| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/nss_profile_filter_chromeos.h" | 5 #include "net/cert/nss_profile_filter_chromeos.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <pk11pub.h> | 8 #include <pk11pub.h> |
| 9 #include <secmod.h> | 9 #include <secmod.h> |
| 10 | 10 |
| 11 #include "crypto/nss_util_internal.h" | 11 #include "crypto/nss_util_internal.h" |
| 12 #include "crypto/scoped_nss_types.h" | 12 #include "crypto/scoped_nss_types.h" |
| 13 #include "crypto/scoped_test_nss_chromeos_user.h" | 13 #include "crypto/scoped_test_nss_chromeos_user.h" |
| 14 #include "crypto/scoped_test_nss_db.h" |
| 14 #include "net/base/test_data_directory.h" | 15 #include "net/base/test_data_directory.h" |
| 15 #include "net/test/cert_test_util.h" | 16 #include "net/test/cert_test_util.h" |
| 16 #include "testing/gtest/include/gtest/gtest.h" | 17 #include "testing/gtest/include/gtest/gtest.h" |
| 17 | 18 |
| 18 namespace net { | 19 namespace net { |
| 19 | 20 |
| 20 namespace { | 21 namespace { |
| 21 | 22 |
| 22 crypto::ScopedPK11Slot GetRootCertsSlot() { | 23 crypto::ScopedPK11Slot GetRootCertsSlot() { |
| 23 crypto::AutoSECMODListReadLock auto_lock; | 24 crypto::AutoSECMODListReadLock auto_lock; |
| (...skipping 27 matching lines...) Expand all Loading... |
| 51 return result; | 52 return result; |
| 52 } | 53 } |
| 53 | 54 |
| 54 } | 55 } |
| 55 | 56 |
| 56 class NSSProfileFilterChromeOSTest : public testing::Test { | 57 class NSSProfileFilterChromeOSTest : public testing::Test { |
| 57 public: | 58 public: |
| 58 NSSProfileFilterChromeOSTest() : user_1_("user1"), user_2_("user2") {} | 59 NSSProfileFilterChromeOSTest() : user_1_("user1"), user_2_("user2") {} |
| 59 | 60 |
| 60 virtual void SetUp() OVERRIDE { | 61 virtual void SetUp() OVERRIDE { |
| 61 // Initialize nss_util slots. | 62 ASSERT_TRUE(system_slot_user_.is_open()); |
| 62 ASSERT_TRUE(user_1_.constructed_successfully()); | 63 ASSERT_TRUE(user_1_.constructed_successfully()); |
| 63 ASSERT_TRUE(user_2_.constructed_successfully()); | 64 ASSERT_TRUE(user_2_.constructed_successfully()); |
| 64 user_1_.FinishInit(); | 65 user_1_.FinishInit(); |
| 65 user_2_.FinishInit(); | 66 user_2_.FinishInit(); |
| 66 | 67 |
| 67 // TODO(mattm): more accurately test public/private slot filtering somehow. | 68 // TODO(mattm): more accurately test public/private slot filtering somehow. |
| 68 // (The slots used to initialize a profile filter should be separate slots | 69 // (The slots used to initialize a profile filter should be separate slots |
| 69 // in separate modules, while ScopedTestNSSChromeOSUser uses the same slot | 70 // in separate modules, while ScopedTestNSSChromeOSUser uses the same slot |
| 70 // for both.) | 71 // for both.) |
| 71 crypto::ScopedPK11Slot private_slot_1(crypto::GetPrivateSlotForChromeOSUser( | 72 crypto::ScopedPK11Slot private_slot_1(crypto::GetPrivateSlotForChromeOSUser( |
| 72 user_1_.username_hash(), | 73 user_1_.username_hash(), |
| 73 base::Callback<void(crypto::ScopedPK11Slot)>())); | 74 base::Callback<void(crypto::ScopedPK11Slot)>())); |
| 74 ASSERT_TRUE(private_slot_1.get()); | 75 ASSERT_TRUE(private_slot_1.get()); |
| 75 profile_filter_1_.Init( | 76 profile_filter_1_.Init( |
| 76 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash()), | 77 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash()), |
| 77 private_slot_1.Pass()); | 78 private_slot_1.Pass(), |
| 79 get_system_slot()); |
| 78 | 80 |
| 79 profile_filter_1_copy_ = profile_filter_1_; | 81 profile_filter_1_copy_ = profile_filter_1_; |
| 80 | 82 |
| 81 crypto::ScopedPK11Slot private_slot_2(crypto::GetPrivateSlotForChromeOSUser( | 83 crypto::ScopedPK11Slot private_slot_2(crypto::GetPrivateSlotForChromeOSUser( |
| 82 user_2_.username_hash(), | 84 user_2_.username_hash(), |
