| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <cert.h> | 5 #include <cert.h> |
| 6 #include <certdb.h> | 6 #include <certdb.h> |
| 7 #include <pk11pub.h> | 7 #include <pk11pub.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| (...skipping 98 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 109 CertificateList certs = ListCertsInSlot(slot_->os_module_handle()); | 109 CertificateList certs = ListCertsInSlot(slot_->os_module_handle()); |
| 110 CERTCertTrust default_trust = {0}; | 110 CERTCertTrust default_trust = {0}; |
| 111 for (size_t i = 0; i < certs.size(); ++i) { | 111 for (size_t i = 0; i < certs.size(); ++i) { |
| 112 // Reset cert trust values to defaults before deleting. Otherwise NSS | 112 // Reset cert trust values to defaults before deleting. Otherwise NSS |
| 113 // somehow seems to remember the trust which can break following tests. | 113 // somehow seems to remember the trust which can break following tests. |
| 114 SECStatus srv = CERT_ChangeCertTrust( | 114 SECStatus srv = CERT_ChangeCertTrust( |
| 115 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); | 115 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); |
| 116 if (srv != SECSuccess) | 116 if (srv != SECSuccess) |
| 117 ok = false; | 117 ok = false; |
| 118 | 118 |
| 119 if (!cert_db_->DeleteCertAndKey(certs[i])) | 119 if (!cert_db_->DeleteCertAndKey(certs[i].get())) |
| 120 ok = false; | 120 ok = false; |
| 121 } | 121 } |
| 122 return ok; | 122 return ok; |
| 123 } | 123 } |
| 124 | 124 |
| 125 crypto::ScopedTestNSSDB test_nssdb_; | 125 crypto::ScopedTestNSSDB test_nssdb_; |
| 126 }; | 126 }; |
| 127 | 127 |
| 128 TEST_F(CertDatabaseNSSTest, ListCerts) { | 128 TEST_F(CertDatabaseNSSTest, ListCerts) { |
| 129 // This test isn't terribly useful, though it will at least let valgrind test | 129 // This test isn't terribly useful, though it will at least let valgrind test |
| 130 // for leaks. | 130 // for leaks. |
| 131 CertificateList certs; | 131 CertificateList certs; |
| 132 cert_db_->ListCerts(&certs); | 132 cert_db_->ListCerts(&certs); |
| 133 // The test DB is empty, but let's assume there will always be something in | 133 // The test DB is empty, but let's assume there will always be something in |
| 134 // the other slots. | 134 // the other slots. |
| 135 EXPECT_LT(0U, certs.size()); | 135 EXPECT_LT(0U, certs.size()); |
| 136 } | 136 } |
| 137 | 137 |
| 138 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { | 138 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { |
| 139 std::string pkcs12_data = ReadTestFile("client.p12"); | 139 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 140 | 140 |
| 141 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, | 141 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, |
| 142 cert_db_->ImportFromPKCS12(slot_, | 142 cert_db_->ImportFromPKCS12(slot_.get(), |
| 143 pkcs12_data, | 143 pkcs12_data, |
| 144 base::string16(), | 144 base::string16(), |
| 145 true, // is_extractable | 145 true, // is_extractable |
| 146 NULL)); | 146 NULL)); |
| 147 | 147 |
| 148 // Test db should still be empty. | 148 // Test db should still be empty. |
| 149 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 149 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
| 150 } | 150 } |
| 151 | 151 |
| 152 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) { | 152 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) { |
| 153 std::string pkcs12_data = ReadTestFile("client.p12"); | 153 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 154 | 154 |
| 155 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_, | 155 EXPECT_EQ(OK, |
| 156 pkcs12_data, | 156 cert_db_->ImportFromPKCS12(slot_.get(), |
| 157 ASCIIToUTF16("12345"), | 157 pkcs12_data, |
| 158 true, // is_extractable | 158 ASCIIToUTF16("12345"), |
| 159 NULL)); | 159 true, // is_extractable |
| 160 NULL)); |
| 160 | 161 |
| 161 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 162 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 162 ASSERT_EQ(1U, cert_list.size()); | 163 ASSERT_EQ(1U, cert_list.size()); |
| 163 scoped_refptr<X509Certificate> cert(cert_list[0]); | 164 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 164 | 165 |
| 165 EXPECT_EQ("testusercert", | 166 EXPECT_EQ("testusercert", |
| 166 cert->subject().common_name); | 167 cert->subject().common_name); |
| 167 | 168 |
| 168 // TODO(mattm): move export test to separate test case? | 169 // TODO(mattm): move export test to separate test case? |
| 169 std::string exported_data; | 170 std::string exported_data; |
| 170 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 171 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
| 171 &exported_data)); | 172 &exported_data)); |
| 172 ASSERT_LT(0U, exported_data.size()); | 173 ASSERT_LT(0U, exported_data.size()); |
| 173 // TODO(mattm): further verification of exported data? | 174 // TODO(mattm): further verification of exported data? |
| 174 } | 175 } |
| 175 | 176 |
| 176 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) { | 177 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) { |
