net/cert/nss_cert_database_unittest.cc - Issue 992733002: Remove //net (except for Android test stuff) and sdch

Side by Side Diff: net/cert/nss_cert_database_unittest.cc

Issue 992733002: Remove //net (except for Android test stuff) and sdch (Closed) Base URL: git@github.com:domokit/mojo.git@master

Patch Set: Created 5 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
	(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.

4

5 #include <cert.h>

6 #include <certdb.h>

7 #include <pk11pub.h>

8

9 #include <algorithm>

10

11 #include "base/bind.h"

12 #include "base/files/file_path.h"

13 #include "base/files/file_util.h"

14 #include "base/lazy_instance.h"

15 #include "base/message_loop/message_loop.h"

16 #include "base/message_loop/message_loop_proxy.h"

17 #include "base/run_loop.h"

18 #include "base/strings/string16.h"

19 #include "base/strings/string_util.h"

20 #include "base/strings/utf_string_conversions.h"

21 #include "crypto/scoped_nss_types.h"

22 #include "crypto/scoped_test_nss_db.h"

23 #include "net/base/crypto_module.h"

24 #include "net/base/net_errors.h"

25 #include "net/base/test_data_directory.h"

26 #include "net/cert/cert_status_flags.h"

27 #include "net/cert/cert_verify_proc_nss.h"

28 #include "net/cert/cert_verify_result.h"

29 #include "net/cert/nss_cert_database.h"

30 #include "net/cert/x509_certificate.h"

31 #include "net/test/cert_test_util.h"

32 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"

33 #include "testing/gtest/include/gtest/gtest.h"

34

35 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use

36 // the new name of the macro.

37 #if !defined(CERTDB_TERMINAL_RECORD)

38 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER

39 #endif

40

41 using base::ASCIIToUTF16;

42

43 namespace net {

44

45 namespace {

46

47 void SwapCertList(CertificateList* destination,

48 scoped_ptr<CertificateList> source) {

49 ASSERT_TRUE(destination);

50 destination->swap(*source);

51 }

52

53 } // namespace

54

55 class CertDatabaseNSSTest : public testing::Test {

56 public:

57 void SetUp() override {

58 ASSERT_TRUE(test_nssdb_.is_open());

59 cert_db_.reset(new NSSCertDatabase(

60 crypto::ScopedPK11Slot(

61 PK11_ReferenceSlot(test_nssdb_.slot())) /* public slot */,

62 crypto::ScopedPK11Slot(

63 PK11_ReferenceSlot(test_nssdb_.slot())) /* private slot */));

64 public_module_ = cert_db_->GetPublicModule();

65

66 // Test db should be empty at start of test.

67 EXPECT_EQ(0U, ListCerts().size());

68 }

69

70 void TearDown() override {

71 // Run the message loop to process any observer callbacks (e.g. for the

72 // ClientSocketFactory singleton) so that the scoped ref ptrs created in

73 // NSSCertDatabase::NotifyObservers* get released.

74 base::MessageLoop::current()->RunUntilIdle();

75 }

76

77 protected:

78 net::CryptoModule* GetPublicModule() {

79 return public_module_.get();

80 }

81

82 static std::string ReadTestFile(const std::string& name) {

83 std::string result;

84 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name);

85 EXPECT_TRUE(base::ReadFileToString(cert_path, &result));

86 return result;

87 }

88

89 static bool ReadCertIntoList(const std::string& name,

90 CertificateList* certs) {

91 scoped_refptr<X509Certificate> cert(

92 ImportCertFromFile(GetTestCertsDirectory(), name));

93 if (!cert.get())

94 return false;

95

96 certs->push_back(cert);

97 return true;

98 }

99

100 CertificateList ListCerts() {

101 CertificateList result;

102 CERTCertList* cert_list = PK11_ListCertsInSlot(test_nssdb_.slot());

103 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);

104 !CERT_LIST_END(node, cert_list);

105 node = CERT_LIST_NEXT(node)) {

106 result.push_back(X509Certificate::CreateFromHandle(

107 node->cert, X509Certificate::OSCertHandles()));

108 }

109 CERT_DestroyCertList(cert_list);

110

111 // Sort the result so that test comparisons can be deterministic.

