| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <cert.h> | 5 #include <cert.h> |
| 6 #include <certdb.h> | 6 #include <certdb.h> |
| 7 #include <pk11pub.h> | 7 #include <pk11pub.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| (...skipping 536 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 547 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 547 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
| 548 | 548 |
| 549 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 549 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 550 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); | 550 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| 551 | 551 |
| 552 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); | 552 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); |
| 553 | 553 |
| 554 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 554 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 555 int flags = 0; | 555 int flags = 0; |
| 556 CertVerifyResult verify_result; | 556 CertVerifyResult verify_result; |
| 557 int error = verify_proc->Verify(goog_cert.get(), | 557 int error = |
| 558 "www.google.com", | 558 verify_proc->Verify(goog_cert.get(), "www.google.com", std::string(), |
| 559 flags, | 559 flags, NULL, empty_cert_list_, &verify_result); |
| 560 NULL, | |
| 561 empty_cert_list_, | |
| 562 &verify_result); | |
| 563 EXPECT_EQ(OK, error); | 560 EXPECT_EQ(OK, error); |
| 564 EXPECT_EQ(0U, verify_result.cert_status); | 561 EXPECT_EQ(0U, verify_result.cert_status); |
| 565 } | 562 } |
| 566 | 563 |
| 567 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 564 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| 568 CertificateList certs; | 565 CertificateList certs; |
| 569 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); | 566 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); |
| 570 | 567 |
| 571 NSSCertDatabase::ImportCertFailureList failed; | 568 NSSCertDatabase::ImportCertFailureList failed; |
| 572 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, | 569 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 573 &failed)); | 570 &failed)); |
| 574 | 571 |
| 575 EXPECT_EQ(0U, failed.size()); | 572 EXPECT_EQ(0U, failed.size()); |
| 576 | 573 |
| 577 CertificateList cert_list = ListCerts(); | 574 CertificateList cert_list = ListCerts(); |
| 578 ASSERT_EQ(1U, cert_list.size()); | 575 ASSERT_EQ(1U, cert_list.size()); |
| 579 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 576 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 580 | 577 |
| 581 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 578 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 582 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 579 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 583 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); | 580 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); |
| 584 | 581 |
| 585 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 582 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 586 int flags = 0; | 583 int flags = 0; |
| 587 CertVerifyResult verify_result; | 584 CertVerifyResult verify_result; |
| 588 int error = verify_proc->Verify(puny_cert.get(), | 585 int error = |
| 589 "xn--wgv71a119e.com", | 586 verify_proc->Verify(puny_cert.get(), "xn--wgv71a119e.com", std::string(), |
| 590 flags, | 587 flags, NULL, empty_cert_list_, &verify_result); |
| 591 NULL, | |
| 592 empty_cert_list_, | |
| 593 &verify_result); | |
| 594 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 588 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 595 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 589 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 596 } | 590 } |
| 597 | 591 |
| 598 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { | 592 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { |
| 599 CertificateList certs; | 593 CertificateList certs; |
| 600 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); | 594 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); |
| 601 | 595 |
| 602 NSSCertDatabase::ImportCertFailureList failed; | 596 NSSCertDatabase::ImportCertFailureList failed; |
| 603 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, | 597 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, |
| 604 &failed)); | 598 &failed)); |
| 605 | 599 |
| 606 EXPECT_EQ(0U, failed.size()); | 600 EXPECT_EQ(0U, failed.size()); |
| 607 | 601 |
| 608 CertificateList cert_list = ListCerts(); | 602 CertificateList cert_list = ListCerts(); |
| 609 ASSERT_EQ(1U, cert_list.size()); | 603 ASSERT_EQ(1U, cert_list.size()); |
| 610 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 604 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 611 | 605 |
| 612 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, | 606 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, |
