More platformKeys api tests for the new system token.

chrome/test/data/extensions/api_test/enterprise_platform_keys/basic.js

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Must be packed to ../enterprise_platform_keys.crx using the private key
 // ../enterprise_platform_keys.pem .
 
 'use strict';
 
+var systemTokenEnabled = (location.href.indexOf("systemTokenEnabled") != -1);
+
 var assertEq = chrome.test.assertEq;
 var assertTrue = chrome.test.assertTrue;
 var assertThrows = chrome.test.assertThrows;
 var fail = chrome.test.fail;
 var succeed = chrome.test.succeed;
 var callbackPass = chrome.test.callbackPass;
 var callbackFail= chrome.test.callbackFail;
 
 // openssl req -new -x509 -key privkey.pem \
 //   -outform der -out cert.der -days 36500
@@ skipping 218 matching lines @@
 function sortCerts(certs) {
   return certs.sort(compareArrays);
 }
 
 /**
  * Checks whether the certificates currently stored in |token| match
  * |expectedCerts| by comparing to the result of platformKeys.getCertificates.
  * The order of |expectedCerts| is ignored. Afterwards calls |callback|.
  */
 function assertCertsStored(token, expectedCerts, callback) {
+  if (!token) {
+    if (callback)
+      callback();
+    return;
+  }
   chrome.enterprise.platformKeys.getCertificates(
       token.id,
       callbackPass(function(actualCerts) {
         assertEq(expectedCerts.length,
                  actualCerts.length,
                  'Number of stored certs not as expected');
         if (expectedCerts.length == actualCerts.length) {
           actualCerts = actualCerts.map(
               function(buffer) { return new Uint8Array(buffer); });
           actualCerts = sortCerts(actualCerts);
@@ skipping 36 matching lines @@
   assertTrue(!!chrome.enterprise.platformKeys.getTokens,
              "No getTokens function.");
   assertTrue(!!chrome.enterprise.platformKeys.importCertificate,
              "No importCertificate function.");
   assertTrue(!!chrome.enterprise.platformKeys.removeCertificate,
              "No removeCertificate function.");
 
   getTokens(function(userToken, systemToken) {
     if (!userToken)
       fail('no user token');
-    if (userToken.id != 'user')
-      fail('user token is not named "user".');
+    assertEq('user', userToken.id);
 
-    if (!systemToken)
-      fail('no system token');
-    if (systemToken.id != 'system')
-      fail('system token is not named "system".');
+    if (systemTokenEnabled) {
+      if (!systemToken)
+        fail('no system token');
+      assertEq('system', systemToken.id);
+    } else {
+      assertEq(null,
+               systemToken,
+               'system token is disabled, but found the token nonetheless.');
+    }
 
     callback(userToken, systemToken);
   });
 }
 
 function checkAlgorithmIsCopiedOnRead(key) {
   var algorithm = key.algorithm;
   var originalAlgorithm = {
     name: algorithm.name,
     modulusLength: algorithm.modulusLength,
@@ skipping 103 matching lines @@
                   return window.crypto.subtle.verify(
                       algorithm, webCryptoPublicKey, cachedSignature, data);
                 }),
             function(error) { fail("Import failed: " + error); })
       .then(callbackPass(function(success) {
     assertEq(true, success, "Signature invalid.");
     callback(cachedKeyPair);
   }), function(error) { fail("Verification failed: " + error); });
 }
 
