Chromium Code Reviews Chromium Code Reviews
Issue 330213002:
*wip* NSS: handle chromeos system slot. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/nss_profile_filter_chromeos.h" | 5 #include "net/cert/nss_profile_filter_chromeos.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <pk11pub.h> | 8 #include <pk11pub.h> |
| 9 #include <secmod.h> | 9 #include <secmod.h> |
| 10 | 10 |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 48 | 48 |
| 49 // Sort the result so that test comparisons can be deterministic. | 49 // Sort the result so that test comparisons can be deterministic. |
| 50 std::sort(result.begin(), result.end(), X509Certificate::LessThan()); | 50 std::sort(result.begin(), result.end(), X509Certificate::LessThan()); |
| 51 return result; | 51 return result; |
| 52 } | 52 } |
| 53 | 53 |
| 54 } | 54 } |
| 55 | 55 |
| 56 class NSSProfileFilterChromeOSTest : public testing::Test { | 56 class NSSProfileFilterChromeOSTest : public testing::Test { |
| 57 public: | 57 public: |
| 58 NSSProfileFilterChromeOSTest() : user_1_("user1"), user_2_("user2") {} | 58 NSSProfileFilterChromeOSTest() |
| 59 : system_slot_user_("sys"), user_1_("user1"), user_2_("user2") {} | |
| 59 | 60 |
| 60 virtual void SetUp() OVERRIDE { | 61 virtual void SetUp() OVERRIDE { |
| 61 // Initialize nss_util slots. | 62 // Initialize nss_util slots. |
| 63 ASSERT_TRUE(system_slot_user_.constructed_successfully()); | |
| 62 ASSERT_TRUE(user_1_.constructed_successfully()); | 64 ASSERT_TRUE(user_1_.constructed_successfully()); |
| 63 ASSERT_TRUE(user_2_.constructed_successfully()); | 65 ASSERT_TRUE(user_2_.constructed_successfully()); |
| 66 system_slot_user_.FinishInit(); | |
| 64 user_1_.FinishInit(); | 67 user_1_.FinishInit(); |
| 65 user_2_.FinishInit(); | 68 user_2_.FinishInit(); |
| 66 | 69 |
| 67 // TODO(mattm): more accurately test public/private slot filtering somehow. | 70 // TODO(mattm): more accurately test public/private slot filtering somehow. |
| 68 // (The slots used to initialize a profile filter should be separate slots | 71 // (The slots used to initialize a profile filter should be separate slots |
| 69 // in separate modules, while ScopedTestNSSChromeOSUser uses the same slot | 72 // in separate modules, while ScopedTestNSSChromeOSUser uses the same slot |
| 70 // for both.) | 73 // for both.) |
| 71 crypto::ScopedPK11Slot private_slot_1(crypto::GetPrivateSlotForChromeOSUser( | 74 crypto::ScopedPK11Slot private_slot_1(crypto::GetPrivateSlotForChromeOSUser( |
| 72 user_1_.username_hash(), | 75 user_1_.username_hash(), |
| 73 base::Callback<void(crypto::ScopedPK11Slot)>())); | 76 base::Callback<void(crypto::ScopedPK11Slot)>())); |
| 74 ASSERT_TRUE(private_slot_1.get()); | 77 ASSERT_TRUE(private_slot_1.get()); |
| 75 profile_filter_1_.Init( | 78 profile_filter_1_.Init( |
| 76 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash()), | 79 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash()), |
| 77 private_slot_1.Pass()); | 80 private_slot_1.Pass(), |
| 81 get_system_slot()); | |
| 78 | 82 |
| 79 profile_filter_1_copy_ = profile_filter_1_; | 83 profile_filter_1_copy_ = profile_filter_1_; |
| 80 | 84 |
| 81 crypto::ScopedPK11Slot private_slot_2(crypto::GetPrivateSlotForChromeOSUser( | 85 crypto::ScopedPK11Slot private_slot_2(crypto::GetPrivateSlotForChromeOSUser( |
| 82 user_2_.username_hash(), | 86 user_2_.username_hash(), |
| 83 base::Callback<void(crypto::ScopedPK11Slot)>())); | 87 base::Callback<void(crypto::ScopedPK11Slot)>())); |
| 84 ASSERT_TRUE(private_slot_2.get()); | 88 ASSERT_TRUE(private_slot_2.get()); |
| 85 profile_filter_2_.Init( | 89 profile_filter_2_.Init( |
| 86 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash()), | 90 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash()), |
| 87 private_slot_2.Pass()); | 91 private_slot_2.Pass(), |
| 92 get_system_slot()); | |
| 88 | 93 |
| 89 certs_ = CreateCertificateListFromFile(GetTestCertsDirectory(), | 94 certs_ = CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 90 "root_ca_cert.pem", | 95 "root_ca_cert.pem", |
| 91 X509Certificate::FORMAT_AUTO); | 96 X509Certificate::FORMAT_AUTO); |
| 92 ASSERT_EQ(1U, certs_.size()); | 97 ASSERT_EQ(1U, certs_.size()); |
| 93 } | 98 } |
| 94 | 99 |
| 100 crypto::ScopedPK11Slot get_system_slot() { | |
| 101 return crypto::GetPublicSlotForChromeOSUser( | |
| 102 system_slot_user_.username_hash()); | |
| 103 } | |
| 104 | |
| 95 protected: | 105 protected: |
| 96 CertificateList certs_; | 106 CertificateList certs_; |
| 107 // Using ScopedTestNSSChromeOSUser for the system slot is a bit of a hack. | |
| 108 // Can't use ScopedTestNSS because it changes the result of | |
|
pneubeck (no reviews)
2014/06/13 12:40:42
ScopedTestNSS -> ScopedTestNSSDB
mattm
2014/06/24 03:16:46
Done.
