| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <cert.h> | 5 #include <cert.h> |
| 6 #include <certdb.h> |
| 6 #include <pk11pub.h> | 7 #include <pk11pub.h> |
| 7 | 8 |
| 8 #include <algorithm> | 9 #include <algorithm> |
| 9 | 10 |
| 10 #include "base/file_path.h" | 11 #include "base/file_path.h" |
| 11 #include "base/file_util.h" | 12 #include "base/file_util.h" |
| 12 #include "base/lazy_instance.h" | 13 #include "base/lazy_instance.h" |
| 13 #include "base/message_loop.h" | 14 #include "base/message_loop.h" |
| 14 #include "base/path_service.h" | 15 #include "base/path_service.h" |
| 15 #include "base/string16.h" | 16 #include "base/string16.h" |
| 16 #include "base/string_util.h" | 17 #include "base/string_util.h" |
| 17 #include "base/utf_string_conversions.h" | 18 #include "base/utf_string_conversions.h" |
| 18 #include "crypto/nss_util.h" | 19 #include "crypto/nss_util.h" |
| 19 #include "crypto/nss_util_internal.h" | 20 #include "crypto/nss_util_internal.h" |
| 20 #include "crypto/scoped_nss_types.h" | 21 #include "crypto/scoped_nss_types.h" |
| 21 #include "net/base/cert_database.h" | 22 #include "net/base/cert_database.h" |
| 22 #include "net/base/cert_status_flags.h" | 23 #include "net/base/cert_status_flags.h" |
| 23 #include "net/base/cert_test_util.h" | 24 #include "net/base/cert_test_util.h" |
| 24 #include "net/base/cert_verify_proc.h" | 25 #include "net/base/cert_verify_proc.h" |
| 25 #include "net/base/cert_verify_result.h" | 26 #include "net/base/cert_verify_result.h" |
| 26 #include "net/base/crypto_module.h" | 27 #include "net/base/crypto_module.h" |
| 27 #include "net/base/net_errors.h" | 28 #include "net/base/net_errors.h" |
| 28 #include "net/base/x509_certificate.h" | 29 #include "net/base/x509_certificate.h" |
| 29 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h" | |
| 30 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" | 30 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" |
| 31 #include "testing/gtest/include/gtest/gtest.h" | 31 #include "testing/gtest/include/gtest/gtest.h" |
| 32 | 32 |
| 33 namespace psm = mozilla_security_manager; | 33 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use |
| 34 // the new name of the macro. |
| 35 #if !defined(CERTDB_TERMINAL_RECORD) |
| 36 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER |
| 37 #endif |
| 34 | 38 |
| 35 namespace net { | 39 namespace net { |
| 36 | 40 |
| 37 // TODO(mattm): when https://bugzilla.mozilla.org/show_bug.cgi?id=588269 is | 41 // TODO(mattm): when https://bugzilla.mozilla.org/show_bug.cgi?id=588269 is |
| 38 // fixed, switch back to using a separate userdb for each test. | 42 // fixed, switch back to using a separate userdb for each test. |
| 39 // (When doing so, remember to add some standalone tests of DeleteCert since it | 43 // (When doing so, remember to add some standalone tests of DeleteCert since it |
| 40 // won't be tested by TearDown anymore.) | 44 // won't be tested by TearDown anymore.) |
| 41 class CertDatabaseNSSTest : public testing::Test { | 45 class CertDatabaseNSSTest : public testing::Test { |
| 42 public: | 46 public: |
| 43 static void SetUpTestCase() { | 47 static void SetUpTestCase() { |
| (...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 104 } | 108 } |
| 105 | 109 |
| 106 scoped_refptr<CryptoModule> slot_; | 110 scoped_refptr<CryptoModule> slot_; |
| 107 CertDatabase cert_db_; | 111 CertDatabase cert_db_; |
| 108 | 112 |
| 109 private: | 113 private: |
| 110 static bool CleanupSlotContents(PK11SlotInfo* slot) { | 114 static bool CleanupSlotContents(PK11SlotInfo* slot) { |
| 111 CertDatabase cert_db; | 115 CertDatabase cert_db; |
| 112 bool ok = true; | 116 bool ok = true; |
| 113 CertificateList certs = ListCertsInSlot(slot); | 117 CertificateList certs = ListCertsInSlot(slot); |
| 118 CERTCertTrust default_trust = {0}; |
| 114 for (size_t i = 0; i < certs.size(); ++i) { | 119 for (size_t i = 0; i < certs.size(); ++i) { |
| 120 // Reset cert trust values to defaults before deleting. Otherwise NSS |
| 121 // somehow seems to remember the trust which can break following tests. |
| 122 SECStatus srv = CERT_ChangeCertTrust( |
| 123 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); |
| 124 if (srv != SECSuccess) |
| 125 ok = false; |
| 126 |
