| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <cert.h> | 5 #include <cert.h> |
| 6 #include <certdb.h> | 6 #include <certdb.h> |
| 7 #include <pk11pub.h> | 7 #include <pk11pub.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| 11 #include "base/file_path.h" | 11 #include "base/file_path.h" |
| 12 #include "base/file_util.h" | 12 #include "base/file_util.h" |
| 13 #include "base/lazy_instance.h" | 13 #include "base/lazy_instance.h" |
| 14 #include "base/message_loop.h" | 14 #include "base/message_loop.h" |
| 15 #include "base/path_service.h" | 15 #include "base/path_service.h" |
| 16 #include "base/string16.h" | 16 #include "base/string16.h" |
| 17 #include "base/string_util.h" | 17 #include "base/string_util.h" |
| 18 #include "base/utf_string_conversions.h" | 18 #include "base/utf_string_conversions.h" |
| 19 #include "crypto/nss_util.h" | 19 #include "crypto/nss_util.h" |
| 20 #include "crypto/nss_util_internal.h" | 20 #include "crypto/nss_util_internal.h" |
| 21 #include "crypto/scoped_nss_types.h" | 21 #include "crypto/scoped_nss_types.h" |
| 22 #include "net/base/cert_database.h" | |
| 23 #include "net/base/cert_status_flags.h" | 22 #include "net/base/cert_status_flags.h" |
| 24 #include "net/base/cert_test_util.h" | 23 #include "net/base/cert_test_util.h" |
| 25 #include "net/base/cert_verify_proc.h" | 24 #include "net/base/cert_verify_proc.h" |
| 26 #include "net/base/cert_verify_result.h" | 25 #include "net/base/cert_verify_result.h" |
| 27 #include "net/base/crypto_module.h" | 26 #include "net/base/crypto_module.h" |
| 28 #include "net/base/net_errors.h" | 27 #include "net/base/net_errors.h" |
| 28 #include "net/base/nss_cert_database.h" |
| 29 #include "net/base/x509_certificate.h" | 29 #include "net/base/x509_certificate.h" |
| 30 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" | 30 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" |
| 31 #include "testing/gtest/include/gtest/gtest.h" | 31 #include "testing/gtest/include/gtest/gtest.h" |
| 32 | 32 |
| 33 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use | 33 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use |
| 34 // the new name of the macro. | 34 // the new name of the macro. |
| 35 #if !defined(CERTDB_TERMINAL_RECORD) | 35 #if !defined(CERTDB_TERMINAL_RECORD) |
| 36 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER | 36 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER |
| 37 #endif | 37 #endif |
| 38 | 38 |
| (...skipping 20 matching lines...) Expand all Loading... |
| 59 } | 59 } |
| 60 | 60 |
| 61 virtual void TearDown() { | 61 virtual void TearDown() { |
| 62 // Don't try to cleanup if the setup failed. | 62 // Don't try to cleanup if the setup failed. |
| 63 ASSERT_TRUE(slot_->os_module_handle()); | 63 ASSERT_TRUE(slot_->os_module_handle()); |
| 64 | 64 |
| 65 EXPECT_TRUE(CleanupSlotContents(slot_->os_module_handle())); | 65 EXPECT_TRUE(CleanupSlotContents(slot_->os_module_handle())); |
| 66 | 66 |
| 67 // Run the message loop to process any observer callbacks (e.g. for the | 67 // Run the message loop to process any observer callbacks (e.g. for the |
| 68 // ClientSocketFactory singleton) so that the scoped ref ptrs created in | 68 // ClientSocketFactory singleton) so that the scoped ref ptrs created in |
| 69 // CertDatabase::NotifyObservers* get released. | 69 // NSSCertDatabase::NotifyObservers* get released. |
| 70 MessageLoop::current()->RunAllPending(); | 70 MessageLoop::current()->RunAllPending(); |
| 71 | 71 |
| 72 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 72 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
| 73 } | 73 } |
| 74 | 74 |
| 75 protected: | 75 protected: |
| 76 static std::string ReadTestFile(const std::string& name) { | 76 static std::string ReadTestFile(const std::string& name) { |
| 77 std::string result; | 77 std::string result; |
| 78 FilePath cert_path = GetTestCertsDirectory().AppendASCII(name); | 78 FilePath cert_path = GetTestCertsDirectory().AppendASCII(name); |
| 79 EXPECT_TRUE(file_util::ReadFileToString(cert_path, &result)); | 79 EXPECT_TRUE(file_util::ReadFileToString(cert_path, &result)); |
| (...skipping 21 matching lines...) Expand all Loading... |
| 101 node->cert, X509Certificate::OSCertHandles())); | 101 node->cert, X509Certificate::OSCertHandles())); |
| 102 } | 102 } |
| 103 CERT_DestroyCertList(cert_list); | 103 CERT_DestroyCertList(cert_list); |
| 104 | 104 |
| 105 // Sort the result so that test comparisons can be deterministic. | 105 // Sort the result so that test comparisons can be deterministic. |
| 106 std::sort(result.begin(), result.end(), X509Certificate::LessThan()); | 106 std::sort(result.begin(), result.end(), X509Certificate::LessThan()); |
| 107 return result; | 107 return result; |
| 108 } | 108 } |
| 109 | 109 |
| 110 scoped_refptr<CryptoModule> slot_; | 110 scoped_refptr<CryptoModule> slot_; |
| 111 CertDatabase cert_db_; | 111 NSSCertDatabase cert_db_; |
| 112 | 112 |
| 113 private: | 113 private: |
| 114 static bool CleanupSlotContents(PK11SlotInfo* slot) { | 114 static bool CleanupSlotContents(PK11SlotInfo* slot) { |
| 115 CertDatabase cert_db; | 115 NSSCertDatabase cert_db; |
| 116 bool ok = true; | 116 bool ok = true; |
| 117 CertificateList certs = ListCertsInSlot(slot); | 117 CertificateList certs = ListCertsInSlot(slot); |
| 118 CERTCertTrust default_trust = {0}; | 118 CERTCertTrust default_trust = {0}; |
| 119 for (size_t i = 0; i < certs.size(); ++i) { | 119 for (size_t i = 0; i < certs.size(); ++i) { |
| 120 // Reset cert trust values to defaults before deleting. Otherwise NSS | 120 // Reset cert trust values to defaults before deleting. Otherwise NSS |
| 121 // somehow seems to remember the trust which can break following tests. | 121 // somehow seems to remember the trust which can break following tests. |
| 122 SECStatus srv = CERT_ChangeCertTrust( | 122 SECStatus srv = CERT_ChangeCertTrust( |
| 123 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); | 123 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); |
| 124 if (srv != SECSuccess) | 124 if (srv != SECSuccess) |
| 125 ok = false; | 125 ok = false; |
| (...skipping 140 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 266 } | 266 } |
| 267 | 267 |
| 268 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { | 268 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { |
| 269 CertificateList certs = CreateCertificateListFromFile( | 269 CertificateList certs = CreateCertificateListFromFile( |
| 270 GetTestCertsDirectory(), "root_ca_cert.crt", | 270 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 271 X509Certificate::FORMAT_AUTO); | 271 X509Certificate::FORMAT_AUTO); |
| 272 ASSERT_EQ(1U, certs.size()); | 272 ASSERT_EQ(1U, certs.size()); |
| 273 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 273 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 274 | 274 |
| 275 // Import it. | 275 // Import it. |
| 276 CertDatabase::ImportCertFailureList failed; | 276 NSSCertDatabase::ImportCertFailureList failed; |
| 277 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, | 277 EXPECT_TRUE(cert_db_.ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, |
| 278 &failed)); | 278 &failed)); |
| 279 | 279 |
| 280 EXPECT_EQ(0U, failed.size()); | 280 EXPECT_EQ(0U, failed.size()); |
| 281 | 281 |
| 282 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 282 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 283 ASSERT_EQ(1U, cert_list.size()); | 283 ASSERT_EQ(1U, cert_list.size()); |
| 284 scoped_refptr<X509Certificate> cert(cert_list[0]); | 284 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 285 EXPECT_EQ("Test CA", cert->subject().common_name); | 285 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 286 | 286 |
