net/ssl/client_cert_store_chromeos_unittest.cc - Issue 424523002: Enable system NSS key slot.

Unified Diff: net/ssl/client_cert_store_chromeos_unittest.cc

Issue 424523002: Enable system NSS key slot. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 6 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Index: net/ssl/client_cert_store_chromeos_unittest.cc

diff --git a/net/ssl/client_cert_store_chromeos_unittest.cc b/net/ssl/client_cert_store_chromeos_unittest.cc

index 3bd6d60718a736538aaad98d5c22aefbce13d00c..4c5bd709d3fc20e98e67757a32c463d8715e98b6 100644

--- a/net/ssl/client_cert_store_chromeos_unittest.cc

+++ b/net/ssl/client_cert_store_chromeos_unittest.cc

@@ -14,6 +14,7 @@

#include "crypto/nss_util_internal.h"

#include "crypto/rsa_private_key.h"

#include "crypto/scoped_test_nss_chromeos_user.h"

+#include "crypto/scoped_test_system_nss_key_slot.h"

#include "net/base/test_data_directory.h"

#include "net/cert/cert_type.h"

#include "net/cert/x509_certificate.h"

@@ -46,11 +47,14 @@ bool ImportClientCertToSlot(const scoped_refptr<X509Certificate>& cert,

// Define a delegate to be used for instantiating the parameterized test set

// ClientCertStoreTest.

+template <bool read_from_user_slot, bool enable_user_slot>

Ryan Sleevi 2014/07/29 00:23:16 You can use enums here to make these types more de

pneubeck (no reviews) 2014/07/29 16:00:15 Yeah, you're right. Should be much more readable n

class ClientCertStoreChromeOSTestDelegate {

public:

ClientCertStoreChromeOSTestDelegate()

: user_("scopeduser"),

- store_(user_.username_hash(),

+ system_db_(true /* skip TPM initialization */),

+ store_(enable_user_slot,

+ user_.username_hash(),

ClientCertStoreChromeOS::PasswordDelegateFactory()) {

// Defer futher initialization and checks to SelectClientCerts, because the

// constructor doesn't allow us to return an initialization result. Could be

@@ -72,10 +76,13 @@ class ClientCertStoreChromeOSTestDelegate {

}

user_.FinishInit();

- crypto::ScopedPK11Slot slot(

- crypto::GetPublicSlotForChromeOSUser(user_.username_hash()));

+ crypto::ScopedPK11Slot slot;

+ if (read_from_user_slot)

+ slot = crypto::GetPublicSlotForChromeOSUser(user_.username_hash());

+ else

+ slot.reset(PK11_ReferenceSlot(system_db_.slot()));

if (!slot) {

- LOG(ERROR) << "Could not get the user's public slot";

+ LOG(ERROR) << "Could not get the NSS key slot";

return false;

}

@@ -104,6 +111,7 @@ class ClientCertStoreChromeOSTestDelegate {

private:

crypto::ScopedTestNSSChromeOSUser user_;

+ crypto::ScopedTestSystemNSSKeySlot system_db_;

ClientCertStoreChromeOS store_;

};

@@ -112,26 +120,43 @@ class ClientCertStoreChromeOSTestDelegate {

// To verify that this delegation is functional, run the same filtering tests as

// for the other implementations. These tests are defined in

// client_cert_store_unittest-inl.h and are instantiated for each platform.

-INSTANTIATE_TYPED_TEST_CASE_P(ChromeOS,

+// In this case, all requested certs are read from the user's slot and the

+// system slot is not enabled in the store.

+typedef ClientCertStoreChromeOSTestDelegate<true /* read from user slot */,

+ false /* disable system slot */>

+ DelegateReadUserDisableSystem;

+INSTANTIATE_TYPED_TEST_CASE_P(ChromeOS_ReadUserDisableSystem,

+ ClientCertStoreTest,

+ DelegateReadUserDisableSystem);

+// In this case, all requested certs are read from the user's slot and the

+// system slot is enabled in the store.