| 115 if (!cert_db.DeleteCertAndKey(certs[i])) | 127 if (!cert_db.DeleteCertAndKey(certs[i])) |
| 116 ok = false; | 128 ok = false; |
| 117 } | 129 } |
| 118 return ok; | 130 return ok; |
| 119 } | 131 } |
| 120 }; | 132 }; |
| 121 | 133 |
| 122 TEST_F(CertDatabaseNSSTest, ListCerts) { | 134 TEST_F(CertDatabaseNSSTest, ListCerts) { |
| 123 // This test isn't terribly useful, though it will at least let valgrind test | 135 // This test isn't terribly useful, though it will at least let valgrind test |
| 124 // for leaks. | 136 // for leaks. |
| (...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 268 EXPECT_EQ(0U, failed.size()); | 280 EXPECT_EQ(0U, failed.size()); |
| 269 | 281 |
| 270 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 282 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 271 ASSERT_EQ(1U, cert_list.size()); | 283 ASSERT_EQ(1U, cert_list.size()); |
| 272 scoped_refptr<X509Certificate> cert(cert_list[0]); | 284 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 273 EXPECT_EQ("Test CA", cert->subject().common_name); | 285 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 274 | 286 |
| 275 EXPECT_EQ(CertDatabase::TRUSTED_SSL, | 287 EXPECT_EQ(CertDatabase::TRUSTED_SSL, |
| 276 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 288 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 277 | 289 |
| 278 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 290 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| 279 EXPECT_TRUE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 291 CERTDB_TRUSTED_CLIENT_CA), |
| 280 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 292 cert->os_cert_handle()->trust->sslFlags); |
| 281 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); | 293 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 282 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 294 cert->os_cert_handle()->trust->emailFlags); |
| 283 EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 295 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 296 cert->os_cert_handle()->trust->objectSigningFlags); |
| 284 } | 297 } |
| 285 | 298 |
| 286 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { | 299 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { |
| 287 CertificateList certs = CreateCertificateListFromFile( | 300 CertificateList certs = CreateCertificateListFromFile( |
| 288 GetTestCertsDirectory(), "root_ca_cert.crt", | 301 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 289 X509Certificate::FORMAT_AUTO); | 302 X509Certificate::FORMAT_AUTO); |
| 290 ASSERT_EQ(1U, certs.size()); | 303 ASSERT_EQ(1U, certs.size()); |
| 291 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 304 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 292 | 305 |
| 293 // Import it. | 306 // Import it. |
| 294 CertDatabase::ImportCertFailureList failed; | 307 CertDatabase::ImportCertFailureList failed; |
| 295 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL, | 308 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_EMAIL, |
| 296 &failed)); | 309 &failed)); |
| 297 | 310 |
| 298 EXPECT_EQ(0U, failed.size()); | 311 EXPECT_EQ(0U, failed.size()); |
| 299 | 312 |
| 300 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 313 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 301 ASSERT_EQ(1U, cert_list.size()); | 314 ASSERT_EQ(1U, cert_list.size()); |
| 302 scoped_refptr<X509Certificate> cert(cert_list[0]); | 315 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 303 EXPECT_EQ("Test CA", cert->subject().common_name); | 316 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 304 | 317 |
| 305 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, | 318 EXPECT_EQ(CertDatabase::TRUSTED_EMAIL, |
| 306 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 319 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 307 | 320 |
| 308 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 321 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 309 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 322 cert->os_cert_handle()->trust->sslFlags); |
| 310 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 323 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| 311 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); | 324 CERTDB_TRUSTED_CLIENT_CA), |