| 177 std::string pkcs12_data = ReadTestFile("client.p12"); | 178 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 178 | 179 |
| 179 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_, | 180 EXPECT_EQ(OK, |
| 180 pkcs12_data, | 181 cert_db_->ImportFromPKCS12(slot_.get(), |
| 181 ASCIIToUTF16("12345"), | 182 pkcs12_data, |
| 182 true, // is_extractable | 183 ASCIIToUTF16("12345"), |
| 183 NULL)); | 184 true, // is_extractable |
| 185 NULL)); |
| 184 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); | 186 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); |
| 185 | 187 |
| 186 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like | 188 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like |
| 187 // it's ever used. This test verifies that. | 189 // it's ever used. This test verifies that. |
| 188 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_, | 190 EXPECT_EQ(OK, |
| 189 pkcs12_data, | 191 cert_db_->ImportFromPKCS12(slot_.get(), |
| 190 ASCIIToUTF16("12345"), | 192 pkcs12_data, |
| 191 true, // is_extractable | 193 ASCIIToUTF16("12345"), |
| 192 NULL)); | 194 true, // is_extractable |
| 195 NULL)); |
| 193 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); | 196 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); |
| 194 } | 197 } |
| 195 | 198 |
| 196 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) { | 199 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) { |
| 197 std::string pkcs12_data = ReadTestFile("client.p12"); | 200 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 198 | 201 |
| 199 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_, | 202 EXPECT_EQ(OK, |
| 200 pkcs12_data, | 203 cert_db_->ImportFromPKCS12(slot_.get(), |
| 201 ASCIIToUTF16("12345"), | 204 pkcs12_data, |
| 202 false, // is_extractable | 205 ASCIIToUTF16("12345"), |
| 203 NULL)); | 206 false, // is_extractable |
| 207 NULL)); |
| 204 | 208 |
| 205 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 209 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 206 ASSERT_EQ(1U, cert_list.size()); | 210 ASSERT_EQ(1U, cert_list.size()); |
| 207 scoped_refptr<X509Certificate> cert(cert_list[0]); | 211 scoped_refptr<X509Certificate> cert(cert_list[0]); |
| 208 | 212 |
| 209 EXPECT_EQ("testusercert", | 213 EXPECT_EQ("testusercert", |
| 210 cert->subject().common_name); | 214 cert->subject().common_name); |
| 211 | 215 |
| 212 std::string exported_data; | 216 std::string exported_data; |
| 213 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 217 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
| 214 &exported_data)); | 218 &exported_data)); |
| 215 } | 219 } |
| 216 | 220 |
| 217 // Importing a PKCS#12 file with a certificate but no corresponding | 221 // Importing a PKCS#12 file with a certificate but no corresponding |
| 218 // private key should not mark an existing private key as unextractable. | 222 // private key should not mark an existing private key as unextractable. |
| 219 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) { | 223 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) { |
| 220 std::string pkcs12_data = ReadTestFile("client.p12"); | 224 std::string pkcs12_data = ReadTestFile("client.p12"); |
| 221 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_, | 225 EXPECT_EQ(OK, |
| 222 pkcs12_data, | 226 cert_db_->ImportFromPKCS12(slot_.get(), |
| 223 ASCIIToUTF16("12345"), | 227 pkcs12_data, |
| 224 true, // is_extractable | 228 ASCIIToUTF16("12345"), |
| 225 NULL)); | 229 true, // is_extractable |
| 230 NULL)); |
| 226 | 231 |
| 227 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 232 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 228 ASSERT_EQ(1U, cert_list.size()); | 233 ASSERT_EQ(1U, cert_list.size()); |
| 229 | 234 |
| 230 // Now import a PKCS#12 file with just a certificate but no private key. | 235 // Now import a PKCS#12 file with just a certificate but no private key. |
| 231 pkcs12_data = ReadTestFile("client-nokey.p12"); | 236 pkcs12_data = ReadTestFile("client-nokey.p12"); |
| 232 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_, | 237 EXPECT_EQ(OK, |
| 233 pkcs12_data, | 238 cert_db_->ImportFromPKCS12(slot_.get(), |
| 234 ASCIIToUTF16("12345"), | 239 pkcs12_data, |
| 235 false, // is_extractable | 240 ASCIIToUTF16("12345"), |
| 236 NULL)); | 241 false, // is_extractable |
| 242 NULL)); |
| 237 | 243 |
| 238 cert_list = ListCertsInSlot(slot_->os_module_handle()); | 244 cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 239 ASSERT_EQ(1U, cert_list.size()); | 245 ASSERT_EQ(1U, cert_list.size()); |
| 240 | 246 |
| 241 // Make sure the imported private key is still extractable. | 247 // Make sure the imported private key is still extractable. |
| 242 std::string exported_data; | 248 std::string exported_data; |
| 243 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 249 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
| 244 &exported_data)); | 250 &exported_data)); |
| 245 ASSERT_LT(0U, exported_data.size()); | 251 ASSERT_LT(0U, exported_data.size()); |
| 246 } | 252 } |
| 247 | 253 |
