cert(cert_list[0]); | 307 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 303 EXPECT_EQ("Test CA", cert->subject().common_name); | 308 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 304 | 309 |
| 305 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, | 310 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, |
| 306 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 311 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 307 | 312 |
| 308 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 313 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 309 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 314 cert->os_cert_handle()->trust->sslFlags); |
| 310 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 315 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| 311 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); | 316 CERTDB_TRUSTED_CLIENT_CA), |
| 312 EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 317 cert->os_cert_handle()->trust->emailFlags); |
| 318 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | |
| 319 cert->os_cert_handle()->trust->objectSigningFlags); | |
| 313 } | 320 } |
| 314 | 321 |
| 315 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { | 322 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { |
| 316 CertificateList certs = CreateCertificateListFromFile( | 323 CertificateList certs = CreateCertificateListFromFile( |
| 317 GetTestCertsDirectory(), "root_ca_cert.crt", | 324 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 318 X509Certificate::FORMAT_AUTO); | 325 X509Certificate::FORMAT_AUTO); |
| 319 ASSERT_EQ(1U, certs.size()); | 326 ASSERT_EQ(1U, certs.size()); |
| 320 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 327 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 321 | 328 |
| 322 // Import it. | 329 // Import it. |
| 323 CertDatabase::ImportCertFailureList failed; | 330 CertDatabase::ImportCertFailureList failed; |
| 324 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN, | 331 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN, |
| 325 &failed)); | 332 &failed)); |
| 326 | 333 |
| 327 EXPECT_EQ(0U, failed.size()); | 334 EXPECT_EQ(0U, failed.size()); |
| 328 | 335 |
| 329 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 336 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 330 ASSERT_EQ(1U, cert_list.size()); | 337 ASSERT_EQ(1U, cert_list.size()); |
| 331 scoped_refptr<X509Certificate> cert(cert_list[0]); | 338 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 332 EXPECT_EQ("Test CA", cert->subject().common_name); | 339 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 333 | 340 |
| 334 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, | 341 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, |
| 335 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 342 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 336 | 343 |
| 337 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 344 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 338 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 345 cert->os_cert_handle()->trust->sslFlags); |
| 339 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 346 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 340 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); | 347 cert->os_cert_handle()->trust->emailFlags); |
| 341 EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 348 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| 349 CERTDB_TRUSTED_CLIENT_CA), | |
| 350 cert->os_cert_handle()->trust->objectSigningFlags); | |
| 342 } | 351 } |
| 343 | 352 |
| 344 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { | 353 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { |
| 345 CertificateList certs = CreateCertificateListFromFile( | 354 CertificateList certs = CreateCertificateListFromFile( |
| 346 GetTestCertsDirectory(), "google.single.pem", | 355 GetTestCertsDirectory(), "google.single.pem", |
| 347 X509Certificate::FORMAT_AUTO); | 356 X509Certificate::FORMAT_AUTO); |
| 348 ASSERT_EQ(1U, certs.size()); | 357 ASSERT_EQ(1U, certs.size()); |
| 349 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 358 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 350 | 359 |
| 351 // Import it. | 360 // Import it. |
| (...skipping 151 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 503 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { | 512 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { |
| 504 // Need to import intermediate cert for the verify of google cert, otherwise | 513 // Need to import intermediate cert for the verify of google cert, otherwise |
| 505 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which | 514 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which |
| 506 // will cause OCSPCreateSession on the main thread, which is not allowed. | 515 // will cause OCSPCreateSession on the main thread, which is not allowed. |
| 507 CertificateList certs = CreateCertificateListFromFile( | 516 CertificateList certs = CreateCertificateListFromFile( |
| 508 GetTestCertsDirectory(), "google.chain.pem", | 517 GetTestCertsDirectory(), "google.chain.pem", |
| 509 X509Certificate::FORMAT_AUTO); | 518 X509Certificate::FORMAT_AUTO); |
| 510 ASSERT_EQ(2U, certs.size()); | 519 ASSERT_EQ(2U, certs.size()); |