+typedef ClientCertStoreChromeOSTestDelegate<true /* read from user slot */,

+ true /* enable system slot */>

+ DelegateReadUserEnableSystem;

+INSTANTIATE_TYPED_TEST_CASE_P(ChromeOS_ReadUserEnableSystem,

+ ClientCertStoreTest,

+ DelegateReadUserEnableSystem);

+// In this case, all requested certs are read from the system slot, therefore

+// the system slot is enabled in the store.

+typedef ClientCertStoreChromeOSTestDelegate<false /* read from system slot */,

+ true /* enable system slot */>

+ DelegateReadSystem;

+INSTANTIATE_TYPED_TEST_CASE_P(ChromeOS_ReadSystem,

ClientCertStoreTest,

- ClientCertStoreChromeOSTestDelegate);

+ DelegateReadSystem);

class ClientCertStoreChromeOSTest : public ::testing::Test {

public:

- scoped_refptr<X509Certificate> ImportCertForUser(

- const std::string& username_hash,

+ scoped_refptr<X509Certificate> ImportCertToSlot(

const std::string& cert_filename,

- const std::string& key_filename) {

- crypto::ScopedPK11Slot slot(

- crypto::GetPublicSlotForChromeOSUser(username_hash));

- if (!slot) {

- LOG(ERROR) << "No slot for user " << username_hash;

- return NULL;

- }

+ const std::string& key_filename,

+ PK11SlotInfo* slot) {

if (!ImportSensitiveKeyFromFile(

- GetTestCertsDirectory(), key_filename, slot.get())) {

- LOG(ERROR) << "Could not import private key for user " << username_hash;

+ GetTestCertsDirectory(), key_filename, slot)) {

+ LOG(ERROR) << "Could not import private key from file " << key_filename;

return NULL;

}

@@ -143,7 +168,7 @@ class ClientCertStoreChromeOSTest : public ::testing::Test {

return NULL;

}

- if (!ImportClientCertToSlot(cert, slot.get()))

+ if (!ImportClientCertToSlot(cert, slot))

return NULL;

// |cert| continues to point to the original X509Certificate before the

@@ -151,6 +176,21 @@ class ClientCertStoreChromeOSTest : public ::testing::Test {

// test.

return cert;

}

+ scoped_refptr<X509Certificate> ImportCertForUser(

+ const std::string& username_hash,

+ const std::string& cert_filename,

+ const std::string& key_filename) {

+ crypto::ScopedPK11Slot slot(

+ crypto::GetPublicSlotForChromeOSUser(username_hash));

+ if (!slot) {

+ LOG(ERROR) << "No slot for user " << username_hash;

+ return NULL;

+ }

+ return ImportCertToSlot(cert_filename, key_filename, slot.get());

+ }

};

// Ensure that cert requests, that are started before the user's NSS DB is

@@ -158,8 +198,14 @@ class ClientCertStoreChromeOSTest : public ::testing::Test {

TEST_F(ClientCertStoreChromeOSTest, RequestWaitsForNSSInitAndSucceeds) {

crypto::ScopedTestNSSChromeOSUser user("scopeduser");

ASSERT_TRUE(user.constructed_successfully());

+ crypto::ScopedTestSystemNSSKeySlot system_slot(

+ true /* skip TPM initialization */);

ClientCertStoreChromeOS store(

- user.username_hash(), ClientCertStoreChromeOS::PasswordDelegateFactory());

+ true /* use system slot */,

+ user.username_hash(),

+ ClientCertStoreChromeOS::PasswordDelegateFactory());

scoped_refptr<X509Certificate> cert_1(

ImportCertForUser(user.username_hash(), "client_1.pem", "client_1.pk8"));

ASSERT_TRUE(cert_1);

@@ -194,8 +240,13 @@ TEST_F(ClientCertStoreChromeOSTest, RequestsAfterNSSInitSucceed) {

ASSERT_TRUE(user.constructed_successfully());

user.FinishInit();