112 std::sort(result.begin(), result.end(), X509Certificate::LessThan());

113 return result;

114 }

115

116 scoped_ptr<NSSCertDatabase> cert_db_;

117 const CertificateList empty_cert_list_;

118 crypto::ScopedTestNSSDB test_nssdb_;

119 scoped_refptr<net::CryptoModule> public_module_;

120 };

121

122 TEST_F(CertDatabaseNSSTest, ListCertsSync) {

123 // This test isn't terribly useful, though it will at least let valgrind test

124 // for leaks.

125 CertificateList certs;

126 cert_db_->ListCertsSync(&certs);

127 // The test DB is empty, but let's assume there will always be something in

128 // the other slots.

129 EXPECT_LT(0U, certs.size());

130 }

131

132 TEST_F(CertDatabaseNSSTest, ListCerts) {

133 // This test isn't terribly useful, though it will at least let valgrind test

134 // for leaks.

135 CertificateList certs;

136 cert_db_->SetSlowTaskRunnerForTest(base::MessageLoopProxy::current());

137 cert_db_->ListCerts(base::Bind(&SwapCertList, base::Unretained(&certs)));

138 EXPECT_EQ(0U, certs.size());

139

140 base::RunLoop().RunUntilIdle();

141

142 // The test DB is empty, but let's assume there will always be something in

143 // the other slots.

144 EXPECT_LT(0U, certs.size());

145 }

146

147 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {

148 std::string pkcs12_data = ReadTestFile("client.p12");

149

150 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,

151 cert_db_->ImportFromPKCS12(GetPublicModule(),

152 pkcs12_data,

153 base::string16(),

154 true, // is_extractable

155 NULL));

156

157 // Test db should still be empty.

158 EXPECT_EQ(0U, ListCerts().size());

159 }

160

161 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {

162 std::string pkcs12_data = ReadTestFile("client.p12");

163

164 EXPECT_EQ(OK,

165 cert_db_->ImportFromPKCS12(GetPublicModule(),

166 pkcs12_data,

167 ASCIIToUTF16("12345"),

168 true, // is_extractable

169 NULL));

170

171 CertificateList cert_list = ListCerts();

172 ASSERT_EQ(1U, cert_list.size());

173 scoped_refptr<X509Certificate> cert(cert_list[0]);

174

175 EXPECT_EQ("testusercert",

176 cert->subject().common_name);

177

178 // TODO(mattm): move export test to separate test case?

179 std::string exported_data;

180 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),

181 &exported_data));

182 ASSERT_LT(0U, exported_data.size());

183 // TODO(mattm): further verification of exported data?

184 }

185

186 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {

187 std::string pkcs12_data = ReadTestFile("client.p12");

188

189 EXPECT_EQ(OK,

190 cert_db_->ImportFromPKCS12(GetPublicModule(),

191 pkcs12_data,

192 ASCIIToUTF16("12345"),

193 true, // is_extractable

194 NULL));

195 EXPECT_EQ(1U, ListCerts().size());

196

197 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like

198 // it's ever used. This test verifies that.

199 EXPECT_EQ(OK,

200 cert_db_->ImportFromPKCS12(GetPublicModule(),

201 pkcs12_data,

202 ASCIIToUTF16("12345"),

203 true, // is_extractable

204 NULL));

205 EXPECT_EQ(1U, ListCerts().size());

206 }

207

208 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {

209 std::string pkcs12_data = ReadTestFile("client.p12");

210

211 EXPECT_EQ(OK,

212 cert_db_->ImportFromPKCS12(GetPublicModule(),

213 pkcs12_data,

214 ASCIIToUTF16("12345"),

215 false, // is_extractable

216 NULL));

217

218 CertificateList cert_list = ListCerts();

219 ASSERT_EQ(1U, cert_list.size());

220 scoped_refptr<X509Certificate> cert(cert_list[0]);

221

222 EXPECT_EQ("testusercert",

223 cert->subject().common_name);

224

225 std::string exported_data;

226 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),

227 &exported_data));

228 }

229

230 // Importing a PKCS#12 file with a certificate but no corresponding

231 // private key should not mark an existing private key as unextractable.

232 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) {

233 std::string pkcs12_data = ReadTestFile("client.p12");

234 EXPECT_EQ(OK,

235 cert_db_->ImportFromPKCS12(GetPublicModule(),

236 pkcs12_data,

237 ASCIIToUTF16("12345"),

238 true, // is_extractable

239 NULL));

240

241 CertificateList cert_list = ListCerts();

242 ASSERT_EQ(1U, cert_list.size());

243

244 // Now import a PKCS#12 file with just a certificate but no private key.

