| OLD | NEW |
|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <cert.h> | 5 #include <cert.h> |
| 6 #include <pk11pub.h> | 6 #include <pk11pub.h> |
| 7 | 7 |
| 8 #include <algorithm> | 8 #include <algorithm> |
| 9 | 9 |
| 10 #include "base/crypto/scoped_nss_types.h" | 10 #include "base/crypto/scoped_nss_types.h" |
| 11 #include "base/file_path.h" | 11 #include "base/file_path.h" |
| 12 #include "base/file_util.h" | 12 #include "base/file_util.h" |
| 13 #include "base/nss_util.h" | 13 #include "base/nss_util.h" |
| 14 #include "base/nss_util_internal.h" | 14 #include "base/nss_util_internal.h" |
| 15 #include "base/path_service.h" | 15 #include "base/path_service.h" |
| 16 #include "base/scoped_temp_dir.h" | 16 #include "base/scoped_temp_dir.h" |
| 17 #include "base/singleton.h" | 17 #include "base/singleton.h" |
| 18 #include "base/string_util.h" | 18 #include "base/string_util.h" |
| 19 #include "base/utf_string_conversions.h" | 19 #include "base/utf_string_conversions.h" |
| 20 #include "net/base/cert_database.h" | 20 #include "net/base/cert_database.h" |
| 21 #include "net/base/cert_status_flags.h" | 21 #include "net/base/cert_status_flags.h" |
| 22 #include "net/base/cert_verify_result.h" | 22 #include "net/base/cert_verify_result.h" |
| 23 #include "net/base/crypto_module.h" |
| 23 #include "net/base/net_errors.h" | 24 #include "net/base/net_errors.h" |
| 24 #include "net/base/x509_certificate.h" | 25 #include "net/base/x509_certificate.h" |
| 25 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" | 26 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" |
| 26 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" | 27 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" |
| 27 #include "testing/gtest/include/gtest/gtest.h" | 28 #include "testing/gtest/include/gtest/gtest.h" |
| 28 | 29 |
| 29 namespace psm = mozilla_security_manager; | 30 namespace psm = mozilla_security_manager; |
| 30 | 31 |
| 31 namespace net { | 32 namespace net { |
| 32 | 33 |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 100 // TODO(mattm): when https://bugzilla.mozilla.org/show_bug.cgi?id=588269 is | 101 // TODO(mattm): when https://bugzilla.mozilla.org/show_bug.cgi?id=588269 is |
| 101 // fixed, switch back to using a separate userdb for each test. | 102 // fixed, switch back to using a separate userdb for each test. |
| 102 // (When doing so, remember to add some standalone tests of DeleteCert since it | 103 // (When doing so, remember to add some standalone tests of DeleteCert since it |
| 103 // won't be tested by TearDown anymore.) | 104 // won't be tested by TearDown anymore.) |
| 104 class CertDatabaseNSSTest : public testing::Test { | 105 class CertDatabaseNSSTest : public testing::Test { |
| 105 public: | 106 public: |
| 106 virtual void SetUp() { | 107 virtual void SetUp() { |
| 107 ASSERT_TRUE(temp_db_dir_.CreateUniqueTempDir()); | 108 ASSERT_TRUE(temp_db_dir_.CreateUniqueTempDir()); |
| 108 ASSERT_TRUE( | 109 ASSERT_TRUE( |
| 109 base::OpenTestNSSDB(temp_db_dir_.path(), "CertDatabaseNSSTest db")); | 110 base::OpenTestNSSDB(temp_db_dir_.path(), "CertDatabaseNSSTest db")); |
| 110 slot_.reset(base::GetDefaultNSSKeySlot()); | 111 slot_ = cert_db_.GetDefaultModule(); |
| 111 | 112 |
| 112 // Test db should be empty at start of test. | 113 // Test db should be empty at start of test. |
| 113 EXPECT_EQ(0U, ListCertsInSlot(slot_.get()).size()); | 114 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
| 114 } | 115 } |
| 115 virtual void TearDown() { | 116 virtual void TearDown() { |
| 116 // Don't try to cleanup if the setup failed. | 117 // Don't try to cleanup if the setup failed. |
| 117 ASSERT_TRUE(slot_.get()); | 118 ASSERT_TRUE(slot_->os_module_handle()); |
| 118 | 119 |
| 119 EXPECT_TRUE(CleanupSlotContents(slot_.get())); | 120 EXPECT_TRUE(CleanupSlotContents(slot_->os_module_handle())); |
| 120 EXPECT_EQ(0U, ListCertsInSlot(slot_.get()).size()); | 121 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
| 121 } | 122 } |
| 122 | 123 |
| 123 protected: | 124 protected: |
| 124 base::ScopedPK11Slot slot_; | 125 scoped_refptr<CryptoModule> slot_; |
| 125 CertDatabase cert_db_; | 126 CertDatabase cert_db_; |
| 126 | 127 |
| 127 private: | 128 private: |
| 128 ScopedTempDir temp_db_dir_; | 129 ScopedTempDir temp_db_dir_; |
| 129 }; | 130 }; |
| 130 | 131 |
| 131 TEST_F(CertDatabaseNSSTest, ListCerts) { | 132 TEST_F(CertDatabaseNSSTest, ListCerts) { |
| 132 // This test isn't terribly useful, though it will at least let valgrind test | 133 // This test isn't terribly useful, though it will at least let valgrind test |
| 133 // for leaks. | 134 // for leaks. |
| 134 CertificateList certs; | 135 CertificateList certs; |
| 135 cert_db_.ListCerts(&certs); | 136 cert_db_.ListCerts(&certs); |
| 136 // The test DB is empty, but let's assume there will always be something in | 137 // The test DB is empty, but let's assume there will always be something in |
| 137 // the other slots. | 138 // the other slots. |
| 138 EXPECT_LT(0U, certs.size()); | 139 EXPECT_LT(0U, certs.size()); |
| 139 } | 140 } |
| 140 | 141 |
