OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chromeos/network/onc/onc_certificate_importer.h" | 5 #include "chromeos/network/onc/onc_certificate_importer_impl.h" |
6 | 6 |
7 #include <cert.h> | 7 #include <cert.h> |
8 #include <certdb.h> | 8 #include <certdb.h> |
9 #include <keyhi.h> | 9 #include <keyhi.h> |
10 #include <pk11pub.h> | 10 #include <pk11pub.h> |
11 #include <string> | 11 #include <string> |
12 | 12 |
13 #include "base/logging.h" | 13 #include "base/logging.h" |
14 #include "base/strings/string_number_conversions.h" | 14 #include "base/strings/string_number_conversions.h" |
15 #include "base/values.h" | 15 #include "base/values.h" |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
48 return net::SERVER_CERT; | 48 return net::SERVER_CERT; |
49 return net::UNKNOWN_CERT; | 49 return net::UNKNOWN_CERT; |
50 } | 50 } |
51 #else | 51 #else |
52 net::CertType GetCertType(net::X509Certificate::OSCertHandle cert) { | 52 net::CertType GetCertType(net::X509Certificate::OSCertHandle cert) { |
53 NOTIMPLEMENTED(); | 53 NOTIMPLEMENTED(); |
54 return net::UNKNOWN_CERT; | 54 return net::UNKNOWN_CERT; |
55 } | 55 } |
56 #endif // USE_NSS | 56 #endif // USE_NSS |
57 | 57 |
58 class ONCCertificateImporterTest : public testing::Test { | 58 class ONCCertificateImporterImplTest : public testing::Test { |
59 public: | 59 public: |
60 virtual void SetUp() { | 60 virtual void SetUp() { |
61 ASSERT_TRUE(test_nssdb_.is_open()); | 61 ASSERT_TRUE(test_nssdb_.is_open()); |
62 | 62 |
63 slot_ = net::NSSCertDatabase::GetInstance()->GetPublicModule(); | 63 slot_ = net::NSSCertDatabase::GetInstance()->GetPublicModule(); |
64 | 64 |
65 // Don't run the test if the setup failed. | 65 // Don't run the test if the setup failed. |
66 ASSERT_TRUE(slot_->os_module_handle()); | 66 ASSERT_TRUE(slot_->os_module_handle()); |
67 | 67 |
68 // Test db should be empty at start of test. | 68 // Test db should be empty at start of test. |
69 EXPECT_EQ(0ul, ListCertsInSlot().size()); | 69 EXPECT_EQ(0ul, ListCertsInSlot().size()); |
70 } | 70 } |
71 | 71 |
72 virtual void TearDown() { | 72 virtual void TearDown() { |
73 EXPECT_TRUE(CleanupSlotContents()); | 73 EXPECT_TRUE(CleanupSlotContents()); |
74 EXPECT_EQ(0ul, ListCertsInSlot().size()); | 74 EXPECT_EQ(0ul, ListCertsInSlot().size()); |
75 } | 75 } |
76 | 76 |
77 virtual ~ONCCertificateImporterTest() {} | 77 virtual ~ONCCertificateImporterImplTest() {} |
78 | 78 |
79 protected: | 79 protected: |
80 void AddCertificatesFromFile( | 80 void AddCertificatesFromFile(std::string filename, bool expected_success) { |
81 std::string filename, | |
82 CertificateImporter::ParseResult expected_parse_result) { | |
83 scoped_ptr<base::DictionaryValue> onc = | 81 scoped_ptr<base::DictionaryValue> onc = |
84 test_utils::ReadTestDictionary(filename); | 82 test_utils::ReadTestDictionary(filename); |
85 base::Value* certificates_value = NULL; | 83 base::Value* certificates_value = NULL; |
86 base::ListValue* certificates = NULL; | 84 base::ListValue* certificates = NULL; |
87 onc->RemoveWithoutPathExpansion(toplevel_config::kCertificates, | 85 onc->RemoveWithoutPathExpansion(toplevel_config::kCertificates, |
88 &certificates_value); | 86 &certificates_value); |
89 certificates_value->GetAsList(&certificates); | 87 certificates_value->GetAsList(&certificates); |
90 onc_certificates_.reset(certificates); | 88 onc_certificates_.reset(certificates); |
91 | 89 |
92 web_trust_certificates_.clear(); | 90 web_trust_certificates_.clear(); |
93 imported_server_and_ca_certs_.clear(); | 91 imported_server_and_ca_certs_.clear(); |
94 CertificateImporter importer(true /* allow web trust */); | 92 CertificateImporterImpl importer; |
95 EXPECT_EQ(expected_parse_result, | 93 EXPECT_EQ( |
