| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <cert.h> | 5 #include <cert.h> |
| 6 #include <certdb.h> | 6 #include <certdb.h> |
| 7 #include <pk11pub.h> | 7 #include <pk11pub.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| (...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 51 ASSERT_TRUE(destination); | 51 ASSERT_TRUE(destination); |
| 52 destination->swap(*source); | 52 destination->swap(*source); |
| 53 } | 53 } |
| 54 | 54 |
| 55 } // namespace | 55 } // namespace |
| 56 | 56 |
| 57 class CertDatabaseNSSTest : public testing::Test { | 57 class CertDatabaseNSSTest : public testing::Test { |
| 58 public: | 58 public: |
| 59 virtual void SetUp() { | 59 virtual void SetUp() { |
| 60 ASSERT_TRUE(test_nssdb_.is_open()); | 60 ASSERT_TRUE(test_nssdb_.is_open()); |
| 61 cert_db_ = NSSCertDatabase::GetInstance(); | 61 cert_db_.reset(new NSSCertDatabase( |
| 62 slot_ = cert_db_->GetPublicModule(); | 62 crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot()))); |
| 63 | 63 |
| 64 // Test db should be empty at start of test. | 64 // Test db should be empty at start of test. |
| 65 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 65 EXPECT_EQ(0U, ListCerts().size()); |
| 66 } | 66 } |
| 67 | 67 |
| 68 virtual void TearDown() { | 68 virtual void TearDown() { |
| 69 // Don't try to cleanup if the setup failed. | |
| 70 ASSERT_TRUE(slot_->os_module_handle()); | |
| 71 | |
| 72 EXPECT_TRUE(CleanupSlotContents()); | |
| 73 | |
| 74 // Run the message loop to process any observer callbacks (e.g. for the | 69 // Run the message loop to process any observer callbacks (e.g. for the |
| 75 // ClientSocketFactory singleton) so that the scoped ref ptrs created in | 70 // ClientSocketFactory singleton) so that the scoped ref ptrs created in |
| 76 // NSSCertDatabase::NotifyObservers* get released. | 71 // NSSCertDatabase::NotifyObservers* get released. |
| 77 base::MessageLoop::current()->RunUntilIdle(); | 72 base::MessageLoop::current()->RunUntilIdle(); |
| 78 | |
| 79 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | |
| 80 } | 73 } |
| 81 | 74 |
| 82 protected: | 75 protected: |
| 76 net::CryptoModule* GetPublicModule() { |
| 77 return cert_db_->GetPublicModule(); |
| 78 } |
| 79 |
| 83 static std::string ReadTestFile(const std::string& name) { | 80 static std::string ReadTestFile(const std::string& name) { |
| 84 std::string result; | 81 std::string result; |
| 85 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name); | 82 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name); |
| 86 EXPECT_TRUE(base::ReadFileToString(cert_path, &result)); | 83 EXPECT_TRUE(base::ReadFileToString(cert_path, &result)); |
| 87 return result; | 84 return result; |
| 88 } | 85 } |
| 89 | 86 |
| 90 static bool ReadCertIntoList(const std::string& name, | 87 static bool ReadCertIntoList(const std::string& name, |
| 91 CertificateList* certs) { | 88 CertificateList* certs) { |
| 92 scoped_refptr<X509Certificate> cert( | 89 scoped_refptr<X509Certificate> cert( |
| 93 ImportCertFromFile(GetTestCertsDirectory(), name)); | 90 ImportCertFromFile(GetTestCertsDirectory(), name)); |
| 94 if (!cert.get()) | 91 if (!cert.get()) |
| 95 return false; | 92 return false; |
| 96 | 93 |
| 97 certs->push_back(cert); | 94 certs->push_back(cert); |
| 98 return true; | 95 return true; |
| 99 } | 96 } |
| 100 | 97 |
| 101 static CertificateList ListCertsInSlot(PK11SlotInfo* slot) { | 98 CertificateList ListCerts() { |
| 102 CertificateList result; | 99 CertificateList result; |
| 103 CERTCertList* cert_list = PK11_ListCertsInSlot(slot); | 100 |
| 101 CERTCertList* cert_list = |
| 102 PK11_ListCertsInSlot(cert_db_->GetPublicSlot().get()); |
| 104 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); | 103 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); |
| 105 !CERT_LIST_END(node, cert_list); | 104 !CERT_LIST_END(node, cert_list); |
| 106 node = CERT_LIST_NEXT(node)) { | 105 node = CERT_LIST_NEXT(node)) { |
| 107 result.push_back(X509Certificate::CreateFromHandle( | 106 result.push_back(X509Certificate::CreateFromHandle( |
| 108 node->cert, X509Certificate::OSCertHandles())); | 107 node->cert, X509Certificate::OSCertHandles())); |
| 109 } | 108 } |
| 110 CERT_DestroyCertList(cert_list); | 109 CERT_DestroyCertList(cert_list); |
| 111 | 110 |
| 112 // Sort the result so that test comparisons can be deterministic. | 111 // Sort the result so that test comparisons can be deterministic. |
| 113 std::sort(result.begin(), result.end(), X509Certificate::LessThan()); | 112 std::sort(result.begin(), result.end(), X509Certificate::LessThan()); |
| 114 return result; | 113 return result; |
| 115 } | 114 } |
| 116 | 115 |
| 117 scoped_refptr<CryptoModule> slot_; | 116 scoped_ptr<NSSCertDatabase> cert_db_; |
| 118 NSSCertDatabase* cert_db_; | |
| 119 const CertificateList empty_cert_list_; | 117 const CertificateList empty_cert_list_; |
| 120 | |
| 121 private: | |
| 122 bool CleanupSlotContents() { | |
| 123 bool ok = true; | |
| 124 CertificateList certs = ListCertsInSlot(slot_->os_module_handle()); | |
| 125 CERTCertTrust default_trust = {0}; | |
| 126 for (size_t i = 0; i < certs.size(); ++i) { | |
| 127 // Reset cert trust values to defaults before deleting. Otherwise NSS | |
| 128 // somehow seems to remember the trust which can break following tests. | |
| 129 SECStatus srv = CERT_ChangeCertTrust( | |
| 130 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); | |
