| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <cert.h> | 5 #include <cert.h> |
| 6 #include <certdb.h> | 6 #include <certdb.h> |
| 7 #include <pk11pub.h> | 7 #include <pk11pub.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| (...skipping 538 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 549 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 549 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
| 550 | 550 |
| 551 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 551 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 552 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); | 552 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| 553 | 553 |
| 554 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); | 554 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); |
| 555 | 555 |
| 556 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 556 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 557 int flags = 0; | 557 int flags = 0; |
| 558 CertVerifyResult verify_result; | 558 CertVerifyResult verify_result; |
| 559 int error = verify_proc->Verify(goog_cert.get(), | 559 int error = |
| 560 "www.google.com", | 560 verify_proc->Verify(goog_cert.get(), "www.google.com", std::string(), |
| 561 flags, | 561 flags, NULL, empty_cert_list_, &verify_result); |
| 562 NULL, | |
| 563 empty_cert_list_, | |
| 564 &verify_result); | |
| 565 EXPECT_EQ(OK, error); | 562 EXPECT_EQ(OK, error); |
| 566 EXPECT_EQ(0U, verify_result.cert_status); | 563 EXPECT_EQ(0U, verify_result.cert_status); |
| 567 } | 564 } |
| 568 | 565 |
| 569 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 566 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| 570 CertificateList certs; | 567 CertificateList certs; |
| 571 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); | 568 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); |
| 572 | 569 |
| 573 NSSCertDatabase::ImportCertFailureList failed; | 570 NSSCertDatabase::ImportCertFailureList failed; |
| 574 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, | 571 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 575 &failed)); | 572 &failed)); |
| 576 | 573 |
| 577 EXPECT_EQ(0U, failed.size()); | 574 EXPECT_EQ(0U, failed.size()); |
| 578 | 575 |
| 579 CertificateList cert_list = ListCerts(); | 576 CertificateList cert_list = ListCerts(); |
| 580 ASSERT_EQ(1U, cert_list.size()); | 577 ASSERT_EQ(1U, cert_list.size()); |
| 581 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 578 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 582 | 579 |
| 583 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 580 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 584 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 581 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 585 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); | 582 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); |
| 586 | 583 |
| 587 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 584 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 588 int flags = 0; | 585 int flags = 0; |
| 589 CertVerifyResult verify_result; | 586 CertVerifyResult verify_result; |
| 590 int error = verify_proc->Verify(puny_cert.get(), | 587 int error = |
| 591 "xn--wgv71a119e.com", | 588 verify_proc->Verify(puny_cert.get(), "xn--wgv71a119e.com", std::string(), |
| 592 flags, | 589 flags, NULL, empty_cert_list_, &verify_result); |
| 593 NULL, | |
| 594 empty_cert_list_, | |
| 595 &verify_result); | |
| 596 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 590 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 597 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 591 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 598 } | 592 } |
| 599 | 593 |
| 600 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { | 594 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { |
| 601 CertificateList certs; | 595 CertificateList certs; |
| 602 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); | 596 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); |
| 603 | 597 |
| 604 NSSCertDatabase::ImportCertFailureList failed; | 598 NSSCertDatabase::ImportCertFailureList failed; |
| 605 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, | 599 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, |
| 606 &failed)); | 600 &failed)); |
| 607 | 601 |
| 608 EXPECT_EQ(0U, failed.size()); | 602 EXPECT_EQ(0U, failed.size()); |
| 609 | 603 |
| 610 CertificateList cert_list = ListCerts(); | 604 CertificateList cert_list = ListCerts(); |
| 611 ASSERT_EQ(1U, cert_list.size()); | 605 ASSERT_EQ(1U, cert_list.size()); |
| 612 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 606 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 613 | 607 |
| 614 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, | 608 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, |