| 287 EXPECT_EQ(CertDatabase::TRUSTED_SSL, | 287 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, |
| 288 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 288 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 289 | 289 |
| 290 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | | 290 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| 291 CERTDB_TRUSTED_CLIENT_CA), | 291 CERTDB_TRUSTED_CLIENT_CA), |
| 292 cert->os_cert_handle()->trust->sslFlags); | 292 cert->os_cert_handle()->trust->sslFlags); |
| 293 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 293 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 294 cert->os_cert_handle()->trust->emailFlags); | 294 cert->os_cert_handle()->trust->emailFlags); |
| 295 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 295 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 296 cert->os_cert_handle()->trust->objectSigningFlags); | 296 cert->os_cert_handle()->trust->objectSigningFlags); |
| 297 } | 297 } |
| 298 | 298 |
| 299 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { | 299 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { |
| 300 CertificateList certs = CreateCertificateListFromFile( | 300 CertificateList certs = CreateCertificateListFromFile( |
| 301 GetTestCertsDirectory(), "root_ca_cert.crt", | 301 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 302 X509Certificate::FORMAT_AUTO); | 302 X509Certificate::FORMAT_AUTO); |
| 303 ASSERT_EQ(1U, certs.size()); | 303 ASSERT_EQ(1U, certs.size()); |
| 304 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 304 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 305 | 305 |
| 306 // Import it. | 306 // Import it. |
| 307 CertDatabase::ImportCertFailureList failed; | 307 NSSCertDatabase::ImportCertFailureList failed; |
| 308 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL, | 308 EXPECT_TRUE(cert_db_.ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL, |
| 309 &failed)); | 309 &failed)); |
| 310 | 310 |
| 311 EXPECT_EQ(0U, failed.size()); | 311 EXPECT_EQ(0U, failed.size()); |
| 312 | 312 |
| 313 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 313 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 314 ASSERT_EQ(1U, cert_list.size()); | 314 ASSERT_EQ(1U, cert_list.size()); |
| 315 scoped_refptr<X509Certificate> cert(cert_list[0]); | 315 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 316 EXPECT_EQ("Test CA", cert->subject().common_name); | 316 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 317 | 317 |
| 318 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, | 318 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL, |
| 319 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 319 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 320 | 320 |
| 321 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 321 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 322 cert->os_cert_handle()->trust->sslFlags); | 322 cert->os_cert_handle()->trust->sslFlags); |
| 323 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | | 323 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| 324 CERTDB_TRUSTED_CLIENT_CA), | 324 CERTDB_TRUSTED_CLIENT_CA), |
| 325 cert->os_cert_handle()->trust->emailFlags); | 325 cert->os_cert_handle()->trust->emailFlags); |
| 326 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 326 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 327 cert->os_cert_handle()->trust->objectSigningFlags); | 327 cert->os_cert_handle()->trust->objectSigningFlags); |
| 328 } | 328 } |
| 329 | 329 |
| 330 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { | 330 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { |
| 331 CertificateList certs = CreateCertificateListFromFile( | 331 CertificateList certs = CreateCertificateListFromFile( |
| 332 GetTestCertsDirectory(), "root_ca_cert.crt", | 332 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 333 X509Certificate::FORMAT_AUTO); | 333 X509Certificate::FORMAT_AUTO); |
| 334 ASSERT_EQ(1U, certs.size()); | 334 ASSERT_EQ(1U, certs.size()); |
| 335 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 335 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 336 | 336 |
| 337 // Import it. | 337 // Import it. |
| 338 CertDatabase::ImportCertFailureList failed; | 338 NSSCertDatabase::ImportCertFailureList failed; |
| 339 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN, | 339 EXPECT_TRUE(cert_db_.ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN, |
| 340 &failed)); | 340 &failed)); |
| 341 | 341 |
| 342 EXPECT_EQ(0U, failed.size()); | 342 EXPECT_EQ(0U, failed.size()); |
| 343 | 343 |
| 344 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 344 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 345 ASSERT_EQ(1U, cert_list.size()); | 345 ASSERT_EQ(1U, cert_list.size()); |
| 346 scoped_refptr<X509Certificate> cert(cert_list[0]); | 346 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 347 EXPECT_EQ("Test CA", cert->subject().common_name); | 347 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 348 | 348 |
| 349 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, | 349 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN, |
| 350 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 350 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 351 | 351 |
| 352 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 352 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 353 cert->os_cert_handle()->trust->sslFlags); | 353 cert->os_cert_handle()->trust->sslFlags); |
| 354 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 354 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 355 cert->os_cert_handle()->trust->emailFlags); | 355 cert->os_cert_handle()->trust->emailFlags); |
| 356 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | | 356 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| 357 CERTDB_TRUSTED_CLIENT_CA), | 357 CERTDB_TRUSTED_CLIENT_CA), |
| 358 cert->os_cert_handle()->trust->objectSigningFlags); | 358 cert->os_cert_handle()->trust->objectSigningFlags); |
| 359 } | 359 } |
| 360 | 360 |
| 361 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { | 361 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { |
| 362 CertificateList certs = CreateCertificateListFromFile( | 362 CertificateList certs = CreateCertificateListFromFile( |
| 363 GetTestCertsDirectory(), "google.single.pem", | 363 GetTestCertsDirectory(), "google.single.pem", |
| 364 X509Certificate::FORMAT_AUTO); | 364 X509Certificate::FORMAT_AUTO); |
| 365 ASSERT_EQ(1U, certs.size()); | 365 ASSERT_EQ(1U, certs.size()); |
| 366 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 366 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 367 | 367 |
| 368 // Import it. | 368 // Import it. |
| 369 CertDatabase::ImportCertFailureList failed; | 369 NSSCertDatabase::ImportCertFailureList failed; |
| 370 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, | 370 EXPECT_TRUE(cert_db_.ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, |
| 371 &failed)); | 371 &failed)); |
| 372 ASSERT_EQ(1U, failed.size()); | 372 ASSERT_EQ(1U, failed.size()); |
| 373 // Note: this compares pointers directly. It's okay in this case because | 373 // Note: this compares pointers directly. It's okay in this case because |
| 374 // ImportCACerts returns the same pointers that were passed in. In the | 374 // ImportCACerts returns the same pointers that were passed in. In the |
| 375 // general case IsSameOSCert should be used. | 375 // general case IsSameOSCert should be used. |
