| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h" | 5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h" |
| 6 | 6 |
| 7 #include <memory> |
| 8 |
| 7 #include "base/bind.h" | 9 #include "base/bind.h" |
| 8 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
| 9 #include "base/callback.h" | 11 #include "base/callback.h" |
| 10 #include "base/memory/ref_counted.h" | 12 #include "base/memory/ref_counted.h" |
| 11 #include "base/memory/scoped_ptr.h" | |
| 12 #include "base/run_loop.h" | 13 #include "base/run_loop.h" |
| 13 #include "base/thread_task_runner_handle.h" | 14 #include "base/thread_task_runner_handle.h" |
| 14 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h" | 15 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h" |
| 15 #include "content/public/browser/browser_thread.h" | 16 #include "content/public/browser/browser_thread.h" |
| 16 #include "content/public/test/test_browser_thread_bundle.h" | 17 #include "content/public/test/test_browser_thread_bundle.h" |
| 17 #include "crypto/nss_util_internal.h" | 18 #include "crypto/nss_util_internal.h" |
| 18 #include "crypto/scoped_test_nss_chromeos_user.h" | 19 #include "crypto/scoped_test_nss_chromeos_user.h" |
| 19 #include "net/base/test_completion_callback.h" | 20 #include "net/base/test_completion_callback.h" |
| 20 #include "net/base/test_data_directory.h" | 21 #include "net/base/test_data_directory.h" |
| 21 #include "net/cert/cert_trust_anchor_provider.h" | 22 #include "net/cert/cert_trust_anchor_provider.h" |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 59 test_ca_cert_list_.push_back(test_ca_cert_); | 60 test_ca_cert_list_.push_back(test_ca_cert_); |
| 60 } | 61 } |
| 61 | 62 |
| 62 void TearDown() override { | 63 void TearDown() override { |
| 63 // Destroy |cert_verifier_| before destroying the ThreadBundle, otherwise | 64 // Destroy |cert_verifier_| before destroying the ThreadBundle, otherwise |
| 64 // BrowserThread::CurrentlyOn checks fail. | 65 // BrowserThread::CurrentlyOn checks fail. |
| 65 cert_verifier_.reset(); | 66 cert_verifier_.reset(); |
| 66 } | 67 } |
| 67 | 68 |
| 68 protected: | 69 protected: |
| 69 int VerifyTestServerCert(const net::TestCompletionCallback& test_callback, | 70 int VerifyTestServerCert( |
| 70 net::CertVerifyResult* verify_result, | 71 const net::TestCompletionCallback& test_callback, |
| 71 scoped_ptr<net::CertVerifier::Request>* request) { | 72 net::CertVerifyResult* verify_result, |
| 73 std::unique_ptr<net::CertVerifier::Request>* request) { |
| 72 return cert_verifier_->Verify( | 74 return cert_verifier_->Verify( |
| 73 test_server_cert_.get(), "127.0.0.1", std::string(), 0, NULL, | 75 test_server_cert_.get(), "127.0.0.1", std::string(), 0, NULL, |
| 74 verify_result, test_callback.callback(), request, net::BoundNetLog()); | 76 verify_result, test_callback.callback(), request, net::BoundNetLog()); |
| 75 } | 77 } |
| 76 | 78 |
| 77 bool SupportsAdditionalTrustAnchors() { | 79 bool SupportsAdditionalTrustAnchors() { |
| 78 scoped_refptr<net::CertVerifyProc> proc = | 80 scoped_refptr<net::CertVerifyProc> proc = |
| 79 net::CertVerifyProc::CreateDefault(); | 81 net::CertVerifyProc::CreateDefault(); |
| 80 return proc->SupportsAdditionalTrustAnchors(); | 82 return proc->SupportsAdditionalTrustAnchors(); |
| 81 } | 83 } |
| 82 | 84 |
| 83 // Returns whether |cert_verifier| signalled usage of one of the additional | 85 // Returns whether |cert_verifier| signalled usage of one of the additional |
| 84 // trust anchors (i.e. of |test_ca_cert_|) for the first time or since the | 86 // trust anchors (i.e. of |test_ca_cert_|) for the first time or since the |
| 85 // last call of this function. | 87 // last call of this function. |
| 86 bool WasTrustAnchorUsedAndReset() { | 88 bool WasTrustAnchorUsedAndReset() { |
| 87 base::RunLoop().RunUntilIdle(); | 89 base::RunLoop().RunUntilIdle(); |
| 88 bool result = trust_anchor_used_; | 90 bool result = trust_anchor_used_; |
| 89 trust_anchor_used_ = false; | 91 trust_anchor_used_ = false; |
