| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chromeos/cert_loader.h" | 5 #include "chromeos/cert_loader.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 | 8 |
| 9 #include <memory> | 9 #include <memory> |
| 10 #include <utility> | 10 #include <utility> |
| 73 | 73 |
| 74 protected: | 74 protected: |
| 75 void StartCertLoaderWithPrimaryDB() { | 75 void StartCertLoaderWithPrimaryDB() { |
| 76 CreateCertDatabase(&primary_db_, &primary_certdb_); | 76 CreateCertDatabase(&primary_db_, &primary_certdb_); |
| 77 cert_loader_->StartWithNSSDB(primary_certdb_.get()); | 77 cert_loader_->StartWithNSSDB(primary_certdb_.get()); |
| 78 | 78 |
| 79 base::RunLoop().RunUntilIdle(); | 79 base::RunLoop().RunUntilIdle(); |
| 80 GetAndResetCertificatesLoadedEventsCount(); | 80 GetAndResetCertificatesLoadedEventsCount(); |
| 81 } | 81 } |
| 82 | 82 |
| 83 void StartCertLoaderWithPrimaryDBAndSystemToken() { | |
| 84 CreateCertDatabase(&primary_db_, &primary_certdb_); | |
| 85 AddSystemToken(primary_certdb_.get()); | |
| 86 cert_loader_->StartWithNSSDB(primary_certdb_.get()); | |
| 87 | |
| 88 base::RunLoop().RunUntilIdle(); | |
| 89 GetAndResetCertificatesLoadedEventsCount(); | |
| 90 } | |
| 91 | |
| 83 // CertLoader::Observer: | 92 // CertLoader::Observer: |
| 84 // The test keeps count of times the observer method was called. | 93 // The test keeps count of times the observer method was called. |
| 85 void OnCertificatesLoaded(const net::CertificateList& cert_list, | 94 void OnCertificatesLoaded(const net::CertificateList& cert_list, |
| 86 bool initial_load) override { | 95 bool initial_load) override { |
| 87 EXPECT_TRUE(certificates_loaded_events_count_ == 0 || !initial_load); | 96 EXPECT_TRUE(certificates_loaded_events_count_ == 0 || !initial_load); |
| 88 certificates_loaded_events_count_++; | 97 certificates_loaded_events_count_++; |
| 89 } | 98 } |
| 90 | 99 |
| 91 // Returns the number of |OnCertificatesLoaded| calls observed since the | 100 // Returns the number of |OnCertificatesLoaded| calls observed since the |
| 92 // last call to this method equals |value|. | 101 // last call to this method equals |value|. |
| 93 size_t GetAndResetCertificatesLoadedEventsCount() { | 102 size_t GetAndResetCertificatesLoadedEventsCount() { |
| 94 size_t result = certificates_loaded_events_count_; | 103 size_t result = certificates_loaded_events_count_; |
| 95 certificates_loaded_events_count_ = 0; | 104 certificates_loaded_events_count_ = 0; |
| 96 return result; | 105 return result; |
| 97 } | 106 } |
| 98 | 107 |
| 99 void CreateCertDatabase(crypto::ScopedTestNSSDB* db, | 108 void CreateCertDatabase(crypto::ScopedTestNSSDB* db, |
| 100 std::unique_ptr<TestNSSCertDatabase>* certdb) { | 109 std::unique_ptr<TestNSSCertDatabase>* certdb) { |
| 101 ASSERT_TRUE(db->is_open()); | 110 ASSERT_TRUE(db->is_open()); |
| 102 | 111 |
| 103 certdb->reset(new TestNSSCertDatabase( | 112 certdb->reset(new TestNSSCertDatabase( |
| 104 crypto::ScopedPK11Slot(PK11_ReferenceSlot(db->slot())), | 113 crypto::ScopedPK11Slot(PK11_ReferenceSlot(db->slot())), |
| 105 crypto::ScopedPK11Slot(PK11_ReferenceSlot(db->slot())))); | 114 crypto::ScopedPK11Slot(PK11_ReferenceSlot(db->slot())))); |
| 106 (*certdb)->SetSlowTaskRunnerForTest(message_loop_.task_runner()); | 115 (*certdb)->SetSlowTaskRunnerForTest(message_loop_.task_runner()); |
| 107 } | 116 } |
| 108 | 117 |
| 118 void AddSystemToken(TestNSSCertDatabase* certdb) { | |
|
emaxx
2017/04/20 20:10:39
nit: As this method is not going to be used from t
pmarko
2017/04/24 14:49:56
Done.
| |
| 119 ASSERT_TRUE(system_db_.is_open()); | |
| 120 certdb->SetSystemSlot( | |
| 121 crypto::ScopedPK11Slot(PK11_ReferenceSlot(system_db_.slot()))); | |
| 122 } | |
| 123 | |
| 109 void ImportCACert(const std::string& cert_file, | 124 void ImportCACert(const std::string& cert_file, |
| 110 net::NSSCertDatabase* database, | 125 net::NSSCertDatabase* database, |
| 111 net::CertificateList* imported_certs) { | 126 net::CertificateList* imported_certs) { |
| 112 ASSERT_TRUE(database); | 127 ASSERT_TRUE(database); |
| 113 ASSERT_TRUE(imported_certs); | 128 ASSERT_TRUE(imported_certs); |
| 114 | 129 |
| 115 *imported_certs = net::CreateCertificateListFromFile( | 130 *imported_certs = net::CreateCertificateListFromFile( |
| 116 net::GetTestCertsDirectory(), | 131 net::GetTestCertsDirectory(), |
| 117 cert_file, | 132 cert_file, |
| 118 net::X509Certificate::FORMAT_AUTO); | 133 net::X509Certificate::FORMAT_AUTO); |
| 119 ASSERT_EQ(1U, imported_certs->size()); | 134 ASSERT_EQ(1U, imported_certs->size()); |
| 120 | 135 |
| 121 net::NSSCertDatabase::ImportCertFailureList failed; | 136 net::NSSCertDatabase::ImportCertFailureList failed; |
| 122 ASSERT_TRUE(database->ImportCACerts(*imported_certs, | 137 ASSERT_TRUE(database->ImportCACerts(*imported_certs, |
| 123 net::NSSCertDatabase::TRUST_DEFAULT, | 138 net::NSSCertDatabase::TRUST_DEFAULT, |
| 124 &failed)); | 139 &failed)); |
| 125 ASSERT_TRUE(failed.empty()); | 140 ASSERT_TRUE(failed.empty()); |
| 126 } | 141 } |
| 127 | 142 |
| 143 // Import a client cert and key into a PKCS 11 slot. Then notify | |
|
emaxx
2017/04/20 20:10:39
nit: s/PKCS 11/PKCS11/
pmarko
2017/04/24 14:49:55
Done.
| |
| 144 // |database_to_notify| (which is presumably using that slot) that new | |
| 145 // certificates are available. | |
| 128 scoped_refptr<net::X509Certificate> ImportClientCertAndKey( | 146 scoped_refptr<net::X509Certificate> ImportClientCertAndKey( |
| 129 TestNSSCertDatabase* database) { | 147 TestNSSCertDatabase* database_to_notify, |
| 148 PK11SlotInfo* slot_to_use) { | |
| 130 // Import a client cert signed by that CA. | 149 // Import a client cert signed by that CA. |
| 131 scoped_refptr<net::X509Certificate> client_cert( | 150 scoped_refptr<net::X509Certificate> client_cert( |
| 132 net::ImportClientCertAndKeyFromFile(net::GetTestCertsDirectory(), | 151 net::ImportClientCertAndKeyFromFile(net::GetTestCertsDirectory(), |
| 133 "client_1.pem", "client_1.pk8", | 152 "client_1.pem", "client_1.pk8", |
| 134 database->GetPrivateSlot().get())); | 153 slot_to_use)); |
| 135 database->NotifyOfCertAdded(client_cert.get()); | 154 database_to_notify->NotifyOfCertAdded(client_cert.get()); |
|
emaxx
2017/04/20 20:10:39
Looks like this parameter is actually unused, so p
pmarko
2017/04/24 14:49:55
Done.
| |
| 136 return client_cert; | 155 return client_cert; |
| 137 } | 156 } |
| 138 | 157 |
| 158 // Import a client cert into |database|'s private slot. | |
| 159 scoped_refptr<net::X509Certificate> ImportClientCertAndKey( | |
| 160 TestNSSCertDatabase* database) { | |
| 161 return ImportClientCertAndKey(database, database->GetPrivateSlot().get()); | |
| 162 } | |
| 163 | |
| 139 CertLoader* cert_loader_; | 164 CertLoader* cert_loader_; |
| 140 | 165 |
| 141 // The user is primary as the one whose certificates CertLoader handles, it | 166 // The user is primary as the one whose certificates CertLoader handles, it |
| 142 // has nothing to do with crypto::InitializeNSSForChromeOSUser is_primary_user | 167 // has nothing to do with crypto::InitializeNSSForChromeOSUser is_primary_user |
| 143 // parameter (which is irrelevant for these tests). | 168 // parameter (which is irrelevant for these tests). |
| 144 crypto::ScopedTestNSSDB primary_db_; | 169 crypto::ScopedTestNSSDB primary_db_; |
| 145 std::unique_ptr<TestNSSCertDatabase> primary_certdb_; | 170 std::unique_ptr<TestNSSCertDatabase> primary_certdb_; |
| 146 | 171 |
| 172 // Additional NSS DB simulating the system token. | |
| 173 crypto::ScopedTestNSSDB system_db_; | |
| 174 | |
| 147 base::MessageLoop message_loop_; | 175 base::MessageLoop message_loop_; |
| 148 | 176 |
| 149 private: | 177 private: |
| 150 size_t certificates_loaded_events_count_; | 178 size_t certificates_loaded_events_count_; |
| 151 }; | 179 }; |
| 152 | 180 |
| 153 } // namespace | 181 } // namespace |
| 154 | 182 |
| 155 TEST_F(CertLoaderTest, Basic) { | 183 TEST_F(CertLoaderTest, Basic) { |
| 156 EXPECT_FALSE(cert_loader_->CertificatesLoading()); | 184 EXPECT_FALSE(cert_loader_->CertificatesLoading()); |
| 218 scoped_refptr<net::X509Certificate> cert( | 246 scoped_refptr<net::X509Certificate> cert( |
| 219 ImportClientCertAndKey(primary_certdb_.get())); | 247 ImportClientCertAndKey(primary_certdb_.get())); |
| 220 | 248 |
| 221 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); | 249 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); |
| 222 base::RunLoop().RunUntilIdle(); | 250 base::RunLoop().RunUntilIdle(); |
| 223 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); | 251 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); |
| 224 | 252 |
| 225 EXPECT_TRUE(IsCertInCertificateList(cert.get(), cert_loader_->cert_list())); | 253 EXPECT_TRUE(IsCertInCertificateList(cert.get(), cert_loader_->cert_list())); |
| 226 } | 254 } |
| 227 | 255 |
| 256 TEST_F(CertLoaderTest, ClientLoaderUpdateOnNewClientCertInSystemToken) { | |
| 257 StartCertLoaderWithPrimaryDBAndSystemToken(); | |
| 258 | |
| 259 EXPECT_TRUE(cert_loader_->system_cert_list().empty()); | |
| 260 scoped_refptr<net::X509Certificate> cert(ImportClientCertAndKey( | |
| 261 primary_certdb_.get(), primary_certdb_->GetSystemSlot().get())); | |
| 262 | |
| 263 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); | |
| 264 base::RunLoop().RunUntilIdle(); | |
| 265 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); | |
| 266 | |
| 267 EXPECT_TRUE(IsCertInCertificateList(cert.get(), cert_loader_->cert_list())); | |
| 268 EXPECT_EQ(1U, cert_loader_->system_cert_list().size()); | |
| 269 EXPECT_TRUE( | |
| 270 IsCertInCertificateList(cert.get(), cert_loader_->system_cert_list())); | |
| 271 } | |
| 272 | |
| 228 TEST_F(CertLoaderTest, CertLoaderNoUpdateOnNewClientCertInSecondaryDb) { | 273 TEST_F(CertLoaderTest, CertLoaderNoUpdateOnNewClientCertInSecondaryDb) { |
| 229 crypto::ScopedTestNSSDB secondary_db; | 274 crypto::ScopedTestNSSDB secondary_db; |
| 230 std::unique_ptr<TestNSSCertDatabase> secondary_certdb; | 275 std::unique_ptr<TestNSSCertDatabase> secondary_certdb; |
| 231 | 276 |
| 232 StartCertLoaderWithPrimaryDB(); | 277 StartCertLoaderWithPrimaryDB(); |
| 233 CreateCertDatabase(&secondary_db, &secondary_certdb); | 278 CreateCertDatabase(&secondary_db, &secondary_certdb); |
| 234 | 279 |
| 235 scoped_refptr<net::X509Certificate> cert( | 280 scoped_refptr<net::X509Certificate> cert( |
| 236 ImportClientCertAndKey(secondary_certdb.get())); | 281 ImportClientCertAndKey(secondary_certdb.get())); |
| 237 | 282 |
| 277 ASSERT_TRUE(primary_certdb_->SetCertTrust(certs[0].get(), net::CA_CERT, | 322 ASSERT_TRUE(primary_certdb_->SetCertTrust(certs[0].get(), net::CA_CERT, |
| 278 net::NSSCertDatabase::TRUSTED_SSL)); | 323 net::NSSCertDatabase::TRUSTED_SSL)); |
| 279 | 324 |
| 280 // Cert trust change should trigger certificate reload in cert_loader_. | 325 // Cert trust change should trigger certificate reload in cert_loader_. |
| 281 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); | 326 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); |
| 282 base::RunLoop().RunUntilIdle(); | 327 base::RunLoop().RunUntilIdle(); |
| 283 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); | 328 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); |
| 284 } | 329 } |
| 285 | 330 |
| 286 } // namespace chromeos | 331 } // namespace chromeos |
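Review bot: In the new `StartCertLoaderWithPrimaryDBAndSystemToken()` (new lines 83–90) a fatal assertion inside `CreateCertDatabase()` only returns from that helper, so the fixture then calls `AddSystemToken(primary_certdb_.get())` on a `primary_certdb_` that was never reset, and `certdb->SetSystemSlot(...)` at new line 120 dereferences null instead of reporting the assertion cleanly. The same applies one level up: the new test at line 257 calls the helper and continues into `primary_certdb_->GetSystemSlot()` regardless of whether it succeeded. Wrapping the nested helper calls propagates the failure: `ASSERT_NO_FATAL_FAILURE(CreateCertDatabase(&primary_db_, &primary_certdb_));` and `ASSERT_NO_FATAL_FAILURE(AddSystemToken(primary_certdb_.get()));`, with the test doing `ASSERT_NO_FATAL_FAILURE(StartCertLoaderWithPrimaryDBAndSystemToken());`. The pre-existing `StartCertLoaderWithPrimaryDB()` has the same shape, so fixing both keeps the two setup helpers consistent.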