Index: chromeos/cert_loader_unittest.cc |
diff --git a/chromeos/cert_loader_unittest.cc b/chromeos/cert_loader_unittest.cc |
index 405cf29d91a1a4608552380c5661ccb840ca1972..4d7b96c4112e1d31997215a35155e1db9dde4a33 100644 |
--- a/chromeos/cert_loader_unittest.cc |
+++ b/chromeos/cert_loader_unittest.cc |
@@ -38,6 +38,20 @@ bool IsCertInCertificateList(const net::X509Certificate* cert, |
return false; |
} |
+size_t CountCertOccurencesInCertificateList( |
+ const net::X509Certificate* cert, |
+ const net::CertificateList& cert_list) { |
+ size_t count = 0; |
+ for (net::CertificateList::const_iterator it = cert_list.begin(); |
+ it != cert_list.end(); ++it) { |
+ if (net::X509Certificate::IsSameOSCert((*it)->os_cert_handle(), |
+ cert->os_cert_handle())) { |
+ ++count; |
+ } |
+ } |
+ return count; |
+} |
+ |
class TestNSSCertDatabase : public net::NSSCertDatabaseChromeOS { |
public: |
TestNSSCertDatabase(crypto::ScopedPK11Slot public_slot, |
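Review bot: The new helper's name is misspelled ("Occurences"), and since it is referenced again in the later test hunk, the typo would otherwise be baked into two places; `size_t CountCertOccurrencesInCertificateList(` is the intended spelling. The loop also repeats the IsSameOSCert comparison that IsCertInCertificateList already does (that function starts above this hunk), so IsCertInCertificateList could be reduced to `return CountCertOccurrencesInCertificateList(cert, cert_list) > 0;` to keep a single comparison site. A range-for over `cert_list` would also read more simply than the explicit const_iterator.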
@@ -52,6 +66,18 @@ class TestNSSCertDatabase : public net::NSSCertDatabaseChromeOS { |
} |
}; |
+// Describes a client certificate along with a key, stored in |
+// net::GetTestCertsDirectory(). |
+struct TestClientCertWithKey { |
+ const char* cert_pem_filename; |
+ const char* key_pk8_filename; |
+}; |
+ |
+const TestClientCertWithKey TEST_CLIENT_CERT_1 = {"client_1.pem", |
+ "client_1.pk8"}; |
+const TestClientCertWithKey TEST_CLIENT_CERT_2 = {"client_2.pem", |
+ "client_2.pk8"}; |
+ |
class CertLoaderTest : public testing::Test, |
public CertLoader::Observer { |
public: |
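Review bot: The two fixture constants use ALL_CAPS names, which in this codebase is the macro convention; namespace-scope constants are normally `kCamelCase`, e.g. `constexpr TestClientCertWithKey kTestClientCert1 = {"client_1.pem", "client_1.pk8"};` and likewise `kTestClientCert2`. Their uses in the later test hunk would need the same rename. Marking them `constexpr` also documents that they are compile-time data rather than objects with dynamic initialization.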
@@ -78,7 +104,7 @@ class CertLoaderTest : public testing::Test, |
protected: |
void StartCertLoaderWithPrimaryDB() { |
CreateCertDatabase(&primary_db_, &primary_certdb_); |
- cert_loader_->StartWithNSSDB(primary_certdb_.get()); |
+ cert_loader_->SetUserNSSDB(primary_certdb_.get()); |
base::RunLoop().RunUntilIdle(); |
GetAndResetCertificatesLoadedEventsCount(); |
@@ -89,7 +115,7 @@ class CertLoaderTest : public testing::Test, |
void StartCertLoaderWithPrimaryDBAndSystemToken() { |
CreateCertDatabase(&primary_db_, &primary_certdb_); |
AddSystemToken(primary_certdb_.get()); |
- cert_loader_->StartWithNSSDB(primary_certdb_.get()); |
+ cert_loader_->SetUserNSSDB(primary_certdb_.get()); |
base::RunLoop().RunUntilIdle(); |
GetAndResetCertificatesLoadedEventsCount(); |
@@ -140,27 +166,45 @@ class CertLoaderTest : public testing::Test, |
ASSERT_TRUE(failed.empty()); |
} |
- // Import a client cert and key into a PKCS11 slot. Then notify |
- // |database_to_notify| (which is presumably using that slot) that new |
- // certificates are available. |
+ // Import a client cert described by |test_cert| and key into a PKCS11 slot. |
+ // Then notify |database_to_notify| (which is presumably using that slot) that |
+ // new certificates are available. |
scoped_refptr<net::X509Certificate> ImportClientCertAndKey( |
TestNSSCertDatabase* database_to_notify, |
- PK11SlotInfo* slot_to_use) { |
+ PK11SlotInfo* slot_to_use, |
+ const TestClientCertWithKey& test_cert) { |
// Import a client cert signed by that CA. |
scoped_refptr<net::X509Certificate> client_cert( |
- net::ImportClientCertAndKeyFromFile(net::GetTestCertsDirectory(), |
- "client_1.pem", "client_1.pk8", |
- slot_to_use)); |
+ net::ImportClientCertAndKeyFromFile( |
+ net::GetTestCertsDirectory(), test_cert.cert_pem_filename, |
+ test_cert.key_pk8_filename, slot_to_use)); |
database_to_notify->NotifyObserversCertDBChanged(); |
return client_cert; |
} |
+ // Import |TEST_CLIENT_CERT_1| into a PKCS11 slot. Then notify |
+ // |database_to_notify| (which is presumably using that slot) that new |
+ // certificates are avialable. |
+ scoped_refptr<net::X509Certificate> ImportClientCertAndKey( |
+ TestNSSCertDatabase* database_to_notify, |
+ PK11SlotInfo* slot_to_use) { |
+ return ImportClientCertAndKey(database_to_notify, slot_to_use, |
+ TEST_CLIENT_CERT_1); |
+ } |
+ |
// Import a client cert into |database|'s private slot. |
scoped_refptr<net::X509Certificate> ImportClientCertAndKey( |
TestNSSCertDatabase* database) { |
return ImportClientCertAndKey(database, database->GetPrivateSlot().get()); |
} |
+ // Adds the PKCS11 slot from |system_db_| to |certdb| as system slot. |
+ void AddSystemToken(TestNSSCertDatabase* certdb) { |
+ ASSERT_TRUE(system_db_.is_open()); |
+ certdb->SetSystemSlot( |
+ crypto::ScopedPK11Slot(PK11_ReferenceSlot(system_db_.slot()))); |
+ } |
+ |
CertLoader* cert_loader_; |
// The user is primary as the one whose certificates CertLoader handles, it |
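Review bot: The comment on the new two-argument ImportClientCertAndKey overload has a typo: `// certificates are avialable.` should read `// certificates are available.`. It may also be worth stating in that comment that the overload simply delegates to the three-argument form with TEST_CLIENT_CERT_1, so a reader does not have to compare the bodies to see they behave identically. The retained context comment "Import a client cert signed by that CA." refers to a CA that nothing nearby introduces; dropping "signed by that CA" would make it accurate for both test certs.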
@@ -172,42 +216,174 @@ class CertLoaderTest : public testing::Test, |
// Additional NSS DB simulating the system token. |
crypto::ScopedTestNSSDB system_db_; |
+ // A NSSCertDatabase which only uses the system token (simulated by |
+ // system_db_). |
+ std::unique_ptr<TestNSSCertDatabase> system_certdb_; |
+ |
base::MessageLoop message_loop_; |
private: |
- // Adds the PKCS11 slot from |system_db_| to |certdb| as system slot. |
- void AddSystemToken(TestNSSCertDatabase* certdb) { |
- ASSERT_TRUE(system_db_.is_open()); |
- certdb->SetSystemSlot( |
- crypto::ScopedPK11Slot(PK11_ReferenceSlot(system_db_.slot()))); |
- } |
- |
base::test::ScopedTaskScheduler scoped_task_scheduler_; |
size_t certificates_loaded_events_count_; |
}; |
} // namespace |
-TEST_F(CertLoaderTest, Basic) { |
- EXPECT_FALSE(cert_loader_->CertificatesLoading()); |
- EXPECT_FALSE(cert_loader_->certificates_loaded()); |
+TEST_F(CertLoaderTest, BasicOnlyUserDB) { |
+ EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running()); |
+ EXPECT_FALSE(cert_loader_->initial_load_finished()); |
CreateCertDatabase(&primary_db_, &primary_certdb_); |
- cert_loader_->StartWithNSSDB(primary_certdb_.get()); |
+ cert_loader_->SetUserNSSDB(primary_certdb_.get()); |
- EXPECT_FALSE(cert_loader_->certificates_loaded()); |
- EXPECT_TRUE(cert_loader_->CertificatesLoading()); |
+ EXPECT_FALSE(cert_loader_->initial_load_finished()); |
+ EXPECT_TRUE(cert_loader_->initial_load_of_any_database_running()); |
EXPECT_TRUE(cert_loader_->all_certs().empty()); |
+ EXPECT_TRUE(cert_loader_->system_certs().empty()); |
ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); |
base::RunLoop().RunUntilIdle(); |
EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); |
- EXPECT_TRUE(cert_loader_->certificates_loaded()); |
- EXPECT_FALSE(cert_loader_->CertificatesLoading()); |
+ EXPECT_TRUE(cert_loader_->initial_load_finished()); |
+ EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running()); |
// Default CA cert roots should get loaded. |
EXPECT_FALSE(cert_loader_->all_certs().empty()); |
+ EXPECT_TRUE(cert_loader_->system_certs().empty()); |
+} |
+ |
+TEST_F(CertLoaderTest, BasicOnlySystemDB) { |
+ EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running()); |
+ EXPECT_FALSE(cert_loader_->initial_load_finished()); |
+ |
+ CreateCertDatabase(&system_db_, &system_certdb_); |
+ cert_loader_->SetSystemNSSDB(system_certdb_.get()); |
+ |
+ EXPECT_FALSE(cert_loader_->initial_load_finished()); |
+ EXPECT_TRUE(cert_loader_->initial_load_of_any_database_running()); |
+ EXPECT_TRUE(cert_loader_->all_certs().empty()); |
+ |
+ ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); |
+ base::RunLoop().RunUntilIdle(); |
+ EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); |
+ |
+ EXPECT_TRUE(cert_loader_->initial_load_finished()); |
+ EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running()); |
+ |
+ // Default CA cert roots should get loaded. |
+ EXPECT_FALSE(cert_loader_->all_certs().empty()); |
+} |
+ |
+// Tests the CertLoader with a system DB and then with an additional user DB |
+// which does not have access to the system token. |
+TEST_F(CertLoaderTest, SystemAndUnaffiliatedUserDB) { |
+ CreateCertDatabase(&system_db_, &system_certdb_); |
+ scoped_refptr<net::X509Certificate> system_token_cert(ImportClientCertAndKey( |
+ system_certdb_.get(), system_db_.slot(), TEST_CLIENT_CERT_1)); |
+ |
+ CreateCertDatabase(&primary_db_, &primary_certdb_); |
+ scoped_refptr<net::X509Certificate> user_token_cert(ImportClientCertAndKey( |
+ primary_certdb_.get(), primary_db_.slot(), TEST_CLIENT_CERT_2)); |
+ |
+ base::RunLoop().RunUntilIdle(); |
+ |
+ EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running()); |
+ EXPECT_FALSE(cert_loader_->initial_load_finished()); |
+ |
+ cert_loader_->SetSystemNSSDB(system_certdb_.get()); |
+ |
+ EXPECT_FALSE(cert_loader_->initial_load_finished()); |
+ EXPECT_TRUE(cert_loader_->initial_load_of_any_database_running()); |
+ EXPECT_TRUE(cert_loader_->all_certs().empty()); |
+ EXPECT_TRUE(cert_loader_->system_certs().empty()); |
+ |
+ ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); |
+ base::RunLoop().RunUntilIdle(); |
+ EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); |
+ |
+ EXPECT_TRUE(cert_loader_->initial_load_finished()); |
+ EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running()); |
+ |
+ EXPECT_TRUE(IsCertInCertificateList(system_token_cert.get(), |
+ cert_loader_->system_certs())); |
+ EXPECT_TRUE(IsCertInCertificateList(system_token_cert.get(), |
+ cert_loader_->all_certs())); |
+ |
+ cert_loader_->SetUserNSSDB(primary_certdb_.get()); |
+ |
+ EXPECT_TRUE(cert_loader_->initial_load_finished()); |
+ EXPECT_TRUE(cert_loader_->initial_load_of_any_database_running()); |
+ EXPECT_FALSE(cert_loader_->all_certs().empty()); |
+ EXPECT_FALSE(cert_loader_->system_certs().empty()); |
+ |
+ ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); |
+ base::RunLoop().RunUntilIdle(); |
+ EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); |
+ |
+ EXPECT_TRUE(cert_loader_->initial_load_finished()); |
+ EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running()); |
+ |
+ EXPECT_FALSE(IsCertInCertificateList(user_token_cert.get(), |
+ cert_loader_->system_certs())); |
+ EXPECT_TRUE(IsCertInCertificateList(user_token_cert.get(), |
+ cert_loader_->all_certs())); |
+} |
+ |
+// Tests the CertLoader with a system DB and then with an additional user DB |
+// which has access to the system token. |
+TEST_F(CertLoaderTest, SystemAndAffiliatedUserDB) { |
+ CreateCertDatabase(&system_db_, &system_certdb_); |
+ scoped_refptr<net::X509Certificate> system_token_cert(ImportClientCertAndKey( |
+ system_certdb_.get(), system_db_.slot(), TEST_CLIENT_CERT_1)); |
+ |
+ CreateCertDatabase(&primary_db_, &primary_certdb_); |
+ scoped_refptr<net::X509Certificate> user_token_cert(ImportClientCertAndKey( |
+ primary_certdb_.get(), primary_db_.slot(), TEST_CLIENT_CERT_2)); |
+ |
+ AddSystemToken(primary_certdb_.get()); |
+ base::RunLoop().RunUntilIdle(); |
+ |
+ EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running()); |
+ EXPECT_FALSE(cert_loader_->initial_load_finished()); |
+ |
+ cert_loader_->SetSystemNSSDB(system_certdb_.get()); |
+ |
+ EXPECT_FALSE(cert_loader_->initial_load_finished()); |
+ EXPECT_TRUE(cert_loader_->initial_load_of_any_database_running()); |
+ EXPECT_TRUE(cert_loader_->all_certs().empty()); |
+ EXPECT_TRUE(cert_loader_->system_certs().empty()); |
+ |
+ ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); |
+ base::RunLoop().RunUntilIdle(); |
+ EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); |
+ |
+ EXPECT_TRUE(cert_loader_->initial_load_finished()); |
+ EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running()); |
+ |
+ EXPECT_TRUE(IsCertInCertificateList(system_token_cert.get(), |
+ cert_loader_->system_certs())); |
+ EXPECT_TRUE(IsCertInCertificateList(system_token_cert.get(), |
+ cert_loader_->all_certs())); |
+ |
+ cert_loader_->SetUserNSSDB(primary_certdb_.get()); |
+ |
+ EXPECT_TRUE(cert_loader_->initial_load_finished()); |
+ EXPECT_TRUE(cert_loader_->initial_load_of_any_database_running()); |
+ EXPECT_FALSE(cert_loader_->all_certs().empty()); |
+ EXPECT_FALSE(cert_loader_->system_certs().empty()); |
+ |
+ ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); |
+ base::RunLoop().RunUntilIdle(); |
+ EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); |
+ |
+ EXPECT_TRUE(cert_loader_->initial_load_finished()); |
+ EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running()); |
+ |
+ EXPECT_FALSE(IsCertInCertificateList(user_token_cert.get(), |
+ cert_loader_->system_certs())); |
+ EXPECT_EQ(1U, CountCertOccurencesInCertificateList( |
+ user_token_cert.get(), cert_loader_->all_certs())); |
} |
TEST_F(CertLoaderTest, CertLoaderUpdatesCertListOnNewCert) { |
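Review bot: SystemAndAffiliatedUserDB only checks that user_token_cert appears once in all_certs(), but the cert most likely to be duplicated in the affiliated case is system_token_cert, which is visible through both the system DB and the user DB once AddSystemToken() has attached the system slot; adding `EXPECT_EQ(1U, CountCertOccurencesInCertificateList(system_token_cert.get(), cert_loader_->all_certs()));` after the final load would pin that the loader merges rather than concatenates the two lists (assuming that is the intended contract). BasicOnlySystemDB never asserts on system_certs() after the load completes, so whether the default CA roots are expected there is left unspecified; an expectation either way would document it. The two SystemAnd*UserDB tests also share roughly forty identical lines and could be driven by one fixture helper taking an "affiliated" flag. The test starting on the last line of this hunk continues outside it.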