| 131 if (srv != SECSuccess) | |
| 132 ok = false; | |
| 133 | |
| 134 if (!cert_db_->DeleteCertAndKey(certs[i].get())) | |
| 135 ok = false; | |
| 136 } | |
| 137 return ok; | |
| 138 } | |
| 139 | |
| 140 crypto::ScopedTestNSSDB test_nssdb_; | 118 crypto::ScopedTestNSSDB test_nssdb_; |
| 141 }; | 119 }; |
| 142 | 120 |
| 143 TEST_F(CertDatabaseNSSTest, ListCertsSync) { | 121 TEST_F(CertDatabaseNSSTest, ListCertsSync) { |
| 144 // This test isn't terribly useful, though it will at least let valgrind test | 122 // This test isn't terribly useful, though it will at least let valgrind test |
| 145 // for leaks. | 123 // for leaks. |
| 146 CertificateList certs; | 124 CertificateList certs; |
| 147 cert_db_->ListCertsSync(&certs); | 125 cert_db_->ListCertsSync(&certs); |
| 148 // The test DB is empty, but let's assume there will always be something in | 126 // The test DB is empty, but let's assume there will always be something in |
| 149 // the other slots. | 127 // the other slots. |
| (...skipping 12 matching lines...) Expand all Loading... |
| 162 | 140 |
| 163 // The test DB is empty, but let's assume there will always be something in | 141 // The test DB is empty, but let's assume there will always be something in |
| 164 // the other slots. | 142 // the other slots. |
| 165 EXPECT_LT(0U, certs.size()); | 143 EXPECT_LT(0U, certs.size()); |
| 166 } | 144 } |
| 167 | 145 |
| 168 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { | 146 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { |
| 169 std::string pkcs12_data = ReadTestFile("client.p12"); | 147 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 170 | 148 |
| 171 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, | 149 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, |
| 172 cert_db_->ImportFromPKCS12(slot_.get(), | 150 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 173 pkcs12_data, | 151 pkcs12_data, |
| 174 base::string16(), | 152 base::string16(), |
| 175 true, // is_extractable | 153 true, // is_extractable |
| 176 NULL)); | 154 NULL)); |
| 177 | 155 |
| 178 // Test db should still be empty. | 156 // Test db should still be empty. |
| 179 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 157 EXPECT_EQ(0U, ListCerts().size()); |
| 180 } | 158 } |
| 181 | 159 |
| 182 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) { | 160 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) { |
| 183 std::string pkcs12_data = ReadTestFile("client.p12"); | 161 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 184 | 162 |
| 185 EXPECT_EQ(OK, | 163 EXPECT_EQ(OK, |
| 186 cert_db_->ImportFromPKCS12(slot_.get(), | 164 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 187 pkcs12_data, | 165 pkcs12_data, |
| 188 ASCIIToUTF16("12345"), | 166 ASCIIToUTF16("12345"), |
| 189 true, // is_extractable | 167 true, // is_extractable |
| 190 NULL)); | 168 NULL)); |
| 191 | 169 |
| 192 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 170 CertificateList cert_list = ListCerts(); |
| 193 ASSERT_EQ(1U, cert_list.size()); | 171 ASSERT_EQ(1U, cert_list.size()); |
| 194 scoped_refptr<X509Certificate> cert(cert_list[0]); | 172 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 195 | 173 |
| 196 EXPECT_EQ("testusercert", | 174 EXPECT_EQ("testusercert", |
| 197 cert->subject().common_name); | 175 cert->subject().common_name); |
| 198 | 176 |
| 199 // TODO(mattm): move export test to separate test case? | 177 // TODO(mattm): move export test to separate test case? |
| 200 std::string exported_data; | 178 std::string exported_data; |
| 201 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 179 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
| 202 &exported_data)); | 180 &exported_data)); |
| 203 ASSERT_LT(0U, exported_data.size()); | 181 ASSERT_LT(0U, exported_data.size()); |
| 204 // TODO(mattm): further verification of exported data? | 182 // TODO(mattm): further verification of exported data? |
| 205 } | 183 } |
| 206 | 184 |
| 207 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) { | 185 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) { |
| 208 std::string pkcs12_data = ReadTestFile("client.p12"); | 186 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 209 | 187 |
| 210 EXPECT_EQ(OK, | 188 EXPECT_EQ(OK, |
| 211 cert_db_->ImportFromPKCS12(slot_.get(), | 189 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 212 pkcs12_data, | 190 pkcs12_data, |
| 213 ASCIIToUTF16("12345"), | 191 ASCIIToUTF16("12345"), |
| 214 true, // is_extractable | 192 true, // is_extractable |
| 215 NULL)); | 193 NULL)); |
| 216 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); | 194 EXPECT_EQ(1U, ListCerts().size()); |
| 217 | 195 |
| 218 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like | 196 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like |
| 219 // it's ever used. This test verifies that. | 197 // it's ever used. This test verifies that. |
| 220 EXPECT_EQ(OK, | 198 EXPECT_EQ(OK, |
| 221 cert_db_->ImportFromPKCS12(slot_.get(), | 199 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 222 pkcs12_data, | 200 pkcs12_data, |
| 223 ASCIIToUTF16("12345"), | 201 ASCIIToUTF16("12345"), |
| 224 true, // is_extractable | 202 true, // is_extractable |
| 225 NULL)); | 203 NULL)); |
| 226 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); | 204 EXPECT_EQ(1U, ListCerts().size()); |
| 227 } | 205 } |
| 228 | 206 |
