net/ocsp/nss_ocsp_unittest.cc - Issue 15080007: Introduce unit test for NSS OCSP/AIA fetching

Side by Side Diff: net/ocsp/nss_ocsp_unittest.cc

Issue 15080007: Introduce unit test for NSS OCSP/AIA fetching (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 7 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
(Empty)
	1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "net/ocsp/nss_ocsp.h"

	6

	7 #include <string>

	8

	9 #include "base/file_util.h"

	10 #include "base/files/file_path.h"

	11 #include "base/logging.h"

	12 #include "base/memory/ref_counted.h"

	13 #include "net/base/net_errors.h"

	14 #include "net/base/test_completion_callback.h"

	15 #include "net/base/test_data_directory.h"

	16 #include "net/cert/cert_status_flags.h"

	17 #include "net/cert/cert_verifier.h"

	18 #include "net/cert/cert_verify_proc.h"

	19 #include "net/cert/cert_verify_proc_nss.h"

	20 #include "net/cert/cert_verify_result.h"

	21 #include "net/cert/multi_threaded_cert_verifier.h"

	22 #include "net/cert/test_root_certs.h"

	23 #include "net/cert/x509_certificate.h"

	24 #include "net/test/cert_test_util.h"

	25 #include "net/url_request/url_request_error_job.h"

	26 #include "net/url_request/url_request_filter.h"

	27 #include "net/url_request/url_request_test_job.h"

	28 #include "net/url_request/url_request_test_util.h"

	29 #include "testing/gtest/include/gtest/gtest.h"

	30

	31 namespace net {

	32

	33 namespace {

	34

	35 // Matches the caIssuers hostname from the generated certificate.

	36 const char kAiaHost[] = "aia-test.invalid";

	37

	38 // The number of times the intermediate was fetched via the URLRequest factory.

	39 int g_request_count = 0;

	40

	41 net::URLRequestJob* AiaResponseFactory(net::URLRequest* request,

	42 net::NetworkDelegate* network_delegate,

	43 const std::string& scheme) {

	44 // Returning a single DER-encoded cert, so the mime-type must be

	45 // application/pkix-cert per RFC 5280.

	46 static const char kAiaHeaders[] =

	47 "HTTP/1.1 200 OK\0"

	48 "Content-type: application/pkix-cert\0"

	49 "\0";

	50

	51 if (request->url().scheme() != "http" \|\|

	52 request->url().host() != kAiaHost) {
	pauljensen 2013/05/16 13:50:43 The URLRequestFilter should never use this to hand The URLRequestFilter should never use this to handle schemes or hosts other than what it was registered for, so you could just DCHECK here. Ryan Sleevi 2013/05/16 21:25:38 Fair enough. I don't suppose there's a way to setu Show quoted text On 2013/05/16 13:50:43, pauljensen wrote: > The URLRequestFilter should never use this to handle schemes or hosts other than > what it was registered for, so you could just DCHECK here. Fair enough. I don't suppose there's a way to setup a filter for all URLRequests, is there? That is, similar how we can intercept all DNS, intercept all URL requests... pauljensen 2013/05/17 03:45:22 You can insert the ProtocolHandler into the URLReq Show quoted text On 2013/05/16 21:25:38, Ryan Sleevi wrote: > On 2013/05/16 13:50:43, pauljensen wrote: > > The URLRequestFilter should never use this to handle schemes or hosts other > than > > what it was registered for, so you could just DCHECK here. > > Fair enough. I don't suppose there's a way to setup a filter for all > URLRequests, is there? That is, similar how we can intercept all DNS, intercept > all URL requests... You can insert the ProtocolHandler into the URLRequestJobFactory rather than URLRequestFilter. Some tests already do this; see AddTestInterceptor().
	53 return new net::URLRequestErrorJob(

	54 request, network_delegate, net::ERR_BLOCKED_BY_ADMINISTRATOR);

	55 }

	56

	57 ++g_request_count;

	58

	59 std::string file_contents;

	60 if (!file_util::ReadFileToString(

	61 GetTestCertsDirectory().AppendASCII("aia-intermediate.der"),

	62 &file_contents)) {

	63 return new net::URLRequestErrorJob(

	64 request, network_delegate, ERR_ACCESS_DENIED);

