Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(222)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/base/cert_database_nss_unittest.cc

Issue 10916094: Move the NSS functions out of CertDatabase into a new NSSCertDatabase class. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Addressed comments Created 8 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/base/cert_database.cc ('K') | « net/base/cert_database_nss.cc ('k') | net/base/cert_database_openssl.cc » ('j') | net/base/nss_cert_database.h » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <cert.h>
6 #include <certdb.h>
7 #include <pk11pub.h>
8
9 #include <algorithm>
10
11 #include "base/file_path.h"
12 #include "base/file_util.h"
13 #include "base/lazy_instance.h"
14 #include "base/message_loop.h"
15 #include "base/path_service.h"
16 #include "base/string16.h"
17 #include "base/string_util.h"
18 #include "base/utf_string_conversions.h"
19 #include "crypto/nss_util.h"
20 #include "crypto/nss_util_internal.h"
21 #include "crypto/scoped_nss_types.h"
22 #include "net/base/cert_database.h"
23 #include "net/base/cert_status_flags.h"
24 #include "net/base/cert_test_util.h"
25 #include "net/base/cert_verify_proc.h"
26 #include "net/base/cert_verify_result.h"
27 #include "net/base/crypto_module.h"
28 #include "net/base/net_errors.h"
29 #include "net/base/x509_certificate.h"
30 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
31 #include "testing/gtest/include/gtest/gtest.h"
32
33 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
34 // the new name of the macro.
35 #if !defined(CERTDB_TERMINAL_RECORD)
36 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
37 #endif
38
39 namespace net {
40
41 // TODO(mattm): when https://bugzilla.mozilla.org/show_bug.cgi?id=588269 is
42 // fixed, switch back to using a separate userdb for each test.
43 // (When doing so, remember to add some standalone tests of DeleteCert since it
44 // won't be tested by TearDown anymore.)
45 class CertDatabaseNSSTest : public testing::Test {
46 public:
47 static void SetUpTestCase() {
48 ASSERT_TRUE(crypto::OpenTestNSSDB());
49 // There is no matching TearDownTestCase call to close the test NSS DB
50 // because that would leave NSS in a potentially broken state for further
51 // tests, due to https://bugzilla.mozilla.org/show_bug.cgi?id=588269
52 }
53
54 virtual void SetUp() {
55 slot_ = cert_db_.GetPublicModule();
56
57 // Test db should be empty at start of test.
58 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
59 }
60
61 virtual void TearDown() {
62 // Don't try to cleanup if the setup failed.
63 ASSERT_TRUE(slot_->os_module_handle());
64
65 EXPECT_TRUE(CleanupSlotContents(slot_->os_module_handle()));
66
67 // Run the message loop to process any observer callbacks (e.g. for the
68 // ClientSocketFactory singleton) so that the scoped ref ptrs created in
69 // CertDatabase::NotifyObservers* get released.
70 MessageLoop::current()->RunAllPending();
71
72 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
73 }
74
75 protected:
76 static std::string ReadTestFile(const std::string& name) {
77 std::string result;
78 FilePath cert_path = GetTestCertsDirectory().AppendASCII(name);
79 EXPECT_TRUE(file_util::ReadFileToString(cert_path, &result));
80 return result;
81 }
82
83 static bool ReadCertIntoList(const std::string& name,
84 CertificateList* certs) {
85 scoped_refptr<X509Certificate> cert(
86 ImportCertFromFile(GetTestCertsDirectory(), name));
87 if (!cert.get())
88 return false;
89
90 certs->push_back(cert);
91 return true;
92 }
93
94 static CertificateList ListCertsInSlot(PK11SlotInfo* slot) {
95 CertificateList result;
96 CERTCertList* cert_list = PK11_ListCertsInSlot(slot);
97 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
98 !CERT_LIST_END(node, cert_list);
99 node = CERT_LIST_NEXT(node)) {
100 result.push_back(X509Certificate::CreateFromHandle(
101 node->cert, X509Certificate::OSCertHandles()));
102 }
103 CERT_DestroyCertList(cert_list);
104
105 // Sort the result so that test comparisons can be deterministic.
