| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/nss_cert_database.h" | 5 #include "net/cert/nss_cert_database.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <certdb.h> | 8 #include <certdb.h> |
| 9 #include <pk11pub.h> | 9 #include <pk11pub.h> |
| 10 | 10 |
| (...skipping 12 matching lines...) Expand all Loading... |
| 23 #include "crypto/scoped_nss_types.h" | 23 #include "crypto/scoped_nss_types.h" |
| 24 #include "crypto/scoped_test_nss_db.h" | 24 #include "crypto/scoped_test_nss_db.h" |
| 25 #include "net/base/crypto_module.h" | 25 #include "net/base/crypto_module.h" |
| 26 #include "net/base/hash_value.h" | 26 #include "net/base/hash_value.h" |
| 27 #include "net/base/net_errors.h" | 27 #include "net/base/net_errors.h" |
| 28 #include "net/cert/cert_status_flags.h" | 28 #include "net/cert/cert_status_flags.h" |
| 29 #include "net/cert/cert_verify_proc_nss.h" | 29 #include "net/cert/cert_verify_proc_nss.h" |
| 30 #include "net/cert/cert_verify_result.h" | 30 #include "net/cert/cert_verify_result.h" |
| 31 #include "net/cert/x509_certificate.h" | 31 #include "net/cert/x509_certificate.h" |
| 32 #include "net/test/cert_test_util.h" | 32 #include "net/test/cert_test_util.h" |
| 33 #include "net/test/gtest_util.h" |
| 33 #include "net/test/test_data_directory.h" | 34 #include "net/test/test_data_directory.h" |
| 34 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" | 35 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" |
| 36 #include "testing/gmock/include/gmock/gmock.h" |
| 35 #include "testing/gtest/include/gtest/gtest.h" | 37 #include "testing/gtest/include/gtest/gtest.h" |
| 36 | 38 |
| 39 using net::test::IsError; |
| 40 using net::test::IsOk; |
| 41 |
| 37 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use | 42 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use |
| 38 // the new name of the macro. | 43 // the new name of the macro. |
| 39 #if !defined(CERTDB_TERMINAL_RECORD) | 44 #if !defined(CERTDB_TERMINAL_RECORD) |
| 40 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER | 45 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER |
| 41 #endif | 46 #endif |
| 42 | 47 |
| 43 using base::ASCIIToUTF16; | 48 using base::ASCIIToUTF16; |
| 44 | 49 |
| 45 namespace net { | 50 namespace net { |
| 46 | 51 |
| (...skipping 336 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 383 | 388 |
| 384 // Import it. | 389 // Import it. |
| 385 NSSCertDatabase::ImportCertFailureList failed; | 390 NSSCertDatabase::ImportCertFailureList failed; |
| 386 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, | 391 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, |
| 387 &failed)); | 392 &failed)); |
| 388 ASSERT_EQ(1U, failed.size()); | 393 ASSERT_EQ(1U, failed.size()); |
| 389 // Note: this compares pointers directly. It's okay in this case because | 394 // Note: this compares pointers directly. It's okay in this case because |
| 390 // ImportCACerts returns the same pointers that were passed in. In the | 395 // ImportCACerts returns the same pointers that were passed in. In the |
| 391 // general case IsSameOSCert should be used. | 396 // general case IsSameOSCert should be used. |
| 392 EXPECT_EQ(certs[0], failed[0].certificate); | 397 EXPECT_EQ(certs[0], failed[0].certificate); |
| 393 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); | 398 EXPECT_THAT(failed[0].net_error, IsError(ERR_IMPORT_CA_CERT_NOT_CA)); |
| 394 | 399 |
| 395 EXPECT_EQ(0U, ListCerts().size()); | 400 EXPECT_EQ(0U, ListCerts().size()); |
| 396 } | 401 } |
| 397 | 402 |
| 398 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { | 403 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { |
| 399 CertificateList certs; | 404 CertificateList certs; |
| 400 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 405 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 401 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 406 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 402 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); | 407 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); |
| 403 | 408 |
| 404 // Import it. | 409 // Import it. |
| 405 NSSCertDatabase::ImportCertFailureList failed; | 410 NSSCertDatabase::ImportCertFailureList failed; |
| 406 // Have to specify email trust for the cert verification of the child cert to | 411 // Have to specify email trust for the cert verification of the child cert to |
| 407 // work (see | 412 // work (see |
| 408 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 | 413 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 |
| 409 // "XXX This choice of trustType seems arbitrary.") | 414 // "XXX This choice of trustType seems arbitrary.") |
| 410 EXPECT_TRUE(cert_db_->ImportCACerts( | 415 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 411 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, | 416 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 412 &failed)); | 417 &failed)); |
| 413 | 418 |
| 414 ASSERT_EQ(2U, failed.size()); | 419 ASSERT_EQ(2U, failed.size()); |
| 415 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); | 420 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); |
| 416 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. | 421 EXPECT_THAT(failed[0].net_error, |
| 422 IsError(ERR_FAILED)); // The certificate expired. |