| 376 EXPECT_EQ(certs[0], failed[0].certificate); | 376 EXPECT_EQ(certs[0], failed[0].certificate); |
| 377 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); | 377 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); |
| 378 | 378 |
| 379 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 379 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
| 380 } | 380 } |
| 381 | 381 |
| 382 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { | 382 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { |
| 383 CertificateList certs; | 383 CertificateList certs; |
| 384 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 384 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 385 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 385 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 386 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); | 386 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); |
| 387 | 387 |
| 388 // Import it. | 388 // Import it. |
| 389 CertDatabase::ImportCertFailureList failed; | 389 NSSCertDatabase::ImportCertFailureList failed; |
| 390 // Have to specify email trust for the cert verification of the child cert to | 390 // Have to specify email trust for the cert verification of the child cert to |
| 391 // work (see | 391 // work (see |
| 392 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 | 392 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 |
| 393 // "XXX This choice of trustType seems arbitrary.") | 393 // "XXX This choice of trustType seems arbitrary.") |
| 394 EXPECT_TRUE(cert_db_.ImportCACerts( | 394 EXPECT_TRUE(cert_db_.ImportCACerts( |
| 395 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 395 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 396 &failed)); | 396 &failed)); |
| 397 | 397 |
| 398 ASSERT_EQ(2U, failed.size()); | 398 ASSERT_EQ(2U, failed.size()); |
| 399 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); | 399 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); |
| 400 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. | 400 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. |
| 401 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); | 401 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); |
| 402 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); | 402 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); |
| 403 | 403 |
| 404 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 404 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 405 ASSERT_EQ(1U, cert_list.size()); | 405 ASSERT_EQ(1U, cert_list.size()); |
| 406 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 406 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 407 } | 407 } |
| 408 | 408 |
| 409 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { | 409 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { |
| 410 CertificateList certs; | 410 CertificateList certs; |
| 411 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 411 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 412 | 412 |
| 413 // First import just the root. | 413 // First import just the root. |
| 414 CertDatabase::ImportCertFailureList failed; | 414 NSSCertDatabase::ImportCertFailureList failed; |
| 415 EXPECT_TRUE(cert_db_.ImportCACerts( | 415 EXPECT_TRUE(cert_db_.ImportCACerts( |
| 416 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 416 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 417 &failed)); | 417 &failed)); |
| 418 | 418 |
| 419 EXPECT_EQ(0U, failed.size()); | 419 EXPECT_EQ(0U, failed.size()); |
| 420 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 420 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 421 ASSERT_EQ(1U, cert_list.size()); | 421 ASSERT_EQ(1U, cert_list.size()); |
| 422 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 422 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 423 | 423 |
| 424 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 424 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 425 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); | 425 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); |
| 426 | 426 |
| 427 // Now import with the other certs in the list too. Even though the root is | 427 // Now import with the other certs in the list too. Even though the root is |
| 428 // already present, we should still import the rest. | 428 // already present, we should still import the rest. |
| 429 failed.clear(); | 429 failed.clear(); |
| 430 EXPECT_TRUE(cert_db_.ImportCACerts( | 430 EXPECT_TRUE(cert_db_.ImportCACerts( |
| 431 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 431 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 432 &failed)); | 432 &failed)); |
| 433 | 433 |
| 434 ASSERT_EQ(3U, failed.size()); | 434 ASSERT_EQ(3U, failed.size()); |
| 435 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); | 435 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); |
| 436 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); | 436 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); |
| 437 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 437 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 438 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. | 438 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. |
| 439 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name); | 439 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name); |
| 440 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error); | 440 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error); |
| 441 | 441 |
| 442 cert_list = ListCertsInSlot(slot_->os_module_handle()); | 442 cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 443 ASSERT_EQ(1U, cert_list.size()); | 443 ASSERT_EQ(1U, cert_list.size()); |
| 444 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 444 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 445 } | 445 } |
| 446 | 446 |
| 447 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { | 447 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { |
| 448 CertificateList certs; | 448 CertificateList certs; |
| 449 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 449 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 450 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 450 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 451 | 451 |
| 452 // Import it. | 452 // Import it. |
| 453 CertDatabase::ImportCertFailureList failed; | 453 NSSCertDatabase::ImportCertFailureList failed; |
| 454 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUST_DEFAULT, | 454 EXPECT_TRUE(cert_db_.ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 455 &failed)); | 455 &failed)); |
| 456 | 456 |
| 457 ASSERT_EQ(1U, failed.size()); | 457 ASSERT_EQ(1U, failed.size()); |
| 458 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); | 458 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); |
| 459 // TODO(mattm): should check for net error equivalent of | 459 // TODO(mattm): should check for net error equivalent of |
| 460 // SEC_ERROR_UNTRUSTED_ISSUER | 460 // SEC_ERROR_UNTRUSTED_ISSUER |
| 461 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 461 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
| 462 | 462 |
| 463 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 463 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 464 ASSERT_EQ(1U, cert_list.size()); | 464 ASSERT_EQ(1U, cert_list.size()); |
| 465 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 465 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 466 } | 466 } |
| 467 | 467 |
| 468 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { | 468 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { |
| 469 CertificateList certs; | 469 CertificateList certs; |
| 470 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 470 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 471 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 471 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
| 472 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 472 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 473 | 473 |
| 474 // Import it. | 474 // Import it. |
| 475 CertDatabase::ImportCertFailureList failed; | 475 NSSCertDatabase::ImportCertFailureList failed; |
| 476 EXPECT_TRUE(cert_db_.ImportCACerts( | 476 EXPECT_TRUE(cert_db_.ImportCACerts( |
| 477 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 477 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 478 &failed)); | 478 &failed)); |
| 479 | 479 |
| 480 EXPECT_EQ(2U, failed.size()); | 480 EXPECT_EQ(2U, failed.size()); |
| 481 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); | 481 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); |
| 482 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. | 482 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. |
| 483 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 483 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 484 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. | 484 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. |
| 485 | 485 |
| 486 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 486 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 487 ASSERT_EQ(1U, cert_list.size()); | 487 ASSERT_EQ(1U, cert_list.size()); |
| 488 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 488 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 489 } | 489 } |
| 490 | 490 |
| 491 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { | 491 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { |
| 492 CertificateList certs = CreateCertificateListFromFile( | 492 CertificateList certs = CreateCertificateListFromFile( |
| 493 GetTestCertsDirectory(), "root_ca_cert.crt", | 493 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 494 X509Certificate::FORMAT_AUTO); | 494 X509Certificate::FORMAT_AUTO); |
| 495 ASSERT_EQ(1U, certs.size()); | 495 ASSERT_EQ(1U, certs.size()); |
| 496 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 496 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
| 497 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 497 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 498 | 498 |
| 499 // Import it. | 499 // Import it. |
| 500 CertDatabase::ImportCertFailureList failed; | 500 NSSCertDatabase::ImportCertFailureList failed; |
| 501 EXPECT_TRUE(cert_db_.ImportCACerts( | 501 EXPECT_TRUE(cert_db_.ImportCACerts( |
| 502 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL | | 502 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL | |
| 503 CertDatabase::TRUSTED_OBJ_SIGN, &failed)); | 503 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed)); |
| 504 | 504 |
| 505 ASSERT_EQ(2U, failed.size()); | 505 ASSERT_EQ(2U, failed.size()); |
| 506 // TODO(mattm): should check for net error equivalent of | 506 // TODO(mattm): should check for net error equivalent of |
| 507 // SEC_ERROR_UNKNOWN_ISSUER | 507 // SEC_ERROR_UNKNOWN_ISSUER |
| 508 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); | 508 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); |
| 509 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 509 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
| 510 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 510 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 511 EXPECT_EQ(ERR_FAILED, failed[1].net_error); | 511 EXPECT_EQ(ERR_FAILED, failed[1].net_error); |
| 512 | 512 |
| 513 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 513 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 514 ASSERT_EQ(1U, cert_list.size()); | 514 ASSERT_EQ(1U, cert_list.size()); |
| 515 EXPECT_EQ("Test CA", cert_list[0]->subject().common_name); | 515 EXPECT_EQ("Test CA", cert_list[0]->subject().common_name); |
| 516 } | 516 } |
| 517 | 517 |
| 518 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired | 518 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired |
| 519 // certificate. | 519 // certificate. |
| 520 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { | 520 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { |
| 521 // Need to import intermediate cert for the verify of google cert, otherwise | 521 // Need to import intermediate cert for the verify of google cert, otherwise |
| 522 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which | 522 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which |
| 523 // will cause OCSPCreateSession on the main thread, which is not allowed. | 523 // will cause OCSPCreateSession on the main thread, which is not allowed. |
| 524 CertificateList certs = CreateCertificateListFromFile( | 524 CertificateList certs = CreateCertificateListFromFile( |
| 525 GetTestCertsDirectory(), "google.chain.pem", | 525 GetTestCertsDirectory(), "google.chain.pem", |
| 526 X509Certificate::FORMAT_AUTO); | 526 X509Certificate::FORMAT_AUTO); |
| 527 ASSERT_EQ(2U, certs.size()); | 527 ASSERT_EQ(2U, certs.size()); |
| 528 | 528 |
| 529 CertDatabase::ImportCertFailureList failed; | 529 NSSCertDatabase::ImportCertFailureList failed; |
| 530 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, | 530 EXPECT_TRUE(cert_db_.ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 531 &failed)); | 531 &failed)); |
| 532 | 532 |
| 533 EXPECT_EQ(0U, failed.size()); | 533 EXPECT_EQ(0U, failed.size()); |
| 534 | 534 |
| 535 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 535 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 536 ASSERT_EQ(2U, cert_list.size()); | 536 ASSERT_EQ(2U, cert_list.size()); |
| 537 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); | 537 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); |
| 538 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); | 538 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); |
| 539 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); | 539 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); |
| 540 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 540 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
| 541 | 541 |
| 542 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, | 542 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 543 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); | 543 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| 544 | 544 |
| 545 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); | 545 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); |
| 546 | 546 |
| 547 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 547 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 548 int flags = 0; | 548 int flags = 0; |
| 549 CertVerifyResult verify_result; | 549 CertVerifyResult verify_result; |
| 550 int error = verify_proc->Verify(goog_cert, "www.google.com", flags, | 550 int error = verify_proc->Verify(goog_cert, "www.google.com", flags, |
| 551 NULL, &verify_result); | 551 NULL, &verify_result); |
| 552 EXPECT_EQ(OK, error); | 552 EXPECT_EQ(OK, error); |
| 553 EXPECT_EQ(0U, verify_result.cert_status); | 553 EXPECT_EQ(0U, verify_result.cert_status); |
| 554 } | 554 } |
| 555 | 555 |
| 556 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 556 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| 557 CertificateList certs; | 557 CertificateList certs; |
| 558 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 558 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 559 | 559 |
