OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h" | 5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h" |
6 | 6 |
| 7 #include <memory> |
| 8 |
7 #include "base/bind.h" | 9 #include "base/bind.h" |
8 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
9 #include "base/callback.h" | 11 #include "base/callback.h" |
10 #include "base/memory/ref_counted.h" | 12 #include "base/memory/ref_counted.h" |
11 #include "base/memory/scoped_ptr.h" | |
12 #include "base/run_loop.h" | 13 #include "base/run_loop.h" |
13 #include "base/thread_task_runner_handle.h" | 14 #include "base/thread_task_runner_handle.h" |
14 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h" | 15 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h" |
15 #include "content/public/browser/browser_thread.h" | 16 #include "content/public/browser/browser_thread.h" |
16 #include "content/public/test/test_browser_thread_bundle.h" | 17 #include "content/public/test/test_browser_thread_bundle.h" |
17 #include "crypto/nss_util_internal.h" | 18 #include "crypto/nss_util_internal.h" |
18 #include "crypto/scoped_test_nss_chromeos_user.h" | 19 #include "crypto/scoped_test_nss_chromeos_user.h" |
19 #include "net/base/test_completion_callback.h" | 20 #include "net/base/test_completion_callback.h" |
20 #include "net/base/test_data_directory.h" | 21 #include "net/base/test_data_directory.h" |
21 #include "net/cert/cert_trust_anchor_provider.h" | 22 #include "net/cert/cert_trust_anchor_provider.h" |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
59 test_ca_cert_list_.push_back(test_ca_cert_); | 60 test_ca_cert_list_.push_back(test_ca_cert_); |
60 } | 61 } |
61 | 62 |
62 void TearDown() override { | 63 void TearDown() override { |
63 // Destroy |cert_verifier_| before destroying the ThreadBundle, otherwise | 64 // Destroy |cert_verifier_| before destroying the ThreadBundle, otherwise |
64 // BrowserThread::CurrentlyOn checks fail. | 65 // BrowserThread::CurrentlyOn checks fail. |
65 cert_verifier_.reset(); | 66 cert_verifier_.reset(); |
66 } | 67 } |
67 | 68 |
68 protected: | 69 protected: |
69 int VerifyTestServerCert(const net::TestCompletionCallback& test_callback, | 70 int VerifyTestServerCert( |
70 net::CertVerifyResult* verify_result, | 71 const net::TestCompletionCallback& test_callback, |
71 scoped_ptr<net::CertVerifier::Request>* request) { | 72 net::CertVerifyResult* verify_result, |
| 73 std::unique_ptr<net::CertVerifier::Request>* request) { |
72 return cert_verifier_->Verify( | 74 return cert_verifier_->Verify( |
73 test_server_cert_.get(), "127.0.0.1", std::string(), 0, NULL, | 75 test_server_cert_.get(), "127.0.0.1", std::string(), 0, NULL, |
74 verify_result, test_callback.callback(), request, net::BoundNetLog()); | 76 verify_result, test_callback.callback(), request, net::BoundNetLog()); |
75 } | 77 } |
76 | 78 |
77 bool SupportsAdditionalTrustAnchors() { | 79 bool SupportsAdditionalTrustAnchors() { |
78 scoped_refptr<net::CertVerifyProc> proc = | 80 scoped_refptr<net::CertVerifyProc> proc = |
79 net::CertVerifyProc::CreateDefault(); | 81 net::CertVerifyProc::CreateDefault(); |
80 return proc->SupportsAdditionalTrustAnchors(); | 82 return proc->SupportsAdditionalTrustAnchors(); |
81 } | 83 } |
82 | 84 |
83 // Returns whether |cert_verifier| signalled usage of one of the additional | 85 // Returns whether |cert_verifier| signalled usage of one of the additional |
84 // trust anchors (i.e. of |test_ca_cert_|) for the first time or since the | 86 // trust anchors (i.e. of |test_ca_cert_|) for the first time or since the |
85 // last call of this function. | 87 // last call of this function. |
86 bool WasTrustAnchorUsedAndReset() { | 88 bool WasTrustAnchorUsedAndReset() { |
87 base::RunLoop().RunUntilIdle(); | 89 base::RunLoop().RunUntilIdle(); |
88 bool result = trust_anchor_used_; | 90 bool result = trust_anchor_used_; |