| 141 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { | 142 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { |
| 142 std::string pkcs12_data = ReadTestFile("client.p12"); | 143 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 143 | 144 |
| 144 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, | 145 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, |
| 145 cert_db_.ImportFromPKCS12(pkcs12_data, ASCIIToUTF16(""))); | 146 cert_db_.ImportFromPKCS12(slot_, |
| 147 pkcs12_data, |
| 148 ASCIIToUTF16(""))); |
| 146 | 149 |
| 147 // Test db should still be empty. | 150 // Test db should still be empty. |
| 148 EXPECT_EQ(0U, ListCertsInSlot(slot_.get()).size()); | 151 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
| 149 } | 152 } |
| 150 | 153 |
| 151 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AndExportAgain) { | 154 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AndExportAgain) { |
| 152 std::string pkcs12_data = ReadTestFile("client.p12"); | 155 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 153 | 156 |
| 154 EXPECT_EQ(OK, cert_db_.ImportFromPKCS12(pkcs12_data, ASCIIToUTF16("12345"))); | 157 EXPECT_EQ(OK, cert_db_.ImportFromPKCS12(slot_, |
| 158 pkcs12_data, |
| 159 ASCIIToUTF16("12345"))); |
| 155 | 160 |
| 156 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 161 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 157 ASSERT_EQ(1U, cert_list.size()); | 162 ASSERT_EQ(1U, cert_list.size()); |
| 158 scoped_refptr<X509Certificate> cert(cert_list[0]); | 163 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 159 | 164 |
| 160 EXPECT_EQ("testusercert", | 165 EXPECT_EQ("testusercert", |
| 161 cert->subject().common_name); | 166 cert->subject().common_name); |
| 162 | 167 |
| 163 // TODO(mattm): move export test to seperate test case? | 168 // TODO(mattm): move export test to seperate test case? |
| 164 std::string exported_data; | 169 std::string exported_data; |
| 165 EXPECT_EQ(1, cert_db_.ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 170 EXPECT_EQ(1, cert_db_.ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
| 166 &exported_data)); | 171 &exported_data)); |
| (...skipping 10 matching lines...) Expand all Loading... |
| 177 ASSERT_EQ(1U, certs.size()); | 182 ASSERT_EQ(1U, certs.size()); |
| 178 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 183 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 179 | 184 |
| 180 // Import it. | 185 // Import it. |
| 181 CertDatabase::ImportCertFailureList failed; | 186 CertDatabase::ImportCertFailureList failed; |
| 182 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, | 187 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, |
| 183 &failed)); | 188 &failed)); |
| 184 | 189 |
| 185 EXPECT_EQ(0U, failed.size()); | 190 EXPECT_EQ(0U, failed.size()); |
| 186 | 191 |
| 187 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 192 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 188 ASSERT_EQ(1U, cert_list.size()); | 193 ASSERT_EQ(1U, cert_list.size()); |
| 189 scoped_refptr<X509Certificate> cert(cert_list[0]); | 194 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 190 EXPECT_EQ("Test CA", cert->subject().common_name); | 195 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 191 | 196 |
| 192 EXPECT_EQ(CertDatabase::TRUSTED_SSL, | 197 EXPECT_EQ(CertDatabase::TRUSTED_SSL, |
| 193 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 198 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 194 | 199 |
| 195 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 200 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); |
| 196 EXPECT_TRUE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 201 EXPECT_TRUE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); |
| 197 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 202 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); |
| (...skipping 11 matching lines...) Expand all Loading... |
| 209 ASSERT_EQ(1U, certs.size()); | 214 ASSERT_EQ(1U, certs.size()); |
| 210 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 215 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 211 | 216 |
| 212 // Import it. | 217 // Import it. |
| 213 CertDatabase::ImportCertFailureList failed; | 218 CertDatabase::ImportCertFailureList failed; |
| 214 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL, | 219 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL, |
| 215 &failed)); | 220 &failed)); |
| 216 | 221 |
| 217 EXPECT_EQ(0U, failed.size()); | 222 EXPECT_EQ(0U, failed.size()); |
| 218 | 223 |
| 219 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 224 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 220 ASSERT_EQ(1U, cert_list.size()); | 225 ASSERT_EQ(1U, cert_list.size()); |
| 221 scoped_refptr<X509Certificate> cert(cert_list[0]); | 226 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 222 EXPECT_EQ("Test CA", cert->subject().common_name); | 227 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 223 | 228 |
| 224 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, | 229 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, |
| 225 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 230 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 226 | 231 |