| 229 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) { | 207 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) { |
| 230 std::string pkcs12_data = ReadTestFile("client.p12"); | 208 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 231 | 209 |
| 232 EXPECT_EQ(OK, | 210 EXPECT_EQ(OK, |
| 233 cert_db_->ImportFromPKCS12(slot_.get(), | 211 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 234 pkcs12_data, | 212 pkcs12_data, |
| 235 ASCIIToUTF16("12345"), | 213 ASCIIToUTF16("12345"), |
| 236 false, // is_extractable | 214 false, // is_extractable |
| 237 NULL)); | 215 NULL)); |
| 238 | 216 |
| 239 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 217 CertificateList cert_list = ListCerts(); |
| 240 ASSERT_EQ(1U, cert_list.size()); | 218 ASSERT_EQ(1U, cert_list.size()); |
| 241 scoped_refptr<X509Certificate> cert(cert_list[0]); | 219 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 242 | 220 |
| 243 EXPECT_EQ("testusercert", | 221 EXPECT_EQ("testusercert", |
| 244 cert->subject().common_name); | 222 cert->subject().common_name); |
| 245 | 223 |
| 246 std::string exported_data; | 224 std::string exported_data; |
| 247 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 225 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
| 248 &exported_data)); | 226 &exported_data)); |
| 249 } | 227 } |
| 250 | 228 |
| 251 // Importing a PKCS#12 file with a certificate but no corresponding | 229 // Importing a PKCS#12 file with a certificate but no corresponding |
| 252 // private key should not mark an existing private key as unextractable. | 230 // private key should not mark an existing private key as unextractable. |
| 253 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) { | 231 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) { |
| 254 std::string pkcs12_data = ReadTestFile("client.p12"); | 232 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 255 EXPECT_EQ(OK, | 233 EXPECT_EQ(OK, |
| 256 cert_db_->ImportFromPKCS12(slot_.get(), | 234 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 257 pkcs12_data, | 235 pkcs12_data, |
| 258 ASCIIToUTF16("12345"), | 236 ASCIIToUTF16("12345"), |
| 259 true, // is_extractable | 237 true, // is_extractable |
| 260 NULL)); | 238 NULL)); |
| 261 | 239 |
| 262 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 240 CertificateList cert_list = ListCerts(); |
| 263 ASSERT_EQ(1U, cert_list.size()); | 241 ASSERT_EQ(1U, cert_list.size()); |
| 264 | 242 |
| 265 // Now import a PKCS#12 file with just a certificate but no private key. | 243 // Now import a PKCS#12 file with just a certificate but no private key. |
| 266 pkcs12_data = ReadTestFile("client-nokey.p12"); | 244 pkcs12_data = ReadTestFile("client-nokey.p12"); |
| 267 EXPECT_EQ(OK, | 245 EXPECT_EQ(OK, |
| 268 cert_db_->ImportFromPKCS12(slot_.get(), | 246 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 269 pkcs12_data, | 247 pkcs12_data, |
| 270 ASCIIToUTF16("12345"), | 248 ASCIIToUTF16("12345"), |
| 271 false, // is_extractable | 249 false, // is_extractable |
| 272 NULL)); | 250 NULL)); |
| 273 | 251 |
| 274 cert_list = ListCertsInSlot(slot_->os_module_handle()); | 252 cert_list = ListCerts(); |
| 275 ASSERT_EQ(1U, cert_list.size()); | 253 ASSERT_EQ(1U, cert_list.size()); |
| 276 | 254 |
| 277 // Make sure the imported private key is still extractable. | 255 // Make sure the imported private key is still extractable. |
| 278 std::string exported_data; | 256 std::string exported_data; |
| 279 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 257 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
| 280 &exported_data)); | 258 &exported_data)); |
| 281 ASSERT_LT(0U, exported_data.size()); | 259 ASSERT_LT(0U, exported_data.size()); |
| 282 } | 260 } |
| 283 | 261 |
| 284 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) { | 262 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) { |
| 285 std::string pkcs12_data = "Foobarbaz"; | 263 std::string pkcs12_data = "Foobarbaz"; |
| 286 | 264 |
| 287 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE, | 265 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE, |
| 288 cert_db_->ImportFromPKCS12(slot_.get(), | 266 cert_db_->ImportFromPKCS12(GetPublicModule(), |
| 289 pkcs12_data, | 267 pkcs12_data, |
| 290 base::string16(), | 268 base::string16(), |
| 291 true, // is_extractable | 269 true, // is_extractable |
| 292 NULL)); | 270 NULL)); |
| 293 | 271 |
| 294 // Test db should still be empty. | 272 // Test db should still be empty. |
| 295 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 273 EXPECT_EQ(0U, ListCerts().size()); |
| 296 } | 274 } |
| 297 | 275 |
| 298 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { | 276 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { |
| 299 CertificateList certs = CreateCertificateListFromFile( | 277 CertificateList certs = CreateCertificateListFromFile( |
| 300 GetTestCertsDirectory(), "root_ca_cert.pem", | 278 GetTestCertsDirectory(), "root_ca_cert.pem", |
| 301 X509Certificate::FORMAT_AUTO); | 279 X509Certificate::FORMAT_AUTO); |
| 302 ASSERT_EQ(1U, certs.size()); | 280 ASSERT_EQ(1U, certs.size()); |
| 303 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 281 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 304 | 282 |
| 305 // Import it. | 283 // Import it. |
| 306 NSSCertDatabase::ImportCertFailureList failed; | 284 NSSCertDatabase::ImportCertFailureList failed; |