+function testInitiallyNoCerts(token) {
+  assertCertsStored(token, []);
+}
+
+function testHasSubtleCryptoMethods(token) {
+  assertTrue(!!token.subtleCrypto.generateKey,
+             "token has no generateKey method");
+  assertTrue(!!token.subtleCrypto.sign, "token has no sign method");
+  assertTrue(!!token.subtleCrypto.exportKey,
+             "token has no exportKey method");
+  succeed();
+}
+
+// Generates a key and signs some data with it. Verifies the signature using
+// WebCrypto. Verifies also that a second sign operation fails.
+function testGenerateKeyAndSign(token) {
+  var algorithm = {
+    name: "RSASSA-PKCS1-v1_5",
+    // RsaHashedKeyGenParams
+    modulusLength: 512,
+    // Equivalent to 65537
+    publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+    hash: {
+      name: "SHA-1",
+    }
+  };
+
+  // Some random data to sign.
+  var data = new Uint8Array([0, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 6]);
+  generateKeyAndVerify(token,
+                       algorithm,
+                       data,
+                       callbackPass(function(keyPair) {
+    // Try to sign data with the same key a second time, which
+    // must fail.
+    var signParams = {name: 'RSASSA-PKCS1-v1_5'};
+    token.subtleCrypto.sign(signParams, keyPair.privateKey, data).then(
+        function(signature) { fail("Second sign call was expected to fail."); },
+        callbackPass(function(error) {
+      assertTrue(error instanceof Error);
+      assertEq('The operation failed for an operation-specific reason',
+               error.message);
+    }));
+  }));
+}
+
+// Generates a key and signs some data with other parameters. Verifies the
+// signature using WebCrypto.
+function testGenerateKeyAndSignOtherParameters(token) {
+  var algorithm = {
+    name: "RSASSA-PKCS1-v1_5",
+    // RsaHashedKeyGenParams
+    modulusLength: 1024,
+    // Equivalent to 65537
+    publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+    hash: {
+      name: "SHA-512",
+    }
+  };
+
+  // Some random data to sign.
+  var data = new Uint8Array([5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 0, 0, 254]);
+  generateKeyAndVerify(token, algorithm, data, callbackPass());
+}
+
+// Call generate key with invalid algorithm parameter, missing
+// modulusLength.
+function testAlgorithmParameterMissingModulusLength(token) {
+  var algorithm = {
+    name: "RSASSA-PKCS1-v1_5",
+    // Equivalent to 65537
+    publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+    hash: {
+      name: "SHA-1",
