OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chromeos/network/network_cert_migrator.h" | 5 #include "chromeos/network/network_cert_migrator.h" |
6 | 6 |
7 #include <cert.h> | 7 #include <cert.h> |
8 | 8 |
9 #include "base/file_util.h" | 9 #include "base/file_util.h" |
10 #include "base/files/file_path.h" | 10 #include "base/files/file_path.h" |
11 #include "base/run_loop.h" | 11 #include "base/run_loop.h" |
| 12 #include "base/strings/string_number_conversions.h" |
12 #include "chromeos/cert_loader.h" | 13 #include "chromeos/cert_loader.h" |
13 #include "chromeos/dbus/dbus_thread_manager.h" | 14 #include "chromeos/dbus/dbus_thread_manager.h" |
| 15 #include "chromeos/dbus/shill_profile_client.h" |
14 #include "chromeos/dbus/shill_service_client.h" | 16 #include "chromeos/dbus/shill_service_client.h" |
15 #include "chromeos/network/network_state_handler.h" | 17 #include "chromeos/network/network_state_handler.h" |
16 #include "chromeos/tpm_token_loader.h" | 18 #include "chromeos/tpm_token_loader.h" |
17 #include "crypto/nss_util_internal.h" | 19 #include "crypto/nss_util_internal.h" |
18 #include "crypto/scoped_test_nss_chromeos_user.h" | 20 #include "crypto/scoped_test_nss_chromeos_user.h" |
19 #include "net/base/crypto_module.h" | 21 #include "net/base/crypto_module.h" |
20 #include "net/base/net_errors.h" | 22 #include "net/base/net_errors.h" |
21 #include "net/base/test_data_directory.h" | 23 #include "net/base/test_data_directory.h" |
22 #include "net/cert/nss_cert_database_chromeos.h" | 24 #include "net/cert/nss_cert_database_chromeos.h" |
23 #include "net/cert/x509_certificate.h" | 25 #include "net/cert/x509_certificate.h" |
24 #include "net/test/cert_test_util.h" | 26 #include "net/test/cert_test_util.h" |
25 #include "testing/gtest/include/gtest/gtest.h" | 27 #include "testing/gtest/include/gtest/gtest.h" |
26 #include "third_party/cros_system_api/dbus/service_constants.h" | 28 #include "third_party/cros_system_api/dbus/service_constants.h" |
27 | 29 |
28 namespace chromeos { | 30 namespace chromeos { |
29 | 31 |
30 namespace { | 32 namespace { |
31 | 33 |
32 const char* kWifiStub = "wifi_stub"; | 34 const char* kWifiStub = "wifi_stub"; |
| 35 const char* kEthernetEapStub = "ethernet_eap_stub"; |
33 const char* kVPNStub = "vpn_stub"; | 36 const char* kVPNStub = "vpn_stub"; |
34 const char* kNSSNickname = "nss_nickname"; | 37 const char* kNSSNickname = "nss_nickname"; |
35 const char* kFakePEM = "pem"; | 38 const char* kFakePEM = "pem"; |
| 39 const char* kProfile = "/profile/profile1"; |
36 | 40 |
37 } // namespace | 41 } // namespace |
38 | 42 |
39 class NetworkCertMigratorTest : public testing::Test { | 43 class NetworkCertMigratorTest : public testing::Test { |
40 public: | 44 public: |
41 NetworkCertMigratorTest() : service_test_(NULL), | 45 NetworkCertMigratorTest() : service_test_(NULL), |
42 user_("user_hash") { | 46 user_("user_hash") { |
43 } | 47 } |
44 virtual ~NetworkCertMigratorTest() {} | 48 virtual ~NetworkCertMigratorTest() {} |
45 | 49 |
46 virtual void SetUp() OVERRIDE { | 50 virtual void SetUp() OVERRIDE { |
47 // Initialize NSS db for the user. | 51 // Initialize NSS db for the user. |
48 ASSERT_TRUE(user_.constructed_successfully()); | 52 ASSERT_TRUE(user_.constructed_successfully()); |
49 user_.FinishInit(); | 53 user_.FinishInit(); |
50 test_nssdb_.reset(new net::NSSCertDatabaseChromeOS( | 54 test_nssdb_.reset(new net::NSSCertDatabaseChromeOS( |
51 crypto::GetPublicSlotForChromeOSUser(user_.username_hash()), | 55 crypto::GetPublicSlotForChromeOSUser(user_.username_hash()), |
52 crypto::GetPrivateSlotForChromeOSUser( | 56 crypto::GetPrivateSlotForChromeOSUser( |
53 user_.username_hash(), | 57 user_.username_hash(), |
54 base::Callback<void(crypto::ScopedPK11Slot)>()))); | 58 base::Callback<void(crypto::ScopedPK11Slot)>()))); |
55 test_nssdb_->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy()); | 59 test_nssdb_->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy()); |
56 | 60 |
57 DBusThreadManager::InitializeWithStub(); | 61 DBusThreadManager::InitializeWithStub(); |
58 service_test_ = | 62 service_test_ = |
59 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface(); | 63 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface(); |
| 64 DBusThreadManager::Get() |
| 65 ->GetShillProfileClient() |
| 66 ->GetTestInterface() |
| 67 ->AddProfile(kProfile, "" /* userhash */); |
60 base::RunLoop().RunUntilIdle(); | 68 base::RunLoop().RunUntilIdle(); |
61 service_test_->ClearServices(); | 69 service_test_->ClearServices(); |
62 base::RunLoop().RunUntilIdle(); | 70 base::RunLoop().RunUntilIdle(); |
63 | 71 |
64 CertLoader::Initialize(); | 72 CertLoader::Initialize(); |
65 CertLoader* cert_loader_ = CertLoader::Get(); | 73 CertLoader* cert_loader_ = CertLoader::Get(); |
66 cert_loader_->StartWithNSSDB(test_nssdb_.get()); | 74 cert_loader_->StartWithNSSDB(test_nssdb_.get()); |
67 } | 75 } |
68 | 76 |
69 virtual void TearDown() OVERRIDE { | 77 virtual void TearDown() OVERRIDE { |
(...skipping 21 matching lines...)
91 test_ca_cert_ = net::X509Certificate::CreateFromBytesWithNickname( | 99 test_ca_cert_ = net::X509Certificate::CreateFromBytesWithNickname( |
92 der_encoded.data(), der_encoded.size(), kNSSNickname); | 100 der_encoded.data(), der_encoded.size(), kNSSNickname); |
93 net::CertificateList cert_list; | 101 net::CertificateList cert_list; |
94 cert_list.push_back(test_ca_cert_); | 102 cert_list.push_back(test_ca_cert_); |
95 net::NSSCertDatabase::ImportCertFailureList failures; | 103 net::NSSCertDatabase::ImportCertFailureList failures; |
96 EXPECT_TRUE(test_nssdb_->ImportCACerts( | 104 EXPECT_TRUE(test_nssdb_->ImportCACerts( |
97 cert_list, net::NSSCertDatabase::TRUST_DEFAULT, &failures)); | 105 cert_list, net::NSSCertDatabase::TRUST_DEFAULT, &failures)); |
98 ASSERT_TRUE(failures.empty()) << net::ErrorToString(failures[0].net_error); | 106 ASSERT_TRUE(failures.empty()) << net::ErrorToString(failures[0].net_error); |
99 } | 107 } |
100 | 108 |
| 109 void SetupTestClientCert() { |
| 110 std::string pkcs12_data; |
| 111 ASSERT_TRUE(base::ReadFileToString( |
| 112 net::GetTestCertsDirectory().Append("websocket_client_cert.p12"), |
| 113 &pkcs12_data)); |
| 114 |
| 115 net::CertificateList client_cert_list; |
| 116 scoped_refptr<net::CryptoModule> module(net::CryptoModule::CreateFromHandle( |
| 117 test_nssdb_->GetPrivateSlot().get())); |
| 118 ASSERT_EQ( |
| 119 net::OK, |
| 120 test_nssdb_->ImportFromPKCS12( |
| 121 module, pkcs12_data, base::string16(), false, &client_cert_list)); |
| 122 ASSERT_TRUE(!client_cert_list.empty()); |
| 123 test_client_cert_ = client_cert_list[0]; |
| 124 |
| 125 int slot_id = -1; |
| 126 test_client_cert_pkcs11_id_ = CertLoader::GetPkcs11IdAndSlotForCert( |
| 127 *test_client_cert_, &slot_id); |
| 128 ASSERT_FALSE(test_client_cert_pkcs11_id_.empty()); |
| 129 ASSERT_NE(-1, slot_id); |
| 130 test_client_cert_slot_id_ = base::IntToString(slot_id); |
| 131 } |
| 132 |
101 void SetupNetworkHandlers() { | 133 void SetupNetworkHandlers() { |
102 network_state_handler_.reset(NetworkStateHandler::InitializeForTest()); | 134 network_state_handler_.reset(NetworkStateHandler::InitializeForTest()); |
103 network_cert_migrator_.reset(new NetworkCertMigrator); | 135 network_cert_migrator_.reset(new NetworkCertMigrator); |
104 network_cert_migrator_->Init(network_state_handler_.get()); | 136 network_cert_migrator_->Init(network_state_handler_.get()); |
105 } | 137 } |
106 | 138 |
107 void AddService(const std::string& network_id, | 139 void AddService(const std::string& network_id, |
108 const std::string& type, | 140 const std::string& type, |
109 const std::string& state) { | 141 const std::string& state) { |
110 service_test_->AddService(network_id /* service_path */, | 142 service_test_->AddService(network_id /* service_path */, |
111 network_id /* guid */, | 143 network_id /* guid */, |
112 network_id /* name */, | 144 network_id /* name */, |
113 type, | 145 type, |
114 state, | 146 state, |
115 true /* add_to_visible */); | 147 true /* add_to_visible */); |
| 148 |
| 149 // Ensure that the service appears as 'configured', i.e. is associated to a |
| 150 // Shill profile. |
| 151 service_test_->SetServiceProperty( |
| 152 network_id, shill::kProfileProperty, base::StringValue(kProfile)); |
116 } | 153 } |
117 | 154 |
118 void SetupWifiWithNss() { | 155 void SetupWifiWithNss() { |
119 AddService(kWifiStub, shill::kTypeWifi, shill::kStateOnline); | 156 AddService(kWifiStub, shill::kTypeWifi, shill::kStateOnline); |
120 service_test_->SetServiceProperty(kWifiStub, | 157 service_test_->SetServiceProperty(kWifiStub, |
121 shill::kEapCaCertNssProperty, | 158 shill::kEapCaCertNssProperty, |
122 base::StringValue(kNSSNickname)); | 159 base::StringValue(kNSSNickname)); |
123 } | 160 } |
124 | 161 |
| 162 void SetupNetworkWithEapCertId(bool wifi, const std::string& cert_id) { |
| 163 std::string type = wifi ? shill::kTypeWifi: shill::kTypeEthernetEap; |
| 164 std::string name = wifi ? kWifiStub : kEthernetEapStub; |
| 165 AddService(name, type, shill::kStateOnline); |
| 166 service_test_->SetServiceProperty( |
| 167 name, shill::kEapCertIdProperty, base::StringValue(cert_id)); |
| 168 service_test_->SetServiceProperty( |
| 169 name, shill::kEapKeyIdProperty, base::StringValue(cert_id)); |
| 170 |
| 171 if (wifi) { |
| 172 service_test_->SetServiceProperty( |
| 173 name, |
| 174 shill::kSecurityProperty, |
| 175 base::StringValue(shill::kSecurity8021x)); |
| 176 } |
| 177 } |
| 178 |
| 179 void GetEapCertId(bool wifi, std::string* cert_id) { |
| 180 cert_id->clear(); |
| 181 |
| 182 std::string name = wifi ? kWifiStub : kEthernetEapStub; |
| 183 const base::DictionaryValue* properties = |
| 184 service_test_->GetServiceProperties(name); |
| 185 properties->GetStringWithoutPathExpansion(shill::kEapCertIdProperty, |
| 186 cert_id); |
| 187 } |
| 188 |
| 189 void SetupVpnWithCertId(bool open_vpn, |
| 190 const std::string& slot_id, |
| 191 const std::string& pkcs11_id) { |
| 192 AddService(kVPNStub, shill::kTypeVPN, shill::kStateIdle); |
| 193 base::DictionaryValue provider; |
| 194 if (open_vpn) { |
| 195 provider.SetStringWithoutPathExpansion(shill::kTypeProperty, |
| 196 shill::kProviderOpenVpn); |
| 197 provider.SetStringWithoutPathExpansion( |
| 198 shill::kOpenVPNClientCertIdProperty, pkcs11_id); |
| 199 } else { |
| 200 provider.SetStringWithoutPathExpansion(shill::kTypeProperty, |
| 201 shill::kProviderL2tpIpsec); |
| 202 provider.SetStringWithoutPathExpansion( |
| 203 shill::kL2tpIpsecClientCertSlotProperty, slot_id); |
| 204 provider.SetStringWithoutPathExpansion( |
| 205 shill::kL2tpIpsecClientCertIdProperty, pkcs11_id); |
| 206 } |
| 207 service_test_->SetServiceProperty( |
| 208 kVPNStub, shill::kProviderProperty, provider); |
| 209 } |
| 210 |
| 211 void GetVpnCertId(bool open_vpn, |
| 212 std::string* slot_id, |
| 213 std::string* pkcs11_id) { |
| 214 slot_id->clear(); |
| 215 pkcs11_id->clear(); |
| 216 |
| 217 const base::DictionaryValue* properties = |
| 218 service_test_->GetServiceProperties(kVPNStub); |
| 219 ASSERT_TRUE(properties); |
| 220 const base::DictionaryValue* provider = NULL; |
| 221 properties->GetDictionaryWithoutPathExpansion(shill::kProviderProperty, |
| 222 &provider); |
| 223 if (!provider) |
| 224 return; |
| 225 if (open_vpn) { |
| 226 provider->GetStringWithoutPathExpansion( |
| 227 shill::kOpenVPNClientCertIdProperty, pkcs11_id); |
| 228 } else { |
| 229 provider->GetStringWithoutPathExpansion( |
| 230 shill::kL2tpIpsecClientCertSlotProperty, slot_id); |
| 231 provider->GetStringWithoutPathExpansion( |
| 232 shill::kL2tpIpsecClientCertIdProperty, pkcs11_id); |
| 233 } |
| 234 } |
| 235 |
125 void GetEapCACertProperties(std::string* nss_nickname, std::string* ca_pem) { | 236 void GetEapCACertProperties(std::string* nss_nickname, std::string* ca_pem) { |
126 nss_nickname->clear(); | 237 nss_nickname->clear(); |
127 ca_pem->clear(); | 238 ca_pem->clear(); |
128 const base::DictionaryValue* properties = | 239 const base::DictionaryValue* properties = |
129 service_test_->GetServiceProperties(kWifiStub); | 240 service_test_->GetServiceProperties(kWifiStub); |
130 properties->GetStringWithoutPathExpansion(shill::kEapCaCertNssProperty, | 241 properties->GetStringWithoutPathExpansion(shill::kEapCaCertNssProperty, |
131 nss_nickname); | 242 nss_nickname); |
132 const base::ListValue* ca_pems = NULL; | 243 const base::ListValue* ca_pems = NULL; |
133 properties->GetListWithoutPathExpansion(shill::kEapCaCertPemProperty, | 244 properties->GetListWithoutPathExpansion(shill::kEapCaCertPemProperty, |
134 &ca_pems); | 245 &ca_pems); |
(...skipping 29 matching lines...)
164 const base::ListValue* ca_pems = NULL; | 275 const base::ListValue* ca_pems = NULL; |
165 const char* pem_property = open_vpn ? shill::kOpenVPNCaCertPemProperty | 276 const char* pem_property = open_vpn ? shill::kOpenVPNCaCertPemProperty |
166 : shill::kL2tpIpsecCaCertPemProperty; | 277 : shill::kL2tpIpsecCaCertPemProperty; |
167 provider->GetListWithoutPathExpansion(pem_property, &ca_pems); | 278 provider->GetListWithoutPathExpansion(pem_property, &ca_pems); |
168 if (ca_pems && !ca_pems->empty()) | 279 if (ca_pems && !ca_pems->empty()) |
169 ca_pems->GetString(0, ca_pem); | 280 ca_pems->GetString(0, ca_pem); |
170 } | 281 } |
171 | 282 |
172 ShillServiceClient::TestInterface* service_test_; | 283 ShillServiceClient::TestInterface* service_test_; |
173 scoped_refptr<net::X509Certificate> test_ca_cert_; | 284 scoped_refptr<net::X509Certificate> test_ca_cert_; |
| 285 scoped_refptr<net::X509Certificate> test_client_cert_; |
| 286 std::string test_client_cert_pkcs11_id_; |
| 287 std::string test_client_cert_slot_id_; |
174 std::string test_ca_cert_pem_; | 288 std::string test_ca_cert_pem_; |
175 base::MessageLoop message_loop_; | 289 base::MessageLoop message_loop_; |
176 | 290 |
177 private: | 291 private: |
178 void CleanupTestCert() { | 292 void CleanupTestCert() { |
179 ASSERT_TRUE(test_nssdb_->DeleteCertAndKey(test_ca_cert_.get())); | 293 if (test_ca_cert_) |
| 294 ASSERT_TRUE(test_nssdb_->DeleteCertAndKey(test_ca_cert_.get())); |
| 295 |
| 296 if (test_client_cert_) |
| 297 ASSERT_TRUE(test_nssdb_->DeleteCertAndKey(test_client_cert_.get())); |
180 } | 298 } |
181 | 299 |
182 scoped_ptr<NetworkStateHandler> network_state_handler_; | 300 scoped_ptr<NetworkStateHandler> network_state_handler_; |
183 scoped_ptr<NetworkCertMigrator> network_cert_migrator_; | 301 scoped_ptr<NetworkCertMigrator> network_cert_migrator_; |
184 crypto::ScopedTestNSSChromeOSUser user_; | 302 crypto::ScopedTestNSSChromeOSUser user_; |
185 scoped_ptr<net::NSSCertDatabaseChromeOS> test_nssdb_; | 303 scoped_ptr<net::NSSCertDatabaseChromeOS> test_nssdb_; |
186 | 304 |
187 DISALLOW_COPY_AND_ASSIGN(NetworkCertMigratorTest); | 305 DISALLOW_COPY_AND_ASSIGN(NetworkCertMigratorTest); |
188 }; | 306 }; |
189 | 307 |
(...skipping 36 matching lines...)
226 SetupTestCACert(); | 344 SetupTestCACert(); |
227 SetupNetworkHandlers(); | 345 SetupNetworkHandlers(); |
228 base::RunLoop().RunUntilIdle(); | 346 base::RunLoop().RunUntilIdle(); |
229 | 347 |
230 std::string nss_nickname, ca_pem; | 348 std::string nss_nickname, ca_pem; |
231 GetEapCACertProperties(&nss_nickname, &ca_pem); | 349 GetEapCACertProperties(&nss_nickname, &ca_pem); |
232 EXPECT_TRUE(nss_nickname.empty()); | 350 EXPECT_TRUE(nss_nickname.empty()); |
233 EXPECT_EQ(kFakePEM, ca_pem); | 351 EXPECT_EQ(kFakePEM, ca_pem); |
234 } | 352 } |
235 | 353 |
236 TEST_F(NetworkCertMigratorTest, MigrateOpenVpn) { | 354 TEST_F(NetworkCertMigratorTest, MigrateNssOpenVpn) { |
237 // Add a new network for migration before the handlers are initialized. | 355 // Add a new network for migration before the handlers are initialized. |
238 SetupVpnWithNss(true /* OpenVPN */); | 356 SetupVpnWithNss(true /* OpenVPN */); |
239 | 357 |
240 SetupTestCACert(); | 358 SetupTestCACert(); |
241 SetupNetworkHandlers(); | 359 SetupNetworkHandlers(); |
242 | 360 |
243 base::RunLoop().RunUntilIdle(); | 361 base::RunLoop().RunUntilIdle(); |
244 std::string nss_nickname, ca_pem; | 362 std::string nss_nickname, ca_pem; |
245 GetVpnCACertProperties(true /* OpenVPN */, &nss_nickname, &ca_pem); | 363 GetVpnCACertProperties(true /* OpenVPN */, &nss_nickname, &ca_pem); |
246 EXPECT_TRUE(nss_nickname.empty()); | 364 EXPECT_TRUE(nss_nickname.empty()); |
247 EXPECT_EQ(test_ca_cert_pem_, ca_pem); | 365 EXPECT_EQ(test_ca_cert_pem_, ca_pem); |
248 } | 366 } |
249 | 367 |
250 TEST_F(NetworkCertMigratorTest, MigrateIpsecVpn) { | 368 TEST_F(NetworkCertMigratorTest, MigrateNssIpsecVpn) { |
251 // Add a new network for migration before the handlers are initialized. | 369 // Add a new network for migration before the handlers are initialized. |
252 SetupVpnWithNss(false /* not OpenVPN */); | 370 SetupVpnWithNss(false /* not OpenVPN */); |
253 | 371 |
254 SetupTestCACert(); | 372 SetupTestCACert(); |
255 SetupNetworkHandlers(); | 373 SetupNetworkHandlers(); |
256 | 374 |
257 base::RunLoop().RunUntilIdle(); | 375 base::RunLoop().RunUntilIdle(); |
258 std::string nss_nickname, ca_pem; | 376 std::string nss_nickname, ca_pem; |
259 GetVpnCACertProperties(false /* not OpenVPN */, &nss_nickname, &ca_pem); | 377 GetVpnCACertProperties(false /* not OpenVPN */, &nss_nickname, &ca_pem); |
260 EXPECT_TRUE(nss_nickname.empty()); | 378 EXPECT_TRUE(nss_nickname.empty()); |
261 EXPECT_EQ(test_ca_cert_pem_, ca_pem); | 379 EXPECT_EQ(test_ca_cert_pem_, ca_pem); |
262 } | 380 } |
263 | 381 |
| 382 TEST_F(NetworkCertMigratorTest, MigrateEapCertIdNoMatchingCert) { |
| 383 SetupTestClientCert(); |
| 384 SetupNetworkHandlers(); |
| 385 base::RunLoop().RunUntilIdle(); |
| 386 |
| 387 // Add a new network for migration after the handlers are initialized. |
| 388 SetupNetworkWithEapCertId(true /* wifi */, "unknown pkcs11 id"); |
| 389 |
| 390 base::RunLoop().RunUntilIdle(); |
| 391 // Since the PKCS11 ID is unknown, the certificate configuration will be |
| 392 // cleared. |
| 393 std::string cert_id; |
| 394 GetEapCertId(true /* wifi */, &cert_id); |
| 395 EXPECT_EQ(std::string(), cert_id); |
| 396 } |
| 397 |
| 398 TEST_F(NetworkCertMigratorTest, MigrateEapCertIdNoSlotId) { |
| 399 SetupTestClientCert(); |
| 400 SetupNetworkHandlers(); |
| 401 base::RunLoop().RunUntilIdle(); |
| 402 |
| 403 // Add a new network for migration after the handlers are initialized. |
| 404 SetupNetworkWithEapCertId(true /* wifi */, test_client_cert_pkcs11_id_); |
| 405 |
| 406 base::RunLoop().RunUntilIdle(); |
| 407 |
| 408 std::string cert_id; |
| 409 GetEapCertId(true /* wifi */, &cert_id); |
| 410 std::string expected_cert_id = |
| 411 test_client_cert_slot_id_ + ":" + test_client_cert_pkcs11_id_; |
| 412 EXPECT_EQ(expected_cert_id, cert_id); |
| 413 } |
| 414 |
| 415 TEST_F(NetworkCertMigratorTest, MigrateWifiEapCertIdWrongSlotId) { |
| 416 SetupTestClientCert(); |
| 417 SetupNetworkHandlers(); |
| 418 base::RunLoop().RunUntilIdle(); |
| 419 |
| 420 // Add a new network for migration after the handlers are initialized. |
| 421 SetupNetworkWithEapCertId(true /* wifi */, |
| 422 "123:" + test_client_cert_pkcs11_id_); |
| 423 |
| 424 base::RunLoop().RunUntilIdle(); |
| 425 |
| 426 std::string cert_id; |
| 427 GetEapCertId(true /* wifi */, &cert_id); |
| 428 std::string expected_cert_id = |
| 429 test_client_cert_slot_id_ + ":" + test_client_cert_pkcs11_id_; |
| 430 EXPECT_EQ(expected_cert_id, cert_id); |
| 431 } |
| 432 |
| 433 TEST_F(NetworkCertMigratorTest, DoNotChangeEapCertIdWithCorrectSlotId) { |
| 434 SetupTestClientCert(); |
| 435 SetupNetworkHandlers(); |
| 436 base::RunLoop().RunUntilIdle(); |
| 437 |
| 438 std::string expected_cert_id = |
| 439 test_client_cert_slot_id_ + ":" + test_client_cert_pkcs11_id_; |
| 440 |
| 441 // Add a new network for migration after the handlers are initialized. |
| 442 SetupNetworkWithEapCertId(true /* wifi */, expected_cert_id); |
| 443 |
| 444 base::RunLoop().RunUntilIdle(); |
| 445 |
| 446 std::string cert_id; |
| 447 GetEapCertId(true /* wifi */, &cert_id); |
| 448 EXPECT_EQ(expected_cert_id, cert_id); |
| 449 } |
| 450 |
| 451 TEST_F(NetworkCertMigratorTest, IgnoreOpenVPNCertId) { |
| 452 SetupTestClientCert(); |
| 453 SetupNetworkHandlers(); |
| 454 base::RunLoop().RunUntilIdle(); |
| 455 |
| 456 const char kPkcs11Id[] = "any slot id"; |
| 457 |
| 458 // Add a new network for migration after the handlers are initialized. |
| 459 SetupVpnWithCertId( |
| 460 true /* OpenVPN */, std::string() /* no slot id */, kPkcs11Id); |
| 461 |
| 462 base::RunLoop().RunUntilIdle(); |
| 463 |
| 464 std::string pkcs11_id; |
| 465 std::string unused_slot_id; |
| 466 GetVpnCertId(true /* OpenVPN */, &unused_slot_id, &pkcs11_id); |
| 467 EXPECT_EQ(kPkcs11Id, pkcs11_id); |
| 468 } |
| 469 |
| 470 TEST_F(NetworkCertMigratorTest, MigrateEthernetEapCertIdWrongSlotId) { |
| 471 SetupTestClientCert(); |
| 472 SetupNetworkHandlers(); |
| 473 base::RunLoop().RunUntilIdle(); |
| 474 |
| 475 // Add a new network for migration after the handlers are initialized. |
| 476 SetupNetworkWithEapCertId( |
| 477 false /* ethernet */, "123:" + test_client_cert_pkcs11_id_); |
| 478 |
| 479 base::RunLoop().RunUntilIdle(); |
| 480 |
| 481 std::string cert_id; |
| 482 GetEapCertId(false /* ethernet */, &cert_id); |
| 483 std::string expected_cert_id = |
| 484 test_client_cert_slot_id_ + ":" + test_client_cert_pkcs11_id_; |
| 485 EXPECT_EQ(expected_cert_id, cert_id); |
| 486 } |
| 487 |
| 488 TEST_F(NetworkCertMigratorTest, MigrateIpsecCertIdWrongSlotId) { |
| 489 SetupTestClientCert(); |
| 490 SetupNetworkHandlers(); |
| 491 base::RunLoop().RunUntilIdle(); |
| 492 |
| 493 // Add a new network for migration after the handlers are initialized. |
| 494 SetupVpnWithCertId(false /* IPsec */, "123", test_client_cert_pkcs11_id_); |
| 495 |
| 496 base::RunLoop().RunUntilIdle(); |
| 497 |
| 498 std::string pkcs11_id; |
| 499 std::string slot_id; |
| 500 GetVpnCertId(false /* IPsec */, &slot_id, &pkcs11_id); |
| 501 EXPECT_EQ(test_client_cert_pkcs11_id_, pkcs11_id); |
| 502 EXPECT_EQ(test_client_cert_slot_id_, slot_id); |
| 503 } |
| 504 |
264 } // namespace chromeos | 505 } // namespace chromeos |
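Review bot: The new EAP tests read back only `shill::kEapCertIdProperty`, although `SetupNetworkWithEapCertId` (new lines 162-177) also writes `shill::kEapKeyIdProperty`, so a migration that corrects or clears the certificate ID but leaves a stale key ID would still pass all of them. Presumably the migrator is meant to keep the two in step; if so, `GetEapCertId` (new lines 179-187) could return the key ID through a second out-parameter and the `MigrateEapCertId*` tests could add `EXPECT_EQ(expected_cert_id, key_id);`. The same helper dereferences `properties` without the `ASSERT_TRUE(properties);` guard that `GetVpnCertId` has, so a missing service would crash the test binary instead of failing the test. The "wrong slot" tests also hard-code `"123"`, and an `ASSERT_NE("123", test_client_cert_slot_id_);` after `SetupTestClientCert()` would rule out that value coinciding with the real slot.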