96 importer.ParseAndStoreCertificates( | 94 expected_success, |
97 *certificates, | 95 importer.ParseAndStoreCertificates(true, // allow web trust |
98 &web_trust_certificates_, | 96 *certificates, |
99 &imported_server_and_ca_certs_)); | 97 &web_trust_certificates_, |
| 98 &imported_server_and_ca_certs_)); |
100 | 99 |
101 result_list_.clear(); | 100 result_list_.clear(); |
102 result_list_ = ListCertsInSlot(); | 101 result_list_ = ListCertsInSlot(); |
103 } | 102 } |
104 | 103 |
105 void AddCertificateFromFile(std::string filename, | 104 void AddCertificateFromFile(std::string filename, |
106 net::CertType expected_type, | 105 net::CertType expected_type, |
107 std::string* guid) { | 106 std::string* guid) { |
108 std::string guid_temporary; | 107 std::string guid_temporary; |
109 if (!guid) | 108 if (!guid) |
110 guid = &guid_temporary; | 109 guid = &guid_temporary; |
111 | 110 |
112 AddCertificatesFromFile(filename, CertificateImporter::IMPORT_OK); | 111 AddCertificatesFromFile(filename, true); |
113 ASSERT_EQ(1ul, result_list_.size()); | 112 ASSERT_EQ(1ul, result_list_.size()); |
114 EXPECT_EQ(expected_type, GetCertType(result_list_[0]->os_cert_handle())); | 113 EXPECT_EQ(expected_type, GetCertType(result_list_[0]->os_cert_handle())); |
115 | 114 |
116 base::DictionaryValue* certificate = NULL; | 115 base::DictionaryValue* certificate = NULL; |
117 onc_certificates_->GetDictionary(0, &certificate); | 116 onc_certificates_->GetDictionary(0, &certificate); |
118 certificate->GetStringWithoutPathExpansion(certificate::kGUID, guid); | 117 certificate->GetStringWithoutPathExpansion(certificate::kGUID, guid); |
119 | 118 |
120 if (expected_type == net::SERVER_CERT || expected_type == net::CA_CERT) { | 119 if (expected_type == net::SERVER_CERT || expected_type == net::CA_CERT) { |
121 EXPECT_EQ(1u, imported_server_and_ca_certs_.size()); | 120 EXPECT_EQ(1u, imported_server_and_ca_certs_.size()); |
122 EXPECT_TRUE(imported_server_and_ca_certs_[*guid]->Equals( | 121 EXPECT_TRUE(imported_server_and_ca_certs_[*guid]->Equals( |
123 result_list_[0])); | 122 result_list_[0])); |
124 } else { // net::USER_CERT | 123 } else { // net::USER_CERT |
125 EXPECT_TRUE(imported_server_and_ca_certs_.empty()); | 124 EXPECT_TRUE(imported_server_and_ca_certs_.empty()); |
126 CertificateImporter::ListCertsWithNickname(*guid, &result_list_); | 125 CertificateImporterImpl::ListCertsWithNickname(*guid, &result_list_); |
127 } | 126 } |
128 } | 127 } |
129 | 128 |
130 scoped_ptr<base::ListValue> onc_certificates_; | 129 scoped_ptr<base::ListValue> onc_certificates_; |
131 scoped_refptr<net::CryptoModule> slot_; | 130 scoped_refptr<net::CryptoModule> slot_; |
132 net::CertificateList result_list_; | 131 net::CertificateList result_list_; |
133 net::CertificateList web_trust_certificates_; | 132 net::CertificateList web_trust_certificates_; |
134 CertificateImporter::CertsByGUID imported_server_and_ca_certs_; | 133 CertificateImporterImpl::CertsByGUID imported_server_and_ca_certs_; |
135 | 134 |
136 private: | 135 private: |
137 net::CertificateList ListCertsInSlot() { | 136 net::CertificateList ListCertsInSlot() { |
138 net::CertificateList result; | 137 net::CertificateList result; |
139 CERTCertList* cert_list = PK11_ListCertsInSlot(slot_->os_module_handle()); | 138 CERTCertList* cert_list = PK11_ListCertsInSlot(slot_->os_module_handle()); |
140 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); | 139 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); |
141 !CERT_LIST_END(node, cert_list); | 140 !CERT_LIST_END(node, cert_list); |
142 node = CERT_LIST_NEXT(node)) { | 141 node = CERT_LIST_NEXT(node)) { |
143 result.push_back(net::X509Certificate::CreateFromHandle( | 142 result.push_back(net::X509Certificate::CreateFromHandle( |