| 90 return result; | 92 return result; |
| 91 } | 93 } |
| 92 | 94 |
| 93 // |test_ca_cert_| is the issuer of |test_server_cert_|. | 95 // |test_ca_cert_| is the issuer of |test_server_cert_|. |
| 94 scoped_refptr<net::X509Certificate> test_ca_cert_; | 96 scoped_refptr<net::X509Certificate> test_ca_cert_; |
| 95 scoped_refptr<net::X509Certificate> test_server_cert_; | 97 scoped_refptr<net::X509Certificate> test_server_cert_; |
| 96 net::CertificateList test_ca_cert_list_; | 98 net::CertificateList test_ca_cert_list_; |
| 97 scoped_ptr<net::NSSCertDatabaseChromeOS> test_cert_db_; | 99 std::unique_ptr<net::NSSCertDatabaseChromeOS> test_cert_db_; |
| 98 scoped_ptr<PolicyCertVerifier> cert_verifier_; | 100 std::unique_ptr<PolicyCertVerifier> cert_verifier_; |
| 99 | 101 |
| 100 private: | 102 private: |
| 101 void OnTrustAnchorUsed() { | 103 void OnTrustAnchorUsed() { |
| 102 trust_anchor_used_ = true; | 104 trust_anchor_used_ = true; |
| 103 } | 105 } |
| 104 | 106 |
| 105 scoped_refptr<net::X509Certificate> LoadCertificate(const std::string& name, | 107 scoped_refptr<net::X509Certificate> LoadCertificate(const std::string& name, |
| 106 net::CertType type) { | 108 net::CertType type) { |
| 107 scoped_refptr<net::X509Certificate> cert = | 109 scoped_refptr<net::X509Certificate> cert = |
| 108 net::ImportCertFromFile(net::GetTestCertsDirectory(), name); | 110 net::ImportCertFromFile(net::GetTestCertsDirectory(), name); |
| 109 | 111 |
| 110 // No certificate is trusted right after it's loaded. | 112 // No certificate is trusted right after it's loaded. |
| 111 net::NSSCertDatabase::TrustBits trust = | 113 net::NSSCertDatabase::TrustBits trust = |
| 112 test_cert_db_->GetCertTrust(cert.get(), type); | 114 test_cert_db_->GetCertTrust(cert.get(), type); |
| 113 EXPECT_EQ(net::NSSCertDatabase::TRUST_DEFAULT, trust); | 115 EXPECT_EQ(net::NSSCertDatabase::TRUST_DEFAULT, trust); |
| 114 | 116 |
| 115 return cert; | 117 return cert; |
| 116 } | 118 } |
| 117 | 119 |
| 118 bool trust_anchor_used_; | 120 bool trust_anchor_used_; |
| 119 crypto::ScopedTestNSSChromeOSUser test_nss_user_; | 121 crypto::ScopedTestNSSChromeOSUser test_nss_user_; |
| 120 content::TestBrowserThreadBundle thread_bundle_; | 122 content::TestBrowserThreadBundle thread_bundle_; |
| 121 }; | 123 }; |
| 122 | 124 |
| 123 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) { | 125 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) { |
| 124 // |test_server_cert_| is untrusted, so Verify() fails. | 126 // |test_server_cert_| is untrusted, so Verify() fails. |
| 125 { | 127 { |
| 126 net::CertVerifyResult verify_result; | 128 net::CertVerifyResult verify_result; |
| 127 net::TestCompletionCallback callback; | 129 net::TestCompletionCallback callback; |
| 128 scoped_ptr<net::CertVerifier::Request> request; | 130 std::unique_ptr<net::CertVerifier::Request> request; |
| 129 int error = VerifyTestServerCert(callback, &verify_result, &request); | 131 int error = VerifyTestServerCert(callback, &verify_result, &request); |
| 130 ASSERT_EQ(net::ERR_IO_PENDING, error); | 132 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 131 EXPECT_TRUE(request); | 133 EXPECT_TRUE(request); |
| 132 error = callback.WaitForResult(); | 134 error = callback.WaitForResult(); |
| 133 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 135 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 134 } | 136 } |
| 135 | 137 |
| 136 // Issuing the same request again hits the cache. This tests the synchronous | 138 // Issuing the same request again hits the cache. This tests the synchronous |
| 137 // path. | 139 // path. |
| 138 { | 140 { |
| 139 net::CertVerifyResult verify_result; | 141 net::CertVerifyResult verify_result; |
| 140 net::TestCompletionCallback callback; | 142 net::TestCompletionCallback callback; |
| 141 scoped_ptr<net::CertVerifier::Request> request; | 143 std::unique_ptr<net::CertVerifier::Request> request; |
| 142 int error = VerifyTestServerCert(callback, &verify_result, &request); | 144 int error = VerifyTestServerCert(callback, &verify_result, &request); |
