| OLD | NEW |
|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/internal/trust_store_nss.h" | 5 #include "net/cert/internal/trust_store_nss.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <certdb.h> | 8 #include <certdb.h> |
| 9 | 9 |
| 10 #include "base/bind.h" | |
| 11 #include "base/memory/ptr_util.h" | 10 #include "base/memory/ptr_util.h" |
| 12 #include "base/run_loop.h" | |
| 13 #include "base/strings/string_number_conversions.h" | 11 #include "base/strings/string_number_conversions.h" |
| 14 #include "base/threading/thread_task_runner_handle.h" | |
| 15 #include "crypto/scoped_test_nss_db.h" | 12 #include "crypto/scoped_test_nss_db.h" |
| 16 #include "net/cert/internal/test_helpers.h" | 13 #include "net/cert/internal/test_helpers.h" |
| 17 #include "net/cert/internal/trust_store_test_helpers.h" | |
| 18 #include "net/cert/scoped_nss_types.h" | 14 #include "net/cert/scoped_nss_types.h" |
| 19 #include "net/cert/x509_certificate.h" | 15 #include "net/cert/x509_certificate.h" |
| 20 #include "testing/gtest/include/gtest/gtest.h" | 16 #include "testing/gtest/include/gtest/gtest.h" |
| 21 | 17 |
| 22 namespace net { | 18 namespace net { |
| 23 | 19 |
| 24 namespace { | 20 namespace { |
| 25 | 21 |
| 26 void NotCalled(TrustAnchors anchors) { | |
| 27 ADD_FAILURE() << "NotCalled was called"; | |
| 28 } | |
| 29 | |
| 30 class TrustStoreNSSTest : public testing::Test { | 22 class TrustStoreNSSTest : public testing::Test { |
| 31 public: | 23 public: |
| 32 void SetUp() override { | 24 void SetUp() override { |
| 33 ASSERT_TRUE(test_nssdb_.is_open()); | 25 ASSERT_TRUE(test_nssdb_.is_open()); |
| 34 | 26 |
| 35 ParsedCertificateList chain; | 27 ParsedCertificateList chain; |
| 36 bool unused_verify_result; | 28 bool unused_verify_result; |
| 37 der::GeneralizedTime unused_time; | 29 der::GeneralizedTime unused_time; |
| 38 std::string unused_errors; | 30 std::string unused_errors; |
| 39 | 31 |
| (...skipping 14 matching lines...) Expand all Loading... |
| 54 &chain, &unused_root, &unused_time, &unused_verify_result, | 46 &chain, &unused_root, &unused_time, &unused_verify_result, |
| 55 &unused_errors); | 47 &unused_errors); |
| 56 ASSERT_EQ(4U, chain.size()); | 48 ASSERT_EQ(4U, chain.size()); |
| 57 newintermediate_ = chain[1]; | 49 newintermediate_ = chain[1]; |
| 58 newroot_ = TrustAnchor::CreateFromCertificateNoConstraints(chain[2]); | 50 newroot_ = TrustAnchor::CreateFromCertificateNoConstraints(chain[2]); |
| 59 newrootrollover_ = chain[3]; | 51 newrootrollover_ = chain[3]; |
| 60 ASSERT_TRUE(newintermediate_); | 52 ASSERT_TRUE(newintermediate_); |
| 61 ASSERT_TRUE(newroot_); | 53 ASSERT_TRUE(newroot_); |
| 62 ASSERT_TRUE(newrootrollover_); | 54 ASSERT_TRUE(newrootrollover_); |
| 63 | 55 |
| 64 trust_store_nss_.reset( | 56 trust_store_nss_.reset(new TrustStoreNSS(trustSSL)); |
| 65 new TrustStoreNSS(trustSSL, base::ThreadTaskRunnerHandle::Get())); | |
| 66 } | 57 } |
| 67 | 58 |
| 68 std::string GetUniqueNickname() { | 59 std::string GetUniqueNickname() { |