| 312 EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 325 cert->os_cert_handle()->trust->emailFlags); |
| 326 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 327 cert->os_cert_handle()->trust->objectSigningFlags); |
| 313 } | 328 } |
| 314 | 329 |
| 315 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { | 330 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { |
| 316 CertificateList certs = CreateCertificateListFromFile( | 331 CertificateList certs = CreateCertificateListFromFile( |
| 317 GetTestCertsDirectory(), "root_ca_cert.crt", | 332 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 318 X509Certificate::FORMAT_AUTO); | 333 X509Certificate::FORMAT_AUTO); |
| 319 ASSERT_EQ(1U, certs.size()); | 334 ASSERT_EQ(1U, certs.size()); |
| 320 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 335 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 321 | 336 |
| 322 // Import it. | 337 // Import it. |
| 323 CertDatabase::ImportCertFailureList failed; | 338 CertDatabase::ImportCertFailureList failed; |
| 324 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN, | 339 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUSTED_OBJ_SIGN, |
| 325 &failed)); | 340 &failed)); |
| 326 | 341 |
| 327 EXPECT_EQ(0U, failed.size()); | 342 EXPECT_EQ(0U, failed.size()); |
| 328 | 343 |
| 329 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 344 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 330 ASSERT_EQ(1U, cert_list.size()); | 345 ASSERT_EQ(1U, cert_list.size()); |
| 331 scoped_refptr<X509Certificate> cert(cert_list[0]); | 346 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 332 EXPECT_EQ("Test CA", cert->subject().common_name); | 347 EXPECT_EQ("Test CA", cert->subject().common_name); |
| 333 | 348 |
| 334 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, | 349 EXPECT_EQ(CertDatabase::TRUSTED_OBJ_SIGN, |
| 335 cert_db_.GetCertTrust(cert.get(), CA_CERT)); | 350 cert_db_.GetCertTrust(cert.get(), CA_CERT)); |
| 336 | 351 |
| 337 psm::nsNSSCertTrust trust(cert->os_cert_handle()->trust); | 352 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 338 EXPECT_FALSE(trust.HasTrustedCA(PR_TRUE, PR_FALSE, PR_FALSE)); | 353 cert->os_cert_handle()->trust->sslFlags); |
| 339 EXPECT_FALSE(trust.HasTrustedCA(PR_FALSE, PR_TRUE, PR_FALSE)); | 354 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 340 EXPECT_TRUE(trust.HasTrustedCA(PR_FALSE, PR_FALSE, PR_TRUE)); | 355 cert->os_cert_handle()->trust->emailFlags); |
| 341 EXPECT_TRUE(trust.HasCA(PR_TRUE, PR_TRUE, PR_TRUE)); | 356 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | |
| 357 CERTDB_TRUSTED_CLIENT_CA), |
| 358 cert->os_cert_handle()->trust->objectSigningFlags); |
| 342 } | 359 } |
| 343 | 360 |
| 344 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { | 361 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { |
| 345 CertificateList certs = CreateCertificateListFromFile( | 362 CertificateList certs = CreateCertificateListFromFile( |
| 346 GetTestCertsDirectory(), "google.single.pem", | 363 GetTestCertsDirectory(), "google.single.pem", |
| 347 X509Certificate::FORMAT_AUTO); | 364 X509Certificate::FORMAT_AUTO); |
| 348 ASSERT_EQ(1U, certs.size()); | 365 ASSERT_EQ(1U, certs.size()); |
| 349 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 366 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); |
| 350 | 367 |
| 351 // Import it. | 368 // Import it. |
| (...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 425 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); | 442 EXPECT_EQ("DOD CA-17", cert_list[1]->subject().common_name); |
| 426 } | 443 } |
| 427 | 444 |
| 428 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { | 445 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { |
| 429 CertificateList certs; | 446 CertificateList certs; |
| 430 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); | 447 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); |
| 431 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 448 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); |
| 432 | 449 |
| 433 // Import it. | 450 // Import it. |
| 434 CertDatabase::ImportCertFailureList failed; | 451 CertDatabase::ImportCertFailureList failed; |
| 435 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::UNTRUSTED, &failed)); | 452 EXPECT_TRUE(cert_db_.ImportCACerts(certs, CertDatabase::TRUST_DEFAULT, |
