| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <cert.h> | 5 #include <cert.h> |
| 6 #include <certdb.h> |
| 6 #include <pk11pub.h> | 7 #include <pk11pub.h> |
| 7 | 8 |
| 8 #include <algorithm> | 9 #include <algorithm> |
| 9 | 10 |
| 10 #include "base/file_path.h" | 11 #include "base/file_path.h" |
| 11 #include "base/file_util.h" | 12 #include "base/file_util.h" |
| 12 #include "base/lazy_instance.h" | 13 #include "base/lazy_instance.h" |
| 13 #include "base/message_loop.h" | 14 #include "base/message_loop.h" |
| 14 #include "base/path_service.h" | 15 #include "base/path_service.h" |
| 15 #include "base/string16.h" | 16 #include "base/string16.h" |
| 16 #include "base/string_util.h" | 17 #include "base/string_util.h" |
| 17 #include "base/utf_string_conversions.h" | 18 #include "base/utf_string_conversions.h" |
| 18 #include "crypto/nss_util.h" | 19 #include "crypto/nss_util.h" |
| 19 #include "crypto/nss_util_internal.h" | 20 #include "crypto/nss_util_internal.h" |
| 20 #include "crypto/scoped_nss_types.h" | 21 #include "crypto/scoped_nss_types.h" |
| 21 #include "net/base/cert_database.h" | 22 #include "net/base/cert_database.h" |
| 22 #include "net/base/cert_status_flags.h" | 23 #include "net/base/cert_status_flags.h" |
| 23 #include "net/base/cert_test_util.h" | 24 #include "net/base/cert_test_util.h" |
| 24 #include "net/base/cert_verify_proc.h" | 25 #include "net/base/cert_verify_proc.h" |
| 25 #include "net/base/cert_verify_result.h" | 26 #include "net/base/cert_verify_result.h" |
| 26 #include "net/base/crypto_module.h" | 27 #include "net/base/crypto_module.h" |
| 27 #include "net/base/net_errors.h" | 28 #include "net/base/net_errors.h" |
| 28 #include "net/base/x509_certificate.h" | 29 #include "net/base/x509_certificate.h" |
| 29 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" | |
| 30 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" | 30 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" |
| 31 #include "testing/gtest/include/gtest/gtest.h" | 31 #include "testing/gtest/include/gtest/gtest.h" |
| 32 | 32 |
| 33 namespace psm = mozilla_security_manager; | 33 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use |
| 34 // the new name of the macro. |
| 35 #if !defined(CERTDB_TERMINAL_RECORD) |
| 36 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER |
| 37 #endif |
| 34 | 38 |
| 35 namespace net { | 39 namespace net { |
| 36 | 40 |
| 37 // TODO(mattm): when https://bugzilla.mozilla.org/show_bug.cgi?id=588269 is | 41 // TODO(mattm): when https://bugzilla.mozilla.org/show_bug.cgi?id=588269 is |
| 38 // fixed, switch back to using a separate userdb for each test. | 42 // fixed, switch back to using a separate userdb for each test. |
| 39 // (When doing so, remember to add some standalone tests of DeleteCert since it | 43 // (When doing so, remember to add some standalone tests of DeleteCert since it |
| 40 // won't be tested by TearDown anymore.) | 44 // won't be tested by TearDown anymore.) |
| 41 class CertDatabaseNSSTest : public testing::Test { | 45 class CertDatabaseNSSTest : public testing::Test { |
| 42 public: | 46 public: |
| 43 static void SetUpTestCase() { | 47 static void SetUpTestCase() { |
| (...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 104 } | 108 } |
| 105 | 109 |
| 106 scoped_refptr<CryptoModule> slot_; | 110 scoped_refptr<CryptoModule> slot_; |
| 107 CertDatabase cert_db_; | 111 CertDatabase cert_db_; |
| 108 | 112 |
| 109 private: | 113 private: |
| 110 static bool CleanupSlotContents(PK11SlotInfo* slot) { | 114 static bool CleanupSlotContents(PK11SlotInfo* slot) { |
| 111 CertDatabase cert_db; | 115 CertDatabase cert_db; |
| 112 bool ok = true; | 116 bool ok = true; |
| 113 CertificateList certs = ListCertsInSlot(slot); | 117 CertificateList certs = ListCertsInSlot(slot); |
| 118 CERTCertTrust default_trust = {0}; |
| 114 for (size_t i = 0; i < certs.size(); ++i) { | 119 for (size_t i = 0; i < certs.size(); ++i) { |
| 120 // Reset cert trust values to defaults before deleting. Otherwise NSS |
| 121 // somehow seems to remember the trust which can break following tests. |
| 122 SECStatus srv = CERT_ChangeCertTrust( |
| 123 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); |
| 124 if (srv != SECSuccess) |
| 125 ok = false; |
| 126 |
| 115 if (!cert_db.DeleteCertAndKey(certs[i])) | 127 if (!cert_db.DeleteCertAndKey(certs[i])) |
| 116 ok = false; | 128 ok = false; |
| 117 } | 129 } |
| 118 return ok; | 130 return ok; |
| 119 } | 131 } |
| 120 }; | 132 }; |
| 121 | 133 |
| 122 TEST_F(CertDatabaseNSSTest, ListCerts) { | 134 TEST_F(CertDatabaseNSSTest, ListCerts) { |
| 123 // This test isn't terribly useful, though it will at least let valgrind test | 135 // This test isn't terribly useful, though it will at least let valgrind test |
| 124 // for leaks. | 136 // for leaks. |
| (...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 268 EXPECT_EQ(0U, failed.size()); | 280 EXPECT_EQ(0U, failed.size()); |
| 269 | 281 |
