| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h" | 5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
| 9 #include "base/callback.h" | 9 #include "base/callback.h" |
| 10 #include "base/memory/ref_counted.h" | 10 #include "base/memory/ref_counted.h" |
| (...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 59 test_ca_cert_list_.push_back(test_ca_cert_); | 59 test_ca_cert_list_.push_back(test_ca_cert_); |
| 60 } | 60 } |
| 61 | 61 |
| 62 void TearDown() override { | 62 void TearDown() override { |
| 63 // Destroy |cert_verifier_| before destroying the ThreadBundle, otherwise | 63 // Destroy |cert_verifier_| before destroying the ThreadBundle, otherwise |
| 64 // BrowserThread::CurrentlyOn checks fail. | 64 // BrowserThread::CurrentlyOn checks fail. |
| 65 cert_verifier_.reset(); | 65 cert_verifier_.reset(); |
| 66 } | 66 } |
| 67 | 67 |
| 68 protected: | 68 protected: |
| 69 int VerifyTestServerCert(const net::TestCompletionCallback& test_callback, | 69 int VerifyTestServerCert( |
| 70 net::CertVerifyResult* verify_result, | 70 const net::TestCompletionCallback& test_callback, |
| 71 net::CertVerifier::RequestHandle* request_handle) { | 71 net::CertVerifyResult* verify_result, |
| 72 scoped_ptr<net::CertVerifier::Request>* request_handle) { |
| 72 return cert_verifier_->Verify(test_server_cert_.get(), "127.0.0.1", | 73 return cert_verifier_->Verify(test_server_cert_.get(), "127.0.0.1", |
| 73 std::string(), 0, NULL, verify_result, | 74 std::string(), 0, NULL, verify_result, |
| 74 test_callback.callback(), request_handle, | 75 test_callback.callback(), request_handle, |
| 75 net::BoundNetLog()); | 76 net::BoundNetLog()); |
| 76 } | 77 } |
| 77 | 78 |
| 78 bool SupportsAdditionalTrustAnchors() { | 79 bool SupportsAdditionalTrustAnchors() { |
| 79 scoped_refptr<net::CertVerifyProc> proc = | 80 scoped_refptr<net::CertVerifyProc> proc = |
| 80 net::CertVerifyProc::CreateDefault(); | 81 net::CertVerifyProc::CreateDefault(); |
| 81 return proc->SupportsAdditionalTrustAnchors(); | 82 return proc->SupportsAdditionalTrustAnchors(); |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 119 bool trust_anchor_used_; | 120 bool trust_anchor_used_; |
| 120 crypto::ScopedTestNSSChromeOSUser test_nss_user_; | 121 crypto::ScopedTestNSSChromeOSUser test_nss_user_; |
| 121 content::TestBrowserThreadBundle thread_bundle_; | 122 content::TestBrowserThreadBundle thread_bundle_; |
| 122 }; | 123 }; |
| 123 | 124 |
| 124 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) { | 125 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) { |
| 125 // |test_server_cert_| is untrusted, so Verify() fails. | 126 // |test_server_cert_| is untrusted, so Verify() fails. |
| 126 { | 127 { |
| 127 net::CertVerifyResult verify_result; | 128 net::CertVerifyResult verify_result; |
| 128 net::TestCompletionCallback callback; | 129 net::TestCompletionCallback callback; |
| 129 net::CertVerifier::RequestHandle request_handle = NULL; | 130 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 130 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 131 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 131 ASSERT_EQ(net::ERR_IO_PENDING, error); | 132 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 132 EXPECT_TRUE(request_handle); | 133 EXPECT_TRUE(request_handle); |
| 133 error = callback.WaitForResult(); | 134 error = callback.WaitForResult(); |
| 134 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 135 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 135 } | 136 } |
| 136 | 137 |
| 137 // Issuing the same request again hits the cache. This tests the synchronous | 138 // Issuing the same request again hits the cache. This tests the synchronous |
| 138 // path. | 139 // path. |
| 139 { | 140 { |
| 140 net::CertVerifyResult verify_result; | 141 net::CertVerifyResult verify_result; |
| 141 net::TestCompletionCallback callback; | 142 net::TestCompletionCallback callback; |
| 142 net::CertVerifier::RequestHandle request_handle = NULL; | 143 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 143 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 144 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 144 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 145 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 145 } | 146 } |
| 146 | 147 |
| 147 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 148 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
| 148 } | 149 } |
| 149 | 150 |
| 150 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) { | 151 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) { |
| 151 // Make the database trust |test_ca_cert_|. | 152 // Make the database trust |test_ca_cert_|. |
| 152 net::NSSCertDatabase::ImportCertFailureList failure_list; | 153 net::NSSCertDatabase::ImportCertFailureList failure_list; |
| 153 ASSERT_TRUE(test_cert_db_->ImportCACerts( | 154 ASSERT_TRUE(test_cert_db_->ImportCACerts( |
| 154 test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list)); | 155 test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list)); |
| 155 ASSERT_TRUE(failure_list.empty()); | 156 ASSERT_TRUE(failure_list.empty()); |
| 156 | 157 |
| 157 // Verify that it is now trusted. | 158 // Verify that it is now trusted. |
| 158 net::NSSCertDatabase::TrustBits trust = | 159 net::NSSCertDatabase::TrustBits trust = |
| 159 test_cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT); | 160 test_cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT); |
| 160 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust); | 161 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust); |
| 161 | 162 |
| 162 // Verify() successfully verifies |test_server_cert_| after it was imported. | 163 // Verify() successfully verifies |test_server_cert_| after it was imported. |
| 163 net::CertVerifyResult verify_result; | 164 net::CertVerifyResult verify_result; |
| 164 net::TestCompletionCallback callback; | 165 net::TestCompletionCallback callback; |
