| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <cert.h> | 5 #include <cert.h> |
| 6 #include <certdb.h> | 6 #include <certdb.h> |
| 7 #include <pk11pub.h> | 7 #include <pk11pub.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| (...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 51 ASSERT_TRUE(destination); | 51 ASSERT_TRUE(destination); |
| 52 destination->swap(*source); | 52 destination->swap(*source); |
| 53 } | 53 } |
| 54 | 54 |
| 55 } // namespace | 55 } // namespace |
| 56 | 56 |
| 57 class CertDatabaseNSSTest : public testing::Test { | 57 class CertDatabaseNSSTest : public testing::Test { |
| 58 public: | 58 public: |
| 59 virtual void SetUp() { | 59 virtual void SetUp() { |
| 60 ASSERT_TRUE(test_nssdb_.is_open()); | 60 ASSERT_TRUE(test_nssdb_.is_open()); |
| 61 cert_db_ = NSSCertDatabase::GetInstance(); | 61 cert_db_.reset(new NSSCertDatabase( |
| 62 slot_ = cert_db_->GetPublicModule(); | 62 crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot()), |
| 63 crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot()))); |
| 64 public_module_ = cert_db_->GetPublicModule(); |
| 63 | 65 |
| 64 // Test db should be empty at start of test. | 66 // Test db should be empty at start of test. |
| 65 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 67 EXPECT_EQ(0U, ListCerts().size()); |
| 66 } | 68 } |
| 67 | 69 |
| 68 virtual void TearDown() { | 70 virtual void TearDown() { |
| 69 // Don't try to cleanup if the setup failed. | |
| 70 ASSERT_TRUE(slot_->os_module_handle()); | |
| 71 | |
| 72 EXPECT_TRUE(CleanupSlotContents()); | |
| 73 | |
| 74 // Run the message loop to process any observer callbacks (e.g. for the | 71 // Run the message loop to process any observer callbacks (e.g. for the |
| 75 // ClientSocketFactory singleton) so that the scoped ref ptrs created in | 72 // ClientSocketFactory singleton) so that the scoped ref ptrs created in |
| 76 // NSSCertDatabase::NotifyObservers* get released. | 73 // NSSCertDatabase::NotifyObservers* get released. |
| 77 base::MessageLoop::current()->RunUntilIdle(); | 74 base::MessageLoop::current()->RunUntilIdle(); |
| 78 | |
| 79 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | |
| 80 } | 75 } |
| 81 | 76 |
| 82 protected: | 77 protected: |
| 78 net::CryptoModule* GetPublicModule() { |
| 79 return public_module_.get(); |
| 80 } |
| 81 |
| 83 static std::string ReadTestFile(const std::string& name) { | 82 static std::string ReadTestFile(const std::string& name) { |
| 84 std::string result; | 83 std::string result; |
| 85 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name); | 84 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name); |
| 86 EXPECT_TRUE(base::ReadFileToString(cert_path, &result)); | 85 EXPECT_TRUE(base::ReadFileToString(cert_path, &result)); |
| 87 return result; | 86 return result; |
| 88 } | 87 } |
| 89 | 88 |
| 90 static bool ReadCertIntoList(const std::string& name, | 89 static bool ReadCertIntoList(const std::string& name, |
| 91 CertificateList* certs) { | 90 CertificateList* certs) { |
| 92 scoped_refptr<X509Certificate> cert( | 91 scoped_refptr<X509Certificate> cert( |
| 93 ImportCertFromFile(GetTestCertsDirectory(), name)); | 92 ImportCertFromFile(GetTestCertsDirectory(), name)); |
| 94 if (!cert.get()) | 93 if (!cert.get()) |
| 95 return false; | 94 return false; |
| 96 | 95 |
| 97 certs->push_back(cert); | 96 certs->push_back(cert); |
| 98 return true; | 97 return true; |
| 99 } | 98 } |
| 100 | 99 |
| 101 static CertificateList ListCertsInSlot(PK11SlotInfo* slot) { | 100 CertificateList ListCerts() { |
| 102 CertificateList result; | 101 CertificateList result; |
| 103 CERTCertList* cert_list = PK11_ListCertsInSlot(slot); | 102 |
| 103 CERTCertList* cert_list = |
| 104 PK11_ListCertsInSlot(cert_db_->GetPublicSlot().get()); |
| 104 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); | 105 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); |
| 105 !CERT_LIST_END(node, cert_list); | 106 !CERT_LIST_END(node, cert_list); |
| 106 node = CERT_LIST_NEXT(node)) { | 107 node = CERT_LIST_NEXT(node)) { |
| 107 result.push_back(X509Certificate::CreateFromHandle( | 108 result.push_back(X509Certificate::CreateFromHandle( |
| 108 node->cert, X509Certificate::OSCertHandles())); | 109 node->cert, X509Certificate::OSCertHandles())); |
| 109 } | 110 } |
| 110 CERT_DestroyCertList(cert_list); | 111 CERT_DestroyCertList(cert_list); |
| 111 | 112 |
| 112 // Sort the result so that test comparisons can be deterministic. | 113 // Sort the result so that test comparisons can be deterministic. |
| 113 std::sort(result.begin(), result.end(), X509Certificate::LessThan()); | 114 std::sort(result.begin(), result.end(), X509Certificate::LessThan()); |
| 114 return result; | 115 return result; |
| 115 } | 116 } |
| 116 | 117 |
| 117 scoped_refptr<CryptoModule> slot_; | 118 scoped_ptr<NSSCertDatabase> cert_db_; |
| 118 NSSCertDatabase* cert_db_; | |
| 119 const CertificateList empty_cert_list_; | 119 const CertificateList empty_cert_list_; |
| 120 | |
| 121 private: | |
| 122 bool CleanupSlotContents() { | |
| 123 bool ok = true; | |
| 124 CertificateList certs = ListCertsInSlot(slot_->os_module_handle()); | |
| 125 CERTCertTrust default_trust = {0}; | |
| 126 for (size_t i = 0; i < certs.size(); ++i) { | |
| 127 // Reset cert trust values to defaults before deleting. Otherwise NSS | |
| 128 // somehow seems to remember the trust which can break following tests. | |