| 560 CertDatabase::ImportCertFailureList failed; | 560 NSSCertDatabase::ImportCertFailureList failed; |
| 561 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, | 561 EXPECT_TRUE(cert_db_.ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 562 &failed)); | 562 &failed)); |
| 563 | 563 |
| 564 EXPECT_EQ(0U, failed.size()); | 564 EXPECT_EQ(0U, failed.size()); |
| 565 | 565 |
| 566 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 566 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 567 ASSERT_EQ(1U, cert_list.size()); | 567 ASSERT_EQ(1U, cert_list.size()); |
| 568 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 568 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 569 | 569 |
| 570 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, | 570 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 571 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); | 571 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 572 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); | 572 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); |
| 573 | 573 |
| 574 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 574 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 575 int flags = 0; | 575 int flags = 0; |
| 576 CertVerifyResult verify_result; | 576 CertVerifyResult verify_result; |
| 577 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, | 577 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, |
| 578 NULL, &verify_result); | 578 NULL, &verify_result); |
| 579 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 579 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 580 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 580 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 581 } | 581 } |
| 582 | 582 |
| 583 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { | 583 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { |
| 584 // When using CERT_PKIXVerifyCert (which we do), server trust only works from | 584 // When using CERT_PKIXVerifyCert (which we do), server trust only works from |
| 585 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364. | 585 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364. |
| 586 if (!NSS_VersionCheck("3.13.4")) { | 586 if (!NSS_VersionCheck("3.13.4")) { |
| 587 LOG(INFO) << "test skipped on NSS < 3.13.4"; | 587 LOG(INFO) << "test skipped on NSS < 3.13.4"; |
| 588 return; | 588 return; |
| 589 } | 589 } |
| 590 | 590 |
| 591 CertificateList certs; | 591 CertificateList certs; |
| 592 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 592 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 593 | 593 |
| 594 CertDatabase::ImportCertFailureList failed; | 594 NSSCertDatabase::ImportCertFailureList failed; |
| 595 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUSTED_SSL, | 595 EXPECT_TRUE(cert_db_.ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, |
| 596 &failed)); | 596 &failed)); |
| 597 | 597 |
| 598 EXPECT_EQ(0U, failed.size()); | 598 EXPECT_EQ(0U, failed.size()); |
| 599 | 599 |
| 600 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 600 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 601 ASSERT_EQ(1U, cert_list.size()); | 601 ASSERT_EQ(1U, cert_list.size()); |
| 602 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 602 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 603 | 603 |
| 604 EXPECT_EQ(CertDatabase::TRUSTED_SSL, | 604 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, |
| 605 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); | 605 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 606 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), | 606 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), |
| 607 puny_cert->os_cert_handle()->trust->sslFlags); | 607 puny_cert->os_cert_handle()->trust->sslFlags); |
| 608 | 608 |
| 609 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 609 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 610 int flags = 0; | 610 int flags = 0; |
| 611 CertVerifyResult verify_result; | 611 CertVerifyResult verify_result; |
| 612 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, | 612 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, |
| 613 NULL, &verify_result); | 613 NULL, &verify_result); |
| 614 EXPECT_EQ(OK, error); | 614 EXPECT_EQ(OK, error); |
| 615 EXPECT_EQ(0U, verify_result.cert_status); | 615 EXPECT_EQ(0U, verify_result.cert_status); |
| 616 } | 616 } |
| 617 | 617 |
| 618 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { | 618 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { |
| 619 CertificateList ca_certs = CreateCertificateListFromFile( | 619 CertificateList ca_certs = CreateCertificateListFromFile( |
| 620 GetTestCertsDirectory(), "root_ca_cert.crt", | 620 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 621 X509Certificate::FORMAT_AUTO); | 621 X509Certificate::FORMAT_AUTO); |
| 622 ASSERT_EQ(1U, ca_certs.size()); | 622 ASSERT_EQ(1U, ca_certs.size()); |
| 623 | 623 |
| 624 // Import CA cert and trust it. | 624 // Import CA cert and trust it. |
| 625 CertDatabase::ImportCertFailureList failed; | 625 NSSCertDatabase::ImportCertFailureList failed; |
| 626 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, | 626 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL, |
| 627 &failed)); | 627 &failed)); |
| 628 EXPECT_EQ(0U, failed.size()); | 628 EXPECT_EQ(0U, failed.size()); |
| 629 | 629 |
| 630 CertificateList certs = CreateCertificateListFromFile( | 630 CertificateList certs = CreateCertificateListFromFile( |
| 631 GetTestCertsDirectory(), "ok_cert.pem", | 631 GetTestCertsDirectory(), "ok_cert.pem", |
| 632 X509Certificate::FORMAT_AUTO); | 632 X509Certificate::FORMAT_AUTO); |
| 633 ASSERT_EQ(1U, certs.size()); | 633 ASSERT_EQ(1U, certs.size()); |
| 634 | 634 |
| 635 // Import server cert with default trust. | 635 // Import server cert with default trust. |
| 636 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, | 636 EXPECT_TRUE(cert_db_.ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 637 &failed)); | 637 &failed)); |
| 638 EXPECT_EQ(0U, failed.size()); | 638 EXPECT_EQ(0U, failed.size()); |
| 639 | 639 |
| 640 // Server cert should verify. | 640 // Server cert should verify. |
| 641 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 641 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 642 int flags = 0; | 642 int flags = 0; |
| 643 CertVerifyResult verify_result; | 643 CertVerifyResult verify_result; |
| 644 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 644 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 645 NULL, &verify_result); | 645 NULL, &verify_result); |
| 646 EXPECT_EQ(OK, error); | 646 EXPECT_EQ(OK, error); |
| 647 EXPECT_EQ(0U, verify_result.cert_status); | 647 EXPECT_EQ(0U, verify_result.cert_status); |
| 648 } | 648 } |
| 649 | 649 |
| 650 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { | 650 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { |
| 651 // Explicit distrust only works starting in NSS 3.13. | 651 // Explicit distrust only works starting in NSS 3.13. |
| 652 if (!NSS_VersionCheck("3.13")) { | 652 if (!NSS_VersionCheck("3.13")) { |
| 653 LOG(INFO) << "test skipped on NSS < 3.13"; | 653 LOG(INFO) << "test skipped on NSS < 3.13"; |
| 654 return; | 654 return; |
| 655 } | 655 } |
| 656 | 656 |
| 657 CertificateList ca_certs = CreateCertificateListFromFile( | 657 CertificateList ca_certs = CreateCertificateListFromFile( |
| 658 GetTestCertsDirectory(), "root_ca_cert.crt", | 658 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 659 X509Certificate::FORMAT_AUTO); | 659 X509Certificate::FORMAT_AUTO); |
