OLD | NEW |
(Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/cert/nss_profile_filter_chromeos.h" |
| 6 |
| 7 #include <cert.h> |
| 8 #include <pk11pub.h> |
| 9 #include <secmod.h> |
| 10 |
| 11 #include "crypto/nss_util.h" |
| 12 #include "crypto/nss_util_internal.h" |
| 13 #include "crypto/scoped_nss_types.h" |
| 14 #include "net/base/test_data_directory.h" |
| 15 #include "net/test/cert_test_util.h" |
| 16 #include "testing/gtest/include/gtest/gtest.h" |
| 17 |
| 18 namespace net { |
| 19 |
| 20 namespace { |
| 21 |
| 22 crypto::ScopedPK11Slot GetRootCertsSlot() { |
| 23 crypto::AutoSECMODListReadLock auto_lock; |
| 24 SECMODModuleList* head = SECMOD_GetDefaultModuleList(); |
| 25 for (SECMODModuleList* item = head; item != NULL; item = item->next) { |
| 26 int slot_count = item->module->loaded ? item->module->slotCount : 0; |
| 27 for (int i = 0; i < slot_count; i++) { |
| 28 PK11SlotInfo* slot = item->module->slots[i]; |
| 29 if (!PK11_IsPresent(slot)) |
| 30 continue; |
| 31 if (PK11_HasRootCerts(slot)) |
| 32 return crypto::ScopedPK11Slot(PK11_ReferenceSlot(slot)); |
| 33 } |
| 34 } |
| 35 return crypto::ScopedPK11Slot(); |
| 36 } |
| 37 |
| 38 CertificateList ListCertsInSlot(PK11SlotInfo* slot) { |
| 39 CertificateList result; |
| 40 CERTCertList* cert_list = PK11_ListCertsInSlot(slot); |
| 41 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); |
| 42 !CERT_LIST_END(node, cert_list); |
| 43 node = CERT_LIST_NEXT(node)) { |
| 44 result.push_back(X509Certificate::CreateFromHandle( |
| 45 node->cert, X509Certificate::OSCertHandles())); |
| 46 } |
| 47 CERT_DestroyCertList(cert_list); |
| 48 |
| 49 // Sort the result so that test comparisons can be deterministic. |
| 50 std::sort(result.begin(), result.end(), X509Certificate::LessThan()); |
| 51 return result; |
| 52 } |
| 53 |
| 54 } |
| 55 |
| 56 class NSSProfileFilterChromeOSTest : public testing::Test { |
| 57 public: |
| 58 NSSProfileFilterChromeOSTest() : user_1_("user1"), user_2_("user2") {} |
| 59 |
| 60 virtual void SetUp() OVERRIDE { |
| 61 // Initialize nss_util slots. |
| 62 ASSERT_TRUE(user_1_.constructed_successfully()); |
| 63 ASSERT_TRUE(user_2_.constructed_successfully()); |
| 64 user_1_.FinishInit(); |
| 65 user_2_.FinishInit(); |
| 66 |
| 67 // TODO(mattm): more accurately test public/private slot filtering somehow. |
| 68 // (The slots used to initialize a profile filter should be separate slots |
| 69 // in separate modules, while ScopedTestNSSChromeOSUser uses the same slot |
| 70 // for both.) |
| 71 crypto::ScopedPK11Slot private_slot_1(crypto::GetPrivateSlotForChromeOSUser( |
| 72 user_1_.username_hash(), |
| 73 base::Callback<void(crypto::ScopedPK11Slot)>())); |
| 74 ASSERT_TRUE(private_slot_1.get()); |
| 75 profile_filter_1_.Init( |
| 76 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash()), |
| 77 private_slot_1.Pass()); |
| 78 |
| 79 crypto::ScopedPK11Slot private_slot_2(crypto::GetPrivateSlotForChromeOSUser( |
| 80 user_2_.username_hash(), |
| 81 base::Callback<void(crypto::ScopedPK11Slot)>())); |
| 82 ASSERT_TRUE(private_slot_2.get()); |
| 83 profile_filter_2_.Init( |
| 84 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash()), |
| 85 private_slot_2.Pass()); |
| 86 |
| 87 certs_ = CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 88 "root_ca_cert.pem", |
| 89 X509Certificate::FORMAT_AUTO); |
| 90 ASSERT_EQ(1U, certs_.size()); |
| 91 } |
| 92 |
| 93 protected: |
| 94 CertificateList certs_; |
| 95 crypto::ScopedTestNSSChromeOSUser user_1_; |
| 96 crypto::ScopedTestNSSChromeOSUser user_2_; |
| 97 NSSProfileFilterChromeOS no_slots_profile_filter_; |