245 pkcs12_data = ReadTestFile("client-nokey.p12");

246 EXPECT_EQ(OK,

247 cert_db_->ImportFromPKCS12(GetPublicModule(),

248 pkcs12_data,

249 ASCIIToUTF16("12345"),

250 false, // is_extractable

251 NULL));

252

253 cert_list = ListCerts();

254 ASSERT_EQ(1U, cert_list.size());

255

256 // Make sure the imported private key is still extractable.

257 std::string exported_data;

258 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),

259 &exported_data));

260 ASSERT_LT(0U, exported_data.size());

261 }

262

263 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {

264 std::string pkcs12_data = "Foobarbaz";

265

266 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,

267 cert_db_->ImportFromPKCS12(GetPublicModule(),

268 pkcs12_data,

269 base::string16(),

270 true, // is_extractable

271 NULL));

272

273 // Test db should still be empty.

274 EXPECT_EQ(0U, ListCerts().size());

275 }

276

277 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {

278 CertificateList certs = CreateCertificateListFromFile(

279 GetTestCertsDirectory(), "root_ca_cert.pem",

280 X509Certificate::FORMAT_AUTO);

281 ASSERT_EQ(1U, certs.size());

282 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);

283

284 // Import it.

285 NSSCertDatabase::ImportCertFailureList failed;

286 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,

287 &failed));

288

289 EXPECT_EQ(0U, failed.size());

290

291 CertificateList cert_list = ListCerts();

292 ASSERT_EQ(1U, cert_list.size());

293 scoped_refptr<X509Certificate> cert(cert_list[0]);

294 EXPECT_EQ("Test Root CA", cert->subject().common_name);

295

296 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,

297 cert_db_->GetCertTrust(cert.get(), CA_CERT));

298

299 EXPECT_EQ(unsigned(CERTDB_VALID_CA \| CERTDB_TRUSTED_CA \|

300 CERTDB_TRUSTED_CLIENT_CA),

301 cert->os_cert_handle()->trust->sslFlags);

302 EXPECT_EQ(unsigned(CERTDB_VALID_CA),

303 cert->os_cert_handle()->trust->emailFlags);

304 EXPECT_EQ(unsigned(CERTDB_VALID_CA),

305 cert->os_cert_handle()->trust->objectSigningFlags);

306 }

307

308 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {

309 CertificateList certs = CreateCertificateListFromFile(

310 GetTestCertsDirectory(), "root_ca_cert.pem",

311 X509Certificate::FORMAT_AUTO);

312 ASSERT_EQ(1U, certs.size());

313 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);

314

315 // Import it.

316 NSSCertDatabase::ImportCertFailureList failed;

317 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL,

318 &failed));

319

320 EXPECT_EQ(0U, failed.size());

321

322 CertificateList cert_list = ListCerts();

323 ASSERT_EQ(1U, cert_list.size());

324 scoped_refptr<X509Certificate> cert(cert_list[0]);

325 EXPECT_EQ("Test Root CA", cert->subject().common_name);

326

327 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL,

328 cert_db_->GetCertTrust(cert.get(), CA_CERT));

329

330 EXPECT_EQ(unsigned(CERTDB_VALID_CA),

331 cert->os_cert_handle()->trust->sslFlags);

332 EXPECT_EQ(unsigned(CERTDB_VALID_CA \| CERTDB_TRUSTED_CA \|

333 CERTDB_TRUSTED_CLIENT_CA),

334 cert->os_cert_handle()->trust->emailFlags);

335 EXPECT_EQ(unsigned(CERTDB_VALID_CA),

336 cert->os_cert_handle()->trust->objectSigningFlags);

337 }

338

339 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {

340 CertificateList certs = CreateCertificateListFromFile(

341 GetTestCertsDirectory(), "root_ca_cert.pem",

342 X509Certificate::FORMAT_AUTO);

343 ASSERT_EQ(1U, certs.size());

344 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);

345

346 // Import it.

