OLD | NEW |
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <cert.h> | 5 #include <cert.h> |
6 #include <pk11pub.h> | 6 #include <pk11pub.h> |
7 | 7 |
8 #include <algorithm> | 8 #include <algorithm> |
9 | 9 |
10 #include "base/crypto/scoped_nss_types.h" | 10 #include "base/crypto/scoped_nss_types.h" |
11 #include "base/file_path.h" | 11 #include "base/file_path.h" |
12 #include "base/file_util.h" | 12 #include "base/file_util.h" |
13 #include "base/nss_util.h" | 13 #include "base/nss_util.h" |
14 #include "base/nss_util_internal.h" | 14 #include "base/nss_util_internal.h" |
15 #include "base/path_service.h" | 15 #include "base/path_service.h" |
16 #include "base/scoped_temp_dir.h" | 16 #include "base/scoped_temp_dir.h" |
17 #include "base/singleton.h" | 17 #include "base/singleton.h" |
18 #include "base/string_util.h" | 18 #include "base/string_util.h" |
19 #include "base/utf_string_conversions.h" | 19 #include "base/utf_string_conversions.h" |
20 #include "net/base/cert_database.h" | 20 #include "net/base/cert_database.h" |
21 #include "net/base/cert_status_flags.h" | 21 #include "net/base/cert_status_flags.h" |
22 #include "net/base/cert_verify_result.h" | 22 #include "net/base/cert_verify_result.h" |
| 23 #include "net/base/crypto_module.h" |
23 #include "net/base/net_errors.h" | 24 #include "net/base/net_errors.h" |
24 #include "net/base/x509_certificate.h" | 25 #include "net/base/x509_certificate.h" |
25 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" | 26 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" |
26 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" | 27 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" |
27 #include "testing/gtest/include/gtest/gtest.h" | 28 #include "testing/gtest/include/gtest/gtest.h" |
28 | 29 |
29 namespace psm = mozilla_security_manager; | 30 namespace psm = mozilla_security_manager; |
30 | 31 |
31 namespace net { | 32 namespace net { |
32 | 33 |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
100 // TODO(mattm): when https://bugzilla.mozilla.org/show_bug.cgi?id=588269 is | 101 // TODO(mattm): when https://bugzilla.mozilla.org/show_bug.cgi?id=588269 is |
101 // fixed, switch back to using a separate userdb for each test. | 102 // fixed, switch back to using a separate userdb for each test. |
102 // (When doing so, remember to add some standalone tests of DeleteCert since it | 103 // (When doing so, remember to add some standalone tests of DeleteCert since it |
103 // won't be tested by TearDown anymore.) | 104 // won't be tested by TearDown anymore.) |
104 class CertDatabaseNSSTest : public testing::Test { | 105 class CertDatabaseNSSTest : public testing::Test { |
105 public: | 106 public: |
106 virtual void SetUp() { | 107 virtual void SetUp() { |
107 ASSERT_TRUE(temp_db_dir_.CreateUniqueTempDir()); | 108 ASSERT_TRUE(temp_db_dir_.CreateUniqueTempDir()); |
108 ASSERT_TRUE( | 109 ASSERT_TRUE( |
109 base::OpenTestNSSDB(temp_db_dir_.path(), "CertDatabaseNSSTest db")); | 110 base::OpenTestNSSDB(temp_db_dir_.path(), "CertDatabaseNSSTest db")); |
110 slot_.reset(base::GetDefaultNSSKeySlot()); | 111 slot_ = cert_db_.GetDefaultModule(); |
111 | 112 |
112 // Test db should be empty at start of test. | 113 // Test db should be empty at start of test. |
113 EXPECT_EQ(0U, ListCertsInSlot(slot_.get()).size()); | 114 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
114 } | 115 } |
115 virtual void TearDown() { | 116 virtual void TearDown() { |
116 // Don't try to cleanup if the setup failed. | 117 // Don't try to cleanup if the setup failed. |
117 ASSERT_TRUE(slot_.get()); | 118 ASSERT_TRUE(slot_->os_module_handle()); |
118 | 119 |
119 EXPECT_TRUE(CleanupSlotContents(slot_.get())); | 120 EXPECT_TRUE(CleanupSlotContents(slot_->os_module_handle())); |
120 EXPECT_EQ(0U, ListCertsInSlot(slot_.get()).size()); | 121 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
121 } | 122 } |
122 | 123 |
123 protected: | 124 protected: |
124 base::ScopedPK11Slot slot_; | 125 scoped_refptr<CryptoModule> slot_; |
125 CertDatabase cert_db_; | 126 CertDatabase cert_db_; |
126 | 127 |
127 private: | 128 private: |
128 ScopedTempDir temp_db_dir_; | 129 ScopedTempDir temp_db_dir_; |
129 }; | 130 }; |
130 | 131 |
131 TEST_F(CertDatabaseNSSTest, ListCerts) { | 132 TEST_F(CertDatabaseNSSTest, ListCerts) { |
132 // This test isn't terribly useful, though it will at least let valgrind test | 133 // This test isn't terribly useful, though it will at least let valgrind test |
133 // for leaks. | 134 // for leaks. |
134 CertificateList certs; | 135 CertificateList certs; |
135 cert_db_.ListCerts(&certs); | 136 cert_db_.ListCerts(&certs); |
136 // The test DB is empty, but let's assume there will always be something in | 137 // The test DB is empty, but let's assume there will always be something in |
137 // the other slots. | 138 // the other slots. |
138 EXPECT_LT(0U, certs.size()); | 139 EXPECT_LT(0U, certs.size()); |
139 } | 140 } |
140 | 141 |
141 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { | 142 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { |
