Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(161)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: chromeos/network/client_cert_resolver_unittest.cc

Issue 135193007: Use user specific NSSDatabase in CertLoader. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: return of slow task runner Created 6 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« chromeos/cert_loader_unittest.cc ('K') | « chromeos/network/client_cert_resolver.cc ('k') | chromeos/network/client_cert_util.h » ('j') | chromeos/network/network_cert_migrator_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 #include "chromeos/network/client_cert_resolver.h" 4 #include "chromeos/network/client_cert_resolver.h"
5 5
6 #include <cert.h> 6 #include <cert.h>
7 #include <pk11pub.h> 7 #include <pk11pub.h>
8 8
9 #include "base/file_util.h" 9 #include "base/file_util.h"
10 #include "base/files/file_path.h" 10 #include "base/files/file_path.h"
11 #include "base/json/json_reader.h" 11 #include "base/json/json_reader.h"
12 #include "base/run_loop.h" 12 #include "base/run_loop.h"
13 #include "base/strings/stringprintf.h" 13 #include "base/strings/stringprintf.h"
14 #include "base/values.h" 14 #include "base/values.h"
15 #include "chromeos/cert_loader.h" 15 #include "chromeos/cert_loader.h"
16 #include "chromeos/dbus/dbus_thread_manager.h" 16 #include "chromeos/dbus/dbus_thread_manager.h"
17 #include "chromeos/dbus/shill_profile_client.h" 17 #include "chromeos/dbus/shill_profile_client.h"
18 #include "chromeos/dbus/shill_service_client.h" 18 #include "chromeos/dbus/shill_service_client.h"
19 #include "chromeos/login/login_state.h" 19 #include "chromeos/login/login_state.h"
pneubeck (no reviews) 2014/01/24 13:18:02 unused?
tbarzic 2014/01/25 00:26:27 Done.
20 #include "chromeos/network/managed_network_configuration_handler_impl.h" 20 #include "chromeos/network/managed_network_configuration_handler_impl.h"
21 #include "chromeos/network/network_configuration_handler.h" 21 #include "chromeos/network/network_configuration_handler.h"
22 #include "chromeos/network/network_profile_handler.h" 22 #include "chromeos/network/network_profile_handler.h"
23 #include "chromeos/network/network_state_handler.h" 23 #include "chromeos/network/network_state_handler.h"
24 #include "chromeos/tpm_token_loader.h" 24 #include "chromeos/tpm_token_loader.h"
25 #include "crypto/nss_util.h" 25 #include "crypto/nss_util.h"
26 #include "crypto/nss_util_internal.h"
26 #include "net/base/crypto_module.h" 27 #include "net/base/crypto_module.h"
27 #include "net/base/net_errors.h" 28 #include "net/base/net_errors.h"
28 #include "net/base/test_data_directory.h" 29 #include "net/base/test_data_directory.h"
29 #include "net/cert/nss_cert_database.h" 30 #include "net/cert/nss_cert_database_chromeos.h"
30 #include "net/cert/x509_certificate.h" 31 #include "net/cert/x509_certificate.h"
31 #include "net/test/cert_test_util.h" 32 #include "net/test/cert_test_util.h"
32 #include "testing/gtest/include/gtest/gtest.h" 33 #include "testing/gtest/include/gtest/gtest.h"
33 #include "third_party/cros_system_api/dbus/service_constants.h" 34 #include "third_party/cros_system_api/dbus/service_constants.h"
34 35
35 namespace chromeos { 36 namespace chromeos {
36 37
37 namespace { 38 namespace {
38 39
39 const char* kWifiStub = "wifi_stub"; 40 const char* kWifiStub = "wifi_stub";
40 const char* kWifiSSID = "wifi_ssid"; 41 const char* kWifiSSID = "wifi_ssid";
41 const char* kUserProfilePath = "user_profile"; 42 const char* kUserProfilePath = "user_profile";
42 const char* kUserHash = "user_hash"; 43 const char* kUserHash = "user_hash";
43 44
44 } // namespace 45 } // namespace
45 46
46 class ClientCertResolverTest : public testing::Test { 47 class ClientCertResolverTest : public testing::Test {
47 public: 48 public:
