Chromium Code Reviews Chromium Code Reviews
Issue 9940001:
Fix imported server certs being distrusted in NSS 3.13. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: net/base/cert_database_nss_unittest.cc |
| diff --git a/net/base/cert_database_nss_unittest.cc b/net/base/cert_database_nss_unittest.cc |
| index 75ea641e1235a3ae56424ff6d43ee6204d6680c1..f2e262921b6a92d54a2d65cdfa8e11bef98d4302 100644 |
| --- a/net/base/cert_database_nss_unittest.cc |
| +++ b/net/base/cert_database_nss_unittest.cc |
| @@ -3,6 +3,7 @@ |
| // found in the LICENSE file. |
| #include <cert.h> |
| +#include <certdb.h> |
| #include <pk11pub.h> |
| #include <algorithm> |
| @@ -26,11 +27,14 @@ |
| #include "net/base/crypto_module.h" |
| #include "net/base/net_errors.h" |
| #include "net/base/x509_certificate.h" |
| -#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" |
| #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" |
| #include "testing/gtest/include/gtest/gtest.h" |
| -namespace psm = mozilla_security_manager; |
| +// In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use |
| +// the new name of the macro. |
| +#if !defined(CERTDB_TERMINAL_RECORD) |
| +#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER |
| +#endif |
| namespace net { |
| @@ -275,12 +279,13 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { |
| EXPECT_EQ(CertDatabase::TRUSTED_SSL, |
| cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| - psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); |
| - EXPECT_TRUE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); |
| - EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); |
| - EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); |
| - EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_TRUE, PR_TRUE)); |
| - EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); |
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| + CERTDB_TRUSTED_CLIENT_CA), |
| + cert->os_cert_handle()->trust->sslFlags); |
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| + cert->os_cert_handle()->trust->emailFlags); |
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| + cert->os_cert_handle()->trust->objectSigningFlags); |
| } |
| TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { |
| @@ -305,11 +310,13 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { |
| EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, |
| cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| - psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); |
| - EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); |
| - EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); |
| - EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); |
| - EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); |
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| + cert->os_cert_handle()->trust->sslFlags); |
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| + CERTDB_TRUSTED_CLIENT_CA), |
| + cert->os_cert_handle()->trust->emailFlags); |
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| + cert->os_cert_handle()->trust->objectSigningFlags); |
| } |
| TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { |
| @@ -334,11 +341,13 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { |
| EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, |
| cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| - psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); |
| - EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); |
| - EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); |
| - EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); |
| - EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); |
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| + cert->os_cert_handle()->trust->sslFlags); |
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| + cert->os_cert_handle()->trust->emailFlags); |
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| + CERTDB_TRUSTED_CLIENT_CA), |
| + cert->os_cert_handle()->trust->objectSigningFlags); |
| } |
| TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { |
| @@ -510,7 +519,8 @@ TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { |
| ASSERT_EQ(2U, certs.size()); |
| CertDatabase::ImportCertFailureList failed; |
| - EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); |
| + EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::UNTRUSTED, |
| + &failed)); |
| EXPECT_EQ(0U, failed.size()); |
| @@ -523,8 +533,10 @@ TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { |
| EXPECT_EQ(CertDatabase::UNTRUSTED, |
| cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| - psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); |
| - EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); |
| + |
| + EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); |
| + EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->emailFlags); |
| + EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->objectSigningFlags); |
| scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| int flags = 0; |
| @@ -540,7 +552,8 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| CertDatabase::ImportCertFailureList failed; |
| - EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); |
| + EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::UNTRUSTED, |
| + &failed)); |
| EXPECT_EQ(0U, failed.size()); |
| @@ -550,8 +563,9 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| EXPECT_EQ(CertDatabase::UNTRUSTED, |
| cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| - psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); |
| - EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); |
| + EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); |
| + EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->emailFlags); |
| + EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->objectSigningFlags); |
| scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| int flags = 0; |
| @@ -574,4 +588,121 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| EXPECT_EQ(0U, verify_result.cert_status); |
| } |
| +TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { |
| + // When using CERT_PKIXVerifyCert (which we do), server trust only works from |
| + // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364. |
| + if (!NSS_VersionCheck("3.13.4")) { |
| + LOG(INFO) << "test skipped on NSS < 3.13.4"; |
| + return; |
| + } |
| + |
| + CertificateList certs; |
| + ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| + |
| + CertDatabase::ImportCertFailureList failed; |
| + EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUSTED_SSL, |
| + &failed)); |
| + |
| + EXPECT_EQ(0U, failed.size()); |
| + |
| + CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| + ASSERT_EQ(1U, cert_list.size()); |
| + scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| + |
| + EXPECT_EQ(CertDatabase::TRUSTED_SSL, |
| + cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| + EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), |
| + puny_cert->os_cert_handle()->trust->sslFlags); |
| + EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->emailFlags); |
| + EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->objectSigningFlags); |
| + |
| + scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
|
Ryan Sleevi
2012/05/16 03:57:23
Blergh, this is a bug I should clean up.