| 417 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); | 423 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); |
| 418 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); | 424 EXPECT_THAT(failed[1].net_error, IsError(ERR_IMPORT_CA_CERT_NOT_CA)); |
| 419 | 425 |
| 420 CertificateList cert_list = ListCerts(); | 426 CertificateList cert_list = ListCerts(); |
| 421 ASSERT_EQ(1U, cert_list.size()); | 427 ASSERT_EQ(1U, cert_list.size()); |
| 422 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 428 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 423 } | 429 } |
| 424 | 430 |
| 425 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { | 431 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { |
| 426 CertificateList certs; | 432 CertificateList certs; |
| 427 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 433 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 428 | 434 |
| (...skipping 13 matching lines...) Expand all Loading... |
| 442 | 448 |
| 443 // Now import with the other certs in the list too. Even though the root is | 449 // Now import with the other certs in the list too. Even though the root is |
| 444 // already present, we should still import the rest. | 450 // already present, we should still import the rest. |
| 445 failed.clear(); | 451 failed.clear(); |
| 446 EXPECT_TRUE(cert_db_->ImportCACerts( | 452 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 447 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, | 453 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 448 &failed)); | 454 &failed)); |
| 449 | 455 |
| 450 ASSERT_EQ(3U, failed.size()); | 456 ASSERT_EQ(3U, failed.size()); |
| 451 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); | 457 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); |
| 452 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); | 458 EXPECT_THAT(failed[0].net_error, IsError(ERR_IMPORT_CERT_ALREADY_EXISTS)); |
| 453 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 459 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 454 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. | 460 EXPECT_THAT(failed[1].net_error, |
| 461 IsError(ERR_FAILED)); // The certificate expired. |
| 455 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name); | 462 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name); |
| 456 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error); | 463 EXPECT_THAT(failed[2].net_error, IsError(ERR_IMPORT_CA_CERT_NOT_CA)); |
| 457 | 464 |
| 458 cert_list = ListCerts(); | 465 cert_list = ListCerts(); |
| 459 ASSERT_EQ(1U, cert_list.size()); | 466 ASSERT_EQ(1U, cert_list.size()); |
| 460 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 467 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 461 } | 468 } |
| 462 | 469 |
| 463 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { | 470 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { |
| 464 CertificateList certs; | 471 CertificateList certs; |
| 465 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 472 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 466 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 473 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 467 | 474 |
| 468 // Import it. | 475 // Import it. |
| 469 NSSCertDatabase::ImportCertFailureList failed; | 476 NSSCertDatabase::ImportCertFailureList failed; |
| 470 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT, | 477 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 471 &failed)); | 478 &failed)); |
| 472 | 479 |
| 473 ASSERT_EQ(1U, failed.size()); | 480 ASSERT_EQ(1U, failed.size()); |
| 474 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); | 481 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); |
| 475 // TODO(mattm): should check for net error equivalent of | 482 // TODO(mattm): should check for net error equivalent of |
| 476 // SEC_ERROR_UNTRUSTED_ISSUER | 483 // SEC_ERROR_UNTRUSTED_ISSUER |
| 477 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 484 EXPECT_THAT(failed[0].net_error, IsError(ERR_FAILED)); |
| 478 | 485 |
| 479 CertificateList cert_list = ListCerts(); | 486 CertificateList cert_list = ListCerts(); |
| 480 ASSERT_EQ(1U, cert_list.size()); | 487 ASSERT_EQ(1U, cert_list.size()); |
| 481 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 488 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 482 } | 489 } |
| 483 | 490 |
| 484 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { | 491 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { |
| 485 CertificateList certs; | 492 CertificateList certs; |
| 486 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 493 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 487 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 494 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
| 488 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 495 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 489 | 496 |
| 490 // Import it. | 497 // Import it. |
| 491 NSSCertDatabase::ImportCertFailureList failed; | 498 NSSCertDatabase::ImportCertFailureList failed; |
| 492 EXPECT_TRUE(cert_db_->ImportCACerts( | 499 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 493 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, | 500 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 494 &failed)); | 501 &failed)); |