48 ClientCertResolverTest() {} 49 ClientCertResolverTest() : service_test_(NULL),
50 profile_test_(NULL),
51 user_(kUserHash) {
52 }
49 virtual ~ClientCertResolverTest() {} 53 virtual ~ClientCertResolverTest() {}
50 54
51 virtual void SetUp() OVERRIDE { 55 virtual void SetUp() OVERRIDE {
52 ASSERT_TRUE(test_nssdb_.is_open()); 56 // Initialize NSS db for the user.
53 slot_ = net::NSSCertDatabase::GetInstance()->GetPublicModule(); 57 ASSERT_TRUE(user_.constructed_successfully());
54 ASSERT_TRUE(slot_->os_module_handle()); 58 user_.FinishInit();
55 59 slot_ = crypto::GetPrivateSlotForChromeOSUser(
pneubeck (no reviews) 2014/01/24 13:18:02 nit: maybe rename slot_ to private_slot_
tbarzic 2014/01/25 00:26:27 Done.
56 LoginState::Initialize(); 60 user_.username_hash(),
61 base::Callback<void(crypto::ScopedPK11Slot)>());
62 ASSERT_TRUE(slot_.get());
63 test_nssdb_.reset(new net::NSSCertDatabaseChromeOS(
64 crypto::GetPublicSlotForChromeOSUser(user_.username_hash()),
65 crypto::GetPrivateSlotForChromeOSUser(
66 user_.username_hash(),
67 base::Callback<void(crypto::ScopedPK11Slot)>())));
57 68
58 DBusThreadManager::InitializeWithStub(); 69 DBusThreadManager::InitializeWithStub();
59 service_test_ = 70 service_test_ =
60 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface(); 71 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface();
61 profile_test_ = 72 profile_test_ =
62 DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface(); 73 DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface();
63 message_loop_.RunUntilIdle(); 74 base::RunLoop().RunUntilIdle();
64 service_test_->ClearServices(); 75 service_test_->ClearServices();
65 message_loop_.RunUntilIdle(); 76 base::RunLoop().RunUntilIdle();
66 77
67 TPMTokenLoader::Initialize(); 78 TPMTokenLoader::InitializeForTest();
68 TPMTokenLoader* tpm_token_loader = TPMTokenLoader::Get();
69 tpm_token_loader->InitializeTPMForTest();
70 tpm_token_loader->SetCryptoTaskRunner(message_loop_.message_loop_proxy());
71 79
72 CertLoader::Initialize(); 80 CertLoader::Initialize();
73 CertLoader::Get()->SetSlowTaskRunnerForTest( 81 CertLoader* cert_loader_ = CertLoader::Get();
74 message_loop_.message_loop_proxy()); 82 cert_loader_->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
83 cert_loader_->set_hardware_backed_for_test();
84 cert_loader_->StartWithNSSDB(test_nssdb_.get());
75 } 85 }
76 86
77 virtual void TearDown() OVERRIDE { 87 virtual void TearDown() OVERRIDE {
78 client_cert_resolver_.reset(); 88 client_cert_resolver_.reset();
79 managed_config_handler_.reset(); 89 managed_config_handler_.reset();
80 network_config_handler_.reset(); 90 network_config_handler_.reset();
81 network_profile_handler_.reset(); 91 network_profile_handler_.reset();
82 network_state_handler_.reset(); 92 network_state_handler_.reset();
83 CertLoader::Shutdown(); 93 CertLoader::Shutdown();
84 TPMTokenLoader::Shutdown(); 94 TPMTokenLoader::Shutdown();
85 DBusThreadManager::Shutdown(); 95 DBusThreadManager::Shutdown();
86 LoginState::Shutdown();
87 CleanupSlotContents(); 96 CleanupSlotContents();
88 } 97 }
89 98
90 protected: 99 protected:
91 // Imports a CA cert (stored as PEM in test_ca_cert_pem_) and a client 100 // Imports a CA cert (stored as PEM in test_ca_cert_pem_) and a client
92 // certificate signed by that CA. Its PKCS#11 ID is stored in 101 // certificate signed by that CA. Its PKCS#11 ID is stored in
93 // |test_pkcs11_id_|. 102 // |test_pkcs11_id_|.
