NSS Cros multiprofile: trust roots added by a profile shouldn't apply to other profiles.

net/cert/nss_cert_database_chromeos_unittest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/nss_cert_database_chromeos.h"
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/run_loop.h"
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
+#include "net/base/net_errors.h"
 #include "net/base/test_data_directory.h"
 #include "net/cert/cert_database.h"
+#include "net/cert/cert_verify_proc.h"
+#include "net/cert/cert_verify_proc_chromeos.h"
+#include "net/cert/cert_verify_result.h"
 #include "net/test/cert_test_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 
 namespace {
 
 bool IsCertInCertificateList(const X509Certificate* cert,
                              const CertificateList& cert_list) {
   for (CertificateList::const_iterator it = cert_list.begin();
@@ skipping 26 matching lines @@
         crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash()),
         crypto::GetPrivateSlotForChromeOSUser(
             user_1_.username_hash(),
             base::Callback<void(crypto::ScopedPK11Slot)>())));
     db_2_.reset(new NSSCertDatabaseChromeOS(
         crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash()),
         crypto::GetPrivateSlotForChromeOSUser(
             user_2_.username_hash(),
             base::Callback<void(crypto::ScopedPK11Slot)>())));
 
+    verify_proc_default_ = CertVerifyProc::CreateDefault();
+    verify_proc_1_ = new CertVerifyProcChromeOS(
+        crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash()),
+        crypto::GetPrivateSlotForChromeOSUser(
+            user_1_.username_hash(),
+            base::Callback<void(crypto::ScopedPK11Slot)>()));
+    verify_proc_2_ = new CertVerifyProcChromeOS(
+        crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash()),
+        crypto::GetPrivateSlotForChromeOSUser(
+            user_2_.username_hash(),
+            base::Callback<void(crypto::ScopedPK11Slot)>()));
+
     // Add observer to CertDatabase for checking that notifications from
     // NSSCertDatabaseChromeOS are proxied to the CertDatabase.
     CertDatabase::GetInstance()->AddObserver(this);
     observer_added_ = true;
   }
 
   virtual void TearDown() OVERRIDE {
     if (observer_added_)
       CertDatabase::GetInstance()->RemoveObserver(this);
   }
 
   // CertDatabase::Observer:
   virtual void OnCertAdded(const X509Certificate* cert) OVERRIDE {
     added_.push_back(cert ? cert->os_cert_handle() : NULL);
   }
 
   virtual void OnCertRemoved(const X509Certificate* cert) OVERRIDE {}
 
   virtual void OnCACertChanged(const X509Certificate* cert) OVERRIDE {
     added_ca_.push_back(cert ? cert->os_cert_handle() : NULL);
   }
 
+  int Verify(CertVerifyProc* verify_proc,
+             X509Certificate* cert,
+             const std::string& hostname) {
+    int flags = 0;
+    CertVerifyResult verify_result;
+    CertificateList additional_trust_anchors;
+    int error = verify_proc->Verify(cert,
+                                    hostname,
+                                    flags,
+                                    NULL,
+                                    additional_trust_anchors,
+                                    &verify_result);
+    return error;
+  }
+
  protected:
   bool observer_added_;
   // Certificates that were passed to the CertDatabase observers.
   std::vector<CERTCertificate*> added_ca_;
   std::vector<CERTCertificate*> added_;
 
   crypto::ScopedTestNSSChromeOSUser user_1_;
   crypto::ScopedTestNSSChromeOSUser user_2_;
   scoped_ptr<NSSCertDatabaseChromeOS> db_1_;
   scoped_ptr<NSSCertDatabaseChromeOS> db_2_;
+  scoped_refptr<CertVerifyProc> verify_proc_default_;
+  scoped_refptr<CertVerifyProc> verify_proc_1_;
+  scoped_refptr<CertVerifyProc> verify_proc_2_;
 };
 