| 495 | 502 |
| 496 EXPECT_EQ(2U, failed.size()); | 503 EXPECT_EQ(2U, failed.size()); |
| 497 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); | 504 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); |
| 498 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. | 505 EXPECT_THAT(failed[0].net_error, |
| 506 IsError(ERR_FAILED)); // The certificate expired. |
| 499 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 507 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 500 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. | 508 EXPECT_THAT(failed[1].net_error, |
| 509 IsError(ERR_FAILED)); // The certificate expired. |
| 501 | 510 |
| 502 CertificateList cert_list = ListCerts(); | 511 CertificateList cert_list = ListCerts(); |
| 503 ASSERT_EQ(1U, cert_list.size()); | 512 ASSERT_EQ(1U, cert_list.size()); |
| 504 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 513 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 505 } | 514 } |
| 506 | 515 |
| 507 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { | 516 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { |
| 508 CertificateList certs = CreateCertificateListFromFile( | 517 CertificateList certs = CreateCertificateListFromFile( |
| 509 GetTestCertsDirectory(), "root_ca_cert.pem", | 518 GetTestCertsDirectory(), "root_ca_cert.pem", |
| 510 X509Certificate::FORMAT_AUTO); | 519 X509Certificate::FORMAT_AUTO); |
| 511 ASSERT_EQ(1U, certs.size()); | 520 ASSERT_EQ(1U, certs.size()); |
| 512 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 521 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
| 513 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 522 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 514 | 523 |
| 515 // Import it. | 524 // Import it. |
| 516 NSSCertDatabase::ImportCertFailureList failed; | 525 NSSCertDatabase::ImportCertFailureList failed; |
| 517 EXPECT_TRUE(cert_db_->ImportCACerts( | 526 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 518 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL | | 527 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL | |
| 519 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed)); | 528 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed)); |
| 520 | 529 |
| 521 ASSERT_EQ(2U, failed.size()); | 530 ASSERT_EQ(2U, failed.size()); |
| 522 // TODO(mattm): should check for net error equivalent of | 531 // TODO(mattm): should check for net error equivalent of |
| 523 // SEC_ERROR_UNKNOWN_ISSUER | 532 // SEC_ERROR_UNKNOWN_ISSUER |
| 524 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); | 533 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); |
| 525 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 534 EXPECT_THAT(failed[0].net_error, IsError(ERR_FAILED)); |
| 526 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 535 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 527 EXPECT_EQ(ERR_FAILED, failed[1].net_error); | 536 EXPECT_THAT(failed[1].net_error, IsError(ERR_FAILED)); |
| 528 | 537 |
| 529 CertificateList cert_list = ListCerts(); | 538 CertificateList cert_list = ListCerts(); |
| 530 ASSERT_EQ(1U, cert_list.size()); | 539 ASSERT_EQ(1U, cert_list.size()); |
| 531 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name); | 540 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name); |
| 532 } | 541 } |
| 533 | 542 |
| 534 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired | 543 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired |
| 535 // certificate. | 544 // certificate. |
| 536 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { | 545 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { |
| 537 // Need to import intermediate cert for the verify of google cert, otherwise | 546 // Need to import intermediate cert for the verify of google cert, otherwise |
| (...skipping 21 matching lines...) Expand all Loading... |
| 559 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); | 568 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| 560 | 569 |
| 561 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); | 570 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); |
| 562 | 571 |
| 563 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 572 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 564 int flags = 0; | 573 int flags = 0; |
| 565 CertVerifyResult verify_result; | 574 CertVerifyResult verify_result; |
| 566 int error = | 575 int error = |
| 567 verify_proc->Verify(goog_cert.get(), "www.google.com", std::string(), | 576 verify_proc->Verify(goog_cert.get(), "www.google.com", std::string(), |
| 568 flags, NULL, empty_cert_list_, &verify_result); | 577 flags, NULL, empty_cert_list_, &verify_result); |
| 569 EXPECT_EQ(OK, error); | 578 EXPECT_THAT(error, IsOk()); |
| 570 EXPECT_EQ(0U, verify_result.cert_status); | 579 EXPECT_EQ(0U, verify_result.cert_status); |
| 571 } | 580 } |
| 572 | 581 |
| 573 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 582 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| 574 CertificateList certs; | 583 CertificateList certs; |
| 575 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); | 584 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); |
| 576 | 585 |
