| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h" | 5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
| 9 #include "base/callback.h" | 9 #include "base/callback.h" |
| 10 #include "base/memory/ref_counted.h" | 10 #include "base/memory/ref_counted.h" |
| (...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 57 test_ca_cert_list_.push_back(test_ca_cert_); | 57 test_ca_cert_list_.push_back(test_ca_cert_); |
| 58 } | 58 } |
| 59 | 59 |
| 60 void TearDown() override { | 60 void TearDown() override { |
| 61 // Destroy |cert_verifier_| before destroying the ThreadBundle, otherwise | 61 // Destroy |cert_verifier_| before destroying the ThreadBundle, otherwise |
| 62 // BrowserThread::CurrentlyOn checks fail. | 62 // BrowserThread::CurrentlyOn checks fail. |
| 63 cert_verifier_.reset(); | 63 cert_verifier_.reset(); |
| 64 } | 64 } |
| 65 | 65 |
| 66 protected: | 66 protected: |
| 67 int VerifyTestServerCert(const net::TestCompletionCallback& test_callback, | 67 int VerifyTestServerCert( |
| 68 net::CertVerifyResult* verify_result, | 68 const net::TestCompletionCallback& test_callback, |
| 69 net::CertVerifier::RequestHandle* request_handle) { | 69 net::CertVerifyResult* verify_result, |
| 70 scoped_ptr<net::CertVerifier::Request>* request_handle) { |
| 70 return cert_verifier_->Verify(test_server_cert_.get(), "127.0.0.1", | 71 return cert_verifier_->Verify(test_server_cert_.get(), "127.0.0.1", |
| 71 std::string(), 0, NULL, verify_result, | 72 std::string(), 0, NULL, verify_result, |
| 72 test_callback.callback(), request_handle, | 73 test_callback.callback(), request_handle, |
| 73 net::BoundNetLog()); | 74 net::BoundNetLog()); |
| 74 } | 75 } |
| 75 | 76 |
| 76 bool SupportsAdditionalTrustAnchors() { | 77 bool SupportsAdditionalTrustAnchors() { |
| 77 scoped_refptr<net::CertVerifyProc> proc = | 78 scoped_refptr<net::CertVerifyProc> proc = |
| 78 net::CertVerifyProc::CreateDefault(); | 79 net::CertVerifyProc::CreateDefault(); |
| 79 return proc->SupportsAdditionalTrustAnchors(); | 80 return proc->SupportsAdditionalTrustAnchors(); |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 117 bool trust_anchor_used_; | 118 bool trust_anchor_used_; |
| 118 crypto::ScopedTestNSSChromeOSUser test_nss_user_; | 119 crypto::ScopedTestNSSChromeOSUser test_nss_user_; |
| 119 content::TestBrowserThreadBundle thread_bundle_; | 120 content::TestBrowserThreadBundle thread_bundle_; |
| 120 }; | 121 }; |
| 121 | 122 |
| 122 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) { | 123 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) { |
| 123 // |test_server_cert_| is untrusted, so Verify() fails. | 124 // |test_server_cert_| is untrusted, so Verify() fails. |
| 124 { | 125 { |
| 125 net::CertVerifyResult verify_result; | 126 net::CertVerifyResult verify_result; |
| 126 net::TestCompletionCallback callback; | 127 net::TestCompletionCallback callback; |
| 127 net::CertVerifier::RequestHandle request_handle = NULL; | 128 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 128 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 129 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 129 ASSERT_EQ(net::ERR_IO_PENDING, error); | 130 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 130 EXPECT_TRUE(request_handle); | 131 EXPECT_TRUE(request_handle); |
| 131 error = callback.WaitForResult(); | 132 error = callback.WaitForResult(); |
| 132 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 133 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 133 } | 134 } |
| 134 | 135 |
| 135 // Issuing the same request again hits the cache. This tests the synchronous | 136 // Issuing the same request again hits the cache. This tests the synchronous |
| 136 // path. | 137 // path. |
| 137 { | 138 { |
| 138 net::CertVerifyResult verify_result; | 139 net::CertVerifyResult verify_result; |
| 139 net::TestCompletionCallback callback; | 140 net::TestCompletionCallback callback; |
| 140 net::CertVerifier::RequestHandle request_handle = NULL; | 141 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 141 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 142 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 142 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 143 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 143 } | 144 } |
| 144 | 145 |
| 145 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 146 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
| 146 } | 147 } |
| 147 | 148 |
| 148 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) { | 149 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) { |
| 149 // Make the database trust |test_ca_cert_|. | 150 // Make the database trust |test_ca_cert_|. |
| 150 net::NSSCertDatabase::ImportCertFailureList failure_list; | 151 net::NSSCertDatabase::ImportCertFailureList failure_list; |
| 151 ASSERT_TRUE(test_cert_db_->ImportCACerts( | 152 ASSERT_TRUE(test_cert_db_->ImportCACerts( |
| 152 test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list)); | 153 test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list)); |
| 153 ASSERT_TRUE(failure_list.empty()); | 154 ASSERT_TRUE(failure_list.empty()); |
| 154 | 155 |
| 155 // Verify that it is now trusted. | 156 // Verify that it is now trusted. |
| 156 net::NSSCertDatabase::TrustBits trust = | 157 net::NSSCertDatabase::TrustBits trust = |
| 157 test_cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT); | 158 test_cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT); |
| 158 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust); | 159 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust); |
| 159 | 160 |
| 160 // Verify() successfully verifies |test_server_cert_| after it was imported. | 161 // Verify() successfully verifies |test_server_cert_| after it was imported. |
| 161 net::CertVerifyResult verify_result; | 162 net::CertVerifyResult verify_result; |
| 162 net::TestCompletionCallback callback; | 163 net::TestCompletionCallback callback; |