| 660 ASSERT_EQ(1U, ca_certs.size()); | 660 ASSERT_EQ(1U, ca_certs.size()); |
| 661 | 661 |
| 662 // Import CA cert and trust it. | 662 // Import CA cert and trust it. |
| 663 CertDatabase::ImportCertFailureList failed; | 663 NSSCertDatabase::ImportCertFailureList failed; |
| 664 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, | 664 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL, |
| 665 &failed)); | 665 &failed)); |
| 666 EXPECT_EQ(0U, failed.size()); | 666 EXPECT_EQ(0U, failed.size()); |
| 667 | 667 |
| 668 CertificateList certs = CreateCertificateListFromFile( | 668 CertificateList certs = CreateCertificateListFromFile( |
| 669 GetTestCertsDirectory(), "ok_cert.pem", | 669 GetTestCertsDirectory(), "ok_cert.pem", |
| 670 X509Certificate::FORMAT_AUTO); | 670 X509Certificate::FORMAT_AUTO); |
| 671 ASSERT_EQ(1U, certs.size()); | 671 ASSERT_EQ(1U, certs.size()); |
| 672 | 672 |
| 673 // Import server cert without inheriting trust from issuer (explicit | 673 // Import server cert without inheriting trust from issuer (explicit |
| 674 // distrust). | 674 // distrust). |
| 675 EXPECT_TRUE(cert_db_.ImportServerCert( | 675 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 676 certs, CertDatabase::DISTRUSTED_SSL, &failed)); | 676 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed)); |
| 677 EXPECT_EQ(0U, failed.size()); | 677 EXPECT_EQ(0U, failed.size()); |
| 678 EXPECT_EQ(CertDatabase::DISTRUSTED_SSL, | 678 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL, |
| 679 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); | 679 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 680 | 680 |
| 681 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | 681 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 682 certs[0]->os_cert_handle()->trust->sslFlags); | 682 certs[0]->os_cert_handle()->trust->sslFlags); |
| 683 | 683 |
| 684 // Server cert should fail to verify. | 684 // Server cert should fail to verify. |
| 685 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 685 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 686 int flags = 0; | 686 int flags = 0; |
| 687 CertVerifyResult verify_result; | 687 CertVerifyResult verify_result; |
| 688 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 688 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 689 NULL, &verify_result); | 689 NULL, &verify_result); |
| 690 EXPECT_EQ(ERR_CERT_REVOKED, error); | 690 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 691 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); | 691 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 692 } | 692 } |
| 693 | 693 |
| 694 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { | 694 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { |
| 695 CertificateList ca_certs = CreateCertificateListFromFile( | 695 CertificateList ca_certs = CreateCertificateListFromFile( |
| 696 GetTestCertsDirectory(), "2048-rsa-root.pem", | 696 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 697 X509Certificate::FORMAT_AUTO); | 697 X509Certificate::FORMAT_AUTO); |
| 698 ASSERT_EQ(1U, ca_certs.size()); | 698 ASSERT_EQ(1U, ca_certs.size()); |
| 699 | 699 |
| 700 // Import Root CA cert and distrust it. | 700 // Import Root CA cert and distrust it. |
| 701 CertDatabase::ImportCertFailureList failed; | 701 NSSCertDatabase::ImportCertFailureList failed; |
| 702 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::DISTRUSTED_SSL, | 702 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL, |
| 703 &failed)); | 703 &failed)); |
| 704 EXPECT_EQ(0U, failed.size()); | 704 EXPECT_EQ(0U, failed.size()); |
| 705 | 705 |
| 706 CertificateList intermediate_certs = CreateCertificateListFromFile( | 706 CertificateList intermediate_certs = CreateCertificateListFromFile( |
| 707 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", | 707 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", |
| 708 X509Certificate::FORMAT_AUTO); | 708 X509Certificate::FORMAT_AUTO); |
| 709 ASSERT_EQ(1U, intermediate_certs.size()); | 709 ASSERT_EQ(1U, intermediate_certs.size()); |
| 710 | 710 |
| 711 // Import Intermediate CA cert and trust it. | 711 // Import Intermediate CA cert and trust it. |
| 712 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, | 712 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, |
| 713 CertDatabase::TRUSTED_SSL, &failed)); | 713 NSSCertDatabase::TRUSTED_SSL, &failed)); |
| 714 EXPECT_EQ(0U, failed.size()); | 714 EXPECT_EQ(0U, failed.size()); |
| 715 | 715 |
| 716 CertificateList certs = CreateCertificateListFromFile( | 716 CertificateList certs = CreateCertificateListFromFile( |
| 717 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", | 717 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 718 X509Certificate::FORMAT_AUTO); | 718 X509Certificate::FORMAT_AUTO); |
| 719 ASSERT_EQ(1U, certs.size()); | 719 ASSERT_EQ(1U, certs.size()); |
| 720 | 720 |
| 721 // Import server cert with default trust. | 721 // Import server cert with default trust. |
| 722 EXPECT_TRUE(cert_db_.ImportServerCert( | 722 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 723 certs, CertDatabase::TRUST_DEFAULT, &failed)); | 723 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 724 EXPECT_EQ(0U, failed.size()); | 724 EXPECT_EQ(0U, failed.size()); |
| 725 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, | 725 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 726 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); | 726 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 727 | 727 |
| 728 // Server cert should verify. | 728 // Server cert should verify. |
| 729 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 729 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 730 int flags = 0; | 730 int flags = 0; |
| 731 CertVerifyResult verify_result; | 731 CertVerifyResult verify_result; |
| 732 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 732 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 733 NULL, &verify_result); | 733 NULL, &verify_result); |
| 734 EXPECT_EQ(OK, error); | 734 EXPECT_EQ(OK, error); |
| 735 EXPECT_EQ(0U, verify_result.cert_status); | 735 EXPECT_EQ(0U, verify_result.cert_status); |
| 736 | 736 |
| 737 // Explicit distrust only works starting in NSS 3.13. | 737 // Explicit distrust only works starting in NSS 3.13. |
| 738 if (!NSS_VersionCheck("3.13")) { | 738 if (!NSS_VersionCheck("3.13")) { |
| 739 LOG(INFO) << "test partially skipped on NSS < 3.13"; | 739 LOG(INFO) << "test partially skipped on NSS < 3.13"; |
| 740 return; | 740 return; |
| 741 } | 741 } |
| 742 | 742 |
| 743 // Trust the root cert and distrust the intermediate. | 743 // Trust the root cert and distrust the intermediate. |
| 744 EXPECT_TRUE(cert_db_.SetCertTrust( | 744 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 745 ca_certs[0], CA_CERT, CertDatabase::TRUSTED_SSL)); | 745 ca_certs[0], CA_CERT, NSSCertDatabase::TRUSTED_SSL)); |
| 746 EXPECT_TRUE(cert_db_.SetCertTrust( | 746 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 747 intermediate_certs[0], CA_CERT, CertDatabase::DISTRUSTED_SSL)); | 747 intermediate_certs[0], CA_CERT, NSSCertDatabase::DISTRUSTED_SSL)); |
| 748 EXPECT_EQ( | 748 EXPECT_EQ( |
| 749 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), | 749 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), |
| 750 ca_certs[0]->os_cert_handle()->trust->sslFlags); | 750 ca_certs[0]->os_cert_handle()->trust->sslFlags); |
| 751 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 751 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 752 ca_certs[0]->os_cert_handle()->trust->emailFlags); | 752 ca_certs[0]->os_cert_handle()->trust->emailFlags); |
