| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "base/files/file_path.h" | |
| 6 #include "build/build_config.h" | |
| 7 #include "net/base/net_errors.h" | |
| 8 #include "net/base/test_data_directory.h" | |
| 9 #include "net/cert/cert_status_flags.h" | |
| 10 #include "net/cert/cert_verify_proc.h" | |
| 11 #include "net/cert/cert_verify_result.h" | |
| 12 #include "net/cert/test_root_certs.h" | |
| 13 #include "net/cert/x509_certificate.h" | |
| 14 #include "net/test/cert_test_util.h" | |
| 15 #include "testing/gtest/include/gtest/gtest.h" | |
| 16 | |
| 17 #if defined(USE_NSS) || defined(OS_IOS) | |
| 18 #include <nss.h> | |
| 19 #endif | |
| 20 | |
| 21 namespace net { | |
| 22 | |
| 23 namespace { | |
| 24 | |
| 25 // The local test root certificate. | |
| 26 const char kRootCertificateFile[] = "root_ca_cert.pem"; | |
| 27 // A certificate issued by the local test root for 127.0.0.1. | |
| 28 const char kGoodCertificateFile[] = "ok_cert.pem"; | |
| 29 | |
| 30 } // namespace | |
| 31 | |
| 32 // Test basic functionality when adding from an existing X509Certificate. | |
| 33 TEST(TestRootCertsTest, AddFromPointer) { | |
| 34 scoped_refptr<X509Certificate> root_cert = | |
| 35 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile); | |
| 36 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); | |
| 37 | |
| 38 TestRootCerts* test_roots = TestRootCerts::GetInstance(); | |
| 39 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); | |
| 40 EXPECT_TRUE(test_roots->IsEmpty()); | |
| 41 | |
| 42 EXPECT_TRUE(test_roots->Add(root_cert.get())); | |
| 43 EXPECT_FALSE(test_roots->IsEmpty()); | |
| 44 | |
| 45 test_roots->Clear(); | |
| 46 EXPECT_TRUE(test_roots->IsEmpty()); | |
| 47 } | |
| 48 | |
| 49 // Test basic functionality when adding directly from a file, which should | |
| 50 // behave the same as when adding from an existing certificate. | |
| 51 TEST(TestRootCertsTest, AddFromFile) { | |
| 52 TestRootCerts* test_roots = TestRootCerts::GetInstance(); | |
| 53 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); | |
| 54 EXPECT_TRUE(test_roots->IsEmpty()); | |
| 55 | |
| 56 base::FilePath cert_path = | |
| 57 GetTestCertsDirectory().AppendASCII(kRootCertificateFile); | |
| 58 EXPECT_TRUE(test_roots->AddFromFile(cert_path)); | |
| 59 EXPECT_FALSE(test_roots->IsEmpty()); | |
| 60 | |
| 61 test_roots->Clear(); | |
| 62 EXPECT_TRUE(test_roots->IsEmpty()); | |
| 63 } | |
| 64 | |
| 65 // Test that TestRootCerts actually adds the appropriate trust status flags | |
| 66 // when requested, and that the trusted status is cleared once the root is | |
| 67 // removed the TestRootCerts. This test acts as a canary/sanity check for | |
| 68 // the results of the rest of net_unittests, ensuring that the trust status | |
| 69 // is properly being set and cleared. | |
| 70 TEST(TestRootCertsTest, OverrideTrust) { | |
| 71 #if defined(USE_NSS) || defined(OS_IOS) | |
| 72 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { | |
| 73 // See http://bugzil.la/863947 for details | |
| 74 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; | |
| 75 return; | |
| 76 } | |
| 77 #endif | |
| 78 | |
| 79 TestRootCerts* test_roots = TestRootCerts::GetInstance(); | |
| 80 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); | |
| 81 EXPECT_TRUE(test_roots->IsEmpty()); | |
| 82 | |
| 83 scoped_refptr<X509Certificate> test_cert = | |
| 84 ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile); | |
| 85 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert.get()); | |
| 86 | |
| 87 // Test that the good certificate fails verification, because the root | |
| 88 // certificate should not yet be trusted. | |
| 89 int flags = 0; | |
| 90 CertVerifyResult bad_verify_result; | |
| 91 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | |
| 92 int bad_status = verify_proc->Verify(test_cert.get(), | |
