Chromium Code Reviews Chromium Code Reviews
Issue 9940001:
Fix imported server certs being distrusted in NSS 3.13. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/common/net/x509_certificate_model.h" | 5 #include "chrome/common/net/x509_certificate_model.h" |
| 6 | 6 |
| 7 #include "base/file_path.h" | 7 #include "base/file_path.h" |
| 8 #include "base/file_util.h" | 8 #include "base/file_util.h" |
| 9 #include "base/path_service.h" | 9 #include "base/path_service.h" |
| 10 #include "net/base/cert_database.h" | 10 #include "net/base/cert_database.h" |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 21 // Remove this when OpenSSL build implements the necessary functions. | 21 // Remove this when OpenSSL build implements the necessary functions. |
| 22 EXPECT_EQ(net::UNKNOWN_CERT, | 22 EXPECT_EQ(net::UNKNOWN_CERT, |
| 23 x509_certificate_model::GetType(cert->os_cert_handle())); | 23 x509_certificate_model::GetType(cert->os_cert_handle())); |
| 24 #else | 24 #else |
| 25 EXPECT_EQ(net::CA_CERT, | 25 EXPECT_EQ(net::CA_CERT, |
| 26 x509_certificate_model::GetType(cert->os_cert_handle())); | 26 x509_certificate_model::GetType(cert->os_cert_handle())); |
| 27 | 27 |
| 28 // Test that explicitly distrusted CA certs are still returned as CA_CERT | 28 // Test that explicitly distrusted CA certs are still returned as CA_CERT |
| 29 // type. See http://crbug.com/96654. | 29 // type. See http://crbug.com/96654. |
| 30 net::CertDatabase cert_db; | 30 net::CertDatabase cert_db; |
| 31 // TODO(mattm): This depends on the implementation details of SetCertTrust | 31 EXPECT_TRUE(cert_db.SetCertTrust(cert, net::CA_CERT, |
| 32 // where calling with SERVER_CERT and UNTRUSTED causes a cert to be explicitly | 32 net::CertDatabase::DISTRUSTED_SSL)); |
| 33 // distrusted (trust set to CERTDB_TERMINAL_RECORD). See | |
| 34 // http://crbug.com/116411. When I fix that bug I'll also add a way to set | |
| 35 // this directly. | |
| 36 EXPECT_TRUE(cert_db.SetCertTrust(cert, net::SERVER_CERT, | |
| 37 net::CertDatabase::UNTRUSTED)); | |
| 38 | 33 |
| 39 EXPECT_EQ(net::CA_CERT, | 34 EXPECT_EQ(net::CA_CERT, |
| 40 x509_certificate_model::GetType(cert->os_cert_handle())); | 35 x509_certificate_model::GetType(cert->os_cert_handle())); |
| 41 #endif | 36 #endif |
| 42 } | 37 } |
| 43 | 38 |
| 44 TEST(X509CertificateModelTest, GetTypeServer) { | 39 TEST(X509CertificateModelTest, GetTypeServer) { |
| 45 scoped_refptr<net::X509Certificate> cert( | 40 scoped_refptr<net::X509Certificate> cert( |
| 46 net::ImportCertFromFile(net::GetTestCertsDirectory(), | 41 net::ImportCertFromFile(net::GetTestCertsDirectory(), |
| 47 "google.single.der")); | 42 "google.single.der")); |
| 48 ASSERT_TRUE(cert.get()); | 43 ASSERT_TRUE(cert.get()); |
| 49 | 44 |
| 50 #if defined(USE_OPENSSL) | 45 #if defined(USE_OPENSSL) |
| 51 // Remove this when OpenSSL build implements the necessary functions. | 46 // Remove this when OpenSSL build implements the necessary functions. |
| 52 EXPECT_EQ(net::UNKNOWN_CERT, | 47 EXPECT_EQ(net::UNKNOWN_CERT, |
| 53 x509_certificate_model::GetType(cert->os_cert_handle())); | 48 x509_certificate_model::GetType(cert->os_cert_handle())); |
| 54 #else | 49 #else |
| 50 // Test GetCertType with server certs and default trust. Currently this | |
|
wtc
2012/05/22 00:28:39
In these comments, "GetCertType" is a little confu
mattm
2012/05/26 03:41:35
Done.
| |
| 51 // doesn't work. | |
| 55 // TODO(mattm): make GetCertType smarter so we can tell server certs even if | 52 // TODO(mattm): make GetCertType smarter so we can tell server certs even if |
| 56 // they have no trust bits set. | 53 // they have no trust bits set. |
| 57 EXPECT_EQ(net::UNKNOWN_CERT, | 54 EXPECT_EQ(net::UNKNOWN_CERT, |
| 58 x509_certificate_model::GetType(cert->os_cert_handle())); | 55 x509_certificate_model::GetType(cert->os_cert_handle())); |
| 59 | 56 |
| 60 net::CertDatabase cert_db; | 57 net::CertDatabase cert_db; |
| 58 // Test GetCertType with server certs and explicit trust. | |
| 61 EXPECT_TRUE(cert_db.SetCertTrust(cert, net::SERVER_CERT, | 59 EXPECT_TRUE(cert_db.SetCertTrust(cert, net::SERVER_CERT, |
| 62 net::CertDatabase::TRUSTED_SSL)); | 60 net::CertDatabase::TRUSTED_SSL)); |
| 63 | 61 |
| 64 EXPECT_EQ(net::SERVER_CERT, | 62 EXPECT_EQ(net::SERVER_CERT, |
| 65 x509_certificate_model::GetType(cert->os_cert_handle())); | 63 x509_certificate_model::GetType(cert->os_cert_handle())); |
| 66 | 64 |
| 65 // Test GetCertType with server certs and explicit distrust. | |
| 67 EXPECT_TRUE(cert_db.SetCertTrust(cert, net::SERVER_CERT, | 66 EXPECT_TRUE(cert_db.SetCertTrust(cert, net::SERVER_CERT, |
| 68 net::CertDatabase::UNTRUSTED)); | 67 net::CertDatabase::DISTRUSTED_SSL)); |
| 69 | 68 |
| 70 EXPECT_EQ(net::SERVER_CERT, | 69 EXPECT_EQ(net::SERVER_CERT, |
| 71 x509_certificate_model::GetType(cert->os_cert_handle())); | 70 x509_certificate_model::GetType(cert->os_cert_handle())); |
| 72 #endif | 71 #endif |
| 73 } | 72 } |
| OLD | NEW |