 // Test that ListModules() on each user includes that user's NSS software slot,
 // and does not include the software slot of the other user. (Does not check the
 // private slot, since it is the same as the public slot in tests.)
 TEST_F(NSSCertDatabaseChromeOSTest, ListModules) {
   CryptoModuleList modules_1;
   CryptoModuleList modules_2;
 
   db_1_->ListModules(&modules_1, false /* need_rw */);
@@ skipping 24 matching lines @@
 TEST_F(NSSCertDatabaseChromeOSTest, ImportCACerts) {
   // Load test certs from disk.
   CertificateList certs_1 =
       CreateCertificateListFromFile(GetTestCertsDirectory(),
                                     "root_ca_cert.pem",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs_1.size());
 
   CertificateList certs_2 =
       CreateCertificateListFromFile(GetTestCertsDirectory(),
-                                    "2048-rsa-root.pem",
+                                    "2048-rsa-intermediate.pem",
                                     X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs_2.size());
 
   // Import one cert for each user.
   NSSCertDatabase::ImportCertFailureList failed;
   EXPECT_TRUE(
       db_1_->ImportCACerts(certs_1, NSSCertDatabase::TRUSTED_SSL, &failed));
   EXPECT_EQ(0U, failed.size());
   failed.clear();
   EXPECT_TRUE(
       db_2_->ImportCACerts(certs_2, NSSCertDatabase::TRUSTED_SSL, &failed));
   EXPECT_EQ(0U, failed.size());
 
   // Get cert list for each user.
   CertificateList user_1_certlist;
   CertificateList user_2_certlist;
   db_1_->ListCerts(&user_1_certlist);
   db_2_->ListCerts(&user_2_certlist);
 
   // Check that the imported certs only shows up in the list for the user that
   // imported them.
   EXPECT_TRUE(IsCertInCertificateList(certs_1[0], user_1_certlist));
   EXPECT_FALSE(IsCertInCertificateList(certs_1[0], user_2_certlist));
 
   EXPECT_TRUE(IsCertInCertificateList(certs_2[0], user_2_certlist));
   EXPECT_FALSE(IsCertInCertificateList(certs_2[0], user_1_certlist));
 
+  // Load matching server certs for testing trust.
+  CertificateList server_cert_1 = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "ok_cert.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, server_cert_1.size());
+  CertificateList server_cert_2 = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, server_cert_1.size());
+
+  // Imported CA certs are not trusted by default verifier.
+  EXPECT_EQ(
+      ERR_CERT_REVOKED,
+      Verify(verify_proc_default_.get(), server_cert_1[0].get(), "127.0.0.1"));
+  EXPECT_EQ(
+      ERR_CERT_REVOKED,
+      Verify(verify_proc_default_.get(), server_cert_2[0].get(), "127.0.0.1"));
+
+  // Trust applies only to the user that imported the CA.
+  EXPECT_EQ(OK,
+            Verify(verify_proc_1_.get(), server_cert_1[0].get(), "127.0.0.1"));
+  EXPECT_EQ(ERR_CERT_REVOKED,
+            Verify(verify_proc_1_.get(), server_cert_2[0].get(), "127.0.0.1"));
+
+  EXPECT_EQ(ERR_CERT_REVOKED,
+            Verify(verify_proc_2_.get(), server_cert_1[0].get(), "127.0.0.1"));
+  EXPECT_EQ(OK,
+            Verify(verify_proc_2_.get(), server_cert_2[0].get(), "127.0.0.1"));
+
   // Run the message loop so the observer notifications get processed.
   base::RunLoop().RunUntilIdle();
   // Should have gotten two OnCACertChanged notifications.
   ASSERT_EQ(2U, added_ca_.size());
   // TODO(mattm): make NSSCertDatabase actually pass the cert to the callback,
   // and enable these checks:
   // EXPECT_EQ(certs_1[0]->os_cert_handle(), added_ca_[0]);
   // EXPECT_EQ(certs_2[0]->os_cert_handle(), added_ca_[1]);
   EXPECT_EQ(0U, added_.size());
 }
@@ skipping 39 matching lines @@
 
   // Run the message loop so the observer notifications get processed.
   base::RunLoop().RunUntilIdle();
   // TODO(mattm): ImportServerCert doesn't actually cause any observers to
   // fire. Is that correct?
   EXPECT_EQ(0U, added_ca_.size());
   EXPECT_EQ(0U, added_.size());
 }
 
 }  // namespace net