This sho
|
| + int flags = 0; |
| + CertVerifyResult verify_result; |
| + int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, |
| + NULL, &verify_result); |
| + EXPECT_EQ(OK, error); |
| + EXPECT_EQ(0U, verify_result.cert_status); |
| +} |
| + |
| +TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { |
| + CertificateList ca_certs = CreateCertificateListFromFile( |
| + GetTestCertsDirectory(), "root_ca_cert.crt", |
| + X509Certificate::FORMAT_AUTO); |
| + ASSERT_EQ(1U, ca_certs.size()); |
| + |
| + // Import CA cert and trust it. |
| + CertDatabase::ImportCertFailureList failed; |
| + EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, |
| + &failed)); |
| + EXPECT_EQ(0U, failed.size()); |
| + |
| + CertificateList certs = CreateCertificateListFromFile( |
| + GetTestCertsDirectory(), "ok_cert.pem", |
| + X509Certificate::FORMAT_AUTO); |
| + ASSERT_EQ(1U, certs.size()); |
| + |
| + // Import server cert with default trust. |
| + EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::UNTRUSTED, |
| + &failed)); |
| + EXPECT_EQ(0U, failed.size()); |
| + |
| + // Server cert should verify. |
| + scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| + int flags = 0; |
| + CertVerifyResult verify_result; |
| + int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| + NULL, &verify_result); |
| + EXPECT_EQ(OK, error); |
| + EXPECT_EQ(0U, verify_result.cert_status); |
| +} |
| + |
| +TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { |
| + // Explicit distrust only works starting in NSS 3.13. |
| + if (!NSS_VersionCheck("3.13")) { |
| + LOG(INFO) << "test skipped on NSS < 3.13"; |
| + return; |
| + } |
| + |
| + CertificateList ca_certs = CreateCertificateListFromFile( |
| + GetTestCertsDirectory(), "root_ca_cert.crt", |
| + X509Certificate::FORMAT_AUTO); |
| + ASSERT_EQ(1U, ca_certs.size()); |
| + |
| + // Import CA cert and trust it. |
| + CertDatabase::ImportCertFailureList failed; |
| + EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, |
| + &failed)); |
| + EXPECT_EQ(0U, failed.size()); |
| + |
| + CertificateList certs = CreateCertificateListFromFile( |
| + GetTestCertsDirectory(), "ok_cert.pem", |
| + X509Certificate::FORMAT_AUTO); |
| + ASSERT_EQ(1U, certs.size()); |
| + |
| + // Import server cert without inheriting trust from issuer (explicit |
| + // distrust). |
| + EXPECT_TRUE(cert_db_.ImportServerCert( |
| + certs, CertDatabase::EXPLICIT_DISTRUST, &failed)); |
| + EXPECT_EQ(0U, failed.size()); |
| + EXPECT_EQ(CertDatabase::EXPLICIT_DISTRUST, |
| + cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| + |
| + EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| + certs[0]->os_cert_handle()->trust->sslFlags); |
| + EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| + certs[0]->os_cert_handle()->trust->emailFlags); |
| + EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| + certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| + |
| + // Server cert should fail to verify. |
| + scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| + int flags = 0; |
| + CertVerifyResult verify_result; |
| + int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| + NULL, &verify_result); |
| + EXPECT_EQ(ERR_CERT_REVOKED, error); |
| + EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| +} |
| + |
| } // namespace net |