| 83 base::Callback<void(crypto::ScopedPK11Slot)>())); | 85 base::Callback<void(crypto::ScopedPK11Slot)>())); |
| 84 ASSERT_TRUE(private_slot_2.get()); | 86 ASSERT_TRUE(private_slot_2.get()); |
| 85 profile_filter_2_.Init( | 87 profile_filter_2_.Init( |
| 86 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash()), | 88 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash()), |
| 87 private_slot_2.Pass()); | 89 private_slot_2.Pass(), |
| 90 crypto::ScopedPK11Slot() /* no system slot */); |
| 88 | 91 |
| 89 certs_ = CreateCertificateListFromFile(GetTestCertsDirectory(), | 92 certs_ = CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 90 "root_ca_cert.pem", | 93 "root_ca_cert.pem", |
| 91 X509Certificate::FORMAT_AUTO); | 94 X509Certificate::FORMAT_AUTO); |
| 92 ASSERT_EQ(1U, certs_.size()); | 95 ASSERT_EQ(1U, certs_.size()); |
| 93 } | 96 } |
| 94 | 97 |
| 98 crypto::ScopedPK11Slot get_system_slot() { |
| 99 return crypto::ScopedPK11Slot(PK11_ReferenceSlot(system_slot_user_.slot())); |
| 100 } |
| 101 |
| 95 protected: | 102 protected: |
| 96 CertificateList certs_; | 103 CertificateList certs_; |
| 104 crypto::ScopedTestNSSDB system_slot_user_; |
| 97 crypto::ScopedTestNSSChromeOSUser user_1_; | 105 crypto::ScopedTestNSSChromeOSUser user_1_; |
| 98 crypto::ScopedTestNSSChromeOSUser user_2_; | 106 crypto::ScopedTestNSSChromeOSUser user_2_; |
| 99 NSSProfileFilterChromeOS no_slots_profile_filter_; | 107 NSSProfileFilterChromeOS no_slots_profile_filter_; |
| 100 NSSProfileFilterChromeOS profile_filter_1_; | 108 NSSProfileFilterChromeOS profile_filter_1_; |
| 101 NSSProfileFilterChromeOS profile_filter_2_; | 109 NSSProfileFilterChromeOS profile_filter_2_; |
| 102 NSSProfileFilterChromeOS profile_filter_1_copy_; | 110 NSSProfileFilterChromeOS profile_filter_1_copy_; |
| 103 }; | 111 }; |
| 104 | 112 |
| 105 TEST_F(NSSProfileFilterChromeOSTest, TempCertNotAllowed) { | 113 TEST_F(NSSProfileFilterChromeOSTest, TempCertNotAllowed) { |
| 106 EXPECT_EQ(NULL, certs_[0]->os_cert_handle()->slot); | 114 EXPECT_EQ(NULL, certs_[0]->os_cert_handle()->slot); |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 141 ASSERT_FALSE(root_certs.empty()); | 149 ASSERT_FALSE(root_certs.empty()); |
| 142 EXPECT_TRUE( | 150 EXPECT_TRUE( |
| 143 no_slots_profile_filter_.IsCertAllowed(root_certs[0]->os_cert_handle())); | 151 no_slots_profile_filter_.IsCertAllowed(root_certs[0]->os_cert_handle())); |
| 144 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(root_certs[0]->os_cert_handle())); | 152 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(root_certs[0]->os_cert_handle())); |
| 145 EXPECT_TRUE( | 153 EXPECT_TRUE( |
| 146 profile_filter_1_copy_.IsCertAllowed(root_certs[0]->os_cert_handle())); | 154 profile_filter_1_copy_.IsCertAllowed(root_certs[0]->os_cert_handle())); |
| 147 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(root_certs[0]->os_cert_handle())); | 155 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(root_certs[0]->os_cert_handle())); |
| 148 } | 156 } |
| 149 | 157 |
| 150 TEST_F(NSSProfileFilterChromeOSTest, SoftwareSlots) { | 158 TEST_F(NSSProfileFilterChromeOSTest, SoftwareSlots) { |
| 159 crypto::ScopedPK11Slot system_slot(get_system_slot()); |
| 151 crypto::ScopedPK11Slot slot_1( | 160 crypto::ScopedPK11Slot slot_1( |
| 152 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash())); | 161 crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash())); |
| 153 ASSERT_TRUE(slot_1); | 162 ASSERT_TRUE(slot_1); |
| 154 crypto::ScopedPK11Slot slot_2( | 163 crypto::ScopedPK11Slot slot_2( |
| 155 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash())); | 164 crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash())); |
| 156 ASSERT_TRUE(slot_2); | 165 ASSERT_TRUE(slot_2); |
| 157 | 166 |