| 613 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 607 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 614 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), | 608 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), |
| 615 puny_cert->os_cert_handle()->trust->sslFlags); | 609 puny_cert->os_cert_handle()->trust->sslFlags); |
| 616 | 610 |
| 617 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 611 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 618 int flags = 0; | 612 int flags = 0; |
| 619 CertVerifyResult verify_result; | 613 CertVerifyResult verify_result; |
| 620 int error = verify_proc->Verify(puny_cert.get(), | 614 int error = |
| 621 "xn--wgv71a119e.com", | 615 verify_proc->Verify(puny_cert.get(), "xn--wgv71a119e.com", std::string(), |
| 622 flags, | 616 flags, NULL, empty_cert_list_, &verify_result); |
| 623 NULL, | |
| 624 empty_cert_list_, | |
| 625 &verify_result); | |
| 626 EXPECT_EQ(OK, error); | 617 EXPECT_EQ(OK, error); |
| 627 EXPECT_EQ(0U, verify_result.cert_status); | 618 EXPECT_EQ(0U, verify_result.cert_status); |
| 628 } | 619 } |
| 629 | 620 |
| 630 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { | 621 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { |
| 631 CertificateList ca_certs = CreateCertificateListFromFile( | 622 CertificateList ca_certs = CreateCertificateListFromFile( |
| 632 GetTestCertsDirectory(), "root_ca_cert.pem", | 623 GetTestCertsDirectory(), "root_ca_cert.pem", |
| 633 X509Certificate::FORMAT_AUTO); | 624 X509Certificate::FORMAT_AUTO); |
| 634 ASSERT_EQ(1U, ca_certs.size()); | 625 ASSERT_EQ(1U, ca_certs.size()); |
| 635 | 626 |
| (...skipping 10 matching lines...) Expand all Loading... |
| 646 | 637 |
| 647 // Import server cert with default trust. | 638 // Import server cert with default trust. |
| 648 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, | 639 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 649 &failed)); | 640 &failed)); |
| 650 EXPECT_EQ(0U, failed.size()); | 641 EXPECT_EQ(0U, failed.size()); |
| 651 | 642 |
| 652 // Server cert should verify. | 643 // Server cert should verify. |
| 653 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 644 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 654 int flags = 0; | 645 int flags = 0; |
| 655 CertVerifyResult verify_result; | 646 CertVerifyResult verify_result; |
| 656 int error = verify_proc->Verify(certs[0].get(), | 647 int error = |
| 657 "127.0.0.1", | 648 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 658 flags, | 649 NULL, empty_cert_list_, &verify_result); |
| 659 NULL, | |
| 660 empty_cert_list_, | |
| 661 &verify_result); | |
| 662 EXPECT_EQ(OK, error); | 650 EXPECT_EQ(OK, error); |
| 663 EXPECT_EQ(0U, verify_result.cert_status); | 651 EXPECT_EQ(0U, verify_result.cert_status); |
| 664 } | 652 } |
| 665 | 653 |
| 666 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { | 654 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { |
| 667 CertificateList ca_certs = CreateCertificateListFromFile( | 655 CertificateList ca_certs = CreateCertificateListFromFile( |
| 668 GetTestCertsDirectory(), "root_ca_cert.pem", | 656 GetTestCertsDirectory(), "root_ca_cert.pem", |
| 669 X509Certificate::FORMAT_AUTO); | 657 X509Certificate::FORMAT_AUTO); |
| 670 ASSERT_EQ(1U, ca_certs.size()); | 658 ASSERT_EQ(1U, ca_certs.size()); |
| 671 | 659 |
| (...skipping 16 matching lines...) Expand all Loading... |
| 688 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL, | 676 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL, |
| 689 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 677 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 690 | 678 |
| 691 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | 679 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 692 certs[0]->os_cert_handle()->trust->sslFlags); | 680 certs[0]->os_cert_handle()->trust->sslFlags); |
| 693 | 681 |
| 694 // Server cert should fail to verify. | 682 // Server cert should fail to verify. |
| 695 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 683 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 696 int flags = 0; | 684 int flags = 0; |
| 697 CertVerifyResult verify_result; | 685 CertVerifyResult verify_result; |
| 698 int error = verify_proc->Verify(certs[0].get(), | 686 int error = |
| 699 "127.0.0.1", | 687 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 700 flags, | 688 NULL, empty_cert_list_, &verify_result); |
| 701 NULL, | |
| 702 empty_cert_list_, | |
| 703 &verify_result); | |
| 704 EXPECT_EQ(ERR_CERT_REVOKED, error); | 689 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 705 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); | 690 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 706 } | 691 } |
| 707 | 692 |
| 708 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { | 693 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { |
| 709 CertificateList ca_certs = CreateCertificateListFromFile( | 694 CertificateList ca_certs = CreateCertificateListFromFile( |
