chrome/browser/chromeos/policy/policy_cert_verifier_unittest.cc - Issue 419213003: Move PolicyCertVerifier test back to browser_tests.

Side by Side Diff: chrome/browser/chromeos/policy/policy_cert_verifier_unittest.cc

Issue 419213003: Move PolicyCertVerifier test back to browser_tests. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 6 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
	(Empty)
1 // Copyright 2014 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.

4

5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h"

6

7 #include "base/bind.h"

8 #include "base/bind_helpers.h"

9 #include "base/callback.h"

10 #include "base/memory/ref_counted.h"

11 #include "base/memory/scoped_ptr.h"

12 #include "base/run_loop.h"

13 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h"

14 #include "content/public/browser/browser_thread.h"

15 #include "content/public/test/test_browser_thread_bundle.h"

16 #include "crypto/nss_util.h"

17 #include "crypto/nss_util_internal.h"

18 #include "net/base/net_log.h"

19 #include "net/base/test_completion_callback.h"

20 #include "net/base/test_data_directory.h"

21 #include "net/cert/cert_trust_anchor_provider.h"

22 #include "net/cert/cert_verify_result.h"

23 #include "net/cert/nss_cert_database_chromeos.h"

24 #include "net/cert/x509_certificate.h"

25 #include "net/test/cert_test_util.h"

26 #include "testing/gtest/include/gtest/gtest.h"

27

28 namespace policy {

29

30 class PolicyCertVerifierTest : public testing::Test {

31 public:

32 PolicyCertVerifierTest()

33 : trust_anchor_used_(false), test_nss_user_("user1") {}

34

35 virtual ~PolicyCertVerifierTest() {}

36

37 virtual void SetUp() OVERRIDE {

38 ASSERT_TRUE(test_nss_user_.constructed_successfully());

39 test_nss_user_.FinishInit();

40

41 test_cert_db_.reset(new net::NSSCertDatabaseChromeOS(

42 crypto::GetPublicSlotForChromeOSUser(test_nss_user_.username_hash()),

43 crypto::GetPrivateSlotForChromeOSUser(

44 test_nss_user_.username_hash(),

45 base::Callback<void(crypto::ScopedPK11Slot)>())));

46 test_cert_db_->SetSlowTaskRunnerForTest(base::MessageLoopProxy::current());

47

48 cert_verifier_.reset(new PolicyCertVerifier(base::Bind(

49 &PolicyCertVerifierTest::OnTrustAnchorUsed, base::Unretained(this))));

50 cert_verifier_->InitializeOnIOThread(new chromeos::CertVerifyProcChromeOS(

51 crypto::GetPublicSlotForChromeOSUser(test_nss_user_.username_hash())));

52

53 test_ca_cert_ = LoadCertificate("root_ca_cert.pem", net::CA_CERT);

54 ASSERT_TRUE(test_ca_cert_);

55 test_server_cert_ = LoadCertificate("ok_cert.pem", net::SERVER_CERT);

56 ASSERT_TRUE(test_server_cert_);

57 test_ca_cert_list_.push_back(test_ca_cert_);

58 }

59

60 virtual void TearDown() OVERRIDE {

61 // Destroy \|cert_verifier_\| before destroying the ThreadBundle, otherwise

62 // BrowserThread::CurrentlyOn checks fail.

63 cert_verifier_.reset();

64 }

65

66 protected:

67 int VerifyTestServerCert(const net::TestCompletionCallback& test_callback,

68 net::CertVerifyResult* verify_result,

69 net::CertVerifier::RequestHandle* request_handle) {

70 return cert_verifier_->Verify(test_server_cert_.get(),

71 "127.0.0.1",

72 0,

73 NULL,

74 verify_result,

75 test_callback.callback(),

76 request_handle,

77 net::BoundNetLog());

78 }

79

80 bool SupportsAdditionalTrustAnchors() {

81 scoped_refptr<net::CertVerifyProc> proc =

82 net::CertVerifyProc::CreateDefault();

83 return proc->SupportsAdditionalTrustAnchors();

84 }

85

86 // Returns whether \|cert_verifier\| signalled usage of one of the additional

87 // trust anchors (i.e. of \|test_ca_cert_\|) for the first time or since the

88 // last call of this function.

89 bool WasTrustAnchorUsedAndReset() {

90 base::RunLoop().RunUntilIdle();

91 bool result = trust_anchor_used_;

92 trust_anchor_used_ = false;

93 return result;

94 }

95

96 // \|test_ca_cert_\| is the issuer of \|test_server_cert_\|.

97 scoped_refptr<net::X509Certificate> test_ca_cert_;

98 scoped_refptr<net::X509Certificate> test_server_cert_;

99 net::CertificateList test_ca_cert_list_;

100 scoped_ptr<net::NSSCertDatabaseChromeOS> test_cert_db_;

101 scoped_ptr<PolicyCertVerifier> cert_verifier_;

102

103 private:

104 void OnTrustAnchorUsed() {

105 trust_anchor_used_ = true;

106 }

107

108 scoped_refptr<net::X509Certificate> LoadCertificate(const std::string& name,

109 net::CertType type) {

110 scoped_refptr<net::X509Certificate> cert =

111 net::ImportCertFromFile(net::GetTestCertsDirectory(), name);

112

113 // No certificate is trusted right after it's loaded.