106 std::sort(result.begin(), result.end(), X509Certificate::LessThan());
107 return result;
108 }
109
110 scoped_refptr<CryptoModule> slot_;
111 CertDatabase cert_db_;
112
113 private:
114 static bool CleanupSlotContents(PK11SlotInfo* slot) {
115 CertDatabase cert_db;
116 bool ok = true;
117 CertificateList certs = ListCertsInSlot(slot);
118 CERTCertTrust default_trust = {0};
119 for (size_t i = 0; i < certs.size(); ++i) {
120 // Reset cert trust values to defaults before deleting. Otherwise NSS
121 // somehow seems to remember the trust which can break following tests.
122 SECStatus srv = CERT_ChangeCertTrust(
123 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust);
124 if (srv != SECSuccess)
125 ok = false;
126
127 if (!cert_db.DeleteCertAndKey(certs[i]))
128 ok = false;
129 }
130 return ok;
131 }
132 };
133
134 TEST_F(CertDatabaseNSSTest, ListCerts) {
135 // This test isn't terribly useful, though it will at least let valgrind test
136 // for leaks.
137 CertificateList certs;
138 cert_db_.ListCerts(&certs);
139 // The test DB is empty, but let's assume there will always be something in
140 // the other slots.
141 EXPECT_LT(0U, certs.size());
142 }
143
144 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {
145 std::string pkcs12_data = ReadTestFile("client.p12");
146
147 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,
148 cert_db_.ImportFromPKCS12(slot_,
149 pkcs12_data,
150 string16(),
151 true, // is_extractable
152 NULL));
153
154 // Test db should still be empty.
155 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
156 }
157
158 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {
159 std::string pkcs12_data = ReadTestFile("client.p12");
160
161 EXPECT_EQ(OK, cert_db_.ImportFromPKCS12(slot_,
162 pkcs12_data,
163 ASCIIToUTF16("12345"),
164 true, // is_extractable
165 NULL));
166
167 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
168 ASSERT_EQ(1U, cert_list.size());
169 scoped_refptr<X509Certificate> cert(cert_list[0]);
170
171 EXPECT_EQ("testusercert",
172 cert->subject().common_name);
173
174 // TODO(mattm): move export test to separate test case?
175 std::string exported_data;
176 EXPECT_EQ(1, cert_db_.ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
177 &exported_data));
178 ASSERT_LT(0U, exported_data.size());
179 // TODO(mattm): further verification of exported data?
180 }
181
182 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {
183 std::string pkcs12_data = ReadTestFile("client.p12");
184
185 EXPECT_EQ(OK, cert_db_.ImportFromPKCS12(slot_,
186 pkcs12_data,
187 ASCIIToUTF16("12345"),
188 true, // is_extractable
189 NULL));
190 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
191
192 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like
193 // it's ever used. This test verifies that.
194 EXPECT_EQ(OK, cert_db_.ImportFromPKCS12(slot_,
195 pkcs12_data,
196 ASCIIToUTF16("12345"),
197 true, // is_extractable
198 NULL));
199 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
200 }
201
202 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
203 std::string pkcs12_data = ReadTestFile("client.p12");
204
205 EXPECT_EQ(OK, cert_db_.ImportFromPKCS12(slot_,
206 pkcs12_data,
207 ASCIIToUTF16("12345"),
208 false, // is_extractable
209 NULL));
210
211 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
212 ASSERT_EQ(1U, cert_list.size());
213 scoped_refptr<X509Certificate> cert(cert_list[0]);
214
215 EXPECT_EQ("testusercert",
216 cert->subject().common_name);
217
218 std::string exported_data;
219 EXPECT_EQ(0, cert_db_.ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
220 &exported_data));
221 }
222
223 // Importing a PKCS#12 file with a certificate but no corresponding
224 // private key should not mark an existing private key as unextractable.
