OLD | NEW |
---|---|
(Empty) | |
1 #include "net/cert/nss_profile_filter_chromeos.h" | |
2 | |
3 #include <cert.h> | |
4 #include <pk11pub.h> | |
5 #include <secmod.h> | |
6 | |
7 #include "crypto/nss_util.h" | |
8 #include "crypto/nss_util_internal.h" | |
9 #include "crypto/scoped_nss_types.h" | |
10 #include "net/base/test_data_directory.h" | |
11 #include "net/test/cert_test_util.h" | |
12 #include "testing/gtest/include/gtest/gtest.h" | |
13 | |
14 namespace net { | |
15 | |
16 namespace { | |
17 | |
18 crypto::ScopedPK11Slot GetRootCertsSlot() { | |
19 crypto::AutoSECMODListReadLock auto_lock; | |
20 SECMODModuleList* head = SECMOD_GetDefaultModuleList(); | |
21 for (SECMODModuleList* item = head; item != NULL; item = item->next) { | |
22 int slot_count = item->module->loaded ? item->module->slotCount : 0; | |
Ryan Sleevi
2014/01/11 03:36:14
when would ->loaded be 0?
I just compare with htt
mattm
2014/01/14 02:29:06
I was just copying that from somewhere.. Ex:
https
| |
23 for (int i = 0; i < slot_count; i++) { | |
24 PK11SlotInfo* slot = item->module->slots[i]; | |
25 if (PK11_HasRootCerts(slot)) | |
Ryan Sleevi
2014/01/11 03:36:14
Note, > 1 slot can have root certs, fwiw.
mattm
2014/01/14 02:29:06
Should be okay for the test's purposes, though, ri
| |
26 return crypto::ScopedPK11Slot(PK11_ReferenceSlot(slot)); | |
27 } | |
28 } | |
29 return crypto::ScopedPK11Slot(); | |
30 } | |
31 | |
32 CertificateList ListCertsInSlot(PK11SlotInfo* slot) { | |
33 CertificateList result; | |
34 CERTCertList* cert_list = PK11_ListCertsInSlot(slot); | |
35 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); | |
36 !CERT_LIST_END(node, cert_list); | |
37 node = CERT_LIST_NEXT(node)) { | |
38 result.push_back(X509Certificate::CreateFromHandle( | |
39 node->cert, X509Certificate::OSCertHandles())); | |
40 } | |
41 CERT_DestroyCertList(cert_list); | |
42 | |
43 // Sort the result so that test comparisons can be deterministic. | |
44 std::sort(result.begin(), result.end(), X509Certificate::LessThan()); | |
45 return result; | |
46 } | |
47 | |
48 } | |
49 | |
50 class NSSProfileFilterChromeOSTest : public testing::Test { | |
51 public: | |
52 NSSProfileFilterChromeOSTest() : user_1_("user1"), user_2_("user2") {} | |
53 | |
54 virtual void SetUp() OVERRIDE { | |
55 // Initialize nss_util slots. | |
56 ASSERT_TRUE(user_1_.constructed_successfully()); | |
57 ASSERT_TRUE(user_2_.constructed_successfully()); | |
58 user_1_.FinishInit(); | |
59 user_2_.FinishInit(); | |
60 | |
61 // TODO(mattm): more accurately test public/private slot filtering somehow. | |
62 // (The slots used to initialize a profile filter should be separate slots | |
63 // in separate modules, while ScopedTestNSSChromeOSUser uses the same slot | |
64 // for both.) | |
65 crypto::ScopedPK11Slot private_slot_1(crypto::GetPrivateSlotForChromeOSUser( | |
66 user_1_.username_hash(), | |
67 base::Callback<void(crypto::ScopedPK11Slot)>())); | |
68 ASSERT_TRUE(private_slot_1.get()); | |
69 profile_filter_1_.Init( | |
70 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash()), | |
71 private_slot_1.Pass()); | |
72 | |
73 crypto::ScopedPK11Slot private_slot_2(crypto::GetPrivateSlotForChromeOSUser( | |
74 user_2_.username_hash(), | |
75 base::Callback<void(crypto::ScopedPK11Slot)>())); | |
76 ASSERT_TRUE(private_slot_2.get()); | |
77 profile_filter_2_.Init( | |
78 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash()), | |
79 private_slot_2.Pass()); | |
80 | |
81 certs_ = CreateCertificateListFromFile(GetTestCertsDirectory(), | |
82 "root_ca_cert.pem", | |
83 X509Certificate::FORMAT_AUTO); | |
84 ASSERT_EQ(1U, certs_.size()); | |
85 } | |
86 | |
87 protected: | |
88 CertificateList certs_; | |
89 crypto::ScopedTestNSSChromeOSUser user_1_; | |