| 615 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 609 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 616 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), | 610 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), |
| 617 puny_cert->os_cert_handle()->trust->sslFlags); | 611 puny_cert->os_cert_handle()->trust->sslFlags); |
| 618 | 612 |
| 619 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 613 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 620 int flags = 0; | 614 int flags = 0; |
| 621 CertVerifyResult verify_result; | 615 CertVerifyResult verify_result; |
| 622 int error = verify_proc->Verify(puny_cert.get(), | 616 int error = |
| 623 "xn--wgv71a119e.com", | 617 verify_proc->Verify(puny_cert.get(), "xn--wgv71a119e.com", std::string(), |
| 624 flags, | 618 flags, NULL, empty_cert_list_, &verify_result); |
| 625 NULL, | |
| 626 empty_cert_list_, | |
| 627 &verify_result); | |
| 628 EXPECT_EQ(OK, error); | 619 EXPECT_EQ(OK, error); |
| 629 EXPECT_EQ(0U, verify_result.cert_status); | 620 EXPECT_EQ(0U, verify_result.cert_status); |
| 630 } | 621 } |
| 631 | 622 |
| 632 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { | 623 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { |
| 633 CertificateList ca_certs = CreateCertificateListFromFile( | 624 CertificateList ca_certs = CreateCertificateListFromFile( |
| 634 GetTestCertsDirectory(), "root_ca_cert.pem", | 625 GetTestCertsDirectory(), "root_ca_cert.pem", |
| 635 X509Certificate::FORMAT_AUTO); | 626 X509Certificate::FORMAT_AUTO); |
| 636 ASSERT_EQ(1U, ca_certs.size()); | 627 ASSERT_EQ(1U, ca_certs.size()); |
| 637 | 628 |
| (...skipping 10 matching lines...) Expand all Loading... |
| 648 | 639 |
| 649 // Import server cert with default trust. | 640 // Import server cert with default trust. |
| 650 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, | 641 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 651 &failed)); | 642 &failed)); |
| 652 EXPECT_EQ(0U, failed.size()); | 643 EXPECT_EQ(0U, failed.size()); |
| 653 | 644 |
| 654 // Server cert should verify. | 645 // Server cert should verify. |
| 655 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 646 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 656 int flags = 0; | 647 int flags = 0; |
| 657 CertVerifyResult verify_result; | 648 CertVerifyResult verify_result; |
| 658 int error = verify_proc->Verify(certs[0].get(), | 649 int error = |
| 659 "127.0.0.1", | 650 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 660 flags, | 651 NULL, empty_cert_list_, &verify_result); |
| 661 NULL, | |
| 662 empty_cert_list_, | |
| 663 &verify_result); | |
| 664 EXPECT_EQ(OK, error); | 652 EXPECT_EQ(OK, error); |
| 665 EXPECT_EQ(0U, verify_result.cert_status); | 653 EXPECT_EQ(0U, verify_result.cert_status); |
| 666 } | 654 } |
| 667 | 655 |
| 668 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { | 656 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { |
| 669 CertificateList ca_certs = CreateCertificateListFromFile( | 657 CertificateList ca_certs = CreateCertificateListFromFile( |
| 670 GetTestCertsDirectory(), "root_ca_cert.pem", | 658 GetTestCertsDirectory(), "root_ca_cert.pem", |
| 671 X509Certificate::FORMAT_AUTO); | 659 X509Certificate::FORMAT_AUTO); |
| 672 ASSERT_EQ(1U, ca_certs.size()); | 660 ASSERT_EQ(1U, ca_certs.size()); |
| 673 | 661 |
| (...skipping 16 matching lines...) Expand all Loading... |
| 690 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL, | 678 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL, |
| 691 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 679 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 692 | 680 |
| 693 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | 681 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 694 certs[0]->os_cert_handle()->trust->sslFlags); | 682 certs[0]->os_cert_handle()->trust->sslFlags); |
| 695 | 683 |
| 696 // Server cert should fail to verify. | 684 // Server cert should fail to verify. |
| 697 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 685 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 698 int flags = 0; | 686 int flags = 0; |
| 699 CertVerifyResult verify_result; | 687 CertVerifyResult verify_result; |
| 700 int error = verify_proc->Verify(certs[0].get(), | 688 int error = |
| 701 "127.0.0.1", | 689 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 702 flags, | 690 NULL, empty_cert_list_, &verify_result); |
| 703 NULL, | |
| 704 empty_cert_list_, | |
| 705 &verify_result); | |
| 706 EXPECT_EQ(ERR_CERT_REVOKED, error); | 691 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 707 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); | 692 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 708 } | 693 } |
| 709 | 694 |
| 710 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { | 695 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { |
| 711 CertificateList ca_certs = CreateCertificateListFromFile( | 696 CertificateList ca_certs = CreateCertificateListFromFile( |