225 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) {
226 std::string pkcs12_data = ReadTestFile("client.p12");
227 EXPECT_EQ(OK, cert_db_.ImportFromPKCS12(slot_,
228 pkcs12_data,
229 ASCIIToUTF16("12345"),
230 true, // is_extractable
231 NULL));
232
233 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
234 ASSERT_EQ(1U, cert_list.size());
235
236 // Now import a PKCS#12 file with just a certificate but no private key.
237 pkcs12_data = ReadTestFile("client-nokey.p12");
238 EXPECT_EQ(OK, cert_db_.ImportFromPKCS12(slot_,
239 pkcs12_data,
240 ASCIIToUTF16("12345"),
241 false, // is_extractable
242 NULL));
243
244 cert_list = ListCertsInSlot(slot_->os_module_handle());
245 ASSERT_EQ(1U, cert_list.size());
246
247 // Make sure the imported private key is still extractable.
248 std::string exported_data;
249 EXPECT_EQ(1, cert_db_.ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
250 &exported_data));
251 ASSERT_LT(0U, exported_data.size());
252 }
253
254 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
255 std::string pkcs12_data = "Foobarbaz";
256
257 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,
258 cert_db_.ImportFromPKCS12(slot_,
259 pkcs12_data,
260 string16(),
261 true, // is_extractable
262 NULL));
263
264 // Test db should still be empty.
265 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
266 }
267
268 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
269 CertificateList certs = CreateCertificateListFromFile(
270 GetTestCertsDirectory(), "root_ca_cert.crt",
271 X509Certificate::FORMAT_AUTO);
272 ASSERT_EQ(1U, certs.size());
273 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
274
275 // Import it.
276 CertDatabase::ImportCertFailureList failed;
277 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL,
278 &failed));
279
280 EXPECT_EQ(0U, failed.size());
281
282 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
283 ASSERT_EQ(1U, cert_list.size());
284 scoped_refptr<X509Certificate> cert(cert_list[0]);
285 EXPECT_EQ("Test CA", cert->subject().common_name);
286
287 EXPECT_EQ(CertDatabase::TRUSTED_SSL,
288 cert_db_.GetCertTrust(cert.get(), CA_CERT));
289
290 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
291 CERTDB_TRUSTED_CLIENT_CA),
292 cert->os_cert_handle()->trust->sslFlags);
293 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
294 cert->os_cert_handle()->trust->emailFlags);
295 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
296 cert->os_cert_handle()->trust->objectSigningFlags);
297 }
298
299 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
300 CertificateList certs = CreateCertificateListFromFile(
301 GetTestCertsDirectory(), "root_ca_cert.crt",
302 X509Certificate::FORMAT_AUTO);
303 ASSERT_EQ(1U, certs.size());
304 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
305
306 // Import it.
307 CertDatabase::ImportCertFailureList failed;
308 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL,
309 &failed));
310
311 EXPECT_EQ(0U, failed.size());
312
313 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
314 ASSERT_EQ(1U, cert_list.size());
315 scoped_refptr<X509Certificate> cert(cert_list[0]);
316 EXPECT_EQ("Test CA", cert->subject().common_name);
317
318 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL,
319 cert_db_.GetCertTrust(cert.get(), CA_CERT));
320
321 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
322 cert->os_cert_handle()->trust->sslFlags);
323 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
324 CERTDB_TRUSTED_CLIENT_CA),
325 cert->os_cert_handle()->trust->emailFlags);
326 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
327 cert->os_cert_handle()->trust->objectSigningFlags);
328 }
329
330 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
331 CertificateList certs = CreateCertificateListFromFile(
332 GetTestCertsDirectory(), "root_ca_cert.crt",
333 X509Certificate::FORMAT_AUTO);
334 ASSERT_EQ(1U, certs.size());
335 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
336
337 // Import it.