| 129 SECStatus srv = CERT_ChangeCertTrust( | |
| 130 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); | |
| 131 if (srv != SECSuccess) | |
| 132 ok = false; | |
| 133 | |
| 134 if (!cert_db_->DeleteCertAndKey(certs[i].get())) | |
| 135 ok = false; | |
| 136 } | |
| 137 return ok; | |
| 138 } | |
| 139 | |
| 140 crypto::ScopedTestNSSDB test_nssdb_; | 120 crypto::ScopedTestNSSDB test_nssdb_; |
| 121 scoped_refptr<net::CryptoModule> public_module_; |
| 141 }; | 122 }; |
| 142 | 123 |
| 143 TEST_F(CertDatabaseNSSTest, ListCertsSync) { | 124 TEST_F(CertDatabaseNSSTest, ListCertsSync) { |
| 144 // This test isn't terribly useful, though it will at least let valgrind test | 125 // This test isn't terribly useful, though it will at least let valgrind test |
| 145 // for leaks. | 126 // for leaks. |
| 146 CertificateList certs; | 127 CertificateList certs; |
| 147 cert_db_->ListCertsSync(&certs); | 128 cert_db_->ListCertsSync(&certs); |
| 148 // The test DB is empty, but let's assume there will always be something in | 129 // The test DB is empty, but let's assume there will always be something in |
| 149 // the other slots. | 130 // the other slots. |
| 150 EXPECT_LT(0U, certs.size()); | 131 EXPECT_LT(0U, certs.size()); |
| (...skipping 11 matching lines...) Expand all Loading... |
| 162 | 143 |
| 163 // The test DB is empty, but let's assume there will always be something in | 144 // The test DB is empty, but let's assume there will always be something in |
| 164 // the other slots. | 145 // the other slots. |
| 165 EXPECT_LT(0U, certs.size()); | 146 EXPECT_LT(0U, certs.size()); |
| 166 } | 147 } |
| 167 | 148 |
| 168 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { | 149 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { |
| 169 std::string pkcs12_data = ReadTestFile("client.p12"); | 150 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 170 | 151 |
| 171 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, | 152 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, |
| 172 cert_db_->ImportFromPKCS12(slot_.get(), | 153 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 173 pkcs12_data, | 154 pkcs12_data, |
| 174 base::string16(), | 155 base::string16(), |
| 175 true, // is_extractable | 156 true, // is_extractable |
| 176 NULL)); | 157 NULL)); |
| 177 | 158 |
| 178 // Test db should still be empty. | 159 // Test db should still be empty. |
| 179 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 160 EXPECT_EQ(0U, ListCerts().size()); |
| 180 } | 161 } |
| 181 | 162 |
| 182 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) { | 163 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) { |
| 183 std::string pkcs12_data = ReadTestFile("client.p12"); | 164 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 184 | 165 |
| 185 EXPECT_EQ(OK, | 166 EXPECT_EQ(OK, |
| 186 cert_db_->ImportFromPKCS12(slot_.get(), | 167 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 187 pkcs12_data, | 168 pkcs12_data, |
| 188 ASCIIToUTF16("12345"), | 169 ASCIIToUTF16("12345"), |
| 189 true, // is_extractable | 170 true, // is_extractable |
| 190 NULL)); | 171 NULL)); |
| 191 | 172 |
| 192 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 173 CertificateList cert_list = ListCerts(); |
| 193 ASSERT_EQ(1U, cert_list.size()); | 174 ASSERT_EQ(1U, cert_list.size()); |
| 194 scoped_refptr<X509Certificate> cert(cert_list[0]); | 175 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 195 | 176 |
| 196 EXPECT_EQ("testusercert", | 177 EXPECT_EQ("testusercert", |
| 197 cert->subject().common_name); | 178 cert->subject().common_name); |
| 198 | 179 |
| 199 // TODO(mattm): move export test to separate test case? | 180 // TODO(mattm): move export test to separate test case? |
| 200 std::string exported_data; | 181 std::string exported_data; |
| 201 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 182 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
| 202 &exported_data)); | 183 &exported_data)); |
| 203 ASSERT_LT(0U, exported_data.size()); | 184 ASSERT_LT(0U, exported_data.size()); |
| 204 // TODO(mattm): further verification of exported data? | 185 // TODO(mattm): further verification of exported data? |
| 205 } | 186 } |
| 206 | 187 |
| 207 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) { | 188 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) { |
| 208 std::string pkcs12_data = ReadTestFile("client.p12"); | 189 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 209 | 190 |
| 210 EXPECT_EQ(OK, | 191 EXPECT_EQ(OK, |
| 211 cert_db_->ImportFromPKCS12(slot_.get(), | 192 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 212 pkcs12_data, | 193 pkcs12_data, |
| 213 ASCIIToUTF16("12345"), | 194 ASCIIToUTF16("12345"), |
| 214 true, // is_extractable | 195 true, // is_extractable |
| 215 NULL)); | 196 NULL)); |
| 216 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); | 197 EXPECT_EQ(1U, ListCerts().size()); |
| 217 | 198 |
| 218 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like | 199 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like |
| 219 // it's ever used. This test verifies that. | 200 // it's ever used. This test verifies that. |
| 220 EXPECT_EQ(OK, | 201 EXPECT_EQ(OK, |
| 221 cert_db_->ImportFromPKCS12(slot_.get(), | 202 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 222 pkcs12_data, | 203 pkcs12_data, |
| 223 ASCIIToUTF16("12345"), | 204 ASCIIToUTF16("12345"), |
| 224 true, // is_extractable | 205 true, // is_extractable |