| 453 &failed)); |
| 436 | 454 |
| 437 ASSERT_EQ(1U, failed.size()); | 455 ASSERT_EQ(1U, failed.size()); |
| 438 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); | 456 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); |
| 439 // TODO(mattm): should check for net error equivalent of | 457 // TODO(mattm): should check for net error equivalent of |
| 440 // SEC_ERROR_UNTRUSTED_ISSUER | 458 // SEC_ERROR_UNTRUSTED_ISSUER |
| 441 EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 459 EXPECT_EQ(ERR_FAILED, failed[0].net_error); |
| 442 | 460 |
| 443 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 461 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 444 ASSERT_EQ(1U, cert_list.size()); | 462 ASSERT_EQ(1U, cert_list.size()); |
| 445 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 463 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 503 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { | 521 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { |
| 504 // Need to import intermediate cert for the verify of google cert, otherwise | 522 // Need to import intermediate cert for the verify of google cert, otherwise |
| 505 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which | 523 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which |
| 506 // will cause OCSPCreateSession on the main thread, which is not allowed. | 524 // will cause OCSPCreateSession on the main thread, which is not allowed. |
| 507 CertificateList certs = CreateCertificateListFromFile( | 525 CertificateList certs = CreateCertificateListFromFile( |
| 508 GetTestCertsDirectory(), "google.chain.pem", | 526 GetTestCertsDirectory(), "google.chain.pem", |
| 509 X509Certificate::FORMAT_AUTO); | 527 X509Certificate::FORMAT_AUTO); |
| 510 ASSERT_EQ(2U, certs.size()); | 528 ASSERT_EQ(2U, certs.size()); |
| 511 | 529 |
| 512 CertDatabase::ImportCertFailureList failed; | 530 CertDatabase::ImportCertFailureList failed; |
| 513 EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); | 531 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, |
| 532 &failed)); |
| 514 | 533 |
| 515 EXPECT_EQ(0U, failed.size()); | 534 EXPECT_EQ(0U, failed.size()); |
| 516 | 535 |
| 517 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 536 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 518 ASSERT_EQ(2U, cert_list.size()); | 537 ASSERT_EQ(2U, cert_list.size()); |
| 519 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); | 538 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); |
| 520 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); | 539 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); |
| 521 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); | 540 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); |
| 522 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 541 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
| 523 | 542 |
| 524 EXPECT_EQ(CertDatabase::UNTRUSTED, | 543 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, |
| 525 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); | 544 cert_db_.GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| 526 psm::nsNSSCertTrust goog_trust(goog_cert->os_cert_handle()->trust); | 545 |
| 527 EXPECT_TRUE(goog_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); | 546 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); |
| 528 | 547 |
| 529 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 548 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 530 int flags = 0; | 549 int flags = 0; |
| 531 CertVerifyResult verify_result; | 550 CertVerifyResult verify_result; |
| 532 int error = verify_proc->Verify(goog_cert, "www.google.com", flags, | 551 int error = verify_proc->Verify(goog_cert, "www.google.com", flags, |
| 533 NULL, &verify_result); | 552 NULL, &verify_result); |
| 534 EXPECT_EQ(OK, error); | 553 EXPECT_EQ(OK, error); |
| 535 EXPECT_EQ(0U, verify_result.cert_status); | 554 EXPECT_EQ(0U, verify_result.cert_status); |
| 536 } | 555 } |
| 537 | 556 |
| 538 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 557 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| 539 CertificateList certs; | 558 CertificateList certs; |
| 540 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 559 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 541 | 560 |