338 CertDatabase::ImportCertFailureList failed;
339 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN,
340 &failed));
341
342 EXPECT_EQ(0U, failed.size());
343
344 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
345 ASSERT_EQ(1U, cert_list.size());
346 scoped_refptr<X509Certificate> cert(cert_list[0]);
347 EXPECT_EQ("Test CA", cert->subject().common_name);
348
349 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN,
350 cert_db_.GetCertTrust(cert.get(), CA_CERT));
351
352 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
353 cert->os_cert_handle()->trust->sslFlags);
354 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
355 cert->os_cert_handle()->trust->emailFlags);
356 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
357 CERTDB_TRUSTED_CLIENT_CA),
358 cert->os_cert_handle()->trust->objectSigningFlags);
359 }
360
361 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
362 CertificateList certs = CreateCertificateListFromFile(
363 GetTestCertsDirectory(), "google.single.pem",
364 X509Certificate::FORMAT_AUTO);
365 ASSERT_EQ(1U, certs.size());
366 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
367
368 // Import it.
369 CertDatabase::ImportCertFailureList failed;
370 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL,
371 &failed));
372 ASSERT_EQ(1U, failed.size());
373 // Note: this compares pointers directly. It's okay in this case because
374 // ImportCACerts returns the same pointers that were passed in. In the
375 // general case IsSameOSCert should be used.
376 EXPECT_EQ(certs[0], failed[0].certificate);
377 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error);
378
379 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
380 }
381
382 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) {
383 CertificateList certs;
384 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
385 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
386 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
387
388 // Import it.
389 CertDatabase::ImportCertFailureList failed;
390 // Have to specify email trust for the cert verification of the child cert to
391 // work (see
392 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7 52
393 // "XXX This choice of trustType seems arbitrary.")
394 EXPECT_TRUE(cert_db_.ImportCACerts(
395 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL,
396 &failed));
397
398 ASSERT_EQ(2U, failed.size());
399 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
400 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
401 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name);
402 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error);
403
404 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
405 ASSERT_EQ(1U, cert_list.size());
406 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
407 }
408
409 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) {
410 CertificateList certs;
411 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
412
413 // First import just the root.
414 CertDatabase::ImportCertFailureList failed;
415 EXPECT_TRUE(cert_db_.ImportCACerts(
416 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL,
417 &failed));
418
419 EXPECT_EQ(0U, failed.size());
420 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
421 ASSERT_EQ(1U, cert_list.size());
422 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
423
424 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
425 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
426
427 // Now import with the other certs in the list too. Even though the root is
428 // already present, we should still import the rest.
429 failed.clear();
430 EXPECT_TRUE(cert_db_.ImportCACerts(
431 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL,
432 &failed));
433
434 ASSERT_EQ(3U, failed.size());
435 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name);
436 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error);
437 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
438 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
439 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name);
440 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error);
441
442 cert_list = ListCertsInSlot(slot_->os_module_handle());
443 ASSERT_EQ(1U, cert_list.size());
444 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
445 }
446
447 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {
448 CertificateList certs;
449 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
450 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
451
452 // Import it.
453 CertDatabase::ImportCertFailureList failed;
454 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUST_DEFAULT,
455 &failed));
456
457 ASSERT_EQ(1U, failed.size());
458 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
459 // TODO(mattm): should check for net error equivalent of
460 // SEC_ERROR_UNTRUSTED_ISSUER
461 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
462
463 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
464 ASSERT_EQ(1U, cert_list.size());
465 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
466 }
467
468 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) {
469 CertificateList certs;
470 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
471 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
472 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
473
474 // Import it.