| 248 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) { | 254 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) { |
| 249 std::string pkcs12_data = "Foobarbaz"; | 255 std::string pkcs12_data = "Foobarbaz"; |
| 250 | 256 |
| 251 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE, | 257 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE, |
| 252 cert_db_->ImportFromPKCS12(slot_, | 258 cert_db_->ImportFromPKCS12(slot_.get(), |
| 253 pkcs12_data, | 259 pkcs12_data, |
| 254 base::string16(), | 260 base::string16(), |
| 255 true, // is_extractable | 261 true, // is_extractable |
| 256 NULL)); | 262 NULL)); |
| 257 | 263 |
| 258 // Test db should still be empty. | 264 // Test db should still be empty. |
| 259 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 265 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
| 260 } | 266 } |
| 261 | 267 |
| 262 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { | 268 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { |
| (...skipping 271 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 534 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 540 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
| 535 | 541 |
| 536 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 542 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 537 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); | 543 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); |
| 538 | 544 |
| 539 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); | 545 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); |
| 540 | 546 |
| 541 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 547 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 542 int flags = 0; | 548 int flags = 0; |
| 543 CertVerifyResult verify_result; | 549 CertVerifyResult verify_result; |
| 544 int error = verify_proc->Verify(goog_cert, "www.google.com", flags, | 550 int error = verify_proc->Verify(goog_cert.get(), |
| 545 NULL, empty_cert_list_, &verify_result); | 551 "www.google.com", |
| 552 flags, |
| 553 NULL, |
| 554 empty_cert_list_, |
| 555 &verify_result); |
| 546 EXPECT_EQ(OK, error); | 556 EXPECT_EQ(OK, error); |
| 547 EXPECT_EQ(0U, verify_result.cert_status); | 557 EXPECT_EQ(0U, verify_result.cert_status); |
| 548 } | 558 } |
| 549 | 559 |
| 550 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 560 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
| 551 CertificateList certs; | 561 CertificateList certs; |
| 552 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 562 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
| 553 | 563 |
| 554 NSSCertDatabase::ImportCertFailureList failed; | 564 NSSCertDatabase::ImportCertFailureList failed; |
| 555 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, | 565 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 556 &failed)); | 566 &failed)); |
| 557 | 567 |
| 558 EXPECT_EQ(0U, failed.size()); | 568 EXPECT_EQ(0U, failed.size()); |
| 559 | 569 |
| 560 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 570 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
| 561 ASSERT_EQ(1U, cert_list.size()); | 571 ASSERT_EQ(1U, cert_list.size()); |
| 562 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 572 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 563 | 573 |
| 564 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 574 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 565 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 575 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 566 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); | 576 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); |
| 567 | 577 |
| 568 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 578 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 569 int flags = 0; | 579 int flags = 0; |
| 570 CertVerifyResult verify_result; | 580 CertVerifyResult verify_result; |
| 571 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, | 581 int error = verify_proc->Verify(puny_cert.get(), |
| 572 NULL, empty_cert_list_, &verify_result); | 582 "xn--wgv71a119e.com", |
| 583 flags, |
| 584 NULL, |
| 585 empty_cert_list_, |
| 586 &verify_result); |
| 573 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 587 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 574 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 588 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
| 575 } | 589 } |
| 576 | 590 |
| 577 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { | 591 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { |
| 578 // When using CERT_PKIXVerifyCert (which we do), server trust only works from | 592 // When using CERT_PKIXVerifyCert (which we do), server trust only works from |
| 579 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364. | 593 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364. |
| 580 if (!NSS_VersionCheck("3.13.4")) { | 594 if (!NSS_VersionCheck("3.13.4")) { |
| 581 LOG(INFO) << "test skipped on NSS < 3.13.4"; | 595 LOG(INFO) << "test skipped on NSS < 3.13.4"; |
| 582 return; | 596 return; |
| (...skipping 13 matching lines...) Expand all Loading... |