| 225 NULL)); | 206 NULL)); |
| 226 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); | 207 EXPECT_EQ(1U, ListCerts().size()); |
| 227 } | 208 } |
| 228 | 209 |
| 229 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) { | 210 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) { |
| 230 std::string pkcs12_data = ReadTestFile("client.p12"); | 211 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 231 | 212 |
| 232 EXPECT_EQ(OK, | 213 EXPECT_EQ(OK, |
| 233 cert_db_->ImportFromPKCS12(slot_.get(), | 214 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 234 pkcs12_data, | 215 pkcs12_data, |
| 235 ASCIIToUTF16("12345"), | 216 ASCIIToUTF16("12345"), |
| 236 false, // is_extractable | 217 false, // is_extractable |
| 237 NULL)); | 218 NULL)); |
| 238 | 219 |
| 239 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 220 CertificateList cert_list = ListCerts(); |
| 240 ASSERT_EQ(1U, cert_list.size()); | 221 ASSERT_EQ(1U, cert_list.size()); |
| 241 scoped_refptr<X509Certificate> cert(cert_list[0]); | 222 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 242 | 223 |
| 243 EXPECT_EQ("testusercert", | 224 EXPECT_EQ("testusercert", |
| 244 cert->subject().common_name); | 225 cert->subject().common_name); |
| 245 | 226 |
| 246 std::string exported_data; | 227 std::string exported_data; |
| 247 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 228 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
| 248 &exported_data)); | 229 &exported_data)); |
| 249 } | 230 } |
| 250 | 231 |
| 251 // Importing a PKCS#12 file with a certificate but no corresponding | 232 // Importing a PKCS#12 file with a certificate but no corresponding |
| 252 // private key should not mark an existing private key as unextractable. | 233 // private key should not mark an existing private key as unextractable. |
| 253 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) { | 234 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) { |
| 254 std::string pkcs12_data = ReadTestFile("client.p12"); | 235 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 255 EXPECT_EQ(OK, | 236 EXPECT_EQ(OK, |
| 256 cert_db_->ImportFromPKCS12(slot_.get(), | 237 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 257 pkcs12_data, | 238 pkcs12_data, |
| 258 ASCIIToUTF16("12345"), | 239 ASCIIToUTF16("12345"), |
| 259 true, // is_extractable | 240 true, // is_extractable |
| 260 NULL)); | 241 NULL)); |
| 261 | 242 |
| 262 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 243 CertificateList cert_list = ListCerts(); |
| 263 ASSERT_EQ(1U, cert_list.size()); | 244 ASSERT_EQ(1U, cert_list.size()); |
| 264 | 245 |
| 265 // Now import a PKCS#12 file with just a certificate but no private key. | 246 // Now import a PKCS#12 file with just a certificate but no private key. |
| 266 pkcs12_data = ReadTestFile("client-nokey.p12"); | 247 pkcs12_data = ReadTestFile("client-nokey.p12"); |
| 267 EXPECT_EQ(OK, | 248 EXPECT_EQ(OK, |
| 268 cert_db_->ImportFromPKCS12(slot_.get(), | 249 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 269 pkcs12_data, | 250 pkcs12_data, |
| 270 ASCIIToUTF16("12345"), | 251 ASCIIToUTF16("12345"), |
| 271 false, // is_extractable | 252 false, // is_extractable |
| 272 NULL)); | 253 NULL)); |
| 273 | 254 |
| 274 cert_list = ListCertsInSlot(slot_->os_module_handle()); | 255 cert_list = ListCerts(); |
| 275 ASSERT_EQ(1U, cert_list.size()); | 256 ASSERT_EQ(1U, cert_list.size()); |
| 276 | 257 |
| 277 // Make sure the imported private key is still extractable. | 258 // Make sure the imported private key is still extractable. |
| 278 std::string exported_data; | 259 std::string exported_data; |
| 279 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 260 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
| 280 &exported_data)); | 261 &exported_data)); |
| 281 ASSERT_LT(0U, exported_data.size()); | 262 ASSERT_LT(0U, exported_data.size()); |
| 282 } | 263 } |
| 283 | 264 |
| 284 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) { | 265 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) { |
| 285 std::string pkcs12_data = "Foobarbaz"; | 266 std::string pkcs12_data = "Foobarbaz"; |
| 286 | 267 |
| 287 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE, | 268 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE, |
| 288 cert_db_->ImportFromPKCS12(slot_.get(), | 269 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 289 pkcs12_data, | 270 pkcs12_data, |
| 290 base::string16(), | 271 base::string16(), |
| 291 true, // is_extractable | 272 true, // is_extractable |
| 292 NULL)); | 273 NULL)); |
| 293 | 274 |
| 294 // Test db should still be empty. | 275 // Test db should still be empty. |
| 295 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 276 EXPECT_EQ(0U, ListCerts().size()); |
| 296 } | 277 } |
| 297 | 278 |
| 298 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { | 279 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { |
| 299 CertificateList certs = CreateCertificateListFromFile( | 280 CertificateList certs = CreateCertificateListFromFile( |
| 300 GetTestCertsDirectory(), "root_ca_cert.pem", | 281 GetTestCertsDirectory(), "root_ca_cert.pem", |
| 301 X509Certificate::FORMAT_AUTO); | 282 X509Certificate::FORMAT_AUTO); |
| 302 ASSERT_EQ(1U, certs.size()); | 283 ASSERT_EQ(1U, certs.size()); |
| 303 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 284 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 304 | 285 |
| 305 // Import it. | 286 // Import it. |