| 69 return "trust_store_nss_unittest" + base::UintToString(nickname_counter_++); | 60 return "trust_store_nss_unittest" + base::UintToString(nickname_counter_++); |
| 70 } | 61 } |
| 71 | 62 |
| 72 void AddCertToNSS(const ParsedCertificate* cert) { | 63 void AddCertToNSS(const ParsedCertificate* cert) { |
| 73 std::string nickname = GetUniqueNickname(); | 64 std::string nickname = GetUniqueNickname(); |
| 74 ScopedCERTCertificate nss_cert( | 65 ScopedCERTCertificate nss_cert( |
| 75 X509Certificate::CreateOSCertHandleFromBytesWithNickname( | 66 X509Certificate::CreateOSCertHandleFromBytesWithNickname( |
| (...skipping 29 matching lines...) Expand all Loading... |
| 105 | 96 |
| 106 CERTCertTrust trust = {0}; | 97 CERTCertTrust trust = {0}; |
| 107 trust.sslFlags = | 98 trust.sslFlags = |
| 108 CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA | CERTDB_VALID_CA; | 99 CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA | CERTDB_VALID_CA; |
| 109 SECStatus srv = | 100 SECStatus srv = |
| 110 CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nss_cert.get(), &trust); | 101 CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nss_cert.get(), &trust); |
| 111 ASSERT_EQ(SECSuccess, srv); | 102 ASSERT_EQ(SECSuccess, srv); |
| 112 } | 103 } |
| 113 | 104 |
| 114 protected: | 105 protected: |
| 115 void ExpectTrustStoreContains(tracked_objects::Location loc, | 106 bool TrustStoreContains(scoped_refptr<ParsedCertificate> cert, |
| 116 scoped_refptr<ParsedCertificate> cert, | 107 TrustAnchors expected_matches) { |
| 117 TrustAnchors expected_async_matches) { | 108 TrustAnchors matches; |
| 118 SCOPED_TRACE(loc.ToString()); | 109 trust_store_nss_->FindTrustAnchorsForCert(cert, &matches); |
| 119 | 110 |
| 120 TrustAnchors sync_matches; | |
| 121 TrustAnchorResultRecorder anchor_results; | |
| 122 std::unique_ptr<TrustStore::Request> req; | |
| 123 trust_store_nss_->FindTrustAnchorsForCert(cert, anchor_results.Callback(), | |
| 124 &sync_matches, &req); | |
| 125 ASSERT_TRUE(req); | |
| 126 EXPECT_TRUE(sync_matches.empty()); | |
| 127 | |
| 128 anchor_results.Run(); | |
| 129 std::vector<der::Input> der_result_matches; | 111 std::vector<der::Input> der_result_matches; |
| 130 for (const auto& it : anchor_results.matches()) | 112 for (const auto& it : matches) |
| 131 der_result_matches.push_back(it->cert()->der_cert()); | 113 der_result_matches.push_back(it->cert()->der_cert()); |
| 132 std::sort(der_result_matches.begin(), der_result_matches.end()); | 114 std::sort(der_result_matches.begin(), der_result_matches.end()); |
| 133 | 115 |
| 134 std::vector<der::Input> der_expected_matches; | 116 std::vector<der::Input> der_expected_matches; |
| 135 for (const auto& it : expected_async_matches) | 117 for (const auto& it : expected_matches) |
| 136 der_expected_matches.push_back(it->cert()->der_cert()); | 118 der_expected_matches.push_back(it->cert()->der_cert()); |
| 137 std::sort(der_expected_matches.begin(), der_expected_matches.end()); | 119 std::sort(der_expected_matches.begin(), der_expected_matches.end()); |
| 138 | 120 |
| 121 if (der_expected_matches == der_result_matches) |
