OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <cert.h> | 5 #include <cert.h> |
6 #include <certdb.h> | 6 #include <certdb.h> |
7 #include <pk11pub.h> | 7 #include <pk11pub.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 | 10 |
(...skipping 98 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
109 CertificateList certs = ListCertsInSlot(slot_->os_module_handle()); | 109 CertificateList certs = ListCertsInSlot(slot_->os_module_handle()); |
110 CERTCertTrust default_trust = {0}; | 110 CERTCertTrust default_trust = {0}; |
111 for (size_t i = 0; i < certs.size(); ++i) { | 111 for (size_t i = 0; i < certs.size(); ++i) { |
112 // Reset cert trust values to defaults before deleting. Otherwise NSS | 112 // Reset cert trust values to defaults before deleting. Otherwise NSS |
113 // somehow seems to remember the trust which can break following tests. | 113 // somehow seems to remember the trust which can break following tests. |
114 SECStatus srv = CERT_ChangeCertTrust( | 114 SECStatus srv = CERT_ChangeCertTrust( |
115 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); | 115 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); |
116 if (srv != SECSuccess) | 116 if (srv != SECSuccess) |
117 ok = false; | 117 ok = false; |
118 | 118 |
119 if (!cert_db_->DeleteCertAndKey(certs[i])) | 119 if (!cert_db_->DeleteCertAndKey(certs[i].get())) |
120 ok = false; | 120 ok = false; |
121 } | 121 } |
122 return ok; | 122 return ok; |
123 } | 123 } |
124 | 124 |
125 crypto::ScopedTestNSSDB test_nssdb_; | 125 crypto::ScopedTestNSSDB test_nssdb_; |
126 }; | 126 }; |
127 | 127 |
128 TEST_F(CertDatabaseNSSTest, ListCerts) { | 128 TEST_F(CertDatabaseNSSTest, ListCerts) { |
129 // This test isn't terribly useful, though it will at least let valgrind test | 129 // This test isn't terribly useful, though it will at least let valgrind test |
130 // for leaks. | 130 // for leaks. |
131 CertificateList certs; | 131 CertificateList certs; |
132 cert_db_->ListCerts(&certs); | 132 cert_db_->ListCerts(&certs); |
133 // The test DB is empty, but let's assume there will always be something in | 133 // The test DB is empty, but let's assume there will always be something in |
134 // the other slots. | 134 // the other slots. |
135 EXPECT_LT(0U, certs.size()); | 135 EXPECT_LT(0U, certs.size()); |
136 } | 136 } |
137 | 137 |
138 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { | 138 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { |
139 std::string pkcs12_data = ReadTestFile("client.p12"); | 139 std::string pkcs12_data = ReadTestFile("client.p12"); |
140 | 140 |
141 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, | 141 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, |
142 cert_db_->ImportFromPKCS12(slot_, | 142 cert_db_->ImportFromPKCS12(slot_.get(), |
143 pkcs12_data, | 143 pkcs12_data, |
144 base::string16(), | 144 base::string16(), |
145 true, // is_extractable | 145 true, // is_extractable |
146 NULL)); | 146 NULL)); |
147 | 147 |
148 // Test db should still be empty. | 148 // Test db should still be empty. |
149 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 149 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
150 } | 150 } |
151 | 151 |
152 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) { | 152 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) { |
153 std::string pkcs12_data = ReadTestFile("client.p12"); | 153 std::string pkcs12_data = ReadTestFile("client.p12"); |
154 | 154 |
155 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_, | 155 EXPECT_EQ(OK, |
156 pkcs12_data, | 156 cert_db_->ImportFromPKCS12(slot_.get(), |
157 ASCIIToUTF16("12345"), | 157 pkcs12_data, |
158 true, // is_extractable | 158 ASCIIToUTF16("12345"), |
159 NULL)); | 159 true, // is_extractable |
| 160 NULL)); |
160 | 161 |
161 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 162 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
162 ASSERT_EQ(1U, cert_list.size()); | 163 ASSERT_EQ(1U, cert_list.size()); |
163 scoped_refptr<X509Certificate> cert(cert_list[0]); | 164 scoped_refptr<X509Certificate> cert(cert_list[0]); |
164 | 165 |
165 EXPECT_EQ("testusercert", | 166 EXPECT_EQ("testusercert", |
166 cert->subject().common_name); | 167 cert->subject().common_name); |
167 | 168 |
168 // TODO(mattm): move export test to separate test case? | 169 // TODO(mattm): move export test to separate test case? |
169 std::string exported_data; | 170 std::string exported_data; |
170 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 171 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
171 &exported_data)); | 172 &exported_data)); |
172 ASSERT_LT(0U, exported_data.size()); | 173 ASSERT_LT(0U, exported_data.size()); |
173 // TODO(mattm): further verification of exported data? | 174 // TODO(mattm): further verification of exported data? |
174 } | 175 } |
175 | 176 |
176 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) { | 177 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) { |