| 227 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 232 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); |
| 228 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 233 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); |
| 229 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 234 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); |
| (...skipping 10 matching lines...) Expand all Loading... |
| 240 ASSERT_EQ(1U, certs.size()); | 245 ASSERT_EQ(1U, certs.size()); |
| 241 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 246 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 242 | 247 |
| 243 // Import it. | 248 // Import it. |
| 244 CertDatabase::ImportCertFailureList failed; | 249 CertDatabase::ImportCertFailureList failed; |
| 245 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN, | 250 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN, |
| 246 &failed)); | 251 &failed)); |
| 247 | 252 |
| 248 EXPECT_EQ(0U, failed.size()); | 253 EXPECT_EQ(0U, failed.size()); |
| 249 | 254 |
| 250 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 255 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 251 ASSERT_EQ(1U, cert_list.size()); | 256 ASSERT_EQ(1U, cert_list.size()); |
| 252 scoped_refptr<X509Certificate> cert(cert_list[0]); | 257 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 253 EXPECT_EQ("Test CA", cert->subject().common_name); | 258 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 254 | 259 |
| 255 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, | 260 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, |
| 256 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 261 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 257 | 262 |
| 258 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 263 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); |
| 259 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 264 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); |
| 260 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 265 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); |
| (...skipping 14 matching lines...) Expand all Loading... |
| 275 CertDatabase::ImportCertFailureList failed; | 280 CertDatabase::ImportCertFailureList failed; |
| 276 EXPECT_EQ(true, | 281 EXPECT_EQ(true, |
| 277 cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, &failed)); | 282 cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, &failed)); |
| 278 ASSERT_EQ(1U, failed.size()); | 283 ASSERT_EQ(1U, failed.size()); |
| 279 // Note: this compares pointers directly. It's okay in this case because | 284 // Note: this compares pointers directly. It's okay in this case because |
| 280 // ImportCACerts returns the same pointers that were passed in. In the | 285 // ImportCACerts returns the same pointers that were passed in. In the |
| 281 // general case IsSameOSCert should be used. | 286 // general case IsSameOSCert should be used. |
| 282 EXPECT_EQ(certs[0], failed[0].certificate); | 287 EXPECT_EQ(certs[0], failed[0].certificate); |
| 283 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); | 288 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); |
| 284 | 289 |
| 285 EXPECT_EQ(0U, ListCertsInSlot(slot_.get()).size()); | 290 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
| 286 } | 291 } |
| 287 | 292 |
| 288 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { | 293 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { |
| 289 CertificateList certs; | 294 CertificateList certs; |
| 290 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 295 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 291 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 296 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 292 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); | 297 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); |
| 293 | 298 |
| 294 // Import it. | 299 // Import it. |
| 295 CertDatabase::ImportCertFailureList failed; | 300 CertDatabase::ImportCertFailureList failed; |
| 296 // Have to specify email trust for the cert verification of the child cert to | 301 // Have to specify email trust for the cert verification of the child cert to |
| 297 // work (see | 302 // work (see |
| 298 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 | 303 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 |
| 299 // "XXX This choice of trustType seems arbitrary.") | 304 // "XXX This choice of trustType seems arbitrary.") |
| 300 EXPECT_EQ(true, cert_db_.ImportCACerts( | 305 EXPECT_EQ(true, cert_db_.ImportCACerts( |
| 301 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 306 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, |
| 302 &failed)); | 307 &failed)); |
| 303 | 308 |
| 304 ASSERT_EQ(1U, failed.size()); | 309 ASSERT_EQ(1U, failed.size()); |
| 305 EXPECT_EQ("www.us.army.mil", failed[0].certificate->subject().common_name); | 310 EXPECT_EQ("www.us.army.mil", failed[0].certificate->subject().common_name); |
| 306 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); | 311 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); |
| 307 | 312 |