| 158 scoped_refptr<X509Certificate> cert_1 = certs_[0]; | 167 scoped_refptr<X509Certificate> cert_1 = certs_[0]; |
| 159 CertificateList certs_2 = CreateCertificateListFromFile( | 168 CertificateList certs_2 = CreateCertificateListFromFile( |
| 160 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); | 169 GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO); |
| 161 ASSERT_EQ(1U, certs_2.size()); | 170 ASSERT_EQ(1U, certs_2.size()); |
| 162 scoped_refptr<X509Certificate> cert_2 = certs_2[0]; | 171 scoped_refptr<X509Certificate> cert_2 = certs_2[0]; |
| 172 CertificateList system_certs = |
| 173 CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 174 "mit.davidben.der", |
| 175 X509Certificate::FORMAT_AUTO); |
| 176 ASSERT_EQ(1U, system_certs.size()); |
| 177 scoped_refptr<X509Certificate> system_cert = system_certs[0]; |
| 163 | 178 |
| 164 ASSERT_EQ(SECSuccess, | 179 ASSERT_EQ(SECSuccess, |
| 165 PK11_ImportCert(slot_1.get(), | 180 PK11_ImportCert(slot_1.get(), |
| 166 cert_1->os_cert_handle(), | 181 cert_1->os_cert_handle(), |
| 167 CK_INVALID_HANDLE, | 182 CK_INVALID_HANDLE, |
| 168 "cert1", | 183 "cert1", |
| 169 PR_FALSE /* includeTrust (unused) */)); | 184 PR_FALSE /* includeTrust (unused) */)); |
| 170 | 185 |
| 171 ASSERT_EQ(SECSuccess, | 186 ASSERT_EQ(SECSuccess, |
| 172 PK11_ImportCert(slot_2.get(), | 187 PK11_ImportCert(slot_2.get(), |
| 173 cert_2->os_cert_handle(), | 188 cert_2->os_cert_handle(), |
| 174 CK_INVALID_HANDLE, | 189 CK_INVALID_HANDLE, |
| 175 "cert2", | 190 "cert2", |
| 176 PR_FALSE /* includeTrust (unused) */)); | 191 PR_FALSE /* includeTrust (unused) */)); |
| 192 ASSERT_EQ(SECSuccess, |
| 193 PK11_ImportCert(system_slot.get(), |
| 194 system_cert->os_cert_handle(), |
| 195 CK_INVALID_HANDLE, |
| 196 "systemcert", |
| 197 PR_FALSE /* includeTrust (unused) */)); |
| 177 | 198 |
| 178 EXPECT_FALSE( | 199 EXPECT_FALSE( |
| 179 no_slots_profile_filter_.IsCertAllowed(cert_1->os_cert_handle())); | 200 no_slots_profile_filter_.IsCertAllowed(cert_1->os_cert_handle())); |
| 180 EXPECT_FALSE( | 201 EXPECT_FALSE( |
| 181 no_slots_profile_filter_.IsCertAllowed(cert_2->os_cert_handle())); | 202 no_slots_profile_filter_.IsCertAllowed(cert_2->os_cert_handle())); |
| 203 EXPECT_FALSE( |
| 204 no_slots_profile_filter_.IsCertAllowed(system_cert->os_cert_handle())); |
| 182 | 205 |
| 183 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(cert_1->os_cert_handle())); | 206 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(cert_1->os_cert_handle())); |
| 184 EXPECT_TRUE(profile_filter_1_copy_.IsCertAllowed(cert_1->os_cert_handle())); | 207 EXPECT_TRUE(profile_filter_1_copy_.IsCertAllowed(cert_1->os_cert_handle())); |
| 185 EXPECT_FALSE(profile_filter_1_.IsCertAllowed(cert_2->os_cert_handle())); | 208 EXPECT_FALSE(profile_filter_1_.IsCertAllowed(cert_2->os_cert_handle())); |
| 186 EXPECT_FALSE(profile_filter_1_copy_.IsCertAllowed(cert_2->os_cert_handle())); | 209 EXPECT_FALSE(profile_filter_1_copy_.IsCertAllowed(cert_2->os_cert_handle())); |
| 210 EXPECT_TRUE(profile_filter_1_.IsCertAllowed(system_cert->os_cert_handle())); |
| 211 EXPECT_TRUE( |
| 212 profile_filter_1_copy_.IsCertAllowed(system_cert->os_cert_handle())); |
| 187 | 213 |
| 188 EXPECT_FALSE(profile_filter_2_.IsCertAllowed(cert_1->os_cert_handle())); | 214 EXPECT_FALSE(profile_filter_2_.IsCertAllowed(cert_1->os_cert_handle())); |
| 189 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(cert_2->os_cert_handle())); | 215 EXPECT_TRUE(profile_filter_2_.IsCertAllowed(cert_2->os_cert_handle())); |
| 216 EXPECT_FALSE(profile_filter_2_.IsCertAllowed(system_cert->os_cert_handle())); |
| 190 } | 217 } |
| 191 | 218 |
| 192 } // namespace net | 219 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 424523002:
Enable system NSS key slot. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src