| 270 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 282 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 271 ASSERT_EQ(1U, cert_list.size()); | 283 ASSERT_EQ(1U, cert_list.size()); |
| 272 scoped_refptr<X509Certificate> cert(cert_list[0]); | 284 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 273 EXPECT_EQ("Test CA", cert->subject().common_name); | 285 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 274 | 286 |
| 275 EXPECT_EQ(CertDatabase::TRUSTED_SSL, | 287 EXPECT_EQ(CertDatabase::TRUSTED_SSL, |
| 276 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 288 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 277 | 289 |
| 278 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 290 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| 279 EXPECT_TRUE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 291 CERTDB_TRUSTED_CLIENT_CA), |
| 280 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 292 cert->os_cert_handle()->trust->sslFlags); |
| 281 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); | 293 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 282 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 294 cert->os_cert_handle()->trust->emailFlags); |
| 283 EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 295 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 296 cert->os_cert_handle()->trust->objectSigningFlags); |
| 284 } | 297 } |
| 285 | 298 |
| 286 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { | 299 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { |
| 287 CertificateList certs = CreateCertificateListFromFile( | 300 CertificateList certs = CreateCertificateListFromFile( |
| 288 GetTestCertsDirectory(), "root_ca_cert.crt", | 301 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 289 X509Certificate::FORMAT_AUTO); | 302 X509Certificate::FORMAT_AUTO); |
| 290 ASSERT_EQ(1U, certs.size()); | 303 ASSERT_EQ(1U, certs.size()); |
| 291 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 304 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 292 | 305 |
| 293 // Import it. | 306 // Import it. |
| 294 CertDatabase::ImportCertFailureList failed; | 307 CertDatabase::ImportCertFailureList failed; |
| 295 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL, | 308 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL, |
| 296 &failed)); | 309 &failed)); |
| 297 | 310 |
| 298 EXPECT_EQ(0U, failed.size()); | 311 EXPECT_EQ(0U, failed.size()); |
| 299 | 312 |
| 300 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 313 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 301 ASSERT_EQ(1U, cert_list.size()); | 314 ASSERT_EQ(1U, cert_list.size()); |
| 302 scoped_refptr<X509Certificate> cert(cert_list[0]); | 315 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 303 EXPECT_EQ("Test CA", cert->subject().common_name); | 316 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 304 | 317 |
| 305 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, | 318 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, |
| 306 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 319 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 307 | 320 |
| 308 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 321 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 309 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 322 cert->os_cert_handle()->trust->sslFlags); |
| 310 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 323 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| 311 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); | 324 CERTDB_TRUSTED_CLIENT_CA), |
| 312 EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 325 cert->os_cert_handle()->trust->emailFlags); |
| 326 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 327 cert->os_cert_handle()->trust->objectSigningFlags); |
| 313 } | 328 } |
| 314 | 329 |
| 315 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { | 330 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { |
| 316 CertificateList certs = CreateCertificateListFromFile( | 331 CertificateList certs = CreateCertificateListFromFile( |
| 317 GetTestCertsDirectory(), "root_ca_cert.crt", | 332 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 318 X509Certificate::FORMAT_AUTO); | 333 X509Certificate::FORMAT_AUTO); |
| 319 ASSERT_EQ(1U, certs.size()); | 334 ASSERT_EQ(1U, certs.size()); |
| 320 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 335 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 321 | 336 |
| 322 // Import it. | 337 // Import it. |
| 323 CertDatabase::ImportCertFailureList failed; | 338 CertDatabase::ImportCertFailureList failed; |
| 324 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN, | 339 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN, |
| 325 &failed)); | 340 &failed)); |
| 326 | 341 |
| 327 EXPECT_EQ(0U, failed.size()); | 342 EXPECT_EQ(0U, failed.size()); |
| 328 | 343 |