| 542 CertDatabase::ImportCertFailureList failed; | 561 CertDatabase::ImportCertFailureList failed; |
| 543 EXPECT_TRUE(cert_db_.ImportServerCert(certs, &failed)); | 562 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, |
| 563 &failed)); |
| 544 | 564 |
| 545 EXPECT_EQ(0U, failed.size()); | 565 EXPECT_EQ(0U, failed.size()); |
| 546 | 566 |
| 547 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 567 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 548 ASSERT_EQ(1U, cert_list.size()); | 568 ASSERT_EQ(1U, cert_list.size()); |
| 549 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 569 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 550 | 570 |
| 551 EXPECT_EQ(CertDatabase::UNTRUSTED, | 571 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, |
| 552 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); | 572 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 553 psm::nsNSSCertTrust puny_trust(puny_cert->os_cert_handle()->trust); | 573 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); |
| 554 EXPECT_TRUE(puny_trust.HasPeer(PR_TRUE, PR_TRUE, PR_TRUE)); | |
| 555 | 574 |
| 556 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); | 575 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 557 int flags = 0; | 576 int flags = 0; |
| 558 CertVerifyResult verify_result; | 577 CertVerifyResult verify_result; |
| 559 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, | 578 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, |
| 560 NULL, &verify_result); | 579 NULL, &verify_result); |
| 561 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 580 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 562 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 581 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 563 | 582 } |
| 564 // TODO(mattm): this should be SERVER_CERT, not CA_CERT, but that does not | 583 |
| 565 // work due to NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=531160 | 584 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { |
| 566 EXPECT_TRUE(cert_db_.SetCertTrust( | 585 // When using CERT_PKIXVerifyCert (which we do), server trust only works from |
| 567 puny_cert.get(), CA_CERT, | 586 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364. |
| 568 CertDatabase::TRUSTED_SSL | CertDatabase::TRUSTED_EMAIL)); | 587 if (!NSS_VersionCheck("3.13.4")) { |
| 569 | 588 LOG(INFO) << "test skipped on NSS < 3.13.4"; |
| 570 verify_result.Reset(); | 589 return; |
| 571 error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, | 590 } |
| 572 NULL, &verify_result); | 591 |
| 573 EXPECT_EQ(OK, error); | 592 CertificateList certs; |
| 574 EXPECT_EQ(0U, verify_result.cert_status); | 593 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 594 |
| 595 CertDatabase::ImportCertFailureList failed; |
| 596 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUSTED_SSL, |
| 597 &failed)); |
| 598 |
| 599 EXPECT_EQ(0U, failed.size()); |
| 600 |
| 601 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 602 ASSERT_EQ(1U, cert_list.size()); |
| 603 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 604 |
| 605 EXPECT_EQ(CertDatabase::TRUSTED_SSL, |
| 606 cert_db_.GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 607 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), |
| 608 puny_cert->os_cert_handle()->trust->sslFlags); |
| 609 |
| 610 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 611 int flags = 0; |
| 612 CertVerifyResult verify_result; |
| 613 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, |
| 614 NULL, &verify_result); |
| 615 EXPECT_EQ(OK, error); |
| 616 EXPECT_EQ(0U, verify_result.cert_status); |
| 617 } |
| 618 |
| 619 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { |
| 620 CertificateList ca_certs = CreateCertificateListFromFile( |
| 621 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 622 X509Certificate::FORMAT_AUTO); |
| 623 ASSERT_EQ(1U, ca_certs.size()); |
| 624 |
| 625 // Import CA cert and trust it. |
| 626 CertDatabase::ImportCertFailureList failed; |
| 627 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, |
| 628 &failed)); |
| 629 EXPECT_EQ(0U, failed.size()); |
| 630 |
| 631 CertificateList certs = CreateCertificateListFromFile( |
