Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(65)

Unified Diff: net/cert/test_root_certs_unittest.cc

Issue 5535006: Add unittests for net::TestRootCerts and regenerate test certificates (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fix another hardcoded string Created 7 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/cert/test_root_certs_android.cc ('k') | net/data/ssl/certificates/README » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/test_root_certs_unittest.cc
diff --git a/net/cert/test_root_certs_unittest.cc b/net/cert/test_root_certs_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..67b547776572f65857603d8dc617489858bd85d5
--- /dev/null
+++ b/net/cert/test_root_certs_unittest.cc
@@ -0,0 +1,142 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/files/file_path.h"
+#include "build/build_config.h"
+#include "net/base/net_errors.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/cert_status_flags.h"
+#include "net/cert/cert_verify_proc.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/test_root_certs.h"
+#include "net/cert/x509_certificate.h"
+#include "net/test/cert_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+#if defined(USE_NSS) || defined(OS_IOS)
+#include <nss.h>
+#endif
+
+namespace net {
+
+namespace {
+
+// The local test root certificate.
+const char kRootCertificateFile[] = "root_ca_cert.pem";
+// A certificate issued by the local test root for 127.0.0.1.
+const char kGoodCertificateFile[] = "ok_cert.pem";
+
+} // namespace
+
+// Test basic functionality when adding from an existing X509Certificate.
+TEST(TestRootCertsTest, AddFromPointer) {
+ scoped_refptr<X509Certificate> root_cert =
+ ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
+
+ TestRootCerts* test_roots = TestRootCerts::GetInstance();
+ ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
+ EXPECT_TRUE(test_roots->IsEmpty());
+
+ EXPECT_TRUE(test_roots->Add(root_cert));
+ EXPECT_FALSE(test_roots->IsEmpty());
+
+ test_roots->Clear();
+ EXPECT_TRUE(test_roots->IsEmpty());
+}
+
+// Test basic functionality when adding directly from a file, which should
+// behave the same as when adding from an existing certificate.
+TEST(TestRootCertsTest, AddFromFile) {
+ TestRootCerts* test_roots = TestRootCerts::GetInstance();
+ ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
+ EXPECT_TRUE(test_roots->IsEmpty());
+
+ base::FilePath cert_path =
+ GetTestCertsDirectory().AppendASCII(kRootCertificateFile);
+ EXPECT_TRUE(test_roots->AddFromFile(cert_path));
+ EXPECT_FALSE(test_roots->IsEmpty());
+
+ test_roots->Clear();
+ EXPECT_TRUE(test_roots->IsEmpty());
+}
+
+// Test that TestRootCerts actually adds the appropriate trust status flags
+// when requested, and that the trusted status is cleared once the root is
+// removed the TestRootCerts. This test acts as a canary/sanity check for
+// the results of the rest of net_unittests, ensuring that the trust status
+// is properly being set and cleared.
+TEST(TestRootCertsTest, OverrideTrust) {
+#if defined(USE_NSS) || defined(OS_IOS)
+ if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
+ // See http://bugzil.la/863947 for details
+ LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
+ return;
+ }
+#endif
+
+ TestRootCerts* test_roots = TestRootCerts::GetInstance();
+ ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
+ EXPECT_TRUE(test_roots->IsEmpty());
+
+ scoped_refptr<X509Certificate> test_cert =
+ ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile);
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);
+
+ // Test that the good certificate fails verification, because the root
+ // certificate should not yet be trusted.
+ int flags = 0;
+ CertVerifyResult bad_verify_result;
+ scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+ int bad_status = verify_proc->Verify(test_cert,
+ "127.0.0.1",
+ flags,
+ NULL,
+ CertificateList(),
+ &bad_verify_result);
+ EXPECT_NE(OK, bad_status);
+ EXPECT_NE(0u, bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
+
+ // Add the root certificate and mark it as trusted.
+ EXPECT_TRUE(test_roots->AddFromFile(
+ GetTestCertsDirectory().AppendASCII(kRootCertificateFile)));
+ EXPECT_FALSE(test_roots->IsEmpty());
+
+ // Test that the certificate verification now succeeds, because the
+ // TestRootCerts is successfully imbuing trust.
+ CertVerifyResult good_verify_result;
+ int good_status = verify_proc->Verify(test_cert,
+ "127.0.0.1",
+ flags,
+ NULL,
+ CertificateList(),
+ &good_verify_result);
+ EXPECT_EQ(OK, good_status);
+ EXPECT_EQ(0u, good_verify_result.cert_status);
+
+ test_roots->Clear();
+ EXPECT_TRUE(test_roots->IsEmpty());
+
+ // Ensure that when the TestRootCerts is cleared, the trust settings
+ // revert to their original state, and don't linger. If trust status
+ // lingers, it will likely break other tests in net_unittests.
+ CertVerifyResult restored_verify_result;
+ int restored_status = verify_proc->Verify(test_cert,
+ "127.0.0.1",
+ flags,
+ NULL,
+ CertificateList(),
+ &restored_verify_result);
+ EXPECT_NE(OK, restored_status);
+ EXPECT_NE(0u,
+ restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
+ EXPECT_EQ(bad_status, restored_status);
+ EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status);
+}
+
+// TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that
+// TestRootCerts properly injects itself into the validation process. See
+// http://crbug.com/63958
+
+} // namespace net
« no previous file with comments | « net/cert/test_root_certs_android.cc ('k') | net/data/ssl/certificates/README » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698