94 void SetupTestCerts() { 103 void SetupTestCerts() {
95 // Import a CA cert. 104 // Import a CA cert.
96 net::NSSCertDatabase* cert_db = net::NSSCertDatabase::GetInstance();
97 net::CertificateList ca_cert_list = 105 net::CertificateList ca_cert_list =
98 net::CreateCertificateListFromFile(net::GetTestCertsDirectory(), 106 net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
99 "websocket_cacert.pem", 107 "websocket_cacert.pem",
100 net::X509Certificate::FORMAT_AUTO); 108 net::X509Certificate::FORMAT_AUTO);
101 ASSERT_TRUE(!ca_cert_list.empty()); 109 ASSERT_TRUE(!ca_cert_list.empty());
102 net::NSSCertDatabase::ImportCertFailureList failures; 110 net::NSSCertDatabase::ImportCertFailureList failures;
103 EXPECT_TRUE(cert_db->ImportCACerts( 111 EXPECT_TRUE(test_nssdb_->ImportCACerts(
104 ca_cert_list, net::NSSCertDatabase::TRUST_DEFAULT, &failures)); 112 ca_cert_list, net::NSSCertDatabase::TRUST_DEFAULT, &failures));
105 ASSERT_TRUE(failures.empty()) << net::ErrorToString(failures[0].net_error); 113 ASSERT_TRUE(failures.empty()) << net::ErrorToString(failures[0].net_error);
106 114
107 net::X509Certificate::GetPEMEncoded(ca_cert_list[0]->os_cert_handle(), 115 net::X509Certificate::GetPEMEncoded(ca_cert_list[0]->os_cert_handle(),
108 &test_ca_cert_pem_); 116 &test_ca_cert_pem_);
109 ASSERT_TRUE(!test_ca_cert_pem_.empty()); 117 ASSERT_TRUE(!test_ca_cert_pem_.empty());
110 118
111 // Import a client cert signed by that CA. 119 // Import a client cert signed by that CA.
112 scoped_refptr<net::CryptoModule> crypt_module = cert_db->GetPrivateModule();
113 std::string pkcs12_data; 120 std::string pkcs12_data;
114 ASSERT_TRUE(base::ReadFileToString( 121 ASSERT_TRUE(base::ReadFileToString(
115 net::GetTestCertsDirectory().Append("websocket_client_cert.p12"), 122 net::GetTestCertsDirectory().Append("websocket_client_cert.p12"),
116 &pkcs12_data)); 123 &pkcs12_data));
117 124
118 net::CertificateList client_cert_list; 125 net::CertificateList client_cert_list;
119 ASSERT_EQ(net::OK, 126 scoped_refptr<net::CryptoModule> module(
120 cert_db->ImportFromPKCS12(crypt_module.get(), 127 net::CryptoModule::CreateFromHandle(slot_.get()));
121 pkcs12_data, 128 ASSERT_EQ(
122 base::string16(), 129 net::OK,
123 false, 130 test_nssdb_->ImportFromPKCS12(
124 &client_cert_list)); 131 module, pkcs12_data, base::string16(), false, &client_cert_list));
125 ASSERT_TRUE(!client_cert_list.empty()); 132 ASSERT_TRUE(!client_cert_list.empty());
126 test_pkcs11_id_ = CertLoader::GetPkcs11IdForCert(*client_cert_list[0]); 133 test_pkcs11_id_ = CertLoader::GetPkcs11IdForCert(*client_cert_list[0]);
127 ASSERT_TRUE(!test_pkcs11_id_.empty()); 134 ASSERT_TRUE(!test_pkcs11_id_.empty());
128 } 135 }
129 136
130 void SetupNetworkHandlers() { 137 void SetupNetworkHandlers() {
131 network_state_handler_.reset(NetworkStateHandler::InitializeForTest()); 138 network_state_handler_.reset(NetworkStateHandler::InitializeForTest());
132 network_profile_handler_.reset(new NetworkProfileHandler()); 139 network_profile_handler_.reset(new NetworkProfileHandler());
133 network_config_handler_.reset(new NetworkConfigurationHandler()); 140 network_config_handler_.reset(new NetworkConfigurationHandler());
