Enable system NSS key slot.

net/ssl/client_cert_store_chromeos_unittest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/ssl/client_cert_store_chromeos.h"
 
 #include <string>
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/file_util.h"
 #include "base/run_loop.h"
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 #include "crypto/rsa_private_key.h"
 #include "crypto/scoped_test_nss_chromeos_user.h"
+#include "crypto/scoped_test_system_nss_key_slot.h"
 #include "net/base/test_data_directory.h"
 #include "net/cert/cert_type.h"
 #include "net/cert/x509_certificate.h"
 #include "net/ssl/client_cert_store_unittest-inl.h"
 #include "net/test/cert_test_util.h"
 
 namespace net {
 
 namespace {
 
 bool ImportClientCertToSlot(const scoped_refptr<X509Certificate>& cert,
                             PK11SlotInfo* slot) {
   std::string nickname = cert->GetDefaultNickname(USER_CERT);
   {
     crypto::AutoNSSWriteLock lock;
     SECStatus rv = PK11_ImportCert(slot,
                                    cert->os_cert_handle(),
                                    CK_INVALID_HANDLE,
                                    nickname.c_str(),
                                    PR_FALSE);
     if (rv != SECSuccess) {
       LOG(ERROR) << "Could not import cert";
       return false;
     }
   }
   return true;
 }
 
+enum ReadFromSlot {
+  READ_FROM_SLOT_USER,
+  READ_FROM_SLOT_SYSTEM
+};
+
+enum SystemSlotAvailability {
+  SYSTEM_SLOT_AVAILABILITY_ENABLED,
+  SYSTEM_SLOT_AVAILABILITY_DISABLED
+};
+
 }  // namespace
 
 // Define a delegate to be used for instantiating the parameterized test set
 // ClientCertStoreTest.
+template <ReadFromSlot read_from,
+          SystemSlotAvailability system_slot_availability>
 class ClientCertStoreChromeOSTestDelegate {
  public:
   ClientCertStoreChromeOSTestDelegate()
       : user_("scopeduser"),
-        store_(user_.username_hash(),
+        store_(system_slot_availability == SYSTEM_SLOT_AVAILABILITY_ENABLED,
+               user_.username_hash(),
                ClientCertStoreChromeOS::PasswordDelegateFactory()) {
     // Defer futher initialization and checks to SelectClientCerts, because the
     // constructor doesn't allow us to return an initialization result. Could be
     // cleaned up by adding an Init() function.
   }
 
   // Called by the ClientCertStoreTest tests.
   // |inpurt_certs| contains certificates to select from. Because
   // ClientCertStoreChromeOS filters also for the right slot, we have to import
   // the certs at first.
   // Since the certs are imported, the store can be tested by using its public
   // interface (GetClientCerts), which will read the certs from NSS.
   bool SelectClientCerts(const CertificateList& input_certs,
                          const SSLCertRequestInfo& cert_request_info,
                          CertificateList* selected_certs) {
     if (!user_.constructed_successfully()) {
       LOG(ERROR) << "Scoped test user DB could not be constructed.";
       return false;
     }
     user_.FinishInit();
 
-    crypto::ScopedPK11Slot slot(
-        crypto::GetPublicSlotForChromeOSUser(user_.username_hash()));
+    crypto::ScopedPK11Slot slot;
+    switch (read_from) {
+      case READ_FROM_SLOT_USER:
+        slot = crypto::GetPublicSlotForChromeOSUser(user_.username_hash());
+        break;
+      case READ_FROM_SLOT_SYSTEM:
+        slot.reset(PK11_ReferenceSlot(system_db_.slot()));
+        break;
+      default:
+        CHECK(false);
+    }
     if (!slot) {
-      LOG(ERROR) << "Could not get the user's public slot";
+      LOG(ERROR) << "Could not get the NSS key slot";
       return false;
     }
 
     // Only user certs are considered for the cert request, which means that the
     // private key must be known to NSS. Import all private keys for certs that
     // are used througout the test.
     if (!ImportSensitiveKeyFromFile(
             GetTestCertsDirectory(), "client_1.pk8", slot.get()) ||
         !ImportSensitiveKeyFromFile(
             GetTestCertsDirectory(), "client_2.pk8", slot.get())) {
       return false;
     }
 
     for (CertificateList::const_iterator it = input_certs.begin();
          it != input_certs.end();
          ++it) {
       if (!ImportClientCertToSlot(*it, slot.get()))
         return false;
     }
     base::RunLoop run_loop;
     store_.GetClientCerts(
         cert_request_info, selected_certs, run_loop.QuitClosure());
     run_loop.Run();
     return true;
   }
 
  private:
   crypto::ScopedTestNSSChromeOSUser user_;
+  crypto::ScopedTestSystemNSSKeySlot system_db_;
   ClientCertStoreChromeOS store_;
 };
 