| 306 NSSCertDatabase::ImportCertFailureList failed; | 287 NSSCertDatabase::ImportCertFailureList failed; |
| 307 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, | 288 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, |
| 308 &failed)); | 289 &failed)); |
| 309 | 290 |
| 310 EXPECT_EQ(0U, failed.size()); | 291 EXPECT_EQ(0U, failed.size()); |
| 311 | 292 |
| 312 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 293 CertificateList cert_list = ListCerts(); |
| 313 ASSERT_EQ(1U, cert_list.size()); | 294 ASSERT_EQ(1U, cert_list.size()); |
| 314 scoped_refptr<X509Certificate> cert(cert_list[0]); | 295 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 315 EXPECT_EQ("Test Root CA", cert->subject().common_name); | 296 EXPECT_EQ("Test Root CA", cert->subject().common_name); |
| 316 | 297 |
| 317 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, | 298 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, |
| 318 cert_db_->GetCertTrust(cert.get(), CA_CERT)); | 299 cert_db_->GetCertTrust(cert.get(), CA_CERT)); |
| 319 | 300 |
| 320 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | | 301 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| 321 CERTDB_TRUSTED_CLIENT_CA), | 302 CERTDB_TRUSTED_CLIENT_CA), |
| 322 cert->os_cert_handle()->trust->sslFlags); | 303 cert->os_cert_handle()->trust->sslFlags); |
| (...skipping 10 matching lines...) Expand all Loading... |
| 333 ASSERT_EQ(1U, certs.size()); | 314 ASSERT_EQ(1U, certs.size()); |
| 334 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 315 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 335 | 316 |
| 336 // Import it. | 317 // Import it. |
| 337 NSSCertDatabase::ImportCertFailureList failed; | 318 NSSCertDatabase::ImportCertFailureList failed; |
| 338 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL, | 319 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL, |
| 339 &failed)); | 320 &failed)); |
| 340 | 321 |
| 341 EXPECT_EQ(0U, failed.size()); | 322 EXPECT_EQ(0U, failed.size()); |
| 342 | 323 |
| 343 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 324 CertificateList cert_list = ListCerts(); |
| 344 ASSERT_EQ(1U, cert_list.size()); | 325 ASSERT_EQ(1U, cert_list.size()); |
| 345 scoped_refptr<X509Certificate> cert(cert_list[0]); | 326 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 346 EXPECT_EQ("Test Root CA", cert->subject().common_name); | 327 EXPECT_EQ("Test Root CA", cert->subject().common_name); |
| 347 | 328 |
| 348 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL, | 329 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL, |
| 349 cert_db_->GetCertTrust(cert.get(), CA_CERT)); | 330 cert_db_->GetCertTrust(cert.get(), CA_CERT)); |
| 350 | 331 |
| 351 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 332 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 352 cert->os_cert_handle()->trust->sslFlags); | 333 cert->os_cert_handle()->trust->sslFlags); |
| 353 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | | 334 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| (...skipping 10 matching lines...) Expand all Loading... |
| 364 ASSERT_EQ(1U, certs.size()); | 345 ASSERT_EQ(1U, certs.size()); |
| 365 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 346 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 366 | 347 |
| 367 // Import it. | 348 // Import it. |
| 368 NSSCertDatabase::ImportCertFailureList failed; | 349 NSSCertDatabase::ImportCertFailureList failed; |
| 369 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN, | 350 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN, |
| 370 &failed)); | 351 &failed)); |
| 371 | 352 |
| 372 EXPECT_EQ(0U, failed.size()); | 353 EXPECT_EQ(0U, failed.size()); |
| 373 | 354 |
| 374 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 355 CertificateList cert_list = ListCerts(); |
| 375 ASSERT_EQ(1U, cert_list.size()); | 356 ASSERT_EQ(1U, cert_list.size()); |
| 376 scoped_refptr<X509Certificate> cert(cert_list[0]); | 357 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 377 EXPECT_EQ("Test Root CA", cert->subject().common_name); | 358 EXPECT_EQ("Test Root CA", cert->subject().common_name); |
| 378 | 359 |
| 379 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN, | 360 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN, |
| 380 cert_db_->GetCertTrust(cert.get(), CA_CERT)); | 361 cert_db_->GetCertTrust(cert.get(), CA_CERT)); |
| 381 | 362 |
| 382 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 363 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 383 cert->os_cert_handle()->trust->sslFlags); | 364 cert->os_cert_handle()->trust->sslFlags); |
| 384 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 365 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| (...skipping 14 matching lines...) Expand all Loading... |
| 399 NSSCertDatabase::ImportCertFailureList failed; | 380 NSSCertDatabase::ImportCertFailureList failed; |
| 400 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, | 381 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, |
| 401 &failed)); | 382 &failed)); |
| 402 ASSERT_EQ(1U, failed.size()); | 383 ASSERT_EQ(1U, failed.size()); |
| 403 // Note: this compares pointers directly. It's okay in this case because | 384 // Note: this compares pointers directly. It's okay in this case because |
| 404 // ImportCACerts returns the same pointers that were passed in. In the | 385 // ImportCACerts returns the same pointers that were passed in. In the |