| 710 GetTestCertsDirectory(), "2048-rsa-root.pem", | 695 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 711 X509Certificate::FORMAT_AUTO); | 696 X509Certificate::FORMAT_AUTO); |
| 712 ASSERT_EQ(1U, ca_certs.size()); | 697 ASSERT_EQ(1U, ca_certs.size()); |
| 713 | 698 |
| (...skipping 22 matching lines...) Expand all Loading... |
| 736 EXPECT_TRUE(cert_db_->ImportServerCert( | 721 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 737 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 722 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 738 EXPECT_EQ(0U, failed.size()); | 723 EXPECT_EQ(0U, failed.size()); |
| 739 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 724 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 740 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 725 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 741 | 726 |
| 742 // Server cert should verify. | 727 // Server cert should verify. |
| 743 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 728 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 744 int flags = 0; | 729 int flags = 0; |
| 745 CertVerifyResult verify_result; | 730 CertVerifyResult verify_result; |
| 746 int error = verify_proc->Verify(certs[0].get(), | 731 int error = |
| 747 "127.0.0.1", | 732 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 748 flags, | 733 NULL, empty_cert_list_, &verify_result); |
| 749 NULL, | |
| 750 empty_cert_list_, | |
| 751 &verify_result); | |
| 752 EXPECT_EQ(OK, error); | 734 EXPECT_EQ(OK, error); |
| 753 EXPECT_EQ(0U, verify_result.cert_status); | 735 EXPECT_EQ(0U, verify_result.cert_status); |
| 754 | 736 |
| 755 // Trust the root cert and distrust the intermediate. | 737 // Trust the root cert and distrust the intermediate. |
| 756 EXPECT_TRUE(cert_db_->SetCertTrust( | 738 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 757 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL)); | 739 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL)); |
| 758 EXPECT_TRUE(cert_db_->SetCertTrust( | 740 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 759 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL)); | 741 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL)); |
| 760 EXPECT_EQ( | 742 EXPECT_EQ( |
| 761 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), | 743 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), |
| 762 ca_certs[0]->os_cert_handle()->trust->sslFlags); | 744 ca_certs[0]->os_cert_handle()->trust->sslFlags); |
| 763 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 745 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 764 ca_certs[0]->os_cert_handle()->trust->emailFlags); | 746 ca_certs[0]->os_cert_handle()->trust->emailFlags); |
| 765 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 747 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 766 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); | 748 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 767 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | 749 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 768 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); | 750 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); |
| 769 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 751 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 770 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); | 752 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); |
| 771 EXPECT_EQ( | 753 EXPECT_EQ( |
| 772 unsigned(CERTDB_VALID_CA), | 754 unsigned(CERTDB_VALID_CA), |
| 773 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); | 755 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 774 | 756 |
| 775 // Server cert should fail to verify. | 757 // Server cert should fail to verify. |
| 776 CertVerifyResult verify_result2; | 758 CertVerifyResult verify_result2; |
| 777 error = verify_proc->Verify(certs[0].get(), | 759 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 778 "127.0.0.1", | 760 NULL, empty_cert_list_, &verify_result2); |
| 779 flags, | |
| 780 NULL, | |
| 781 empty_cert_list_, | |
| 782 &verify_result2); | |
| 783 EXPECT_EQ(ERR_CERT_REVOKED, error); | 761 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 784 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); | 762 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); |
| 785 } | 763 } |
| 786 | 764 |
| 787 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { | 765 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { |
| 788 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { | 766 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { |
| 789 // See http://bugzil.la/863947 for details. | 767 // See http://bugzil.la/863947 for details. |
| 790 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; | 768 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; |
| 791 return; | 769 return; |
| 792 } | 770 } |
| (...skipping 19 matching lines...) Expand all Loading... |