| 511 | 520 |
| 512 CertDatabase::ImportCertFailureList failed; | 521 CertDatabase::ImportCertFailureList failed; |
| 513 EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); | 522 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::UNTRUSTED, |
| 523 &failed)); | |
| 514 | 524 |
| 515 EXPECT_EQ(0U, failed.size()); | 525 EXPECT_EQ(0U, failed.size()); |
| 516 | 526 |
| 517 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 527 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 518 ASSERT_EQ(2U, cert_list.size()); | 528 ASSERT_EQ(2U, cert_list.size()); |
| 519 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); | 529 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); |
| 520 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); | 530 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); |
| 521 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); | 531 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); |
| 522 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 532 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
| 523 | 533 |
| 524 EXPECT_EQ(CertDatabase::UNTRUSTED, | 534 EXPECT_EQ(CertDatabase::UNTRUSTED, |
| 525 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); | 535 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| 526 psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); | 536 |
| 527 EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); | 537 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); |
| 538 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->emailFlags); | |
| 539 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->objectSigningFlags); | |
| 528 | 540 |
| 529 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 541 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 530 int flags = 0; | 542 int flags = 0; |
| 531 CertVerifyResult verify_result; | 543 CertVerifyResult verify_result; |
| 532 int error = verify_proc->Verify(goog_cert, "www.google.com", flags, | 544 int error = verify_proc->Verify(goog_cert, "www.google.com", flags, |
| 533 NULL, &verify_result); | 545 NULL, &verify_result); |
| 534 EXPECT_EQ(OK, error); | 546 EXPECT_EQ(OK, error); |
| 535 EXPECT_EQ(0U, verify_result.cert_status); | 547 EXPECT_EQ(0U, verify_result.cert_status); |
| 536 } | 548 } |
| 537 | 549 |
| 538 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 550 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| 539 CertificateList certs; | 551 CertificateList certs; |
| 540 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 552 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 541 | 553 |
| 542 CertDatabase::ImportCertFailureList failed; | 554 CertDatabase::ImportCertFailureList failed; |
| 543 EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); | 555 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::UNTRUSTED, |
| 556 &failed)); | |
| 544 | 557 |
| 545 EXPECT_EQ(0U, failed.size()); | 558 EXPECT_EQ(0U, failed.size()); |
| 546 | 559 |
| 547 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 560 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 548 ASSERT_EQ(1U, cert_list.size()); | 561 ASSERT_EQ(1U, cert_list.size()); |
| 549 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 562 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 550 | 563 |
| 551 EXPECT_EQ(CertDatabase::UNTRUSTED, | 564 EXPECT_EQ(CertDatabase::UNTRUSTED, |
| 552 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); | 565 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 553 psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); | 566 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); |
| 554 EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); | 567 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->emailFlags); |
| 568 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->objectSigningFlags); | |
| 555 | 569 |
| 556 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 570 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 557 int flags = 0; | 571 int flags = 0; |
| 558 CertVerifyResult verify_result; | 572 CertVerifyResult verify_result; |
| 559 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, | 573 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, |
| 560 NULL, &verify_result); | 574 NULL, &verify_result); |
| 561 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 575 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 562 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 576 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 563 | 577 |
| 564 // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not | 578 // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not |
| 565 // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160 | 579 // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160 |
| 566 EXPECT_TRUE(cert_db_.SetCertTrust( | 580 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 567 puny_cert.get(), CA_CERT, | 581 puny_cert.get(), CA_CERT, |
| 568 CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); | 582 CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); |
| 569 | 583 |
| 570 verify_result.Reset(); | 584 verify_result.Reset(); |
| 571 error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, | 585 error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, |