| 596 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 610 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
| 597 | 611 |
| 598 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, | 612 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, |
| 599 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 613 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
| 600 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), | 614 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), |
| 601 puny_cert->os_cert_handle()->trust->sslFlags); | 615 puny_cert->os_cert_handle()->trust->sslFlags); |
| 602 | 616 |
| 603 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 617 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 604 int flags = 0; | 618 int flags = 0; |
| 605 CertVerifyResult verify_result; | 619 CertVerifyResult verify_result; |
| 606 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, | 620 int error = verify_proc->Verify(puny_cert.get(), |
| 607 NULL, empty_cert_list_, &verify_result); | 621 "xn--wgv71a119e.com", |
| 622 flags, |
| 623 NULL, |
| 624 empty_cert_list_, |
| 625 &verify_result); |
| 608 EXPECT_EQ(OK, error); | 626 EXPECT_EQ(OK, error); |
| 609 EXPECT_EQ(0U, verify_result.cert_status); | 627 EXPECT_EQ(0U, verify_result.cert_status); |
| 610 } | 628 } |
| 611 | 629 |
| 612 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { | 630 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { |
| 613 CertificateList ca_certs = CreateCertificateListFromFile( | 631 CertificateList ca_certs = CreateCertificateListFromFile( |
| 614 GetTestCertsDirectory(), "root_ca_cert.crt", | 632 GetTestCertsDirectory(), "root_ca_cert.crt", |
| 615 X509Certificate::FORMAT_AUTO); | 633 X509Certificate::FORMAT_AUTO); |
| 616 ASSERT_EQ(1U, ca_certs.size()); | 634 ASSERT_EQ(1U, ca_certs.size()); |
| 617 | 635 |
| (...skipping 10 matching lines...) Expand all Loading... |
| 628 | 646 |
| 629 // Import server cert with default trust. | 647 // Import server cert with default trust. |
| 630 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, | 648 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
| 631 &failed)); | 649 &failed)); |
| 632 EXPECT_EQ(0U, failed.size()); | 650 EXPECT_EQ(0U, failed.size()); |
| 633 | 651 |
| 634 // Server cert should verify. | 652 // Server cert should verify. |
| 635 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 653 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 636 int flags = 0; | 654 int flags = 0; |
| 637 CertVerifyResult verify_result; | 655 CertVerifyResult verify_result; |
| 638 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 656 int error = verify_proc->Verify(certs[0].get(), |
| 639 NULL, empty_cert_list_, &verify_result); | 657 "127.0.0.1", |
| 658 flags, |
| 659 NULL, |
| 660 empty_cert_list_, |
| 661 &verify_result); |
| 640 EXPECT_EQ(OK, error); | 662 EXPECT_EQ(OK, error); |
| 641 EXPECT_EQ(0U, verify_result.cert_status); | 663 EXPECT_EQ(0U, verify_result.cert_status); |
| 642 } | 664 } |
| 643 | 665 |
| 644 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { | 666 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { |
| 645 // Explicit distrust only works starting in NSS 3.13. | 667 // Explicit distrust only works starting in NSS 3.13. |
| 646 if (!NSS_VersionCheck("3.13")) { | 668 if (!NSS_VersionCheck("3.13")) { |
| 647 LOG(INFO) << "test skipped on NSS < 3.13"; | 669 LOG(INFO) << "test skipped on NSS < 3.13"; |
| 648 return; | 670 return; |
| 649 } | 671 } |
| (...skipping 13 matching lines...) Expand all Loading... |
| 663 GetTestCertsDirectory(), "ok_cert.pem", | 685 GetTestCertsDirectory(), "ok_cert.pem", |
| 664 X509Certificate::FORMAT_AUTO); | 686 X509Certificate::FORMAT_AUTO); |
| 665 ASSERT_EQ(1U, certs.size()); | 687 ASSERT_EQ(1U, certs.size()); |
| 666 | 688 |
| 667 // Import server cert without inheriting trust from issuer (explicit | 689 // Import server cert without inheriting trust from issuer (explicit |
| 668 // distrust). | 690 // distrust). |
| 669 EXPECT_TRUE(cert_db_->ImportServerCert( | 691 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 670 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed)); | 692 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed)); |
| 671 EXPECT_EQ(0U, failed.size()); | 693 EXPECT_EQ(0U, failed.size()); |
| 672 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL, | 694 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL, |
| 673 cert_db_->GetCertTrust(certs[0], SERVER_CERT)); | 695 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 674 | 696 |
| 675 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | 697 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 676 certs[0]->os_cert_handle()->trust->sslFlags); | 698 certs[0]->os_cert_handle()->trust->sslFlags); |
| 677 | 699 |
| 678 // Server cert should fail to verify. | 700 // Server cert should fail to verify. |
| 679 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 701 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 680 int flags = 0; | 702 int flags = 0; |
