OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/nss_profile_filter_chromeos.h" | 5 #include "net/cert/nss_profile_filter_chromeos.h" |
6 | 6 |
7 #include <cert.h> | 7 #include <cert.h> |
8 #include <pk11pub.h> | 8 #include <pk11pub.h> |
9 #include <secmod.h> | 9 #include <secmod.h> |
10 | 10 |
11 #include "crypto/nss_util_internal.h" | 11 #include "crypto/nss_util_internal.h" |
12 #include "crypto/scoped_nss_types.h" | 12 #include "crypto/scoped_nss_types.h" |
13 #include "crypto/scoped_test_nss_chromeos_user.h" | 13 #include "crypto/scoped_test_nss_chromeos_user.h" |
| 14 #include "crypto/scoped_test_nss_db.h" |
14 #include "net/base/test_data_directory.h" | 15 #include "net/base/test_data_directory.h" |
15 #include "net/test/cert_test_util.h" | 16 #include "net/test/cert_test_util.h" |
16 #include "testing/gtest/include/gtest/gtest.h" | 17 #include "testing/gtest/include/gtest/gtest.h" |
17 | 18 |
18 namespace net { | 19 namespace net { |
19 | 20 |
20 namespace { | 21 namespace { |
21 | 22 |
22 crypto::ScopedPK11Slot GetRootCertsSlot() { | 23 crypto::ScopedPK11Slot GetRootCertsSlot() { |
23 crypto::AutoSECMODListReadLock auto_lock; | 24 crypto::AutoSECMODListReadLock auto_lock; |
(...skipping 27 matching lines...) Expand all Loading... |
51 return result; | 52 return result; |
52 } | 53 } |
53 | 54 |
54 } | 55 } |
55 | 56 |
56 class NSSProfileFilterChromeOSTest : public testing::Test { | 57 class NSSProfileFilterChromeOSTest : public testing::Test { |
57 public: | 58 public: |
58 NSSProfileFilterChromeOSTest() : user_1_("user1"), user_2_("user2") {} | 59 NSSProfileFilterChromeOSTest() : user_1_("user1"), user_2_("user2") {} |
59 | 60 |
60 virtual void SetUp() OVERRIDE { | 61 virtual void SetUp() OVERRIDE { |
61 // Initialize nss_util slots. | 62 ASSERT_TRUE(system_slot_user_.is_open()); |
62 ASSERT_TRUE(user_1_.constructed_successfully()); | 63 ASSERT_TRUE(user_1_.constructed_successfully()); |
63 ASSERT_TRUE(user_2_.constructed_successfully()); | 64 ASSERT_TRUE(user_2_.constructed_successfully()); |
64 user_1_.FinishInit(); | 65 user_1_.FinishInit(); |
65 user_2_.FinishInit(); | 66 user_2_.FinishInit(); |
66 | 67 |
67 // TODO(mattm): more accurately test public/private slot filtering somehow. | 68 // TODO(mattm): more accurately test public/private slot filtering somehow. |
68 // (The slots used to initialize a profile filter should be separate slots | 69 // (The slots used to initialize a profile filter should be separate slots |
69 // in separate modules, while ScopedTestNSSChromeOSUser uses the same slot | 70 // in separate modules, while ScopedTestNSSChromeOSUser uses the same slot |
70 // for both.) | 71 // for both.) |
71 crypto::ScopedPK11Slot private_slot_1(crypto::GetPrivateSlotForChromeOSUser( | 72 crypto::ScopedPK11Slot private_slot_1(crypto::GetPrivateSlotForChromeOSUser( |
72 user_1_.username_hash(), | 73 user_1_.username_hash(), |
73 base::Callback<void(crypto::ScopedPK11Slot)>())); | 74 base::Callback<void(crypto::ScopedPK11Slot)>())); |
74 ASSERT_TRUE(private_slot_1.get()); | 75 ASSERT_TRUE(private_slot_1.get()); |
75 profile_filter_1_.Init( | 76 profile_filter_1_.Init( |
76 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash()), | 77 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash()), |
77 private_slot_1.Pass()); | 78 private_slot_1.Pass(), |
| 79 get_system_slot()); |
78 | 80 |
79 profile_filter_1_copy_ = profile_filter_1_; | 81 profile_filter_1_copy_ = profile_filter_1_; |
80 | 82 |
81 crypto::ScopedPK11Slot private_slot_2(crypto::GetPrivateSlotForChromeOSUser( | 83 crypto::ScopedPK11Slot private_slot_2(crypto::GetPrivateSlotForChromeOSUser( |
82 user_2_.username_hash(), | 84 user_2_.username_hash(), |