90 crypto::ScopedTestNSSChromeOSUser user_2_; | |
91 NSSProfileFilterChromeOS no_slots_profile_filter_; | |
92 NSSProfileFilterChromeOS profile_filter_1_; | |
93 NSSProfileFilterChromeOS profile_filter_2_; | |
94 }; | |
95 | |
96 TEST_F(NSSProfileFilterChromeOSTest, TempCertAllowed) { | |
97 EXPECT_EQ(NULL, certs_[0]->os_cert_handle()->slot); | |
98 EXPECT_TRUE(no_slots_profile_filter_.IsCertAllowed(certs_[0])); | |
99 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(certs_[0])); | |
100 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(certs_[0])); | |
101 } | |
102 | |
103 TEST_F(NSSProfileFilterChromeOSTest, InternalSlotAllowed) { | |
104 crypto::ScopedPK11Slot internal_slot(PK11_GetInternalSlot()); | |
105 ASSERT_TRUE(internal_slot.get()); | |
106 EXPECT_TRUE(no_slots_profile_filter_.IsModuleAllowed(internal_slot.get())); | |
107 EXPECT_TRUE(profile_filter_1_.IsModuleAllowed(internal_slot.get())); | |
108 EXPECT_TRUE(profile_filter_2_.IsModuleAllowed(internal_slot.get())); | |
109 | |
110 crypto::ScopedPK11Slot internal_key_slot(PK11_GetInternalKeySlot()); | |
111 ASSERT_TRUE(internal_key_slot.get()); | |
112 EXPECT_TRUE( | |
113 no_slots_profile_filter_.IsModuleAllowed(internal_key_slot.get())); | |
114 EXPECT_TRUE(profile_filter_1_.IsModuleAllowed(internal_key_slot.get())); | |
115 EXPECT_TRUE(profile_filter_2_.IsModuleAllowed(internal_key_slot.get())); | |
116 } | |
117 | |
118 TEST_F(NSSProfileFilterChromeOSTest, RootCertsAllowed) { | |
119 crypto::ScopedPK11Slot root_certs_slot(GetRootCertsSlot()); | |
120 ASSERT_TRUE(root_certs_slot.get()); | |
121 EXPECT_TRUE(no_slots_profile_filter_.IsModuleAllowed(root_certs_slot.get())); | |
122 EXPECT_TRUE(profile_filter_1_.IsModuleAllowed(root_certs_slot.get())); | |
123 EXPECT_TRUE(profile_filter_2_.IsModuleAllowed(root_certs_slot.get())); | |
124 | |
125 CertificateList root_certs(ListCertsInSlot(root_certs_slot.get())); | |
126 ASSERT_FALSE(root_certs.empty()); | |
127 EXPECT_TRUE(no_slots_profile_filter_.IsCertAllowed(root_certs[0])); | |
128 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(root_certs[0])); | |
129 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(root_certs[0])); | |
130 } | |
131 | |
132 TEST_F(NSSProfileFilterChromeOSTest, SoftwareSlots) { | |
133 crypto::ScopedPK11Slot slot_1( | |
134 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash())); | |
135 ASSERT_TRUE(slot_1); | |
136 crypto::ScopedPK11Slot slot_2( | |
137 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash())); | |
138 ASSERT_TRUE(slot_2); | |
139 | |
140 scoped_refptr<X509Certificate> cert_1 = certs_[0]; | |
141 CertificateList certs_2 = CreateCertificateListFromFile( | |
142 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); | |
143 ASSERT_EQ(1U, certs_2.size()); | |
144 scoped_refptr<X509Certificate> cert_2 = certs_2[0]; | |
145 | |
146 ASSERT_EQ(SECSuccess, | |
147 PK11_ImportCert(slot_1.get(), | |
148 cert_1->os_cert_handle(), | |
149 CK_INVALID_HANDLE, | |
150 "cert1", | |
151 PR_FALSE /* includeTrust (unused) */)); | |
152 | |
153 ASSERT_EQ(SECSuccess, | |
154 PK11_ImportCert(slot_2.get(), | |
155 cert_2->os_cert_handle(), | |
156 CK_INVALID_HANDLE, | |
157 "cert2", | |
158 PR_FALSE /* includeTrust (unused) */)); | |
159 | |
160 EXPECT_FALSE(no_slots_profile_filter_.IsCertAllowed(cert_1)); | |
161 EXPECT_FALSE(no_slots_profile_filter_.IsCertAllowed(cert_2)); | |
162 | |
163 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(cert_1)); | |
164 EXPECT_FALSE(profile_filter_1_.IsCertAllowed(cert_2)); | |
165 | |
166 EXPECT_FALSE(profile_filter_2_.IsCertAllowed(cert_1)); | |
167 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(cert_2)); | |
168 } | |
169 | |
170 } // namespace net | |
OLD | NEW |