| 577 NSSCertDatabase::ImportCertFailureList failed; | 586 NSSCertDatabase::ImportCertFailureList failed; |
| 578 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, | 587 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 579 &failed)); | 588 &failed)); |
| 580 | 589 |
| 581 EXPECT_EQ(0U, failed.size()); | 590 EXPECT_EQ(0U, failed.size()); |
| 582 | 591 |
| 583 CertificateList cert_list = ListCerts(); | 592 CertificateList cert_list = ListCerts(); |
| 584 ASSERT_EQ(1U, cert_list.size()); | 593 ASSERT_EQ(1U, cert_list.size()); |
| 585 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 594 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 586 | 595 |
| 587 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 596 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 588 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 597 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 589 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); | 598 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); |
| 590 | 599 |
| 591 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 600 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 592 int flags = 0; | 601 int flags = 0; |
| 593 CertVerifyResult verify_result; | 602 CertVerifyResult verify_result; |
| 594 int error = | 603 int error = |
| 595 verify_proc->Verify(puny_cert.get(), "xn--wgv71a119e.com", std::string(), | 604 verify_proc->Verify(puny_cert.get(), "xn--wgv71a119e.com", std::string(), |
| 596 flags, NULL, empty_cert_list_, &verify_result); | 605 flags, NULL, empty_cert_list_, &verify_result); |
| 597 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 606 EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID)); |
| 598 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 607 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 599 } | 608 } |
| 600 | 609 |
| 601 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { | 610 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { |
| 602 CertificateList certs; | 611 CertificateList certs; |
| 603 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); | 612 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); |
| 604 | 613 |
| 605 NSSCertDatabase::ImportCertFailureList failed; | 614 NSSCertDatabase::ImportCertFailureList failed; |
| 606 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, | 615 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, |
| 607 &failed)); | 616 &failed)); |
| 608 | 617 |
| 609 EXPECT_EQ(0U, failed.size()); | 618 EXPECT_EQ(0U, failed.size()); |
| 610 | 619 |
| 611 CertificateList cert_list = ListCerts(); | 620 CertificateList cert_list = ListCerts(); |
| 612 ASSERT_EQ(1U, cert_list.size()); | 621 ASSERT_EQ(1U, cert_list.size()); |
| 613 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 622 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 614 | 623 |
| 615 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, | 624 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, |
| 616 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 625 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 617 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), | 626 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), |
| 618 puny_cert->os_cert_handle()->trust->sslFlags); | 627 puny_cert->os_cert_handle()->trust->sslFlags); |
| 619 | 628 |
| 620 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 629 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 621 int flags = 0; | 630 int flags = 0; |
| 622 CertVerifyResult verify_result; | 631 CertVerifyResult verify_result; |
| 623 int error = | 632 int error = |
| 624 verify_proc->Verify(puny_cert.get(), "xn--wgv71a119e.com", std::string(), | 633 verify_proc->Verify(puny_cert.get(), "xn--wgv71a119e.com", std::string(), |
| 625 flags, NULL, empty_cert_list_, &verify_result); | 634 flags, NULL, empty_cert_list_, &verify_result); |
| 626 EXPECT_EQ(OK, error); | 635 EXPECT_THAT(error, IsOk()); |
| 627 EXPECT_EQ(0U, verify_result.cert_status); | 636 EXPECT_EQ(0U, verify_result.cert_status); |
| 628 } | 637 } |
| 629 | 638 |
| 630 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { | 639 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { |
| 631 CertificateList ca_certs = CreateCertificateListFromFile( | 640 CertificateList ca_certs = CreateCertificateListFromFile( |
| 632 GetTestCertsDirectory(), "root_ca_cert.pem", | 641 GetTestCertsDirectory(), "root_ca_cert.pem", |
| 633 X509Certificate::FORMAT_AUTO); | 642 X509Certificate::FORMAT_AUTO); |
| 634 ASSERT_EQ(1U, ca_certs.size()); | 643 ASSERT_EQ(1U, ca_certs.size()); |
| 635 | 644 |
| 636 // Import CA cert and trust it. | 645 // Import CA cert and trust it. |
| (...skipping 12 matching lines...) Expand all Loading... |
| 649 &failed)); | 658 &failed)); |
| 650 EXPECT_EQ(0U, failed.size()); | 659 EXPECT_EQ(0U, failed.size()); |
| 651 | 660 |
| 652 // Server cert should verify. | 661 // Server cert should verify. |
| 653 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 662 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 654 int flags = 0; | 663 int flags = 0; |
| 655 CertVerifyResult verify_result; | 664 CertVerifyResult verify_result; |
| 656 int error = | 665 int error = |
| 657 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, | 666 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 658 NULL, empty_cert_list_, &verify_result); | 667 NULL, empty_cert_list_, &verify_result); |