| 308 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 313 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 309 ASSERT_EQ(2U, cert_list.size()); | 314 ASSERT_EQ(2U, cert_list.size()); |
| 310 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 315 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 311 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); | 316 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); |
| 312 } | 317 } |
| 313 | 318 |
| 314 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { | 319 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { |
| 315 CertificateList certs; | 320 CertificateList certs; |
| 316 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 321 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 317 | 322 |
| 318 // First import just the root. | 323 // First import just the root. |
| 319 CertDatabase::ImportCertFailureList failed; | 324 CertDatabase::ImportCertFailureList failed; |
| 320 EXPECT_EQ(true, cert_db_.ImportCACerts( | 325 EXPECT_EQ(true, cert_db_.ImportCACerts( |
| 321 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 326 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, |
| 322 &failed)); | 327 &failed)); |
| 323 | 328 |
| 324 EXPECT_EQ(0U, failed.size()); | 329 EXPECT_EQ(0U, failed.size()); |
| 325 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 330 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 326 ASSERT_EQ(1U, cert_list.size()); | 331 ASSERT_EQ(1U, cert_list.size()); |
| 327 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 332 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 328 | 333 |
| 329 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 334 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 330 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); | 335 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); |
| 331 | 336 |
| 332 // Now import with the other certs in the list too. Even though the root is | 337 // Now import with the other certs in the list too. Even though the root is |
| 333 // already present, we should still import the rest. | 338 // already present, we should still import the rest. |
| 334 failed.clear(); | 339 failed.clear(); |
| 335 EXPECT_EQ(true, cert_db_.ImportCACerts( | 340 EXPECT_EQ(true, cert_db_.ImportCACerts( |
| 336 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 341 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, |
| 337 &failed)); | 342 &failed)); |
| 338 | 343 |
| 339 ASSERT_EQ(2U, failed.size()); | 344 ASSERT_EQ(2U, failed.size()); |
| 340 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); | 345 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); |
| 341 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); | 346 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); |
| 342 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); | 347 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); |
| 343 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); | 348 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); |
| 344 | 349 |
| 345 cert_list = ListCertsInSlot(slot_.get()); | 350 cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 346 ASSERT_EQ(2U, cert_list.size()); | 351 ASSERT_EQ(2U, cert_list.size()); |
| 347 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 352 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 348 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); | 353 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); |
| 349 } | 354 } |
| 350 | 355 |
| 351 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { | 356 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { |
| 352 CertificateList certs; | 357 CertificateList certs; |
| 353 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 358 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 354 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 359 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 355 | 360 |
| 356 // Import it. | 361 // Import it. |
| 357 CertDatabase::ImportCertFailureList failed; | 362 CertDatabase::ImportCertFailureList failed; |
| 358 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::UNTRUSTED, | 363 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::UNTRUSTED, |
| 359 &failed)); | 364 &failed)); |
| 360 | 365 |
| 361 ASSERT_EQ(1U, failed.size()); | 366 ASSERT_EQ(1U, failed.size()); |
| 362 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); | 367 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); |
| 363 // TODO(mattm): should check for net error equivalent of | 368 // TODO(mattm): should check for net error equivalent of |
| 364 // SEC_ERROR_UNTRUSTED_ISSUER | 369 // SEC_ERROR_UNTRUSTED_ISSUER |
| 365 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 370 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
| 366 | 371 |
| 367 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 372 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 368 ASSERT_EQ(1U, cert_list.size()); | 373 ASSERT_EQ(1U, cert_list.size()); |
| 369 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 374 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| 370 } | 375 } |
| 371 | 376 |