475 CertDatabase::ImportCertFailureList failed;
476 EXPECT_TRUE(cert_db_.ImportCACerts(
477 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL,
478 &failed));
479
480 EXPECT_EQ(2U, failed.size());
481 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
482 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
483 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
484 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
485
486 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
487 ASSERT_EQ(1U, cert_list.size());
488 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
489 }
490
491 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
492 CertificateList certs = CreateCertificateListFromFile(
493 GetTestCertsDirectory(), "root_ca_cert.crt",
494 X509Certificate::FORMAT_AUTO);
495 ASSERT_EQ(1U, certs.size());
496 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
497 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
498
499 // Import it.
500 CertDatabase::ImportCertFailureList failed;
501 EXPECT_TRUE(cert_db_.ImportCACerts(
502 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL |
503 CertDatabase::TRUSTED_OBJ_SIGN, &failed));
504
505 ASSERT_EQ(2U, failed.size());
506 // TODO(mattm): should check for net error equivalent of
507 // SEC_ERROR_UNKNOWN_ISSUER
508 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
509 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
510 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
511 EXPECT_EQ(ERR_FAILED, failed[1].net_error);
512
513 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
514 ASSERT_EQ(1U, cert_list.size());
515 EXPECT_EQ("Test CA", cert_list[0]->subject().common_name);
516 }
517
518 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired
519 // certificate.
520 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
521 // Need to import intermediate cert for the verify of google cert, otherwise
522 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which
523 // will cause OCSPCreateSession on the main thread, which is not allowed.
524 CertificateList certs = CreateCertificateListFromFile(
525 GetTestCertsDirectory(), "google.chain.pem",
526 X509Certificate::FORMAT_AUTO);
527 ASSERT_EQ(2U, certs.size());
528
529 CertDatabase::ImportCertFailureList failed;
530 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT,
531 &failed));
532
533 EXPECT_EQ(0U, failed.size());
534
535 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
536 ASSERT_EQ(2U, cert_list.size());
537 scoped_refptr<X509Certificate> goog_cert(cert_list[0]);
538 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);
539 EXPECT_EQ("www.google.com", goog_cert->subject().common_name);
540 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);
541
542 EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
543 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT));
544
545 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags);
546
547 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
548 int flags = 0;
549 CertVerifyResult verify_result;
550 int error = verify_proc->Verify(goog_cert, "www.google.com", flags,
551 NULL, &verify_result);
552 EXPECT_EQ(OK, error);
553 EXPECT_EQ(0U, verify_result.cert_status);
554 }
555
556 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
557 CertificateList certs;
558 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
559
560 CertDatabase::ImportCertFailureList failed;
561 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT,
562 &failed));
563
564 EXPECT_EQ(0U, failed.size());
565
566 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
567 ASSERT_EQ(1U, cert_list.size());
568 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
569
570 EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
571 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT));
572 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags);
573
574 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
575 int flags = 0;
576 CertVerifyResult verify_result;
577 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags,
578 NULL, &verify_result);
579 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
580 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
581 }
582
583 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
584 // When using CERT_PKIXVerifyCert (which we do), server trust only works from
585 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364.
586 if (!NSS_VersionCheck("3.13.4")) {
587 LOG(INFO) << "test skipped on NSS < 3.13.4";
588 return;
589 }
590
591 CertificateList certs;
592 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
593
594 CertDatabase::ImportCertFailureList failed;
595 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUSTED_SSL,
596 &failed));
597
598 EXPECT_EQ(0U, failed.size());
599
600 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
601 ASSERT_EQ(1U, cert_list.size());
602 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
603
604 EXPECT_EQ(CertDatabase::TRUSTED_SSL,
605 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT));
606 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD),
607 puny_cert->os_cert_handle()->trust->sslFlags);
608
609 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
610 int flags = 0;
611 CertVerifyResult verify_result;
612 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags,
613 NULL, &verify_result);
614 EXPECT_EQ(OK, error);
615 EXPECT_EQ(0U, verify_result.cert_status);
616 }
617
618 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
619 CertificateList ca_certs = CreateCertificateListFromFile(
620 GetTestCertsDirectory(), "root_ca_cert.crt",
621 X509Certificate::FORMAT_AUTO);
622 ASSERT_EQ(1U, ca_certs.size());
623
624 // Import CA cert and trust it.