| 812 EXPECT_TRUE(cert_db_->ImportServerCert( | 790 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 813 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 791 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 814 EXPECT_EQ(0U, failed.size()); | 792 EXPECT_EQ(0U, failed.size()); |
| 815 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 793 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 816 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 794 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 817 | 795 |
| 818 // Server cert should verify. | 796 // Server cert should verify. |
| 819 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 797 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 820 int flags = 0; | 798 int flags = 0; |
| 821 CertVerifyResult verify_result; | 799 CertVerifyResult verify_result; |
| 822 int error = verify_proc->Verify(certs[0].get(), | 800 int error = |
| 823 "127.0.0.1", | 801 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 824 flags, | 802 NULL, empty_cert_list_, &verify_result); |
| 825 NULL, | |
| 826 empty_cert_list_, | |
| 827 &verify_result); | |
| 828 EXPECT_EQ(OK, error); | 803 EXPECT_EQ(OK, error); |
| 829 EXPECT_EQ(0U, verify_result.cert_status); | 804 EXPECT_EQ(0U, verify_result.cert_status); |
| 830 | 805 |
| 831 // Without explicit trust of the intermediate, verification should fail. | 806 // Without explicit trust of the intermediate, verification should fail. |
| 832 EXPECT_TRUE(cert_db_->SetCertTrust( | 807 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 833 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 808 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 834 | 809 |
| 835 // Server cert should fail to verify. | 810 // Server cert should fail to verify. |
| 836 CertVerifyResult verify_result2; | 811 CertVerifyResult verify_result2; |
| 837 error = verify_proc->Verify(certs[0].get(), | 812 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 838 "127.0.0.1", | 813 NULL, empty_cert_list_, &verify_result2); |
| 839 flags, | |
| 840 NULL, | |
| 841 empty_cert_list_, | |
| 842 &verify_result2); | |
| 843 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 814 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 844 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); | 815 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 845 } | 816 } |
| 846 | 817 |
| 847 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { | 818 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { |
| 848 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { | 819 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { |
| 849 // See http://bugzil.la/863947 for details. | 820 // See http://bugzil.la/863947 for details. |
| 850 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; | 821 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; |
| 851 return; | 822 return; |
| 852 } | 823 } |
| (...skipping 29 matching lines...) Expand all Loading... |
| 882 EXPECT_TRUE(cert_db_->ImportServerCert( | 853 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 883 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 854 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 884 EXPECT_EQ(0U, failed.size()); | 855 EXPECT_EQ(0U, failed.size()); |
| 885 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 856 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 886 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 857 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 887 | 858 |
| 888 // Server cert should verify. | 859 // Server cert should verify. |
| 889 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 860 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 890 int flags = 0; | 861 int flags = 0; |
| 891 CertVerifyResult verify_result; | 862 CertVerifyResult verify_result; |
| 892 int error = verify_proc->Verify(certs[0].get(), | 863 int error = |
| 893 "127.0.0.1", | 864 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 894 flags, | 865 NULL, empty_cert_list_, &verify_result); |
| 895 NULL, | |
| 896 empty_cert_list_, | |
| 897 &verify_result); | |
| 898 EXPECT_EQ(OK, error); | 866 EXPECT_EQ(OK, error); |
| 899 EXPECT_EQ(0U, verify_result.cert_status); | 867 EXPECT_EQ(0U, verify_result.cert_status); |
| 900 | 868 |
| 901 // Without explicit trust of the intermediate, verification should fail. | 869 // Without explicit trust of the intermediate, verification should fail. |
| 902 EXPECT_TRUE(cert_db_->SetCertTrust( | 870 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 903 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 871 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 904 | 872 |
| 905 // Server cert should fail to verify. | 873 // Server cert should fail to verify. |
| 906 CertVerifyResult verify_result2; | 874 CertVerifyResult verify_result2; |
| 907 error = verify_proc->Verify(certs[0].get(), | 875 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 908 "127.0.0.1", | 876 NULL, empty_cert_list_, &verify_result2); |
| 909 flags, | |
| 910 NULL, | |