89 trust_anchor_used_ = false; | 91 trust_anchor_used_ = false; |
90 return result; | 92 return result; |
91 } | 93 } |
92 | 94 |
93 // |test_ca_cert_| is the issuer of |test_server_cert_|. | 95 // |test_ca_cert_| is the issuer of |test_server_cert_|. |
94 scoped_refptr<net::X509Certificate> test_ca_cert_; | 96 scoped_refptr<net::X509Certificate> test_ca_cert_; |
95 scoped_refptr<net::X509Certificate> test_server_cert_; | 97 scoped_refptr<net::X509Certificate> test_server_cert_; |
96 net::CertificateList test_ca_cert_list_; | 98 net::CertificateList test_ca_cert_list_; |
97 scoped_ptr<net::NSSCertDatabaseChromeOS> test_cert_db_; | 99 std::unique_ptr<net::NSSCertDatabaseChromeOS> test_cert_db_; |
98 scoped_ptr<PolicyCertVerifier> cert_verifier_; | 100 std::unique_ptr<PolicyCertVerifier> cert_verifier_; |
99 | 101 |
100 private: | 102 private: |
101 void OnTrustAnchorUsed() { | 103 void OnTrustAnchorUsed() { |
102 trust_anchor_used_ = true; | 104 trust_anchor_used_ = true; |
103 } | 105 } |
104 | 106 |
105 scoped_refptr<net::X509Certificate> LoadCertificate(const std::string& name, | 107 scoped_refptr<net::X509Certificate> LoadCertificate(const std::string& name, |
106 net::CertType type) { | 108 net::CertType type) { |
107 scoped_refptr<net::X509Certificate> cert = | 109 scoped_refptr<net::X509Certificate> cert = |
108 net::ImportCertFromFile(net::GetTestCertsDirectory(), name); | 110 net::ImportCertFromFile(net::GetTestCertsDirectory(), name); |
109 | 111 |
110 // No certificate is trusted right after it's loaded. | 112 // No certificate is trusted right after it's loaded. |
111 net::NSSCertDatabase::TrustBits trust = | 113 net::NSSCertDatabase::TrustBits trust = |
112 test_cert_db_->GetCertTrust(cert.get(), type); | 114 test_cert_db_->GetCertTrust(cert.get(), type); |
113 EXPECT_EQ(net::NSSCertDatabase::TRUST_DEFAULT, trust); | 115 EXPECT_EQ(net::NSSCertDatabase::TRUST_DEFAULT, trust); |
114 | 116 |
115 return cert; | 117 return cert; |
116 } | 118 } |
117 | 119 |
118 bool trust_anchor_used_; | 120 bool trust_anchor_used_; |
119 crypto::ScopedTestNSSChromeOSUser test_nss_user_; | 121 crypto::ScopedTestNSSChromeOSUser test_nss_user_; |
120 content::TestBrowserThreadBundle thread_bundle_; | 122 content::TestBrowserThreadBundle thread_bundle_; |
121 }; | 123 }; |
122 | 124 |
123 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) { | 125 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) { |
124 // |test_server_cert_| is untrusted, so Verify() fails. | 126 // |test_server_cert_| is untrusted, so Verify() fails. |
125 { | 127 { |
126 net::CertVerifyResult verify_result; | 128 net::CertVerifyResult verify_result; |
127 net::TestCompletionCallback callback; | 129 net::TestCompletionCallback callback; |
128 scoped_ptr<net::CertVerifier::Request> request; | 130 std::unique_ptr<net::CertVerifier::Request> request; |
129 int error = VerifyTestServerCert(callback, &verify_result, &request); | 131 int error = VerifyTestServerCert(callback, &verify_result, &request); |
130 ASSERT_EQ(net::ERR_IO_PENDING, error); | 132 ASSERT_EQ(net::ERR_IO_PENDING, error); |
131 EXPECT_TRUE(request); | 133 EXPECT_TRUE(request); |
132 error = callback.WaitForResult(); | 134 error = callback.WaitForResult(); |
133 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 135 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
134 } | 136 } |
135 | 137 |
136 // Issuing the same request again hits the cache. This tests the synchronous | 138 // Issuing the same request again hits the cache. This tests the synchronous |
137 // path. | 139 // path. |
138 { | 140 { |
139 net::CertVerifyResult verify_result; | 141 net::CertVerifyResult verify_result; |
140 net::TestCompletionCallback callback; | 142 net::TestCompletionCallback callback; |
141 scoped_ptr<net::CertVerifier::Request> request; | 143 std::unique_ptr<net::CertVerifier::Request> request; |