| 372 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { | 377 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { |
| 373 CertificateList certs; | 378 CertificateList certs; |
| 374 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 379 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 375 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 380 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
| 376 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 381 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 377 | 382 |
| 378 // Import it. | 383 // Import it. |
| 379 CertDatabase::ImportCertFailureList failed; | 384 CertDatabase::ImportCertFailureList failed; |
| 380 EXPECT_EQ(true, cert_db_.ImportCACerts( | 385 EXPECT_EQ(true, cert_db_.ImportCACerts( |
| 381 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 386 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, |
| 382 &failed)); | 387 &failed)); |
| 383 | 388 |
| 384 EXPECT_EQ(0U, failed.size()); | 389 EXPECT_EQ(0U, failed.size()); |
| 385 | 390 |
| 386 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 391 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 387 ASSERT_EQ(3U, cert_list.size()); | 392 ASSERT_EQ(3U, cert_list.size()); |
| 388 EXPECT_EQ("DOD CA-13", cert_list[0]->subject().common_name); | 393 EXPECT_EQ("DOD CA-13", cert_list[0]->subject().common_name); |
| 389 EXPECT_EQ("DoD Root CA 2", cert_list[1]->subject().common_name); | 394 EXPECT_EQ("DoD Root CA 2", cert_list[1]->subject().common_name); |
| 390 EXPECT_EQ("DOD CA-17", cert_list[2]->subject().common_name); | 395 EXPECT_EQ("DOD CA-17", cert_list[2]->subject().common_name); |
| 391 } | 396 } |
| 392 | 397 |
| 393 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { | 398 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { |
| 394 std::string cert_data = ReadTestFile("root_ca_cert.crt"); | 399 std::string cert_data = ReadTestFile("root_ca_cert.crt"); |
| 395 CertificateList certs = | 400 CertificateList certs = |
| 396 X509Certificate::CreateCertificateListFromBytes( | 401 X509Certificate::CreateCertificateListFromBytes( |
| 397 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); | 402 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); |
| 398 ASSERT_EQ(1U, certs.size()); | 403 ASSERT_EQ(1U, certs.size()); |
| 399 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 404 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
| 400 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 405 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 401 | 406 |
| 402 // Import it. | 407 // Import it. |
| 403 CertDatabase::ImportCertFailureList failed; | 408 CertDatabase::ImportCertFailureList failed; |
| 404 EXPECT_EQ(true, cert_db_.ImportCACerts( | 409 EXPECT_EQ(true, cert_db_.ImportCACerts( |
| 405 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL | | 410 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL | |
| 406 CertDatabase::TRUSTED_OBJ_SIGN, &failed)); | 411 CertDatabase::TRUSTED_OBJ_SIGN, &failed)); |
| 407 | 412 |
| 408 ASSERT_EQ(2U, failed.size()); | 413 ASSERT_EQ(2U, failed.size()); |
| 409 // TODO(mattm): should check for net error equivalent of | 414 // TODO(mattm): should check for net error equivalent of |
| 410 // SEC_ERROR_UNKNOWN_ISSUER | 415 // SEC_ERROR_UNKNOWN_ISSUER |
| 411 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); | 416 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); |
| 412 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 417 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
| 413 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 418 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
| 414 EXPECT_EQ(ERR_FAILED, failed[1].net_error); | 419 EXPECT_EQ(ERR_FAILED, failed[1].net_error); |
| 415 | 420 |
| 416 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 421 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 417 ASSERT_EQ(1U, cert_list.size()); | 422 ASSERT_EQ(1U, cert_list.size()); |
| 418 EXPECT_EQ("Test CA", cert_list[0]->subject().common_name); | 423 EXPECT_EQ("Test CA", cert_list[0]->subject().common_name); |
| 419 } | 424 } |
| 420 | 425 |
| 421 TEST_F(CertDatabaseNSSTest, ImportServerCert) { | 426 TEST_F(CertDatabaseNSSTest, ImportServerCert) { |
| 422 // Need to import intermediate cert for the verify of google cert, otherwise | 427 // Need to import intermediate cert for the verify of google cert, otherwise |
| 423 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which | 428 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which |
| 424 // will cause OCSPCreateSession on the main thread, which is not allowed. | 429 // will cause OCSPCreateSession on the main thread, which is not allowed. |
| 425 std::string cert_data = ReadTestFile("google.chain.pem"); | 430 std::string cert_data = ReadTestFile("google.chain.pem"); |
| 426 CertificateList certs = | 431 CertificateList certs = |
| 427 X509Certificate::CreateCertificateListFromBytes( | 432 X509Certificate::CreateCertificateListFromBytes( |
| 428 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); | 433 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); |
| 429 ASSERT_EQ(2U, certs.size()); | 434 ASSERT_EQ(2U, certs.size()); |