| 307 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, | 285 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, |
| 308 &failed)); | 286 &failed)); |
| 309 | 287 |
| 310 EXPECT_EQ(0U, failed.size()); | 288 EXPECT_EQ(0U, failed.size()); |
| 311 | 289 |
| 312 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 290 CertificateList cert_list = ListCerts(); |
| 313 ASSERT_EQ(1U, cert_list.size()); | 291 ASSERT_EQ(1U, cert_list.size()); |
| 314 scoped_refptr<X509Certificate> cert(cert_list[0]); | 292 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 315 EXPECT_EQ("Test Root CA", cert->subject().common_name); | 293 EXPECT_EQ("Test Root CA", cert->subject().common_name); |
| 316 | 294 |
| 317 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, | 295 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, |
| 318 cert_db_->GetCertTrust(cert.get(), CA_CERT)); | 296 cert_db_->GetCertTrust(cert.get(), CA_CERT)); |
| 319 | 297 |
| 320 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | | 298 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| 321 CERTDB_TRUSTED_CLIENT_CA), | 299 CERTDB_TRUSTED_CLIENT_CA), |
| 322 cert->os_cert_handle()->trust->sslFlags); | 300 cert->os_cert_handle()->trust->sslFlags); |
| (...skipping 10 matching lines...) Expand all Loading... |
| 333 ASSERT_EQ(1U, certs.size()); | 311 ASSERT_EQ(1U, certs.size()); |
| 334 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 312 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 335 | 313 |
| 336 // Import it. | 314 // Import it. |
| 337 NSSCertDatabase::ImportCertFailureList failed; | 315 NSSCertDatabase::ImportCertFailureList failed; |
| 338 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL, | 316 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL, |
| 339 &failed)); | 317 &failed)); |
| 340 | 318 |
| 341 EXPECT_EQ(0U, failed.size()); | 319 EXPECT_EQ(0U, failed.size()); |
| 342 | 320 |
| 343 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 321 CertificateList cert_list = ListCerts(); |
| 344 ASSERT_EQ(1U, cert_list.size()); | 322 ASSERT_EQ(1U, cert_list.size()); |
| 345 scoped_refptr<X509Certificate> cert(cert_list[0]); | 323 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 346 EXPECT_EQ("Test Root CA", cert->subject().common_name); | 324 EXPECT_EQ("Test Root CA", cert->subject().common_name); |
| 347 | 325 |
| 348 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL, | 326 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL, |
| 349 cert_db_->GetCertTrust(cert.get(), CA_CERT)); | 327 cert_db_->GetCertTrust(cert.get(), CA_CERT)); |
| 350 | 328 |
| 351 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 329 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 352 cert->os_cert_handle()->trust->sslFlags); | 330 cert->os_cert_handle()->trust->sslFlags); |
| 353 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | | 331 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| (...skipping 10 matching lines...) Expand all Loading... |
| 364 ASSERT_EQ(1U, certs.size()); | 342 ASSERT_EQ(1U, certs.size()); |
| 365 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 343 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 366 | 344 |
| 367 // Import it. | 345 // Import it. |
| 368 NSSCertDatabase::ImportCertFailureList failed; | 346 NSSCertDatabase::ImportCertFailureList failed; |
| 369 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN, | 347 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN, |
| 370 &failed)); | 348 &failed)); |
| 371 | 349 |
| 372 EXPECT_EQ(0U, failed.size()); | 350 EXPECT_EQ(0U, failed.size()); |
| 373 | 351 |
| 374 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 352 CertificateList cert_list = ListCerts(); |
| 375 ASSERT_EQ(1U, cert_list.size()); | 353 ASSERT_EQ(1U, cert_list.size()); |
| 376 scoped_refptr<X509Certificate> cert(cert_list[0]); | 354 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 377 EXPECT_EQ("Test Root CA", cert->subject().common_name); | 355 EXPECT_EQ("Test Root CA", cert->subject().common_name); |
| 378 | 356 |
| 379 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN, | 357 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN, |
| 380 cert_db_->GetCertTrust(cert.get(), CA_CERT)); | 358 cert_db_->GetCertTrust(cert.get(), CA_CERT)); |
| 381 | 359 |
| 382 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 360 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 383 cert->os_cert_handle()->trust->sslFlags); | 361 cert->os_cert_handle()->trust->sslFlags); |
| 384 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 362 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| (...skipping 14 matching lines...) Expand all Loading... |
| 399 NSSCertDatabase::ImportCertFailureList failed; | 377 NSSCertDatabase::ImportCertFailureList failed; |
| 400 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, | 378 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, |
| 401 &failed)); | 379 &failed)); |
| 402 ASSERT_EQ(1U, failed.size()); | 380 ASSERT_EQ(1U, failed.size()); |
| 403 // Note: this compares pointers directly. It's okay in this case because | 381 // Note: this compares pointers directly. It's okay in this case because |
| 404 // ImportCACerts returns the same pointers that were passed in. In the | 382 // ImportCACerts returns the same pointers that were passed in. In the |
| 405 // general case IsSameOSCert should be used. | 383 // general case IsSameOSCert should be used. |