177 std::string pkcs12_data = ReadTestFile("client.p12"); | 178 std::string pkcs12_data = ReadTestFile("client.p12"); |
178 | 179 |
179 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_, | 180 EXPECT_EQ(OK, |
180 pkcs12_data, | 181 cert_db_->ImportFromPKCS12(slot_.get(), |
181 ASCIIToUTF16("12345"), | 182 pkcs12_data, |
182 true, // is_extractable | 183 ASCIIToUTF16("12345"), |
183 NULL)); | 184 true, // is_extractable |
| 185 NULL)); |
184 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); | 186 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); |
185 | 187 |
186 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like | 188 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like |
187 // it's ever used. This test verifies that. | 189 // it's ever used. This test verifies that. |
188 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_, | 190 EXPECT_EQ(OK, |
189 pkcs12_data, | 191 cert_db_->ImportFromPKCS12(slot_.get(), |
190 ASCIIToUTF16("12345"), | 192 pkcs12_data, |
191 true, // is_extractable | 193 ASCIIToUTF16("12345"), |
192 NULL)); | 194 true, // is_extractable |
| 195 NULL)); |
193 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); | 196 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); |
194 } | 197 } |
195 | 198 |
196 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) { | 199 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) { |
197 std::string pkcs12_data = ReadTestFile("client.p12"); | 200 std::string pkcs12_data = ReadTestFile("client.p12"); |
198 | 201 |
199 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_, | 202 EXPECT_EQ(OK, |
200 pkcs12_data, | 203 cert_db_->ImportFromPKCS12(slot_.get(), |
201 ASCIIToUTF16("12345"), | 204 pkcs12_data, |
202 false, // is_extractable | 205 ASCIIToUTF16("12345"), |
203 NULL)); | 206 false, // is_extractable |
| 207 NULL)); |
204 | 208 |
205 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 209 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
206 ASSERT_EQ(1U, cert_list.size()); | 210 ASSERT_EQ(1U, cert_list.size()); |
207 scoped_refptr<X509Certificate> cert(cert_list[0]); | 211 scoped_refptr<X509Certificate> cert(cert_list[0]); |
208 | 212 |
209 EXPECT_EQ("testusercert", | 213 EXPECT_EQ("testusercert", |
210 cert->subject().common_name); | 214 cert->subject().common_name); |
211 | 215 |
212 std::string exported_data; | 216 std::string exported_data; |
213 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 217 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
214 &exported_data)); | 218 &exported_data)); |
215 } | 219 } |
216 | 220 |
217 // Importing a PKCS#12 file with a certificate but no corresponding | 221 // Importing a PKCS#12 file with a certificate but no corresponding |
218 // private key should not mark an existing private key as unextractable. | 222 // private key should not mark an existing private key as unextractable. |
219 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) { | 223 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) { |
220 std::string pkcs12_data = ReadTestFile("client.p12"); | 224 std::string pkcs12_data = ReadTestFile("client.p12"); |
221 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_, | 225 EXPECT_EQ(OK, |
222 pkcs12_data, | 226 cert_db_->ImportFromPKCS12(slot_.get(), |
223 ASCIIToUTF16("12345"), | 227 pkcs12_data, |
224 true, // is_extractable | 228 ASCIIToUTF16("12345"), |
225 NULL)); | 229 true, // is_extractable |
| 230 NULL)); |
226 | 231 |
227 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 232 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
228 ASSERT_EQ(1U, cert_list.size()); | 233 ASSERT_EQ(1U, cert_list.size()); |
229 | 234 |
230 // Now import a PKCS#12 file with just a certificate but no private key. | 235 // Now import a PKCS#12 file with just a certificate but no private key. |
231 pkcs12_data = ReadTestFile("client-nokey.p12"); | 236 pkcs12_data = ReadTestFile("client-nokey.p12"); |
232 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_, | 237 EXPECT_EQ(OK, |
233 pkcs12_data, | 238 cert_db_->ImportFromPKCS12(slot_.get(), |
234 ASCIIToUTF16("12345"), | 239 pkcs12_data, |
235 false, // is_extractable | 240 ASCIIToUTF16("12345"), |
236 NULL)); | 241 false, // is_extractable |
| 242 NULL)); |
237 | 243 |
238 cert_list = ListCertsInSlot(slot_->os_module_handle()); | 244 cert_list = ListCertsInSlot(slot_->os_module_handle()); |
239 ASSERT_EQ(1U, cert_list.size()); | 245 ASSERT_EQ(1U, cert_list.size()); |
240 | 246 |
241 // Make sure the imported private key is still extractable. | 247 // Make sure the imported private key is still extractable. |
242 std::string exported_data; | 248 std::string exported_data; |
243 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), | 249 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), |
244 &exported_data)); | 250 &exported_data)); |