 // ClientCertStoreChromeOS derives from ClientCertStoreNSS and delegates the
 // filtering by issuer to that base class.
 // To verify that this delegation is functional, run the same filtering tests as
 // for the other implementations. These tests are defined in
 // client_cert_store_unittest-inl.h and are instantiated for each platform.
-INSTANTIATE_TYPED_TEST_CASE_P(ChromeOS,
+
+// In this case, all requested certs are read from the user's slot and the
+// system slot is not enabled in the store.
+typedef ClientCertStoreChromeOSTestDelegate<READ_FROM_SLOT_USER,
+                                            SYSTEM_SLOT_AVAILABILITY_DISABLED>
+    DelegateReadUserDisableSystem;
+INSTANTIATE_TYPED_TEST_CASE_P(ChromeOS_ReadUserDisableSystem,
                               ClientCertStoreTest,
-                              ClientCertStoreChromeOSTestDelegate);
+                              DelegateReadUserDisableSystem);
+
+// In this case, all requested certs are read from the user's slot and the
+// system slot is enabled in the store.
+typedef ClientCertStoreChromeOSTestDelegate<READ_FROM_SLOT_USER,
+                                            SYSTEM_SLOT_AVAILABILITY_ENABLED>
+    DelegateReadUserEnableSystem;
+INSTANTIATE_TYPED_TEST_CASE_P(ChromeOS_ReadUserEnableSystem,
+                              ClientCertStoreTest,
+                              DelegateReadUserEnableSystem);
+
+// In this case, all requested certs are read from the system slot, therefore
+// the system slot is enabled in the store.
+typedef ClientCertStoreChromeOSTestDelegate<READ_FROM_SLOT_SYSTEM,
+                                            SYSTEM_SLOT_AVAILABILITY_ENABLED>
+    DelegateReadSystem;
+INSTANTIATE_TYPED_TEST_CASE_P(ChromeOS_ReadSystem,
+                              ClientCertStoreTest,
+                              DelegateReadSystem);
 
 class ClientCertStoreChromeOSTest : public ::testing::Test {
  public:
-  scoped_refptr<X509Certificate> ImportCertForUser(
-      const std::string& username_hash,
+  scoped_refptr<X509Certificate> ImportCertToSlot(
       const std::string& cert_filename,
-      const std::string& key_filename) {
-    crypto::ScopedPK11Slot slot(
-        crypto::GetPublicSlotForChromeOSUser(username_hash));
-    if (!slot) {
-      LOG(ERROR) << "No slot for user " << username_hash;
+      const std::string& key_filename,
+      PK11SlotInfo* slot) {
+    if (!ImportSensitiveKeyFromFile(
+            GetTestCertsDirectory(), key_filename, slot)) {
+      LOG(ERROR) << "Could not import private key from file " << key_filename;
       return NULL;
     }
 
-    if (!ImportSensitiveKeyFromFile(
-            GetTestCertsDirectory(), key_filename, slot.get())) {
-      LOG(ERROR) << "Could not import private key for user " << username_hash;
-      return NULL;
-    }
-
     scoped_refptr<X509Certificate> cert(
         ImportCertFromFile(GetTestCertsDirectory(), cert_filename));
 
     if (!cert) {
       LOG(ERROR) << "Failed to parse cert from file " << cert_filename;
       return NULL;
     }
 
-    if (!ImportClientCertToSlot(cert, slot.get()))
+    if (!ImportClientCertToSlot(cert, slot))
       return NULL;
 
     // |cert| continues to point to the original X509Certificate before the
     // import to |slot|. However this should not make a difference for this
     // test.
     return cert;
   }
+
+  scoped_refptr<X509Certificate> ImportCertForUser(
+      const std::string& username_hash,
+      const std::string& cert_filename,
+      const std::string& key_filename) {
+    crypto::ScopedPK11Slot slot(
+        crypto::GetPublicSlotForChromeOSUser(username_hash));
+    if (!slot) {
+      LOG(ERROR) << "No slot for user " << username_hash;
+      return NULL;
+    }
+
+    return ImportCertToSlot(cert_filename, key_filename, slot.get());
+  }
+
 };
 
 // Ensure that cert requests, that are started before the user's NSS DB is
 // initialized, will wait for the initialization and succeed afterwards.
 TEST_F(ClientCertStoreChromeOSTest, RequestWaitsForNSSInitAndSucceeds) {
   crypto::ScopedTestNSSChromeOSUser user("scopeduser");
   ASSERT_TRUE(user.constructed_successfully());
+
+  crypto::ScopedTestSystemNSSKeySlot system_slot;
+
   ClientCertStoreChromeOS store(
-      user.username_hash(), ClientCertStoreChromeOS::PasswordDelegateFactory());
+      true /* use system slot */,
+      user.username_hash(),
+      ClientCertStoreChromeOS::PasswordDelegateFactory());
   scoped_refptr<X509Certificate> cert_1(
       ImportCertForUser(user.username_hash(), "client_1.pem", "client_1.pk8"));
   ASSERT_TRUE(cert_1);
 
   // Request any client certificate, which is expected to match client_1.
   scoped_refptr<SSLCertRequestInfo> request_all(new SSLCertRequestInfo());
 
   base::RunLoop run_loop;
   store.GetClientCerts(
       *request_all, &request_all->client_certs, run_loop.QuitClosure());
@@ skipping 14 matching lines @@
   ASSERT_EQ(1u, request_all->client_certs.size());
 }
 