| 122 return true; |
| 123 |
| 124 // Print some extra information for debugging. |
| 139 EXPECT_EQ(der_expected_matches, der_result_matches); | 125 EXPECT_EQ(der_expected_matches, der_result_matches); |
| 126 return false; |
| 140 } | 127 } |
| 141 | 128 |
| 142 scoped_refptr<TrustAnchor> oldroot_; | 129 scoped_refptr<TrustAnchor> oldroot_; |
| 143 scoped_refptr<TrustAnchor> newroot_; | 130 scoped_refptr<TrustAnchor> newroot_; |
| 144 | 131 |
| 145 scoped_refptr<ParsedCertificate> target_; | 132 scoped_refptr<ParsedCertificate> target_; |
| 146 scoped_refptr<ParsedCertificate> oldintermediate_; | 133 scoped_refptr<ParsedCertificate> oldintermediate_; |
| 147 scoped_refptr<ParsedCertificate> newintermediate_; | 134 scoped_refptr<ParsedCertificate> newintermediate_; |
| 148 scoped_refptr<ParsedCertificate> newrootrollover_; | 135 scoped_refptr<ParsedCertificate> newrootrollover_; |
| 149 crypto::ScopedTestNSSDB test_nssdb_; | 136 crypto::ScopedTestNSSDB test_nssdb_; |
| 150 std::unique_ptr<TrustStoreNSS> trust_store_nss_; | 137 std::unique_ptr<TrustStoreNSS> trust_store_nss_; |
| 151 unsigned nickname_counter_ = 0; | 138 unsigned nickname_counter_ = 0; |
| 152 }; | 139 }; |
| 153 | 140 |
| 154 // Without adding any certs to the NSS DB, should get no anchor results for any | 141 // Without adding any certs to the NSS DB, should get no anchor results for any |
| 155 // of the test certs. | 142 // of the test certs. |
| 156 TEST_F(TrustStoreNSSTest, CertsNotPresent) { | 143 TEST_F(TrustStoreNSSTest, CertsNotPresent) { |
| 157 ExpectTrustStoreContains(FROM_HERE, target_, TrustAnchors()); | 144 EXPECT_TRUE(TrustStoreContains(target_, TrustAnchors())); |
| 158 ExpectTrustStoreContains(FROM_HERE, newintermediate_, TrustAnchors()); | 145 EXPECT_TRUE(TrustStoreContains(newintermediate_, TrustAnchors())); |
| 159 ExpectTrustStoreContains(FROM_HERE, newroot_->cert(), TrustAnchors()); | 146 EXPECT_TRUE(TrustStoreContains(newroot_->cert(), TrustAnchors())); |
| 160 } | 147 } |
| 161 | 148 |
| 162 // If certs are present in NSS DB but aren't marked as trusted, should get no | 149 // If certs are present in NSS DB but aren't marked as trusted, should get no |
| 163 // anchor results for any of the test certs. | 150 // anchor results for any of the test certs. |
| 164 TEST_F(TrustStoreNSSTest, CertsPresentButNotTrusted) { | 151 TEST_F(TrustStoreNSSTest, CertsPresentButNotTrusted) { |
| 165 AddCertsToNSS(); | 152 AddCertsToNSS(); |
| 166 ExpectTrustStoreContains(FROM_HERE, newintermediate_, TrustAnchors()); | 153 EXPECT_TRUE(TrustStoreContains(newintermediate_, TrustAnchors())); |
| 167 ExpectTrustStoreContains(FROM_HERE, target_, TrustAnchors()); | 154 EXPECT_TRUE(TrustStoreContains(target_, TrustAnchors())); |
| 168 ExpectTrustStoreContains(FROM_HERE, newintermediate_, TrustAnchors()); | 155 EXPECT_TRUE(TrustStoreContains(newintermediate_, TrustAnchors())); |
| 169 ExpectTrustStoreContains(FROM_HERE, newroot_->cert(), TrustAnchors()); | 156 EXPECT_TRUE(TrustStoreContains(newroot_->cert(), TrustAnchors())); |
| 170 } | 157 } |
| 171 | 158 |