134 managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl()); 141 managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl());
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after
212 219
213 ShillServiceClient::TestInterface* service_test_; 220 ShillServiceClient::TestInterface* service_test_;
214 ShillProfileClient::TestInterface* profile_test_; 221 ShillProfileClient::TestInterface* profile_test_;
215 std::string test_pkcs11_id_; 222 std::string test_pkcs11_id_;
216 scoped_refptr<net::X509Certificate> test_ca_cert_; 223 scoped_refptr<net::X509Certificate> test_ca_cert_;
217 std::string test_ca_cert_pem_; 224 std::string test_ca_cert_pem_;
218 base::MessageLoop message_loop_; 225 base::MessageLoop message_loop_;
219 226
220 private: 227 private:
221 void CleanupSlotContents() { 228 void CleanupSlotContents() {
222 CERTCertList* cert_list = PK11_ListCertsInSlot(slot_->os_module_handle()); 229 CERTCertList* cert_list = PK11_ListCertsInSlot(slot_.get());
230
223 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); 231 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
224 !CERT_LIST_END(node, cert_list); 232 !CERT_LIST_END(node, cert_list);
225 node = CERT_LIST_NEXT(node)) { 233 node = CERT_LIST_NEXT(node)) {
226 scoped_refptr<net::X509Certificate> cert( 234 scoped_refptr<net::X509Certificate> cert(
227 net::X509Certificate::CreateFromHandle( 235 net::X509Certificate::CreateFromHandle(
228 node->cert, net::X509Certificate::OSCertHandles())); 236 node->cert, net::X509Certificate::OSCertHandles()));
229 net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(cert.get()); 237 test_nssdb_->DeleteCertAndKey(cert.get());
230 } 238 }
239
231 CERT_DestroyCertList(cert_list); 240 CERT_DestroyCertList(cert_list);
232 } 241 }
233 242
234 scoped_ptr<NetworkStateHandler> network_state_handler_; 243 scoped_ptr<NetworkStateHandler> network_state_handler_;
235 scoped_ptr<NetworkProfileHandler> network_profile_handler_; 244 scoped_ptr<NetworkProfileHandler> network_profile_handler_;
236 scoped_ptr<NetworkConfigurationHandler> network_config_handler_; 245 scoped_ptr<NetworkConfigurationHandler> network_config_handler_;
237 scoped_ptr<ManagedNetworkConfigurationHandlerImpl> managed_config_handler_; 246 scoped_ptr<ManagedNetworkConfigurationHandlerImpl> managed_config_handler_;
238 scoped_ptr<ClientCertResolver> client_cert_resolver_; 247 scoped_ptr<ClientCertResolver> client_cert_resolver_;
239 scoped_refptr<net::CryptoModule> slot_; 248 crypto::ScopedTestNSSChromeOSUser user_;
240 crypto::ScopedTestNSSDB test_nssdb_; 249 scoped_ptr<net::NSSCertDatabaseChromeOS> test_nssdb_;
250 crypto::ScopedPK11Slot slot_;
241 251
242 DISALLOW_COPY_AND_ASSIGN(ClientCertResolverTest); 252 DISALLOW_COPY_AND_ASSIGN(ClientCertResolverTest);
243 }; 253 };
244 254
245 TEST_F(ClientCertResolverTest, NoMatchingCertificates) { 255 TEST_F(ClientCertResolverTest, NoMatchingCertificates) {
246 SetupNetworkHandlers(); 256 SetupNetworkHandlers();
247 SetupPolicy(); 257 SetupPolicy();
248 message_loop_.RunUntilIdle(); 258 base::RunLoop().RunUntilIdle();
249 259
250 SetupWifi(); 260 SetupWifi();
251 message_loop_.RunUntilIdle(); 261 base::RunLoop().RunUntilIdle();
252 262
253 // Verify that no client certificate was configured. 263 // Verify that no client certificate was configured.