347 NSSCertDatabase::ImportCertFailureList failed;

348 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN,

349 &failed));

350

351 EXPECT_EQ(0U, failed.size());

352

353 CertificateList cert_list = ListCerts();

354 ASSERT_EQ(1U, cert_list.size());

355 scoped_refptr<X509Certificate> cert(cert_list[0]);

356 EXPECT_EQ("Test Root CA", cert->subject().common_name);

357

358 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN,

359 cert_db_->GetCertTrust(cert.get(), CA_CERT));

360

361 EXPECT_EQ(unsigned(CERTDB_VALID_CA),

362 cert->os_cert_handle()->trust->sslFlags);

363 EXPECT_EQ(unsigned(CERTDB_VALID_CA),

364 cert->os_cert_handle()->trust->emailFlags);

365 EXPECT_EQ(unsigned(CERTDB_VALID_CA \| CERTDB_TRUSTED_CA \|

366 CERTDB_TRUSTED_CLIENT_CA),

367 cert->os_cert_handle()->trust->objectSigningFlags);

368 }

369

370 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {

371 CertificateList certs = CreateCertificateListFromFile(

372 GetTestCertsDirectory(), "ok_cert.pem",

373 X509Certificate::FORMAT_AUTO);

374 ASSERT_EQ(1U, certs.size());

375 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);

376

377 // Import it.

378 NSSCertDatabase::ImportCertFailureList failed;

379 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,

380 &failed));

381 ASSERT_EQ(1U, failed.size());

382 // Note: this compares pointers directly. It's okay in this case because

383 // ImportCACerts returns the same pointers that were passed in. In the

384 // general case IsSameOSCert should be used.

385 EXPECT_EQ(certs[0], failed[0].certificate);

386 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error);

387

388 EXPECT_EQ(0U, ListCerts().size());

389 }

390

391 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) {

392 CertificateList certs;

393 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));

394 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));

395 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));

396

397 // Import it.

398 NSSCertDatabase::ImportCertFailureList failed;

399 // Have to specify email trust for the cert verification of the child cert to

400 // work (see

401 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#7 52

402 // "XXX This choice of trustType seems arbitrary.")

403 EXPECT_TRUE(cert_db_->ImportCACerts(

404 certs, NSSCertDatabase::TRUSTED_SSL \| NSSCertDatabase::TRUSTED_EMAIL,

405 &failed));

406

407 ASSERT_EQ(2U, failed.size());

408 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);

409 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.

410 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name);

411 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error);

412

413 CertificateList cert_list = ListCerts();

414 ASSERT_EQ(1U, cert_list.size());

415 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);

416 }

417

418 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) {

419 CertificateList certs;

420 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));

421

422 // First import just the root.

423 NSSCertDatabase::ImportCertFailureList failed;

424 EXPECT_TRUE(cert_db_->ImportCACerts(

425 certs, NSSCertDatabase::TRUSTED_SSL \| NSSCertDatabase::TRUSTED_EMAIL,

426 &failed));

427

428 EXPECT_EQ(0U, failed.size());

429 CertificateList cert_list = ListCerts();

430 ASSERT_EQ(1U, cert_list.size());

431 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);

432

433 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));

434 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));

435

436 // Now import with the other certs in the list too. Even though the root is

437 // already present, we should still import the rest.

438 failed.clear();

439 EXPECT_TRUE(cert_db_->ImportCACerts(

440 certs, NSSCertDatabase::TRUSTED_SSL \| NSSCertDatabase::TRUSTED_EMAIL,

441 &failed));

442

443 ASSERT_EQ(3U, failed.size());

444 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name);

445 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error);

446 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);

447 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.

448 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name);

449 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error);

450

451 cert_list = ListCerts();

452 ASSERT_EQ(1U, cert_list.size());

453 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);

454 }

455

456 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {

457 CertificateList certs;

458 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));

459 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));

460

461 // Import it.

462 NSSCertDatabase::ImportCertFailureList failed;

463 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT,

464 &failed));

465

466 ASSERT_EQ(1U, failed.size());

467 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);

468 // TODO(mattm): should check for net error equivalent of

469 // SEC_ERROR_UNTRUSTED_ISSUER

470 EXPECT_EQ(ERR_FAILED, failed[0].net_error);

471

472 CertificateList cert_list = ListCerts();

473 ASSERT_EQ(1U, cert_list.size());

474 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);

475 }

476

477 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) {

478 CertificateList certs;

479 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));

480 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));

481 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));

482

483 // Import it.

484 NSSCertDatabase::ImportCertFailureList failed;

485 EXPECT_TRUE(cert_db_->ImportCACerts(

486 certs, NSSCertDatabase::TRUSTED_SSL \| NSSCertDatabase::TRUSTED_EMAIL,

487 &failed));

488

489 EXPECT_EQ(2U, failed.size());

490 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);

491 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.

492 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);

493 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.