| 712 GetTestCertsDirectory(), "2048-rsa-root.pem", | 697 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 713 X509Certificate::FORMAT_AUTO); | 698 X509Certificate::FORMAT_AUTO); |
| 714 ASSERT_EQ(1U, ca_certs.size()); | 699 ASSERT_EQ(1U, ca_certs.size()); |
| 715 | 700 |
| (...skipping 22 matching lines...) Expand all Loading... |
| 738 EXPECT_TRUE(cert_db_->ImportServerCert( | 723 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 739 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 724 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 740 EXPECT_EQ(0U, failed.size()); | 725 EXPECT_EQ(0U, failed.size()); |
| 741 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 726 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 742 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 727 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 743 | 728 |
| 744 // Server cert should verify. | 729 // Server cert should verify. |
| 745 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 730 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 746 int flags = 0; | 731 int flags = 0; |
| 747 CertVerifyResult verify_result; | 732 CertVerifyResult verify_result; |
| 748 int error = verify_proc->Verify(certs[0].get(), | 733 int error = |
| 749 "127.0.0.1", | 734 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 750 flags, | 735 NULL, empty_cert_list_, &verify_result); |
| 751 NULL, | |
| 752 empty_cert_list_, | |
| 753 &verify_result); | |
| 754 EXPECT_EQ(OK, error); | 736 EXPECT_EQ(OK, error); |
| 755 EXPECT_EQ(0U, verify_result.cert_status); | 737 EXPECT_EQ(0U, verify_result.cert_status); |
| 756 | 738 |
| 757 // Trust the root cert and distrust the intermediate. | 739 // Trust the root cert and distrust the intermediate. |
| 758 EXPECT_TRUE(cert_db_->SetCertTrust( | 740 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 759 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL)); | 741 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL)); |
| 760 EXPECT_TRUE(cert_db_->SetCertTrust( | 742 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 761 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL)); | 743 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL)); |
| 762 EXPECT_EQ( | 744 EXPECT_EQ( |
| 763 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), | 745 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), |
| 764 ca_certs[0]->os_cert_handle()->trust->sslFlags); | 746 ca_certs[0]->os_cert_handle()->trust->sslFlags); |
| 765 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 747 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 766 ca_certs[0]->os_cert_handle()->trust->emailFlags); | 748 ca_certs[0]->os_cert_handle()->trust->emailFlags); |
| 767 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 749 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 768 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); | 750 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 769 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | 751 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 770 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); | 752 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); |
| 771 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 753 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 772 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); | 754 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); |
| 773 EXPECT_EQ( | 755 EXPECT_EQ( |
| 774 unsigned(CERTDB_VALID_CA), | 756 unsigned(CERTDB_VALID_CA), |
| 775 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); | 757 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 776 | 758 |
| 777 // Server cert should fail to verify. | 759 // Server cert should fail to verify. |
| 778 CertVerifyResult verify_result2; | 760 CertVerifyResult verify_result2; |
| 779 error = verify_proc->Verify(certs[0].get(), | 761 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 780 "127.0.0.1", | 762 NULL, empty_cert_list_, &verify_result2); |
| 781 flags, | |
| 782 NULL, | |
| 783 empty_cert_list_, | |
| 784 &verify_result2); | |
| 785 EXPECT_EQ(ERR_CERT_REVOKED, error); | 763 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 786 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); | 764 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); |
| 787 } | 765 } |
| 788 | 766 |
| 789 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { | 767 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { |
| 790 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { | 768 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { |
| 791 // See http://bugzil.la/863947 for details. | 769 // See http://bugzil.la/863947 for details. |
| 792 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; | 770 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; |
| 793 return; | 771 return; |
| 794 } | 772 } |
| (...skipping 19 matching lines...) Expand all Loading... |