142 std::string pkcs12_data = ReadTestFile("client.p12"); | 143 std::string pkcs12_data = ReadTestFile("client.p12"); |
143 | 144 |
144 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, | 145 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, |
145 cert_db_.ImportFromPKCS12(pkcs12_data, ASCIIToUTF16(""))); | 146 cert_db_.ImportFromPKCS12(slot_, |
| 147 pkcs12_data, |
| 148 ASCIIToUTF16(""))); |
146 | 149 |
147 // Test db should still be empty. | 150 // Test db should still be empty. |
148 EXPECT_EQ(0U, ListCertsInSlot(slot_.get()).size()); | 151 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
149 } | 152 } |
150 | 153 |
151 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AndExportAgain) { | 154 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AndExportAgain) { |
152 std::string pkcs12_data = ReadTestFile("client.p12"); | 155 std::string pkcs12_data = ReadTestFile("client.p12"); |
153 | 156 |
154 EXPECT_EQ(OK, cert_db_.ImportFromPKCS12(pkcs12_data, ASCIIToUTF16("12345"))); | 157 EXPECT_EQ(OK, cert_db_.ImportFromPKCS12(slot_, |
| 158 pkcs12_data, |
| 159 ASCIIToUTF16("12345"))); |
155 | 160 |
156 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 161 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
157 ASSERT_EQ(1U, cert_list.size()); | 162 ASSERT_EQ(1U, cert_list.size()); |
158 scoped_refptr<X509Certificate> cert(cert_list[0]); | 163 scoped_refptr<X509Certificate> cert(cert_list[0]); |
159 | 164 |
160 EXPECT_EQ("testusercert", | 165 EXPECT_EQ("testusercert", |
161 cert->subject().common_name); | 166 cert->subject().common_name); |
162 | 167 |
163 // TODO(mattm): move export test to seperate test case? | 168 // TODO(mattm): move export test to seperate test case? |
164 std::string exported_data; | 169 std::string exported_data; |
165 EXPECT_EQ(1, cert_db_.ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 170 EXPECT_EQ(1, cert_db_.ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
166 &exported_data)); | 171 &exported_data)); |
(...skipping 10 matching lines...) Expand all Loading... |
177 ASSERT_EQ(1U, certs.size()); | 182 ASSERT_EQ(1U, certs.size()); |
178 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 183 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
179 | 184 |
180 // Import it. | 185 // Import it. |
181 CertDatabase::ImportCertFailureList failed; | 186 CertDatabase::ImportCertFailureList failed; |
182 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, | 187 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, |
183 &failed)); | 188 &failed)); |
184 | 189 |
185 EXPECT_EQ(0U, failed.size()); | 190 EXPECT_EQ(0U, failed.size()); |
186 | 191 |
187 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 192 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
188 ASSERT_EQ(1U, cert_list.size()); | 193 ASSERT_EQ(1U, cert_list.size()); |
189 scoped_refptr<X509Certificate> cert(cert_list[0]); | 194 scoped_refptr<X509Certificate> cert(cert_list[0]); |
190 EXPECT_EQ("Test CA", cert->subject().common_name); | 195 EXPECT_EQ("Test CA", cert->subject().common_name); |
191 | 196 |
192 EXPECT_EQ(CertDatabase::TRUSTED_SSL, | 197 EXPECT_EQ(CertDatabase::TRUSTED_SSL, |
193 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 198 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
194 | 199 |
195 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 200 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); |
196 EXPECT_TRUE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 201 EXPECT_TRUE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); |
197 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 202 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); |
(...skipping 11 matching lines...) Expand all Loading... |
209 ASSERT_EQ(1U, certs.size()); | 214 ASSERT_EQ(1U, certs.size()); |
210 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 215 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
211 | 216 |
212 // Import it. | 217 // Import it. |
213 CertDatabase::ImportCertFailureList failed; | 218 CertDatabase::ImportCertFailureList failed; |
214 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL, | 219 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL, |
215 &failed)); | 220 &failed)); |
216 | 221 |
217 EXPECT_EQ(0U, failed.size()); | 222 EXPECT_EQ(0U, failed.size()); |
218 | 223 |
219 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 224 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
220 ASSERT_EQ(1U, cert_list.size()); | 225 ASSERT_EQ(1U, cert_list.size()); |
221 scoped_refptr<X509Certificate> cert(cert_list[0]); | 226 scoped_refptr<X509Certificate> cert(cert_list[0]); |
222 EXPECT_EQ("Test CA", cert->subject().common_name); | 227 EXPECT_EQ("Test CA", cert->subject().common_name); |
223 | 228 |
224 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, | 229 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, |
225 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 230 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