144 node->cert, net::X509Certificate::OSCertHandles())); | 143 node->cert, net::X509Certificate::OSCertHandles())); |
(...skipping 12 matching lines...) Expand all Loading... |
157 if (!net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(certs[i] | 156 if (!net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(certs[i] |
158 .get())) | 157 .get())) |
159 ok = false; | 158 ok = false; |
160 } | 159 } |
161 return ok; | 160 return ok; |
162 } | 161 } |
163 | 162 |
164 crypto::ScopedTestNSSDB test_nssdb_; | 163 crypto::ScopedTestNSSDB test_nssdb_; |
165 }; | 164 }; |
166 | 165 |
167 TEST_F(ONCCertificateImporterTest, MultipleCertificates) { | 166 TEST_F(ONCCertificateImporterImplTest, MultipleCertificates) { |
168 AddCertificatesFromFile("managed_toplevel2.onc", | 167 AddCertificatesFromFile("managed_toplevel2.onc", true); |
169 CertificateImporter::IMPORT_OK); | |
170 EXPECT_EQ(onc_certificates_->GetSize(), result_list_.size()); | 168 EXPECT_EQ(onc_certificates_->GetSize(), result_list_.size()); |
171 EXPECT_EQ(2ul, imported_server_and_ca_certs_.size()); | 169 EXPECT_EQ(2ul, imported_server_and_ca_certs_.size()); |
172 } | 170 } |
173 | 171 |
174 TEST_F(ONCCertificateImporterTest, MultipleCertificatesWithFailures) { | 172 TEST_F(ONCCertificateImporterImplTest, MultipleCertificatesWithFailures) { |
175 AddCertificatesFromFile("toplevel_partially_invalid.onc", | 173 AddCertificatesFromFile("toplevel_partially_invalid.onc", false); |
176 CertificateImporter::IMPORT_INCOMPLETE); | |
177 EXPECT_EQ(3ul, onc_certificates_->GetSize()); | 174 EXPECT_EQ(3ul, onc_certificates_->GetSize()); |
178 EXPECT_EQ(1ul, result_list_.size()); | 175 EXPECT_EQ(1ul, result_list_.size()); |
179 EXPECT_TRUE(imported_server_and_ca_certs_.empty()); | 176 EXPECT_TRUE(imported_server_and_ca_certs_.empty()); |
180 } | 177 } |
181 | 178 |
182 TEST_F(ONCCertificateImporterTest, AddClientCertificate) { | 179 TEST_F(ONCCertificateImporterImplTest, AddClientCertificate) { |
183 std::string guid; | 180 std::string guid; |
184 AddCertificateFromFile("certificate-client.onc", net::USER_CERT, &guid); | 181 AddCertificateFromFile("certificate-client.onc", net::USER_CERT, &guid); |
185 EXPECT_TRUE(web_trust_certificates_.empty()); | 182 EXPECT_TRUE(web_trust_certificates_.empty()); |
186 | 183 |
187 SECKEYPrivateKeyList* privkey_list = | 184 SECKEYPrivateKeyList* privkey_list = |
188 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); | 185 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); |
189 EXPECT_TRUE(privkey_list); | 186 EXPECT_TRUE(privkey_list); |
190 if (privkey_list) { | 187 if (privkey_list) { |
191 SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(privkey_list); | 188 SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(privkey_list); |
192 int count = 0; | 189 int count = 0; |
(...skipping 16 matching lines...) Expand all Loading... |
209 int count = 0; | 206 int count = 0; |
210 while (!PUBKEY_LIST_END(node, pubkey_list)) { | 207 while (!PUBKEY_LIST_END(node, pubkey_list)) { |
211 count++; | 208 count++; |
212 node = PUBKEY_LIST_NEXT(node); | 209 node = PUBKEY_LIST_NEXT(node); |
213 } | 210 } |
214 EXPECT_EQ(1, count); | 211 EXPECT_EQ(1, count); |
215 SECKEY_DestroyPublicKeyList(pubkey_list); | 212 SECKEY_DestroyPublicKeyList(pubkey_list); |
216 } | 213 } |
217 } | 214 } |
218 | 215 |
219 TEST_F(ONCCertificateImporterTest, AddServerCertificateWithWebTrust) { | 216 TEST_F(ONCCertificateImporterImplTest, AddServerCertificateWithWebTrust) { |
220 AddCertificateFromFile("certificate-server.onc", net::SERVER_CERT, NULL); | 217 AddCertificateFromFile("certificate-server.onc", net::SERVER_CERT, NULL); |
221 | 218 |
222 SECKEYPrivateKeyList* privkey_list = | 219 SECKEYPrivateKeyList* privkey_list = |