| 814 EXPECT_TRUE(cert_db_->ImportServerCert( | 792 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 815 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 793 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 816 EXPECT_EQ(0U, failed.size()); | 794 EXPECT_EQ(0U, failed.size()); |
| 817 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 795 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 818 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 796 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 819 | 797 |
| 820 // Server cert should verify. | 798 // Server cert should verify. |
| 821 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 799 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 822 int flags = 0; | 800 int flags = 0; |
| 823 CertVerifyResult verify_result; | 801 CertVerifyResult verify_result; |
| 824 int error = verify_proc->Verify(certs[0].get(), | 802 int error = |
| 825 "127.0.0.1", | 803 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 826 flags, | 804 NULL, empty_cert_list_, &verify_result); |
| 827 NULL, | |
| 828 empty_cert_list_, | |
| 829 &verify_result); | |
| 830 EXPECT_EQ(OK, error); | 805 EXPECT_EQ(OK, error); |
| 831 EXPECT_EQ(0U, verify_result.cert_status); | 806 EXPECT_EQ(0U, verify_result.cert_status); |
| 832 | 807 |
| 833 // Without explicit trust of the intermediate, verification should fail. | 808 // Without explicit trust of the intermediate, verification should fail. |
| 834 EXPECT_TRUE(cert_db_->SetCertTrust( | 809 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 835 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 810 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 836 | 811 |
| 837 // Server cert should fail to verify. | 812 // Server cert should fail to verify. |
| 838 CertVerifyResult verify_result2; | 813 CertVerifyResult verify_result2; |
| 839 error = verify_proc->Verify(certs[0].get(), | 814 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 840 "127.0.0.1", | 815 NULL, empty_cert_list_, &verify_result2); |
| 841 flags, | |
| 842 NULL, | |
| 843 empty_cert_list_, | |
| 844 &verify_result2); | |
| 845 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 816 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 846 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); | 817 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 847 } | 818 } |
| 848 | 819 |
| 849 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { | 820 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { |
| 850 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { | 821 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { |
| 851 // See http://bugzil.la/863947 for details. | 822 // See http://bugzil.la/863947 for details. |
| 852 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; | 823 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; |
| 853 return; | 824 return; |
| 854 } | 825 } |
| (...skipping 29 matching lines...) Expand all Loading... |
| 884 EXPECT_TRUE(cert_db_->ImportServerCert( | 855 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 885 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 856 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 886 EXPECT_EQ(0U, failed.size()); | 857 EXPECT_EQ(0U, failed.size()); |
| 887 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 858 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 888 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 859 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 889 | 860 |
| 890 // Server cert should verify. | 861 // Server cert should verify. |
| 891 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 862 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 892 int flags = 0; | 863 int flags = 0; |
| 893 CertVerifyResult verify_result; | 864 CertVerifyResult verify_result; |
| 894 int error = verify_proc->Verify(certs[0].get(), | 865 int error = |
| 895 "127.0.0.1", | 866 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 896 flags, | 867 NULL, empty_cert_list_, &verify_result); |
| 897 NULL, | |
| 898 empty_cert_list_, | |
| 899 &verify_result); | |
| 900 EXPECT_EQ(OK, error); | 868 EXPECT_EQ(OK, error); |
| 901 EXPECT_EQ(0U, verify_result.cert_status); | 869 EXPECT_EQ(0U, verify_result.cert_status); |
| 902 | 870 |
| 903 // Without explicit trust of the intermediate, verification should fail. | 871 // Without explicit trust of the intermediate, verification should fail. |
| 904 EXPECT_TRUE(cert_db_->SetCertTrust( | 872 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 905 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 873 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 906 | 874 |
| 907 // Server cert should fail to verify. | 875 // Server cert should fail to verify. |
| 908 CertVerifyResult verify_result2; | 876 CertVerifyResult verify_result2; |
| 909 error = verify_proc->Verify(certs[0].get(), | 877 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 910 "127.0.0.1", | 878 NULL, empty_cert_list_, &verify_result2); |
| 911 flags, | |
| 912 NULL, | |