83 base::Callback<void(crypto::ScopedPK11Slot)>())); | 85 base::Callback<void(crypto::ScopedPK11Slot)>())); |
84 ASSERT_TRUE(private_slot_2.get()); | 86 ASSERT_TRUE(private_slot_2.get()); |
85 profile_filter_2_.Init( | 87 profile_filter_2_.Init( |
86 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash()), | 88 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash()), |
87 private_slot_2.Pass()); | 89 private_slot_2.Pass(), |
| 90 crypto::ScopedPK11Slot() /* no system slot */); |
88 | 91 |
89 certs_ = CreateCertificateListFromFile(GetTestCertsDirectory(), | 92 certs_ = CreateCertificateListFromFile(GetTestCertsDirectory(), |
90 "root_ca_cert.pem", | 93 "root_ca_cert.pem", |
91 X509Certificate::FORMAT_AUTO); | 94 X509Certificate::FORMAT_AUTO); |
92 ASSERT_EQ(1U, certs_.size()); | 95 ASSERT_EQ(1U, certs_.size()); |
93 } | 96 } |
94 | 97 |
| 98 crypto::ScopedPK11Slot get_system_slot() { |
| 99 return crypto::ScopedPK11Slot(PK11_ReferenceSlot(system_slot_user_.slot())); |
| 100 } |
| 101 |
95 protected: | 102 protected: |
96 CertificateList certs_; | 103 CertificateList certs_; |
| 104 crypto::ScopedTestNSSDB system_slot_user_; |
97 crypto::ScopedTestNSSChromeOSUser user_1_; | 105 crypto::ScopedTestNSSChromeOSUser user_1_; |
98 crypto::ScopedTestNSSChromeOSUser user_2_; | 106 crypto::ScopedTestNSSChromeOSUser user_2_; |
99 NSSProfileFilterChromeOS no_slots_profile_filter_; | 107 NSSProfileFilterChromeOS no_slots_profile_filter_; |
100 NSSProfileFilterChromeOS profile_filter_1_; | 108 NSSProfileFilterChromeOS profile_filter_1_; |
101 NSSProfileFilterChromeOS profile_filter_2_; | 109 NSSProfileFilterChromeOS profile_filter_2_; |
102 NSSProfileFilterChromeOS profile_filter_1_copy_; | 110 NSSProfileFilterChromeOS profile_filter_1_copy_; |
103 }; | 111 }; |
104 | 112 |
105 TEST_F(NSSProfileFilterChromeOSTest, TempCertNotAllowed) { | 113 TEST_F(NSSProfileFilterChromeOSTest, TempCertNotAllowed) { |
106 EXPECT_EQ(NULL, certs_[0]->os_cert_handle()->slot); | 114 EXPECT_EQ(NULL, certs_[0]->os_cert_handle()->slot); |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
141 ASSERT_FALSE(root_certs.empty()); | 149 ASSERT_FALSE(root_certs.empty()); |
142 EXPECT_TRUE( | 150 EXPECT_TRUE( |
143 no_slots_profile_filter_.IsCertAllowed(root_certs[0]->os_cert_handle())); | 151 no_slots_profile_filter_.IsCertAllowed(root_certs[0]->os_cert_handle())); |
144 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(root_certs[0]->os_cert_handle())); | 152 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(root_certs[0]->os_cert_handle())); |
145 EXPECT_TRUE( | 153 EXPECT_TRUE( |
146 profile_filter_1_copy_.IsCertAllowed(root_certs[0]->os_cert_handle())); | 154 profile_filter_1_copy_.IsCertAllowed(root_certs[0]->os_cert_handle())); |
147 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(root_certs[0]->os_cert_handle())); | 155 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(root_certs[0]->os_cert_handle())); |
148 } | 156 } |
149 | 157 |
150 TEST_F(NSSProfileFilterChromeOSTest, SoftwareSlots) { | 158 TEST_F(NSSProfileFilterChromeOSTest, SoftwareSlots) { |
| 159 crypto::ScopedPK11Slot system_slot(get_system_slot()); |
151 crypto::ScopedPK11Slot slot_1( | 160 crypto::ScopedPK11Slot slot_1( |
152 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash())); | 161 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash())); |
153 ASSERT_TRUE(slot_1); | 162 ASSERT_TRUE(slot_1); |
154 crypto::ScopedPK11Slot slot_2( | 163 crypto::ScopedPK11Slot slot_2( |
155 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash())); | 164 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash())); |
156 ASSERT_TRUE(slot_2); | 165 ASSERT_TRUE(slot_2); |
