Fix imported server certs being distrusted in NSS 3.13.

net/base/cert_database_nss_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <cert.h>
 #include <pk11pub.h>
 
 #include <algorithm>
 
 #include "base/file_path.h"
@@ skipping 70 matching lines @@
     if (cert_data.empty())
       return false;
 
     X509Certificate* cert = X509Certificate::CreateFromBytes(
         cert_data.data(), cert_data.size());
     if (!cert)
       return false;
 
     certs->push_back(cert);
     return true;
   }

[Ryan Sleevi, 2012/03/29 23:35:13]

Can you use the net/test/cert_test_util function here?

[mattm, 2012/05/16 03:30:45]

Done.

 
   static CertificateList ListCertsInSlot(PK11SlotInfo* slot) {
     CertificateList result;
     CERTCertList* cert_list = PK11_ListCertsInSlot(slot);
     for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
          !CERT_LIST_END(node, cert_list);
          node = CERT_LIST_NEXT(node)) {
       result.push_back(X509Certificate::CreateFromHandle(
           node->cert, X509Certificate::OSCertHandles()));
     }
@@ skipping 426 matching lines @@
   // Need to import intermediate cert for the verify of google cert, otherwise
   // it will try to fetch it automatically with cert_pi_useAIACertFetch, which
   // will cause OCSPCreateSession on the main thread, which is not allowed.
   std::string cert_data = ReadTestFile("google.chain.pem");
   CertificateList certs =
       X509Certificate::CreateCertificateListFromBytes(
           cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(2U, certs.size());
 
   CertDatabase::ImportCertFailureList failed;
-  EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed));
+  EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::UNTRUSTED,
+                                        &failed));
 
   EXPECT_EQ(0U, failed.size());
 
   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
   ASSERT_EQ(2U, cert_list.size());
   scoped_refptr<X509Certificate> goog_cert(cert_list[0]);
   scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);
   EXPECT_EQ("www.google.com", goog_cert->subject().common_name);
   EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);
 
   EXPECT_EQ(CertDatabase::UNTRUSTED,
             cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT));
   psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust);
-  EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE));
+  EXPECT_TRUE(goog_trust.HasTerminalRecord(PR_TRUE, PR_TRUE, PR_TRUE));
 
   scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
   int flags = 0;
   CertVerifyResult verify_result;
   int error = verify_proc->Verify(goog_cert, "www.google.com", flags,
                                       NULL, &verify_result);
   EXPECT_EQ(OK, error);
   EXPECT_EQ(0U, verify_result.cert_status);
 }
 
 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
   CertificateList certs;
   ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
 
   CertDatabase::ImportCertFailureList failed;
-  EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed));
+  EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::UNTRUSTED,
+                                        &failed));
 
   EXPECT_EQ(0U, failed.size());
 
   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
 
   EXPECT_EQ(CertDatabase::UNTRUSTED,
             cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT));
   psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust);
-  EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE));
+  EXPECT_FALSE(puny_trust.HasTerminalRecord(PR_TRUE, PR_FALSE, PR_FALSE));
+  EXPECT_FALSE(puny_trust.HasTerminalRecord(PR_FALSE, PR_TRUE, PR_FALSE));
+  EXPECT_FALSE(puny_trust.HasTerminalRecord(PR_FALSE, PR_FALSE, PR_TRUE));
 
   scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
   int flags = 0;
   CertVerifyResult verify_result;
   int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags,
                                       NULL, &verify_result);
   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
 
   // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not
   // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160
   EXPECT_TRUE(cert_db_.SetCertTrust(
       puny_cert.get(), CA_CERT,
       CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL));
 
   verify_result.Reset();
   error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags,
                                   NULL, &verify_result);
   EXPECT_EQ(OK, error);
   EXPECT_EQ(0U, verify_result.cert_status);
 }
 
+TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
+  // When using CERT_PKIXVerifyCert (which we do), server trust only works from
+  // 3.13.4 onwards.  See https://bugzilla.mozilla.org/show_bug.cgi?id=647364.
+  if (!NSS_VersionCheck("3.13.4")) {
+    LOG(INFO) << "test skipped on NSS < 3.13.4";
+    return;
+  }
+
+  CertificateList certs;
+  ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
+
+  CertDatabase::ImportCertFailureList failed;
+  EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUSTED_SSL,
+                                        &failed));
+
+  EXPECT_EQ(0U, failed.size());
+
+  CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+  ASSERT_EQ(1U, cert_list.size());
+  scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
+
+  EXPECT_EQ(CertDatabase::TRUSTED_SSL,
+            cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT));
+  psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust);
+  EXPECT_TRUE(puny_trust.HasTerminalRecord(PR_TRUE, PR_FALSE, PR_FALSE));
+  EXPECT_FALSE(puny_trust.HasTerminalRecord(PR_FALSE, PR_TRUE, PR_FALSE));
+  EXPECT_FALSE(puny_trust.HasTerminalRecord(PR_FALSE, PR_FALSE, PR_TRUE));
+
+  scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags,
+                                      NULL, &verify_result);
+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0U, verify_result.cert_status);
+}
+
+TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
+  std::string ca_cert_data = ReadTestFile("root_ca_cert.crt");
+
+  CertificateList ca_certs =
+      X509Certificate::CreateCertificateListFromBytes(
+          ca_cert_data.data(), ca_cert_data.size(),
+          X509Certificate::FORMAT_AUTO);

[Ryan Sleevi, 2012/03/29 23:35:13]

Use the net/base/cert_test_util helpers here (and for the tests below)

[mattm, 2012/05/16 03:30:45]

Done.

+  ASSERT_EQ(1U, ca_certs.size());
+
+  // Import CA cert and trust it.
+  CertDatabase::ImportCertFailureList failed;
+  EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL,
+                                     &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  std::string server_cert_data = ReadTestFile("ok_cert.pem");
+  CertificateList certs = X509Certificate::CreateCertificateListFromBytes(
+          server_cert_data.data(), server_cert_data.size(),
+          X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs.size());
+
+  // Import server cert with default trust.
+  EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::UNTRUSTED,
+                                        &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  // Server cert should verify.
+  scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+                                  NULL, &verify_result);
+  EXPECT_EQ(OK, error);
+  EXPECT_EQ(0U, verify_result.cert_status);
+}
+
+TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
+  // Explicit distrust only works starting in NSS 3.13.
+  if (!NSS_VersionCheck("3.13")) {
+    LOG(INFO) << "test skipped on NSS < 3.13";
+    return;
+  }
+
+  std::string ca_cert_data = ReadTestFile("root_ca_cert.crt");
+
+  CertificateList ca_certs =
+      X509Certificate::CreateCertificateListFromBytes(
+          ca_cert_data.data(), ca_cert_data.size(),
+          X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, ca_certs.size());
+
+  // Import CA cert and trust it.
+  CertDatabase::ImportCertFailureList failed;
+  EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL,
+                                     &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  std::string server_cert_data = ReadTestFile("ok_cert.pem");
+  CertificateList certs = X509Certificate::CreateCertificateListFromBytes(
+          server_cert_data.data(), server_cert_data.size(),
+          X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs.size());
+
+  // Import server cert without inheriting trust from issuer (explicit
+  // distrust).
+  EXPECT_TRUE(cert_db_.ImportServerCert(
+      certs, CertDatabase::TRUST_TERMINAL_RECORD, &failed));
+  EXPECT_EQ(0U, failed.size());
+  EXPECT_EQ(CertDatabase::TRUST_TERMINAL_RECORD,
+            cert_db_.GetCertTrust(certs[0], SERVER_CERT));
+
+  // Server cert should fail to verify.
+  scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+                                  NULL, &verify_result);
+  EXPECT_EQ(ERR_CERT_REVOKED, error);
+  EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
+}
+
 }  // namespace net