| 329 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 344 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 330 ASSERT_EQ(1U, cert_list.size()); | 345 ASSERT_EQ(1U, cert_list.size()); |
| 331 scoped_refptr<X509Certificate> cert(cert_list[0]); | 346 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 332 EXPECT_EQ("Test CA", cert->subject().common_name); | 347 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 333 | 348 |
| 334 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, | 349 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, |
| 335 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 350 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 336 | 351 |
| 337 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 352 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 338 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 353 cert->os_cert_handle()->trust->sslFlags); |
| 339 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 354 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 340 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); | 355 cert->os_cert_handle()->trust->emailFlags); |
| 341 EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 356 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| 357 CERTDB_TRUSTED_CLIENT_CA), |
| 358 cert->os_cert_handle()->trust->objectSigningFlags); |
| 342 } | 359 } |
| 343 | 360 |
| 344 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { | 361 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { |
| 345 CertificateList certs = CreateCertificateListFromFile( | 362 CertificateList certs = CreateCertificateListFromFile( |
| 346 GetTestCertsDirectory(), "google.single.pem", | 363 GetTestCertsDirectory(), "google.single.pem", |
| 347 X509Certificate::FORMAT_AUTO); | 364 X509Certificate::FORMAT_AUTO); |
| 348 ASSERT_EQ(1U, certs.size()); | 365 ASSERT_EQ(1U, certs.size()); |
| 349 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 366 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 350 | 367 |
| 351 // Import it. | 368 // Import it. |
| (...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 425 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); | 442 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); |
| 426 } | 443 } |
| 427 | 444 |
| 428 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { | 445 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { |
| 429 CertificateList certs; | 446 CertificateList certs; |
| 430 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 447 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 431 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 448 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 432 | 449 |
| 433 // Import it. | 450 // Import it. |
| 434 CertDatabase::ImportCertFailureList failed; | 451 CertDatabase::ImportCertFailureList failed; |
| 435 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::UNTRUSTED, &failed)); | 452 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUST_DEFAULT, |
| 453 &failed)); |
| 436 | 454 |
| 437 ASSERT_EQ(1U, failed.size()); | 455 ASSERT_EQ(1U, failed.size()); |
| 438 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); | 456 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); |
| 439 // TODO(mattm): should check for net error equivalent of | 457 // TODO(mattm): should check for net error equivalent of |
| 440 // SEC_ERROR_UNTRUSTED_ISSUER | 458 // SEC_ERROR_UNTRUSTED_ISSUER |
| 441 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 459 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
| 442 | 460 |
| 443 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 461 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 444 ASSERT_EQ(1U, cert_list.size()); | 462 ASSERT_EQ(1U, cert_list.size()); |
| 445 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 463 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 503 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { | 521 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { |
| 504 // Need to import intermediate cert for the verify of google cert, otherwise | 522 // Need to import intermediate cert for the verify of google cert, otherwise |
| 505 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which | 523 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which |
| 506 // will cause OCSPCreateSession on the main thread, which is not allowed. | 524 // will cause OCSPCreateSession on the main thread, which is not allowed. |
| 507 CertificateList certs = CreateCertificateListFromFile( | 525 CertificateList certs = CreateCertificateListFromFile( |
| 508 GetTestCertsDirectory(), "google.chain.pem", | 526 GetTestCertsDirectory(), "google.chain.pem", |
| 509 X509Certificate::FORMAT_AUTO); | 527 X509Certificate::FORMAT_AUTO); |
| 510 ASSERT_EQ(2U, certs.size()); | 528 ASSERT_EQ(2U, certs.size()); |
| 511 | 529 |
| 512 CertDatabase::ImportCertFailureList failed; | 530 CertDatabase::ImportCertFailureList failed; |
| 513 EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); | 531 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, |