| 405 // general case IsSameOSCert should be used. | 386 // general case IsSameOSCert should be used. |
| 406 EXPECT_EQ(certs[0], failed[0].certificate); | 387 EXPECT_EQ(certs[0], failed[0].certificate); |
| 407 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); | 388 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); |
| 408 | 389 |
| 409 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 390 EXPECT_EQ(0U, ListCerts().size()); |
| 410 } | 391 } |
| 411 | 392 |
| 412 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { | 393 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { |
| 413 CertificateList certs; | 394 CertificateList certs; |
| 414 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 395 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 415 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 396 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 416 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); | 397 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); |
| 417 | 398 |
| 418 // Import it. | 399 // Import it. |
| 419 NSSCertDatabase::ImportCertFailureList failed; | 400 NSSCertDatabase::ImportCertFailureList failed; |
| 420 // Have to specify email trust for the cert verification of the child cert to | 401 // Have to specify email trust for the cert verification of the child cert to |
| 421 // work (see | 402 // work (see |
| 422 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 | 403 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 |
| 423 // "XXX This choice of trustType seems arbitrary.") | 404 // "XXX This choice of trustType seems arbitrary.") |
| 424 EXPECT_TRUE(cert_db_->ImportCACerts( | 405 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 425 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, | 406 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 426 &failed)); | 407 &failed)); |
| 427 | 408 |
| 428 ASSERT_EQ(2U, failed.size()); | 409 ASSERT_EQ(2U, failed.size()); |
| 429 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); | 410 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); |
| 430 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. | 411 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. |
| 431 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); | 412 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); |
| 432 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); | 413 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); |
| 433 | 414 |
| 434 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 415 CertificateList cert_list = ListCerts(); |
| 435 ASSERT_EQ(1U, cert_list.size()); | 416 ASSERT_EQ(1U, cert_list.size()); |
| 436 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 417 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 437 } | 418 } |
| 438 | 419 |
| 439 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { | 420 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { |
| 440 CertificateList certs; | 421 CertificateList certs; |
| 441 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 422 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 442 | 423 |
| 443 // First import just the root. | 424 // First import just the root. |
| 444 NSSCertDatabase::ImportCertFailureList failed; | 425 NSSCertDatabase::ImportCertFailureList failed; |
| 445 EXPECT_TRUE(cert_db_->ImportCACerts( | 426 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 446 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, | 427 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 447 &failed)); | 428 &failed)); |
| 448 | 429 |
| 449 EXPECT_EQ(0U, failed.size()); | 430 EXPECT_EQ(0U, failed.size()); |
| 450 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 431 CertificateList cert_list = ListCerts(); |
| 451 ASSERT_EQ(1U, cert_list.size()); | 432 ASSERT_EQ(1U, cert_list.size()); |
| 452 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 433 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 453 | 434 |
| 454 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 435 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 455 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); | 436 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); |
| 456 | 437 |
| 457 // Now import with the other certs in the list too. Even though the root is | 438 // Now import with the other certs in the list too. Even though the root is |
| 458 // already present, we should still import the rest. | 439 // already present, we should still import the rest. |
| 459 failed.clear(); | 440 failed.clear(); |
| 460 EXPECT_TRUE(cert_db_->ImportCACerts( | 441 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 461 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, | 442 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 462 &failed)); | 443 &failed)); |
| 463 | 444 |
| 464 ASSERT_EQ(3U, failed.size()); | 445 ASSERT_EQ(3U, failed.size()); |
| 465 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); | 446 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); |
| 466 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); | 447 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); |
| 467 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 448 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 468 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. | 449 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. |