| 913 empty_cert_list_, | |
| 914 &verify_result2); | |
| 915 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 879 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 916 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); | 880 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 917 } | 881 } |
| 918 | 882 |
| 919 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { | 883 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { |
| 920 NSSCertDatabase::ImportCertFailureList failed; | 884 NSSCertDatabase::ImportCertFailureList failed; |
| 921 | 885 |
| 922 CertificateList ca_certs = CreateCertificateListFromFile( | 886 CertificateList ca_certs = CreateCertificateListFromFile( |
| 923 GetTestCertsDirectory(), "2048-rsa-root.pem", | 887 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 924 X509Certificate::FORMAT_AUTO); | 888 X509Certificate::FORMAT_AUTO); |
| (...skipping 23 matching lines...) Expand all Loading... |
| 948 EXPECT_TRUE(cert_db_->ImportServerCert( | 912 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 949 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 913 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 950 EXPECT_EQ(0U, failed.size()); | 914 EXPECT_EQ(0U, failed.size()); |
| 951 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 915 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 952 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 916 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 953 | 917 |
| 954 // Server cert should not verify. | 918 // Server cert should not verify. |
| 955 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 919 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 956 int flags = 0; | 920 int flags = 0; |
| 957 CertVerifyResult verify_result; | 921 CertVerifyResult verify_result; |
| 958 int error = verify_proc->Verify(certs[0].get(), | 922 int error = |
| 959 "127.0.0.1", | 923 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 960 flags, | 924 NULL, empty_cert_list_, &verify_result); |
| 961 NULL, | |
| 962 empty_cert_list_, | |
| 963 &verify_result); | |
| 964 EXPECT_EQ(ERR_CERT_REVOKED, error); | 925 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 965 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); | 926 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 966 | 927 |
| 967 // Without explicit distrust of the intermediate, verification should succeed. | 928 // Without explicit distrust of the intermediate, verification should succeed. |
| 968 EXPECT_TRUE(cert_db_->SetCertTrust( | 929 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 969 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 930 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 970 | 931 |
| 971 // Server cert should verify. | 932 // Server cert should verify. |
| 972 CertVerifyResult verify_result2; | 933 CertVerifyResult verify_result2; |
| 973 error = verify_proc->Verify(certs[0].get(), | 934 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 974 "127.0.0.1", | 935 NULL, empty_cert_list_, &verify_result2); |
| 975 flags, | |
| 976 NULL, | |
| 977 empty_cert_list_, | |
| 978 &verify_result2); | |
| 979 EXPECT_EQ(OK, error); | 936 EXPECT_EQ(OK, error); |
| 980 EXPECT_EQ(0U, verify_result2.cert_status); | 937 EXPECT_EQ(0U, verify_result2.cert_status); |
| 981 } | 938 } |
| 982 | 939 |
| 983 // Importing two certificates with the same issuer and subject common name, | 940 // Importing two certificates with the same issuer and subject common name, |
| 984 // but overall distinct subject names, should succeed and generate a unique | 941 // but overall distinct subject names, should succeed and generate a unique |
| 985 // nickname for the second certificate. | 942 // nickname for the second certificate. |
| 986 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { | 943 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { |
| 987 CertificateList certs = | 944 CertificateList certs = |
| 988 CreateCertificateListFromFile(GetTestCertsDirectory(), | 945 CreateCertificateListFromFile(GetTestCertsDirectory(), |
| (...skipping 28 matching lines...) Expand all Loading... |
| 1017 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 974 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 1018 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); | 975 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); |
| 1019 | 976 |
| 1020 new_certs = ListCerts(); | 977 new_certs = ListCerts(); |
| 1021 ASSERT_EQ(2U, new_certs.size()); | 978 ASSERT_EQ(2U, new_certs.size()); |
| 1022 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, | 979 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, |
| 1023 new_certs[1]->os_cert_handle()->nickname); | 980 new_certs[1]->os_cert_handle()->nickname); |
| 1024 } | 981 } |
| 1025 | 982 |
| 1026 } // namespace net | 983 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1081913003:
Route OCSP stapling through CertVerifier. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@boringnss