114 net::NSSCertDatabase::TrustBits trust =

115 test_cert_db_->GetCertTrust(cert.get(), type);

116 EXPECT_EQ(net::NSSCertDatabase::TRUST_DEFAULT, trust);

117

118 return cert;

119 }

120

121 bool trust_anchor_used_;

122 crypto::ScopedTestNSSChromeOSUser test_nss_user_;

123 content::TestBrowserThreadBundle thread_bundle_;

124 };

125

126 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) {

127 // \|test_server_cert_\| is untrusted, so Verify() fails.

128 {

129 net::CertVerifyResult verify_result;

130 net::TestCompletionCallback callback;

131 net::CertVerifier::RequestHandle request_handle = NULL;

132 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);

133 ASSERT_EQ(net::ERR_IO_PENDING, error);

134 EXPECT_TRUE(request_handle);

135 error = callback.WaitForResult();

136 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);

137 }

138

139 // Issuing the same request again hits the cache. This tests the synchronous

140 // path.

141 {

142 net::CertVerifyResult verify_result;

143 net::TestCompletionCallback callback;

144 net::CertVerifier::RequestHandle request_handle = NULL;

145 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);

146 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);

147 }

148

149 EXPECT_FALSE(WasTrustAnchorUsedAndReset());

150 }

151

152 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) {

153 // Make the database trust \|test_ca_cert_\|.

154 net::NSSCertDatabase::ImportCertFailureList failure_list;

155 ASSERT_TRUE(test_cert_db_->ImportCACerts(

156 test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list));

157 ASSERT_TRUE(failure_list.empty());

158

159 // Verify that it is now trusted.

160 net::NSSCertDatabase::TrustBits trust =

161 test_cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT);

162 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust);

163

164 // Verify() successfully verifies \|test_server_cert_\| after it was imported.

165 net::CertVerifyResult verify_result;

166 net::TestCompletionCallback callback;

167 net::CertVerifier::RequestHandle request_handle = NULL;

168 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);

169 ASSERT_EQ(net::ERR_IO_PENDING, error);

170 EXPECT_TRUE(request_handle);

171 error = callback.WaitForResult();

172 EXPECT_EQ(net::OK, error);

173

174 // The additional trust anchors were not used, since the certificate is

175 // trusted from the database.

176 EXPECT_FALSE(WasTrustAnchorUsedAndReset());

177 }

178

179 // http://crbug.com/396497

180 TEST_F(PolicyCertVerifierTest, DISABLED_VerifyUsingAdditionalTrustAnchor) {

181 ASSERT_TRUE(SupportsAdditionalTrustAnchors());

182

183 // \|test_server_cert_\| is untrusted, so Verify() fails.

184 {

185 net::CertVerifyResult verify_result;

186 net::TestCompletionCallback callback;

187 net::CertVerifier::RequestHandle request_handle = NULL;

188 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);

189 ASSERT_EQ(net::ERR_IO_PENDING, error);

190 EXPECT_TRUE(request_handle);

191 error = callback.WaitForResult();

192 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);

193 }

194 EXPECT_FALSE(WasTrustAnchorUsedAndReset());

195

196 // Verify() again with the additional trust anchors.

197 cert_verifier_->SetTrustAnchors(test_ca_cert_list_);

198 {

199 net::CertVerifyResult verify_result;

200 net::TestCompletionCallback callback;

201 net::CertVerifier::RequestHandle request_handle = NULL;

202 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);

203 ASSERT_EQ(net::ERR_IO_PENDING, error);

204 EXPECT_TRUE(request_handle);

205 error = callback.WaitForResult();

206 EXPECT_EQ(net::OK, error);

207 }

208 EXPECT_TRUE(WasTrustAnchorUsedAndReset());

209

210 // Verify() again with the additional trust anchors will hit the cache.

211 cert_verifier_->SetTrustAnchors(test_ca_cert_list_);

212 {

213 net::CertVerifyResult verify_result;

214 net::TestCompletionCallback callback;

215 net::CertVerifier::RequestHandle request_handle = NULL;

216 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);

217 EXPECT_EQ(net::OK, error);

218 }

219 EXPECT_TRUE(WasTrustAnchorUsedAndReset());

220

221 // Verifying after removing the trust anchors should now fail.

222 cert_verifier_->SetTrustAnchors(net::CertificateList());

223 {

224 net::CertVerifyResult verify_result;

225 net::TestCompletionCallback callback;

226 net::CertVerifier::RequestHandle request_handle = NULL;

227 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);

228 // Note: this hits the cached result from the first Verify() in this test.

229 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);

230 }

231 // The additional trust anchors were reset, thus \|cert_verifier_\| should not

232 // signal it's usage anymore.

233 EXPECT_FALSE(WasTrustAnchorUsedAndReset());

234 }

235

236 } // namespace policy

OLD	NEW

« no previous file with comments | « chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc ('k') | chrome/chrome_tests.gypi » ('j') | no next file with comments »