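--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,324 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromeos/network/onc/onc_certificate_importer.h"
+
+#include <cert.h>
+#include <certdb.h>
+#include <keyhi.h>
+#include <pk11pub.h>
+#include <string>
+
+#include "base/logging.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/values.h"
+#include "chromeos/network/onc/onc_constants.h"
+#include "chromeos/network/onc/onc_test_utils.h"
+#include "crypto/nss_util.h"
+#include "net/base/crypto_module.h"
+#include "net/cert/cert_type.h"
+#include "net/cert/nss_cert_database.h"
+#include "net/cert/x509_certificate.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace chromeos {
+namespace onc {
+
+#if defined(USE_NSS)
+// In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
+// the new name of the macro.
+#if !defined(CERTDB_TERMINAL_RECORD)
+#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
+#endif
+
+net::CertType GetCertType(net::X509Certificate::OSCertHandle cert) {
+  CERTCertTrust trust = {0};
+  CERT_GetCertTrust(cert, &trust);
+
+  unsigned all_flags = trust.sslFlags | trust.emailFlags |
+      trust.objectSigningFlags;
+
+  if (cert->nickname && (all_flags & CERTDB_USER))
+    return net::USER_CERT;
+  if ((all_flags & CERTDB_VALID_CA) || CERT_IsCACert(cert, NULL))
+    return net::CA_CERT;
+  // TODO(mattm): http://crbug.com/128633.
+  if (trust.sslFlags & CERTDB_TERMINAL_RECORD)
+    return net::SERVER_CERT;
+  return net::UNKNOWN_CERT;
+}
+#else
+net::CertType GetCertType(net::X509Certificate::OSCertHandle cert) {
+  NOTIMPLEMENTED();
+  return net::UNKNOWN_CERT;
+}
+#endif  // USE_NSS
+
+class ONCCertificateImporterTest : public testing::Test {
+ public:
+  virtual void SetUp() {
+    ASSERT_TRUE(test_nssdb_.is_open());
+
+    slot_ = net::NSSCertDatabase::GetInstance()->GetPublicModule();
+
+    // Don't run the test if the setup failed.
+    ASSERT_TRUE(slot_->os_module_handle());
+
+    // Test db should be empty at start of test.
+    EXPECT_EQ(0ul, ListCertsInSlot().size());
+  }
+
+  virtual void TearDown() {
+    EXPECT_TRUE(CleanupSlotContents());
+    EXPECT_EQ(0ul, ListCertsInSlot().size());
+  }
+
+  virtual ~ONCCertificateImporterTest() {}
+
+ protected:
+  void AddCertificatesFromFile(
+      std::string filename,
+      CertificateImporter::ParseResult expected_parse_result) {
+    scoped_ptr<base::DictionaryValue> onc =
+        test_utils::ReadTestDictionary(filename);
+    base::Value* certificates_value = NULL;
+    base::ListValue* certificates = NULL;
+    onc->RemoveWithoutPathExpansion(toplevel_config::kCertificates,
+                                    &certificates_value);
+    certificates_value->GetAsList(&certificates);
+    onc_certificates_.reset(certificates);
+
+    web_trust_certificates_.clear();
+    imported_server_and_ca_certs_.clear();
+    CertificateImporter importer(true /* allow web trust */);
+    EXPECT_EQ(expected_parse_result,
+              importer.ParseAndStoreCertificates(
+                  *certificates,
+                  &web_trust_certificates_,
+                  &imported_server_and_ca_certs_));
+
+    result_list_.clear();
+    result_list_ = ListCertsInSlot();
+  }
+
+  void AddCertificateFromFile(std::string filename,
+                              net::CertType expected_type,
+                              std::string* guid) {
+    std::string guid_temporary;
+    if (!guid)
+      guid = &guid_temporary;
+
+    AddCertificatesFromFile(filename, CertificateImporter::IMPORT_OK);
+    ASSERT_EQ(1ul, result_list_.size());
+    EXPECT_EQ(expected_type, GetCertType(result_list_[0]->os_cert_handle()));
+
+    base::DictionaryValue* certificate = NULL;
+    onc_certificates_->GetDictionary(0, &certificate);
+    certificate->GetStringWithoutPathExpansion(certificate::kGUID, guid);
+
+    if (expected_type == net::SERVER_CERT || expected_type == net::CA_CERT) {
+      EXPECT_EQ(1u, imported_server_and_ca_certs_.size());
+      EXPECT_TRUE(imported_server_and_ca_certs_[*guid]->Equals(
+          result_list_[0]));
+    } else {  // net::USER_CERT
+      EXPECT_TRUE(imported_server_and_ca_certs_.empty());
+      CertificateImporter::ListCertsWithNickname(*guid, &result_list_);
+    }
+  }
+
+  scoped_ptr<base::ListValue> onc_certificates_;
+  scoped_refptr<net::CryptoModule> slot_;
+  net::CertificateList result_list_;
+  net::CertificateList web_trust_certificates_;
+  CertificateImporter::CertsByGUID imported_server_and_ca_certs_;
+
+ private:
+  net::CertificateList ListCertsInSlot() {
+    net::CertificateList result;
+    CERTCertList* cert_list = PK11_ListCertsInSlot(slot_->os_module_handle());
+    for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
+         !CERT_LIST_END(node, cert_list);
+         node = CERT_LIST_NEXT(node)) {
+      result.push_back(net::X509Certificate::CreateFromHandle(
+          node->cert, net::X509Certificate::OSCertHandles()));
+    }
+    CERT_DestroyCertList(cert_list);
+
+    // Sort the result so that test comparisons can be deterministic.
+    std::sort(result.begin(), result.end(), net::X509Certificate::LessThan());
+    return result;
+  }
+
+  bool CleanupSlotContents() {
+    bool ok = true;
+    net::CertificateList certs = ListCertsInSlot();
+    for (size_t i = 0; i < certs.size(); ++i) {
+      if (!net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(certs[i]
+                                                                 .get()))
+        ok = false;
+    }
+    return ok;
+  }
+
+  crypto::ScopedTestNSSDB test_nssdb_;
+};
+
+TEST_F(ONCCertificateImporterTest, MultipleCertificates) {
+  AddCertificatesFromFile("managed_toplevel2.onc",
+                          CertificateImporter::IMPORT_OK);
+  EXPECT_EQ(onc_certificates_->GetSize(), result_list_.size());
+  EXPECT_EQ(2ul, imported_server_and_ca_certs_.size());
+}
+
+TEST_F(ONCCertificateImporterTest, MultipleCertificatesWithFailures) {
+  AddCertificatesFromFile("toplevel_partially_invalid.onc",
+                          CertificateImporter::IMPORT_INCOMPLETE);
+  EXPECT_EQ(3ul, onc_certificates_->GetSize());
+  EXPECT_EQ(1ul, result_list_.size());
+  EXPECT_TRUE(imported_server_and_ca_certs_.empty());
+}
+
+TEST_F(ONCCertificateImporterTest, AddClientCertificate) {
+  std::string guid;
+  AddCertificateFromFile("certificate-client.onc", net::USER_CERT, &guid);
+  EXPECT_TRUE(web_trust_certificates_.empty());
+
+  SECKEYPrivateKeyList* privkey_list =
+      PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL);
+  EXPECT_TRUE(privkey_list);
+  if (privkey_list) {
+    SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(privkey_list);
+    int count = 0;
+    while (!PRIVKEY_LIST_END(node, privkey_list)) {
+      char* name = PK11_GetPrivateKeyNickname(node->key);
+      EXPECT_STREQ(guid.c_str(), name);
+      PORT_Free(name);
+      count++;
+      node = PRIVKEY_LIST_NEXT(node);
+    }
+    EXPECT_EQ(1, count);
+    SECKEY_DestroyPrivateKeyList(privkey_list);
+  }
+
+  SECKEYPublicKeyList* pubkey_list =
+      PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL);
+  EXPECT_TRUE(pubkey_list);
+  if (pubkey_list) {
+    SECKEYPublicKeyListNode* node = PUBKEY_LIST_HEAD(pubkey_list);
+    int count = 0;
+    while (!PUBKEY_LIST_END(node, pubkey_list)) {
+      count++;
+      node = PUBKEY_LIST_NEXT(node);
+    }
+    EXPECT_EQ(1, count);
+    SECKEY_DestroyPublicKeyList(pubkey_list);
+  }
+}
+
+TEST_F(ONCCertificateImporterTest, AddServerCertificateWithWebTrust) {
+  AddCertificateFromFile("certificate-server.onc", net::SERVER_CERT, NULL);
+
+  SECKEYPrivateKeyList* privkey_list =
+      PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL);
+  EXPECT_FALSE(privkey_list);
+
+  SECKEYPublicKeyList* pubkey_list =
+      PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL);
+  EXPECT_FALSE(pubkey_list);
+
+  ASSERT_EQ(1u, web_trust_certificates_.size());
+  ASSERT_EQ(1u, result_list_.size());
+  EXPECT_TRUE(CERT_CompareCerts(result_list_[0]->os_cert_handle(),
+                                web_trust_certificates_[0]->os_cert_handle()));
+}
+
+TEST_F(ONCCertificateImporterTest, AddWebAuthorityCertificateWithWebTrust) {
+  AddCertificateFromFile("certificate-web-authority.onc", net::CA_CERT, NULL);
+
+  SECKEYPrivateKeyList* privkey_list =
+      PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL);
+  EXPECT_FALSE(privkey_list);
+
+  SECKEYPublicKeyList* pubkey_list =
+      PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL);
+  EXPECT_FALSE(pubkey_list);
+
+  ASSERT_EQ(1u, web_trust_certificates_.size());
+  ASSERT_EQ(1u, result_list_.size());
+  EXPECT_TRUE(CERT_CompareCerts(result_list_[0]->os_cert_handle(),
+                                web_trust_certificates_[0]->os_cert_handle()));
+}
+
+TEST_F(ONCCertificateImporterTest, AddAuthorityCertificateWithoutWebTrust) {
+  AddCertificateFromFile("certificate-authority.onc", net::CA_CERT, NULL);
+  EXPECT_TRUE(web_trust_certificates_.empty());
+
+  SECKEYPrivateKeyList* privkey_list =
+      PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL);
+  EXPECT_FALSE(privkey_list);
+
+  SECKEYPublicKeyList* pubkey_list =
+      PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL);
+  EXPECT_FALSE(pubkey_list);
+}
+
+struct CertParam {
+  CertParam(net::CertType certificate_type,
+            const char* original_filename,
+            const char* update_filename)
+      : cert_type(certificate_type),
+        original_file(original_filename),
+        update_file(update_filename) {}
+
+  net::CertType cert_type;
+  const char* original_file;
+  const char* update_file;
+};
+
+class ONCCertificateImporterTestWithParam :
+      public ONCCertificateImporterTest,
+      public testing::WithParamInterface<CertParam> {
+};
+
+TEST_P(ONCCertificateImporterTestWithParam, UpdateCertificate) {
+  // First we import a certificate.
+  {
+    SCOPED_TRACE("Import original certificate");
+    AddCertificateFromFile(GetParam().original_file, GetParam().cert_type,
+                           NULL);
+  }
+
+  // Now we import the same certificate with a different GUID. In case of a
+  // client cert, the cert should be retrievable via the new GUID.
+  {
+    SCOPED_TRACE("Import updated certificate");
+    AddCertificateFromFile(GetParam().update_file, GetParam().cert_type, NULL);
+  }
+}
+
+TEST_P(ONCCertificateImporterTestWithParam, ReimportCertificate) {
+  // Verify that reimporting a client certificate works.
+  for (int i = 0; i < 2; ++i) {
+    SCOPED_TRACE("Import certificate, iteration " + base::IntToString(i));
+    AddCertificateFromFile(GetParam().original_file, GetParam().cert_type,
+                           NULL);
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(
+    ONCCertificateImporterTestWithParam,
+    ONCCertificateImporterTestWithParam,
+    ::testing::Values(
+        CertParam(net::USER_CERT,
+                  "certificate-client.onc",
+                  "certificate-client-update.onc"),
+        CertParam(net::SERVER_CERT,
+                  "certificate-server.onc",
+                  "certificate-server-update.onc"),
+        CertParam(net::CA_CERT,
+                  "certificate-web-authority.onc",
+                  "certificate-web-authority-update.onc")));
+
+}  // namespace onc
+}  // namespace chromeos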
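Review bot: `AddCertificatesFromFile` dereferences `certificates_value` and `certificates` without checking the bool results of `RemoveWithoutPathExpansion` and `GetAsList`, so a fixture that lacks the `Certificates` key (or carries it as a non-list) dies on a null dereference instead of a readable test failure; `ASSERT_TRUE(onc->RemoveWithoutPathExpansion(toplevel_config::kCertificates, &certificates_value));` and `ASSERT_TRUE(certificates_value->GetAsList(&certificates));` would make that explicit, and the same applies to the unchecked `GetDictionary(0, &certificate)` in `AddCertificateFromFile`. `ListCertsInSlot` likewise feeds the result of `PK11_ListCertsInSlot` straight into `CERT_LIST_HEAD` with no NULL check, which is the path every test takes through `SetUp`. In `GetCertType` the `SECStatus` from `CERT_GetCertTrust` is discarded, so a failed trust lookup leaves `trust` zeroed and the certificate is silently reported as `UNKNOWN_CERT` (or `CA_CERT` via `CERT_IsCACert`) rather than surfacing the failure; checking for `SECSuccess` and logging on failure would keep the classification honest. The file also calls `std::sort` but never includes `<algorithm>`, relying on a transitive include.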