| 532 &failed)); |
| 514 | 533 |
| 515 EXPECT_EQ(0U, failed.size()); | 534 EXPECT_EQ(0U, failed.size()); |
| 516 | 535 |
| 517 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 536 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 518 ASSERT_EQ(2U, cert_list.size()); | 537 ASSERT_EQ(2U, cert_list.size()); |
| 519 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); | 538 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); |
| 520 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); | 539 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); |
| 521 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); | 540 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); |
| 522 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 541 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
| 523 | 542 |
| 524 EXPECT_EQ(CertDatabase::UNTRUSTED, | 543 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, |
| 525 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); | 544 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| 526 psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); | 545 |
| 527 EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); | 546 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); |
| 547 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->emailFlags); |
| 548 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->objectSigningFlags); |
| 528 | 549 |
| 529 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 550 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 530 int flags = 0; | 551 int flags = 0; |
| 531 CertVerifyResult verify_result; | 552 CertVerifyResult verify_result; |
| 532 int error = verify_proc->Verify(goog_cert, "www.google.com", flags, | 553 int error = verify_proc->Verify(goog_cert, "www.google.com", flags, |
| 533 NULL, &verify_result); | 554 NULL, &verify_result); |
| 534 EXPECT_EQ(OK, error); | 555 EXPECT_EQ(OK, error); |
| 535 EXPECT_EQ(0U, verify_result.cert_status); | 556 EXPECT_EQ(0U, verify_result.cert_status); |
| 536 } | 557 } |
| 537 | 558 |
| 538 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 559 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| 539 CertificateList certs; | 560 CertificateList certs; |
| 540 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 561 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 541 | 562 |
| 542 CertDatabase::ImportCertFailureList failed; | 563 CertDatabase::ImportCertFailureList failed; |
| 543 EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); | 564 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, |
| 565 &failed)); |
| 544 | 566 |
| 545 EXPECT_EQ(0U, failed.size()); | 567 EXPECT_EQ(0U, failed.size()); |
| 546 | 568 |
| 547 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 569 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 548 ASSERT_EQ(1U, cert_list.size()); | 570 ASSERT_EQ(1U, cert_list.size()); |
| 549 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 571 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 550 | 572 |
| 551 EXPECT_EQ(CertDatabase::UNTRUSTED, | 573 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, |
| 552 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); | 574 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 553 psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); | 575 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); |
| 554 EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); | 576 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->emailFlags); |
| 577 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->objectSigningFlags); |
| 555 | 578 |
| 556 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 579 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 557 int flags = 0; | 580 int flags = 0; |
| 558 CertVerifyResult verify_result; | 581 CertVerifyResult verify_result; |
| 559 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, | 582 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, |
| 560 NULL, &verify_result); | 583 NULL, &verify_result); |
| 561 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 584 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 562 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 585 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 563 | 586 } |
| 564 // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not | 587 |
| 565 // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160 | 588 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { |
| 566 EXPECT_TRUE(cert_db_.SetCertTrust( | 589 // When using CERT_PKIXVerifyCert (which we do), server trust only works from |
| 567 puny_cert.get(), CA_CERT, | 590 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364. |
| 568 CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); | 591 if (!NSS_VersionCheck("3.13.4")) { |
| 569 | 592 LOG(INFO) << "test skipped on NSS < 3.13.4"; |
| 570 verify_result.Reset(); | 593 return; |