| 632 GetTestCertsDirectory(), "ok_cert.pem", |
| 633 X509Certificate::FORMAT_AUTO); |
| 634 ASSERT_EQ(1U, certs.size()); |
| 635 |
| 636 // Import server cert with default trust. |
| 637 EXPECT_TRUE(cert_db_.ImportServerCert(certs, CertDatabase::TRUST_DEFAULT, |
| 638 &failed)); |
| 639 EXPECT_EQ(0U, failed.size()); |
| 640 |
| 641 // Server cert should verify. |
| 642 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 643 int flags = 0; |
| 644 CertVerifyResult verify_result; |
| 645 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 646 NULL, &verify_result); |
| 647 EXPECT_EQ(OK, error); |
| 648 EXPECT_EQ(0U, verify_result.cert_status); |
| 649 } |
| 650 |
| 651 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { |
| 652 // Explicit distrust only works starting in NSS 3.13. |
| 653 if (!NSS_VersionCheck("3.13")) { |
| 654 LOG(INFO) << "test skipped on NSS < 3.13"; |
| 655 return; |
| 656 } |
| 657 |
| 658 CertificateList ca_certs = CreateCertificateListFromFile( |
| 659 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 660 X509Certificate::FORMAT_AUTO); |
| 661 ASSERT_EQ(1U, ca_certs.size()); |
| 662 |
| 663 // Import CA cert and trust it. |
| 664 CertDatabase::ImportCertFailureList failed; |
| 665 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, |
| 666 &failed)); |
| 667 EXPECT_EQ(0U, failed.size()); |
| 668 |
| 669 CertificateList certs = CreateCertificateListFromFile( |
| 670 GetTestCertsDirectory(), "ok_cert.pem", |
| 671 X509Certificate::FORMAT_AUTO); |
| 672 ASSERT_EQ(1U, certs.size()); |
| 673 |
| 674 // Import server cert without inheriting trust from issuer (explicit |
| 675 // distrust). |
| 676 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 677 certs, CertDatabase::DISTRUSTED_SSL, &failed)); |
| 678 EXPECT_EQ(0U, failed.size()); |
| 679 EXPECT_EQ(CertDatabase::DISTRUSTED_SSL, |
| 680 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 681 |
| 682 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 683 certs[0]->os_cert_handle()->trust->sslFlags); |
| 684 |
| 685 // Server cert should fail to verify. |
| 686 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 687 int flags = 0; |
| 688 CertVerifyResult verify_result; |
| 689 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 690 NULL, &verify_result); |
| 691 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 692 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 693 } |
| 694 |
| 695 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { |
| 696 CertificateList ca_certs = CreateCertificateListFromFile( |
| 697 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 698 X509Certificate::FORMAT_AUTO); |
| 699 ASSERT_EQ(1U, ca_certs.size()); |
| 700 |
| 701 // Import Root CA cert and distrust it. |
| 702 CertDatabase::ImportCertFailureList failed; |
| 703 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::DISTRUSTED_SSL, |
| 704 &failed)); |
| 705 EXPECT_EQ(0U, failed.size()); |
| 706 |
| 707 CertificateList intermediate_certs = CreateCertificateListFromFile( |
| 708 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", |
| 709 X509Certificate::FORMAT_AUTO); |
| 710 ASSERT_EQ(1U, intermediate_certs.size()); |
| 711 |
| 712 // Import Intermediate CA cert and trust it. |
| 713 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, |
| 714 CertDatabase::TRUSTED_SSL, &failed)); |
| 715 EXPECT_EQ(0U, failed.size()); |
| 716 |
| 717 CertificateList certs = CreateCertificateListFromFile( |
| 718 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 719 X509Certificate::FORMAT_AUTO); |
| 720 ASSERT_EQ(1U, certs.size()); |
| 721 |
| 722 // Import server cert with default trust. |
| 723 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 724 certs, CertDatabase::TRUST_DEFAULT, &failed)); |
| 725 EXPECT_EQ(0U, failed.size()); |
| 726 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, |
| 727 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 728 |
| 729 // Server cert should verify. |
| 730 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 731 int flags = 0; |
| 732 CertVerifyResult verify_result; |
| 733 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 734 NULL, &verify_result); |
| 735 EXPECT_EQ(OK, error); |
| 736 EXPECT_EQ(0U, verify_result.cert_status); |
| 737 |
| 738 // Explicit distrust only works starting in NSS 3.13. |