| 659 EXPECT_EQ(OK, error); | 668 EXPECT_THAT(error, IsOk()); |
| 660 EXPECT_EQ(0U, verify_result.cert_status); | 669 EXPECT_EQ(0U, verify_result.cert_status); |
| 661 } | 670 } |
| 662 | 671 |
| 663 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { | 672 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { |
| 664 CertificateList ca_certs = CreateCertificateListFromFile( | 673 CertificateList ca_certs = CreateCertificateListFromFile( |
| 665 GetTestCertsDirectory(), "root_ca_cert.pem", | 674 GetTestCertsDirectory(), "root_ca_cert.pem", |
| 666 X509Certificate::FORMAT_AUTO); | 675 X509Certificate::FORMAT_AUTO); |
| 667 ASSERT_EQ(1U, ca_certs.size()); | 676 ASSERT_EQ(1U, ca_certs.size()); |
| 668 | 677 |
| 669 // Import CA cert and trust it. | 678 // Import CA cert and trust it. |
| (...skipping 18 matching lines...) Expand all Loading... |
| 688 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | 697 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 689 certs[0]->os_cert_handle()->trust->sslFlags); | 698 certs[0]->os_cert_handle()->trust->sslFlags); |
| 690 | 699 |
| 691 // Server cert should fail to verify. | 700 // Server cert should fail to verify. |
| 692 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 701 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 693 int flags = 0; | 702 int flags = 0; |
| 694 CertVerifyResult verify_result; | 703 CertVerifyResult verify_result; |
| 695 int error = | 704 int error = |
| 696 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, | 705 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 697 NULL, empty_cert_list_, &verify_result); | 706 NULL, empty_cert_list_, &verify_result); |
| 698 EXPECT_EQ(ERR_CERT_REVOKED, error); | 707 EXPECT_THAT(error, IsError(ERR_CERT_REVOKED)); |
| 699 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); | 708 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 700 } | 709 } |
| 701 | 710 |
| 702 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { | 711 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { |
| 703 CertificateList ca_certs = CreateCertificateListFromFile( | 712 CertificateList ca_certs = CreateCertificateListFromFile( |
| 704 GetTestCertsDirectory(), "2048-rsa-root.pem", | 713 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 705 X509Certificate::FORMAT_AUTO); | 714 X509Certificate::FORMAT_AUTO); |
| 706 ASSERT_EQ(1U, ca_certs.size()); | 715 ASSERT_EQ(1U, ca_certs.size()); |
| 707 | 716 |
| 708 // Import Root CA cert and distrust it. | 717 // Import Root CA cert and distrust it. |
| (...skipping 24 matching lines...) Expand all Loading... |
| 733 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 742 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 734 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 743 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 735 | 744 |
| 736 // Server cert should verify. | 745 // Server cert should verify. |
| 737 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 746 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 738 int flags = 0; | 747 int flags = 0; |
| 739 CertVerifyResult verify_result; | 748 CertVerifyResult verify_result; |
| 740 int error = | 749 int error = |
| 741 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, | 750 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 742 NULL, empty_cert_list_, &verify_result); | 751 NULL, empty_cert_list_, &verify_result); |
| 743 EXPECT_EQ(OK, error); | 752 EXPECT_THAT(error, IsOk()); |
| 744 EXPECT_EQ(0U, verify_result.cert_status); | 753 EXPECT_EQ(0U, verify_result.cert_status); |
| 745 | 754 |
| 746 // Trust the root cert and distrust the intermediate. | 755 // Trust the root cert and distrust the intermediate. |
| 747 EXPECT_TRUE(cert_db_->SetCertTrust( | 756 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 748 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL)); | 757 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL)); |
| 749 EXPECT_TRUE(cert_db_->SetCertTrust( | 758 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 750 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL)); | 759 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL)); |
| 751 EXPECT_EQ( | 760 EXPECT_EQ( |
| 752 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), | 761 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), |
| 753 ca_certs[0]->os_cert_handle()->trust->sslFlags); | 762 ca_certs[0]->os_cert_handle()->trust->sslFlags); |
| 754 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 763 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 755 ca_certs[0]->os_cert_handle()->trust->emailFlags); | 764 ca_certs[0]->os_cert_handle()->trust->emailFlags); |
| 756 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 765 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 757 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); | 766 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 758 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | 767 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 759 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); | 768 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); |