| |
| 109 // GetPublicSlotForChromeOSUser for the other slots too. | |
| 110 crypto::ScopedTestNSSChromeOSUser system_slot_user_; | |
| 97 crypto::ScopedTestNSSChromeOSUser user_1_; | 111 crypto::ScopedTestNSSChromeOSUser user_1_; |
| 98 crypto::ScopedTestNSSChromeOSUser user_2_; | 112 crypto::ScopedTestNSSChromeOSUser user_2_; |
| 99 NSSProfileFilterChromeOS no_slots_profile_filter_; | 113 NSSProfileFilterChromeOS no_slots_profile_filter_; |
| 100 NSSProfileFilterChromeOS profile_filter_1_; | 114 NSSProfileFilterChromeOS profile_filter_1_; |
| 101 NSSProfileFilterChromeOS profile_filter_2_; | 115 NSSProfileFilterChromeOS profile_filter_2_; |
| 102 NSSProfileFilterChromeOS profile_filter_1_copy_; | 116 NSSProfileFilterChromeOS profile_filter_1_copy_; |
| 103 }; | 117 }; |
| 104 | 118 |
| 105 TEST_F(NSSProfileFilterChromeOSTest, TempCertNotAllowed) { | 119 TEST_F(NSSProfileFilterChromeOSTest, TempCertNotAllowed) { |
| 106 EXPECT_EQ(NULL, certs_[0]->os_cert_handle()->slot); | 120 EXPECT_EQ(NULL, certs_[0]->os_cert_handle()->slot); |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 141 ASSERT_FALSE(root_certs.empty()); | 155 ASSERT_FALSE(root_certs.empty()); |
| 142 EXPECT_TRUE( | 156 EXPECT_TRUE( |
| 143 no_slots_profile_filter_.IsCertAllowed(root_certs[0]->os_cert_handle())); | 157 no_slots_profile_filter_.IsCertAllowed(root_certs[0]->os_cert_handle())); |
| 144 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(root_certs[0]->os_cert_handle())); | 158 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(root_certs[0]->os_cert_handle())); |
| 145 EXPECT_TRUE( | 159 EXPECT_TRUE( |
| 146 profile_filter_1_copy_.IsCertAllowed(root_certs[0]->os_cert_handle())); | 160 profile_filter_1_copy_.IsCertAllowed(root_certs[0]->os_cert_handle())); |
| 147 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(root_certs[0]->os_cert_handle())); | 161 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(root_certs[0]->os_cert_handle())); |
| 148 } | 162 } |
| 149 | 163 |
| 150 TEST_F(NSSProfileFilterChromeOSTest, SoftwareSlots) { | 164 TEST_F(NSSProfileFilterChromeOSTest, SoftwareSlots) { |
| 165 crypto::ScopedPK11Slot system_slot(get_system_slot()); | |
| 151 crypto::ScopedPK11Slot slot_1( | 166 crypto::ScopedPK11Slot slot_1( |
| 152 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash())); | 167 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash())); |
| 153 ASSERT_TRUE(slot_1); | 168 ASSERT_TRUE(slot_1); |
| 154 crypto::ScopedPK11Slot slot_2( | 169 crypto::ScopedPK11Slot slot_2( |
| 155 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash())); | 170 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash())); |
| 156 ASSERT_TRUE(slot_2); | 171 ASSERT_TRUE(slot_2); |
| 157 | 172 |
| 158 scoped_refptr<X509Certificate> cert_1 = certs_[0]; | 173 scoped_refptr<X509Certificate> cert_1 = certs_[0]; |
| 159 CertificateList certs_2 = CreateCertificateListFromFile( | 174 CertificateList certs_2 = CreateCertificateListFromFile( |
| 160 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); | 175 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); |
| 161 ASSERT_EQ(1U, certs_2.size()); | 176 ASSERT_EQ(1U, certs_2.size()); |
| 162 scoped_refptr<X509Certificate> cert_2 = certs_2[0]; | 177 scoped_refptr<X509Certificate> cert_2 = certs_2[0]; |