| 739 if (!NSS_VersionCheck("3.13")) { |
| 740 LOG(INFO) << "test partially skipped on NSS < 3.13"; |
| 741 return; |
| 742 } |
| 743 |
| 744 // Trust the root cert and distrust the intermediate. |
| 745 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 746 ca_certs[0], CA_CERT, CertDatabase::TRUSTED_SSL)); |
| 747 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 748 intermediate_certs[0], CA_CERT, CertDatabase::DISTRUSTED_SSL)); |
| 749 EXPECT_EQ( |
| 750 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), |
| 751 ca_certs[0]->os_cert_handle()->trust->sslFlags); |
| 752 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 753 ca_certs[0]->os_cert_handle()->trust->emailFlags); |
| 754 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 755 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 756 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 757 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); |
| 758 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 759 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); |
| 760 EXPECT_EQ( |
| 761 unsigned(CERTDB_VALID_CA), |
| 762 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 763 |
| 764 // Server cert should fail to verify. |
| 765 CertVerifyResult verify_result2; |
| 766 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 767 NULL, &verify_result2); |
| 768 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 769 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); |
| 770 } |
| 771 |
| 772 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { |
| 773 CertDatabase::ImportCertFailureList failed; |
| 774 |
| 775 CertificateList intermediate_certs = CreateCertificateListFromFile( |
| 776 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", |
| 777 X509Certificate::FORMAT_AUTO); |
| 778 ASSERT_EQ(1U, intermediate_certs.size()); |
| 779 |
| 780 // Import Intermediate CA cert and trust it. |
| 781 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, |
| 782 CertDatabase::TRUSTED_SSL, &failed)); |
| 783 EXPECT_EQ(0U, failed.size()); |
| 784 |
| 785 CertificateList certs = CreateCertificateListFromFile( |
| 786 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 787 X509Certificate::FORMAT_AUTO); |
| 788 ASSERT_EQ(1U, certs.size()); |
| 789 |
| 790 // Import server cert with default trust. |
| 791 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 792 certs, CertDatabase::TRUST_DEFAULT, &failed)); |
| 793 EXPECT_EQ(0U, failed.size()); |
| 794 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, |
| 795 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 796 |
| 797 // Server cert should verify. |
| 798 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 799 int flags = 0; |
| 800 CertVerifyResult verify_result; |
| 801 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 802 NULL, &verify_result); |
| 803 EXPECT_EQ(OK, error); |
| 804 EXPECT_EQ(0U, verify_result.cert_status); |
| 805 |
| 806 // Without explicit trust of the intermediate, verification should fail. |
| 807 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 808 intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); |
| 809 |
| 810 // Server cert should fail to verify. |
| 811 CertVerifyResult verify_result2; |
| 812 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 813 NULL, &verify_result2); |
| 814 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 815 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 816 } |
| 817 |
| 818 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { |
| 819 CertDatabase::ImportCertFailureList failed; |
| 820 |
| 821 CertificateList ca_certs = CreateCertificateListFromFile( |
| 822 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 823 X509Certificate::FORMAT_AUTO); |
| 824 ASSERT_EQ(1U, ca_certs.size()); |
| 825 |
| 826 // Import Root CA cert and default trust it. |
| 827 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUST_DEFAULT, |
| 828 &failed)); |
| 829 EXPECT_EQ(0U, failed.size()); |
| 830 |
| 831 CertificateList intermediate_certs = CreateCertificateListFromFile( |
| 832 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", |
| 833 X509Certificate::FORMAT_AUTO); |
| 834 ASSERT_EQ(1U, intermediate_certs.size()); |
| 835 |
| 836 // Import Intermediate CA cert and trust it. |
