Index: chromeos/network/certificate_helper_unittest.cc |
diff --git a/chromeos/network/certificate_helper_unittest.cc b/chromeos/network/certificate_helper_unittest.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..a34bbd74b96b04363571b7ff9b74aacc4466a133 |
--- /dev/null |
+++ b/chromeos/network/certificate_helper_unittest.cc |
@@ -0,0 +1,89 @@ |
+// Copyright 2017 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "chromeos/network/certificate_helper.h" |
+ |
+#include "crypto/scoped_test_nss_db.h" |
+#include "net/cert/nss_cert_database.h" |
+#include "net/test/cert_test_util.h" |
+#include "net/test/test_data_directory.h" |
+#include "testing/gtest/include/gtest/gtest.h" |
+ |
+namespace chromeos { |
+ |
+TEST(CertificateHelperTest, GetCertNameOrNickname) { |
+ scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile( |
+ net::GetTestCertsDirectory(), "root_ca_cert.pem")); |
+ ASSERT_TRUE(cert.get()); |
+ EXPECT_EQ("Test Root CA", |
+ certificate::GetCertNameOrNickname(cert->os_cert_handle())); |
+ |
+ scoped_refptr<net::X509Certificate> punycode_cert(net::ImportCertFromFile( |
+ net::GetTestCertsDirectory(), "punycodetest.pem")); |
+ ASSERT_TRUE(punycode_cert.get()); |
+ EXPECT_EQ("xn--wgv71a119e.com", certificate::GetCertAsciiNameOrNickname( |
+ punycode_cert->os_cert_handle())); |
+ EXPECT_EQ("日本語.com", certificate::GetCertNameOrNickname( |
+ punycode_cert->os_cert_handle())); |
+ |
+ scoped_refptr<net::X509Certificate> no_cn_cert(net::ImportCertFromFile( |
+ net::GetTestCertsDirectory(), "no_subject_common_name_cert.pem")); |
+ ASSERT_TRUE(no_cn_cert.get()); |
+ // Temp cert has no nickname. |
+ EXPECT_EQ("", |
+ certificate::GetCertNameOrNickname(no_cn_cert->os_cert_handle())); |
+} |
+ |
+TEST(CertificateHelperTest, GetTypeCA) { |
+ scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile( |
+ net::GetTestCertsDirectory(), "root_ca_cert.pem")); |
+ ASSERT_TRUE(cert.get()); |
+ |
+ EXPECT_EQ(net::CA_CERT, certificate::GetCertType(cert->os_cert_handle())); |
+ |
+ crypto::ScopedTestNSSDB test_nssdb; |
+ net::NSSCertDatabase db(crypto::ScopedPK11Slot(PK11_ReferenceSlot( |
+ test_nssdb.slot())) /* public slot */, |
+ crypto::ScopedPK11Slot(PK11_ReferenceSlot( |
+ test_nssdb.slot())) /* private slot */); |
+ |
+ // Test that explicitly distrusted CA certs are still returned as CA_CERT |
+ // type. See http://crbug.com/96654. |
+ EXPECT_TRUE(db.SetCertTrust(cert.get(), net::CA_CERT, |
+ net::NSSCertDatabase::DISTRUSTED_SSL)); |
+ |
+ EXPECT_EQ(net::CA_CERT, certificate::GetCertType(cert->os_cert_handle())); |
+} |
+ |
+TEST(CertificateHelperTest, GetTypeServer) { |
+ scoped_refptr<net::X509Certificate> cert(net::ImportCertFromFile( |
+ net::GetTestCertsDirectory(), "google.single.der")); |
+ ASSERT_TRUE(cert.get()); |
+ |
+ // Test mozilla_security_manager::GetCertType with server certs and default |
+ // trust. Currently this doesn't work. |
+ // TODO(mattm): make mozilla_security_manager::GetCertType smarter so we can |
+ // tell server certs even if they have no trust bits set. |
+ EXPECT_EQ(net::OTHER_CERT, certificate::GetCertType(cert->os_cert_handle())); |
+ |
+ crypto::ScopedTestNSSDB test_nssdb; |
+ net::NSSCertDatabase db(crypto::ScopedPK11Slot(PK11_ReferenceSlot( |
+ test_nssdb.slot())) /* public slot */, |
+ crypto::ScopedPK11Slot(PK11_ReferenceSlot( |
+ test_nssdb.slot())) /* private slot */); |
+ |
+ // Test GetCertType with server certs and explicit trust. |
+ EXPECT_TRUE(db.SetCertTrust(cert.get(), net::SERVER_CERT, |
+ net::NSSCertDatabase::TRUSTED_SSL)); |
+ |
+ EXPECT_EQ(net::SERVER_CERT, certificate::GetCertType(cert->os_cert_handle())); |
+ |
+ // Test GetCertType with server certs and explicit distrust. |
+ EXPECT_TRUE(db.SetCertTrust(cert.get(), net::SERVER_CERT, |
+ net::NSSCertDatabase::DISTRUSTED_SSL)); |
+ |
+ EXPECT_EQ(net::SERVER_CERT, certificate::GetCertType(cert->os_cert_handle())); |
+} |
+ |
+} // namespace chromeos |