| 406 EXPECT_EQ(certs[0], failed[0].certificate); | 384 EXPECT_EQ(certs[0], failed[0].certificate); |
| 407 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); | 385 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); |
| 408 | 386 |
| 409 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 387 EXPECT_EQ(0U, ListCerts().size()); |
| 410 } | 388 } |
| 411 | 389 |
| 412 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { | 390 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { |
| 413 CertificateList certs; | 391 CertificateList certs; |
| 414 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 392 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 415 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 393 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 416 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); | 394 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); |
| 417 | 395 |
| 418 // Import it. | 396 // Import it. |
| 419 NSSCertDatabase::ImportCertFailureList failed; | 397 NSSCertDatabase::ImportCertFailureList failed; |
| 420 // Have to specify email trust for the cert verification of the child cert to | 398 // Have to specify email trust for the cert verification of the child cert to |
| 421 // work (see | 399 // work (see |
| 422 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 | 400 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 |
| 423 // "XXX This choice of trustType seems arbitrary.") | 401 // "XXX This choice of trustType seems arbitrary.") |
| 424 EXPECT_TRUE(cert_db_->ImportCACerts( | 402 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 425 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, | 403 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 426 &failed)); | 404 &failed)); |
| 427 | 405 |
| 428 ASSERT_EQ(2U, failed.size()); | 406 ASSERT_EQ(2U, failed.size()); |
| 429 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); | 407 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); |
| 430 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. | 408 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. |
| 431 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); | 409 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); |
| 432 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); | 410 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); |
| 433 | 411 |
| 434 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 412 CertificateList cert_list = ListCerts(); |
| 435 ASSERT_EQ(1U, cert_list.size()); | 413 ASSERT_EQ(1U, cert_list.size()); |
| 436 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 414 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 437 } | 415 } |
| 438 | 416 |
| 439 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { | 417 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { |
| 440 CertificateList certs; | 418 CertificateList certs; |
| 441 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 419 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 442 | 420 |
| 443 // First import just the root. | 421 // First import just the root. |
| 444 NSSCertDatabase::ImportCertFailureList failed; | 422 NSSCertDatabase::ImportCertFailureList failed; |
| 445 EXPECT_TRUE(cert_db_->ImportCACerts( | 423 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 446 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, | 424 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 447 &failed)); | 425 &failed)); |
| 448 | 426 |
| 449 EXPECT_EQ(0U, failed.size()); | 427 EXPECT_EQ(0U, failed.size()); |
| 450 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 428 CertificateList cert_list = ListCerts(); |
| 451 ASSERT_EQ(1U, cert_list.size()); | 429 ASSERT_EQ(1U, cert_list.size()); |
| 452 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 430 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 453 | 431 |
| 454 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 432 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 455 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); | 433 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); |
| 456 | 434 |
| 457 // Now import with the other certs in the list too. Even though the root is | 435 // Now import with the other certs in the list too. Even though the root is |
| 458 // already present, we should still import the rest. | 436 // already present, we should still import the rest. |
| 459 failed.clear(); | 437 failed.clear(); |
| 460 EXPECT_TRUE(cert_db_->ImportCACerts( | 438 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 461 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, | 439 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 462 &failed)); | 440 &failed)); |
| 463 | 441 |
| 464 ASSERT_EQ(3U, failed.size()); | 442 ASSERT_EQ(3U, failed.size()); |
| 465 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); | 443 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); |
| 466 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); | 444 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); |
| 467 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 445 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 468 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. | 446 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. |
| 469 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name); | 447 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name); |