+    }
+  };
+  token.subtleCrypto.generateKey(algorithm, false, ['sign'])
+      .then(function(keyPair) { fail('generateKey was expected to fail'); },
+            callbackPass(function(error) {
+    assertTrue(error instanceof Error);
+    assertEq('A required parameter was missing or out-of-range', error.message);
+  }));
+}
+
+// Call generate key with invalid algorithm parameter, missing hash.
+function testAlgorithmParameterMissingHash(token) {
+  var algorithm = {
+    name: 'RSASSA-PKCS1-v1_5',
+    modulusLength: 512,
+    // Equivalent to 65537
+    publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+  };
+  token.subtleCrypto.generateKey(algorithm, false, ['sign'])
+      .then(function(keyPair) { fail('generateKey was expected to fail'); },
+            callbackPass(function(error) {
+    assertEq(
+        new Error('Error: A required parameter was missing our out-of-range'),
+        error);
+  }));
+}
+
+// Call generate key with invalid algorithm parameter, unsupported public
+// exponent.
+function testAlgorithmParameterUnsupportedPublicExponent(token) {
+  var algorithm = {
+    name: 'RSASSA-PKCS1-v1_5',
+    modulusLength: 512,
+                   // Different from 65537.
+    publicExponent: new Uint8Array([0x01, 0x01]),
+  };
+  token.subtleCrypto.generateKey(algorithm, false, ['sign'])
+      .then(function(keyPair) { fail('generateKey was expected to fail'); },
+            callbackPass(function(error) {
+    assertTrue(error instanceof Error);
+    assertEq('A required parameter was missing or out-of-range', error.message);
+  }));
+}
+
+function testImportInvalidCert(token) {
+  var invalidCert = new ArrayBuffer(16);
+  chrome.enterprise.platformKeys.importCertificate(
+      token.id,
+      invalidCert,
+      callbackFail('Certificate is not a valid X.509 certificate.'));
+}
+
+function testRemoveUnknownCert(token) {
+  chrome.enterprise.platformKeys.removeCertificate(
+      token.id, cert2.buffer, callbackFail('Certificate could not be found.'));
+}
+
+function testRemoveInvalidCert(token) {
+  var invalidCert = new ArrayBuffer(16);
+  chrome.enterprise.platformKeys.removeCertificate(
+      token.id,
+      invalidCert,
+      callbackFail('Certificate is not a valid X.509 certificate.'));
+}
+
+function bindTestsToToken(tests, token) {
+  var result = [];
+  for (var i = 0; i < tests.length; i++) {
+    var boundFunction = tests[i].bind(undefined, token)
+    boundFunction.generatedName = tests[i].name;
+    result.push(boundFunction);
+  }
+  return result;