| 469 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name); | 450 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name); |
| 470 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error); | 451 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error); |
| 471 | 452 |
| 472 cert_list = ListCertsInSlot(slot_->os_module_handle()); | 453 cert_list = ListCerts(); |
| 473 ASSERT_EQ(1U, cert_list.size()); | 454 ASSERT_EQ(1U, cert_list.size()); |
| 474 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 455 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 475 } | 456 } |
| 476 | 457 |
| 477 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { | 458 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { |
| 478 CertificateList certs; | 459 CertificateList certs; |
| 479 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 460 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 480 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 461 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 481 | 462 |
| 482 // Import it. | 463 // Import it. |
| 483 NSSCertDatabase::ImportCertFailureList failed; | 464 NSSCertDatabase::ImportCertFailureList failed; |
| 484 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT, | 465 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 485 &failed)); | 466 &failed)); |
| 486 | 467 |
| 487 ASSERT_EQ(1U, failed.size()); | 468 ASSERT_EQ(1U, failed.size()); |
| 488 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); | 469 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); |
| 489 // TODO(mattm): should check for net error equivalent of | 470 // TODO(mattm): should check for net error equivalent of |
| 490 // SEC_ERROR_UNTRUSTED_ISSUER | 471 // SEC_ERROR_UNTRUSTED_ISSUER |
| 491 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 472 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
| 492 | 473 |
| 493 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 474 CertificateList cert_list = ListCerts(); |
| 494 ASSERT_EQ(1U, cert_list.size()); | 475 ASSERT_EQ(1U, cert_list.size()); |
| 495 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 476 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 496 } | 477 } |
| 497 | 478 |
| 498 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { | 479 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { |
| 499 CertificateList certs; | 480 CertificateList certs; |
| 500 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 481 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 501 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 482 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
| 502 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 483 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 503 | 484 |
| 504 // Import it. | 485 // Import it. |
| 505 NSSCertDatabase::ImportCertFailureList failed; | 486 NSSCertDatabase::ImportCertFailureList failed; |
| 506 EXPECT_TRUE(cert_db_->ImportCACerts( | 487 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 507 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, | 488 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 508 &failed)); | 489 &failed)); |
| 509 | 490 |
| 510 EXPECT_EQ(2U, failed.size()); | 491 EXPECT_EQ(2U, failed.size()); |
| 511 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); | 492 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); |
| 512 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. | 493 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. |
| 513 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 494 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 514 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. | 495 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. |
| 515 | 496 |
| 516 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 497 CertificateList cert_list = ListCerts(); |
| 517 ASSERT_EQ(1U, cert_list.size()); | 498 ASSERT_EQ(1U, cert_list.size()); |
| 518 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 499 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 519 } | 500 } |
| 520 | 501 |
| 521 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { | 502 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { |
| 522 CertificateList certs = CreateCertificateListFromFile( | 503 CertificateList certs = CreateCertificateListFromFile( |
| 523 GetTestCertsDirectory(), "root_ca_cert.pem", | 504 GetTestCertsDirectory(), "root_ca_cert.pem", |
| 524 X509Certificate::FORMAT_AUTO); | 505 X509Certificate::FORMAT_AUTO); |
| 525 ASSERT_EQ(1U, certs.size()); | 506 ASSERT_EQ(1U, certs.size()); |
| 526 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 507 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
| 527 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 508 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 528 | 509 |
| 529 // Import it. | 510 // Import it. |
| 530 NSSCertDatabase::ImportCertFailureList failed; | 511 NSSCertDatabase::ImportCertFailureList failed; |
| 531 EXPECT_TRUE(cert_db_->ImportCACerts( | 512 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 532 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL | | 513 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL | |
| 533 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed)); | 514 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed)); |
| 534 | 515 |
| 535 ASSERT_EQ(2U, failed.size()); | 516 ASSERT_EQ(2U, failed.size()); |
| 536 // TODO(mattm): should check for net error equivalent of | 517 // TODO(mattm): should check for net error equivalent of |