245 ASSERT_LT(0U, exported_data.size()); | 251 ASSERT_LT(0U, exported_data.size()); |
246 } | 252 } |
247 | 253 |
248 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) { | 254 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) { |
249 std::string pkcs12_data = "Foobarbaz"; | 255 std::string pkcs12_data = "Foobarbaz"; |
250 | 256 |
251 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE, | 257 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE, |
252 cert_db_->ImportFromPKCS12(slot_, | 258 cert_db_->ImportFromPKCS12(slot_.get(), |
253 pkcs12_data, | 259 pkcs12_data, |
254 base::string16(), | 260 base::string16(), |
255 true, // is_extractable | 261 true, // is_extractable |
256 NULL)); | 262 NULL)); |
257 | 263 |
258 // Test db should still be empty. | 264 // Test db should still be empty. |
259 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 265 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
260 } | 266 } |
261 | 267 |
262 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { | 268 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { |
(...skipping 271 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
534 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); | 540 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); |
535 | 541 |
536 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 542 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
537 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); | 543 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); |
538 | 544 |
539 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); | 545 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); |
540 | 546 |
541 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 547 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
542 int flags = 0; | 548 int flags = 0; |
543 CertVerifyResult verify_result; | 549 CertVerifyResult verify_result; |
544 int error = verify_proc->Verify(goog_cert, "www.google.com", flags, | 550 int error = verify_proc->Verify(goog_cert.get(), |
545 NULL, empty_cert_list_, &verify_result); | 551 "www.google.com", |
| 552 flags, |
| 553 NULL, |
| 554 empty_cert_list_, |
| 555 &verify_result); |
546 EXPECT_EQ(OK, error); | 556 EXPECT_EQ(OK, error); |
547 EXPECT_EQ(0U, verify_result.cert_status); | 557 EXPECT_EQ(0U, verify_result.cert_status); |
548 } | 558 } |
549 | 559 |
550 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { | 560 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { |
551 CertificateList certs; | 561 CertificateList certs; |
552 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); | 562 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); |
553 | 563 |
554 NSSCertDatabase::ImportCertFailureList failed; | 564 NSSCertDatabase::ImportCertFailureList failed; |
555 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, | 565 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
556 &failed)); | 566 &failed)); |
557 | 567 |
558 EXPECT_EQ(0U, failed.size()); | 568 EXPECT_EQ(0U, failed.size()); |
559 | 569 |
560 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 570 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); |
561 ASSERT_EQ(1U, cert_list.size()); | 571 ASSERT_EQ(1U, cert_list.size()); |
562 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 572 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
563 | 573 |
564 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 574 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
565 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 575 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
566 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); | 576 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); |
567 | 577 |
568 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 578 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
569 int flags = 0; | 579 int flags = 0; |
570 CertVerifyResult verify_result; | 580 CertVerifyResult verify_result; |
571 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, | 581 int error = verify_proc->Verify(puny_cert.get(), |
572 NULL, empty_cert_list_, &verify_result); | 582 "xn--wgv71a119e.com", |
| 583 flags, |
| 584 NULL, |
| 585 empty_cert_list_, |
| 586 &verify_result); |
573 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 587 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
574 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); | 588 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); |
575 } | 589 } |
576 | 590 |
577 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { | 591 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { |
578 // When using CERT_PKIXVerifyCert (which we do), server trust only works from | 592 // When using CERT_PKIXVerifyCert (which we do), server trust only works from |
579 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364. | 593 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364. |