| 571 error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, | 594 } |
| 572 NULL, &verify_result); | 595 |
| 573 EXPECT_EQ(OK, error); | 596 CertificateList certs; |
| 574 EXPECT_EQ(0U, verify_result.cert_status); | 597 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 598 |
| 599 CertDatabase::ImportCertFailureList failed; |
| 600 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUSTED_SSL, |
| 601 &failed)); |
| 602 |
| 603 EXPECT_EQ(0U, failed.size()); |
| 604 |
| 605 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 606 ASSERT_EQ(1U, cert_list.size()); |
| 607 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 608 |
| 609 EXPECT_EQ(CertDatabase::TRUSTED_SSL, |
| 610 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 611 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), |
| 612 puny_cert->os_cert_handle()->trust->sslFlags); |
| 613 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->emailFlags); |
| 614 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->objectSigningFlags); |
| 615 |
| 616 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 617 int flags = 0; |
| 618 CertVerifyResult verify_result; |
| 619 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, |
| 620 NULL, &verify_result); |
| 621 EXPECT_EQ(OK, error); |
| 622 EXPECT_EQ(0U, verify_result.cert_status); |
| 623 } |
| 624 |
| 625 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { |
| 626 CertificateList ca_certs = CreateCertificateListFromFile( |
| 627 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 628 X509Certificate::FORMAT_AUTO); |
| 629 ASSERT_EQ(1U, ca_certs.size()); |
| 630 |
| 631 // Import CA cert and trust it. |
| 632 CertDatabase::ImportCertFailureList failed; |
| 633 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, |
| 634 &failed)); |
| 635 EXPECT_EQ(0U, failed.size()); |
| 636 |
| 637 CertificateList certs = CreateCertificateListFromFile( |
| 638 GetTestCertsDirectory(), "ok_cert.pem", |
| 639 X509Certificate::FORMAT_AUTO); |
| 640 ASSERT_EQ(1U, certs.size()); |
| 641 |
| 642 // Import server cert with default trust. |
| 643 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, |
| 644 &failed)); |
| 645 EXPECT_EQ(0U, failed.size()); |
| 646 |
| 647 // Server cert should verify. |
| 648 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 649 int flags = 0; |
| 650 CertVerifyResult verify_result; |
| 651 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 652 NULL, &verify_result); |
| 653 EXPECT_EQ(OK, error); |
| 654 EXPECT_EQ(0U, verify_result.cert_status); |
| 655 } |
| 656 |
| 657 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { |
| 658 // Explicit distrust only works starting in NSS 3.13. |
| 659 if (!NSS_VersionCheck("3.13")) { |
| 660 LOG(INFO) << "test skipped on NSS < 3.13"; |
| 661 return; |
| 662 } |
| 663 |
| 664 CertificateList ca_certs = CreateCertificateListFromFile( |
| 665 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 666 X509Certificate::FORMAT_AUTO); |
| 667 ASSERT_EQ(1U, ca_certs.size()); |
| 668 |
| 669 // Import CA cert and trust it. |
| 670 CertDatabase::ImportCertFailureList failed; |
| 671 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, |
| 672 &failed)); |
| 673 EXPECT_EQ(0U, failed.size()); |
| 674 |
| 675 CertificateList certs = CreateCertificateListFromFile( |
| 676 GetTestCertsDirectory(), "ok_cert.pem", |
| 677 X509Certificate::FORMAT_AUTO); |
| 678 ASSERT_EQ(1U, certs.size()); |
| 679 |
| 680 // Import server cert without inheriting trust from issuer (explicit |
| 681 // distrust). |
| 682 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 683 certs, CertDatabase::DISTRUSTED_SSL, &failed)); |
| 684 EXPECT_EQ(0U, failed.size()); |
| 685 EXPECT_EQ(CertDatabase::DISTRUSTED_SSL, |
| 686 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 687 |
| 688 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 689 certs[0]->os_cert_handle()->trust->sslFlags); |
| 690 EXPECT_EQ(0U, certs[0]->os_cert_handle()->trust->emailFlags); |
| 691 EXPECT_EQ(0U, certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 692 |
| 693 // Server cert should fail to verify. |
| 694 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 695 int flags = 0; |
| 696 CertVerifyResult verify_result; |
| 697 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 698 NULL, &verify_result); |
| 699 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 700 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 701 } |
| 702 |
| 703 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { |
| 704 CertificateList ca_certs = CreateCertificateListFromFile( |
| 705 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 706 X509Certificate::FORMAT_AUTO); |
| 707 ASSERT_EQ(1U, ca_certs.size()); |
| 708 |
| 709 // Import Root CA cert and distrust it. |
| 710 CertDatabase::ImportCertFailureList failed; |
| 711 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::DISTRUSTED_SSL, |
| 712 &failed)); |
| 713 EXPECT_EQ(0U, failed.size()); |
| 714 |
