| Index: net/base/cert_database_nss_unittest.cc
|
| diff --git a/net/base/cert_database_nss_unittest.cc b/net/base/cert_database_nss_unittest.cc
|
| index 75ea641e1235a3ae56424ff6d43ee6204d6680c1..c43150340cb413e1ca74b3b83905e32d44692dcd 100644
|
| --- a/net/base/cert_database_nss_unittest.cc
|
| +++ b/net/base/cert_database_nss_unittest.cc
|
| @@ -3,6 +3,7 @@
|
| // found in the LICENSE file.
|
|
|
| #include <cert.h>
|
| +#include <certdb.h>
|
| #include <pk11pub.h>
|
|
|
| #include <algorithm>
|
| @@ -26,11 +27,14 @@
|
| #include "net/base/crypto_module.h"
|
| #include "net/base/net_errors.h"
|
| #include "net/base/x509_certificate.h"
|
| -#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
|
| #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
|
| #include "testing/gtest/include/gtest/gtest.h"
|
|
|
| -namespace psm = mozilla_security_manager;
|
| +// In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
|
| +// the new name of the macro.
|
| +#if !defined(CERTDB_TERMINAL_RECORD)
|
| +#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
|
| +#endif
|
|
|
| namespace net {
|
|
|
| @@ -275,12 +279,13 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
|
| EXPECT_EQ(CertDatabase::TRUSTED_SSL,
|
| cert_db_.GetCertTrust(cert.get(), CA_CERT));
|
|
|
| - psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust);
|
| - EXPECT_TRUE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE));
|
| - EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE));
|
| - EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE));
|
| - EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_TRUE, PR_TRUE));
|
| - EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE));
|
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
|
| + CERTDB_TRUSTED_CLIENT_CA),
|
| + cert->os_cert_handle()->trust->sslFlags);
|
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA),
|
| + cert->os_cert_handle()->trust->emailFlags);
|
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA),
|
| + cert->os_cert_handle()->trust->objectSigningFlags);
|
| }
|
|
|
| TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
|
| @@ -305,11 +310,13 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
|
| EXPECT_EQ(CertDatabase::TRUSTED_EMAIL,
|
| cert_db_.GetCertTrust(cert.get(), CA_CERT));
|
|
|
| - psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust);
|
| - EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE));
|
| - EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE));
|
| - EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE));
|
| - EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE));
|
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA),
|
| + cert->os_cert_handle()->trust->sslFlags);
|
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
|
| + CERTDB_TRUSTED_CLIENT_CA),
|
| + cert->os_cert_handle()->trust->emailFlags);
|
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA),
|
| + cert->os_cert_handle()->trust->objectSigningFlags);
|
| }
|
|
|
| TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
|
| @@ -334,11 +341,13 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
|
| EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN,
|
| cert_db_.GetCertTrust(cert.get(), CA_CERT));
|
|
|
| - psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust);
|
| - EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE));
|
| - EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE));
|
| - EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE));
|
| - EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE));
|
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA),
|
| + cert->os_cert_handle()->trust->sslFlags);
|
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA),
|
| + cert->os_cert_handle()->trust->emailFlags);
|
| + EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
|
| + CERTDB_TRUSTED_CLIENT_CA),
|
| + cert->os_cert_handle()->trust->objectSigningFlags);
|
| }
|
|
|
| TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
|
| @@ -432,7 +441,8 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {
|
|
|
| // Import it.
|
| CertDatabase::ImportCertFailureList failed;
|
| - EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::UNTRUSTED, &failed));
|
| + EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUST_DEFAULT,
|
| + &failed));
|
|
|
| ASSERT_EQ(1U, failed.size());
|
| EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
|
| @@ -510,7 +520,8 @@ TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
|
| ASSERT_EQ(2U, certs.size());
|
|
|
| CertDatabase::ImportCertFailureList failed;
|
| - EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed));
|
| + EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT,
|
| + &failed));
|
|
|
| EXPECT_EQ(0U, failed.size());
|
|
|
| @@ -521,10 +532,12 @@ TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
|
| EXPECT_EQ("www.google.com", goog_cert->subject().common_name);
|
| EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);
|
|
|
| - EXPECT_EQ(CertDatabase::UNTRUSTED,
|
| + EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
|
| cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT));
|
| - psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust);
|
| - EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE));
|
| +
|
| + EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags);
|
| + EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->emailFlags);
|
| + EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->objectSigningFlags);
|
|
|
| scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
|
| int flags = 0;
|
| @@ -540,7 +553,8 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
|
| ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
|
|
|
| CertDatabase::ImportCertFailureList failed;
|
| - EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed));
|
| + EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT,
|
| + &failed));
|
|
|
| EXPECT_EQ(0U, failed.size());
|
|
|
| @@ -548,10 +562,11 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
|
| ASSERT_EQ(1U, cert_list.size());
|
| scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
|
|
|
| - EXPECT_EQ(CertDatabase::UNTRUSTED,
|
| + EXPECT_EQ(CertDatabase::TRUST_DEFAULT,
|
| cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT));
|
| - psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust);
|
| - EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE));
|
| + EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags);
|
| + EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->emailFlags);
|
| + EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->objectSigningFlags);
|
|
|
| scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
|
| int flags = 0;
|
| @@ -574,4 +589,121 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
|
| EXPECT_EQ(0U, verify_result.cert_status);
|
| }
|
|
|
| +TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
|
| + // When using CERT_PKIXVerifyCert (which we do), server trust only works from
|
| + // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364.