494

495 CertificateList cert_list = ListCerts();

496 ASSERT_EQ(1U, cert_list.size());

497 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);

498 }

499

500 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {

501 CertificateList certs = CreateCertificateListFromFile(

502 GetTestCertsDirectory(), "root_ca_cert.pem",

503 X509Certificate::FORMAT_AUTO);

504 ASSERT_EQ(1U, certs.size());

505 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));

506 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));

507

508 // Import it.

509 NSSCertDatabase::ImportCertFailureList failed;

510 EXPECT_TRUE(cert_db_->ImportCACerts(

511 certs, NSSCertDatabase::TRUSTED_SSL \| NSSCertDatabase::TRUSTED_EMAIL \|

512 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed));

513

514 ASSERT_EQ(2U, failed.size());

515 // TODO(mattm): should check for net error equivalent of

516 // SEC_ERROR_UNKNOWN_ISSUER

517 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);

518 EXPECT_EQ(ERR_FAILED, failed[0].net_error);

519 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);

520 EXPECT_EQ(ERR_FAILED, failed[1].net_error);

521

522 CertificateList cert_list = ListCerts();

523 ASSERT_EQ(1U, cert_list.size());

524 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name);

525 }

526

527 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired

528 // certificate.

529 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {

530 // Need to import intermediate cert for the verify of google cert, otherwise

531 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which

532 // will cause OCSPCreateSession on the main thread, which is not allowed.

533 CertificateList certs = CreateCertificateListFromFile(

534 GetTestCertsDirectory(), "google.chain.pem",

535 X509Certificate::FORMAT_AUTO);

536 ASSERT_EQ(2U, certs.size());

537

538 NSSCertDatabase::ImportCertFailureList failed;

539 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,

540 &failed));

541

542 EXPECT_EQ(0U, failed.size());

543

544 CertificateList cert_list = ListCerts();

545 ASSERT_EQ(2U, cert_list.size());

546 scoped_refptr<X509Certificate> goog_cert(cert_list[0]);

547 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);

548 EXPECT_EQ("www.google.com", goog_cert->subject().common_name);

549 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);

550

551 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,

552 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT));

553

554 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags);

555

556 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());

557 int flags = 0;

558 CertVerifyResult verify_result;

559 int error = verify_proc->Verify(goog_cert.get(),

560 "www.google.com",

561 flags,

562 NULL,

563 empty_cert_list_,

564 &verify_result);

565 EXPECT_EQ(OK, error);

566 EXPECT_EQ(0U, verify_result.cert_status);

567 }

568

569 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {

570 CertificateList certs;

571 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs));

572

573 NSSCertDatabase::ImportCertFailureList failed;

574 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,

575 &failed));

576

577 EXPECT_EQ(0U, failed.size());

578

579 CertificateList cert_list = ListCerts();

580 ASSERT_EQ(1U, cert_list.size());

581 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);

582

583 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,

584 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));

585 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags);

586

587 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());

588 int flags = 0;

589 CertVerifyResult verify_result;

590 int error = verify_proc->Verify(puny_cert.get(),

591 "xn--wgv71a119e.com",

592 flags,

593 NULL,

594 empty_cert_list_,

595 &verify_result);

596 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);

597 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);

598 }

599

600 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {

601 CertificateList certs;

602 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs));

603

604 NSSCertDatabase::ImportCertFailureList failed;

605 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL,

606 &failed));

607

608 EXPECT_EQ(0U, failed.size());

609

610 CertificateList cert_list = ListCerts();

611 ASSERT_EQ(1U, cert_list.size());

612 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);

613

614 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,

615 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));

616 EXPECT_EQ(unsigned(CERTDB_TRUSTED \| CERTDB_TERMINAL_RECORD),

617 puny_cert->os_cert_handle()->trust->sslFlags);

618

619 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());

620 int flags = 0;

621 CertVerifyResult verify_result;

622 int error = verify_proc->Verify(puny_cert.get(),

623 "xn--wgv71a119e.com",

624 flags,

625 NULL,

626 empty_cert_list_,

627 &verify_result);

628 EXPECT_EQ(OK, error);

629 EXPECT_EQ(0U, verify_result.cert_status);

630 }

631

632 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {

633 CertificateList ca_certs = CreateCertificateListFromFile(

634 GetTestCertsDirectory(), "root_ca_cert.pem",

635 X509Certificate::FORMAT_AUTO);

636 ASSERT_EQ(1U, ca_certs.size());

637

638 // Import CA cert and trust it.

