Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1833)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/base/cert_database_nss_unittest.cc

Issue 9940001: Fix imported server certs being distrusted in NSS 3.13. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/base/cert_database.h ('K') | « net/base/cert_database_nss.cc ('k') | net/third_party/mozilla_security_manager/nsNSSCertTrust.h » ('j') | net/third_party/mozilla_security_manager/nsNSSCertTrust.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/base/cert_database_nss_unittest.cc
diff --git a/net/base/cert_database_nss_unittest.cc b/net/base/cert_database_nss_unittest.cc
index 8ed8251b45c660fde8d85580df170d9cc3722757..9799f6dd019ae9da96c75f8611840f8411200db3 100644
--- a/net/base/cert_database_nss_unittest.cc
+++ b/net/base/cert_database_nss_unittest.cc
@@ -535,7 +535,8 @@ TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
ASSERT_EQ(2U, certs.size());
CertDatabase::ImportCertFailureList failed;
- EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed));
+ EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::UNTRUSTED,
+ &failed));
EXPECT_EQ(0U, failed.size());
@@ -549,7 +550,7 @@ TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
EXPECT_EQ(CertDatabase::UNTRUSTED,
cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT));
psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust);
- EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE));
+ EXPECT_TRUE(goog_trust.HasTerminalRecord(PR_TRUE, PR_TRUE, PR_TRUE));
scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
int flags = 0;
@@ -565,7 +566,8 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
CertDatabase::ImportCertFailureList failed;
- EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed));
+ EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::UNTRUSTED,
+ &failed));
EXPECT_EQ(0U, failed.size());
@@ -576,7 +578,9 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
EXPECT_EQ(CertDatabase::UNTRUSTED,
cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT));
psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust);
- EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE));
+ EXPECT_FALSE(puny_trust.HasTerminalRecord(PR_TRUE, PR_FALSE, PR_FALSE));
+ EXPECT_FALSE(puny_trust.HasTerminalRecord(PR_FALSE, PR_TRUE, PR_FALSE));
+ EXPECT_FALSE(puny_trust.HasTerminalRecord(PR_FALSE, PR_FALSE, PR_TRUE));
scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
int flags = 0;
@@ -599,4 +603,122 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
EXPECT_EQ(0U, verify_result.cert_status);
}
+TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
+ // When using CERT_PKIXVerifyCert (which we do), server trust only works from
+ // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364.
+ if (!NSS_VersionCheck("3.13.4")) {
+ LOG(INFO) << "test skipped on NSS < 3.13.4";
+ return;
+ }
+
+ CertificateList certs;
+ ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
+
+ CertDatabase::ImportCertFailureList failed;
+ EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUSTED_SSL,
+ &failed));
+
+ EXPECT_EQ(0U, failed.size());
+
+ CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
+ ASSERT_EQ(1U, cert_list.size());
+ scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
+
+ EXPECT_EQ(CertDatabase::TRUSTED_SSL,
+ cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT));
+ psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust);
+ EXPECT_TRUE(puny_trust.HasTerminalRecord(PR_TRUE, PR_FALSE, PR_FALSE));
+ EXPECT_FALSE(puny_trust.HasTerminalRecord(PR_FALSE, PR_TRUE, PR_FALSE));
+ EXPECT_FALSE(puny_trust.HasTerminalRecord(PR_FALSE, PR_FALSE, PR_TRUE));
+
+ scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+ int flags = 0;
+ CertVerifyResult verify_result;
+ int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags,
+ NULL, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+}
+
+TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
+ std::string ca_cert_data = ReadTestFile("root_ca_cert.crt");
+
+ CertificateList ca_certs =
+ X509Certificate::CreateCertificateListFromBytes(
+ ca_cert_data.data(), ca_cert_data.size(),
+ X509Certificate::FORMAT_AUTO);
Ryan Sleevi 2012/03/29 23:35:13 Use the net/base/cert_test_util helpers here (and
mattm 2012/05/16 03:30:45 Done.
+ ASSERT_EQ(1U, ca_certs.size());
+
+ // Import CA cert and trust it.
+ CertDatabase::ImportCertFailureList failed;
+ EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL,
+ &failed));
+ EXPECT_EQ(0U, failed.size());
+
+ std::string server_cert_data = ReadTestFile("ok_cert.pem");
+ CertificateList certs = X509Certificate::CreateCertificateListFromBytes(
+ server_cert_data.data(), server_cert_data.size(),
+ X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(1U, certs.size());
+
+ // Import server cert with default trust.
+ EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::UNTRUSTED,
+ &failed));
+ EXPECT_EQ(0U, failed.size());
+
+ // Server cert should verify.
+ scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+ int flags = 0;
+ CertVerifyResult verify_result;
+ int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+ NULL, &verify_result);
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status);
+}
+
+TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
+ // Explicit distrust only works starting in NSS 3.13.
+ if (!NSS_VersionCheck("3.13")) {
+ LOG(INFO) << "test skipped on NSS < 3.13";
+ return;
+ }
+
+ std::string ca_cert_data = ReadTestFile("root_ca_cert.crt");
+
+ CertificateList ca_certs =
+ X509Certificate::CreateCertificateListFromBytes(
+ ca_cert_data.data(), ca_cert_data.size(),
+ X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(1U, ca_certs.size());
+
+ // Import CA cert and trust it.
+ CertDatabase::ImportCertFailureList failed;
+ EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL,
+ &failed));
+ EXPECT_EQ(0U, failed.size());
+
+ std::string server_cert_data = ReadTestFile("ok_cert.pem");
+ CertificateList certs = X509Certificate::CreateCertificateListFromBytes(
+ server_cert_data.data(), server_cert_data.size(),
+ X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(1U, certs.size());
+
+ // Import server cert without inheriting trust from issuer (explicit
+ // distrust).
+ EXPECT_TRUE(cert_db_.ImportServerCert(
+ certs, CertDatabase::TRUST_TERMINAL_RECORD, &failed));
+ EXPECT_EQ(0U, failed.size());
+ EXPECT_EQ(CertDatabase::TRUST_TERMINAL_RECORD,
+ cert_db_.GetCertTrust(certs[0], SERVER_CERT));
+
+ // Server cert should fail to verify.
+ scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+ int flags = 0;
+ CertVerifyResult verify_result;
+ int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
+ NULL, &verify_result);
+ EXPECT_EQ(ERR_CERT_REVOKED, error);
+ EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
+}
+
} // namespace net
« net/base/cert_database.h ('K') | « net/base/cert_database_nss.cc ('k') | net/third_party/mozilla_security_manager/nsNSSCertTrust.h » ('j') | net/third_party/mozilla_security_manager/nsNSSCertTrust.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698