| 93 "127.0.0.1", | |
| 94 flags, | |
| 95 NULL, | |
| 96 CertificateList(), | |
| 97 &bad_verify_result); | |
| 98 EXPECT_NE(OK, bad_status); | |
| 99 EXPECT_NE(0u, bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); | |
| 100 | |
| 101 // Add the root certificate and mark it as trusted. | |
| 102 EXPECT_TRUE(test_roots->AddFromFile( | |
| 103 GetTestCertsDirectory().AppendASCII(kRootCertificateFile))); | |
| 104 EXPECT_FALSE(test_roots->IsEmpty()); | |
| 105 | |
| 106 // Test that the certificate verification now succeeds, because the | |
| 107 // TestRootCerts is successfully imbuing trust. | |
| 108 CertVerifyResult good_verify_result; | |
| 109 int good_status = verify_proc->Verify(test_cert.get(), | |
| 110 "127.0.0.1", | |
| 111 flags, | |
| 112 NULL, | |
| 113 CertificateList(), | |
| 114 &good_verify_result); | |
| 115 EXPECT_EQ(OK, good_status); | |
| 116 EXPECT_EQ(0u, good_verify_result.cert_status); | |
| 117 | |
| 118 test_roots->Clear(); | |
| 119 EXPECT_TRUE(test_roots->IsEmpty()); | |
| 120 | |
| 121 // Ensure that when the TestRootCerts is cleared, the trust settings | |
| 122 // revert to their original state, and don't linger. If trust status | |
| 123 // lingers, it will likely break other tests in net_unittests. | |
| 124 CertVerifyResult restored_verify_result; | |
| 125 int restored_status = verify_proc->Verify(test_cert.get(), | |
| 126 "127.0.0.1", | |
| 127 flags, | |
| 128 NULL, | |
| 129 CertificateList(), | |
| 130 &restored_verify_result); | |
| 131 EXPECT_NE(OK, restored_status); | |
| 132 EXPECT_NE(0u, | |
| 133 restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); | |
| 134 EXPECT_EQ(bad_status, restored_status); | |
| 135 EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status); | |
| 136 } | |
| 137 | |
| 138 #if defined(USE_NSS) || (defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)) | |
| 139 TEST(TestRootCertsTest, Contains) { | |
| 140 // Another test root certificate. | |
| 141 const char kRootCertificateFile2[] = "2048-rsa-root.pem"; | |
| 142 | |
| 143 TestRootCerts* test_roots = TestRootCerts::GetInstance(); | |
| 144 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); | |
| 145 | |
| 146 scoped_refptr<X509Certificate> root_cert_1 = | |
| 147 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile); | |
| 148 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_1.get()); | |
| 149 | |
| 150 scoped_refptr<X509Certificate> root_cert_2 = | |
| 151 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile2); | |
| 152 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_2.get()); | |
| 153 | |
| 154 EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle())); | |
| 155 EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle())); | |
| 156 | |
| 157 EXPECT_TRUE(test_roots->Add(root_cert_1.get())); | |
| 158 EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle())); | |
| 159 EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle())); | |
| 160 | |
| 161 EXPECT_TRUE(test_roots->Add(root_cert_2.get())); | |
| 162 EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle())); | |
| 163 EXPECT_TRUE(test_roots->Contains(root_cert_2->os_cert_handle())); | |
| 164 | |
| 165 test_roots->Clear(); | |
| 166 EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle())); | |
| 167 EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle())); | |
| 168 } | |
| 169 #endif | |
| 170 | |
| 171 // TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that | |
| 172 // TestRootCerts properly injects itself into the validation process. See | |
| 173 // http://crbug.com/63958 | |
| 174 | |
| 175 } // namespace net | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 992733002:
Remove //net (except for Android test stuff) and sdch (Closed)
Base URL: git@github.com:domokit/mojo.git@master