| Index: net/cert/nss_cert_database_chromeos_unittest.cc
|
| diff --git a/net/cert/nss_cert_database_chromeos_unittest.cc b/net/cert/nss_cert_database_chromeos_unittest.cc
|
| index 465d25dde47d4a3c5bab3665e883eb7ebf13826d..69a970fa5e5afb7ac979045ff49fce0619a7dc04 100644
|
| --- a/net/cert/nss_cert_database_chromeos_unittest.cc
|
| +++ b/net/cert/nss_cert_database_chromeos_unittest.cc
|
| @@ -9,8 +9,12 @@
|
| #include "base/run_loop.h"
|
| #include "crypto/nss_util.h"
|
| #include "crypto/nss_util_internal.h"
|
| +#include "net/base/net_errors.h"
|
| #include "net/base/test_data_directory.h"
|
| #include "net/cert/cert_database.h"
|
| +#include "net/cert/cert_verify_proc.h"
|
| +#include "net/cert/cert_verify_proc_chromeos.h"
|
| +#include "net/cert/cert_verify_result.h"
|
| #include "net/test/cert_test_util.h"
|
| #include "testing/gtest/include/gtest/gtest.h"
|
|
|
| @@ -57,6 +61,18 @@ class NSSCertDatabaseChromeOSTest : public testing::Test,
|
| user_2_.username_hash(),
|
| base::Callback<void(crypto::ScopedPK11Slot)>())));
|
|
|
| + verify_proc_default_ = CertVerifyProc::CreateDefault();
|
| + verify_proc_1_ = new CertVerifyProcChromeOS(
|
| + crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash()),
|
| + crypto::GetPrivateSlotForChromeOSUser(
|
| + user_1_.username_hash(),
|
| + base::Callback<void(crypto::ScopedPK11Slot)>()));
|
| + verify_proc_2_ = new CertVerifyProcChromeOS(
|
| + crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash()),
|
| + crypto::GetPrivateSlotForChromeOSUser(
|
| + user_2_.username_hash(),
|
| + base::Callback<void(crypto::ScopedPK11Slot)>()));
|
| +
|
| // Add observer to CertDatabase for checking that notifications from
|
| // NSSCertDatabaseChromeOS are proxied to the CertDatabase.
|
| CertDatabase::GetInstance()->AddObserver(this);
|
| @@ -79,6 +95,21 @@ class NSSCertDatabaseChromeOSTest : public testing::Test,
|
| added_ca_.push_back(cert ? cert->os_cert_handle() : NULL);
|
| }
|
|
|
| + int Verify(CertVerifyProc* verify_proc,
|
| + X509Certificate* cert,
|
| + const std::string& hostname) {
|
| + int flags = 0;
|
| + CertVerifyResult verify_result;
|
| + CertificateList additional_trust_anchors;
|
| + int error = verify_proc->Verify(cert,
|
| + hostname,
|
| + flags,
|
| + NULL,
|
| + additional_trust_anchors,
|
| + &verify_result);
|
| + return error;
|
| + }
|
| +
|
| protected:
|
| bool observer_added_;
|
| // Certificates that were passed to the CertDatabase observers.
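Review bot: The new `Verify()` helper has no comment explaining that it runs with `flags = 0`, a NULL CRL set and an empty additional-trust-anchor list, and that it discards `verify_result`, returning only the net error code. That matters for reading the assertions later in this patch, because the result depends only on the trust visible to the given `CertVerifyProc`. I would add above the helper something like `// Verifies |cert| for |hostname| using |verify_proc| with no flags, no CRLSet and no extra trust anchors.` followed by `// Returns only the net error; cert_status in the CertVerifyResult is dropped.` The helper is also declared before the `protected:` label, so its access level comes from a section that starts outside this hunk; confirm that is intended.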
|
| @@ -89,6 +120,9 @@ class NSSCertDatabaseChromeOSTest : public testing::Test,
|
| crypto::ScopedTestNSSChromeOSUser user_2_;
|
| scoped_ptr<NSSCertDatabaseChromeOS> db_1_;
|
| scoped_ptr<NSSCertDatabaseChromeOS> db_2_;
|
| + scoped_refptr<CertVerifyProc> verify_proc_default_;
|
| + scoped_refptr<CertVerifyProc> verify_proc_1_;
|
| + scoped_refptr<CertVerifyProc> verify_proc_2_;
|
| };
|
|
|
| // Test that ListModules() on each user includes that user's NSS software slot,
|
| @@ -133,7 +167,7 @@ TEST_F(NSSCertDatabaseChromeOSTest, ImportCACerts) {
|
|
|
| CertificateList certs_2 =
|
| CreateCertificateListFromFile(GetTestCertsDirectory(),
|
| - "2048-rsa-root.pem",
|
| + "2048-rsa-intermediate.pem",
|
| X509Certificate::FORMAT_AUTO);
|
| ASSERT_EQ(1U, certs_2.size());
|
|
|
| @@ -161,6 +195,35 @@ TEST_F(NSSCertDatabaseChromeOSTest, ImportCACerts) {
|
| EXPECT_TRUE(IsCertInCertificateList(certs_2[0], user_2_certlist));
|
| EXPECT_FALSE(IsCertInCertificateList(certs_2[0], user_1_certlist));
|
|
|
| + // Load matching server certs for testing trust.
|
| + CertificateList server_cert_1 = CreateCertificateListFromFile(
|
| + GetTestCertsDirectory(), "ok_cert.pem",
|
| + X509Certificate::FORMAT_AUTO);
|
| + ASSERT_EQ(1U, server_cert_1.size());
|
| + CertificateList server_cert_2 = CreateCertificateListFromFile(
|
| + GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
|
| + X509Certificate::FORMAT_AUTO);
|
| + ASSERT_EQ(1U, server_cert_1.size());
|
| +
|
| + // Imported CA certs are not trusted by default verifier.
|
| + EXPECT_EQ(
|
| + ERR_CERT_REVOKED,
|
| + Verify(verify_proc_default_.get(), server_cert_1[0].get(), "127.0.0.1"));
|
| + EXPECT_EQ(
|
| + ERR_CERT_REVOKED,
|
| + Verify(verify_proc_default_.get(), server_cert_2[0].get(), "127.0.0.1"));
|
| +
|
| + // Trust applies only to the user that imported the CA.
|
| + EXPECT_EQ(OK,
|
| + Verify(verify_proc_1_.get(), server_cert_1[0].get(), "127.0.0.1"));
|
| + EXPECT_EQ(ERR_CERT_REVOKED,
|
| + Verify(verify_proc_1_.get(), server_cert_2[0].get(), "127.0.0.1"));
|
| +
|
| + EXPECT_EQ(ERR_CERT_REVOKED,
|
| + Verify(verify_proc_2_.get(), server_cert_1[0].get(), "127.0.0.1"));
|
| + EXPECT_EQ(OK,
|
| + Verify(verify_proc_2_.get(), server_cert_2[0].get(), "127.0.0.1"));
|
| +
|
| // Run the message loop so the observer notifications get processed.
|
| base::RunLoop().RunUntilIdle();
|
| // Should have gotten two OnCACertChanged notifications.
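Review bot: The size check that follows the load of `server_cert_2` asserts on `server_cert_1` a second time, so a failed load of `2048-rsa-ee-by-2048-rsa-intermediate.pem` is not caught before `server_cert_2[0]` is indexed; it should read `ASSERT_EQ(1U, server_cert_2.size());`. Separately, every untrusted case expects `ERR_CERT_REVOKED`, while the comments describe a CA that is simply not trusted and the `Verify()` helper passes no flags and a NULL CRL set. If the intent is that the chain does not reach a trusted anchor, `ERR_CERT_AUTHORITY_INVALID` looks like the code to assert. This is worth confirming, because pinning the wrong error means these per-user trust-isolation checks could pass or fail for reasons unrelated to trust. The `TEST_F` body starts and ends outside this hunk.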
|
|
|