639 NSSCertDatabase::ImportCertFailureList failed;

640 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,

641 &failed));

642 EXPECT_EQ(0U, failed.size());

643

644 CertificateList certs = CreateCertificateListFromFile(

645 GetTestCertsDirectory(), "ok_cert.pem",

646 X509Certificate::FORMAT_AUTO);

647 ASSERT_EQ(1U, certs.size());

648

649 // Import server cert with default trust.

650 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,

651 &failed));

652 EXPECT_EQ(0U, failed.size());

653

654 // Server cert should verify.

655 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());

656 int flags = 0;

657 CertVerifyResult verify_result;

658 int error = verify_proc->Verify(certs[0].get(),

659 "127.0.0.1",

660 flags,

661 NULL,

662 empty_cert_list_,

663 &verify_result);

664 EXPECT_EQ(OK, error);

665 EXPECT_EQ(0U, verify_result.cert_status);

666 }

667

668 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {

669 CertificateList ca_certs = CreateCertificateListFromFile(

670 GetTestCertsDirectory(), "root_ca_cert.pem",

671 X509Certificate::FORMAT_AUTO);

672 ASSERT_EQ(1U, ca_certs.size());

673

674 // Import CA cert and trust it.

675 NSSCertDatabase::ImportCertFailureList failed;

676 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,

677 &failed));

678 EXPECT_EQ(0U, failed.size());

679

680 CertificateList certs = CreateCertificateListFromFile(

681 GetTestCertsDirectory(), "ok_cert.pem",

682 X509Certificate::FORMAT_AUTO);

683 ASSERT_EQ(1U, certs.size());

684

685 // Import server cert without inheriting trust from issuer (explicit

686 // distrust).

687 EXPECT_TRUE(cert_db_->ImportServerCert(

688 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));

689 EXPECT_EQ(0U, failed.size());

690 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL,

691 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));

692

693 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),

694 certs[0]->os_cert_handle()->trust->sslFlags);

695

696 // Server cert should fail to verify.

697 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());

698 int flags = 0;

699 CertVerifyResult verify_result;

700 int error = verify_proc->Verify(certs[0].get(),

701 "127.0.0.1",

702 flags,

703 NULL,

704 empty_cert_list_,

705 &verify_result);

706 EXPECT_EQ(ERR_CERT_REVOKED, error);

707 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);

708 }

709

710 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {

711 CertificateList ca_certs = CreateCertificateListFromFile(

712 GetTestCertsDirectory(), "2048-rsa-root.pem",

713 X509Certificate::FORMAT_AUTO);

714 ASSERT_EQ(1U, ca_certs.size());

715

716 // Import Root CA cert and distrust it.

717 NSSCertDatabase::ImportCertFailureList failed;

718 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL,

719 &failed));

720 EXPECT_EQ(0U, failed.size());

721

722 CertificateList intermediate_certs = CreateCertificateListFromFile(

723 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",

724 X509Certificate::FORMAT_AUTO);

725 ASSERT_EQ(1U, intermediate_certs.size());

726

727 // Import Intermediate CA cert and trust it.

728 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,

729 NSSCertDatabase::TRUSTED_SSL, &failed));

730 EXPECT_EQ(0U, failed.size());

731

732 CertificateList certs = CreateCertificateListFromFile(

733 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",

734 X509Certificate::FORMAT_AUTO);

735 ASSERT_EQ(1U, certs.size());

736

737 // Import server cert with default trust.

738 EXPECT_TRUE(cert_db_->ImportServerCert(

739 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));

740 EXPECT_EQ(0U, failed.size());

741 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,

742 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));

743

744 // Server cert should verify.

745 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());

746 int flags = 0;

747 CertVerifyResult verify_result;

748 int error = verify_proc->Verify(certs[0].get(),

749 "127.0.0.1",

750 flags,

751 NULL,

752 empty_cert_list_,

753 &verify_result);

754 EXPECT_EQ(OK, error);

755 EXPECT_EQ(0U, verify_result.cert_status);

756

757 // Trust the root cert and distrust the intermediate.

758 EXPECT_TRUE(cert_db_->SetCertTrust(

759 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL));

760 EXPECT_TRUE(cert_db_->SetCertTrust(

761 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL));

762 EXPECT_EQ(

763 unsigned(CERTDB_VALID_CA \| CERTDB_TRUSTED_CA \| CERTDB_TRUSTED_CLIENT_CA),

764 ca_certs[0]->os_cert_handle()->trust->sslFlags);

765 EXPECT_EQ(unsigned(CERTDB_VALID_CA),

766 ca_certs[0]->os_cert_handle()->trust->emailFlags);

767 EXPECT_EQ(unsigned(CERTDB_VALID_CA),

768 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags);

769 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),

770 intermediate_certs[0]->os_cert_handle()->trust->sslFlags);

771 EXPECT_EQ(unsigned(CERTDB_VALID_CA),

772 intermediate_certs[0]->os_cert_handle()->trust->emailFlags);

773 EXPECT_EQ(

774 unsigned(CERTDB_VALID_CA),

775 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags);

776

777 // Server cert should fail to verify.