254 std::string pkcs11_id; 264 std::string pkcs11_id;
255 GetClientCertProperties(&pkcs11_id); 265 GetClientCertProperties(&pkcs11_id);
256 EXPECT_TRUE(pkcs11_id.empty()); 266 EXPECT_TRUE(pkcs11_id.empty());
257 } 267 }
258 268
259 TEST_F(ClientCertResolverTest, ResolveOnInitialization) { 269 TEST_F(ClientCertResolverTest, ResolveOnInitialization) {
260 SetupTestCerts(); 270 SetupTestCerts();
261 SetupNetworkHandlers(); 271 SetupNetworkHandlers();
262 SetupPolicy(); 272 SetupPolicy();
263 message_loop_.RunUntilIdle(); 273 base::RunLoop().RunUntilIdle();
264 274
265 SetupWifi(); 275 SetupWifi();
266 message_loop_.RunUntilIdle(); 276 base::RunLoop().RunUntilIdle();
267 277
268 // Verify that the resolver positively matched the pattern in the policy with 278 // Verify that the resolver positively matched the pattern in the policy with
269 // the test client cert and configured the network. 279 // the test client cert and configured the network.
270 std::string pkcs11_id; 280 std::string pkcs11_id;
271 GetClientCertProperties(&pkcs11_id); 281 GetClientCertProperties(&pkcs11_id);
272 EXPECT_EQ(test_pkcs11_id_, pkcs11_id); 282 EXPECT_EQ(test_pkcs11_id_, pkcs11_id);
273 } 283 }
274 284
275 TEST_F(ClientCertResolverTest, ResolveAfterPolicyApplication) { 285 TEST_F(ClientCertResolverTest, ResolveAfterPolicyApplication) {
276 SetupTestCerts(); 286 SetupTestCerts();
277 SetupNetworkHandlers(); 287 SetupNetworkHandlers();
278 message_loop_.RunUntilIdle(); 288 base::RunLoop().RunUntilIdle();
279 289
280 // The policy will trigger the creation of a new wifi service. 290 // The policy will trigger the creation of a new wifi service.
281 SetupPolicy(); 291 SetupPolicy();
282 message_loop_.RunUntilIdle(); 292 base::RunLoop().RunUntilIdle();
283 293
284 // Verify that the resolver positively matched the pattern in the policy with 294 // Verify that the resolver positively matched the pattern in the policy with
285 // the test client cert and configured the network. 295 // the test client cert and configured the network.
286 std::string pkcs11_id; 296 std::string pkcs11_id;
287 GetClientCertProperties(&pkcs11_id); 297 GetClientCertProperties(&pkcs11_id);
288 EXPECT_EQ(test_pkcs11_id_, pkcs11_id); 298 EXPECT_EQ(test_pkcs11_id_, pkcs11_id);
289 } 299 }
290 300
291 } // namespace chromeos 301 } // namespace chromeos
OLDNEW
« chromeos/cert_loader_unittest.cc ('K') | « chromeos/network/client_cert_resolver.cc ('k') | chromeos/network/client_cert_util.h » ('j') | chromeos/network/network_cert_migrator_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698