580 if (!NSS_VersionCheck("3.13.4")) { | 594 if (!NSS_VersionCheck("3.13.4")) { |
581 LOG(INFO) << "test skipped on NSS < 3.13.4"; | 595 LOG(INFO) << "test skipped on NSS < 3.13.4"; |
582 return; | 596 return; |
(...skipping 13 matching lines...) Expand all Loading... |
596 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); | 610 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); |
597 | 611 |
598 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, | 612 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, |
599 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); | 613 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); |
600 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), | 614 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), |
601 puny_cert->os_cert_handle()->trust->sslFlags); | 615 puny_cert->os_cert_handle()->trust->sslFlags); |
602 | 616 |
603 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 617 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
604 int flags = 0; | 618 int flags = 0; |
605 CertVerifyResult verify_result; | 619 CertVerifyResult verify_result; |
606 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags, | 620 int error = verify_proc->Verify(puny_cert.get(), |
607 NULL, empty_cert_list_, &verify_result); | 621 "xn--wgv71a119e.com", |
| 622 flags, |
| 623 NULL, |
| 624 empty_cert_list_, |
| 625 &verify_result); |
608 EXPECT_EQ(OK, error); | 626 EXPECT_EQ(OK, error); |
609 EXPECT_EQ(0U, verify_result.cert_status); | 627 EXPECT_EQ(0U, verify_result.cert_status); |
610 } | 628 } |
611 | 629 |
612 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { | 630 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { |
613 CertificateList ca_certs = CreateCertificateListFromFile( | 631 CertificateList ca_certs = CreateCertificateListFromFile( |
614 GetTestCertsDirectory(), "root_ca_cert.crt", | 632 GetTestCertsDirectory(), "root_ca_cert.crt", |
615 X509Certificate::FORMAT_AUTO); | 633 X509Certificate::FORMAT_AUTO); |
616 ASSERT_EQ(1U, ca_certs.size()); | 634 ASSERT_EQ(1U, ca_certs.size()); |
617 | 635 |
(...skipping 10 matching lines...) Expand all Loading... |
628 | 646 |
629 // Import server cert with default trust. | 647 // Import server cert with default trust. |
630 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, | 648 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, |
631 &failed)); | 649 &failed)); |
632 EXPECT_EQ(0U, failed.size()); | 650 EXPECT_EQ(0U, failed.size()); |
633 | 651 |
634 // Server cert should verify. | 652 // Server cert should verify. |
635 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 653 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
636 int flags = 0; | 654 int flags = 0; |
637 CertVerifyResult verify_result; | 655 CertVerifyResult verify_result; |
638 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 656 int error = verify_proc->Verify(certs[0].get(), |
639 NULL, empty_cert_list_, &verify_result); | 657 "127.0.0.1", |
| 658 flags, |
| 659 NULL, |
| 660 empty_cert_list_, |
| 661 &verify_result); |
640 EXPECT_EQ(OK, error); | 662 EXPECT_EQ(OK, error); |
641 EXPECT_EQ(0U, verify_result.cert_status); | 663 EXPECT_EQ(0U, verify_result.cert_status); |
642 } | 664 } |
643 | 665 |
644 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { | 666 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { |
645 // Explicit distrust only works starting in NSS 3.13. | 667 // Explicit distrust only works starting in NSS 3.13. |
646 if (!NSS_VersionCheck("3.13")) { | 668 if (!NSS_VersionCheck("3.13")) { |
647 LOG(INFO) << "test skipped on NSS < 3.13"; | 669 LOG(INFO) << "test skipped on NSS < 3.13"; |
648 return; | 670 return; |
649 } | 671 } |
(...skipping 13 matching lines...) Expand all Loading... |
663 GetTestCertsDirectory(), "ok_cert.pem", | 685 GetTestCertsDirectory(), "ok_cert.pem", |
664 X509Certificate::FORMAT_AUTO); | 686 X509Certificate::FORMAT_AUTO); |
665 ASSERT_EQ(1U, certs.size()); | 687 ASSERT_EQ(1U, certs.size()); |
666 | 688 |
667 // Import server cert without inheriting trust from issuer (explicit | 689 // Import server cert without inheriting trust from issuer (explicit |
668 // distrust). | 690 // distrust). |
669 EXPECT_TRUE(cert_db_->ImportServerCert( | 691 EXPECT_TRUE(cert_db_->ImportServerCert( |
670 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed)); | 692 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed)); |
671 EXPECT_EQ(0U, failed.size()); | 693 EXPECT_EQ(0U, failed.size()); |
672 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL, | 694 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL, |
673 cert_db_->GetCertTrust(certs[0], SERVER_CERT)); | 695 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
674 | 696 |
675 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | 697 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
676 certs[0]->os_cert_handle()->trust->sslFlags); | 698 certs[0]->os_cert_handle()->trust->sslFlags); |