157 | 166 |
158 scoped_refptr<X509Certificate> cert_1 = certs_[0]; | 167 scoped_refptr<X509Certificate> cert_1 = certs_[0]; |
159 CertificateList certs_2 = CreateCertificateListFromFile( | 168 CertificateList certs_2 = CreateCertificateListFromFile( |
160 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); | 169 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); |
161 ASSERT_EQ(1U, certs_2.size()); | 170 ASSERT_EQ(1U, certs_2.size()); |
162 scoped_refptr<X509Certificate> cert_2 = certs_2[0]; | 171 scoped_refptr<X509Certificate> cert_2 = certs_2[0]; |
| 172 CertificateList system_certs = |
| 173 CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 174 "mit.davidben.der", |
| 175 X509Certificate::FORMAT_AUTO); |
| 176 ASSERT_EQ(1U, system_certs.size()); |
| 177 scoped_refptr<X509Certificate> system_cert = system_certs[0]; |
163 | 178 |
164 ASSERT_EQ(SECSuccess, | 179 ASSERT_EQ(SECSuccess, |
165 PK11_ImportCert(slot_1.get(), | 180 PK11_ImportCert(slot_1.get(), |
166 cert_1->os_cert_handle(), | 181 cert_1->os_cert_handle(), |
167 CK_INVALID_HANDLE, | 182 CK_INVALID_HANDLE, |
168 "cert1", | 183 "cert1", |
169 PR_FALSE /* includeTrust (unused) */)); | 184 PR_FALSE /* includeTrust (unused) */)); |
170 | 185 |
171 ASSERT_EQ(SECSuccess, | 186 ASSERT_EQ(SECSuccess, |
172 PK11_ImportCert(slot_2.get(), | 187 PK11_ImportCert(slot_2.get(), |
173 cert_2->os_cert_handle(), | 188 cert_2->os_cert_handle(), |
174 CK_INVALID_HANDLE, | 189 CK_INVALID_HANDLE, |
175 "cert2", | 190 "cert2", |
176 PR_FALSE /* includeTrust (unused) */)); | 191 PR_FALSE /* includeTrust (unused) */)); |
| 192 ASSERT_EQ(SECSuccess, |
| 193 PK11_ImportCert(system_slot.get(), |
| 194 system_cert->os_cert_handle(), |
| 195 CK_INVALID_HANDLE, |
| 196 "systemcert", |
| 197 PR_FALSE /* includeTrust (unused) */)); |
177 | 198 |
178 EXPECT_FALSE( | 199 EXPECT_FALSE( |
179 no_slots_profile_filter_.IsCertAllowed(cert_1->os_cert_handle())); | 200 no_slots_profile_filter_.IsCertAllowed(cert_1->os_cert_handle())); |
180 EXPECT_FALSE( | 201 EXPECT_FALSE( |
181 no_slots_profile_filter_.IsCertAllowed(cert_2->os_cert_handle())); | 202 no_slots_profile_filter_.IsCertAllowed(cert_2->os_cert_handle())); |
| 203 EXPECT_FALSE( |
| 204 no_slots_profile_filter_.IsCertAllowed(system_cert->os_cert_handle())); |
182 | 205 |
183 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(cert_1->os_cert_handle())); | 206 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(cert_1->os_cert_handle())); |
184 EXPECT_TRUE(profile_filter_1_copy_.IsCertAllowed(cert_1->os_cert_handle())); | 207 EXPECT_TRUE(profile_filter_1_copy_.IsCertAllowed(cert_1->os_cert_handle())); |
185 EXPECT_FALSE(profile_filter_1_.IsCertAllowed(cert_2->os_cert_handle())); | 208 EXPECT_FALSE(profile_filter_1_.IsCertAllowed(cert_2->os_cert_handle())); |
186 EXPECT_FALSE(profile_filter_1_copy_.IsCertAllowed(cert_2->os_cert_handle())); | 209 EXPECT_FALSE(profile_filter_1_copy_.IsCertAllowed(cert_2->os_cert_handle())); |
| 210 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(system_cert->os_cert_handle())); |
| 211 EXPECT_TRUE( |
| 212 profile_filter_1_copy_.IsCertAllowed(system_cert->os_cert_handle())); |
187 | 213 |
188 EXPECT_FALSE(profile_filter_2_.IsCertAllowed(cert_1->os_cert_handle())); | 214 EXPECT_FALSE(profile_filter_2_.IsCertAllowed(cert_1->os_cert_handle())); |
189 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(cert_2->os_cert_handle())); | 215 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(cert_2->os_cert_handle())); |
| 216 EXPECT_FALSE(profile_filter_2_.IsCertAllowed(system_cert->os_cert_handle())); |
190 } | 217 } |
191 | 218 |
192 } // namespace net | 219 } // namespace net |
OLD | NEW |