226 | 231 |
227 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 232 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); |
228 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 233 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); |
229 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 234 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); |
(...skipping 10 matching lines...) Expand all Loading... |
240 ASSERT_EQ(1U, certs.size()); | 245 ASSERT_EQ(1U, certs.size()); |
241 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 246 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
242 | 247 |
243 // Import it. | 248 // Import it. |
244 CertDatabase::ImportCertFailureList failed; | 249 CertDatabase::ImportCertFailureList failed; |
245 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN, | 250 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN, |
246 &failed)); | 251 &failed)); |
247 | 252 |
248 EXPECT_EQ(0U, failed.size()); | 253 EXPECT_EQ(0U, failed.size()); |
249 | 254 |
250 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 255 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
251 ASSERT_EQ(1U, cert_list.size()); | 256 ASSERT_EQ(1U, cert_list.size()); |
252 scoped_refptr<X509Certificate> cert(cert_list[0]); | 257 scoped_refptr<X509Certificate> cert(cert_list[0]); |
253 EXPECT_EQ("Test CA", cert->subject().common_name); | 258 EXPECT_EQ("Test CA", cert->subject().common_name); |
254 | 259 |
255 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, | 260 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, |
256 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 261 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
257 | 262 |
258 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 263 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); |
259 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 264 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); |
260 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 265 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); |
(...skipping 14 matching lines...) Expand all Loading... |
275 CertDatabase::ImportCertFailureList failed; | 280 CertDatabase::ImportCertFailureList failed; |
276 EXPECT_EQ(true, | 281 EXPECT_EQ(true, |
277 cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, &failed)); | 282 cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_SSL, &failed)); |
278 ASSERT_EQ(1U, failed.size()); | 283 ASSERT_EQ(1U, failed.size()); |
279 // Note: this compares pointers directly. It's okay in this case because | 284 // Note: this compares pointers directly. It's okay in this case because |
280 // ImportCACerts returns the same pointers that were passed in. In the | 285 // ImportCACerts returns the same pointers that were passed in. In the |
281 // general case IsSameOSCert should be used. | 286 // general case IsSameOSCert should be used. |
282 EXPECT_EQ(certs[0], failed[0].certificate); | 287 EXPECT_EQ(certs[0], failed[0].certificate); |
283 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); | 288 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); |
284 | 289 |
285 EXPECT_EQ(0U, ListCertsInSlot(slot_.get()).size()); | 290 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
286 } | 291 } |
287 | 292 |
288 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { | 293 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { |
289 CertificateList certs; | 294 CertificateList certs; |
290 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 295 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
291 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 296 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
292 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); | 297 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); |
293 | 298 |
294 // Import it. | 299 // Import it. |
295 CertDatabase::ImportCertFailureList failed; | 300 CertDatabase::ImportCertFailureList failed; |
296 // Have to specify email trust for the cert verification of the child cert to | 301 // Have to specify email trust for the cert verification of the child cert to |
297 // work (see | 302 // work (see |
298 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 | 303 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7
52 |
299 // "XXX This choice of trustType seems arbitrary.") | 304 // "XXX This choice of trustType seems arbitrary.") |
300 EXPECT_EQ(true, cert_db_.ImportCACerts( | 305 EXPECT_EQ(true, cert_db_.ImportCACerts( |
301 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 306 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, |
302 &failed)); | 307 &failed)); |
303 | 308 |
304 ASSERT_EQ(1U, failed.size()); | 309 ASSERT_EQ(1U, failed.size()); |
305 EXPECT_EQ("www.us.army.mil", failed[0].certificate->subject().common_name); | 310 EXPECT_EQ("www.us.army.mil", failed[0].certificate->subject().common_name); |
306 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); | 311 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); |
307 | 312 |
