| Index: chromeos/cert_loader_unittest.cc
|
| diff --git a/chromeos/cert_loader_unittest.cc b/chromeos/cert_loader_unittest.cc
|
| index 405cf29d91a1a4608552380c5661ccb840ca1972..404e9bb4c9065411e14ec08e3f205d039d4d2b19 100644
|
| --- a/chromeos/cert_loader_unittest.cc
|
| +++ b/chromeos/cert_loader_unittest.cc
|
| @@ -38,6 +38,20 @@ bool IsCertInCertificateList(const net::X509Certificate* cert,
|
| return false;
|
| }
|
|
|
| +size_t CountCertOccurencesInCertificateList(
|
| + const net::X509Certificate* cert,
|
| + const net::CertificateList& cert_list) {
|
| + size_t count = 0;
|
| + for (net::CertificateList::const_iterator it = cert_list.begin();
|
| + it != cert_list.end(); ++it) {
|
| + if (net::X509Certificate::IsSameOSCert((*it)->os_cert_handle(),
|
| + cert->os_cert_handle())) {
|
| + ++count;
|
| + }
|
| + }
|
| + return count;
|
| +}
|
| +
|
| class TestNSSCertDatabase : public net::NSSCertDatabaseChromeOS {
|
| public:
|
| TestNSSCertDatabase(crypto::ScopedPK11Slot public_slot,
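Review bot: The new helper's name misspells "Occurrences" (`CountCertOccurencesInCertificateList`), and the typo is already propagated to its only caller in the last hunk of this file; renaming now, `size_t CountCertOccurrencesInCertificateList(`, keeps the test file greppable before more callers appear. Inside the loop, `cert->os_cert_handle()` is re-evaluated on every iteration although it does not depend on the iteration; hoisting it, `net::X509Certificate::OSCertHandle handle = cert->os_cert_handle();` before the loop and comparing against `handle`, reads more clearly. A one-line comment above the function stating that matching uses `IsSameOSCert` (i.e. the same underlying OS certificate, not pointer identity) would also make the relationship to `IsCertInCertificateList` just above it explicit.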
|
| @@ -52,6 +66,18 @@ class TestNSSCertDatabase : public net::NSSCertDatabaseChromeOS {
|
| }
|
| };
|
|
|
| +// Describes a client certificate along with a key, stored in
|
| +// net::GetTestCertsDirectory().
|
| +struct TestClientCertWithKey {
|
| + const char* cert_pem_filename;
|
| + const char* key_pk8_filename;
|
| +};
|
| +
|
| +const TestClientCertWithKey TEST_CLIENT_CERT_1 = {"client_1.pem",
|
| + "client_1.pk8"};
|
| +const TestClientCertWithKey TEST_CLIENT_CERT_2 = {"client_2.pem",
|
| + "client_2.pk8"};
|
| +
|
| class CertLoaderTest : public testing::Test,
|
| public CertLoader::Observer {
|
| public:
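Review bot: The new constants `TEST_CLIENT_CERT_1` and `TEST_CLIENT_CERT_2` use ALL_CAPS, which in this codebase is reserved for macros; file-scope constants are conventionally named `kTestClientCert1` / `kTestClientCert2`. Since `TestClientCertWithKey` is an aggregate of two `const char*`, the definitions can also be `constexpr`, e.g. `constexpr TestClientCertWithKey kTestClientCert1 = {"client_1.pem", "client_1.pk8"};`, so the table lives in read-only data. The struct comment could additionally note that the two filenames are looked up relative to `net::GetTestCertsDirectory()` by `ImportClientCertAndKey`, which is where they are consumed.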
|
| @@ -78,7 +104,7 @@ class CertLoaderTest : public testing::Test,
|
| protected:
|
| void StartCertLoaderWithPrimaryDB() {
|
| CreateCertDatabase(&primary_db_, &primary_certdb_);
|
| - cert_loader_->StartWithNSSDB(primary_certdb_.get());
|
| + cert_loader_->StartWithUserNSSDB(primary_certdb_.get());
|
|
|
| base::RunLoop().RunUntilIdle();
|
| GetAndResetCertificatesLoadedEventsCount();
|
| @@ -89,7 +115,7 @@ class CertLoaderTest : public testing::Test,
|
| void StartCertLoaderWithPrimaryDBAndSystemToken() {
|
| CreateCertDatabase(&primary_db_, &primary_certdb_);
|
| AddSystemToken(primary_certdb_.get());
|
| - cert_loader_->StartWithNSSDB(primary_certdb_.get());
|
| + cert_loader_->StartWithUserNSSDB(primary_certdb_.get());
|
|
|
| base::RunLoop().RunUntilIdle();
|
| GetAndResetCertificatesLoadedEventsCount();
|
| @@ -140,27 +166,45 @@ class CertLoaderTest : public testing::Test,
|
| ASSERT_TRUE(failed.empty());
|
| }
|
|
|
| - // Import a client cert and key into a PKCS11 slot. Then notify
|
| - // |database_to_notify| (which is presumably using that slot) that new
|
| - // certificates are available.
|
| + // Import a client cert described by |test_cert| and key into a PKCS11 slot.
|
| + // Then notify |database_to_notify| (which is presumably using that slot) that
|
| + // new certificates are available.
|
| scoped_refptr<net::X509Certificate> ImportClientCertAndKey(
|
| TestNSSCertDatabase* database_to_notify,
|
| - PK11SlotInfo* slot_to_use) {
|
| + PK11SlotInfo* slot_to_use,
|
| + const TestClientCertWithKey& test_cert) {
|
| // Import a client cert signed by that CA.
|
| scoped_refptr<net::X509Certificate> client_cert(
|
| - net::ImportClientCertAndKeyFromFile(net::GetTestCertsDirectory(),
|
| - "client_1.pem", "client_1.pk8",
|
| - slot_to_use));
|
| + net::ImportClientCertAndKeyFromFile(
|
| + net::GetTestCertsDirectory(), test_cert.cert_pem_filename,
|
| + test_cert.key_pk8_filename, slot_to_use));
|
| database_to_notify->NotifyObserversCertDBChanged();
|
| return client_cert;
|
| }
|
|
|
| + // Import |TEST_CLIENT_CERT_1| into a PKCS11 slot. Then notify
|
| + // |database_to_notify| (which is presumably using that slot) that new
|
| + // certificates are avialable.
|
| + scoped_refptr<net::X509Certificate> ImportClientCertAndKey(
|
| + TestNSSCertDatabase* database_to_notify,
|
| + PK11SlotInfo* slot_to_use) {
|
| + return ImportClientCertAndKey(database_to_notify, slot_to_use,
|
| + TEST_CLIENT_CERT_1);
|
| + }
|
| +
|
| // Import a client cert into |database|'s private slot.
|
| scoped_refptr<net::X509Certificate> ImportClientCertAndKey(
|
| TestNSSCertDatabase* database) {
|
| return ImportClientCertAndKey(database, database->GetPrivateSlot().get());
|
| }
|
|
|
| + // Adds the PKCS11 slot from |system_db_| to |certdb| as system slot.
|
| + void AddSystemToken(TestNSSCertDatabase* certdb) {
|
| + ASSERT_TRUE(system_db_.is_open());
|
| + certdb->SetSystemSlot(
|
| + crypto::ScopedPK11Slot(PK11_ReferenceSlot(system_db_.slot())));
|
| + }
|
| +
|
| CertLoader* cert_loader_;
|
|
|
| // The user is primary as the one whose certificates CertLoader handles, it
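Review bot: The comment on the new two-argument `ImportClientCertAndKey` overload has a typo, "avialable", which should read `// certificates are available.`. The reworded comment on the three-argument overload, "Import a client cert described by |test_cert| and key into a PKCS11 slot", reads as if only the cert is described by |test_cert|; since the struct carries both filenames, `// Import the client cert and key described by |test_cert| into a PKCS11 slot.` is more accurate. The retained line `// Import a client cert signed by that CA.` inside that overload no longer refers to anything in the function now that the cert is parameterized, so it should be dropped or reworded to say which file pair is imported. `AddSystemToken` is moved verbatim from the private section to the protected section so the new tests can call it; its body is unchanged, so nothing further to raise there.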
|
| @@ -172,32 +216,30 @@ class CertLoaderTest : public testing::Test,
|
| // Additional NSS DB simulating the system token.
|
| crypto::ScopedTestNSSDB system_db_;
|
|
|
| + // A NSSCertDatabase which only uses the system token (simulated by
|
| + // system_db_).
|
| + std::unique_ptr<TestNSSCertDatabase> system_certdb_;
|
| +
|
| base::MessageLoop message_loop_;
|
|
|
| private:
|
| - // Adds the PKCS11 slot from |system_db_| to |certdb| as system slot.
|
| - void AddSystemToken(TestNSSCertDatabase* certdb) {
|
| - ASSERT_TRUE(system_db_.is_open());
|
| - certdb->SetSystemSlot(
|
| - crypto::ScopedPK11Slot(PK11_ReferenceSlot(system_db_.slot())));
|
| - }
|
| -
|
| base::test::ScopedTaskScheduler scoped_task_scheduler_;
|
| size_t certificates_loaded_events_count_;
|
| };
|
|
|
| } // namespace
|
|
|
| -TEST_F(CertLoaderTest, Basic) {
|
| +TEST_F(CertLoaderTest, BasicOnlyUserDB) {
|
| EXPECT_FALSE(cert_loader_->CertificatesLoading());
|
| EXPECT_FALSE(cert_loader_->certificates_loaded());
|
|
|
| CreateCertDatabase(&primary_db_, &primary_certdb_);
|
| - cert_loader_->StartWithNSSDB(primary_certdb_.get());
|
| + cert_loader_->StartWithUserNSSDB(primary_certdb_.get());
|
|
|
| EXPECT_FALSE(cert_loader_->certificates_loaded());
|
| EXPECT_TRUE(cert_loader_->CertificatesLoading());
|
| EXPECT_TRUE(cert_loader_->all_certs().empty());
|
| + EXPECT_TRUE(cert_loader_->system_certs().empty());
|
|
|
| ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
|
| base::RunLoop().RunUntilIdle();
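Review bot: The comment on the new `system_certdb_` member should read `// An NSSCertDatabase which only uses the system token (simulated by` rather than "A NSSCertDatabase". It would also help a reader to state that, unlike `primary_certdb_`, this member is only populated by tests that call `CreateCertDatabase(&system_db_, &system_certdb_)` and is passed to `StartWithSystemNSSDB`, since the member otherwise looks symmetric with the primary database but is left null in the user-only tests.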
|
| @@ -208,6 +250,140 @@ TEST_F(CertLoaderTest, Basic) {
|
|
|
| // Default CA cert roots should get loaded.
|
| EXPECT_FALSE(cert_loader_->all_certs().empty());
|
| + EXPECT_TRUE(cert_loader_->system_certs().empty());
|
| +}
|
| +
|
| +TEST_F(CertLoaderTest, BasicOnlySystemDB) {
|
| + EXPECT_FALSE(cert_loader_->CertificatesLoading());
|
| + EXPECT_FALSE(cert_loader_->certificates_loaded());
|
| +
|
| + CreateCertDatabase(&system_db_, &system_certdb_);
|
| + cert_loader_->StartWithSystemNSSDB(system_certdb_.get());
|
| +
|
| + EXPECT_FALSE(cert_loader_->certificates_loaded());
|
| + EXPECT_TRUE(cert_loader_->CertificatesLoading());
|
| + EXPECT_TRUE(cert_loader_->all_certs().empty());
|
| +
|
| + ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
|
| + base::RunLoop().RunUntilIdle();
|
| + EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
|
| +
|
| + EXPECT_TRUE(cert_loader_->certificates_loaded());
|
| + EXPECT_FALSE(cert_loader_->CertificatesLoading());
|
| +
|
| + // Default CA cert roots should get loaded.
|
| + EXPECT_FALSE(cert_loader_->all_certs().empty());
|
| +}
|
| +
|
| +// Tests the CertLoader with a system DB and then with an additional user DB
|
| +// which does not have access to the system token.
|
| +TEST_F(CertLoaderTest, SystemAndUnaffiliatedUserDB) {
|
| + CreateCertDatabase(&system_db_, &system_certdb_);
|
| + scoped_refptr<net::X509Certificate> system_token_cert(ImportClientCertAndKey(
|
| + system_certdb_.get(), system_db_.slot(), TEST_CLIENT_CERT_1));
|
| +
|
| + CreateCertDatabase(&primary_db_, &primary_certdb_);
|
| + scoped_refptr<net::X509Certificate> user_token_cert(ImportClientCertAndKey(
|
| + primary_certdb_.get(), primary_db_.slot(), TEST_CLIENT_CERT_2));
|
| +
|
| + base::RunLoop().RunUntilIdle();
|
| +
|
| + EXPECT_FALSE(cert_loader_->CertificatesLoading());
|
| + EXPECT_FALSE(cert_loader_->certificates_loaded());
|
| +
|
| + cert_loader_->StartWithSystemNSSDB(system_certdb_.get());
|
| +
|
| + EXPECT_FALSE(cert_loader_->certificates_loaded());
|
| + EXPECT_TRUE(cert_loader_->CertificatesLoading());
|
| + EXPECT_TRUE(cert_loader_->all_certs().empty());
|
| + EXPECT_TRUE(cert_loader_->system_certs().empty());
|
| +
|
| + ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
|
| + base::RunLoop().RunUntilIdle();
|
| + EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
|
| +
|
| + EXPECT_TRUE(cert_loader_->certificates_loaded());
|
| + EXPECT_FALSE(cert_loader_->CertificatesLoading());
|
| +
|
| + EXPECT_TRUE(IsCertInCertificateList(system_token_cert.get(),
|
| + cert_loader_->system_certs()));
|
| + EXPECT_TRUE(IsCertInCertificateList(system_token_cert.get(),
|
| + cert_loader_->all_certs()));
|
| +
|
| + cert_loader_->StartWithUserNSSDB(primary_certdb_.get());
|
| +
|
| + EXPECT_TRUE(cert_loader_->certificates_loaded());
|
| + EXPECT_TRUE(cert_loader_->CertificatesLoading());
|
| + EXPECT_FALSE(cert_loader_->all_certs().empty());
|
| + EXPECT_FALSE(cert_loader_->system_certs().empty());
|
| +
|
| + ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
|
| + base::RunLoop().RunUntilIdle();
|
| + EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
|
| +
|
| + EXPECT_TRUE(cert_loader_->certificates_loaded());
|
| + EXPECT_FALSE(cert_loader_->CertificatesLoading());
|
| +
|
| + EXPECT_FALSE(IsCertInCertificateList(user_token_cert.get(),
|
| + cert_loader_->system_certs()));
|
| + EXPECT_TRUE(IsCertInCertificateList(user_token_cert.get(),
|
| + cert_loader_->all_certs()));
|
| +}
|
| +
|
| +// Tests the CertLoader with a system DB and then with an additional user DB
|
| +// which has access to the system token.
|
| +TEST_F(CertLoaderTest, SystemAndAffiliatedUserDB) {
|
| + CreateCertDatabase(&system_db_, &system_certdb_);
|
| + scoped_refptr<net::X509Certificate> system_token_cert(ImportClientCertAndKey(
|
| + system_certdb_.get(), system_db_.slot(), TEST_CLIENT_CERT_1));
|
| +
|
| + CreateCertDatabase(&primary_db_, &primary_certdb_);
|
| + scoped_refptr<net::X509Certificate> user_token_cert(ImportClientCertAndKey(
|
| + primary_certdb_.get(), primary_db_.slot(), TEST_CLIENT_CERT_2));
|
| +
|
| + AddSystemToken(primary_certdb_.get());
|
| + base::RunLoop().RunUntilIdle();
|
| +
|
| + EXPECT_FALSE(cert_loader_->CertificatesLoading());
|
| + EXPECT_FALSE(cert_loader_->certificates_loaded());
|
| +
|
| + cert_loader_->StartWithSystemNSSDB(system_certdb_.get());
|
| +
|
| + EXPECT_FALSE(cert_loader_->certificates_loaded());
|
| + EXPECT_TRUE(cert_loader_->CertificatesLoading());
|
| + EXPECT_TRUE(cert_loader_->all_certs().empty());
|
| + EXPECT_TRUE(cert_loader_->system_certs().empty());
|
| +
|
| + ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
|
| + base::RunLoop().RunUntilIdle();
|
| + EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
|
| +
|
| + EXPECT_TRUE(cert_loader_->certificates_loaded());
|
| + EXPECT_FALSE(cert_loader_->CertificatesLoading());
|
| +
|
| + EXPECT_TRUE(IsCertInCertificateList(system_token_cert.get(),
|
| + cert_loader_->system_certs()));
|
| + EXPECT_TRUE(IsCertInCertificateList(system_token_cert.get(),
|
| + cert_loader_->all_certs()));
|
| +
|
| + cert_loader_->StartWithUserNSSDB(primary_certdb_.get());
|
| +
|
| + EXPECT_TRUE(cert_loader_->certificates_loaded());
|
| + EXPECT_TRUE(cert_loader_->CertificatesLoading());
|
| + EXPECT_FALSE(cert_loader_->all_certs().empty());
|
| + EXPECT_FALSE(cert_loader_->system_certs().empty());
|
| +
|
| + ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
|
| + base::RunLoop().RunUntilIdle();
|
| + EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
|
| +
|
| + EXPECT_TRUE(cert_loader_->certificates_loaded());
|
| + EXPECT_FALSE(cert_loader_->CertificatesLoading());
|
| +
|
| + EXPECT_FALSE(IsCertInCertificateList(user_token_cert.get(),
|
| + cert_loader_->system_certs()));
|
| + EXPECT_EQ(1U, CountCertOccurencesInCertificateList(
|
| + user_token_cert.get(), cert_loader_->all_certs()));
|
| }
|
|
|
| TEST_F(CertLoaderTest, CertLoaderUpdatesCertListOnNewCert) {
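Review bot: In `SystemAndAffiliatedUserDB` the final duplicate check counts `user_token_cert` in `all_certs()`, but the certificate that could plausibly be reported twice once the affiliated user DB also sees the system slot is `system_token_cert`, which is in both the system list and the user DB's view; the test does not re-check it after `StartWithUserNSSDB`, so `EXPECT_EQ(1U, CountCertOccurencesInCertificateList(system_token_cert.get(), cert_loader_->all_certs()));` (with the spelling corrected if the helper is renamed) after the second load would pin the de-duplication this test appears to be written for. The same applies to `SystemAndUnaffiliatedUserDB`, where `system_token_cert` is not re-asserted as still present in `system_certs()` and `all_certs()` after the user DB is started. `BasicOnlySystemDB` asserts only on `all_certs()` after loading, whereas `BasicOnlyUserDB` also asserts on `system_certs()`; if the intended behaviour is that a system-DB-only start leaves `system_certs()` empty when no cert sits in the system slot, adding that expectation would catch the default roots being misclassified as system certs. Both new tests also import `TEST_CLIENT_CERT_1` and `TEST_CLIENT_CERT_2` before the loader is started; a short comment saying that this is deliberate, so the initial load already sees both certs, would explain the ordering.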
|
|
|