| 572 NULL, &verify_result); | 586 NULL, &verify_result); |
| 573 EXPECT_EQ(OK, error); | 587 EXPECT_EQ(OK, error); |
| 574 EXPECT_EQ(0U, verify_result.cert_status); | 588 EXPECT_EQ(0U, verify_result.cert_status); |
| 575 } | 589 } |
| 576 | 590 |
| 591 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { | |
| 592 // When using CERT_PKIXVerifyCert (which we do), server trust only works from | |
| 593 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364. | |
| 594 if (!NSS_VersionCheck("3.13.4")) { | |
| 595 LOG(INFO) << "test skipped on NSS < 3.13.4"; | |
| 596 return; | |
| 597 } | |
| 598 | |
| 599 CertificateList certs; | |
| 600 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | |
| 601 | |
| 602 CertDatabase::ImportCertFailureList failed; | |
| 603 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUSTED_SSL, | |
| 604 &failed)); | |
| 605 | |
| 606 EXPECT_EQ(0U, failed.size()); | |
| 607 | |
| 608 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | |
| 609 ASSERT_EQ(1U, cert_list.size()); | |
| 610 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | |
| 611 | |
| 612 EXPECT_EQ(CertDatabase::TRUSTED_SSL, | |
| 613 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); | |
| 614 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), | |
| 615 puny_cert->os_cert_handle()->trust->sslFlags); | |
| 616 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->emailFlags); | |
| 617 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->objectSigningFlags); | |
| 618 | |
| 619 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | |
| 620 int flags = 0; | |
| 621 CertVerifyResult verify_result; | |
| 622 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, | |
| 623 NULL, &verify_result); | |
| 624 EXPECT_EQ(OK, error); | |
| 625 EXPECT_EQ(0U, verify_result.cert_status); | |
| 626 } | |
| 627 | |
| 628 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { | |
| 629 CertificateList ca_certs = CreateCertificateListFromFile( | |
| 630 GetTestCertsDirectory(), "root_ca_cert.crt", | |
| 631 X509Certificate::FORMAT_AUTO); | |
| 632 ASSERT_EQ(1U, ca_certs.size()); | |
| 633 | |
| 634 // Import CA cert and trust it. | |
| 635 CertDatabase::ImportCertFailureList failed; | |
| 636 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, | |
| 637 &failed)); | |
| 638 EXPECT_EQ(0U, failed.size()); | |
| 639 | |
| 640 CertificateList certs = CreateCertificateListFromFile( | |
| 641 GetTestCertsDirectory(), "ok_cert.pem", | |
| 642 X509Certificate::FORMAT_AUTO); | |
| 643 ASSERT_EQ(1U, certs.size()); | |
| 644 | |
| 645 // Import server cert with default trust. | |
| 646 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::UNTRUSTED, | |
| 647 &failed)); | |
| 648 EXPECT_EQ(0U, failed.size()); | |
| 649 | |
| 650 // Server cert should verify. | |
| 651 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | |
| 652 int flags = 0; | |
| 653 CertVerifyResult verify_result; | |
| 654 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | |
| 655 NULL, &verify_result); | |
| 656 EXPECT_EQ(OK, error); | |
| 657 EXPECT_EQ(0U, verify_result.cert_status); | |
| 658 } | |
| 659 | |
| 660 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { | |
| 661 // Explicit distrust only works starting in NSS 3.13. | |
| 662 if (!NSS_VersionCheck("3.13")) { | |
| 663 LOG(INFO) << "test skipped on NSS < 3.13"; | |
| 664 return; | |
| 665 } | |
| 666 | |
| 667 CertificateList ca_certs = CreateCertificateListFromFile( | |
| 668 GetTestCertsDirectory(), "root_ca_cert.crt", | |
| 669 X509Certificate::FORMAT_AUTO); | |
| 670 ASSERT_EQ(1U, ca_certs.size()); | |
| 671 | |
| 672 // Import CA cert and trust it. | |
| 673 CertDatabase::ImportCertFailureList failed; | |
| 674 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, | |
| 675 &failed)); | |
| 676 EXPECT_EQ(0U, failed.size()); | |
| 677 | |
| 678 CertificateList certs = CreateCertificateListFromFile( | |
| 679 GetTestCertsDirectory(), "ok_cert.pem", | |
| 680 X509Certificate::FORMAT_AUTO); | |
| 681 ASSERT_EQ(1U, certs.size()); | |
| 682 | |
| 683 // Import server cert without inheriting trust from issuer (explicit | |
| 684 // distrust). | |
| 685 EXPECT_TRUE(cert_db_.ImportServerCert( | |
| 686 certs, CertDatabase::EXPLICIT_DISTRUST, &failed)); | |
| 687 EXPECT_EQ(0U, failed.size()); | |
| 688 EXPECT_EQ(CertDatabase::EXPLICIT_DISTRUST, | |
| 689 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); | |
| 690 | |
| 691 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | |
| 692 certs[0]->os_cert_handle()->trust->sslFlags); | |
| 693 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | |
| 694 certs[0]->os_cert_handle()->trust->emailFlags); | |
| 695 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | |
| 696 certs[0]->os_cert_handle()->trust->objectSigningFlags); | |
| 697 | |
| 698 // Server cert should fail to verify. | |
| 699 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | |
| 700 int flags = 0; | |
| 701 CertVerifyResult verify_result; | |
| 702 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | |
| 703 NULL, &verify_result); | |
| 704 EXPECT_EQ(ERR_CERT_REVOKED, error); | |
| 705 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); | |
| 706 } | |
| 707 | |
| 577 } // namespace net | 708 } // namespace net |
| OLD | NEW |