308 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 313 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
309 ASSERT_EQ(2U, cert_list.size()); | 314 ASSERT_EQ(2U, cert_list.size()); |
310 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 315 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
311 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); | 316 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); |
312 } | 317 } |
313 | 318 |
314 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { | 319 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { |
315 CertificateList certs; | 320 CertificateList certs; |
316 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 321 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
317 | 322 |
318 // First import just the root. | 323 // First import just the root. |
319 CertDatabase::ImportCertFailureList failed; | 324 CertDatabase::ImportCertFailureList failed; |
320 EXPECT_EQ(true, cert_db_.ImportCACerts( | 325 EXPECT_EQ(true, cert_db_.ImportCACerts( |
321 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 326 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, |
322 &failed)); | 327 &failed)); |
323 | 328 |
324 EXPECT_EQ(0U, failed.size()); | 329 EXPECT_EQ(0U, failed.size()); |
325 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 330 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
326 ASSERT_EQ(1U, cert_list.size()); | 331 ASSERT_EQ(1U, cert_list.size()); |
327 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 332 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
328 | 333 |
329 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 334 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
330 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); | 335 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); |
331 | 336 |
332 // Now import with the other certs in the list too. Even though the root is | 337 // Now import with the other certs in the list too. Even though the root is |
333 // already present, we should still import the rest. | 338 // already present, we should still import the rest. |
334 failed.clear(); | 339 failed.clear(); |
335 EXPECT_EQ(true, cert_db_.ImportCACerts( | 340 EXPECT_EQ(true, cert_db_.ImportCACerts( |
336 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 341 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, |
337 &failed)); | 342 &failed)); |
338 | 343 |
339 ASSERT_EQ(2U, failed.size()); | 344 ASSERT_EQ(2U, failed.size()); |
340 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); | 345 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); |
341 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); | 346 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); |
342 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); | 347 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); |
343 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); | 348 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); |
344 | 349 |
345 cert_list = ListCertsInSlot(slot_.get()); | 350 cert_list = ListCertsInSlot(slot_->os_module_handle()); |
346 ASSERT_EQ(2U, cert_list.size()); | 351 ASSERT_EQ(2U, cert_list.size()); |
347 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 352 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
348 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); | 353 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); |
349 } | 354 } |
350 | 355 |
351 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { | 356 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { |
352 CertificateList certs; | 357 CertificateList certs; |
353 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 358 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
354 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 359 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
355 | 360 |
356 // Import it. | 361 // Import it. |
357 CertDatabase::ImportCertFailureList failed; | 362 CertDatabase::ImportCertFailureList failed; |
358 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::UNTRUSTED, | 363 EXPECT_EQ(true, cert_db_.ImportCACerts(certs, CertDatabase::UNTRUSTED, |
359 &failed)); | 364 &failed)); |
360 | 365 |
361 ASSERT_EQ(1U, failed.size()); | 366 ASSERT_EQ(1U, failed.size()); |
362 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); | 367 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); |
363 // TODO(mattm): should check for net error equivalent of | 368 // TODO(mattm): should check for net error equivalent of |
364 // SEC_ERROR_UNTRUSTED_ISSUER | 369 // SEC_ERROR_UNTRUSTED_ISSUER |
365 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 370 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
366 | 371 |
367 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 372 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
368 ASSERT_EQ(1U, cert_list.size()); | 373 ASSERT_EQ(1U, cert_list.size()); |
369 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 374 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