[Joao da Silva, 2014/07/30 15:29:49]

How about:

return tests.map(function(test) {
  var bound = test.bind(undefined, token);
  bound.generatedName = test.name;
  return bound;
});

[pneubeck (no reviews), 2014/08/02 19:09:12]

Done.

+}
+
 function runTests(userToken, systemToken) {
-  chrome.test.runTests([
-    function hasSubtleCryptoMethods() {
-      assertTrue(!!userToken.subtleCrypto.generateKey,
-                 "user token has no generateKey method");
-      assertTrue(!!userToken.subtleCrypto.sign,
-                 "user token has no sign method");
-      assertTrue(!!userToken.subtleCrypto.exportKey,
-                 "user token has no exportKey method");
-      succeed();
-    },
-
-    function initiallyNoCerts() {
-      assertCertsStored(userToken, []);
-      assertCertsStored(systemToken, []);
-    },
-
-    // Generates a key and signs some data with it. Verifies the signature using
-    // WebCrypto. Verifies also that a second sign operation fails.
-    function generateKeyAndSign() {
-      var algorithm = {
-        name: "RSASSA-PKCS1-v1_5",
-        // RsaHashedKeyGenParams
-        modulusLength: 512,
-        // Equivalent to 65537
-        publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-        hash: {
-          name: "SHA-1",
-        }
-      };
-
-      // Some random data to sign.
-      var data = new Uint8Array([0, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 6]);
-      generateKeyAndVerify(userToken,
-                           algorithm,
-                           data,
-                           callbackPass(function(keyPair) {
-        // Try to sign data with the same key a second time, which
-        // must fail.
-        var signParams = {name: 'RSASSA-PKCS1-v1_5'};
-        userToken.subtleCrypto.sign(signParams, keyPair.privateKey, data).then(
-            function(signature) {
-              fail("Second sign call was expected to fail.");
-            },
-            callbackPass(function(error) {
-          assertTrue(error instanceof Error);
-          assertEq('The operation failed for an operation-specific reason',
-                   error.message);
-        }));
-      }));
-    },
-
-    // Generates a key and signs some data with other parameters. Verifies the
-    // signature using WebCrypto.
-    function generateKeyAndSignOtherParameters() {
-      var algorithm = {
-        name: "RSASSA-PKCS1-v1_5",
-        // RsaHashedKeyGenParams
-        modulusLength: 1024,
-        // Equivalent to 65537
-        publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-        hash: {
-          name: "SHA-512",
-        }
-      };
-
-      // Some random data to sign.
-      var data = new Uint8Array([5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 0, 0, 254]);
-      generateKeyAndVerify(userToken, algorithm, data, callbackPass());
-    },
-
+  // These tests don't depend on keys being loaded on C++ side (which will be
+  // removed by tests below) and are run for each available token.
+  var testsIndependentOfKeysWithTokenParameter = [
+    testInitiallyNoCerts,
+    testHasSubtleCryptoMethods,
+    testRemoveUnknownCert,
+    testGenerateKeyAndSign,
+    testGenerateKeyAndSignOtherParameters,
+    testAlgorithmParameterMissingModulusLength,
+    testAlgorithmParameterMissingHash,
+    testAlgorithmParameterUnsupportedPublicExponent,
+    testImportInvalidCert,
+    testRemoveInvalidCert,
+  ];
+  var testsIndependentOfKeys =
+      bindTestsToToken(testsIndependentOfKeysWithTokenParameter, userToken);
+  if (systemToken) {
+    testsIndependentOfKeys.concat(bindTestsToToken(
+        testsIndependentOfKeysWithTokenParameter, systemToken));
+  }
+
+  // These tests are not parameterized and work with the keys loaded by the C++
+  // side and potentially remove these keys from the tokens.
+  var testsNotParameterized = [
     // Importing a cert should fail, if the private key is stored in another
     // token.
-    // This uses the cert that refers to the privateKeyPkcs8, which was imported
-    // on C++'s side.
+    // This uses the certs that refers to the privateKeyPkcs8User and
+    // privateKeyPkcs8System keys, which were imported on C++'s side.
     function importCertWithKeyInOtherToken() {
-      chrome.enterprise.platformKeys.importCertificate(
-          systemToken.id, cert1a.buffer, callbackFail('Key not found.'));
+      if (!systemToken) {
+        succeed();
+        return;
+      }
+
+      function importToSystemWithKeyInUserToken(callback) {
+        chrome.enterprise.platformKeys.importCertificate(
+            systemToken.id,
+            cert1a.buffer,
+            callbackFail('Key not found.', callback));
+      }
+      function importToUserWithKeyInSystemToken(callback) {
+        chrome.enterprise.platformKeys.importCertificate(
+            userToken.id,
+            certSystem.buffer,
+            callbackFail('Key not found.', callback));
+      }
+
+      importToSystemWithKeyInUserToken(
+          importToUserWithKeyInSystemToken.bind(null, null));
     },
 