625 CertDatabase::ImportCertFailureList failed;
626 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL,
627 &failed));
628 EXPECT_EQ(0U, failed.size());
629
630 CertificateList certs = CreateCertificateListFromFile(
631 GetTestCertsDirectory(), "ok_cert.pem",
632 X509Certificate::FORMAT_AUTO);
633 ASSERT_EQ(1U, certs.size());
634
635 // Import server cert with default trust.
636 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT,
637 &failed));
638 EXPECT_EQ(0U, failed.size());
639
640 // Server cert should verify.
641 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
642 int flags = 0;
643 CertVerifyResult verify_result;
644 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
645 NULL, &verify_result);
646 EXPECT_EQ(OK, error);
647 EXPECT_EQ(0U, verify_result.cert_status);
648 }
649
650 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
651 // Explicit distrust only works starting in NSS 3.13.
652 if (!NSS_VersionCheck("3.13")) {
653 LOG(INFO) << "test skipped on NSS < 3.13";
654 return;
655 }
656
657 CertificateList ca_certs = CreateCertificateListFromFile(
658 GetTestCertsDirectory(), "root_ca_cert.crt",
659 X509Certificate::FORMAT_AUTO);
660 ASSERT_EQ(1U, ca_certs.size());
661
662 // Import CA cert and trust it.
663 CertDatabase::ImportCertFailureList failed;
664 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL,
665 &failed));
666 EXPECT_EQ(0U, failed.size());
667
668 CertificateList certs = CreateCertificateListFromFile(
669 GetTestCertsDirectory(), "ok_cert.pem",
670 X509Certificate::FORMAT_AUTO);
671 ASSERT_EQ(1U, certs.size());
672
673 // Import server cert without inheriting trust from issuer (explicit
674 // distrust).
675 EXPECT_TRUE(cert_db_.ImportServerCert(
676 certs, CertDatabase::DISTRUSTED_SSL, &failed));
677 EXPECT_EQ(0U, failed.size());
678 EXPECT_EQ(CertDatabase::DISTRUSTED_SSL,
679 cert_db_.GetCertTrust(certs[0], SERVER_CERT));
680
681 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
682 certs[0]->os_cert_handle()->trust->sslFlags);
683
684 // Server cert should fail to verify.
685 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
686 int flags = 0;
687 CertVerifyResult verify_result;
688 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
689 NULL, &verify_result);
690 EXPECT_EQ(ERR_CERT_REVOKED, error);
691 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
692 }
693
694 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {
695 CertificateList ca_certs = CreateCertificateListFromFile(
696 GetTestCertsDirectory(), "2048-rsa-root.pem",
697 X509Certificate::FORMAT_AUTO);
698 ASSERT_EQ(1U, ca_certs.size());
699
700 // Import Root CA cert and distrust it.
701 CertDatabase::ImportCertFailureList failed;
702 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::DISTRUSTED_SSL,
703 &failed));
704 EXPECT_EQ(0U, failed.size());
705
706 CertificateList intermediate_certs = CreateCertificateListFromFile(
707 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
708 X509Certificate::FORMAT_AUTO);
709 ASSERT_EQ(1U, intermediate_certs.size());
710
711 // Import Intermediate CA cert and trust it.
712 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs,
713 CertDatabase::TRUSTED_SSL, &failed));
714 EXPECT_EQ(0U, failed.size());
715
716 CertificateList certs = CreateCertificateListFromFile(
717 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
718 X509Certificate::FORMAT_AUTO);
719 ASSERT_EQ(1U, certs.size());
720
721 // Import server cert with default trust.