| 760 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 769 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 761 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); | 770 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); |
| 762 EXPECT_EQ( | 771 EXPECT_EQ( |
| 763 unsigned(CERTDB_VALID_CA), | 772 unsigned(CERTDB_VALID_CA), |
| 764 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); | 773 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 765 | 774 |
| 766 // Server cert should fail to verify. | 775 // Server cert should fail to verify. |
| 767 CertVerifyResult verify_result2; | 776 CertVerifyResult verify_result2; |
| 768 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, | 777 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 769 NULL, empty_cert_list_, &verify_result2); | 778 NULL, empty_cert_list_, &verify_result2); |
| 770 EXPECT_EQ(ERR_CERT_REVOKED, error); | 779 EXPECT_THAT(error, IsError(ERR_CERT_REVOKED)); |
| 771 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); | 780 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); |
| 772 } | 781 } |
| 773 | 782 |
| 774 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { | 783 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { |
| 775 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { | 784 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { |
| 776 // See http://bugzil.la/863947 for details. | 785 // See http://bugzil.la/863947 for details. |
| 777 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; | 786 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; |
| 778 return; | 787 return; |
| 779 } | 788 } |
| 780 | 789 |
| (...skipping 21 matching lines...) Expand all Loading... |
| 802 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 811 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 803 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 812 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 804 | 813 |
| 805 // Server cert should verify. | 814 // Server cert should verify. |
| 806 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 815 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 807 int flags = 0; | 816 int flags = 0; |
| 808 CertVerifyResult verify_result; | 817 CertVerifyResult verify_result; |
| 809 int error = | 818 int error = |
| 810 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, | 819 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 811 NULL, empty_cert_list_, &verify_result); | 820 NULL, empty_cert_list_, &verify_result); |
| 812 EXPECT_EQ(OK, error); | 821 EXPECT_THAT(error, IsOk()); |
| 813 EXPECT_EQ(0U, verify_result.cert_status); | 822 EXPECT_EQ(0U, verify_result.cert_status); |
| 814 | 823 |
| 815 // Without explicit trust of the intermediate, verification should fail. | 824 // Without explicit trust of the intermediate, verification should fail. |
| 816 EXPECT_TRUE(cert_db_->SetCertTrust( | 825 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 817 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 826 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 818 | 827 |
| 819 // Server cert should fail to verify. | 828 // Server cert should fail to verify. |
| 820 CertVerifyResult verify_result2; | 829 CertVerifyResult verify_result2; |
| 821 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, | 830 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 822 NULL, empty_cert_list_, &verify_result2); | 831 NULL, empty_cert_list_, &verify_result2); |
| 823 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 832 EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID)); |
| 824 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); | 833 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 825 } | 834 } |
| 826 | 835 |
| 827 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { | 836 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { |
| 828 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { | 837 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { |
| 829 // See http://bugzil.la/863947 for details. | 838 // See http://bugzil.la/863947 for details. |
| 830 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; | 839 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; |
| 831 return; | 840 return; |
| 832 } | 841 } |
| 833 | 842 |
| (...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 865 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 874 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 866 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 875 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 867 | 876 |
| 868 // Server cert should verify. | 877 // Server cert should verify. |
| 869 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 878 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 870 int flags = 0; | 879 int flags = 0; |
| 871 CertVerifyResult verify_result; | 880 CertVerifyResult verify_result; |
| 872 int error = | 881 int error = |
| 873 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, | 882 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 874 NULL, empty_cert_list_, &verify_result); | 883 NULL, empty_cert_list_, &verify_result); |
| 875 EXPECT_EQ(OK, error); | 884 EXPECT_THAT(error, IsOk()); |
| 876 EXPECT_EQ(0U, verify_result.cert_status); | 885 EXPECT_EQ(0U, verify_result.cert_status); |
| 877 | 886 |