677 | 699 |
678 // Server cert should fail to verify. | 700 // Server cert should fail to verify. |
679 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 701 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
680 int flags = 0; | 702 int flags = 0; |
681 CertVerifyResult verify_result; | 703 CertVerifyResult verify_result; |
682 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 704 int error = verify_proc->Verify(certs[0].get(), |
683 NULL, empty_cert_list_, &verify_result); | 705 "127.0.0.1", |
| 706 flags, |
| 707 NULL, |
| 708 empty_cert_list_, |
| 709 &verify_result); |
684 EXPECT_EQ(ERR_CERT_REVOKED, error); | 710 EXPECT_EQ(ERR_CERT_REVOKED, error); |
685 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); | 711 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
686 } | 712 } |
687 | 713 |
688 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { | 714 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { |
689 CertificateList ca_certs = CreateCertificateListFromFile( | 715 CertificateList ca_certs = CreateCertificateListFromFile( |
690 GetTestCertsDirectory(), "2048-rsa-root.pem", | 716 GetTestCertsDirectory(), "2048-rsa-root.pem", |
691 X509Certificate::FORMAT_AUTO); | 717 X509Certificate::FORMAT_AUTO); |
692 ASSERT_EQ(1U, ca_certs.size()); | 718 ASSERT_EQ(1U, ca_certs.size()); |
693 | 719 |
(...skipping 16 matching lines...) Expand all Loading... |
710 CertificateList certs = CreateCertificateListFromFile( | 736 CertificateList certs = CreateCertificateListFromFile( |
711 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", | 737 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
712 X509Certificate::FORMAT_AUTO); | 738 X509Certificate::FORMAT_AUTO); |
713 ASSERT_EQ(1U, certs.size()); | 739 ASSERT_EQ(1U, certs.size()); |
714 | 740 |
715 // Import server cert with default trust. | 741 // Import server cert with default trust. |
716 EXPECT_TRUE(cert_db_->ImportServerCert( | 742 EXPECT_TRUE(cert_db_->ImportServerCert( |
717 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 743 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
718 EXPECT_EQ(0U, failed.size()); | 744 EXPECT_EQ(0U, failed.size()); |
719 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 745 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
720 cert_db_->GetCertTrust(certs[0], SERVER_CERT)); | 746 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
721 | 747 |
722 // Server cert should verify. | 748 // Server cert should verify. |
723 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 749 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
724 int flags = 0; | 750 int flags = 0; |
725 CertVerifyResult verify_result; | 751 CertVerifyResult verify_result; |
726 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 752 int error = verify_proc->Verify(certs[0].get(), |
727 NULL, empty_cert_list_, &verify_result); | 753 "127.0.0.1", |
| 754 flags, |
| 755 NULL, |
| 756 empty_cert_list_, |
| 757 &verify_result); |
728 EXPECT_EQ(OK, error); | 758 EXPECT_EQ(OK, error); |
729 EXPECT_EQ(0U, verify_result.cert_status); | 759 EXPECT_EQ(0U, verify_result.cert_status); |
730 | 760 |
731 // Explicit distrust only works starting in NSS 3.13. | 761 // Explicit distrust only works starting in NSS 3.13. |
732 if (!NSS_VersionCheck("3.13")) { | 762 if (!NSS_VersionCheck("3.13")) { |
733 LOG(INFO) << "test partially skipped on NSS < 3.13"; | 763 LOG(INFO) << "test partially skipped on NSS < 3.13"; |
734 return; | 764 return; |
735 } | 765 } |
736 | 766 |
737 // Trust the root cert and distrust the intermediate. | 767 // Trust the root cert and distrust the intermediate. |
738 EXPECT_TRUE(cert_db_->SetCertTrust( | 768 EXPECT_TRUE(cert_db_->SetCertTrust( |
739 ca_certs[0], CA_CERT, NSSCertDatabase::TRUSTED_SSL)); | 769 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL)); |
740 EXPECT_TRUE(cert_db_->SetCertTrust( | 770 EXPECT_TRUE(cert_db_->SetCertTrust( |
741 intermediate_certs[0], CA_CERT, NSSCertDatabase::DISTRUSTED_SSL)); | 771 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL)); |
742 EXPECT_EQ( | 772 EXPECT_EQ( |
743 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), | 773 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), |
744 ca_certs[0]->os_cert_handle()->trust->sslFlags); | 774 ca_certs[0]->os_cert_handle()->trust->sslFlags); |
745 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 775 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
746 ca_certs[0]->os_cert_handle()->trust->emailFlags); | 776 ca_certs[0]->os_cert_handle()->trust->emailFlags); |
747 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 777 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
748 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); | 778 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
749 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), | 779 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), |