| 537 // SEC_ERROR_UNKNOWN_ISSUER | 518 // SEC_ERROR_UNKNOWN_ISSUER |
| 538 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); | 519 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); |
| 539 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 520 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
| 540 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 521 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 541 EXPECT_EQ(ERR_FAILED, failed[1].net_error); | 522 EXPECT_EQ(ERR_FAILED, failed[1].net_error); |
| 542 | 523 |
| 543 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 524 CertificateList cert_list = ListCerts(); |
| 544 ASSERT_EQ(1U, cert_list.size()); | 525 ASSERT_EQ(1U, cert_list.size()); |
| 545 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name); | 526 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name); |
| 546 } | 527 } |
| 547 | 528 |
| 548 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired | 529 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired |
| 549 // certificate. | 530 // certificate. |
| 550 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { | 531 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { |
| 551 // Need to import intermediate cert for the verify of google cert, otherwise | 532 // Need to import intermediate cert for the verify of google cert, otherwise |
| 552 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which | 533 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which |
| 553 // will cause OCSPCreateSession on the main thread, which is not allowed. | 534 // will cause OCSPCreateSession on the main thread, which is not allowed. |
| 554 CertificateList certs = CreateCertificateListFromFile( | 535 CertificateList certs = CreateCertificateListFromFile( |
| 555 GetTestCertsDirectory(), "google.chain.pem", | 536 GetTestCertsDirectory(), "google.chain.pem", |
| 556 X509Certificate::FORMAT_AUTO); | 537 X509Certificate::FORMAT_AUTO); |
| 557 ASSERT_EQ(2U, certs.size()); | 538 ASSERT_EQ(2U, certs.size()); |
| 558 | 539 |
| 559 NSSCertDatabase::ImportCertFailureList failed; | 540 NSSCertDatabase::ImportCertFailureList failed; |
| 560 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, | 541 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 561 &failed)); | 542 &failed)); |
| 562 | 543 |
| 563 EXPECT_EQ(0U, failed.size()); | 544 EXPECT_EQ(0U, failed.size()); |
| 564 | 545 |
| 565 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 546 CertificateList cert_list = ListCerts(); |
| 566 ASSERT_EQ(2U, cert_list.size()); | 547 ASSERT_EQ(2U, cert_list.size()); |
| 567 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); | 548 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); |
| 568 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); | 549 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); |
| 569 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); | 550 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); |
| 570 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 551 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
| 571 | 552 |
| 572 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 553 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 573 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); | 554 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| 574 | 555 |
| 575 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); | 556 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); |
| (...skipping 14 matching lines...) Expand all Loading... |
| 590 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 571 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| 591 CertificateList certs; | 572 CertificateList certs; |
| 592 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 573 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 593 | 574 |
| 594 NSSCertDatabase::ImportCertFailureList failed; | 575 NSSCertDatabase::ImportCertFailureList failed; |
| 595 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, | 576 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 596 &failed)); | 577 &failed)); |
| 597 | 578 |
| 598 EXPECT_EQ(0U, failed.size()); | 579 EXPECT_EQ(0U, failed.size()); |
| 599 | 580 |
| 600 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 581 CertificateList cert_list = ListCerts(); |
| 601 ASSERT_EQ(1U, cert_list.size()); | 582 ASSERT_EQ(1U, cert_list.size()); |
| 602 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 583 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 603 | 584 |
| 604 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 585 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 605 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 586 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 606 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); | 587 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); |
| 607 | 588 |
| 608 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 589 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 609 int flags = 0; | 590 int flags = 0; |
| 610 CertVerifyResult verify_result; | 591 CertVerifyResult verify_result; |
| (...skipping 10 matching lines...) Expand all Loading... |
| 621 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { | 602 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { |
| 622 CertificateList certs; | 603 CertificateList certs; |