370 } | 375 } |
371 | 376 |
372 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { | 377 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { |
373 CertificateList certs; | 378 CertificateList certs; |
374 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 379 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
375 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 380 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
376 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 381 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
377 | 382 |
378 // Import it. | 383 // Import it. |
379 CertDatabase::ImportCertFailureList failed; | 384 CertDatabase::ImportCertFailureList failed; |
380 EXPECT_EQ(true, cert_db_.ImportCACerts( | 385 EXPECT_EQ(true, cert_db_.ImportCACerts( |
381 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, | 386 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL, |
382 &failed)); | 387 &failed)); |
383 | 388 |
384 EXPECT_EQ(0U, failed.size()); | 389 EXPECT_EQ(0U, failed.size()); |
385 | 390 |
386 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 391 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
387 ASSERT_EQ(3U, cert_list.size()); | 392 ASSERT_EQ(3U, cert_list.size()); |
388 EXPECT_EQ("DOD CA-13", cert_list[0]->subject().common_name); | 393 EXPECT_EQ("DOD CA-13", cert_list[0]->subject().common_name); |
389 EXPECT_EQ("DoD Root CA 2", cert_list[1]->subject().common_name); | 394 EXPECT_EQ("DoD Root CA 2", cert_list[1]->subject().common_name); |
390 EXPECT_EQ("DOD CA-17", cert_list[2]->subject().common_name); | 395 EXPECT_EQ("DOD CA-17", cert_list[2]->subject().common_name); |
391 } | 396 } |
392 | 397 |
393 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { | 398 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { |
394 std::string cert_data = ReadTestFile("root_ca_cert.crt"); | 399 std::string cert_data = ReadTestFile("root_ca_cert.crt"); |
395 CertificateList certs = | 400 CertificateList certs = |
396 X509Certificate::CreateCertificateListFromBytes( | 401 X509Certificate::CreateCertificateListFromBytes( |
397 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); | 402 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); |
398 ASSERT_EQ(1U, certs.size()); | 403 ASSERT_EQ(1U, certs.size()); |
399 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 404 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); |
400 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 405 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
401 | 406 |
402 // Import it. | 407 // Import it. |
403 CertDatabase::ImportCertFailureList failed; | 408 CertDatabase::ImportCertFailureList failed; |
404 EXPECT_EQ(true, cert_db_.ImportCACerts( | 409 EXPECT_EQ(true, cert_db_.ImportCACerts( |
405 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL | | 410 certs, CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL | |
406 CertDatabase::TRUSTED_OBJ_SIGN, &failed)); | 411 CertDatabase::TRUSTED_OBJ_SIGN, &failed)); |
407 | 412 |
408 ASSERT_EQ(2U, failed.size()); | 413 ASSERT_EQ(2U, failed.size()); |
409 // TODO(mattm): should check for net error equivalent of | 414 // TODO(mattm): should check for net error equivalent of |
410 // SEC_ERROR_UNKNOWN_ISSUER | 415 // SEC_ERROR_UNKNOWN_ISSUER |
411 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); | 416 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); |
412 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 417 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
413 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 418 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); |
414 EXPECT_EQ(ERR_FAILED, failed[1].net_error); | 419 EXPECT_EQ(ERR_FAILED, failed[1].net_error); |
415 | 420 |
416 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 421 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
417 ASSERT_EQ(1U, cert_list.size()); | 422 ASSERT_EQ(1U, cert_list.size()); |
418 EXPECT_EQ("Test CA", cert_list[0]->subject().common_name); | 423 EXPECT_EQ("Test CA", cert_list[0]->subject().common_name); |
419 } | 424 } |
420 | 425 |
421 TEST_F(CertDatabaseNSSTest, ImportServerCert) { | 426 TEST_F(CertDatabaseNSSTest, ImportServerCert) { |
422 // Need to import intermediate cert for the verify of google cert, otherwise | 427 // Need to import intermediate cert for the verify of google cert, otherwise |
423 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which | 428 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which |
424 // will cause OCSPCreateSession on the main thread, which is not allowed. | 429 // will cause OCSPCreateSession on the main thread, which is not allowed. |
425 std::string cert_data = ReadTestFile("google.chain.pem"); | 430 std::string cert_data = ReadTestFile("google.chain.pem"); |
426 CertificateList certs = | 431 CertificateList certs = |
427 X509Certificate::CreateCertificateListFromBytes( | 432 X509Certificate::CreateCertificateListFromBytes( |