| 681 CertVerifyResult verify_result; | 703 CertVerifyResult verify_result; |
| 682 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 704 int error = verify_proc->Verify(certs[0].get(), |
| 683 NULL, empty_cert_list_, &verify_result); | 705 "127.0.0.1", |
| 706 flags, |
| 707 NULL, |
| 708 empty_cert_list_, |
| 709 &verify_result); |
| 684 EXPECT_EQ(ERR_CERT_REVOKED, error); | 710 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 685 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); | 711 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 686 } | 712 } |
| 687 | 713 |
| 688 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { | 714 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { |
| 689 CertificateList ca_certs = CreateCertificateListFromFile( | 715 CertificateList ca_certs = CreateCertificateListFromFile( |
| 690 GetTestCertsDirectory(), "2048-rsa-root.pem", | 716 GetTestCertsDirectory(), "2048-rsa-root.pem", |
| 691 X509Certificate::FORMAT_AUTO); | 717 X509Certificate::FORMAT_AUTO); |
| 692 ASSERT_EQ(1U, ca_certs.size()); | 718 ASSERT_EQ(1U, ca_certs.size()); |
| 693 | 719 |
| (...skipping 16 matching lines...) Expand all Loading... |
| 710 CertificateList certs = CreateCertificateListFromFile( | 736 CertificateList certs = CreateCertificateListFromFile( |
| 711 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", | 737 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 712 X509Certificate::FORMAT_AUTO); | 738 X509Certificate::FORMAT_AUTO); |
| 713 ASSERT_EQ(1U, certs.size()); | 739 ASSERT_EQ(1U, certs.size()); |
| 714 | 740 |
| 715 // Import server cert with default trust. | 741 // Import server cert with default trust. |
| 716 EXPECT_TRUE(cert_db_->ImportServerCert( | 742 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 717 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 743 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 718 EXPECT_EQ(0U, failed.size()); | 744 EXPECT_EQ(0U, failed.size()); |
| 719 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 745 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 720 cert_db_->GetCertTrust(certs[0], SERVER_CERT)); | 746 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 721 | 747 |
| 722 // Server cert should verify. | 748 // Server cert should verify. |
| 723 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 749 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 724 int flags = 0; | 750 int flags = 0; |
| 725 CertVerifyResult verify_result; | 751 CertVerifyResult verify_result; |
| 726 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 752 int error = verify_proc->Verify(certs[0].get(), |
| 727 NULL, empty_cert_list_, &verify_result); | 753 "127.0.0.1", |
| 754 flags, |
| 755 NULL, |
| 756 empty_cert_list_, |
| 757 &verify_result); |
| 728 EXPECT_EQ(OK, error); | 758 EXPECT_EQ(OK, error); |
| 729 EXPECT_EQ(0U, verify_result.cert_status); | 759 EXPECT_EQ(0U, verify_result.cert_status); |
| 730 | 760 |
| 731 // Explicit distrust only works starting in NSS 3.13. | 761 // Explicit distrust only works starting in NSS 3.13. |
| 732 if (!NSS_VersionCheck("3.13")) { | 762 if (!NSS_VersionCheck("3.13")) { |
| 733 LOG(INFO) << "test partially skipped on NSS < 3.13"; | 763 LOG(INFO) << "test partially skipped on NSS < 3.13"; |
| 734 return; | 764 return; |
| 735 } | 765 } |
| 736 | 766 |
| 737 // Trust the root cert and distrust the intermediate. | 767 // Trust the root cert and distrust the intermediate. |
| 738 EXPECT_TRUE(cert_db_->SetCertTrust( | 768 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 739 ca_certs[0], CA_CERT, NSSCertDatabase::TRUSTED_SSL)); | 769 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL)); |
| 740 EXPECT_TRUE(cert_db_->SetCertTrust( | 770 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 741 intermediate_certs[0], CA_CERT, NSSCertDatabase::DISTRUSTED_SSL)); | 771 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL)); |
| 742 EXPECT_EQ( | 772 EXPECT_EQ( |
| 743 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), | 773 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), |
| 744 ca_certs[0]->os_cert_handle()->trust->sslFlags); | 774 ca_certs[0]->os_cert_handle()->trust->sslFlags); |
| 745 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 775 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 746 ca_certs[0]->os_cert_handle()->trust->emailFlags); | 776 ca_certs[0]->os_cert_handle()->trust->emailFlags); |
| 747 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 777 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 748 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); | 778 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 749 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | 779 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
| 750 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); | 780 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); |
| 751 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 781 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
| 752 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); | 782 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); |