+ crypto::ScopedTestSystemNSSKeySlot system_slot(

+ true /* skip TPM initialization */);

ClientCertStoreChromeOS store(

- user.username_hash(), ClientCertStoreChromeOS::PasswordDelegateFactory());

+ true /* use system slot */,

+ user.username_hash(),

+ ClientCertStoreChromeOS::PasswordDelegateFactory());

scoped_refptr<X509Certificate> cert_1(

ImportCertForUser(user.username_hash(), "client_1.pem", "client_1.pk8"));

ASSERT_TRUE(cert_1);

@@ -213,7 +264,7 @@ TEST_F(ClientCertStoreChromeOSTest, RequestsAfterNSSInitSucceed) {

// This verifies that a request in the context of User1 doesn't see certificates

// of User2, and the other way round. We check both directions, to ensure that

// the behavior doesn't depend on initialization order of the DBs, for example.

-TEST_F(ClientCertStoreChromeOSTest, RequestDoesCrossReadSecondDB) {

+TEST_F(ClientCertStoreChromeOSTest, RequestDoesCrossReadOtherUserDB) {

crypto::ScopedTestNSSChromeOSUser user1("scopeduser1");

ASSERT_TRUE(user1.constructed_successfully());

crypto::ScopedTestNSSChromeOSUser user2("scopeduser2");

@@ -222,10 +273,15 @@ TEST_F(ClientCertStoreChromeOSTest, RequestDoesCrossReadSecondDB) {

user1.FinishInit();

user2.FinishInit();

+ crypto::ScopedTestSystemNSSKeySlot system_slot(

+ true /* skip TPM initialization */);

ClientCertStoreChromeOS store1(

+ true /* use system slot */,

user1.username_hash(),

ClientCertStoreChromeOS::PasswordDelegateFactory());

ClientCertStoreChromeOS store2(

+ true /* use system slot */,

user2.username_hash(),

ClientCertStoreChromeOS::PasswordDelegateFactory());

@@ -259,4 +315,41 @@ TEST_F(ClientCertStoreChromeOSTest, RequestDoesCrossReadSecondDB) {

EXPECT_TRUE(cert_2->Equals(selected_certs2[0]));

}

+// This verifies that a request in the context of User1 doesn't see certificates

+// of the system store if the system store is disabled.

+TEST_F(ClientCertStoreChromeOSTest, RequestDoesCrossReadSystemDB) {

+ crypto::ScopedTestNSSChromeOSUser user1("scopeduser1");

+ ASSERT_TRUE(user1.constructed_successfully());

+ user1.FinishInit();

+ crypto::ScopedTestSystemNSSKeySlot system_slot(

+ true /* skip TPM initialization */);

+ ClientCertStoreChromeOS store(

+ false /* do not use system slot */,

+ user1.username_hash(),

+ ClientCertStoreChromeOS::PasswordDelegateFactory());

+ scoped_refptr<X509Certificate> cert_1(

+ ImportCertForUser(user1.username_hash(), "client_1.pem", "client_1.pk8"));

+ ASSERT_TRUE(cert_1);

+ scoped_refptr<X509Certificate> cert_2(

+ ImportCertToSlot("client_2.pem", "client_2.pk8", system_slot.slot()));

+ ASSERT_TRUE(cert_2);

+ scoped_refptr<SSLCertRequestInfo> request_all(new SSLCertRequestInfo());

+ base::RunLoop run_loop;

+ CertificateList selected_certs;

+ store.GetClientCerts(*request_all, &selected_certs, run_loop.QuitClosure());

+ run_loop.Run();

+ // store should only return certs of the user, namely cert_1.

+ ASSERT_EQ(1u, selected_certs.size());

+ EXPECT_TRUE(cert_1->Equals(selected_certs[0]));

} // namespace net

« net/ssl/client_cert_store_chromeos.cc ('K') | « net/ssl/client_cert_store_chromeos.cc ('k') | no next file » | no next file with comments »