| 837 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, |
| 838 CertDatabase::TRUSTED_SSL, &failed)); |
| 839 EXPECT_EQ(0U, failed.size()); |
| 840 |
| 841 CertificateList certs = CreateCertificateListFromFile( |
| 842 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 843 X509Certificate::FORMAT_AUTO); |
| 844 ASSERT_EQ(1U, certs.size()); |
| 845 |
| 846 // Import server cert with default trust. |
| 847 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 848 certs, CertDatabase::TRUST_DEFAULT, &failed)); |
| 849 EXPECT_EQ(0U, failed.size()); |
| 850 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, |
| 851 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 852 |
| 853 // Server cert should verify. |
| 854 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 855 int flags = 0; |
| 856 CertVerifyResult verify_result; |
| 857 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 858 NULL, &verify_result); |
| 859 EXPECT_EQ(OK, error); |
| 860 EXPECT_EQ(0U, verify_result.cert_status); |
| 861 |
| 862 // Without explicit trust of the intermediate, verification should fail. |
| 863 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 864 intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); |
| 865 |
| 866 // Server cert should fail to verify. |
| 867 CertVerifyResult verify_result2; |
| 868 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 869 NULL, &verify_result2); |
| 870 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 871 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 872 } |
| 873 |
| 874 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { |
| 875 // Explicit distrust only works starting in NSS 3.13. |
| 876 if (!NSS_VersionCheck("3.13")) { |
| 877 LOG(INFO) << "test skipped on NSS < 3.13"; |
| 878 return; |
| 879 } |
| 880 |
| 881 CertDatabase::ImportCertFailureList failed; |
| 882 |
| 883 CertificateList ca_certs = CreateCertificateListFromFile( |
| 884 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 885 X509Certificate::FORMAT_AUTO); |
| 886 ASSERT_EQ(1U, ca_certs.size()); |
| 887 |
| 888 // Import Root CA cert and trust it. |
| 889 EXPECT_TRUE(cert_db_.ImportCACerts(ca_certs, CertDatabase::TRUSTED_SSL, |
| 890 &failed)); |
| 891 EXPECT_EQ(0U, failed.size()); |
| 892 |
| 893 CertificateList intermediate_certs = CreateCertificateListFromFile( |
| 894 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", |
| 895 X509Certificate::FORMAT_AUTO); |
| 896 ASSERT_EQ(1U, intermediate_certs.size()); |
| 897 |
| 898 // Import Intermediate CA cert and distrust it. |
| 899 EXPECT_TRUE(cert_db_.ImportCACerts(intermediate_certs, |
| 900 CertDatabase::DISTRUSTED_SSL, &failed)); |
| 901 EXPECT_EQ(0U, failed.size()); |
| 902 |
| 903 CertificateList certs = CreateCertificateListFromFile( |
| 904 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 905 X509Certificate::FORMAT_AUTO); |
| 906 ASSERT_EQ(1U, certs.size()); |
| 907 |
| 908 // Import server cert with default trust. |
| 909 EXPECT_TRUE(cert_db_.ImportServerCert( |
| 910 certs, CertDatabase::TRUST_DEFAULT, &failed)); |
| 911 EXPECT_EQ(0U, failed.size()); |
| 912 EXPECT_EQ(CertDatabase::TRUST_DEFAULT, |
| 913 cert_db_.GetCertTrust(certs[0], SERVER_CERT)); |
| 914 |
| 915 // Server cert should not verify. |
| 916 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); |
| 917 int flags = 0; |
| 918 CertVerifyResult verify_result; |
| 919 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 920 NULL, &verify_result); |
| 921 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 922 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 923 |
| 924 // Without explicit distrust of the intermediate, verification should succeed. |
| 925 EXPECT_TRUE(cert_db_.SetCertTrust( |
| 926 intermediate_certs[0], CA_CERT, CertDatabase::TRUST_DEFAULT)); |
| 927 |
| 928 // Server cert should verify. |
| 929 CertVerifyResult verify_result2; |
| 930 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, |
| 931 NULL, &verify_result2); |
| 932 EXPECT_EQ(OK, error); |
| 933 EXPECT_EQ(0U, verify_result2.cert_status); |
| 575 } | 934 } |
| 576 | 935 |
| 577 } // namespace net | 936 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10458069:
Reland: Fix imported server certs being distrusted in NSS 3.13. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src