| 753 EXPECT_EQ( | 783 EXPECT_EQ( |
| 754 unsigned(CERTDB_VALID_CA), | 784 unsigned(CERTDB_VALID_CA), |
| 755 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); | 785 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
| 756 | 786 |
| 757 // Server cert should fail to verify. | 787 // Server cert should fail to verify. |
| 758 CertVerifyResult verify_result2; | 788 CertVerifyResult verify_result2; |
| 759 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 789 error = verify_proc->Verify(certs[0].get(), |
| 760 NULL, empty_cert_list_, &verify_result2); | 790 "127.0.0.1", |
| 791 flags, |
| 792 NULL, |
| 793 empty_cert_list_, |
| 794 &verify_result2); |
| 761 EXPECT_EQ(ERR_CERT_REVOKED, error); | 795 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 762 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); | 796 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); |
| 763 } | 797 } |
| 764 | 798 |
| 765 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { | 799 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { |
| 766 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { | 800 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { |
| 767 // See http://bugzil.la/863947 for details. | 801 // See http://bugzil.la/863947 for details. |
| 768 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; | 802 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; |
| 769 return; | 803 return; |
| 770 } | 804 } |
| (...skipping 13 matching lines...) Expand all Loading... |
| 784 CertificateList certs = CreateCertificateListFromFile( | 818 CertificateList certs = CreateCertificateListFromFile( |
| 785 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", | 819 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 786 X509Certificate::FORMAT_AUTO); | 820 X509Certificate::FORMAT_AUTO); |
| 787 ASSERT_EQ(1U, certs.size()); | 821 ASSERT_EQ(1U, certs.size()); |
| 788 | 822 |
| 789 // Import server cert with default trust. | 823 // Import server cert with default trust. |
| 790 EXPECT_TRUE(cert_db_->ImportServerCert( | 824 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 791 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 825 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 792 EXPECT_EQ(0U, failed.size()); | 826 EXPECT_EQ(0U, failed.size()); |
| 793 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 827 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 794 cert_db_->GetCertTrust(certs[0], SERVER_CERT)); | 828 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 795 | 829 |
| 796 // Server cert should verify. | 830 // Server cert should verify. |
| 797 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 831 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 798 int flags = 0; | 832 int flags = 0; |
| 799 CertVerifyResult verify_result; | 833 CertVerifyResult verify_result; |
| 800 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 834 int error = verify_proc->Verify(certs[0].get(), |
| 801 NULL, empty_cert_list_, &verify_result); | 835 "127.0.0.1", |
| 836 flags, |
| 837 NULL, |
| 838 empty_cert_list_, |
| 839 &verify_result); |
| 802 EXPECT_EQ(OK, error); | 840 EXPECT_EQ(OK, error); |
| 803 EXPECT_EQ(0U, verify_result.cert_status); | 841 EXPECT_EQ(0U, verify_result.cert_status); |
| 804 | 842 |
| 805 // Without explicit trust of the intermediate, verification should fail. | 843 // Without explicit trust of the intermediate, verification should fail. |
| 806 EXPECT_TRUE(cert_db_->SetCertTrust( | 844 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 807 intermediate_certs[0], CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 845 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 808 | 846 |
| 809 // Server cert should fail to verify. | 847 // Server cert should fail to verify. |
| 810 CertVerifyResult verify_result2; | 848 CertVerifyResult verify_result2; |
| 811 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 849 error = verify_proc->Verify(certs[0].get(), |
| 812 NULL, empty_cert_list_, &verify_result2); | 850 "127.0.0.1", |
| 851 flags, |
| 852 NULL, |
| 853 empty_cert_list_, |
| 854 &verify_result2); |
| 813 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 855 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 814 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); | 856 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 815 } | 857 } |
| 816 | 858 |
| 817 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { | 859 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { |
| 818 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { | 860 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { |
| 819 // See http://bugzil.la/863947 for details. | 861 // See http://bugzil.la/863947 for details. |
| 820 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; | 862 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; |
| 821 return; | 863 return; |
| 822 } | 864 } |
| (...skipping 23 matching lines...) Expand all Loading... |
| 846 CertificateList certs = CreateCertificateListFromFile( | 888 CertificateList certs = CreateCertificateListFromFile( |
