Chromium Code Reviews Chromium Code Reviews
Issue 123633002:
ChromeOS: Fix crash if login profile triggers client auth. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| (Empty) | |
| 1 #include "net/cert/nss_profile_filter_chromeos.h" | |
| 2 | |
| 3 #include <cert.h> | |
| 4 #include <pk11pub.h> | |
| 5 #include <secmod.h> | |
| 6 | |
| 7 #include "crypto/nss_util.h" | |
| 8 #include "crypto/nss_util_internal.h" | |
| 9 #include "crypto/scoped_nss_types.h" | |
| 10 #include "net/base/test_data_directory.h" | |
| 11 #include "net/test/cert_test_util.h" | |
| 12 #include "testing/gtest/include/gtest/gtest.h" | |
| 13 | |
| 14 namespace net { | |
| 15 | |
| 16 namespace { | |
| 17 | |
| 18 crypto::ScopedPK11Slot GetRootCertsSlot() { | |
| 19 crypto::AutoSECMODListReadLock auto_lock; | |
| 20 SECMODModuleList* head = SECMOD_GetDefaultModuleList(); | |
| 21 for (SECMODModuleList* item = head; item != NULL; item = item->next) { | |
| 22 int slot_count = item->module->loaded ? item->module->slotCount : 0; | |
|
Ryan Sleevi
2014/01/11 03:36:14
when would ->loaded be 0?
I just compare with htt
mattm
2014/01/14 02:29:06
I was just copying that from somewhere.. Ex:
https
| |
| 23 for (int i = 0; i < slot_count; i++) { | |
| 24 PK11SlotInfo* slot = item->module->slots[i]; | |
| 25 if (PK11_HasRootCerts(slot)) | |
|
Ryan Sleevi
2014/01/11 03:36:14
Note, > 1 slot can have root certs, fwiw.
mattm
2014/01/14 02:29:06
Should be okay for the test's purposes, though, ri
| |
| 26 return crypto::ScopedPK11Slot(PK11_ReferenceSlot(slot)); | |
| 27 } | |
| 28 } | |
| 29 return crypto::ScopedPK11Slot(); | |
| 30 } | |
| 31 | |
| 32 CertificateList ListCertsInSlot(PK11SlotInfo* slot) { | |
| 33 CertificateList result; | |
| 34 CERTCertList* cert_list = PK11_ListCertsInSlot(slot); | |
| 35 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); | |
| 36 !CERT_LIST_END(node, cert_list); | |
| 37 node = CERT_LIST_NEXT(node)) { | |
| 38 result.push_back(X509Certificate::CreateFromHandle( | |
| 39 node->cert, X509Certificate::OSCertHandles())); | |
| 40 } | |
| 41 CERT_DestroyCertList(cert_list); | |
| 42 | |
| 43 // Sort the result so that test comparisons can be deterministic. | |
| 44 std::sort(result.begin(), result.end(), X509Certificate::LessThan()); | |
| 45 return result; | |
| 46 } | |
| 47 | |
| 48 } | |
| 49 | |
| 50 class NSSProfileFilterChromeOSTest : public testing::Test { | |
| 51 public: | |
| 52 NSSProfileFilterChromeOSTest() : user_1_("user1"), user_2_("user2") {} | |
| 53 | |
| 54 virtual void SetUp() OVERRIDE { | |
| 55 // Initialize nss_util slots. | |
| 56 ASSERT_TRUE(user_1_.constructed_successfully()); | |
| 57 ASSERT_TRUE(user_2_.constructed_successfully()); | |
| 58 user_1_.FinishInit(); | |
| 59 user_2_.FinishInit(); | |
| 60 | |
| 61 // TODO(mattm): more accurately test public/private slot filtering somehow. | |
| 62 // (The slots used to initialize a profile filter should be separate slots | |
| 63 // in separate modules, while ScopedTestNSSChromeOSUser uses the same slot | |
| 64 // for both.) | |
| 65 crypto::ScopedPK11Slot private_slot_1(crypto::GetPrivateSlotForChromeOSUser( | |
| 66 user_1_.username_hash(), | |
| 67 base::Callback<void(crypto::ScopedPK11Slot)>())); | |
| 68 ASSERT_TRUE(private_slot_1.get()); | |
| 69 profile_filter_1_.Init( | |
| 70 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash()), | |
| 71 private_slot_1.Pass()); | |
| 72 | |
| 73 crypto::ScopedPK11Slot private_slot_2(crypto::GetPrivateSlotForChromeOSUser( | |
| 74 user_2_.username_hash(), | |
| 75 base::Callback<void(crypto::ScopedPK11Slot)>())); | |
| 76 ASSERT_TRUE(private_slot_2.get()); | |
| 77 profile_filter_2_.Init( | |
| 78 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash()), | |
| 79 private_slot_2.Pass()); | |
| 80 | |
| 81 certs_ = CreateCertificateListFromFile(GetTestCertsDirectory(), | |
| 82 "root_ca_cert.pem", | |
| 83 X509Certificate::FORMAT_AUTO); | |
| 84 ASSERT_EQ(1U, certs_.size()); | |
| 85 } | |
| 86 | |