778 CertVerifyResult verify_result2;

779 error = verify_proc->Verify(certs[0].get(),

780 "127.0.0.1",

781 flags,

782 NULL,

783 empty_cert_list_,

784 &verify_result2);

785 EXPECT_EQ(ERR_CERT_REVOKED, error);

786 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status);

787 }

788

789 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) {

790 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {

791 // See http://bugzil.la/863947 for details.

792 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";

793 return;

794 }

795

796 NSSCertDatabase::ImportCertFailureList failed;

797

798 CertificateList intermediate_certs = CreateCertificateListFromFile(

799 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",

800 X509Certificate::FORMAT_AUTO);

801 ASSERT_EQ(1U, intermediate_certs.size());

802

803 // Import Intermediate CA cert and trust it.

804 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,

805 NSSCertDatabase::TRUSTED_SSL, &failed));

806 EXPECT_EQ(0U, failed.size());

807

808 CertificateList certs = CreateCertificateListFromFile(

809 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",

810 X509Certificate::FORMAT_AUTO);

811 ASSERT_EQ(1U, certs.size());

812

813 // Import server cert with default trust.

814 EXPECT_TRUE(cert_db_->ImportServerCert(

815 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));

816 EXPECT_EQ(0U, failed.size());

817 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,

818 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));

819

820 // Server cert should verify.

821 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());

822 int flags = 0;

823 CertVerifyResult verify_result;

824 int error = verify_proc->Verify(certs[0].get(),

825 "127.0.0.1",

826 flags,

827 NULL,

828 empty_cert_list_,

829 &verify_result);

830 EXPECT_EQ(OK, error);

831 EXPECT_EQ(0U, verify_result.cert_status);

832

833 // Without explicit trust of the intermediate, verification should fail.

834 EXPECT_TRUE(cert_db_->SetCertTrust(

835 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));

836

837 // Server cert should fail to verify.

838 CertVerifyResult verify_result2;

839 error = verify_proc->Verify(certs[0].get(),

840 "127.0.0.1",

841 flags,

842 NULL,

843 empty_cert_list_,

844 &verify_result2);

845 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);

846 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);

847 }

848

849 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) {

850 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {

851 // See http://bugzil.la/863947 for details.

852 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";

853 return;

854 }

855

856 NSSCertDatabase::ImportCertFailureList failed;

857

858 CertificateList ca_certs = CreateCertificateListFromFile(

859 GetTestCertsDirectory(), "2048-rsa-root.pem",

860 X509Certificate::FORMAT_AUTO);

861 ASSERT_EQ(1U, ca_certs.size());

862

863 // Import Root CA cert and default trust it.

864 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT,

865 &failed));

866 EXPECT_EQ(0U, failed.size());

867

868 CertificateList intermediate_certs = CreateCertificateListFromFile(

869 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",

870 X509Certificate::FORMAT_AUTO);

871 ASSERT_EQ(1U, intermediate_certs.size());

872

873 // Import Intermediate CA cert and trust it.

874 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,

875 NSSCertDatabase::TRUSTED_SSL, &failed));

876 EXPECT_EQ(0U, failed.size());

877

878 CertificateList certs = CreateCertificateListFromFile(

879 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",

880 X509Certificate::FORMAT_AUTO);

881 ASSERT_EQ(1U, certs.size());

882

883 // Import server cert with default trust.

884 EXPECT_TRUE(cert_db_->ImportServerCert(

885 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));

886 EXPECT_EQ(0U, failed.size());

887 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,

888 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));

889

890 // Server cert should verify.

891 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());

892 int flags = 0;

893 CertVerifyResult verify_result;

894 int error = verify_proc->Verify(certs[0].get(),

895 "127.0.0.1",

896 flags,

897 NULL,

898 empty_cert_list_,

899 &verify_result);

900 EXPECT_EQ(OK, error);

901 EXPECT_EQ(0U, verify_result.cert_status);

902

903 // Without explicit trust of the intermediate, verification should fail.