| 430 | 435 |
| 431 CertDatabase::ImportCertFailureList failed; | 436 CertDatabase::ImportCertFailureList failed; |
| 432 EXPECT_EQ(true, cert_db_.ImportServerCert(certs, &failed)); | 437 EXPECT_EQ(true, cert_db_.ImportServerCert(certs, &failed)); |
| 433 | 438 |
| 434 EXPECT_EQ(0U, failed.size()); | 439 EXPECT_EQ(0U, failed.size()); |
| 435 | 440 |
| 436 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 441 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 437 ASSERT_EQ(2U, cert_list.size()); | 442 ASSERT_EQ(2U, cert_list.size()); |
| 438 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); | 443 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); |
| 439 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); | 444 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); |
| 440 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); | 445 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); |
| 441 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 446 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
| 442 | 447 |
| 443 EXPECT_EQ(CertDatabase::UNTRUSTED, | 448 EXPECT_EQ(CertDatabase::UNTRUSTED, |
| 444 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); | 449 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| 445 psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); | 450 psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); |
| 446 EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); | 451 EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); |
| 447 | 452 |
| 448 int flags = 0; | 453 int flags = 0; |
| 449 CertVerifyResult verify_result; | 454 CertVerifyResult verify_result; |
| 450 int error = goog_cert->Verify("www.google.com", flags, &verify_result); | 455 int error = goog_cert->Verify("www.google.com", flags, &verify_result); |
| 451 EXPECT_EQ(OK, error); | 456 EXPECT_EQ(OK, error); |
| 452 EXPECT_EQ(0, verify_result.cert_status); | 457 EXPECT_EQ(0, verify_result.cert_status); |
| 453 } | 458 } |
| 454 | 459 |
| 455 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 460 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| 456 CertificateList certs; | 461 CertificateList certs; |
| 457 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 462 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 458 | 463 |
| 459 CertDatabase::ImportCertFailureList failed; | 464 CertDatabase::ImportCertFailureList failed; |
| 460 EXPECT_EQ(true, cert_db_.ImportServerCert(certs, &failed)); | 465 EXPECT_EQ(true, cert_db_.ImportServerCert(certs, &failed)); |
| 461 | 466 |
| 462 EXPECT_EQ(0U, failed.size()); | 467 EXPECT_EQ(0U, failed.size()); |
| 463 | 468 |
| 464 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 469 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 465 ASSERT_EQ(1U, cert_list.size()); | 470 ASSERT_EQ(1U, cert_list.size()); |
| 466 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 471 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 467 | 472 |
| 468 EXPECT_EQ(CertDatabase::UNTRUSTED, | 473 EXPECT_EQ(CertDatabase::UNTRUSTED, |
| 469 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); | 474 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 470 psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); | 475 psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); |
| 471 EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); | 476 EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); |
| 472 | 477 |
| 473 int flags = 0; | 478 int flags = 0; |
| 474 CertVerifyResult verify_result; | 479 CertVerifyResult verify_result; |
| 475 int error = puny_cert->Verify("xn--wgv71a119e.com", flags, &verify_result); | 480 int error = puny_cert->Verify("xn--wgv71a119e.com", flags, &verify_result); |
| 476 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 481 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 477 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 482 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 478 | 483 |
| 479 // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not | 484 // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not |
| 480 // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160 | 485 // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160 |
| 481 EXPECT_TRUE(cert_db_.SetCertTrust( | 486 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 482 puny_cert.get(), CA_CERT, | 487 puny_cert.get(), CA_CERT, |
| 483 CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); | 488 CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); |
| 484 | 489 |
| 485 verify_result.Reset(); | 490 verify_result.Reset(); |
| 486 error = puny_cert->Verify("xn--wgv71a119e.com", flags, &verify_result); | 491 error = puny_cert->Verify("xn--wgv71a119e.com", flags, &verify_result); |
| 487 EXPECT_EQ(OK, error); | 492 EXPECT_EQ(OK, error); |
| 488 EXPECT_EQ(0, verify_result.cert_status); | 493 EXPECT_EQ(0, verify_result.cert_status); |
| 489 } | 494 } |
| 490 | 495 |
| 491 } // namespace net | 496 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 5686002:
NSS: PKCS 11 password prompt. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src