| 172 // A self-signed CA certificate is trusted. FindTrustAnchorsForCert should | 159 // A self-signed CA certificate is trusted. FindTrustAnchorsForCert should |
| 173 // return the cert on any intermediates with a matching issuer, and on any | 160 // return the cert on any intermediates with a matching issuer, and on any |
| 174 // matching self-signed/self-issued CA certs. | 161 // matching self-signed/self-issued CA certs. |
| 175 TEST_F(TrustStoreNSSTest, TrustedCA) { | 162 TEST_F(TrustStoreNSSTest, TrustedCA) { |
| 176 AddCertsToNSS(); | 163 AddCertsToNSS(); |
| 177 TrustCert(newroot_.get()); | 164 TrustCert(newroot_.get()); |
| 178 ExpectTrustStoreContains(FROM_HERE, target_, TrustAnchors()); | 165 EXPECT_TRUE(TrustStoreContains(target_, TrustAnchors())); |
| 179 ExpectTrustStoreContains(FROM_HERE, newintermediate_, {newroot_}); | 166 EXPECT_TRUE(TrustStoreContains(newintermediate_, {newroot_})); |
| 180 ExpectTrustStoreContains(FROM_HERE, oldintermediate_, {newroot_}); | 167 EXPECT_TRUE(TrustStoreContains(oldintermediate_, {newroot_})); |
| 181 ExpectTrustStoreContains(FROM_HERE, newrootrollover_, {newroot_}); | 168 EXPECT_TRUE(TrustStoreContains(newrootrollover_, {newroot_})); |
| 182 ExpectTrustStoreContains(FROM_HERE, oldroot_->cert(), {newroot_}); | 169 EXPECT_TRUE(TrustStoreContains(oldroot_->cert(), {newroot_})); |
| 183 ExpectTrustStoreContains(FROM_HERE, newroot_->cert(), {newroot_}); | 170 EXPECT_TRUE(TrustStoreContains(newroot_->cert(), {newroot_})); |
| 184 } | 171 } |
| 185 | 172 |
| 186 // When an intermediate certificate is trusted, FindTrustAnchorsForCert should | 173 // When an intermediate certificate is trusted, FindTrustAnchorsForCert should |
| 187 // return that cert on any certs issued by the intermediate, but not for the | 174 // return that cert on any certs issued by the intermediate, but not for the |
| 188 // intermediate itself (or the CAs). | 175 // intermediate itself (or the CAs). |
| 189 TEST_F(TrustStoreNSSTest, TrustedIntermediate) { | 176 TEST_F(TrustStoreNSSTest, TrustedIntermediate) { |
| 190 AddCertsToNSS(); | 177 AddCertsToNSS(); |
| 191 TrustCert(newintermediate_.get()); | 178 TrustCert(newintermediate_.get()); |
| 192 ExpectTrustStoreContains( | 179 EXPECT_TRUE(TrustStoreContains( |
| 193 FROM_HERE, target_, | 180 target_, |
| 194 {TrustAnchor::CreateFromCertificateNoConstraints(newintermediate_)}); | 181 {TrustAnchor::CreateFromCertificateNoConstraints(newintermediate_)})); |
| 195 ExpectTrustStoreContains(FROM_HERE, newintermediate_, TrustAnchors()); | 182 EXPECT_TRUE(TrustStoreContains(newintermediate_, TrustAnchors())); |
| 196 ExpectTrustStoreContains(FROM_HERE, oldintermediate_, TrustAnchors()); | 183 EXPECT_TRUE(TrustStoreContains(oldintermediate_, TrustAnchors())); |
| 197 ExpectTrustStoreContains(FROM_HERE, newrootrollover_, TrustAnchors()); | 184 EXPECT_TRUE(TrustStoreContains(newrootrollover_, TrustAnchors())); |
| 198 ExpectTrustStoreContains(FROM_HERE, oldroot_->cert(), TrustAnchors()); | 185 EXPECT_TRUE(TrustStoreContains(oldroot_->cert(), TrustAnchors())); |