| 878 // Without explicit trust of the intermediate, verification should fail. | 887 // Without explicit trust of the intermediate, verification should fail. |
| 879 EXPECT_TRUE(cert_db_->SetCertTrust( | 888 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 880 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 889 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 881 | 890 |
| 882 // Server cert should fail to verify. | 891 // Server cert should fail to verify. |
| 883 CertVerifyResult verify_result2; | 892 CertVerifyResult verify_result2; |
| 884 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, | 893 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 885 NULL, empty_cert_list_, &verify_result2); | 894 NULL, empty_cert_list_, &verify_result2); |
| 886 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 895 EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID)); |
| 887 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); | 896 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 888 } | 897 } |
| 889 | 898 |
| 890 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { | 899 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { |
| 891 NSSCertDatabase::ImportCertFailureList failed; | 900 NSSCertDatabase::ImportCertFailureList failed; |
| 892 | 901 |
| 893 CertificateList ca_certs = CreateCertificateListFromFile( | 902 CertificateList ca_certs = CreateCertificateListFromFile( |
| 894 GetTestCertsDirectory(), "2048-rsa-root.pem", | 903 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 895 X509Certificate::FORMAT_AUTO); | 904 X509Certificate::FORMAT_AUTO); |
| 896 ASSERT_EQ(1U, ca_certs.size()); | 905 ASSERT_EQ(1U, ca_certs.size()); |
| (...skipping 25 matching lines...) Expand all Loading... |
| 922 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 931 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 923 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 932 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 924 | 933 |
| 925 // Server cert should not verify. | 934 // Server cert should not verify. |
| 926 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 935 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 927 int flags = 0; | 936 int flags = 0; |
| 928 CertVerifyResult verify_result; | 937 CertVerifyResult verify_result; |
| 929 int error = | 938 int error = |
| 930 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, | 939 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 931 NULL, empty_cert_list_, &verify_result); | 940 NULL, empty_cert_list_, &verify_result); |
| 932 EXPECT_EQ(ERR_CERT_REVOKED, error); | 941 EXPECT_THAT(error, IsError(ERR_CERT_REVOKED)); |
| 933 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); | 942 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 934 | 943 |
| 935 // Without explicit distrust of the intermediate, verification should succeed. | 944 // Without explicit distrust of the intermediate, verification should succeed. |
| 936 EXPECT_TRUE(cert_db_->SetCertTrust( | 945 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 937 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 946 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 938 | 947 |
| 939 // Server cert should verify. | 948 // Server cert should verify. |
| 940 CertVerifyResult verify_result2; | 949 CertVerifyResult verify_result2; |
| 941 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, | 950 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags, |
| 942 NULL, empty_cert_list_, &verify_result2); | 951 NULL, empty_cert_list_, &verify_result2); |
| 943 EXPECT_EQ(OK, error); | 952 EXPECT_THAT(error, IsOk()); |
| 944 EXPECT_EQ(0U, verify_result2.cert_status); | 953 EXPECT_EQ(0U, verify_result2.cert_status); |
| 945 } | 954 } |
| 946 | 955 |
| 947 // Importing two certificates with the same issuer and subject common name, | 956 // Importing two certificates with the same issuer and subject common name, |
| 948 // but overall distinct subject names, should succeed and generate a unique | 957 // but overall distinct subject names, should succeed and generate a unique |
| 949 // nickname for the second certificate. | 958 // nickname for the second certificate. |
| 950 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { | 959 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { |
| 951 CertificateList certs = | 960 CertificateList certs = |
| 952 CreateCertificateListFromFile(GetTestCertsDirectory(), | 961 CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 953 "duplicate_cn_1.pem", | 962 "duplicate_cn_1.pem", |
| (...skipping 27 matching lines...) Expand all Loading... |
| 981 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 990 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 982 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); | 991 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); |
| 983 | 992 |
| 984 new_certs = ListCerts(); | 993 new_certs = ListCerts(); |
| 985 ASSERT_EQ(2U, new_certs.size()); | 994 ASSERT_EQ(2U, new_certs.size()); |
| 986 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, | 995 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, |
| 987 new_certs[1]->os_cert_handle()->nickname); | 996 new_certs[1]->os_cert_handle()->nickname); |
| 988 } | 997 } |
| 989 | 998 |
| 990 } // namespace net | 999 } // namespace net |
| OLD | NEW |