Chromium Code Reviews Chromium Code Reviews
Issue 13035003:
Added a PolicyCertVerifier that uses the trust anchors from the ONC policies. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chromeos/network/onc/onc_certificate_importer.h" | 5 #include "chromeos/network/onc/onc_certificate_importer.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <certdb.h> | 8 #include <certdb.h> |
| 9 #include <keyhi.h> | 9 #include <keyhi.h> |
| 10 #include <pk11pub.h> | 10 #include <pk11pub.h> |
| (...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 83 scoped_ptr<base::DictionaryValue> onc = | 83 scoped_ptr<base::DictionaryValue> onc = |
| 84 test_utils::ReadTestDictionary(filename); | 84 test_utils::ReadTestDictionary(filename); |
| 85 base::ListValue* certificates = NULL; | 85 base::ListValue* certificates = NULL; |
| 86 onc->GetListWithoutPathExpansion(toplevel_config::kCertificates, | 86 onc->GetListWithoutPathExpansion(toplevel_config::kCertificates, |
| 87 &certificates); | 87 &certificates); |
| 88 | 88 |
| 89 base::DictionaryValue* certificate = NULL; | 89 base::DictionaryValue* certificate = NULL; |
| 90 certificates->GetDictionary(0, &certificate); | 90 certificates->GetDictionary(0, &certificate); |
| 91 certificate->GetStringWithoutPathExpansion(certificate::kGUID, guid); | 91 certificate->GetStringWithoutPathExpansion(certificate::kGUID, guid); |
| 92 | 92 |
| 93 web_trust_certificates_.clear(); | |
| 93 CertificateImporter importer(true /* allow web trust */); | 94 CertificateImporter importer(true /* allow web trust */); |
| 94 EXPECT_EQ(CertificateImporter::IMPORT_OK, | 95 EXPECT_EQ(CertificateImporter::IMPORT_OK, |
| 95 importer.ParseAndStoreCertificates(*certificates)); | 96 importer.ParseAndStoreCertificates(*certificates, |
| 97 &web_trust_certificates_)); | |
| 96 | 98 |
| 97 net::CertificateList result_list; | 99 result_list_.clear(); |
| 98 CertificateImporter::ListCertsWithNickname(*guid, &result_list); | 100 CertificateImporter::ListCertsWithNickname(*guid, &result_list_); |
| 99 ASSERT_EQ(1ul, result_list.size()); | 101 ASSERT_EQ(1ul, result_list_.size()); |
| 100 EXPECT_EQ(expected_type, GetCertType(result_list[0]->os_cert_handle())); | 102 EXPECT_EQ(expected_type, GetCertType(result_list_[0]->os_cert_handle())); |
| 101 } | 103 } |
| 102 | 104 |
| 103 scoped_refptr<net::CryptoModule> slot_; | 105 scoped_refptr<net::CryptoModule> slot_; |
| 106 net::CertificateList result_list_; | |
| 107 net::CertificateList web_trust_certificates_; | |
| 104 | 108 |
| 105 private: | 109 private: |
| 106 net::CertificateList ListCertsInSlot(PK11SlotInfo* slot) { | 110 net::CertificateList ListCertsInSlot(PK11SlotInfo* slot) { |
| 107 net::CertificateList result; | 111 net::CertificateList result; |
| 108 CERTCertList* cert_list = PK11_ListCertsInSlot(slot); | 112 CERTCertList* cert_list = PK11_ListCertsInSlot(slot); |
| 109 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); | 113 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); |
| 110 !CERT_LIST_END(node, cert_list); | 114 !CERT_LIST_END(node, cert_list); |
| 111 node = CERT_LIST_NEXT(node)) { | 115 node = CERT_LIST_NEXT(node)) { |
| 112 result.push_back(net::X509Certificate::CreateFromHandle( | 116 result.push_back(net::X509Certificate::CreateFromHandle( |
| 113 node->cert, net::X509Certificate::OSCertHandles())); | 117 node->cert, net::X509Certificate::OSCertHandles())); |
| (...skipping 14 matching lines...) Expand all Loading... | |
| 128 } | 132 } |
| 129 return ok; | 133 return ok; |
| 130 } | 134 } |
| 131 | 135 |
| 132 crypto::ScopedTestNSSDB test_nssdb_; | 136 crypto::ScopedTestNSSDB test_nssdb_; |
| 133 }; | 137 }; |
| 134 | 138 |
| 135 TEST_F(ONCCertificateImporterTest, AddClientCertificate) { | 139 TEST_F(ONCCertificateImporterTest, AddClientCertificate) { |
| 136 std::string guid; | 140 std::string guid; |
| 137 AddCertificateFromFile("certificate-client.onc", net::USER_CERT, &guid); | 141 AddCertificateFromFile("certificate-client.onc", net::USER_CERT, &guid); |
| 142 EXPECT_TRUE(web_trust_certificates_.empty()); | |
| 138 | 143 |
| 139 SECKEYPrivateKeyList* privkey_list = | 144 SECKEYPrivateKeyList* privkey_list = |
| 140 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); | 145 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); |
| 141 EXPECT_TRUE(privkey_list); | 146 EXPECT_TRUE(privkey_list); |
| 142 if (privkey_list) { | 147 if (privkey_list) { |
| 143 SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(privkey_list); | 148 SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(privkey_list); |
| 144 int count = 0; | 149 int count = 0; |
| 145 while (!PRIVKEY_LIST_END(node, privkey_list)) { | 150 while (!PRIVKEY_LIST_END(node, privkey_list)) { |