722 EXPECT_TRUE(cert_db_.ImportServerCert(
723 certs, CertDatabase::TRUST_DEFAULT, &failed));
724 EXPECT_EQ(0U, failed.size());
725 EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
726 cert_db_.GetCertTrust(certs[0], SERVER_CERT));
727
728 // Server cert should verify.
729 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
730 int flags = 0;
731 CertVerifyResult verify_result;
732 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
733 NULL, &verify_result);
734 EXPECT_EQ(OK, error);
735 EXPECT_EQ(0U, verify_result.cert_status);
736
737 // Explicit distrust only works starting in NSS 3.13.
738 if (!NSS_VersionCheck("3.13")) {
739 LOG(INFO) << "test partially skipped on NSS < 3.13";
740 return;
741 }
742
743 // Trust the root cert and distrust the intermediate.
744 EXPECT_TRUE(cert_db_.SetCertTrust(
745 ca_certs[0], CA_CERT, CertDatabase::TRUSTED_SSL));
746 EXPECT_TRUE(cert_db_.SetCertTrust(
747 intermediate_certs[0], CA_CERT, CertDatabase::DISTRUSTED_SSL));
748 EXPECT_EQ(
749 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA),
750 ca_certs[0]->os_cert_handle()->trust->sslFlags);
751 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
752 ca_certs[0]->os_cert_handle()->trust->emailFlags);
753 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
754 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags);
755 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
756 intermediate_certs[0]->os_cert_handle()->trust->sslFlags);
757 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
758 intermediate_certs[0]->os_cert_handle()->trust->emailFlags);
759 EXPECT_EQ(
760 unsigned(CERTDB_VALID_CA),
761 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags);
762
763 // Server cert should fail to verify.
764 CertVerifyResult verify_result2;
765 error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
766 NULL, &verify_result2);
767 EXPECT_EQ(ERR_CERT_REVOKED, error);
768 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status);
769 }
770
771 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) {
772 CertDatabase::ImportCertFailureList failed;
773
774 CertificateList intermediate_certs = CreateCertificateListFromFile(
775 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
776 X509Certificate::FORMAT_AUTO);
777 ASSERT_EQ(1U, intermediate_certs.size());
778
779 // Import Intermediate CA cert and trust it.
780 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs,
781 CertDatabase::TRUSTED_SSL, &failed));
782 EXPECT_EQ(0U, failed.size());
783
784 CertificateList certs = CreateCertificateListFromFile(
785 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
786 X509Certificate::FORMAT_AUTO);
787 ASSERT_EQ(1U, certs.size());
788
789 // Import server cert with default trust.
790 EXPECT_TRUE(cert_db_.ImportServerCert(
791 certs, CertDatabase::TRUST_DEFAULT, &failed));
792 EXPECT_EQ(0U, failed.size());
793 EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
794 cert_db_.GetCertTrust(certs[0], SERVER_CERT));
795
796 // Server cert should verify.
797 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
798 int flags = 0;
799 CertVerifyResult verify_result;
800 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
801 NULL, &verify_result);
802 EXPECT_EQ(OK, error);
803 EXPECT_EQ(0U, verify_result.cert_status);
804
805 // Without explicit trust of the intermediate, verification should fail.
806 EXPECT_TRUE(cert_db_.SetCertTrust(
807 intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT));
808
809 // Server cert should fail to verify.
810 CertVerifyResult verify_result2;
811 error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
812 NULL, &verify_result2);
813 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
814 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
815 }
816
817 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) {
818 CertDatabase::ImportCertFailureList failed;
819
820 CertificateList ca_certs = CreateCertificateListFromFile(
821 GetTestCertsDirectory(), "2048-rsa-root.pem",
822 X509Certificate::FORMAT_AUTO);
823 ASSERT_EQ(1U, ca_certs.size());
824
825 // Import Root CA cert and default trust it.
