Chromium Code Reviews Chromium Code Reviews
Issue 5535006:
Add unittests for net::TestRootCerts and regenerate test certificates (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "base/file_path.h" | |
| 6 #include "build/build_config.h" | |
| 7 #include "net/base/cert_status_flags.h" | |
| 8 #include "net/base/cert_test_util.h" | |
| 9 #include "net/base/cert_verify_result.h" | |
| 10 #include "net/base/net_errors.h" | |
| 11 #include "net/base/test_root_certs.h" | |
| 12 #include "net/base/x509_certificate.h" | |
| 13 #include "testing/gtest/include/gtest/gtest.h" | |
| 14 | |
| 15 namespace net { | |
| 16 | |
| 17 namespace { | |
| 18 | |
| 19 // The local test root certificate. | |
| 20 const char kRootCertificateFile[] = "root_ca_cert.pem"; | |
| 21 // A certificate issued by the local test root for 127.0.0.1. | |
| 22 const char kGoodCertificateFile[] = "ok_cert.pem"; | |
| 23 | |
| 24 } // namespace | |
| 25 | |
| 26 // Test basic functionality when adding from an existing X509Certificate. | |
| 27 TEST(TestRootCertsTest, AddFromPointer) { | |
| 28 scoped_refptr<X509Certificate> root_cert = | |
| 29 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile); | |
| 30 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); | |
| 31 | |
| 32 TestRootCerts* test_roots = TestRootCerts::GetInstance(); | |
| 33 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); | |
| 34 EXPECT_TRUE(test_roots->IsEmpty()); | |
| 35 | |
| 36 EXPECT_TRUE(test_roots->Add(root_cert)); | |
| 37 EXPECT_FALSE(test_roots->IsEmpty()); | |
| 38 | |
| 39 test_roots->Clear(); | |
| 40 EXPECT_TRUE(test_roots->IsEmpty()); | |
| 41 } | |
| 42 | |
| 43 // Test basic functionality when adding directly from a file, which should | |
| 44 // behave the same as when adding from an existing certificate. | |
| 45 TEST(TestRootCertsTest, AddFromFile) { | |
| 46 TestRootCerts* test_roots = TestRootCerts::GetInstance(); | |
| 47 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); | |
| 48 EXPECT_TRUE(test_roots->IsEmpty()); | |
| 49 | |
| 50 FilePath cert_path = | |
| 51 GetTestCertsDirectory().AppendASCII(kRootCertificateFile); | |
| 52 EXPECT_TRUE(test_roots->AddFromFile(cert_path)); | |
| 53 EXPECT_FALSE(test_roots->IsEmpty()); | |
| 54 | |
| 55 test_roots->Clear(); | |
| 56 EXPECT_TRUE(test_roots->IsEmpty()); | |
| 57 } | |
| 58 | |
| 59 // Test that TestRootCerts actually adds the appropriate trust status flags | |
| 60 // when requested, and that the trusted status is cleared once the root is | |
| 61 // removed the TestRootCerts. This test acts as a canary/sanity check for | |
| 62 // the results of the rest of net_unittests, ensuring that the trust status | |
| 63 // is properly being set and cleared as appropriate. | |
| 64 TEST(TestRootCertsTest, OverridesTrust) { | |
|
wtc
2010/12/08 19:58:22
Nit: OverridesTrust => OverrideTrust
for consisten
| |
| 65 TestRootCerts* test_roots = TestRootCerts::GetInstance(); | |
| 66 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); | |
| 67 EXPECT_TRUE(test_roots->IsEmpty()); | |
| 68 | |
| 69 scoped_refptr<X509Certificate> test_cert = | |
| 70 ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile); | |
| 71 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert); | |
| 72 | |
| 73 // Test that the good certificate fails verification, because the root | |
| 74 // certificate should not yet be trusted. | |
| 75 int flags = 0; | |
| 76 CertVerifyResult bad_verify_result; | |
| 77 int bad_status = test_cert->Verify("127.0.0.1", flags, &bad_verify_result); | |
| 78 EXPECT_NE(OK, bad_status); | |
| 79 EXPECT_NE(0, bad_verify_result.cert_status & | |
| 80 CERT_STATUS_AUTHORITY_INVALID); | |
| 81 | |
| 82 // Add the root certificate and mark it as trusted. | |
| 83 EXPECT_TRUE(test_roots->AddFromFile( | |
| 84 GetTestCertsDirectory().AppendASCII(kRootCertificateFile))); | |
| 85 EXPECT_FALSE(test_roots->IsEmpty()); | |
| 86 | |
| 87 // Test that the certificate verification now succeeds, because the | |
| 88 // TestRootCerts is successfully imbuing trust. | |
| 89 CertVerifyResult good_verify_result; | |
| 90 int good_status = test_cert->Verify("127.0.0.1", flags, &good_verify_result); | |
| 91 EXPECT_EQ(OK, good_status); | |
| 92 EXPECT_EQ(0, good_verify_result.cert_status); | |
| 93 | |
| 94 test_roots->Clear(); | |
| 95 EXPECT_TRUE(test_roots->IsEmpty()); | |
| 96 | |
| 97 // Ensure that when the TestRootCerts is cleared, the trust settings | |
| 98 // revert to their original state, and don't linger. If trust status | |
| 99 // lingers, it will likely break other tests in net_unittests. | |
| 100 CertVerifyResult restored_verify_result; | |
| 101 int restored_status = test_cert->Verify("127.0.0.1", flags, | |
| 102 &restored_verify_result); | |
| 103 EXPECT_NE(OK, restored_status); | |
| 104 EXPECT_NE(0, restored_verify_result.cert_status & | |
| 105 CERT_STATUS_AUTHORITY_INVALID); | |
| 106 EXPECT_EQ(bad_status, restored_status); | |
| 107 EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status); | |
| 108 } | |
| 109 | |
| 110 // TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that | |
| 111 // TestRootCerts properly injects itself into the validation process. See | |
| 112 // http://crbug.com/63958 | |
| 113 | |
| 114 } // namespace net | |
| OLD | NEW |