| 143 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 145 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 144 } | 146 } |
| 145 | 147 |
| 146 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 148 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
| 147 } | 149 } |
| 148 | 150 |
| 149 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) { | 151 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) { |
| 150 // Make the database trust |test_ca_cert_|. | 152 // Make the database trust |test_ca_cert_|. |
| 151 net::NSSCertDatabase::ImportCertFailureList failure_list; | 153 net::NSSCertDatabase::ImportCertFailureList failure_list; |
| 152 ASSERT_TRUE(test_cert_db_->ImportCACerts( | 154 ASSERT_TRUE(test_cert_db_->ImportCACerts( |
| 153 test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list)); | 155 test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list)); |
| 154 ASSERT_TRUE(failure_list.empty()); | 156 ASSERT_TRUE(failure_list.empty()); |
| 155 | 157 |
| 156 // Verify that it is now trusted. | 158 // Verify that it is now trusted. |
| 157 net::NSSCertDatabase::TrustBits trust = | 159 net::NSSCertDatabase::TrustBits trust = |
| 158 test_cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT); | 160 test_cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT); |
| 159 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust); | 161 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust); |
| 160 | 162 |
| 161 // Verify() successfully verifies |test_server_cert_| after it was imported. | 163 // Verify() successfully verifies |test_server_cert_| after it was imported. |
| 162 net::CertVerifyResult verify_result; | 164 net::CertVerifyResult verify_result; |
| 163 net::TestCompletionCallback callback; | 165 net::TestCompletionCallback callback; |
| 164 scoped_ptr<net::CertVerifier::Request> request; | 166 std::unique_ptr<net::CertVerifier::Request> request; |
| 165 int error = VerifyTestServerCert(callback, &verify_result, &request); | 167 int error = VerifyTestServerCert(callback, &verify_result, &request); |
| 166 ASSERT_EQ(net::ERR_IO_PENDING, error); | 168 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 167 EXPECT_TRUE(request); | 169 EXPECT_TRUE(request); |
| 168 error = callback.WaitForResult(); | 170 error = callback.WaitForResult(); |
| 169 EXPECT_EQ(net::OK, error); | 171 EXPECT_EQ(net::OK, error); |
| 170 | 172 |
| 171 // The additional trust anchors were not used, since the certificate is | 173 // The additional trust anchors were not used, since the certificate is |
| 172 // trusted from the database. | 174 // trusted from the database. |
| 173 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 175 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
| 174 } | 176 } |
| 175 | 177 |
| 176 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) { | 178 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) { |
| 177 ASSERT_TRUE(SupportsAdditionalTrustAnchors()); | 179 ASSERT_TRUE(SupportsAdditionalTrustAnchors()); |
| 178 | 180 |
| 179 // |test_server_cert_| is untrusted, so Verify() fails. | 181 // |test_server_cert_| is untrusted, so Verify() fails. |
| 180 { | 182 { |
| 181 net::CertVerifyResult verify_result; | 183 net::CertVerifyResult verify_result; |
| 182 net::TestCompletionCallback callback; | 184 net::TestCompletionCallback callback; |
| 183 scoped_ptr<net::CertVerifier::Request> request; | 185 std::unique_ptr<net::CertVerifier::Request> request; |
| 184 int error = VerifyTestServerCert(callback, &verify_result, &request); | 186 int error = VerifyTestServerCert(callback, &verify_result, &request); |
| 185 ASSERT_EQ(net::ERR_IO_PENDING, error); | 187 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 186 EXPECT_TRUE(request); | 188 EXPECT_TRUE(request); |
| 187 error = callback.WaitForResult(); | 189 error = callback.WaitForResult(); |
| 188 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 190 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 189 } | 191 } |