428 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); | 433 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); |
429 ASSERT_EQ(2U, certs.size()); | 434 ASSERT_EQ(2U, certs.size()); |
430 | 435 |
431 CertDatabase::ImportCertFailureList failed; | 436 CertDatabase::ImportCertFailureList failed; |
432 EXPECT_EQ(true, cert_db_.ImportServerCert(certs, &failed)); | 437 EXPECT_EQ(true, cert_db_.ImportServerCert(certs, &failed)); |
433 | 438 |
434 EXPECT_EQ(0U, failed.size()); | 439 EXPECT_EQ(0U, failed.size()); |
435 | 440 |
436 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 441 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
437 ASSERT_EQ(2U, cert_list.size()); | 442 ASSERT_EQ(2U, cert_list.size()); |
438 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); | 443 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); |
439 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); | 444 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); |
440 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); | 445 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); |
441 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 446 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
442 | 447 |
443 EXPECT_EQ(CertDatabase::UNTRUSTED, | 448 EXPECT_EQ(CertDatabase::UNTRUSTED, |
444 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); | 449 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); |
445 psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); | 450 psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); |
446 EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); | 451 EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); |
447 | 452 |
448 int flags = 0; | 453 int flags = 0; |
449 CertVerifyResult verify_result; | 454 CertVerifyResult verify_result; |
450 int error = goog_cert->Verify("www.google.com", flags, &verify_result); | 455 int error = goog_cert->Verify("www.google.com", flags, &verify_result); |
451 EXPECT_EQ(OK, error); | 456 EXPECT_EQ(OK, error); |
452 EXPECT_EQ(0, verify_result.cert_status); | 457 EXPECT_EQ(0, verify_result.cert_status); |
453 } | 458 } |
454 | 459 |
455 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 460 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
456 CertificateList certs; | 461 CertificateList certs; |
457 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 462 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
458 | 463 |
459 CertDatabase::ImportCertFailureList failed; | 464 CertDatabase::ImportCertFailureList failed; |
460 EXPECT_EQ(true, cert_db_.ImportServerCert(certs, &failed)); | 465 EXPECT_EQ(true, cert_db_.ImportServerCert(certs, &failed)); |
461 | 466 |
462 EXPECT_EQ(0U, failed.size()); | 467 EXPECT_EQ(0U, failed.size()); |
463 | 468 |
464 CertificateList cert_list = ListCertsInSlot(slot_.get()); | 469 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
465 ASSERT_EQ(1U, cert_list.size()); | 470 ASSERT_EQ(1U, cert_list.size()); |
466 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 471 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
467 | 472 |
468 EXPECT_EQ(CertDatabase::UNTRUSTED, | 473 EXPECT_EQ(CertDatabase::UNTRUSTED, |
469 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); | 474 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); |
470 psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); | 475 psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); |
471 EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); | 476 EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); |
472 | 477 |
473 int flags = 0; | 478 int flags = 0; |
474 CertVerifyResult verify_result; | 479 CertVerifyResult verify_result; |
475 int error = puny_cert->Verify("xn--wgv71a119e.com", flags, &verify_result); | 480 int error = puny_cert->Verify("xn--wgv71a119e.com", flags, &verify_result); |
476 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 481 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
477 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 482 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
478 | 483 |
479 // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not | 484 // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not |
480 // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160 | 485 // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160 |
481 EXPECT_TRUE(cert_db_.SetCertTrust( | 486 EXPECT_TRUE(cert_db_.SetCertTrust( |
482 puny_cert.get(), CA_CERT, | 487 puny_cert.get(), CA_CERT, |
483 CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); | 488 CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); |
484 | 489 |
485 verify_result.Reset(); | 490 verify_result.Reset(); |
486 error = puny_cert->Verify("xn--wgv71a119e.com", flags, &verify_result); | 491 error = puny_cert->Verify("xn--wgv71a119e.com", flags, &verify_result); |
487 EXPECT_EQ(OK, error); | 492 EXPECT_EQ(OK, error); |
488 EXPECT_EQ(0, verify_result.cert_status); | 493 EXPECT_EQ(0, verify_result.cert_status); |
489 } | 494 } |
490 | 495 |
491 } // namespace net | 496 } // namespace net |
OLD | NEW |