| 911 empty_cert_list_, | |
| 912 &verify_result2); | |
| 913 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 877 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 914 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); | 878 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 915 } | 879 } |
| 916 | 880 |
| 917 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { | 881 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { |
| 918 NSSCertDatabase::ImportCertFailureList failed; | 882 NSSCertDatabase::ImportCertFailureList failed; |
| 919 | 883 |
| 920 CertificateList ca_certs = CreateCertificateListFromFile( | 884 CertificateList ca_certs = CreateCertificateListFromFile( |
| 921 GetTestCertsDirectory(), "2048-rsa-root.pem", | 885 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 922 X509Certificate::FORMAT_AUTO); | 886 X509Certificate::FORMAT_AUTO); |
| (...skipping 23 matching lines...) Expand all Loading... |
| 946 EXPECT_TRUE(cert_db_->ImportServerCert( | 910 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 947 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 911 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 948 EXPECT_EQ(0U, failed.size()); | 912 EXPECT_EQ(0U, failed.size()); |
| 949 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 913 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 950 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 914 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 951 | 915 |
| 952 // Server cert should not verify. | 916 // Server cert should not verify. |
| 953 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 917 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 954 int flags = 0; | 918 int flags = 0; |
| 955 CertVerifyResult verify_result; | 919 CertVerifyResult verify_result; |
| 956 int error = verify_proc->Verify(certs[0].get(), | 920 int error = |
| 957 "127.0.0.1", | 921 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 958 flags, | 922 NULL, empty_cert_list_, &verify_result); |
| 959 NULL, | |
| 960 empty_cert_list_, | |
| 961 &verify_result); | |
| 962 EXPECT_EQ(ERR_CERT_REVOKED, error); | 923 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 963 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); | 924 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 964 | 925 |
| 965 // Without explicit distrust of the intermediate, verification should succeed. | 926 // Without explicit distrust of the intermediate, verification should succeed. |
| 966 EXPECT_TRUE(cert_db_->SetCertTrust( | 927 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 967 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 928 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 968 | 929 |
| 969 // Server cert should verify. | 930 // Server cert should verify. |
| 970 CertVerifyResult verify_result2; | 931 CertVerifyResult verify_result2; |
| 971 error = verify_proc->Verify(certs[0].get(), | 932 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 972 "127.0.0.1", | 933 NULL, empty_cert_list_, &verify_result2); |
| 973 flags, | |
| 974 NULL, | |
| 975 empty_cert_list_, | |
| 976 &verify_result2); | |
| 977 EXPECT_EQ(OK, error); | 934 EXPECT_EQ(OK, error); |
| 978 EXPECT_EQ(0U, verify_result2.cert_status); | 935 EXPECT_EQ(0U, verify_result2.cert_status); |
| 979 } | 936 } |
| 980 | 937 |
| 981 // Importing two certificates with the same issuer and subject common name, | 938 // Importing two certificates with the same issuer and subject common name, |
| 982 // but overall distinct subject names, should succeed and generate a unique | 939 // but overall distinct subject names, should succeed and generate a unique |
| 983 // nickname for the second certificate. | 940 // nickname for the second certificate. |
| 984 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { | 941 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { |
| 985 CertificateList certs = | 942 CertificateList certs = |
| 986 CreateCertificateListFromFile(GetTestCertsDirectory(), | 943 CreateCertificateListFromFile(GetTestCertsDirectory(), |
| (...skipping 28 matching lines...) Expand all Loading... |
| 1015 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 972 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 1016 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); | 973 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); |
| 1017 | 974 |
| 1018 new_certs = ListCerts(); | 975 new_certs = ListCerts(); |
| 1019 ASSERT_EQ(2U, new_certs.size()); | 976 ASSERT_EQ(2U, new_certs.size()); |
| 1020 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, | 977 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, |
| 1021 new_certs[1]->os_cert_handle()->nickname); | 978 new_certs[1]->os_cert_handle()->nickname); |
| 1022 } | 979 } |
| 1023 | 980 |
| 1024 } // namespace net | 981 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1081913003:
Route OCSP stapling through CertVerifier. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@boringnss