| 165 net::CertVerifier::RequestHandle request_handle = NULL; | 166 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 166 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 167 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 167 ASSERT_EQ(net::ERR_IO_PENDING, error); | 168 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 168 EXPECT_TRUE(request_handle); | 169 EXPECT_TRUE(request_handle); |
| 169 error = callback.WaitForResult(); | 170 error = callback.WaitForResult(); |
| 170 EXPECT_EQ(net::OK, error); | 171 EXPECT_EQ(net::OK, error); |
| 171 | 172 |
| 172 // The additional trust anchors were not used, since the certificate is | 173 // The additional trust anchors were not used, since the certificate is |
| 173 // trusted from the database. | 174 // trusted from the database. |
| 174 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 175 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
| 175 } | 176 } |
| 176 | 177 |
| 177 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) { | 178 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) { |
| 178 ASSERT_TRUE(SupportsAdditionalTrustAnchors()); | 179 ASSERT_TRUE(SupportsAdditionalTrustAnchors()); |
| 179 | 180 |
| 180 // |test_server_cert_| is untrusted, so Verify() fails. | 181 // |test_server_cert_| is untrusted, so Verify() fails. |
| 181 { | 182 { |
| 182 net::CertVerifyResult verify_result; | 183 net::CertVerifyResult verify_result; |
| 183 net::TestCompletionCallback callback; | 184 net::TestCompletionCallback callback; |
| 184 net::CertVerifier::RequestHandle request_handle = NULL; | 185 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 185 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 186 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 186 ASSERT_EQ(net::ERR_IO_PENDING, error); | 187 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 187 EXPECT_TRUE(request_handle); | 188 EXPECT_TRUE(request_handle); |
| 188 error = callback.WaitForResult(); | 189 error = callback.WaitForResult(); |
| 189 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 190 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 190 } | 191 } |
| 191 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 192 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
| 192 | 193 |
| 193 // Verify() again with the additional trust anchors. | 194 // Verify() again with the additional trust anchors. |
| 194 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); | 195 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); |
| 195 { | 196 { |
| 196 net::CertVerifyResult verify_result; | 197 net::CertVerifyResult verify_result; |
| 197 net::TestCompletionCallback callback; | 198 net::TestCompletionCallback callback; |
| 198 net::CertVerifier::RequestHandle request_handle = NULL; | 199 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 199 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 200 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 200 ASSERT_EQ(net::ERR_IO_PENDING, error); | 201 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 201 EXPECT_TRUE(request_handle); | 202 EXPECT_TRUE(request_handle); |
| 202 error = callback.WaitForResult(); | 203 error = callback.WaitForResult(); |
| 203 EXPECT_EQ(net::OK, error); | 204 EXPECT_EQ(net::OK, error); |
| 204 } | 205 } |
| 205 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); | 206 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); |
| 206 | 207 |
| 207 // Verify() again with the additional trust anchors will hit the cache. | 208 // Verify() again with the additional trust anchors will hit the cache. |
| 208 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); | 209 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); |
| 209 { | 210 { |
| 210 net::CertVerifyResult verify_result; | 211 net::CertVerifyResult verify_result; |
| 211 net::TestCompletionCallback callback; | 212 net::TestCompletionCallback callback; |
| 212 net::CertVerifier::RequestHandle request_handle = NULL; | 213 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 213 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 214 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 214 EXPECT_EQ(net::OK, error); | 215 EXPECT_EQ(net::OK, error); |
| 215 } | 216 } |
| 216 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); | 217 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); |
| 217 | 218 |
| 218 // Verifying after removing the trust anchors should now fail. | 219 // Verifying after removing the trust anchors should now fail. |
| 219 cert_verifier_->SetTrustAnchors(net::CertificateList()); | 220 cert_verifier_->SetTrustAnchors(net::CertificateList()); |
| 220 { | 221 { |
| 221 net::CertVerifyResult verify_result; | 222 net::CertVerifyResult verify_result; |
| 222 net::TestCompletionCallback callback; | 223 net::TestCompletionCallback callback; |
| 223 net::CertVerifier::RequestHandle request_handle = NULL; | 224 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 224 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 225 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 225 // Note: this hits the cached result from the first Verify() in this test. | 226 // Note: this hits the cached result from the first Verify() in this test. |
| 226 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 227 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 227 } | 228 } |
| 228 // The additional trust anchors were reset, thus |cert_verifier_| should not | 229 // The additional trust anchors were reset, thus |cert_verifier_| should not |
| 229 // signal it's usage anymore. | 230 // signal it's usage anymore. |
| 230 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 231 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
| 231 } | 232 } |
| 232 | 233 |
| 233 } // namespace policy | 234 } // namespace policy |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1115903002:
Refactor the API for CertVerifier::Verify() and the implementation of MultiThreadedCertVerifier::Ver (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master