|
| + if (!NSS_VersionCheck("3.13.4")) {
|
| + LOG(INFO) << "test skipped on NSS < 3.13.4";
|
| + return;
|
| + }
|
| +
|
| + CertificateList certs;
|
| + ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
|
| +
|
| + CertDatabase::ImportCertFailureList failed;
|
| + EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUSTED_SSL,
|
| + &failed));
|
| +
|
| + EXPECT_EQ(0U, failed.size());
|
| +
|
| + CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
|
| + ASSERT_EQ(1U, cert_list.size());
|
| + scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
|
| +
|
| + EXPECT_EQ(CertDatabase::TRUSTED_SSL,
|
| + cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT));
|
| + EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD),
|
| + puny_cert->os_cert_handle()->trust->sslFlags);
|
| + EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->emailFlags);
|
| + EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->objectSigningFlags);
|
| +
|
| + scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
|
| + int flags = 0;
|
| + CertVerifyResult verify_result;
|
| + int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags,
|
| + NULL, &verify_result);
|
| + EXPECT_EQ(OK, error);
|
| + EXPECT_EQ(0U, verify_result.cert_status);
|
| +}
|
| +
|
| +TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
|
| + CertificateList ca_certs = CreateCertificateListFromFile(
|
| + GetTestCertsDirectory(), "root_ca_cert.crt",
|
| + X509Certificate::FORMAT_AUTO);
|
| + ASSERT_EQ(1U, ca_certs.size());
|
| +
|
| + // Import CA cert and trust it.
|
| + CertDatabase::ImportCertFailureList failed;
|
| + EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL,
|
| + &failed));
|
| + EXPECT_EQ(0U, failed.size());
|
| +
|
| + CertificateList certs = CreateCertificateListFromFile(
|
| + GetTestCertsDirectory(), "ok_cert.pem",
|
| + X509Certificate::FORMAT_AUTO);
|
| + ASSERT_EQ(1U, certs.size());
|
| +
|
| + // Import server cert with default trust.
|
| + EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT,
|
| + &failed));
|
| + EXPECT_EQ(0U, failed.size());
|
| +
|
| + // Server cert should verify.
|
| + scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
|
| + int flags = 0;
|
| + CertVerifyResult verify_result;
|
| + int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
|
| + NULL, &verify_result);
|
| + EXPECT_EQ(OK, error);
|
| + EXPECT_EQ(0U, verify_result.cert_status);
|
| +}
|
| +
|
| +TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
|
| + // Explicit distrust only works starting in NSS 3.13.
|
| + if (!NSS_VersionCheck("3.13")) {
|
| + LOG(INFO) << "test skipped on NSS < 3.13";
|
| + return;
|
| + }
|
| +
|
| + CertificateList ca_certs = CreateCertificateListFromFile(
|
| + GetTestCertsDirectory(), "root_ca_cert.crt",
|
| + X509Certificate::FORMAT_AUTO);
|
| + ASSERT_EQ(1U, ca_certs.size());
|
| +
|
| + // Import CA cert and trust it.
|
| + CertDatabase::ImportCertFailureList failed;
|
| + EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL,
|
| + &failed));
|
| + EXPECT_EQ(0U, failed.size());
|
| +
|
| + CertificateList certs = CreateCertificateListFromFile(
|
| + GetTestCertsDirectory(), "ok_cert.pem",
|
| + X509Certificate::FORMAT_AUTO);
|
| + ASSERT_EQ(1U, certs.size());
|
| +
|
| + // Import server cert without inheriting trust from issuer (explicit
|
| + // distrust).
|
| + EXPECT_TRUE(cert_db_.ImportServerCert(
|
| + certs, CertDatabase::DISTRUSTED_SSL, &failed));
|
| + EXPECT_EQ(0U, failed.size());
|
| + EXPECT_EQ(CertDatabase::DISTRUSTED_SSL,
|
| + cert_db_.GetCertTrust(certs[0], SERVER_CERT));
|
| +
|
| + EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
|
| + certs[0]->os_cert_handle()->trust->sslFlags);
|
| + EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
|
| + certs[0]->os_cert_handle()->trust->emailFlags);
|
| + EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
|
| + certs[0]->os_cert_handle()->trust->objectSigningFlags);
|
| +
|
| + // Server cert should fail to verify.
|
| + scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
|
| + int flags = 0;
|
| + CertVerifyResult verify_result;
|
| + int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
|
| + NULL, &verify_result);
|
| + EXPECT_EQ(ERR_CERT_REVOKED, error);
|
| + EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
|
| +}
|
| +
|
| } // namespace net
|
|
|
Chromium Code Reviews
Issue 9940001:
Fix imported server certs being distrusted in NSS 3.13. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src