750 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); | 780 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); |
751 EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 781 EXPECT_EQ(unsigned(CERTDB_VALID_CA), |
752 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); | 782 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); |
753 EXPECT_EQ( | 783 EXPECT_EQ( |
754 unsigned(CERTDB_VALID_CA), | 784 unsigned(CERTDB_VALID_CA), |
755 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); | 785 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); |
756 | 786 |
757 // Server cert should fail to verify. | 787 // Server cert should fail to verify. |
758 CertVerifyResult verify_result2; | 788 CertVerifyResult verify_result2; |
759 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 789 error = verify_proc->Verify(certs[0].get(), |
760 NULL, empty_cert_list_, &verify_result2); | 790 "127.0.0.1", |
| 791 flags, |
| 792 NULL, |
| 793 empty_cert_list_, |
| 794 &verify_result2); |
761 EXPECT_EQ(ERR_CERT_REVOKED, error); | 795 EXPECT_EQ(ERR_CERT_REVOKED, error); |
762 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); | 796 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); |
763 } | 797 } |
764 | 798 |
765 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { | 799 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { |
766 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { | 800 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { |
767 // See http://bugzil.la/863947 for details. | 801 // See http://bugzil.la/863947 for details. |
768 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; | 802 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; |
769 return; | 803 return; |
770 } | 804 } |
(...skipping 13 matching lines...) Expand all Loading... |
784 CertificateList certs = CreateCertificateListFromFile( | 818 CertificateList certs = CreateCertificateListFromFile( |
785 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", | 819 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
786 X509Certificate::FORMAT_AUTO); | 820 X509Certificate::FORMAT_AUTO); |
787 ASSERT_EQ(1U, certs.size()); | 821 ASSERT_EQ(1U, certs.size()); |
788 | 822 |
789 // Import server cert with default trust. | 823 // Import server cert with default trust. |
790 EXPECT_TRUE(cert_db_->ImportServerCert( | 824 EXPECT_TRUE(cert_db_->ImportServerCert( |
791 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 825 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
792 EXPECT_EQ(0U, failed.size()); | 826 EXPECT_EQ(0U, failed.size()); |
793 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 827 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
794 cert_db_->GetCertTrust(certs[0], SERVER_CERT)); | 828 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
795 | 829 |
796 // Server cert should verify. | 830 // Server cert should verify. |
797 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 831 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
798 int flags = 0; | 832 int flags = 0; |
799 CertVerifyResult verify_result; | 833 CertVerifyResult verify_result; |
800 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 834 int error = verify_proc->Verify(certs[0].get(), |
801 NULL, empty_cert_list_, &verify_result); | 835 "127.0.0.1", |
| 836 flags, |
| 837 NULL, |
| 838 empty_cert_list_, |
| 839 &verify_result); |
802 EXPECT_EQ(OK, error); | 840 EXPECT_EQ(OK, error); |
803 EXPECT_EQ(0U, verify_result.cert_status); | 841 EXPECT_EQ(0U, verify_result.cert_status); |
804 | 842 |
805 // Without explicit trust of the intermediate, verification should fail. | 843 // Without explicit trust of the intermediate, verification should fail. |
806 EXPECT_TRUE(cert_db_->SetCertTrust( | 844 EXPECT_TRUE(cert_db_->SetCertTrust( |
807 intermediate_certs[0], CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 845 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
808 | 846 |
809 // Server cert should fail to verify. | 847 // Server cert should fail to verify. |
810 CertVerifyResult verify_result2; | 848 CertVerifyResult verify_result2; |
811 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 849 error = verify_proc->Verify(certs[0].get(), |
812 NULL, empty_cert_list_, &verify_result2); | 850 "127.0.0.1", |
| 851 flags, |
| 852 NULL, |
| 853 empty_cert_list_, |
| 854 &verify_result2); |
813 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 855 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
814 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); | 856 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
815 } | 857 } |
816 | 858 |
817 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { | 859 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { |
818 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { | 860 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { |
819 // See http://bugzil.la/863947 for details. | 861 // See http://bugzil.la/863947 for details. |
820 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; | 862 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; |
821 return; | 863 return; |
822 } | 864 } |
(...skipping 23 matching lines...) Expand all Loading... |
846 CertificateList certs = CreateCertificateListFromFile( | 888 CertificateList certs = CreateCertificateListFromFile( |
847 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", | 889 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
848 X509Certificate::FORMAT_AUTO); | 890 X509Certificate::FORMAT_AUTO); |
849 ASSERT_EQ(1U, certs.size()); | 891 ASSERT_EQ(1U, certs.size()); |
850 | 892 |
851 // Import server cert with default trust. | 893 // Import server cert with default trust. |
852 EXPECT_TRUE(cert_db_->ImportServerCert( | 894 EXPECT_TRUE(cert_db_->ImportServerCert( |
853 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 895 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
854 EXPECT_EQ(0U, failed.size()); | 896 EXPECT_EQ(0U, failed.size()); |
855 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 897 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
856 cert_db_->GetCertTrust(certs[0], SERVER_CERT)); | 898 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
857 | 899 |
858 // Server cert should verify. | 900 // Server cert should verify. |
859 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 901 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
860 int flags = 0; | 902 int flags = 0; |
861 CertVerifyResult verify_result; | 903 CertVerifyResult verify_result; |
862 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 904 int error = verify_proc->Verify(certs[0].get(), |
863 NULL, empty_cert_list_, &verify_result); | 905 "127.0.0.1", |
| 906 flags, |
| 907 NULL, |
| 908 empty_cert_list_, |
| 909 &verify_result); |
864 EXPECT_EQ(OK, error); | 910 EXPECT_EQ(OK, error); |
865 EXPECT_EQ(0U, verify_result.cert_status); | 911 EXPECT_EQ(0U, verify_result.cert_status); |
866 | 912 |
867 // Without explicit trust of the intermediate, verification should fail. | 913 // Without explicit trust of the intermediate, verification should fail. |
868 EXPECT_TRUE(cert_db_->SetCertTrust( | 914 EXPECT_TRUE(cert_db_->SetCertTrust( |
869 intermediate_certs[0], CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 915 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
870 | 916 |
871 // Server cert should fail to verify. | 917 // Server cert should fail to verify. |
872 CertVerifyResult verify_result2; | 918 CertVerifyResult verify_result2; |
873 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 919 error = verify_proc->Verify(certs[0].get(), |
874 NULL, empty_cert_list_, &verify_result2); | 920 "127.0.0.1", |
| 921 flags, |
| 922 NULL, |
| 923 empty_cert_list_, |
| 924 &verify_result2); |
875 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); | 925 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); |
876 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); | 926 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); |
877 } | 927 } |
878 | 928 |
879 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { | 929 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { |
880 // Explicit distrust only works starting in NSS 3.13. | 930 // Explicit distrust only works starting in NSS 3.13. |
881 if (!NSS_VersionCheck("3.13")) { | 931 if (!NSS_VersionCheck("3.13")) { |
882 LOG(INFO) << "test skipped on NSS < 3.13"; | 932 LOG(INFO) << "test skipped on NSS < 3.13"; |
883 return; | 933 return; |
884 } | 934 } |
(...skipping 23 matching lines...) Expand all Loading... |
908 CertificateList certs = CreateCertificateListFromFile( | 958 CertificateList certs = CreateCertificateListFromFile( |
909 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", | 959 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", |
910 X509Certificate::FORMAT_AUTO); | 960 X509Certificate::FORMAT_AUTO); |
911 ASSERT_EQ(1U, certs.size()); | 961 ASSERT_EQ(1U, certs.size()); |
912 | 962 |
913 // Import server cert with default trust. | 963 // Import server cert with default trust. |
914 EXPECT_TRUE(cert_db_->ImportServerCert( | 964 EXPECT_TRUE(cert_db_->ImportServerCert( |
915 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 965 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
916 EXPECT_EQ(0U, failed.size()); | 966 EXPECT_EQ(0U, failed.size()); |
917 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 967 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
918 cert_db_->GetCertTrust(certs[0], SERVER_CERT)); | 968 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
919 | 969 |
920 // Server cert should not verify. | 970 // Server cert should not verify. |
921 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); | 971 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); |
922 int flags = 0; | 972 int flags = 0; |