| 178 CertificateList system_certs = | |
| 179 CreateCertificateListFromFile(GetTestCertsDirectory(), | |
| 180 "mit.davidben.der", | |
| 181 X509Certificate::FORMAT_AUTO); | |
| 182 ASSERT_EQ(1U, system_certs.size()); | |
| 183 scoped_refptr<X509Certificate> system_cert = system_certs[0]; | |
| 163 | 184 |
| 164 ASSERT_EQ(SECSuccess, | 185 ASSERT_EQ(SECSuccess, |
| 165 PK11_ImportCert(slot_1.get(), | 186 PK11_ImportCert(slot_1.get(), |
| 166 cert_1->os_cert_handle(), | 187 cert_1->os_cert_handle(), |
| 167 CK_INVALID_HANDLE, | 188 CK_INVALID_HANDLE, |
| 168 "cert1", | 189 "cert1", |
| 169 PR_FALSE /* includeTrust (unused) */)); | 190 PR_FALSE /* includeTrust (unused) */)); |
| 170 | 191 |
| 171 ASSERT_EQ(SECSuccess, | 192 ASSERT_EQ(SECSuccess, |
| 172 PK11_ImportCert(slot_2.get(), | 193 PK11_ImportCert(slot_2.get(), |
| 173 cert_2->os_cert_handle(), | 194 cert_2->os_cert_handle(), |
| 174 CK_INVALID_HANDLE, | 195 CK_INVALID_HANDLE, |
| 175 "cert2", | 196 "cert2", |
| 176 PR_FALSE /* includeTrust (unused) */)); | 197 PR_FALSE /* includeTrust (unused) */)); |
| 198 ASSERT_EQ(SECSuccess, | |
| 199 PK11_ImportCert(system_slot.get(), | |
| 200 system_cert->os_cert_handle(), | |
| 201 CK_INVALID_HANDLE, | |
| 202 "systemcert", | |
| 203 PR_FALSE /* includeTrust (unused) */)); | |
| 177 | 204 |
| 178 EXPECT_FALSE( | 205 EXPECT_FALSE( |
| 179 no_slots_profile_filter_.IsCertAllowed(cert_1->os_cert_handle())); | 206 no_slots_profile_filter_.IsCertAllowed(cert_1->os_cert_handle())); |
| 180 EXPECT_FALSE( | 207 EXPECT_FALSE( |
| 181 no_slots_profile_filter_.IsCertAllowed(cert_2->os_cert_handle())); | 208 no_slots_profile_filter_.IsCertAllowed(cert_2->os_cert_handle())); |
| 209 EXPECT_FALSE( | |
| 210 no_slots_profile_filter_.IsCertAllowed(system_cert->os_cert_handle())); | |
| 182 | 211 |
| 183 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(cert_1->os_cert_handle())); | 212 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(cert_1->os_cert_handle())); |
| 184 EXPECT_TRUE(profile_filter_1_copy_.IsCertAllowed(cert_1->os_cert_handle())); | 213 EXPECT_TRUE(profile_filter_1_copy_.IsCertAllowed(cert_1->os_cert_handle())); |
| 185 EXPECT_FALSE(profile_filter_1_.IsCertAllowed(cert_2->os_cert_handle())); | 214 EXPECT_FALSE(profile_filter_1_.IsCertAllowed(cert_2->os_cert_handle())); |
| 186 EXPECT_FALSE(profile_filter_1_copy_.IsCertAllowed(cert_2->os_cert_handle())); | 215 EXPECT_FALSE(profile_filter_1_copy_.IsCertAllowed(cert_2->os_cert_handle())); |
| 216 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(system_cert->os_cert_handle())); | |
| 217 EXPECT_TRUE( | |
| 218 profile_filter_1_copy_.IsCertAllowed(system_cert->os_cert_handle())); | |
| 187 | 219 |
| 188 EXPECT_FALSE(profile_filter_2_.IsCertAllowed(cert_1->os_cert_handle())); | 220 EXPECT_FALSE(profile_filter_2_.IsCertAllowed(cert_1->os_cert_handle())); |
| 189 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(cert_2->os_cert_handle())); | 221 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(cert_2->os_cert_handle())); |
| 222 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(system_cert->os_cert_handle())); | |
| 190 } | 223 } |
| 191 | 224 |
| 192 } // namespace net | 225 } // namespace net |
| OLD | NEW |