| 753 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 753 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 754 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); | 754 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 755 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | 755 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 756 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); | 756 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); |
| 757 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 757 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 758 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); | 758 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); |
| 759 EXPECT_EQ( | 759 EXPECT_EQ( |
| 760 unsigned(CERTDB_VALID_CA), | 760 unsigned(CERTDB_VALID_CA), |
| 761 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); | 761 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 762 | 762 |
| 763 // Server cert should fail to verify. | 763 // Server cert should fail to verify. |
| 764 CertVerifyResult verify_result2; | 764 CertVerifyResult verify_result2; |
| 765 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 765 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 766 NULL, &verify_result2); | 766 NULL, &verify_result2); |
| 767 EXPECT_EQ(ERR_CERT_REVOKED, error); | 767 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 768 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); | 768 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); |
| 769 } | 769 } |
| 770 | 770 |
| 771 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { | 771 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { |
| 772 CertDatabase::ImportCertFailureList failed; | 772 NSSCertDatabase::ImportCertFailureList failed; |
| 773 | 773 |
| 774 CertificateList intermediate_certs = CreateCertificateListFromFile( | 774 CertificateList intermediate_certs = CreateCertificateListFromFile( |
| 775 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", | 775 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", |
| 776 X509Certificate::FORMAT_AUTO); | 776 X509Certificate::FORMAT_AUTO); |
| 777 ASSERT_EQ(1U, intermediate_certs.size()); | 777 ASSERT_EQ(1U, intermediate_certs.size()); |
| 778 | 778 |
| 779 // Import Intermediate CA cert and trust it. | 779 // Import Intermediate CA cert and trust it. |
| 780 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, | 780 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, |
| 781 CertDatabase::TRUSTED_SSL, &failed)); | 781 NSSCertDatabase::TRUSTED_SSL, &failed)); |
| 782 EXPECT_EQ(0U, failed.size()); | 782 EXPECT_EQ(0U, failed.size()); |
| 783 | 783 |
| 784 CertificateList certs = CreateCertificateListFromFile( | 784 CertificateList certs = CreateCertificateListFromFile( |
| 785 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", | 785 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 786 X509Certificate::FORMAT_AUTO); | 786 X509Certificate::FORMAT_AUTO); |
| 787 ASSERT_EQ(1U, certs.size()); | 787 ASSERT_EQ(1U, certs.size()); |
| 788 | 788 |
| 789 // Import server cert with default trust. | 789 // Import server cert with default trust. |
| 790 EXPECT_TRUE(cert_db_.ImportServerCert( | 790 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 791 certs, CertDatabase::TRUST_DEFAULT, &failed)); | 791 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 792 EXPECT_EQ(0U, failed.size()); | 792 EXPECT_EQ(0U, failed.size()); |
| 793 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, | 793 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 794 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); | 794 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 795 | 795 |
| 796 // Server cert should verify. | 796 // Server cert should verify. |
| 797 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 797 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 798 int flags = 0; | 798 int flags = 0; |
| 799 CertVerifyResult verify_result; | 799 CertVerifyResult verify_result; |
| 800 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 800 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 801 NULL, &verify_result); | 801 NULL, &verify_result); |
| 802 EXPECT_EQ(OK, error); | 802 EXPECT_EQ(OK, error); |
| 803 EXPECT_EQ(0U, verify_result.cert_status); | 803 EXPECT_EQ(0U, verify_result.cert_status); |
| 804 | 804 |
| 805 // Without explicit trust of the intermediate, verification should fail. | 805 // Without explicit trust of the intermediate, verification should fail. |
| 806 EXPECT_TRUE(cert_db_.SetCertTrust( | 806 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 807 intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); | 807 intermediate_certs[0], CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 808 | 808 |
| 809 // Server cert should fail to verify. | 809 // Server cert should fail to verify. |
| 810 CertVerifyResult verify_result2; | 810 CertVerifyResult verify_result2; |
| 811 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 811 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 812 NULL, &verify_result2); | 812 NULL, &verify_result2); |
| 813 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 813 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 814 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); | 814 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 815 } | 815 } |
| 816 | 816 |
| 817 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { | 817 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { |
| 818 CertDatabase::ImportCertFailureList failed; | 818 NSSCertDatabase::ImportCertFailureList failed; |
| 819 | 819 |
| 820 CertificateList ca_certs = CreateCertificateListFromFile( | 820 CertificateList ca_certs = CreateCertificateListFromFile( |
| 821 GetTestCertsDirectory(), "2048-rsa-root.pem", | 821 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 822 X509Certificate::FORMAT_AUTO); | 822 X509Certificate::FORMAT_AUTO); |
| 823 ASSERT_EQ(1U, ca_certs.size()); | 823 ASSERT_EQ(1U, ca_certs.size()); |
| 824 | 824 |
| 825 // Import Root CA cert and default trust it. | 825 // Import Root CA cert and default trust it. |
| 826 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUST_DEFAULT, | 826 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT, |
| 827 &failed)); | 827 &failed)); |
| 828 EXPECT_EQ(0U, failed.size()); | 828 EXPECT_EQ(0U, failed.size()); |
| 829 | 829 |
| 830 CertificateList intermediate_certs = CreateCertificateListFromFile( | 830 CertificateList intermediate_certs = CreateCertificateListFromFile( |
| 831 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", | 831 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", |
| 832 X509Certificate::FORMAT_AUTO); | 832 X509Certificate::FORMAT_AUTO); |
| 833 ASSERT_EQ(1U, intermediate_certs.size()); | 833 ASSERT_EQ(1U, intermediate_certs.size()); |
| 834 | 834 |
| 835 // Import Intermediate CA cert and trust it. | 835 // Import Intermediate CA cert and trust it. |
| 836 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, | 836 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, |
| 837 CertDatabase::TRUSTED_SSL, &failed)); | 837 NSSCertDatabase::TRUSTED_SSL, &failed)); |
| 838 EXPECT_EQ(0U, failed.size()); | 838 EXPECT_EQ(0U, failed.size()); |
| 839 | 839 |
| 840 CertificateList certs = CreateCertificateListFromFile( | 840 CertificateList certs = CreateCertificateListFromFile( |
| 841 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", | 841 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 842 X509Certificate::FORMAT_AUTO); | 842 X509Certificate::FORMAT_AUTO); |