| 715 CertificateList intermediate_certs = CreateCertificateListFromFile( |
| 716 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", |
| 717 X509Certificate::FORMAT_AUTO); |
| 718 ASSERT_EQ(1U, intermediate_certs.size()); |
| 719 |
| 720 // Import Intermediate CA cert and trust it. |
| 721 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, |
| 722 CertDatabase::TRUSTED_SSL, &failed)); |
| 723 EXPECT_EQ(0U, failed.size()); |
| 724 |
| 725 CertificateList certs = CreateCertificateListFromFile( |
| 726 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 727 X509Certificate::FORMAT_AUTO); |
| 728 ASSERT_EQ(1U, certs.size()); |
| 729 |
| 730 // Import server cert with default trust. |
| 731 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 732 certs, CertDatabase::TRUST_DEFAULT, &failed)); |
| 733 EXPECT_EQ(0U, failed.size()); |
| 734 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, |
| 735 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 736 |
| 737 // Server cert should verify. |
| 738 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 739 int flags = 0; |
| 740 CertVerifyResult verify_result; |
| 741 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 742 NULL, &verify_result); |
| 743 EXPECT_EQ(OK, error); |
| 744 EXPECT_EQ(0U, verify_result.cert_status); |
| 745 |
| 746 // Explicit distrust only works starting in NSS 3.13. |
| 747 if (!NSS_VersionCheck("3.13")) { |
| 748 LOG(INFO) << "test partially skipped on NSS < 3.13"; |
| 749 return; |
| 750 } |
| 751 |
| 752 // Trust the root cert and distrust the intermediate. |
| 753 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 754 ca_certs[0], CA_CERT, CertDatabase::TRUSTED_SSL)); |
| 755 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 756 intermediate_certs[0], CA_CERT, CertDatabase::DISTRUSTED_SSL)); |
| 757 EXPECT_EQ( |
| 758 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), |
| 759 ca_certs[0]->os_cert_handle()->trust->sslFlags); |
| 760 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 761 ca_certs[0]->os_cert_handle()->trust->emailFlags); |
| 762 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 763 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 764 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 765 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); |
| 766 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 767 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); |
| 768 EXPECT_EQ( |
| 769 unsigned(CERTDB_VALID_CA), |
| 770 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 771 |
| 772 // Server cert should fail to verify. |
| 773 CertVerifyResult verify_result2; |
| 774 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 775 NULL, &verify_result2); |
| 776 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 777 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); |
| 778 } |
| 779 |
| 780 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { |
| 781 CertDatabase::ImportCertFailureList failed; |
| 782 |
| 783 CertificateList intermediate_certs = CreateCertificateListFromFile( |
| 784 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", |
| 785 X509Certificate::FORMAT_AUTO); |
| 786 ASSERT_EQ(1U, intermediate_certs.size()); |
| 787 |
| 788 // Import Intermediate CA cert and trust it. |
| 789 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, |
| 790 CertDatabase::TRUSTED_SSL, &failed)); |
| 791 EXPECT_EQ(0U, failed.size()); |
| 792 |
| 793 CertificateList certs = CreateCertificateListFromFile( |
| 794 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 795 X509Certificate::FORMAT_AUTO); |
| 796 ASSERT_EQ(1U, certs.size()); |
| 797 |
| 798 // Import server cert with default trust. |
| 799 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 800 certs, CertDatabase::TRUST_DEFAULT, &failed)); |
| 801 EXPECT_EQ(0U, failed.size()); |
| 802 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, |
| 803 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 804 |
| 805 // Server cert should verify. |
| 806 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 807 int flags = 0; |
| 808 CertVerifyResult verify_result; |
| 809 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 810 NULL, &verify_result); |
| 811 EXPECT_EQ(OK, error); |
| 812 EXPECT_EQ(0U, verify_result.cert_status); |
| 813 |
| 814 // Without explicit trust of the intermediate, verification should fail. |
| 815 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 816 intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); |
| 817 |
| 818 // Server cert should fail to verify. |
| 819 CertVerifyResult verify_result2; |
| 820 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 821 NULL, &verify_result2); |
| 822 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 823 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 824 } |
| 825 |
| 826 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { |
| 827 CertDatabase::ImportCertFailureList failed; |
| 828 |