-    // Imports and removes certificates for privateKeyPkcs8User, which was
+    // Imports and removes certificates for privateKeyPkcs8User and
+    // privateKeyPkcs8System (if the system token is enabled), which were
     // imported on C++'s side.
-    // Note: After this test, privateKeyPkcs8User is not stored anymore!
-    function importAndRemoveCertsToUserToken() {
-      runAsyncSequence([
-        chrome.enterprise.platformKeys.importCertificate.bind(
-            null, userToken.id, cert1a.buffer),
-        assertCertsStored.bind(null, userToken, [cert1a]),
-        // Importing the same cert again shouldn't change anything.
-        chrome.enterprise.platformKeys.importCertificate.bind(
-            null, userToken.id, cert1a.buffer),
-        assertCertsStored.bind(null, userToken, [cert1a]),
-        // Importing another certificate should succeed.
-        chrome.enterprise.platformKeys.importCertificate.bind(
-            null, userToken.id, cert1b.buffer),
-        assertCertsStored.bind(null, userToken, [cert1a, cert1b]),
-        // Shouldn't affect the system token.
-        assertCertsStored.bind(null, systemToken, []),
-        chrome.enterprise.platformKeys.removeCertificate.bind(
-            null, userToken.id, cert1a.buffer),
-        assertCertsStored.bind(null, userToken, [cert1b]),
-        chrome.enterprise.platformKeys.removeCertificate.bind(
-            null, userToken.id, cert1b.buffer),
-        assertCertsStored.bind(null, userToken, [])
-      ]);
+    // Note: After this test, privateKeyPkcs8User and privateKeyPkcs8System are
+    // not stored anymore!
+    function importAndRemoveCerts() {
+      if (systemToken) {
+        runAsyncSequence([
+          chrome.enterprise.platformKeys.importCertificate.bind(
+              null, userToken.id, cert1a.buffer),
+          assertCertsStored.bind(null, userToken, [cert1a]),
+
+          // Importing the same cert again shouldn't change anything.
+          chrome.enterprise.platformKeys.importCertificate.bind(
+              null, userToken.id, cert1a.buffer),
+          assertCertsStored.bind(null, userToken, [cert1a]),
+
+          // The system token should still be empty.
+          assertCertsStored.bind(null, systemToken, []),
+
+          // Importing to the system token should not affect the user token.
+          chrome.enterprise.platformKeys.importCertificate.bind(
+              null, systemToken.id, certSystem.buffer),
+          assertCertsStored.bind(null, systemToken, [certSystem]),
+          assertCertsStored.bind(null, userToken, [cert1a]),
+
+          // Importing the same cert again to the system token shouldn't change
+          // anything.
+          chrome.enterprise.platformKeys.importCertificate.bind(
+              null, systemToken.id, certSystem.buffer),
+          assertCertsStored.bind(null, systemToken, [certSystem]),
+
+          // Importing another certificate should succeed.
+          chrome.enterprise.platformKeys.importCertificate.bind(
+              null, userToken.id, cert1b.buffer),
+          assertCertsStored.bind(null, userToken, [cert1a, cert1b]),
+
+          // Remove cert1a.
+          chrome.enterprise.platformKeys.removeCertificate.bind(
+              null, userToken.id, cert1a.buffer),
+          assertCertsStored.bind(null, userToken, [cert1b]),
+
+          // Remove certSystem.
+          chrome.enterprise.platformKeys.removeCertificate.bind(
+              null, systemToken.id, certSystem.buffer),
+          assertCertsStored.bind(null, systemToken, []),
+          assertCertsStored.bind(null, userToken, [cert1b]),
+
+          // Remove cert1b.
+          chrome.enterprise.platformKeys.removeCertificate.bind(
+              null, userToken.id, cert1b.buffer),
+          assertCertsStored.bind(null, userToken, [])
+        ]);
+      } else {
+        runAsyncSequence([
+          chrome.enterprise.platformKeys.importCertificate.bind(
+              null, userToken.id, cert1a.buffer),
+          assertCertsStored.bind(null, userToken, [cert1a]),
+          // Importing the same cert again shouldn't change anything.
+          chrome.enterprise.platformKeys.importCertificate.bind(
+              null, userToken.id, cert1a.buffer),
+          assertCertsStored.bind(null, userToken, [cert1a]),
+          // Importing another certificate should succeed.
+          chrome.enterprise.platformKeys.importCertificate.bind(
+              null, userToken.id, cert1b.buffer),
+          assertCertsStored.bind(null, userToken, [cert1a, cert1b]),
+          chrome.enterprise.platformKeys.removeCertificate.bind(
+              null, userToken.id, cert1a.buffer),
+          assertCertsStored.bind(null, userToken, [cert1b]),
+          chrome.enterprise.platformKeys.removeCertificate.bind(
+              null, userToken.id, cert1b.buffer),
+          assertCertsStored.bind(null, userToken, [])
+        ]);
+      }
     },
 