| 843 ASSERT_EQ(1U, certs.size()); | 843 ASSERT_EQ(1U, certs.size()); |
| 844 | 844 |
| 845 // Import server cert with default trust. | 845 // Import server cert with default trust. |
| 846 EXPECT_TRUE(cert_db_.ImportServerCert( | 846 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 847 certs, CertDatabase::TRUST_DEFAULT, &failed)); | 847 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 848 EXPECT_EQ(0U, failed.size()); | 848 EXPECT_EQ(0U, failed.size()); |
| 849 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, | 849 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 850 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); | 850 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 851 | 851 |
| 852 // Server cert should verify. | 852 // Server cert should verify. |
| 853 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 853 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 854 int flags = 0; | 854 int flags = 0; |
| 855 CertVerifyResult verify_result; | 855 CertVerifyResult verify_result; |
| 856 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 856 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 857 NULL, &verify_result); | 857 NULL, &verify_result); |
| 858 EXPECT_EQ(OK, error); | 858 EXPECT_EQ(OK, error); |
| 859 EXPECT_EQ(0U, verify_result.cert_status); | 859 EXPECT_EQ(0U, verify_result.cert_status); |
| 860 | 860 |
| 861 // Without explicit trust of the intermediate, verification should fail. | 861 // Without explicit trust of the intermediate, verification should fail. |
| 862 EXPECT_TRUE(cert_db_.SetCertTrust( | 862 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 863 intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); | 863 intermediate_certs[0], CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 864 | 864 |
| 865 // Server cert should fail to verify. | 865 // Server cert should fail to verify. |
| 866 CertVerifyResult verify_result2; | 866 CertVerifyResult verify_result2; |
| 867 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 867 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 868 NULL, &verify_result2); | 868 NULL, &verify_result2); |
| 869 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 869 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 870 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); | 870 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 871 } | 871 } |
| 872 | 872 |
| 873 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { | 873 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { |
| 874 // Explicit distrust only works starting in NSS 3.13. | 874 // Explicit distrust only works starting in NSS 3.13. |
| 875 if (!NSS_VersionCheck("3.13")) { | 875 if (!NSS_VersionCheck("3.13")) { |
| 876 LOG(INFO) << "test skipped on NSS < 3.13"; | 876 LOG(INFO) << "test skipped on NSS < 3.13"; |
| 877 return; | 877 return; |
| 878 } | 878 } |
| 879 | 879 |
| 880 CertDatabase::ImportCertFailureList failed; | 880 NSSCertDatabase::ImportCertFailureList failed; |
| 881 | 881 |
| 882 CertificateList ca_certs = CreateCertificateListFromFile( | 882 CertificateList ca_certs = CreateCertificateListFromFile( |
| 883 GetTestCertsDirectory(), "2048-rsa-root.pem", | 883 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 884 X509Certificate::FORMAT_AUTO); | 884 X509Certificate::FORMAT_AUTO); |
| 885 ASSERT_EQ(1U, ca_certs.size()); | 885 ASSERT_EQ(1U, ca_certs.size()); |
| 886 | 886 |
| 887 // Import Root CA cert and trust it. | 887 // Import Root CA cert and trust it. |
| 888 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, | 888 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL, |
| 889 &failed)); | 889 &failed)); |
| 890 EXPECT_EQ(0U, failed.size()); | 890 EXPECT_EQ(0U, failed.size()); |
| 891 | 891 |
| 892 CertificateList intermediate_certs = CreateCertificateListFromFile( | 892 CertificateList intermediate_certs = CreateCertificateListFromFile( |
| 893 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", | 893 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", |
| 894 X509Certificate::FORMAT_AUTO); | 894 X509Certificate::FORMAT_AUTO); |
| 895 ASSERT_EQ(1U, intermediate_certs.size()); | 895 ASSERT_EQ(1U, intermediate_certs.size()); |
| 896 | 896 |
| 897 // Import Intermediate CA cert and distrust it. | 897 // Import Intermediate CA cert and distrust it. |
| 898 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, | 898 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, |
| 899 CertDatabase::DISTRUSTED_SSL, &failed)); | 899 NSSCertDatabase::DISTRUSTED_SSL, &failed)); |
| 900 EXPECT_EQ(0U, failed.size()); | 900 EXPECT_EQ(0U, failed.size()); |
| 901 | 901 |
| 902 CertificateList certs = CreateCertificateListFromFile( | 902 CertificateList certs = CreateCertificateListFromFile( |
| 903 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", | 903 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 904 X509Certificate::FORMAT_AUTO); | 904 X509Certificate::FORMAT_AUTO); |
| 905 ASSERT_EQ(1U, certs.size()); | 905 ASSERT_EQ(1U, certs.size()); |
| 906 | 906 |
| 907 // Import server cert with default trust. | 907 // Import server cert with default trust. |
| 908 EXPECT_TRUE(cert_db_.ImportServerCert( | 908 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 909 certs, CertDatabase::TRUST_DEFAULT, &failed)); | 909 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 910 EXPECT_EQ(0U, failed.size()); | 910 EXPECT_EQ(0U, failed.size()); |
| 911 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, | 911 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 912 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); | 912 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 913 | 913 |
| 914 // Server cert should not verify. | 914 // Server cert should not verify. |
| 915 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 915 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 916 int flags = 0; | 916 int flags = 0; |
| 917 CertVerifyResult verify_result; | 917 CertVerifyResult verify_result; |
| 918 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 918 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 919 NULL, &verify_result); | 919 NULL, &verify_result); |
| 920 EXPECT_EQ(ERR_CERT_REVOKED, error); | 920 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 921 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); | 921 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 922 | 922 |
| 923 // Without explicit distrust of the intermediate, verification should succeed. | 923 // Without explicit distrust of the intermediate, verification should succeed. |
| 924 EXPECT_TRUE(cert_db_.SetCertTrust( | 924 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 925 intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); | 925 intermediate_certs[0], CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 926 | 926 |
| 927 // Server cert should verify. | 927 // Server cert should verify. |
| 928 CertVerifyResult verify_result2; | 928 CertVerifyResult verify_result2; |
| 929 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 929 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 930 NULL, &verify_result2); | 930 NULL, &verify_result2); |
| 931 EXPECT_EQ(OK, error); | 931 EXPECT_EQ(OK, error); |
| 932 EXPECT_EQ(0U, verify_result2.cert_status); | 932 EXPECT_EQ(0U, verify_result2.cert_status); |
| 933 } | 933 } |
| 934 | 934 |
| 935 } // namespace net | 935 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10916094:
Move the NSS functions out of CertDatabase into a new NSSCertDatabase class. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src