826 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUST_DEFAULT,
827 &failed));
828 EXPECT_EQ(0U, failed.size());
829
830 CertificateList intermediate_certs = CreateCertificateListFromFile(
831 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
832 X509Certificate::FORMAT_AUTO);
833 ASSERT_EQ(1U, intermediate_certs.size());
834
835 // Import Intermediate CA cert and trust it.
836 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs,
837 CertDatabase::TRUSTED_SSL, &failed));
838 EXPECT_EQ(0U, failed.size());
839
840 CertificateList certs = CreateCertificateListFromFile(
841 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
842 X509Certificate::FORMAT_AUTO);
843 ASSERT_EQ(1U, certs.size());
844
845 // Import server cert with default trust.
846 EXPECT_TRUE(cert_db_.ImportServerCert(
847 certs, CertDatabase::TRUST_DEFAULT, &failed));
848 EXPECT_EQ(0U, failed.size());
849 EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
850 cert_db_.GetCertTrust(certs[0], SERVER_CERT));
851
852 // Server cert should verify.
853 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
854 int flags = 0;
855 CertVerifyResult verify_result;
856 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
857 NULL, &verify_result);
858 EXPECT_EQ(OK, error);
859 EXPECT_EQ(0U, verify_result.cert_status);
860
861 // Without explicit trust of the intermediate, verification should fail.
862 EXPECT_TRUE(cert_db_.SetCertTrust(
863 intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT));
864
865 // Server cert should fail to verify.
866 CertVerifyResult verify_result2;
867 error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
868 NULL, &verify_result2);
869 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
870 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
871 }
872
873 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
874 // Explicit distrust only works starting in NSS 3.13.
875 if (!NSS_VersionCheck("3.13")) {
876 LOG(INFO) << "test skipped on NSS < 3.13";
877 return;
878 }
879
880 CertDatabase::ImportCertFailureList failed;
881
882 CertificateList ca_certs = CreateCertificateListFromFile(
883 GetTestCertsDirectory(), "2048-rsa-root.pem",
884 X509Certificate::FORMAT_AUTO);
885 ASSERT_EQ(1U, ca_certs.size());
886
887 // Import Root CA cert and trust it.
888 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL,
889 &failed));
890 EXPECT_EQ(0U, failed.size());
891
892 CertificateList intermediate_certs = CreateCertificateListFromFile(
893 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
894 X509Certificate::FORMAT_AUTO);
895 ASSERT_EQ(1U, intermediate_certs.size());
896
897 // Import Intermediate CA cert and distrust it.
898 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs,
899 CertDatabase::DISTRUSTED_SSL, &failed));
900 EXPECT_EQ(0U, failed.size());
901
902 CertificateList certs = CreateCertificateListFromFile(
903 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
904 X509Certificate::FORMAT_AUTO);
905 ASSERT_EQ(1U, certs.size());
906
907 // Import server cert with default trust.
908 EXPECT_TRUE(cert_db_.ImportServerCert(
909 certs, CertDatabase::TRUST_DEFAULT, &failed));
910 EXPECT_EQ(0U, failed.size());
911 EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
912 cert_db_.GetCertTrust(certs[0], SERVER_CERT));
913
914 // Server cert should not verify.
915 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
916 int flags = 0;
917 CertVerifyResult verify_result;
918 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
919 NULL, &verify_result);
920 EXPECT_EQ(ERR_CERT_REVOKED, error);
921 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
922
923 // Without explicit distrust of the intermediate, verification should succeed.
924 EXPECT_TRUE(cert_db_.SetCertTrust(
925 intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT));
926
927 // Server cert should verify.
928 CertVerifyResult verify_result2;
929 error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
930 NULL, &verify_result2);
931 EXPECT_EQ(OK, error);
932 EXPECT_EQ(0U, verify_result2.cert_status);
933 }
934
935 } // namespace net
OLDNEW
« net/base/cert_database.cc ('K') | « net/base/cert_database_nss.cc ('k') | net/base/cert_database_openssl.cc » ('j') | net/base/nss_cert_database.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698