| 829 CertificateList ca_certs = CreateCertificateListFromFile( |
| 830 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 831 X509Certificate::FORMAT_AUTO); |
| 832 ASSERT_EQ(1U, ca_certs.size()); |
| 833 |
| 834 // Import Root CA cert and default trust it. |
| 835 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUST_DEFAULT, |
| 836 &failed)); |
| 837 EXPECT_EQ(0U, failed.size()); |
| 838 |
| 839 CertificateList intermediate_certs = CreateCertificateListFromFile( |
| 840 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", |
| 841 X509Certificate::FORMAT_AUTO); |
| 842 ASSERT_EQ(1U, intermediate_certs.size()); |
| 843 |
| 844 // Import Intermediate CA cert and trust it. |
| 845 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, |
| 846 CertDatabase::TRUSTED_SSL, &failed)); |
| 847 EXPECT_EQ(0U, failed.size()); |
| 848 |
| 849 CertificateList certs = CreateCertificateListFromFile( |
| 850 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 851 X509Certificate::FORMAT_AUTO); |
| 852 ASSERT_EQ(1U, certs.size()); |
| 853 |
| 854 // Import server cert with default trust. |
| 855 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 856 certs, CertDatabase::TRUST_DEFAULT, &failed)); |
| 857 EXPECT_EQ(0U, failed.size()); |
| 858 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, |
| 859 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 860 |
| 861 // Server cert should verify. |
| 862 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 863 int flags = 0; |
| 864 CertVerifyResult verify_result; |
| 865 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 866 NULL, &verify_result); |
| 867 EXPECT_EQ(OK, error); |
| 868 EXPECT_EQ(0U, verify_result.cert_status); |
| 869 |
| 870 // Without explicit trust of the intermediate, verification should fail. |
| 871 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 872 intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); |
| 873 |
| 874 // Server cert should fail to verify. |
| 875 CertVerifyResult verify_result2; |
| 876 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 877 NULL, &verify_result2); |
| 878 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 879 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 880 } |
| 881 |
| 882 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { |
| 883 // Explicit distrust only works starting in NSS 3.13. |
| 884 if (!NSS_VersionCheck("3.13")) { |
| 885 LOG(INFO) << "test skipped on NSS < 3.13"; |
| 886 return; |
| 887 } |
| 888 |
| 889 CertDatabase::ImportCertFailureList failed; |
| 890 |
| 891 CertificateList ca_certs = CreateCertificateListFromFile( |
| 892 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 893 X509Certificate::FORMAT_AUTO); |
| 894 ASSERT_EQ(1U, ca_certs.size()); |
| 895 |
| 896 // Import Root CA cert and trust it. |
| 897 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, |
| 898 &failed)); |
| 899 EXPECT_EQ(0U, failed.size()); |
| 900 |
| 901 CertificateList intermediate_certs = CreateCertificateListFromFile( |
| 902 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", |
| 903 X509Certificate::FORMAT_AUTO); |
| 904 ASSERT_EQ(1U, intermediate_certs.size()); |
| 905 |
| 906 // Import Intermediate CA cert and distrust it. |
| 907 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, |
| 908 CertDatabase::DISTRUSTED_SSL, &failed)); |
| 909 EXPECT_EQ(0U, failed.size()); |
| 910 |
| 911 CertificateList certs = CreateCertificateListFromFile( |
| 912 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 913 X509Certificate::FORMAT_AUTO); |
| 914 ASSERT_EQ(1U, certs.size()); |
| 915 |
| 916 // Import server cert with default trust. |
| 917 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 918 certs, CertDatabase::TRUST_DEFAULT, &failed)); |
| 919 EXPECT_EQ(0U, failed.size()); |
| 920 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, |
| 921 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 922 |
| 923 // Server cert should not verify. |
| 924 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 925 int flags = 0; |
| 926 CertVerifyResult verify_result; |
| 927 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 928 NULL, &verify_result); |
| 929 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 930 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 931 |
| 932 // Without explicit distrust of the intermediate, verification should succeed. |
| 933 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 934 intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); |
| 935 |
| 936 // Server cert should verify. |
| 937 CertVerifyResult verify_result2; |
| 938 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 939 NULL, &verify_result2); |
| 940 EXPECT_EQ(OK, error); |
| 941 EXPECT_EQ(0U, verify_result2.cert_status); |
| 575 } | 942 } |
| 576 | 943 |
| 577 } // namespace net | 944 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 9940001:
Fix imported server certs being distrusted in NSS 3.13. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src