| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h" | |
| 6 | |
| 7 #include "base/bind.h" | |
| 8 #include "base/bind_helpers.h" | |
| 9 #include "base/callback.h" | |
| 10 #include "base/memory/ref_counted.h" | |
| 11 #include "base/memory/scoped_ptr.h" | |
| 12 #include "base/run_loop.h" | |
| 13 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h" | |
| 14 #include "content/public/browser/browser_thread.h" | |
| 15 #include "content/public/test/test_browser_thread_bundle.h" | |
| 16 #include "crypto/nss_util.h" | |
| 17 #include "crypto/nss_util_internal.h" | |
| 18 #include "net/base/net_log.h" | |
| 19 #include "net/base/test_completion_callback.h" | |
| 20 #include "net/base/test_data_directory.h" | |
| 21 #include "net/cert/cert_trust_anchor_provider.h" | |
| 22 #include "net/cert/cert_verify_result.h" | |
| 23 #include "net/cert/nss_cert_database.h" | |
| 24 #include "net/cert/x509_certificate.h" | |
| 25 #include "net/test/cert_test_util.h" | |
| 26 #include "testing/gtest/include/gtest/gtest.h" | |
| 27 | |
| 28 namespace policy { | |
| 29 | |
| 30 // This is actually a unit test, but is linked with browser_tests because | |
| 31 // importing a certificate into the NSS test database persists for the duration | |
| 32 // of a process; since each browser_test runs in a separate process then this | |
| 33 // won't affect subsequent tests. | |
| 34 // This can be moved to the unittests target once the TODO in ~ScopedTestNSSDB | |
| 35 // is fixed. | |
| 36 class PolicyCertVerifierTest : public testing::Test { | |
| 37 public: | |
| 38 PolicyCertVerifierTest() : cert_db_(NULL), trust_anchor_used_(false) {} | |
| 39 | |
| 40 virtual ~PolicyCertVerifierTest() {} | |
| 41 | |
| 42 virtual void SetUp() OVERRIDE { | |
| 43 ASSERT_TRUE(test_nssdb_.is_open()); | |
| 44 cert_db_ = net::NSSCertDatabase::GetInstance(); | |
| 45 | |
| 46 cert_verifier_.reset(new PolicyCertVerifier(base::Bind( | |
| 47 &PolicyCertVerifierTest::OnTrustAnchorUsed, base::Unretained(this)))); | |
| 48 cert_verifier_->InitializeOnIOThread(new chromeos::CertVerifyProcChromeOS( | |
| 49 crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot()))); | |
| 50 | |
| 51 test_ca_cert_ = LoadCertificate("root_ca_cert.pem", net::CA_CERT); | |
| 52 ASSERT_TRUE(test_ca_cert_); | |
| 53 test_server_cert_ = LoadCertificate("ok_cert.pem", net::SERVER_CERT); | |
| 54 ASSERT_TRUE(test_server_cert_); | |
| 55 test_ca_cert_list_.push_back(test_ca_cert_); | |
| 56 } | |
| 57 | |
| 58 virtual void TearDown() OVERRIDE { | |
| 59 // Destroy |cert_verifier_| before destroying the ThreadBundle, otherwise | |
| 60 // BrowserThread::CurrentlyOn checks fail. | |
| 61 cert_verifier_.reset(); | |
| 62 } | |
| 63 | |
| 64 protected: | |
| 65 int VerifyTestServerCert(const net::TestCompletionCallback& test_callback, | |
| 66 net::CertVerifyResult* verify_result, | |
| 67 net::CertVerifier::RequestHandle* request_handle) { | |
| 68 return cert_verifier_->Verify(test_server_cert_.get(), | |
| 69 "127.0.0.1", | |
| 70 0, | |
| 71 NULL, | |
| 72 verify_result, | |
| 73 test_callback.callback(), | |
| 74 request_handle, | |
| 75 net::BoundNetLog()); | |
| 76 } | |
| 77 | |
| 78 bool SupportsAdditionalTrustAnchors() { | |
| 79 scoped_refptr<net::CertVerifyProc> proc = | |
| 80 net::CertVerifyProc::CreateDefault(); | |
| 81 return proc->SupportsAdditionalTrustAnchors(); | |
| 82 } | |
| 83 | |
| 84 // Returns whether |cert_verifier| signalled usage of one of the additional | |
| 85 // trust anchors (i.e. of |test_ca_cert_|) for the first time or since the | |
| 86 // last call of this function. | |
| 87 bool WasTrustAnchorUsedAndReset() { | |
| 88 base::RunLoop().RunUntilIdle(); | |
| 89 bool result = trust_anchor_used_; | |
| 90 trust_anchor_used_ = false; | |
| 91 return result; | |
| 92 } | |
| 93 | |
| 94 // |test_ca_cert_| is the issuer of |test_server_cert_|. | |
| 95 scoped_refptr<net::X509Certificate> test_ca_cert_; | |
| 96 scoped_refptr<net::X509Certificate> test_server_cert_; | |
| 97 net::CertificateList test_ca_cert_list_; | |
| 98 net::NSSCertDatabase* cert_db_; | |
| 99 scoped_ptr<PolicyCertVerifier> cert_verifier_; | |
| 100 | |
| 101 private: | |
| 102 void OnTrustAnchorUsed() { | |
| 103 trust_anchor_used_ = true; | |
| 104 } | |
| 105 | |
| 106 scoped_refptr<net::X509Certificate> LoadCertificate(const std::string& name, | |
| 107 net::CertType type) { | |
| 108 scoped_refptr<net::X509Certificate> cert = | |
| 109 net::ImportCertFromFile(net::GetTestCertsDirectory(), name); | |
| 110 | |
| 111 // No certificate is trusted right after it's loaded. | |
| 112 net::NSSCertDatabase::TrustBits trust = | |
| 113 cert_db_->GetCertTrust(cert.get(), type); | |
| 114 EXPECT_EQ(net::NSSCertDatabase::TRUST_DEFAULT, trust); | |
| 115 | |
| 116 return cert; | |
| 117 } | |
| 118 | |
| 119 bool trust_anchor_used_; | |
| 120 crypto::ScopedTestNSSDB test_nssdb_; | |
| 121 content::TestBrowserThreadBundle thread_bundle_; | |
| 122 }; | |
| 123 | |
| 124 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) { | |
| 125 // |test_server_cert_| is untrusted, so Verify() fails. | |