| 847 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", | 889 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 848 X509Certificate::FORMAT_AUTO); | 890 X509Certificate::FORMAT_AUTO); |
| 849 ASSERT_EQ(1U, certs.size()); | 891 ASSERT_EQ(1U, certs.size()); |
| 850 | 892 |
| 851 // Import server cert with default trust. | 893 // Import server cert with default trust. |
| 852 EXPECT_TRUE(cert_db_->ImportServerCert( | 894 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 853 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 895 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 854 EXPECT_EQ(0U, failed.size()); | 896 EXPECT_EQ(0U, failed.size()); |
| 855 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 897 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 856 cert_db_->GetCertTrust(certs[0], SERVER_CERT)); | 898 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 857 | 899 |
| 858 // Server cert should verify. | 900 // Server cert should verify. |
| 859 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 901 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 860 int flags = 0; | 902 int flags = 0; |
| 861 CertVerifyResult verify_result; | 903 CertVerifyResult verify_result; |
| 862 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 904 int error = verify_proc->Verify(certs[0].get(), |
| 863 NULL, empty_cert_list_, &verify_result); | 905 "127.0.0.1", |
| 906 flags, |
| 907 NULL, |
| 908 empty_cert_list_, |
| 909 &verify_result); |
| 864 EXPECT_EQ(OK, error); | 910 EXPECT_EQ(OK, error); |
| 865 EXPECT_EQ(0U, verify_result.cert_status); | 911 EXPECT_EQ(0U, verify_result.cert_status); |
| 866 | 912 |
| 867 // Without explicit trust of the intermediate, verification should fail. | 913 // Without explicit trust of the intermediate, verification should fail. |
| 868 EXPECT_TRUE(cert_db_->SetCertTrust( | 914 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 869 intermediate_certs[0], CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 915 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 870 | 916 |
| 871 // Server cert should fail to verify. | 917 // Server cert should fail to verify. |
| 872 CertVerifyResult verify_result2; | 918 CertVerifyResult verify_result2; |
| 873 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 919 error = verify_proc->Verify(certs[0].get(), |
| 874 NULL, empty_cert_list_, &verify_result2); | 920 "127.0.0.1", |
| 921 flags, |
| 922 NULL, |
| 923 empty_cert_list_, |
| 924 &verify_result2); |
| 875 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 925 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
| 876 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); | 926 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
| 877 } | 927 } |
| 878 | 928 |
| 879 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { | 929 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { |
| 880 // Explicit distrust only works starting in NSS 3.13. | 930 // Explicit distrust only works starting in NSS 3.13. |
| 881 if (!NSS_VersionCheck("3.13")) { | 931 if (!NSS_VersionCheck("3.13")) { |
| 882 LOG(INFO) << "test skipped on NSS < 3.13"; | 932 LOG(INFO) << "test skipped on NSS < 3.13"; |
| 883 return; | 933 return; |
| 884 } | 934 } |
| (...skipping 23 matching lines...) Expand all Loading... |
| 908 CertificateList certs = CreateCertificateListFromFile( | 958 CertificateList certs = CreateCertificateListFromFile( |
| 909 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", | 959 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
| 910 X509Certificate::FORMAT_AUTO); | 960 X509Certificate::FORMAT_AUTO); |
| 911 ASSERT_EQ(1U, certs.size()); | 961 ASSERT_EQ(1U, certs.size()); |
| 912 | 962 |
| 913 // Import server cert with default trust. | 963 // Import server cert with default trust. |
| 914 EXPECT_TRUE(cert_db_->ImportServerCert( | 964 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 915 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 965 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 916 EXPECT_EQ(0U, failed.size()); | 966 EXPECT_EQ(0U, failed.size()); |
| 917 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 967 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 918 cert_db_->GetCertTrust(certs[0], SERVER_CERT)); | 968 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 919 | 969 |
| 920 // Server cert should not verify. | 970 // Server cert should not verify. |
| 921 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 971 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
| 922 int flags = 0; | 972 int flags = 0; |
| 923 CertVerifyResult verify_result; | 973 CertVerifyResult verify_result; |
| 924 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 974 int error = verify_proc->Verify(certs[0].get(), |
| 925 NULL, empty_cert_list_, &verify_result); | 975 "127.0.0.1", |
| 976 flags, |
| 977 NULL, |
| 978 empty_cert_list_, |
| 979 &verify_result); |
| 926 EXPECT_EQ(ERR_CERT_REVOKED, error); | 980 EXPECT_EQ(ERR_CERT_REVOKED, error); |