904 EXPECT_TRUE(cert_db_->SetCertTrust(

905 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));

906

907 // Server cert should fail to verify.

908 CertVerifyResult verify_result2;

909 error = verify_proc->Verify(certs[0].get(),

910 "127.0.0.1",

911 flags,

912 NULL,

913 empty_cert_list_,

914 &verify_result2);

915 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);

916 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);

917 }

918

919 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {

920 NSSCertDatabase::ImportCertFailureList failed;

921

922 CertificateList ca_certs = CreateCertificateListFromFile(

923 GetTestCertsDirectory(), "2048-rsa-root.pem",

924 X509Certificate::FORMAT_AUTO);

925 ASSERT_EQ(1U, ca_certs.size());

926

927 // Import Root CA cert and trust it.

928 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,

929 &failed));

930 EXPECT_EQ(0U, failed.size());

931

932 CertificateList intermediate_certs = CreateCertificateListFromFile(

933 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",

934 X509Certificate::FORMAT_AUTO);

935 ASSERT_EQ(1U, intermediate_certs.size());

936

937 // Import Intermediate CA cert and distrust it.

938 EXPECT_TRUE(cert_db_->ImportCACerts(

939 intermediate_certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));

940 EXPECT_EQ(0U, failed.size());

941

942 CertificateList certs = CreateCertificateListFromFile(

943 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",

944 X509Certificate::FORMAT_AUTO);

945 ASSERT_EQ(1U, certs.size());

946

947 // Import server cert with default trust.

948 EXPECT_TRUE(cert_db_->ImportServerCert(

949 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));

950 EXPECT_EQ(0U, failed.size());

951 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,

952 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));

953

954 // Server cert should not verify.

955 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());

956 int flags = 0;

957 CertVerifyResult verify_result;

958 int error = verify_proc->Verify(certs[0].get(),

959 "127.0.0.1",

960 flags,

961 NULL,

962 empty_cert_list_,

963 &verify_result);

964 EXPECT_EQ(ERR_CERT_REVOKED, error);

965 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);

966

967 // Without explicit distrust of the intermediate, verification should succeed.

968 EXPECT_TRUE(cert_db_->SetCertTrust(

969 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));

970

971 // Server cert should verify.

972 CertVerifyResult verify_result2;

973 error = verify_proc->Verify(certs[0].get(),

974 "127.0.0.1",

975 flags,

976 NULL,

977 empty_cert_list_,

978 &verify_result2);

979 EXPECT_EQ(OK, error);

980 EXPECT_EQ(0U, verify_result2.cert_status);

981 }

982

983 // Importing two certificates with the same issuer and subject common name,

984 // but overall distinct subject names, should succeed and generate a unique

985 // nickname for the second certificate.

986 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {

987 CertificateList certs =

988 CreateCertificateListFromFile(GetTestCertsDirectory(),

989 "duplicate_cn_1.pem",

990 X509Certificate::FORMAT_AUTO);

991 ASSERT_EQ(1U, certs.size());

992

993 EXPECT_EQ(0U, ListCerts().size());

994

995 // Import server cert with default trust.

996 NSSCertDatabase::ImportCertFailureList failed;

997 EXPECT_TRUE(cert_db_->ImportServerCert(

998 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));

999 EXPECT_EQ(0U, failed.size());

1000 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,

1001 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));

1002

1003 CertificateList new_certs = ListCerts();

1004 ASSERT_EQ(1U, new_certs.size());

1005

1006 // Now attempt to import a different certificate with the same common name.

1007 CertificateList certs2 =

1008 CreateCertificateListFromFile(GetTestCertsDirectory(),

1009 "duplicate_cn_2.pem",

1010 X509Certificate::FORMAT_AUTO);

1011 ASSERT_EQ(1U, certs2.size());

1012

1013 // Import server cert with default trust.

1014 EXPECT_TRUE(cert_db_->ImportServerCert(

1015 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed));

1016 EXPECT_EQ(0U, failed.size());

1017 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,

1018 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT));

1019

1020 new_certs = ListCerts();

1021 ASSERT_EQ(2U, new_certs.size());

1022 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname,

1023 new_certs[1]->os_cert_handle()->nickname);

1024 }

1025

1026 } // namespace net

OLD	NEW

« no previous file with comments | « net/cert/nss_cert_database_chromeos_unittest.cc ('k') | net/cert/nss_profile_filter_chromeos.h » ('j') | no next file with comments »