-    // Imports and removes certificates for privateKeyPkcs8System, which was
-    // imported on C++'s side.
-    // Note: After this test, privateKeyPkcs8System is not stored anymore!
-    function importAndRemoveCertsToSystemToken() {
-      runAsyncSequence([
-        chrome.enterprise.platformKeys.importCertificate.bind(
-            null, systemToken.id, certSystem.buffer),
-        assertCertsStored.bind(null, systemToken, [certSystem]),
-        // Importing the same cert again shouldn't change anything.
-        chrome.enterprise.platformKeys.importCertificate.bind(
-            null, systemToken.id, certSystem.buffer),
-        assertCertsStored.bind(null, systemToken, [certSystem]),
-        // Shouldn't affect the user token.
-        assertCertsStored.bind(null, userToken, []),
-        chrome.enterprise.platformKeys.removeCertificate.bind(
-            null, systemToken.id, certSystem.buffer),
-        assertCertsStored.bind(null, systemToken, []),
-      ]);
+    function getCertsInvalidToken() {
+      chrome.enterprise.platformKeys.getCertificates(
+          'invalid token id', callbackFail('The token is not valid.'));
     },
 
-    // Call generate key with invalid algorithm parameter, missing
-    // modulusLength.
-    function algorithmParameterMissingModulusLength() {
-      var algorithm = {
-        name: "RSASSA-PKCS1-v1_5",
-        // Equivalent to 65537
-        publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-        hash: {
-          name: "SHA-1",
-        }
-      };
-      userToken.subtleCrypto.generateKey(algorithm, false, ['sign']).then(
-          function(keyPair) { fail('generateKey was expected to fail'); },
-          callbackPass(function(error) {
-      assertTrue(error instanceof Error);
-      assertEq('A required parameter was missing or out-of-range',
-               error.message);
-      }));
-    },
-
-    // Call generate key with invalid algorithm parameter, missing hash.
-    function algorithmParameterMissingHash() {
-      var algorithm = {
-        name: 'RSASSA-PKCS1-v1_5',
-        modulusLength: 512,
-        // Equivalent to 65537
-        publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-      };
-      userToken.subtleCrypto.generateKey(algorithm, false, ['sign']).then(
-          function(keyPair) { fail('generateKey was expected to fail'); },
-          callbackPass(function(error) {
-      assertEq(
-          new Error('Error: A required parameter was missing our out-of-range'),
-          error);
-      }));
-    },
-
-    // Call generate key with invalid algorithm parameter, unsupported public
-    // exponent.
-    function algorithmParameterUnsupportedPublicExponent() {
-      var algorithm = {
-        name: 'RSASSA-PKCS1-v1_5',
-        modulusLength: 512,
-        // Different from 65537.
-        publicExponent: new Uint8Array([0x01, 0x01]),
-      };
-      userToken.subtleCrypto.generateKey(algorithm, false, ['sign']).then(
-          function(keyPair) { fail('generateKey was expected to fail'); },
-          callbackPass(function(error) {
-      assertTrue(error instanceof Error);
-      assertEq('A required parameter was missing or out-of-range',
-               error.message);
-      }));
-    },
-
     // Imports a certificate for which no private key was imported/generated
     // before.
     function missingPrivateKey() {
       chrome.enterprise.platformKeys.importCertificate(
           userToken.id, cert2.buffer, callbackFail('Key not found.'));

[Joao da Silva, 2014/07/30 15:29:49]

Can this be tested with the systemToken too?

[pneubeck (no reviews), 2014/08/02 19:09:12]

Done.

-    },
+    }
+  ];
 
-    function importInvalidCert() {
-      var invalidCert = new ArrayBuffer(16);
-      chrome.enterprise.platformKeys.importCertificate(
-          userToken.id,
-          invalidCert,
-          callbackFail('Certificate is not a valid X.509 certificate.'));
-    },
-
-    function removeUnknownCert() {
-      chrome.enterprise.platformKeys.removeCertificate(
-          userToken.id,
-          cert2.buffer,
-          callbackFail('Certificate could not be found.'));
-    },
-
-    function removeInvalidCert() {
-      var invalidCert = new ArrayBuffer(16);
-      chrome.enterprise.platformKeys.removeCertificate(
-          userToken.id,
-          invalidCert,
-          callbackFail('Certificate is not a valid X.509 certificate.'));
-    },
-
-    function getCertsInvalidToken() {
-      chrome.enterprise.platformKeys.getCertificates(
-          'invalid token id', callbackFail('The token is not valid.'));
-    }
-  ]);
+  chrome.test.runTests(testsIndependentOfKeys.concat(testsNotParameterized));
 }
 
 beforeTests(runTests);