| 623 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 604 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 624 | 605 |
| 625 NSSCertDatabase::ImportCertFailureList failed; | 606 NSSCertDatabase::ImportCertFailureList failed; |
| 626 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, | 607 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, |
| 627 &failed)); | 608 &failed)); |
| 628 | 609 |
| 629 EXPECT_EQ(0U, failed.size()); | 610 EXPECT_EQ(0U, failed.size()); |
| 630 | 611 |
| 631 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 612 CertificateList cert_list = ListCerts(); |
| 632 ASSERT_EQ(1U, cert_list.size()); | 613 ASSERT_EQ(1U, cert_list.size()); |
| 633 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 614 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 634 | 615 |
| 635 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, | 616 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, |
| 636 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 617 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 637 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), | 618 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), |
| 638 puny_cert->os_cert_handle()->trust->sslFlags); | 619 puny_cert->os_cert_handle()->trust->sslFlags); |
| 639 | 620 |
| 640 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 621 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 641 int flags = 0; | 622 int flags = 0; |
| (...skipping 362 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1004 // Importing two certificates with the same issuer and subject common name, | 985 // Importing two certificates with the same issuer and subject common name, |
| 1005 // but overall distinct subject names, should succeed and generate a unique | 986 // but overall distinct subject names, should succeed and generate a unique |
| 1006 // nickname for the second certificate. | 987 // nickname for the second certificate. |
| 1007 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { | 988 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { |
| 1008 CertificateList certs = | 989 CertificateList certs = |
| 1009 CreateCertificateListFromFile(GetTestCertsDirectory(), | 990 CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 1010 "duplicate_cn_1.pem", | 991 "duplicate_cn_1.pem", |
| 1011 X509Certificate::FORMAT_AUTO); | 992 X509Certificate::FORMAT_AUTO); |
| 1012 ASSERT_EQ(1U, certs.size()); | 993 ASSERT_EQ(1U, certs.size()); |
| 1013 | 994 |
| 1014 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 995 EXPECT_EQ(0U, ListCerts().size()); |
| 1015 | 996 |
| 1016 // Import server cert with default trust. | 997 // Import server cert with default trust. |
| 1017 NSSCertDatabase::ImportCertFailureList failed; | 998 NSSCertDatabase::ImportCertFailureList failed; |
| 1018 EXPECT_TRUE(cert_db_->ImportServerCert( | 999 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 1019 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 1000 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 1020 EXPECT_EQ(0U, failed.size()); | 1001 EXPECT_EQ(0U, failed.size()); |
| 1021 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 1002 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 1022 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 1003 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 1023 | 1004 |
| 1024 CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle()); | 1005 CertificateList new_certs = ListCerts(); |
| 1025 ASSERT_EQ(1U, new_certs.size()); | 1006 ASSERT_EQ(1U, new_certs.size()); |
| 1026 | 1007 |
| 1027 // Now attempt to import a different certificate with the same common name. | 1008 // Now attempt to import a different certificate with the same common name. |
| 1028 CertificateList certs2 = | 1009 CertificateList certs2 = |
| 1029 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1010 CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 1030 "duplicate_cn_2.pem", | 1011 "duplicate_cn_2.pem", |
| 1031 X509Certificate::FORMAT_AUTO); | 1012 X509Certificate::FORMAT_AUTO); |
| 1032 ASSERT_EQ(1U, certs2.size()); | 1013 ASSERT_EQ(1U, certs2.size()); |
| 1033 | 1014 |
| 1034 // Import server cert with default trust. | 1015 // Import server cert with default trust. |
| 1035 EXPECT_TRUE(cert_db_->ImportServerCert( | 1016 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 1036 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 1017 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 1037 EXPECT_EQ(0U, failed.size()); | 1018 EXPECT_EQ(0U, failed.size()); |
| 1038 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 1019 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 1039 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); | 1020 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); |
| 1040 | 1021 |
| 1041 new_certs = ListCertsInSlot(slot_->os_module_handle()); | 1022 new_certs = ListCerts(); |
| 1042 ASSERT_EQ(2U, new_certs.size()); | 1023 ASSERT_EQ(2U, new_certs.size()); |
| 1043 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, | 1024 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, |
| 1044 new_certs[1]->os_cert_handle()->nickname); | 1025 new_certs[1]->os_cert_handle()->nickname); |
| 1045 } | 1026 } |
| 1046 | 1027 |
| 1047 } // namespace net | 1028 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 405973003:
Remove the deprecated NSSCertDatabase::GetInstance() . (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src