| 163 net::CertVerifier::RequestHandle request_handle = NULL; | 164 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 164 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 165 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 165 ASSERT_EQ(net::ERR_IO_PENDING, error); | 166 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 166 EXPECT_TRUE(request_handle); | 167 EXPECT_TRUE(request_handle); |
| 167 error = callback.WaitForResult(); | 168 error = callback.WaitForResult(); |
| 168 EXPECT_EQ(net::OK, error); | 169 EXPECT_EQ(net::OK, error); |
| 169 | 170 |
| 170 // The additional trust anchors were not used, since the certificate is | 171 // The additional trust anchors were not used, since the certificate is |
| 171 // trusted from the database. | 172 // trusted from the database. |
| 172 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 173 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
| 173 } | 174 } |
| 174 | 175 |
| 175 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) { | 176 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) { |
| 176 ASSERT_TRUE(SupportsAdditionalTrustAnchors()); | 177 ASSERT_TRUE(SupportsAdditionalTrustAnchors()); |
| 177 | 178 |
| 178 // |test_server_cert_| is untrusted, so Verify() fails. | 179 // |test_server_cert_| is untrusted, so Verify() fails. |
| 179 { | 180 { |
| 180 net::CertVerifyResult verify_result; | 181 net::CertVerifyResult verify_result; |
| 181 net::TestCompletionCallback callback; | 182 net::TestCompletionCallback callback; |
| 182 net::CertVerifier::RequestHandle request_handle = NULL; | 183 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 183 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 184 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 184 ASSERT_EQ(net::ERR_IO_PENDING, error); | 185 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 185 EXPECT_TRUE(request_handle); | 186 EXPECT_TRUE(request_handle); |
| 186 error = callback.WaitForResult(); | 187 error = callback.WaitForResult(); |
| 187 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 188 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 188 } | 189 } |
| 189 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 190 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
| 190 | 191 |
| 191 // Verify() again with the additional trust anchors. | 192 // Verify() again with the additional trust anchors. |
| 192 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); | 193 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); |
| 193 { | 194 { |
| 194 net::CertVerifyResult verify_result; | 195 net::CertVerifyResult verify_result; |
| 195 net::TestCompletionCallback callback; | 196 net::TestCompletionCallback callback; |
| 196 net::CertVerifier::RequestHandle request_handle = NULL; | 197 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 197 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 198 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 198 ASSERT_EQ(net::ERR_IO_PENDING, error); | 199 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 199 EXPECT_TRUE(request_handle); | 200 EXPECT_TRUE(request_handle); |
| 200 error = callback.WaitForResult(); | 201 error = callback.WaitForResult(); |
| 201 EXPECT_EQ(net::OK, error); | 202 EXPECT_EQ(net::OK, error); |
| 202 } | 203 } |
| 203 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); | 204 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); |
| 204 | 205 |
| 205 // Verify() again with the additional trust anchors will hit the cache. | 206 // Verify() again with the additional trust anchors will hit the cache. |
| 206 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); | 207 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); |
| 207 { | 208 { |
| 208 net::CertVerifyResult verify_result; | 209 net::CertVerifyResult verify_result; |
| 209 net::TestCompletionCallback callback; | 210 net::TestCompletionCallback callback; |
| 210 net::CertVerifier::RequestHandle request_handle = NULL; | 211 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 211 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 212 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 212 EXPECT_EQ(net::OK, error); | 213 EXPECT_EQ(net::OK, error); |
| 213 } | 214 } |
| 214 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); | 215 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); |
| 215 | 216 |
| 216 // Verifying after removing the trust anchors should now fail. | 217 // Verifying after removing the trust anchors should now fail. |
| 217 cert_verifier_->SetTrustAnchors(net::CertificateList()); | 218 cert_verifier_->SetTrustAnchors(net::CertificateList()); |
| 218 { | 219 { |
| 219 net::CertVerifyResult verify_result; | 220 net::CertVerifyResult verify_result; |
| 220 net::TestCompletionCallback callback; | 221 net::TestCompletionCallback callback; |
| 221 net::CertVerifier::RequestHandle request_handle = NULL; | 222 scoped_ptr<net::CertVerifier::Request> request_handle; |
| 222 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | 223 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); |
| 223 // Note: this hits the cached result from the first Verify() in this test. | 224 // Note: this hits the cached result from the first Verify() in this test. |
| 224 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 225 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 225 } | 226 } |
| 226 // The additional trust anchors were reset, thus |cert_verifier_| should not | 227 // The additional trust anchors were reset, thus |cert_verifier_| should not |
| 227 // signal it's usage anymore. | 228 // signal it's usage anymore. |
| 228 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 229 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
| 229 } | 230 } |
| 230 | 231 |
| 231 } // namespace policy | 232 } // namespace policy |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1115903002:
Refactor the API for CertVerifier::Verify() and the implementation of MultiThreadedCertVerifier::Ver (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master