223 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); | 220 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); |
224 EXPECT_FALSE(privkey_list); | 221 EXPECT_FALSE(privkey_list); |
225 | 222 |
226 SECKEYPublicKeyList* pubkey_list = | 223 SECKEYPublicKeyList* pubkey_list = |
227 PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL); | 224 PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL); |
228 EXPECT_FALSE(pubkey_list); | 225 EXPECT_FALSE(pubkey_list); |
229 | 226 |
230 ASSERT_EQ(1u, web_trust_certificates_.size()); | 227 ASSERT_EQ(1u, web_trust_certificates_.size()); |
231 ASSERT_EQ(1u, result_list_.size()); | 228 ASSERT_EQ(1u, result_list_.size()); |
232 EXPECT_TRUE(CERT_CompareCerts(result_list_[0]->os_cert_handle(), | 229 EXPECT_TRUE(CERT_CompareCerts(result_list_[0]->os_cert_handle(), |
233 web_trust_certificates_[0]->os_cert_handle())); | 230 web_trust_certificates_[0]->os_cert_handle())); |
234 } | 231 } |
235 | 232 |
236 TEST_F(ONCCertificateImporterTest, AddWebAuthorityCertificateWithWebTrust) { | 233 TEST_F(ONCCertificateImporterImplTest, AddWebAuthorityCertificateWithWebTrust) { |
237 AddCertificateFromFile("certificate-web-authority.onc", net::CA_CERT, NULL); | 234 AddCertificateFromFile("certificate-web-authority.onc", net::CA_CERT, NULL); |
238 | 235 |
239 SECKEYPrivateKeyList* privkey_list = | 236 SECKEYPrivateKeyList* privkey_list = |
240 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); | 237 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); |
241 EXPECT_FALSE(privkey_list); | 238 EXPECT_FALSE(privkey_list); |
242 | 239 |
243 SECKEYPublicKeyList* pubkey_list = | 240 SECKEYPublicKeyList* pubkey_list = |
244 PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL); | 241 PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL); |
245 EXPECT_FALSE(pubkey_list); | 242 EXPECT_FALSE(pubkey_list); |
246 | 243 |
247 ASSERT_EQ(1u, web_trust_certificates_.size()); | 244 ASSERT_EQ(1u, web_trust_certificates_.size()); |
248 ASSERT_EQ(1u, result_list_.size()); | 245 ASSERT_EQ(1u, result_list_.size()); |
249 EXPECT_TRUE(CERT_CompareCerts(result_list_[0]->os_cert_handle(), | 246 EXPECT_TRUE(CERT_CompareCerts(result_list_[0]->os_cert_handle(), |
250 web_trust_certificates_[0]->os_cert_handle())); | 247 web_trust_certificates_[0]->os_cert_handle())); |
251 } | 248 } |
252 | 249 |
253 TEST_F(ONCCertificateImporterTest, AddAuthorityCertificateWithoutWebTrust) { | 250 TEST_F(ONCCertificateImporterImplTest, AddAuthorityCertificateWithoutWebTrust) { |
254 AddCertificateFromFile("certificate-authority.onc", net::CA_CERT, NULL); | 251 AddCertificateFromFile("certificate-authority.onc", net::CA_CERT, NULL); |
255 EXPECT_TRUE(web_trust_certificates_.empty()); | 252 EXPECT_TRUE(web_trust_certificates_.empty()); |
256 | 253 |
257 SECKEYPrivateKeyList* privkey_list = | 254 SECKEYPrivateKeyList* privkey_list = |
258 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); | 255 PK11_ListPrivKeysInSlot(slot_->os_module_handle(), NULL, NULL); |
259 EXPECT_FALSE(privkey_list); | 256 EXPECT_FALSE(privkey_list); |
260 | 257 |
261 SECKEYPublicKeyList* pubkey_list = | 258 SECKEYPublicKeyList* pubkey_list = |
262 PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL); | 259 PK11_ListPublicKeysInSlot(slot_->os_module_handle(), NULL); |
263 EXPECT_FALSE(pubkey_list); | 260 EXPECT_FALSE(pubkey_list); |
264 } | 261 } |
265 | 262 |
266 struct CertParam { | 263 struct CertParam { |
267 CertParam(net::CertType certificate_type, | 264 CertParam(net::CertType certificate_type, |
268 const char* original_filename, | 265 const char* original_filename, |
269 const char* update_filename) | 266 const char* update_filename) |