	65 }

	66

	67 return new net::URLRequestTestJob(

	68 request, network_delegate, kAiaHeaders, file_contents, true);

	69 }

	70

	71 } // namespace

	72

	73 class NssHttpTest : public ::testing::Test {

	74 public:

	75 NssHttpTest()

	76 : context_(false),

	77 verify_proc_(new CertVerifyProcNSS),

	78 verifier_(new MultiThreadedCertVerifier(verify_proc_)) {

	79 g_request_count = 0;

	80

	81 URLRequestFilter::GetInstance()->AddHostnameHandler(

	82 "http", kAiaHost, &AiaResponseFactory);

	83

	84 SetURLRequestContextForNSSHttpIO(&context_);

	85 EnsureNSSHttpIOInit();

	86 }

	87

	88 virtual ~NssHttpTest() {

	89 ShutdownNSSHttpIO();

	90

	91 URLRequestFilter::GetInstance()->RemoveHostnameHandler(

	92 "http", kAiaHost);

	93

	94 g_request_count = 0;

	95 }

	96

	97 CertVerifier* const verifier() const {

	98 return verifier_.get();

	99 }

	100

	101 protected:

	102 const CertificateList empty_cert_list_;

	103

	104 private:

	105 TestURLRequestContext context_;

	106 scoped_refptr<CertVerifyProc> verify_proc_;

	107 scoped_ptr<CertVerifier> verifier_;

	108 };

	109

	110 // Tests that when using NSS to verify certificates, and IO is enabled,

	111 // that a request to fetch missing intermediate certificates is

	112 // made successfully.

	113 TEST_F(NssHttpTest, TestAia) {

	114 scoped_refptr<X509Certificate> test_cert(

	115 ImportCertFromFile(GetTestCertsDirectory(), "aia-cert.pem"));

	116 ASSERT_TRUE(test_cert.get());

	117

	118 scoped_refptr<X509Certificate> test_root(

	119 ImportCertFromFile(GetTestCertsDirectory(), "aia-root.pem"));

	120 ASSERT_TRUE(test_root.get());

	121

	122 ScopedTestRoot scoped_root(test_root);

	123

	124 CertVerifyResult verify_result;

	125 TestCompletionCallback test_callback;

	126 CertVerifier::RequestHandle request_handle;

	127

	128 int flags = CertVerifier::VERIFY_CERT_IO_ENABLED;
	pauljensen 2013/05/16 13:50:43 Any reason you don't pass this directly? (i.e. ins Any reason you don't pass this directly? (i.e. instead of indirectly through a variable) Ryan Sleevi 2013/05/16 21:25:38 Mostly, consistency with most of our other calls t Show quoted text On 2013/05/16 13:50:43, pauljensen wrote: > Any reason you don't pass this directly? (i.e. instead of indirectly through a > variable) Mostly, consistency with most of our other calls to verify (eg: cert_verify_proc_unittest and friends), which is largely trying for ease of readability (particularly when flags is '0')
	129 int error = verifier()->Verify(

	130 test_cert, "aia-host.invalid", flags, NULL, &verify_result,

	131 test_callback.callback(), &request_handle, BoundNetLog());
	pauljensen 2013/05/16 13:50:43 The style guide says one argument per line when th The style guide says one argument per line when the indent-by-4 function call format is used. Ryan Sleevi 2013/05/16 21:25:38 Could swore I clang-format'd this, but fixed now. Show quoted text On 2013/05/16 13:50:43, pauljensen wrote: > The style guide says one argument per line when the indent-by-4 function call > format is used. Could swore I clang-format'd this, but fixed now.
	132 ASSERT_EQ(ERR_IO_PENDING, error);

	133

	134 error = test_callback.WaitForResult();

	135

	136 EXPECT_EQ(OK, error);

	137

	138 // Ensure that NSS made an AIA request for the missing intermediate.

	139 EXPECT_LT(0, g_request_count);

	140 }

	141

	142 } // namespace net

OLD	NEW

« net/net.gyp ('K') | « net/net.gyp ('k') | no next file » | no next file with comments »