| 126 { | |
| 127 net::CertVerifyResult verify_result; | |
| 128 net::TestCompletionCallback callback; | |
| 129 net::CertVerifier::RequestHandle request_handle = NULL; | |
| 130 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | |
| 131 ASSERT_EQ(net::ERR_IO_PENDING, error); | |
| 132 EXPECT_TRUE(request_handle); | |
| 133 error = callback.WaitForResult(); | |
| 134 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | |
| 135 } | |
| 136 | |
| 137 // Issuing the same request again hits the cache. This tests the synchronous | |
| 138 // path. | |
| 139 { | |
| 140 net::CertVerifyResult verify_result; | |
| 141 net::TestCompletionCallback callback; | |
| 142 net::CertVerifier::RequestHandle request_handle = NULL; | |
| 143 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | |
| 144 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | |
| 145 } | |
| 146 | |
| 147 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | |
| 148 } | |
| 149 | |
| 150 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) { | |
| 151 // Make the database trust |test_ca_cert_|. | |
| 152 net::NSSCertDatabase::ImportCertFailureList failure_list; | |
| 153 ASSERT_TRUE(cert_db_->ImportCACerts( | |
| 154 test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list)); | |
| 155 ASSERT_TRUE(failure_list.empty()); | |
| 156 | |
| 157 // Verify that it is now trusted. | |
| 158 net::NSSCertDatabase::TrustBits trust = | |
| 159 cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT); | |
| 160 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust); | |
| 161 | |
| 162 // Verify() successfully verifies |test_server_cert_| after it was imported. | |
| 163 net::CertVerifyResult verify_result; | |
| 164 net::TestCompletionCallback callback; | |
| 165 net::CertVerifier::RequestHandle request_handle = NULL; | |
| 166 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | |
| 167 ASSERT_EQ(net::ERR_IO_PENDING, error); | |
| 168 EXPECT_TRUE(request_handle); | |
| 169 error = callback.WaitForResult(); | |
| 170 EXPECT_EQ(net::OK, error); | |
| 171 | |
| 172 // The additional trust anchors were not used, since the certificate is | |
| 173 // trusted from the database. | |
| 174 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | |
| 175 } | |
| 176 | |
| 177 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) { | |
| 178 ASSERT_TRUE(SupportsAdditionalTrustAnchors()); | |
| 179 | |
| 180 // |test_server_cert_| is untrusted, so Verify() fails. | |
| 181 { | |
| 182 net::CertVerifyResult verify_result; | |
| 183 net::TestCompletionCallback callback; | |
| 184 net::CertVerifier::RequestHandle request_handle = NULL; | |
| 185 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | |
| 186 ASSERT_EQ(net::ERR_IO_PENDING, error); | |
| 187 EXPECT_TRUE(request_handle); | |
| 188 error = callback.WaitForResult(); | |
| 189 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | |
| 190 } | |
| 191 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | |
| 192 | |
| 193 // Verify() again with the additional trust anchors. | |
| 194 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); | |
| 195 { | |
| 196 net::CertVerifyResult verify_result; | |
| 197 net::TestCompletionCallback callback; | |
| 198 net::CertVerifier::RequestHandle request_handle = NULL; | |
| 199 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | |
| 200 ASSERT_EQ(net::ERR_IO_PENDING, error); | |
| 201 EXPECT_TRUE(request_handle); | |
| 202 error = callback.WaitForResult(); | |
| 203 EXPECT_EQ(net::OK, error); | |
| 204 } | |
| 205 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); | |
| 206 | |
| 207 // Verify() again with the additional trust anchors will hit the cache. | |
| 208 cert_verifier_->SetTrustAnchors(test_ca_cert_list_); | |
| 209 { | |
| 210 net::CertVerifyResult verify_result; | |
| 211 net::TestCompletionCallback callback; | |
| 212 net::CertVerifier::RequestHandle request_handle = NULL; | |
| 213 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | |
| 214 EXPECT_EQ(net::OK, error); | |
| 215 } | |
| 216 EXPECT_TRUE(WasTrustAnchorUsedAndReset()); | |
| 217 | |
| 218 // Verifying after removing the trust anchors should now fail. | |
| 219 cert_verifier_->SetTrustAnchors(net::CertificateList()); | |
| 220 { | |
| 221 net::CertVerifyResult verify_result; | |
| 222 net::TestCompletionCallback callback; | |
| 223 net::CertVerifier::RequestHandle request_handle = NULL; | |
| 224 int error = VerifyTestServerCert(callback, &verify_result, &request_handle); | |
| 225 // Note: this hits the cached result from the first Verify() in this test. | |
| 226 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | |
| 227 } | |
| 228 // The additional trust anchors were reset, thus |cert_verifier_| should not | |
| 229 // signal it's usage anymore. | |
| 230 EXPECT_FALSE(WasTrustAnchorUsedAndReset()); | |
| 231 } | |
| 232 | |
| 233 } // namespace policy | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 407443008:
Fix cert DB usage in PolicyCertVerifier test. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src