270 : cert_type(certificate_type), | 267 : cert_type(certificate_type), |
271 original_file(original_filename), | 268 original_file(original_filename), |
272 update_file(update_filename) {} | 269 update_file(update_filename) {} |
273 | 270 |
274 net::CertType cert_type; | 271 net::CertType cert_type; |
275 const char* original_file; | 272 const char* original_file; |
276 const char* update_file; | 273 const char* update_file; |
277 }; | 274 }; |
278 | 275 |
279 class ONCCertificateImporterTestWithParam : | 276 class ONCCertificateImporterImplTestWithParam : |
280 public ONCCertificateImporterTest, | 277 public ONCCertificateImporterImplTest, |
281 public testing::WithParamInterface<CertParam> { | 278 public testing::WithParamInterface<CertParam> { |
282 }; | 279 }; |
283 | 280 |
284 TEST_P(ONCCertificateImporterTestWithParam, UpdateCertificate) { | 281 TEST_P(ONCCertificateImporterImplTestWithParam, UpdateCertificate) { |
285 // First we import a certificate. | 282 // First we import a certificate. |
286 { | 283 { |
287 SCOPED_TRACE("Import original certificate"); | 284 SCOPED_TRACE("Import original certificate"); |
288 AddCertificateFromFile(GetParam().original_file, GetParam().cert_type, | 285 AddCertificateFromFile(GetParam().original_file, GetParam().cert_type, |
289 NULL); | 286 NULL); |
290 } | 287 } |
291 | 288 |
292 // Now we import the same certificate with a different GUID. In case of a | 289 // Now we import the same certificate with a different GUID. In case of a |
293 // client cert, the cert should be retrievable via the new GUID. | 290 // client cert, the cert should be retrievable via the new GUID. |
294 { | 291 { |
295 SCOPED_TRACE("Import updated certificate"); | 292 SCOPED_TRACE("Import updated certificate"); |
296 AddCertificateFromFile(GetParam().update_file, GetParam().cert_type, NULL); | 293 AddCertificateFromFile(GetParam().update_file, GetParam().cert_type, NULL); |
297 } | 294 } |
298 } | 295 } |
299 | 296 |
300 TEST_P(ONCCertificateImporterTestWithParam, ReimportCertificate) { | 297 TEST_P(ONCCertificateImporterImplTestWithParam, ReimportCertificate) { |
301 // Verify that reimporting a client certificate works. | 298 // Verify that reimporting a client certificate works. |
302 for (int i = 0; i < 2; ++i) { | 299 for (int i = 0; i < 2; ++i) { |
303 SCOPED_TRACE("Import certificate, iteration " + base::IntToString(i)); | 300 SCOPED_TRACE("Import certificate, iteration " + base::IntToString(i)); |
304 AddCertificateFromFile(GetParam().original_file, GetParam().cert_type, | 301 AddCertificateFromFile(GetParam().original_file, GetParam().cert_type, |
305 NULL); | 302 NULL); |
306 } | 303 } |
307 } | 304 } |
308 | 305 |
309 INSTANTIATE_TEST_CASE_P( | 306 INSTANTIATE_TEST_CASE_P( |
310 ONCCertificateImporterTestWithParam, | 307 ONCCertificateImporterImplTestWithParam, |
311 ONCCertificateImporterTestWithParam, | 308 ONCCertificateImporterImplTestWithParam, |
312 ::testing::Values( | 309 ::testing::Values( |
313 CertParam(net::USER_CERT, | 310 CertParam(net::USER_CERT, |
314 "certificate-client.onc", | 311 "certificate-client.onc", |
315 "certificate-client-update.onc"), | 312 "certificate-client-update.onc"), |
316 CertParam(net::SERVER_CERT, | 313 CertParam(net::SERVER_CERT, |
317 "certificate-server.onc", | 314 "certificate-server.onc", |
318 "certificate-server-update.onc"), | 315 "certificate-server-update.onc"), |
319 CertParam(net::CA_CERT, | 316 CertParam(net::CA_CERT, |
320 "certificate-web-authority.onc", | 317 "certificate-web-authority.onc", |
321 "certificate-web-authority-update.onc"))); | 318 "certificate-web-authority-update.onc"))); |
322 | 319 |
323 } // namespace onc | 320 } // namespace onc |
324 } // namespace chromeos | 321 } // namespace chromeos |
OLD | NEW |