| 199 ExpectTrustStoreContains(FROM_HERE, newroot_->cert(), TrustAnchors()); | 186 EXPECT_TRUE(TrustStoreContains(newroot_->cert(), TrustAnchors())); |
| 200 } | 187 } |
| 201 | 188 |
| 202 // Multiple self-signed CA certificates with the same name are trusted. | 189 // Multiple self-signed CA certificates with the same name are trusted. |
| 203 // FindTrustAnchorsForCert should return all these certs on any intermediates | 190 // FindTrustAnchorsForCert should return all these certs on any intermediates |
| 204 // with a matching issuer, and on any matching self-signed/self-issued CA certs. | 191 // with a matching issuer, and on any matching self-signed/self-issued CA certs. |
| 205 TEST_F(TrustStoreNSSTest, MultipleTrustedCAWithSameSubject) { | 192 TEST_F(TrustStoreNSSTest, MultipleTrustedCAWithSameSubject) { |
| 206 AddCertsToNSS(); | 193 AddCertsToNSS(); |
| 207 TrustCert(oldroot_.get()); | 194 TrustCert(oldroot_.get()); |
| 208 TrustCert(newroot_.get()); | 195 TrustCert(newroot_.get()); |
| 209 ExpectTrustStoreContains(FROM_HERE, target_, TrustAnchors()); | 196 EXPECT_TRUE(TrustStoreContains(target_, TrustAnchors())); |
| 210 ExpectTrustStoreContains(FROM_HERE, newintermediate_, {newroot_, oldroot_}); | 197 EXPECT_TRUE(TrustStoreContains(newintermediate_, {newroot_, oldroot_})); |
| 211 ExpectTrustStoreContains(FROM_HERE, oldintermediate_, {newroot_, oldroot_}); | 198 EXPECT_TRUE(TrustStoreContains(oldintermediate_, {newroot_, oldroot_})); |
| 212 ExpectTrustStoreContains(FROM_HERE, oldroot_->cert(), {newroot_, oldroot_}); | 199 EXPECT_TRUE(TrustStoreContains(oldroot_->cert(), {newroot_, oldroot_})); |
| 213 } | |
| 214 | |
| 215 // Cancel a FindTrustAnchorsForCert request before it has returned any results. | |
| 216 // Callback should not be called. | |
| 217 TEST_F(TrustStoreNSSTest, CancelRequest) { | |
| 218 std::unique_ptr<TrustStore::Request> req; | |
| 219 TrustAnchors sync_matches; | |
| 220 trust_store_nss_->FindTrustAnchorsForCert(target_, base::Bind(&NotCalled), | |
| 221 &sync_matches, &req); | |
| 222 ASSERT_TRUE(req); | |
| 223 req.reset(); | |
| 224 base::RunLoop().RunUntilIdle(); | |
| 225 } | |
| 226 | |
| 227 // Cancel a FindTrustAnchorsForCert request during the callback. Should not | |
| 228 // crash. | |
| 229 TEST_F(TrustStoreNSSTest, CancelRequestDuringCallback) { | |
| 230 AddCertsToNSS(); | |
| 231 TrustCert(newroot_.get()); | |
| 232 | |
| 233 base::RunLoop run_loop; | |
| 234 std::unique_ptr<TrustStore::Request> req; | |
| 235 TrustAnchors sync_matches; | |
| 236 trust_store_nss_->FindTrustAnchorsForCert( | |
| 237 newintermediate_, | |
| 238 base::Bind(&TrustStoreRequestDeleter, &req, run_loop.QuitClosure()), | |
| 239 &sync_matches, &req); | |
| 240 ASSERT_TRUE(req); | |
| 241 run_loop.Run(); | |
| 242 ASSERT_FALSE(req); | |
| 243 base::RunLoop().RunUntilIdle(); | |
| 244 } | 200 } |
| 245 | 201 |
| 246 } // namespace | 202 } // namespace |
| 247 | 203 |
| 248 } // namespace net | 204 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2453093004:
Remove dependence on a message loop for net::PathBuilder. (Closed)