| 927 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); | 981 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
| 928 | 982 |
| 929 // Without explicit distrust of the intermediate, verification should succeed. | 983 // Without explicit distrust of the intermediate, verification should succeed. |
| 930 EXPECT_TRUE(cert_db_->SetCertTrust( | 984 EXPECT_TRUE(cert_db_->SetCertTrust( |
| 931 intermediate_certs[0], CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 985 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
| 932 | 986 |
| 933 // Server cert should verify. | 987 // Server cert should verify. |
| 934 CertVerifyResult verify_result2; | 988 CertVerifyResult verify_result2; |
| 935 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 989 error = verify_proc->Verify(certs[0].get(), |
| 936 NULL, empty_cert_list_, &verify_result2); | 990 "127.0.0.1", |
| 991 flags, |
| 992 NULL, |
| 993 empty_cert_list_, |
| 994 &verify_result2); |
| 937 EXPECT_EQ(OK, error); | 995 EXPECT_EQ(OK, error); |
| 938 EXPECT_EQ(0U, verify_result2.cert_status); | 996 EXPECT_EQ(0U, verify_result2.cert_status); |
| 939 } | 997 } |
| 940 | 998 |
| 941 // Importing two certificates with the same issuer and subject common name, | 999 // Importing two certificates with the same issuer and subject common name, |
| 942 // but overall distinct subject names, should succeed and generate a unique | 1000 // but overall distinct subject names, should succeed and generate a unique |
| 943 // nickname for the second certificate. | 1001 // nickname for the second certificate. |
| 944 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { | 1002 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { |
| 945 CertificateList certs = | 1003 CertificateList certs = |
| 946 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1004 CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 947 "duplicate_cn_1.pem", | 1005 "duplicate_cn_1.pem", |
| 948 X509Certificate::FORMAT_AUTO); | 1006 X509Certificate::FORMAT_AUTO); |
| 949 ASSERT_EQ(1U, certs.size()); | 1007 ASSERT_EQ(1U, certs.size()); |
| 950 | 1008 |
| 951 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 1009 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
| 952 | 1010 |
| 953 // Import server cert with default trust. | 1011 // Import server cert with default trust. |
| 954 NSSCertDatabase::ImportCertFailureList failed; | 1012 NSSCertDatabase::ImportCertFailureList failed; |
| 955 EXPECT_TRUE(cert_db_->ImportServerCert( | 1013 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 956 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 1014 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 957 EXPECT_EQ(0U, failed.size()); | 1015 EXPECT_EQ(0U, failed.size()); |
| 958 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 1016 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 959 cert_db_->GetCertTrust(certs[0], SERVER_CERT)); | 1017 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
| 960 | 1018 |
| 961 CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle()); | 1019 CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle()); |
| 962 ASSERT_EQ(1U, new_certs.size()); | 1020 ASSERT_EQ(1U, new_certs.size()); |
| 963 | 1021 |
| 964 // Now attempt to import a different certificate with the same common name. | 1022 // Now attempt to import a different certificate with the same common name. |
| 965 CertificateList certs2 = | 1023 CertificateList certs2 = |
| 966 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1024 CreateCertificateListFromFile(GetTestCertsDirectory(), |
| 967 "duplicate_cn_2.pem", | 1025 "duplicate_cn_2.pem", |
| 968 X509Certificate::FORMAT_AUTO); | 1026 X509Certificate::FORMAT_AUTO); |
| 969 ASSERT_EQ(1U, certs2.size()); | 1027 ASSERT_EQ(1U, certs2.size()); |
| 970 | 1028 |
| 971 // Import server cert with default trust. | 1029 // Import server cert with default trust. |
| 972 EXPECT_TRUE(cert_db_->ImportServerCert( | 1030 EXPECT_TRUE(cert_db_->ImportServerCert( |
| 973 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 1031 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
| 974 EXPECT_EQ(0U, failed.size()); | 1032 EXPECT_EQ(0U, failed.size()); |
| 975 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 1033 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
| 976 cert_db_->GetCertTrust(certs2[0], SERVER_CERT)); | 1034 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); |
| 977 | 1035 |
| 978 new_certs = ListCertsInSlot(slot_->os_module_handle()); | 1036 new_certs = ListCertsInSlot(slot_->os_module_handle()); |
| 979 ASSERT_EQ(2U, new_certs.size()); | 1037 ASSERT_EQ(2U, new_certs.size()); |
| 980 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, | 1038 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, |
| 981 new_certs[1]->os_cert_handle()->nickname); | 1039 new_certs[1]->os_cert_handle()->nickname); |
| 982 } | 1040 } |
| 983 | 1041 |
| 984 } // namespace net | 1042 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 15829004:
Update net/ to use scoped_refptr<T>::get() rather than implicit "operator T*" (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src