| 470 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error); | 448 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error); |
| 471 | 449 |
| 472 cert_list = ListCertsInSlot(slot_->os_module_handle()); | 450 cert_list = ListCerts(); |
| 473 ASSERT_EQ(1U, cert_list.size()); | 451 ASSERT_EQ(1U, cert_list.size()); |
| 474 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 452 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 475 } | 453 } |
| 476 | 454 |
| 477 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { | 455 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { |
| 478 CertificateList certs; | 456 CertificateList certs; |
| 479 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 457 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 480 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 458 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 481 | 459 |
| 482 // Import it. | 460 // Import it. |
| 483 NSSCertDatabase::ImportCertFailureList failed; | 461 NSSCertDatabase::ImportCertFailureList failed; |
| 484 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT, | 462 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 485 &failed)); | 463 &failed)); |
| 486 | 464 |
| 487 ASSERT_EQ(1U, failed.size()); | 465 ASSERT_EQ(1U, failed.size()); |
| 488 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); | 466 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); |
| 489 // TODO(mattm): should check for net error equivalent of | 467 // TODO(mattm): should check for net error equivalent of |
| 490 // SEC_ERROR_UNTRUSTED_ISSUER | 468 // SEC_ERROR_UNTRUSTED_ISSUER |
| 491 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 469 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
| 492 | 470 |
| 493 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 471 CertificateList cert_list = ListCerts(); |
| 494 ASSERT_EQ(1U, cert_list.size()); | 472 ASSERT_EQ(1U, cert_list.size()); |
| 495 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 473 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 496 } | 474 } |
| 497 | 475 |
| 498 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { | 476 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { |
| 499 CertificateList certs; | 477 CertificateList certs; |
| 500 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 478 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 501 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 479 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
| 502 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 480 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 503 | 481 |
| 504 // Import it. | 482 // Import it. |
| 505 NSSCertDatabase::ImportCertFailureList failed; | 483 NSSCertDatabase::ImportCertFailureList failed; |
| 506 EXPECT_TRUE(cert_db_->ImportCACerts( | 484 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 507 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, | 485 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, |
| 508 &failed)); | 486 &failed)); |
| 509 | 487 |
| 510 EXPECT_EQ(2U, failed.size()); | 488 EXPECT_EQ(2U, failed.size()); |
| 511 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); | 489 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); |
| 512 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. | 490 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. |
| 513 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 491 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 514 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. | 492 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. |
| 515 | 493 |
| 516 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 494 CertificateList cert_list = ListCerts(); |
| 517 ASSERT_EQ(1U, cert_list.size()); | 495 ASSERT_EQ(1U, cert_list.size()); |
| 518 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 496 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 519 } | 497 } |
| 520 | 498 |
| 521 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { | 499 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { |
| 522 CertificateList certs = CreateCertificateListFromFile( | 500 CertificateList certs = CreateCertificateListFromFile( |
| 523 GetTestCertsDirectory(), "root_ca_cert.pem", | 501 GetTestCertsDirectory(), "root_ca_cert.pem", |
| 524 X509Certificate::FORMAT_AUTO); | 502 X509Certificate::FORMAT_AUTO); |
| 525 ASSERT_EQ(1U, certs.size()); | 503 ASSERT_EQ(1U, certs.size()); |
| 526 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 504 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
| 527 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 505 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 528 | 506 |
| 529 // Import it. | 507 // Import it. |
| 530 NSSCertDatabase::ImportCertFailureList failed; | 508 NSSCertDatabase::ImportCertFailureList failed; |
| 531 EXPECT_TRUE(cert_db_->ImportCACerts( | 509 EXPECT_TRUE(cert_db_->ImportCACerts( |
| 532 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL | | 510 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL | |
| 533 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed)); | 511 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed)); |
| 534 | 512 |
| 535 ASSERT_EQ(2U, failed.size()); | 513 ASSERT_EQ(2U, failed.size()); |
| 536 // TODO(mattm): should check for net error equivalent of | 514 // TODO(mattm): should check for net error equivalent of |