| 87 protected: | |
| 88 CertificateList certs_; | |
| 89 crypto::ScopedTestNSSChromeOSUser user_1_; | |
| 90 crypto::ScopedTestNSSChromeOSUser user_2_; | |
| 91 NSSProfileFilterChromeOS no_slots_profile_filter_; | |
| 92 NSSProfileFilterChromeOS profile_filter_1_; | |
| 93 NSSProfileFilterChromeOS profile_filter_2_; | |
| 94 }; | |
| 95 | |
| 96 TEST_F(NSSProfileFilterChromeOSTest, TempCertAllowed) { | |
| 97 EXPECT_EQ(NULL, certs_[0]->os_cert_handle()->slot); | |
| 98 EXPECT_TRUE(no_slots_profile_filter_.IsCertAllowed(certs_[0])); | |
| 99 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(certs_[0])); | |
| 100 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(certs_[0])); | |
| 101 } | |
| 102 | |
| 103 TEST_F(NSSProfileFilterChromeOSTest, InternalSlotAllowed) { | |
| 104 crypto::ScopedPK11Slot internal_slot(PK11_GetInternalSlot()); | |
| 105 ASSERT_TRUE(internal_slot.get()); | |
| 106 EXPECT_TRUE(no_slots_profile_filter_.IsModuleAllowed(internal_slot.get())); | |
| 107 EXPECT_TRUE(profile_filter_1_.IsModuleAllowed(internal_slot.get())); | |
| 108 EXPECT_TRUE(profile_filter_2_.IsModuleAllowed(internal_slot.get())); | |
| 109 | |
| 110 crypto::ScopedPK11Slot internal_key_slot(PK11_GetInternalKeySlot()); | |
| 111 ASSERT_TRUE(internal_key_slot.get()); | |
| 112 EXPECT_TRUE( | |
| 113 no_slots_profile_filter_.IsModuleAllowed(internal_key_slot.get())); | |
| 114 EXPECT_TRUE(profile_filter_1_.IsModuleAllowed(internal_key_slot.get())); | |
| 115 EXPECT_TRUE(profile_filter_2_.IsModuleAllowed(internal_key_slot.get())); | |
| 116 } | |
| 117 | |
| 118 TEST_F(NSSProfileFilterChromeOSTest, RootCertsAllowed) { | |
| 119 crypto::ScopedPK11Slot root_certs_slot(GetRootCertsSlot()); | |
| 120 ASSERT_TRUE(root_certs_slot.get()); | |
| 121 EXPECT_TRUE(no_slots_profile_filter_.IsModuleAllowed(root_certs_slot.get())); | |
| 122 EXPECT_TRUE(profile_filter_1_.IsModuleAllowed(root_certs_slot.get())); | |
| 123 EXPECT_TRUE(profile_filter_2_.IsModuleAllowed(root_certs_slot.get())); | |
| 124 | |
| 125 CertificateList root_certs(ListCertsInSlot(root_certs_slot.get())); | |
| 126 ASSERT_FALSE(root_certs.empty()); | |
| 127 EXPECT_TRUE(no_slots_profile_filter_.IsCertAllowed(root_certs[0])); | |
| 128 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(root_certs[0])); | |
| 129 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(root_certs[0])); | |
| 130 } | |
| 131 | |
| 132 TEST_F(NSSProfileFilterChromeOSTest, SoftwareSlots) { | |
| 133 crypto::ScopedPK11Slot slot_1( | |
| 134 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash())); | |
| 135 ASSERT_TRUE(slot_1); | |
| 136 crypto::ScopedPK11Slot slot_2( | |
| 137 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash())); | |
| 138 ASSERT_TRUE(slot_2); | |
| 139 | |
| 140 scoped_refptr<X509Certificate> cert_1 = certs_[0]; | |
| 141 CertificateList certs_2 = CreateCertificateListFromFile( | |
| 142 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); | |
| 143 ASSERT_EQ(1U, certs_2.size()); | |
| 144 scoped_refptr<X509Certificate> cert_2 = certs_2[0]; | |
| 145 | |
| 146 ASSERT_EQ(SECSuccess, | |
| 147 PK11_ImportCert(slot_1.get(), | |
| 148 cert_1->os_cert_handle(), | |
| 149 CK_INVALID_HANDLE, | |
| 150 "cert1", | |
| 151 PR_FALSE /* includeTrust (unused) */)); | |
| 152 | |
| 153 ASSERT_EQ(SECSuccess, | |
| 154 PK11_ImportCert(slot_2.get(), | |
| 155 cert_2->os_cert_handle(), | |
| 156 CK_INVALID_HANDLE, | |
| 157 "cert2", | |
| 158 PR_FALSE /* includeTrust (unused) */)); | |
| 159 | |
| 160 EXPECT_FALSE(no_slots_profile_filter_.IsCertAllowed(cert_1)); | |
| 161 EXPECT_FALSE(no_slots_profile_filter_.IsCertAllowed(cert_2)); | |
| 162 | |
| 163 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(cert_1)); | |
| 164 EXPECT_FALSE(profile_filter_1_.IsCertAllowed(cert_2)); | |
| 165 | |
| 166 EXPECT_FALSE(profile_filter_2_.IsCertAllowed(cert_1)); | |
| 167 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(cert_2)); | |
| 168 } | |
| 169 | |
| 170 } // namespace net | |
| OLD | NEW |