142 int error = VerifyTestServerCert(callback, &verify_result, &request); | 144 int error = VerifyTestServerCert(callback, &verify_result, &request); |
143 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 145 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
144 } | 146 } |
145 | 147 |
146 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 148 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
147 } | 149 } |
148 | 150 |
149 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) { | 151 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) { |
150 // Make the database trust |test_ca_cert_|. | 152 // Make the database trust |test_ca_cert_|. |
151 net::NSSCertDatabase::ImportCertFailureList failure_list; | 153 net::NSSCertDatabase::ImportCertFailureList failure_list; |
152 ASSERT_TRUE(test_cert_db_->ImportCACerts( | 154 ASSERT_TRUE(test_cert_db_->ImportCACerts( |
153 test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list)); | 155 test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list)); |
154 ASSERT_TRUE(failure_list.empty()); | 156 ASSERT_TRUE(failure_list.empty()); |
155 | 157 |
156 // Verify that it is now trusted. | 158 // Verify that it is now trusted. |
157 net::NSSCertDatabase::TrustBits trust = | 159 net::NSSCertDatabase::TrustBits trust = |
158 test_cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT); | 160 test_cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT); |
159 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust); | 161 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust); |
160 | 162 |
161 // Verify() successfully verifies |test_server_cert_| after it was imported. | 163 // Verify() successfully verifies |test_server_cert_| after it was imported. |
162 net::CertVerifyResult verify_result; | 164 net::CertVerifyResult verify_result; |
163 net::TestCompletionCallback callback; | 165 net::TestCompletionCallback callback; |
164 scoped_ptr<net::CertVerifier::Request> request; | 166 std::unique_ptr<net::CertVerifier::Request> request; |
165 int error = VerifyTestServerCert(callback, &verify_result, &request); | 167 int error = VerifyTestServerCert(callback, &verify_result, &request); |
166 ASSERT_EQ(net::ERR_IO_PENDING, error); | 168 ASSERT_EQ(net::ERR_IO_PENDING, error); |
167 EXPECT_TRUE(request); | 169 EXPECT_TRUE(request); |
168 error = callback.WaitForResult(); | 170 error = callback.WaitForResult(); |
169 EXPECT_EQ(net::OK, error); | 171 EXPECT_EQ(net::OK, error); |
170 | 172 |
171 // The additional trust anchors were not used, since the certificate is | 173 // The additional trust anchors were not used, since the certificate is |
172 // trusted from the database. | 174 // trusted from the database. |
173 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 175 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
174 } | 176 } |
175 | 177 |
176 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) { | 178 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) { |
177 ASSERT_TRUE(SupportsAdditionalTrustAnchors()); | 179 ASSERT_TRUE(SupportsAdditionalTrustAnchors()); |
178 | 180 |
179 // |test_server_cert_| is untrusted, so Verify() fails. | 181 // |test_server_cert_| is untrusted, so Verify() fails. |
180 { | 182 { |
181 net::CertVerifyResult verify_result; | 183 net::CertVerifyResult verify_result; |
182 net::TestCompletionCallback callback; | 184 net::TestCompletionCallback callback; |
183 scoped_ptr<net::CertVerifier::Request> request; | 185 std::unique_ptr<net::CertVerifier::Request> request; |
184 int error = VerifyTestServerCert(callback, &verify_result, &request); | 186 int error = VerifyTestServerCert(callback, &verify_result, &request); |
185 ASSERT_EQ(net::ERR_IO_PENDING, error); | 187 ASSERT_EQ(net::ERR_IO_PENDING, error); |
186 EXPECT_TRUE(request); | 188 EXPECT_TRUE(request); |