| 98 NSSProfileFilterChromeOS profile_filter_1_; |
| 99 NSSProfileFilterChromeOS profile_filter_2_; |
| 100 }; |
| 101 |
| 102 TEST_F(NSSProfileFilterChromeOSTest, TempCertAllowed) { |
| 103 EXPECT_EQ(NULL, certs_[0]->os_cert_handle()->slot); |
| 104 EXPECT_TRUE(no_slots_profile_filter_.IsCertAllowed(certs_[0])); |
| 105 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(certs_[0])); |
| 106 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(certs_[0])); |
| 107 } |
| 108 |
| 109 TEST_F(NSSProfileFilterChromeOSTest, InternalSlotAllowed) { |
| 110 crypto::ScopedPK11Slot internal_slot(PK11_GetInternalSlot()); |
| 111 ASSERT_TRUE(internal_slot.get()); |
| 112 EXPECT_TRUE(no_slots_profile_filter_.IsModuleAllowed(internal_slot.get())); |
| 113 EXPECT_TRUE(profile_filter_1_.IsModuleAllowed(internal_slot.get())); |
| 114 EXPECT_TRUE(profile_filter_2_.IsModuleAllowed(internal_slot.get())); |
| 115 |
| 116 crypto::ScopedPK11Slot internal_key_slot(PK11_GetInternalKeySlot()); |
| 117 ASSERT_TRUE(internal_key_slot.get()); |
| 118 EXPECT_TRUE( |
| 119 no_slots_profile_filter_.IsModuleAllowed(internal_key_slot.get())); |
| 120 EXPECT_TRUE(profile_filter_1_.IsModuleAllowed(internal_key_slot.get())); |
| 121 EXPECT_TRUE(profile_filter_2_.IsModuleAllowed(internal_key_slot.get())); |
| 122 } |
| 123 |
| 124 TEST_F(NSSProfileFilterChromeOSTest, RootCertsAllowed) { |
| 125 crypto::ScopedPK11Slot root_certs_slot(GetRootCertsSlot()); |
| 126 ASSERT_TRUE(root_certs_slot.get()); |
| 127 EXPECT_TRUE(no_slots_profile_filter_.IsModuleAllowed(root_certs_slot.get())); |
| 128 EXPECT_TRUE(profile_filter_1_.IsModuleAllowed(root_certs_slot.get())); |
| 129 EXPECT_TRUE(profile_filter_2_.IsModuleAllowed(root_certs_slot.get())); |
| 130 |
| 131 CertificateList root_certs(ListCertsInSlot(root_certs_slot.get())); |
| 132 ASSERT_FALSE(root_certs.empty()); |
| 133 EXPECT_TRUE(no_slots_profile_filter_.IsCertAllowed(root_certs[0])); |
| 134 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(root_certs[0])); |
| 135 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(root_certs[0])); |
| 136 } |
| 137 |
| 138 TEST_F(NSSProfileFilterChromeOSTest, SoftwareSlots) { |
| 139 crypto::ScopedPK11Slot slot_1( |
| 140 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash())); |
| 141 ASSERT_TRUE(slot_1); |
| 142 crypto::ScopedPK11Slot slot_2( |
| 143 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash())); |
| 144 ASSERT_TRUE(slot_2); |
| 145 |
| 146 scoped_refptr<X509Certificate> cert_1 = certs_[0]; |
| 147 CertificateList certs_2 = CreateCertificateListFromFile( |
| 148 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); |
| 149 ASSERT_EQ(1U, certs_2.size()); |
| 150 scoped_refptr<X509Certificate> cert_2 = certs_2[0]; |
| 151 |
| 152 ASSERT_EQ(SECSuccess, |
| 153 PK11_ImportCert(slot_1.get(), |
| 154 cert_1->os_cert_handle(), |
| 155 CK_INVALID_HANDLE, |
| 156 "cert1", |
| 157 PR_FALSE /* includeTrust (unused) */)); |
| 158 |
| 159 ASSERT_EQ(SECSuccess, |
| 160 PK11_ImportCert(slot_2.get(), |
| 161 cert_2->os_cert_handle(), |
| 162 CK_INVALID_HANDLE, |
| 163 "cert2", |
| 164 PR_FALSE /* includeTrust (unused) */)); |
| 165 |
| 166 EXPECT_FALSE(no_slots_profile_filter_.IsCertAllowed(cert_1)); |
| 167 EXPECT_FALSE(no_slots_profile_filter_.IsCertAllowed(cert_2)); |
| 168 |
| 169 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(cert_1)); |
| 170 EXPECT_FALSE(profile_filter_1_.IsCertAllowed(cert_2)); |
| 171 |
| 172 EXPECT_FALSE(profile_filter_2_.IsCertAllowed(cert_1)); |
| 173 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(cert_2)); |
| 174 } |
| 175 |
| 176 } // namespace net |
OLD | NEW |