| 146 char* name = PK11_GetPrivateKeyNickname(node->key); | 151 char* name = PK11_GetPrivateKeyNickname(node->key); |
| 147 EXPECT_STREQ(guid.c_str(), name); | 152 EXPECT_STREQ(guid.c_str(), name); |
| (...skipping 24 matching lines...) Expand all Loading... | |
| 172 std::string guid; | 177 std::string guid; |
| 173 AddCertificateFromFile("certificate-server.onc", net::SERVER_CERT, &guid); | 178 AddCertificateFromFile("certificate-server.onc", net::SERVER_CERT, &guid); |
| 174 | 179 |
| 175 SECKEYPrivateKeyList* privkey_list = | 180 SECKEYPrivateKeyList* privkey_list = |
| 176 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); | 181 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); |
| 177 EXPECT_FALSE(privkey_list); | 182 EXPECT_FALSE(privkey_list); |
| 178 | 183 |
| 179 SECKEYPublicKeyList* pubkey_list = | 184 SECKEYPublicKeyList* pubkey_list = |
| 180 PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL); | 185 PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL); |
| 181 EXPECT_FALSE(pubkey_list); | 186 EXPECT_FALSE(pubkey_list); |
| 187 | |
| 188 ASSERT_EQ(1u, web_trust_certificates_.size()); | |
| 189 ASSERT_EQ(1u, result_list_.size()); | |
|
pneubeck (no reviews)
2013/03/26 11:04:50
remove this here or in AddCertificateFromFile
Joao da Silva
2013/03/31 19:22:14
This must stay in both places, because the first e
| |
| 190 EXPECT_TRUE(CERT_CompareCerts(result_list_[0]->os_cert_handle(), | |
| 191 web_trust_certificates_[0]->os_cert_handle())); | |
| 182 } | 192 } |
| 183 | 193 |
| 184 TEST_F(ONCCertificateImporterTest, AddWebAuthorityCertificate) { | 194 TEST_F(ONCCertificateImporterTest, AddWebAuthorityCertificate) { |
| 185 std::string guid; | 195 std::string guid; |
| 186 AddCertificateFromFile("certificate-web-authority.onc", net::CA_CERT, &guid); | 196 AddCertificateFromFile("certificate-web-authority.onc", net::CA_CERT, &guid); |
| 187 | 197 |
| 188 SECKEYPrivateKeyList* privkey_list = | 198 SECKEYPrivateKeyList* privkey_list = |
| 189 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); | 199 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); |
| 190 EXPECT_FALSE(privkey_list); | 200 EXPECT_FALSE(privkey_list); |
| 191 | 201 |
| 192 SECKEYPublicKeyList* pubkey_list = | 202 SECKEYPublicKeyList* pubkey_list = |
| 193 PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL); | 203 PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL); |
| 194 EXPECT_FALSE(pubkey_list); | 204 EXPECT_FALSE(pubkey_list); |
| 205 | |
| 206 ASSERT_EQ(1u, web_trust_certificates_.size()); | |
| 207 ASSERT_EQ(1u, result_list_.size()); | |
|
pneubeck (no reviews)
2013/03/26 11:04:50
ditto
Joao da Silva
2013/03/31 19:22:14
See above
| |
| 208 EXPECT_TRUE(CERT_CompareCerts(result_list_[0]->os_cert_handle(), | |
| 209 web_trust_certificates_[0]->os_cert_handle())); | |
| 210 } | |
| 211 | |
| 212 TEST_F(ONCCertificateImporterTest, AddAuthorityCertificateWithoutWebTrust) { | |
| 213 std::string guid; | |
| 214 AddCertificateFromFile("certificate-authority.onc", net::CA_CERT, &guid); | |
| 215 EXPECT_TRUE(web_trust_certificates_.empty()); | |
| 216 | |
| 217 SECKEYPrivateKeyList* privkey_list = | |
| 218 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); | |
| 219 EXPECT_FALSE(privkey_list); | |
| 220 | |
| 221 SECKEYPublicKeyList* pubkey_list = | |
| 222 PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL); | |
| 223 EXPECT_FALSE(pubkey_list); | |
| 195 } | 224 } |
| 196 | 225 |
| 197 class ONCCertificateImporterTestWithParam : | 226 class ONCCertificateImporterTestWithParam : |
| 198 public ONCCertificateImporterTest, | 227 public ONCCertificateImporterTest, |
| 199 public testing::WithParamInterface< | 228 public testing::WithParamInterface< |
| 200 std::pair<net::CertType, std::pair<const char*, const char*> > > { | 229 std::pair<net::CertType, std::pair<const char*, const char*> > > { |
| 201 protected: | 230 protected: |
| 202 net::CertType GetCertTypeParam() { | 231 net::CertType GetCertTypeParam() { |
| 203 return GetParam().first; | 232 return GetParam().first; |
| 204 } | 233 } |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 252 std::make_pair(net::SERVER_CERT, | 281 std::make_pair(net::SERVER_CERT, |
| 253 std::make_pair("certificate-server.onc", | 282 std::make_pair("certificate-server.onc", |
| 254 "certificate-server-update.onc")), | 283 "certificate-server-update.onc")), |
| 255 std::make_pair( | 284 std::make_pair( |
| 256 net::CA_CERT, | 285 net::CA_CERT, |
| 257 std::make_pair("certificate-web-authority.onc", | 286 std::make_pair("certificate-web-authority.onc", |
| 258 "certificate-web-authority-update.onc")))); | 287 "certificate-web-authority-update.onc")))); |
| 259 | 288 |
| 260 } // namespace onc | 289 } // namespace onc |
| 261 } // namespace chromeos | 290 } // namespace chromeos |
| OLD | NEW |