 // Ensure that cert requests, that are started after the user's NSS DB was
 // initialized, will succeed.
 TEST_F(ClientCertStoreChromeOSTest, RequestsAfterNSSInitSucceed) {
   crypto::ScopedTestNSSChromeOSUser user("scopeduser");
   ASSERT_TRUE(user.constructed_successfully());
   user.FinishInit();
 
+  crypto::ScopedTestSystemNSSKeySlot system_slot;
+
   ClientCertStoreChromeOS store(
-      user.username_hash(), ClientCertStoreChromeOS::PasswordDelegateFactory());
+      true /* use system slot */,
+      user.username_hash(),
+      ClientCertStoreChromeOS::PasswordDelegateFactory());
   scoped_refptr<X509Certificate> cert_1(
       ImportCertForUser(user.username_hash(), "client_1.pem", "client_1.pk8"));
   ASSERT_TRUE(cert_1);
 
   scoped_refptr<SSLCertRequestInfo> request_all(new SSLCertRequestInfo());
 
   base::RunLoop run_loop;
   store.GetClientCerts(
       *request_all, &request_all->client_certs, run_loop.QuitClosure());
   run_loop.Run();
 
   ASSERT_EQ(1u, request_all->client_certs.size());
 }
 
 // This verifies that a request in the context of User1 doesn't see certificates
 // of User2, and the other way round. We check both directions, to ensure that
 // the behavior doesn't depend on initialization order of the DBs, for example.
-TEST_F(ClientCertStoreChromeOSTest, RequestDoesCrossReadSecondDB) {
+TEST_F(ClientCertStoreChromeOSTest, RequestDoesCrossReadOtherUserDB) {
   crypto::ScopedTestNSSChromeOSUser user1("scopeduser1");
   ASSERT_TRUE(user1.constructed_successfully());
   crypto::ScopedTestNSSChromeOSUser user2("scopeduser2");
   ASSERT_TRUE(user2.constructed_successfully());
 
   user1.FinishInit();
   user2.FinishInit();
 
+  crypto::ScopedTestSystemNSSKeySlot system_slot;
+
   ClientCertStoreChromeOS store1(
+      true /* use system slot */,
       user1.username_hash(),
       ClientCertStoreChromeOS::PasswordDelegateFactory());
   ClientCertStoreChromeOS store2(
+      true /* use system slot */,
       user2.username_hash(),
       ClientCertStoreChromeOS::PasswordDelegateFactory());
 
   scoped_refptr<X509Certificate> cert_1(
       ImportCertForUser(user1.username_hash(), "client_1.pem", "client_1.pk8"));
   ASSERT_TRUE(cert_1);
   scoped_refptr<X509Certificate> cert_2(
       ImportCertForUser(user2.username_hash(), "client_2.pem", "client_2.pk8"));
   ASSERT_TRUE(cert_2);
 
@@ skipping 13 matching lines @@
 
   // store1 should only return certs of user1, namely cert_1.
   ASSERT_EQ(1u, selected_certs1.size());
   EXPECT_TRUE(cert_1->Equals(selected_certs1[0]));
 
   // store2 should only return certs of user2, namely cert_2.
   ASSERT_EQ(1u, selected_certs2.size());
   EXPECT_TRUE(cert_2->Equals(selected_certs2[0]));
 }
 
+// This verifies that a request in the context of User1 doesn't see certificates
+// of the system store if the system store is disabled.
+TEST_F(ClientCertStoreChromeOSTest, RequestDoesCrossReadSystemDB) {
+  crypto::ScopedTestNSSChromeOSUser user1("scopeduser1");
+  ASSERT_TRUE(user1.constructed_successfully());
+
+  user1.FinishInit();
+
+  crypto::ScopedTestSystemNSSKeySlot system_slot;
+
+  ClientCertStoreChromeOS store(
+      false /* do not use system slot */,
+      user1.username_hash(),
+      ClientCertStoreChromeOS::PasswordDelegateFactory());
+
+  scoped_refptr<X509Certificate> cert_1(
+      ImportCertForUser(user1.username_hash(), "client_1.pem", "client_1.pk8"));
+  ASSERT_TRUE(cert_1);
+  scoped_refptr<X509Certificate> cert_2(
+      ImportCertToSlot("client_2.pem", "client_2.pk8", system_slot.slot()));
+  ASSERT_TRUE(cert_2);
+
+  scoped_refptr<SSLCertRequestInfo> request_all(new SSLCertRequestInfo());
+
+  base::RunLoop run_loop;
+
+  CertificateList selected_certs;
+  store.GetClientCerts(*request_all, &selected_certs, run_loop.QuitClosure());
+
+  run_loop.Run();
+
+  // store should only return certs of the user, namely cert_1.
+  ASSERT_EQ(1u, selected_certs.size());
+  EXPECT_TRUE(cert_1->Equals(selected_certs[0]));
+}
+
 }  // namespace net