Chromium Code Reviews| Index: chromeos/network/network_cert_migrator_unittest.cc |
| diff --git a/chromeos/network/network_cert_migrator_unittest.cc b/chromeos/network/network_cert_migrator_unittest.cc |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..7bdd74c8a22b2c25b7086437a5667ca45cb6f8bb |
| --- /dev/null |
| +++ b/chromeos/network/network_cert_migrator_unittest.cc |
| @@ -0,0 +1,242 @@ |
| +// Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#include "chromeos/network/network_cert_migrator.h" |
| + |
| +#include <cert.h> |
| + |
| +#include "base/file_util.h" |
| +#include "base/files/file_path.h" |
| +#include "base/run_loop.h" |
| +#include "chromeos/dbus/dbus_thread_manager.h" |
| +#include "chromeos/dbus/shill_service_client.h" |
| +#include "chromeos/login/login_state.h" |
| +#include "chromeos/network/network_state_handler.h" |
| +#include "crypto/nss_util.h" |
| +#include "net/base/crypto_module.h" |
| +#include "net/base/net_errors.h" |
| +#include "net/base/test_data_directory.h" |
| +#include "net/cert/nss_cert_database.h" |
| +#include "net/cert/x509_certificate.h" |
| +#include "net/test/cert_test_util.h" |
| +#include "testing/gtest/include/gtest/gtest.h" |
| +#include "third_party/cros_system_api/dbus/service_constants.h" |
| + |
| +namespace chromeos { |
| + |
| +namespace { |
| + |
| +const char* kWifiStub = "wifi_stub"; |
| +const char* kVPNStub = "vpn_stub"; |
| +const char* kNSSNickname = "nss_nickname"; |
| +const char* kFakePEM = "pem"; |
| + |
| +} // namespace |
| + |
| +class NetworkCertMigratorTest : public testing::Test { |
| + public: |
| + NetworkCertMigratorTest() {} |
| + virtual ~NetworkCertMigratorTest() {} |
| + |
| + virtual void SetUp() OVERRIDE { |
| + ASSERT_TRUE(test_nssdb_.is_open()); |
| + slot_ = net::NSSCertDatabase::GetInstance()->GetPublicModule(); |
| + ASSERT_TRUE(slot_->os_module_handle()); |
| + |
| + LoginState::Initialize(); |
| + |
| + DBusThreadManager::InitializeWithStub(); |
| + service_test_ = |
| + DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface(); |
| + message_loop_.RunUntilIdle(); |
| + service_test_->ClearServices(); |
| + message_loop_.RunUntilIdle(); |
| + } |
| + |
| + virtual void TearDown() OVERRIDE { |
| + network_cert_migrator_.reset(); |
| + network_state_handler_.reset(); |
| + CertLoader::Shutdown(); |
| + DBusThreadManager::Shutdown(); |
| + LoginState::Shutdown(); |
| + CleanupTestCert(); |
| + } |
| + |
| + protected: |
| + void SetupTestCACert() { |
| + scoped_refptr<net::X509Certificate> cert_wo_nickname = |
| + net::CreateCertificateListFromFile(net::GetTestCertsDirectory(), |
| + "eku-test-root.pem", |
| + net::X509Certificate::FORMAT_AUTO) |
| + .back(); |
| + net::X509Certificate::GetPEMEncoded(cert_wo_nickname->os_cert_handle(), |
| + &test_ca_cert_pem_); |
| + std::string der_encoded; |
| + net::X509Certificate::GetDEREncoded(cert_wo_nickname->os_cert_handle(), |
| + &der_encoded); |
| + cert_wo_nickname = NULL; |
| + |
| + test_ca_cert_ = net::X509Certificate::CreateFromBytesWithNickname( |
| + der_encoded.data(), der_encoded.size(), kNSSNickname); |
| + net::NSSCertDatabase* cert_database = net::NSSCertDatabase::GetInstance(); |
| + net::CertificateList cert_list; |
| + cert_list.push_back(test_ca_cert_); |
| + net::NSSCertDatabase::ImportCertFailureList failures; |
| + EXPECT_TRUE(cert_database->ImportCACerts( |
| + cert_list, net::NSSCertDatabase::TRUST_DEFAULT, &failures)); |
| + ASSERT_TRUE(failures.empty()) << net::ErrorToString(failures[0].net_error); |
| + } |
| + |
| + void SetupNetworkHandlers() { |
| + CertLoader::Initialize(message_loop_.message_loop_proxy()); |
| + CertLoader::Get()->SetCryptoTaskRunner(message_loop_.message_loop_proxy()); |
|
stevenjb
2013/07/29 17:53:03
I don't like the inconsistency here. Rather than f
pneubeck (no reviews)
2013/08/05 08:51:22
Done.
|
| + network_state_handler_.reset(NetworkStateHandler::InitializeForTest()); |
| + network_cert_migrator_.reset(new NetworkCertMigrator); |
| + network_cert_migrator_->Init(network_state_handler_.get()); |
| + } |
| + |
| + void SetupWifiWithNss() { |
| + const bool add_to_visible = true; |
| + const bool add_to_watchlist = true; |
| + service_test_->AddService(kWifiStub, |
| + kWifiStub, |
| + flimflam::kTypeWifi, |
| + flimflam::kStateOnline, |
| + add_to_visible, |
| + add_to_watchlist); |
| + service_test_->SetServiceProperty(kWifiStub, |
| + flimflam::kEapCaCertNssProperty, |
| + base::StringValue(kNSSNickname)); |
| + } |
| + |
| + void GetEapCACertProperties(std::string* nss_nickname, std::string* ca_pem) { |
| + nss_nickname->clear(); |
| + ca_pem->clear(); |
| + const base::DictionaryValue* properties = |
| + service_test_->GetServiceProperties(kWifiStub); |
| + properties->GetStringWithoutPathExpansion(flimflam::kEapCaCertNssProperty, |
| + nss_nickname); |
| + const base::ListValue* ca_pems = NULL; |
| + properties->GetListWithoutPathExpansion(shill::kEapCaCertPemProperty, |
| + &ca_pems); |
| + if (ca_pems && !ca_pems->empty()) |
| + ca_pems->GetString(0, ca_pem); |
| + } |
| + |
| + void SetupVpnWithNss() { |
| + const bool add_to_visible = true; |
| + const bool add_to_watchlist = true; |
| + service_test_->AddService(kVPNStub, |
| + kVPNStub, |
| + flimflam::kTypeVPN, |
| + flimflam::kStateIdle, |
| + add_to_visible, |
| + add_to_watchlist); |
| + base::DictionaryValue provider; |
| + provider.SetStringWithoutPathExpansion(flimflam::kOpenVPNCaCertNSSProperty, |
| + kNSSNickname); |
| + service_test_->SetServiceProperty( |
| + kVPNStub, flimflam::kProviderProperty, provider); |
| + } |
| + |
| + void GetVpnCACertProperties(std::string* nss_nickname, std::string* ca_pem) { |
| + nss_nickname->clear(); |
| + ca_pem->clear(); |
| + const base::DictionaryValue* properties = |
| + service_test_->GetServiceProperties(kVPNStub); |
| + const base::DictionaryValue* provider = NULL; |
| + properties->GetDictionaryWithoutPathExpansion(flimflam::kProviderProperty, |
| + &provider); |
| + if (!provider) |
| + return; |
| + provider->GetStringWithoutPathExpansion(flimflam::kOpenVPNCaCertNSSProperty, |
| + nss_nickname); |
| + const base::ListValue* ca_pems = NULL; |
| + properties->GetListWithoutPathExpansion(shill::kOpenVPNCaCertPemProperty, |
| + &ca_pems); |
| + if (ca_pems && !ca_pems->empty()) |
| + ca_pems->GetString(0, ca_pem); |
| + } |
| + |
| + ShillServiceClient::TestInterface* service_test_; |
| + scoped_refptr<net::X509Certificate> test_ca_cert_; |
| + std::string test_ca_cert_pem_; |
| + base::MessageLoop message_loop_; |
| + |
| + private: |
| + void CleanupTestCert() { |
| + ASSERT_TRUE(net::NSSCertDatabase::GetInstance()->DeleteCertAndKey( |
| + test_ca_cert_.get())); |
| + } |
| + |
| + scoped_ptr<NetworkStateHandler> network_state_handler_; |
| + scoped_ptr<NetworkCertMigrator> network_cert_migrator_; |
| + scoped_refptr<net::CryptoModule> slot_; |
| + crypto::ScopedTestNSSDB test_nssdb_; |
| + |
| + DISALLOW_COPY_AND_ASSIGN(NetworkCertMigratorTest); |
| +}; |
| + |
| +TEST_F(NetworkCertMigratorTest, MigrateNssOnInitialization) { |
| + // Add a new network for migration before the handlers are initialized. |
| + SetupWifiWithNss(); |
| + |
| + SetupTestCACert(); |
| + SetupNetworkHandlers(); |
| + |
| + message_loop_.RunUntilIdle(); |
| + std::string nss_nickname, ca_pem; |
| + GetEapCACertProperties(&nss_nickname, &ca_pem); |
| + EXPECT_TRUE(nss_nickname.empty()); |
| + EXPECT_EQ(test_ca_cert_pem_, ca_pem); |
| +} |
| + |
| +TEST_F(NetworkCertMigratorTest, MigrateNssOnNetworkAppearance) { |
| + SetupTestCACert(); |
| + SetupNetworkHandlers(); |
| + message_loop_.RunUntilIdle(); |
| + |
| + // Add a new network for migration after the handlers are initialized. |
| + SetupWifiWithNss(); |
| + |
| + message_loop_.RunUntilIdle(); |
| + std::string nss_nickname, ca_pem; |
| + GetEapCACertProperties(&nss_nickname, &ca_pem); |
| + EXPECT_TRUE(nss_nickname.empty()); |
| + EXPECT_EQ(test_ca_cert_pem_, ca_pem); |
| +} |
| + |
| +TEST_F(NetworkCertMigratorTest, DoNotMigrateNssIfPemSet) { |
| + // Add a new network with an already set PEM property. |
| + SetupWifiWithNss(); |
| + base::ListValue ca_pems; |
| + ca_pems.AppendString(kFakePEM); |
| + service_test_->SetServiceProperty( |
| + kWifiStub, shill::kEapCaCertPemProperty, ca_pems); |
| + |
| + SetupTestCACert(); |
| + SetupNetworkHandlers(); |
| + message_loop_.RunUntilIdle(); |
| + |
| + std::string nss_nickname, ca_pem; |
| + GetEapCACertProperties(&nss_nickname, &ca_pem); |
| + EXPECT_TRUE(nss_nickname.empty()); |
| + EXPECT_EQ(kFakePEM, ca_pem); |
| +} |
| + |
| +TEST_F(NetworkCertMigratorTest, MigrateOpenVpn) { |
| + // Add a new network for migration before the handlers are initialized. |
| + SetupVpnWithNss(); |
| + |
| + SetupTestCACert(); |
| + SetupNetworkHandlers(); |
| + |
| + message_loop_.RunUntilIdle(); |
| + std::string nss_nickname, ca_pem; |
| + GetVpnCACertProperties(&nss_nickname, &ca_pem); |
| + EXPECT_TRUE(nss_nickname.empty()); |
| + EXPECT_EQ(test_ca_cert_pem_, ca_pem); |
| +} |
| + |
| +} // namespace chromeos |
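Review bot: No test covers a service whose NSS nickname matches no certificate in the database; all four cases call `SetupTestCACert()` before `SetupNetworkHandlers()`, so only the successful lookup and the PEM-already-set path are pinned. The unmatched case is the one where migration could leave an EAP or OpenVPN service without a CA anchor, and NetworkCertMigrator's handling of it is not visible in this file, so a test should fix the expected outcome. Such a test cannot be added to the fixture as written, because `TearDown()` reaches `CleanupTestCert()`, which asserts on `DeleteCertAndKey(test_ca_cert_.get())` and would be handed a null certificate. The sketch below guards the cleanup and adds the missing case; the nickname expectation is left open for the author to decide.

```cpp
  // In the fixture: tolerate tests that never import the test CA.
  void CleanupTestCert() {
    if (!test_ca_cert_.get())
      return;
    ASSERT_TRUE(net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(
        test_ca_cert_.get()));
  }

// … unchanged: remaining fixture members and the four existing tests …

TEST_F(NetworkCertMigratorTest, UnknownNssNicknameWritesNoPem) {
  // The service names kNSSNickname, but no certificate is imported under it.
  SetupWifiWithNss();
  SetupNetworkHandlers();
  message_loop_.RunUntilIdle();

  std::string nss_nickname, ca_pem;
  GetEapCACertProperties(&nss_nickname, &ca_pem);
  // No certificate was available, so no PEM anchor may appear.
  EXPECT_TRUE(ca_pem.empty());
  // TODO: pin whether the nickname is kept or cleared in this case.
}
```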