| 537 // SEC_ERROR_UNKNOWN_ISSUER | 515 // SEC_ERROR_UNKNOWN_ISSUER |
| 538 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); | 516 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); |
| 539 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 517 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
| 540 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 518 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 541 EXPECT_EQ(ERR_FAILED, failed[1].net_error); | 519 EXPECT_EQ(ERR_FAILED, failed[1].net_error); |
| 542 | 520 |
| 543 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 521 CertificateList cert_list = ListCerts(); |
| 544 ASSERT_EQ(1U, cert_list.size()); | 522 ASSERT_EQ(1U, cert_list.size()); |
| 545 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name); | 523 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name); |
| 546 } | 524 } |
| 547 | 525 |
| 548 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired | 526 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired |
| 549 // certificate. | 527 // certificate. |
| 550 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { | 528 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { |
| 551 // Need to import intermediate cert for the verify of google cert, otherwise | 529 // Need to import intermediate cert for the verify of google cert, otherwise |
| 552 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which | 530 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which |
| 553 // will cause OCSPCreateSession on the main thread, which is not allowed. | 531 // will cause OCSPCreateSession on the main thread, which is not allowed. |
| 554 CertificateList certs = CreateCertificateListFromFile( | 532 CertificateList certs = CreateCertificateListFromFile( |
| 555 GetTestCertsDirectory(), "google.chain.pem", | 533 GetTestCertsDirectory(), "google.chain.pem", |
| 556 X509Certificate::FORMAT_AUTO); | 534 X509Certificate::FORMAT_AUTO); |
| 557 ASSERT_EQ(2U, certs.size()); | 535 ASSERT_EQ(2U, certs.size()); |
| 558 | 536 |
| 559 NSSCertDatabase::ImportCertFailureList failed; | 537 NSSCertDatabase::ImportCertFailureList failed; |
| 560 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, | 538 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 561 &failed)); | 539 &failed)); |
| 562 | 540 |
| 563 EXPECT_EQ(0U, failed.size()); | 541 EXPECT_EQ(0U, failed.size()); |
| 564 | 542 |
| 565 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 543 CertificateList cert_list = ListCerts(); |
| 566 ASSERT_EQ(2U, cert_list.size()); | 544 ASSERT_EQ(2U, cert_list.size()); |
| 567 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); | 545 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); |
| 568 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); | 546 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); |
| 569 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); | 547 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); |
| 570 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 548 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
| 571 | 549 |
| 572 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 550 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 573 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); | 551 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| 574 | 552 |
| 575 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); | 553 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); |
| (...skipping 14 matching lines...) Expand all Loading... |
| 590 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 568 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| 591 CertificateList certs; | 569 CertificateList certs; |
| 592 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 570 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 593 | 571 |
| 594 NSSCertDatabase::ImportCertFailureList failed; | 572 NSSCertDatabase::ImportCertFailureList failed; |
| 595 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, | 573 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 596 &failed)); | 574 &failed)); |
| 597 | 575 |
| 598 EXPECT_EQ(0U, failed.size()); | 576 EXPECT_EQ(0U, failed.size()); |
| 599 | 577 |
| 600 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 578 CertificateList cert_list = ListCerts(); |
| 601 ASSERT_EQ(1U, cert_list.size()); | 579 ASSERT_EQ(1U, cert_list.size()); |
| 602 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 580 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 603 | 581 |
| 604 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 582 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 605 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 583 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 606 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); | 584 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); |
| 607 | 585 |
| 608 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 586 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 609 int flags = 0; | 587 int flags = 0; |
| 610 CertVerifyResult verify_result; | 588 CertVerifyResult verify_result; |
| (...skipping 10 matching lines...) Expand all Loading... |
| 621 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { | 599 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { |
| 622 CertificateList certs; | 600 CertificateList certs; |