| 190 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 192 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
| 191 | 193 |
| 192 // Verify() again with the additional trust anchors. | 194 // Verify() again with the additional trust anchors. |
| 193 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); | 195 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); |
| 194 { | 196 { |
| 195 net::CertVerifyResult verify_result; | 197 net::CertVerifyResult verify_result; |
| 196 net::TestCompletionCallback callback; | 198 net::TestCompletionCallback callback; |
| 197 scoped_ptr<net::CertVerifier::Request> request; | 199 std::unique_ptr<net::CertVerifier::Request> request; |
| 198 int error = VerifyTestServerCert(callback, &verify_result, &request); | 200 int error = VerifyTestServerCert(callback, &verify_result, &request); |
| 199 ASSERT_EQ(net::ERR_IO_PENDING, error); | 201 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 200 EXPECT_TRUE(request); | 202 EXPECT_TRUE(request); |
| 201 error = callback.WaitForResult(); | 203 error = callback.WaitForResult(); |
| 202 EXPECT_EQ(net::OK, error); | 204 EXPECT_EQ(net::OK, error); |
| 203 } | 205 } |
| 204 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); | 206 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); |
| 205 | 207 |
| 206 // Verify() again with the additional trust anchors will hit the cache. | 208 // Verify() again with the additional trust anchors will hit the cache. |
| 207 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); | 209 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); |
| 208 { | 210 { |
| 209 net::CertVerifyResult verify_result; | 211 net::CertVerifyResult verify_result; |
| 210 net::TestCompletionCallback callback; | 212 net::TestCompletionCallback callback; |
| 211 scoped_ptr<net::CertVerifier::Request> request; | 213 std::unique_ptr<net::CertVerifier::Request> request; |
| 212 int error = VerifyTestServerCert(callback, &verify_result, &request); | 214 int error = VerifyTestServerCert(callback, &verify_result, &request); |
| 213 EXPECT_EQ(net::OK, error); | 215 EXPECT_EQ(net::OK, error); |
| 214 } | 216 } |
| 215 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); | 217 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); |
| 216 | 218 |
| 217 // Verifying after removing the trust anchors should now fail. | 219 // Verifying after removing the trust anchors should now fail. |
| 218 cert_verifier_->SetTrustAnchors(net::CertificateList()); | 220 cert_verifier_->SetTrustAnchors(net::CertificateList()); |
| 219 { | 221 { |
| 220 net::CertVerifyResult verify_result; | 222 net::CertVerifyResult verify_result; |
| 221 net::TestCompletionCallback callback; | 223 net::TestCompletionCallback callback; |
| 222 scoped_ptr<net::CertVerifier::Request> request; | 224 std::unique_ptr<net::CertVerifier::Request> request; |
| 223 int error = VerifyTestServerCert(callback, &verify_result, &request); | 225 int error = VerifyTestServerCert(callback, &verify_result, &request); |
| 224 // Note: this hits the cached result from the first Verify() in this test. | 226 // Note: this hits the cached result from the first Verify() in this test. |
| 225 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 227 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 226 } | 228 } |
| 227 // The additional trust anchors were reset, thus |cert_verifier_| should not | 229 // The additional trust anchors were reset, thus |cert_verifier_| should not |
| 228 // signal it's usage anymore. | 230 // signal it's usage anymore. |
| 229 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | 231 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); |
| 230 } | 232 } |
| 231 | 233 |
| 232 } // namespace policy | 234 } // namespace policy |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1870793002:
Convert //chrome/browser/chromeos from scoped_ptr to std::unique_ptr (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master