187 error = callback.WaitForResult(); | 189 error = callback.WaitForResult(); |
188 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 190 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
189 } | 191 } |
190 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 192 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
191 | 193 |
192 // Verify() again with the additional trust anchors. | 194 // Verify() again with the additional trust anchors. |
193 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); | 195 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); |
194 { | 196 { |
195 net::CertVerifyResult verify_result; | 197 net::CertVerifyResult verify_result; |
196 net::TestCompletionCallback callback; | 198 net::TestCompletionCallback callback; |
197 scoped_ptr<net::CertVerifier::Request> request; | 199 std::unique_ptr<net::CertVerifier::Request> request; |
198 int error = VerifyTestServerCert(callback, &verify_result, &request); | 200 int error = VerifyTestServerCert(callback, &verify_result, &request); |
199 ASSERT_EQ(net::ERR_IO_PENDING, error); | 201 ASSERT_EQ(net::ERR_IO_PENDING, error); |
200 EXPECT_TRUE(request); | 202 EXPECT_TRUE(request); |
201 error = callback.WaitForResult(); | 203 error = callback.WaitForResult(); |
202 EXPECT_EQ(net::OK, error); | 204 EXPECT_EQ(net::OK, error); |
203 } | 205 } |
204 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); | 206 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); |
205 | 207 |
206 // Verify() again with the additional trust anchors will hit the cache. | 208 // Verify() again with the additional trust anchors will hit the cache. |
207 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); | 209 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); |
208 { | 210 { |
209 net::CertVerifyResult verify_result; | 211 net::CertVerifyResult verify_result; |
210 net::TestCompletionCallback callback; | 212 net::TestCompletionCallback callback; |
211 scoped_ptr<net::CertVerifier::Request> request; | 213 std::unique_ptr<net::CertVerifier::Request> request; |
212 int error = VerifyTestServerCert(callback, &verify_result, &request); | 214 int error = VerifyTestServerCert(callback, &verify_result, &request); |
213 EXPECT_EQ(net::OK, error); | 215 EXPECT_EQ(net::OK, error); |
214 } | 216 } |
215 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); | 217 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); |
216 | 218 |
217 // Verifying after removing the trust anchors should now fail. | 219 // Verifying after removing the trust anchors should now fail. |
218 cert_verifier_->SetTrustAnchors(net::CertificateList()); | 220 cert_verifier_->SetTrustAnchors(net::CertificateList()); |
219 { | 221 { |
220 net::CertVerifyResult verify_result; | 222 net::CertVerifyResult verify_result; |
221 net::TestCompletionCallback callback; | 223 net::TestCompletionCallback callback; |
222 scoped_ptr<net::CertVerifier::Request> request; | 224 std::unique_ptr<net::CertVerifier::Request> request; |
223 int error = VerifyTestServerCert(callback, &verify_result, &request); | 225 int error = VerifyTestServerCert(callback, &verify_result, &request); |
224 // Note: this hits the cached result from the first Verify() in this test. | 226 // Note: this hits the cached result from the first Verify() in this test. |
225 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 227 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
226 } | 228 } |
227 // The additional trust anchors were reset, thus |cert_verifier_| should not | 229 // The additional trust anchors were reset, thus |cert_verifier_| should not |
228 // signal it's usage anymore. | 230 // signal it's usage anymore. |
229 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 231 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
230 } | 232 } |
231 | 233 |
232 } // namespace policy | 234 } // namespace policy |
OLD | NEW |