| 623 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 601 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 624 | 602 |
| 625 NSSCertDatabase::ImportCertFailureList failed; | 603 NSSCertDatabase::ImportCertFailureList failed; |
| 626 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, | 604 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, |
| 627 &failed)); | 605 &failed)); |
| 628 | 606 |
| 629 EXPECT_EQ(0U, failed.size()); | 607 EXPECT_EQ(0U, failed.size()); |
| 630 | 608 |
| 631 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 609 CertificateList cert_list = ListCerts(); |
| 632 ASSERT_EQ(1U, cert_list.size()); | 610 ASSERT_EQ(1U, cert_list.size()); |
| 633 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 611 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 634 | 612 |
| 635 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, | 613 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, |
| 636 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 614 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 637 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), | 615 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), |
| 638 puny_cert->os_cert_handle()->trust->sslFlags); | 616 puny_cert->os_cert_handle()->trust->sslFlags); |
| 639 | 617 |
| 640 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 618 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 641 int flags = 0; | 619 int flags = 0; |
| (...skipping 362 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1004 // Importing two certificates with the same issuer and subject common name, | 982 // Importing two certificates with the same issuer and subject common name, |
| 1005 // but overall distinct subject names, should succeed and generate a unique | 983 // but overall distinct subject names, should succeed and generate a unique |
| 1006 // nickname for the second certificate. | 984 // nickname for the second certificate. |
| 1007 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { | 985 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { |
| 1008 CertificateList certs = | 986 CertificateList certs = |
| 1009 CreateCertificateListFromFile(GetTestCertsDirectory(), | 987 CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 1010 "duplicate_cn_1.pem", | 988 "duplicate_cn_1.pem", |
| 1011 X509Certificate::FORMAT_AUTO); | 989 X509Certificate::FORMAT_AUTO); |
| 1012 ASSERT_EQ(1U, certs.size()); | 990 ASSERT_EQ(1U, certs.size()); |
| 1013 | 991 |
| 1014 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 992 EXPECT_EQ(0U, ListCerts().size()); |
| 1015 | 993 |
| 1016 // Import server cert with default trust. | 994 // Import server cert with default trust. |
| 1017 NSSCertDatabase::ImportCertFailureList failed; | 995 NSSCertDatabase::ImportCertFailureList failed; |
| 1018 EXPECT_TRUE(cert_db_->ImportServerCert( | 996 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 1019 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 997 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 1020 EXPECT_EQ(0U, failed.size()); | 998 EXPECT_EQ(0U, failed.size()); |
| 1021 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 999 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 1022 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); | 1000 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 1023 | 1001 |
| 1024 CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle()); | 1002 CertificateList new_certs = ListCerts(); |
| 1025 ASSERT_EQ(1U, new_certs.size()); | 1003 ASSERT_EQ(1U, new_certs.size()); |
| 1026 | 1004 |
| 1027 // Now attempt to import a different certificate with the same common name. | 1005 // Now attempt to import a different certificate with the same common name. |
| 1028 CertificateList certs2 = | 1006 CertificateList certs2 = |
| 1029 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1007 CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 1030 "duplicate_cn_2.pem", | 1008 "duplicate_cn_2.pem", |
| 1031 X509Certificate::FORMAT_AUTO); | 1009 X509Certificate::FORMAT_AUTO); |
| 1032 ASSERT_EQ(1U, certs2.size()); | 1010 ASSERT_EQ(1U, certs2.size()); |
| 1033 | 1011 |
| 1034 // Import server cert with default trust. | 1012 // Import server cert with default trust. |
| 1035 EXPECT_TRUE(cert_db_->ImportServerCert( | 1013 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 1036 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 1014 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 1037 EXPECT_EQ(0U, failed.size()); | 1015 EXPECT_EQ(0U, failed.size()); |
| 1038 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 1016 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 1039 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); | 1017 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); |
| 1040 | 1018 |
| 1041 new_certs = ListCertsInSlot(slot_->os_module_handle()); | 1019 new_certs = ListCerts(); |
| 1042 ASSERT_EQ(2U, new_certs.size()); | 1020 ASSERT_EQ(2U, new_certs.size()); |
| 1043 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, | 1021 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, |
| 1044 new_certs[1]->os_cert_handle()->nickname); | 1022 new_certs[1]->os_cert_handle()->nickname); |
| 1045 } | 1023 } |
| 1046 | 1024 |
| 1047 } // namespace net | 1025 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 405973003:
Remove the deprecated NSSCertDatabase::GetInstance() . (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src