923 CertVerifyResult verify_result; | 973 CertVerifyResult verify_result; |
924 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 974 int error = verify_proc->Verify(certs[0].get(), |
925 NULL, empty_cert_list_, &verify_result); | 975 "127.0.0.1", |
| 976 flags, |
| 977 NULL, |
| 978 empty_cert_list_, |
| 979 &verify_result); |
926 EXPECT_EQ(ERR_CERT_REVOKED, error); | 980 EXPECT_EQ(ERR_CERT_REVOKED, error); |
927 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); | 981 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); |
928 | 982 |
929 // Without explicit distrust of the intermediate, verification should succeed. | 983 // Without explicit distrust of the intermediate, verification should succeed. |
930 EXPECT_TRUE(cert_db_->SetCertTrust( | 984 EXPECT_TRUE(cert_db_->SetCertTrust( |
931 intermediate_certs[0], CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); | 985 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); |
932 | 986 |
933 // Server cert should verify. | 987 // Server cert should verify. |
934 CertVerifyResult verify_result2; | 988 CertVerifyResult verify_result2; |
935 error = verify_proc->Verify(certs[0], "127.0.0.1", flags, | 989 error = verify_proc->Verify(certs[0].get(), |
936 NULL, empty_cert_list_, &verify_result2); | 990 "127.0.0.1", |
| 991 flags, |
| 992 NULL, |
| 993 empty_cert_list_, |
| 994 &verify_result2); |
937 EXPECT_EQ(OK, error); | 995 EXPECT_EQ(OK, error); |
938 EXPECT_EQ(0U, verify_result2.cert_status); | 996 EXPECT_EQ(0U, verify_result2.cert_status); |
939 } | 997 } |
940 | 998 |
941 // Importing two certificates with the same issuer and subject common name, | 999 // Importing two certificates with the same issuer and subject common name, |
942 // but overall distinct subject names, should succeed and generate a unique | 1000 // but overall distinct subject names, should succeed and generate a unique |
943 // nickname for the second certificate. | 1001 // nickname for the second certificate. |
944 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { | 1002 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { |
945 CertificateList certs = | 1003 CertificateList certs = |
946 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1004 CreateCertificateListFromFile(GetTestCertsDirectory(), |
947 "duplicate_cn_1.pem", | 1005 "duplicate_cn_1.pem", |
948 X509Certificate::FORMAT_AUTO); | 1006 X509Certificate::FORMAT_AUTO); |
949 ASSERT_EQ(1U, certs.size()); | 1007 ASSERT_EQ(1U, certs.size()); |
950 | 1008 |
951 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 1009 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); |
952 | 1010 |
953 // Import server cert with default trust. | 1011 // Import server cert with default trust. |
954 NSSCertDatabase::ImportCertFailureList failed; | 1012 NSSCertDatabase::ImportCertFailureList failed; |
955 EXPECT_TRUE(cert_db_->ImportServerCert( | 1013 EXPECT_TRUE(cert_db_->ImportServerCert( |
956 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 1014 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
957 EXPECT_EQ(0U, failed.size()); | 1015 EXPECT_EQ(0U, failed.size()); |
958 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 1016 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
959 cert_db_->GetCertTrust(certs[0], SERVER_CERT)); | 1017 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); |
960 | 1018 |
961 CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle()); | 1019 CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle()); |
962 ASSERT_EQ(1U, new_certs.size()); | 1020 ASSERT_EQ(1U, new_certs.size()); |
963 | 1021 |
964 // Now attempt to import a different certificate with the same common name. | 1022 // Now attempt to import a different certificate with the same common name. |
965 CertificateList certs2 = | 1023 CertificateList certs2 = |
966 CreateCertificateListFromFile(GetTestCertsDirectory(), | 1024 CreateCertificateListFromFile(GetTestCertsDirectory(), |
967 "duplicate_cn_2.pem", | 1025 "duplicate_cn_2.pem", |
968 X509Certificate::FORMAT_AUTO); | 1026 X509Certificate::FORMAT_AUTO); |
969 ASSERT_EQ(1U, certs2.size()); | 1027 ASSERT_EQ(1U, certs2.size()); |
970 | 1028 |
971 // Import server cert with default trust. | 1029 // Import server cert with default trust. |
972 EXPECT_TRUE(cert_db_->ImportServerCert( | 1030 EXPECT_TRUE(cert_db_->ImportServerCert( |
973 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed)); | 1031 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed)); |
974 EXPECT_EQ(0U, failed.size()); | 1032 EXPECT_EQ(0U, failed.size()); |
975 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 1033 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, |
976 cert_db_->GetCertTrust(certs2[0], SERVER_CERT)); | 1034 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); |
977 | 1035 |
978 new_certs = ListCertsInSlot(slot_->os_module_handle()); | 1036 new_certs = ListCertsInSlot(slot_->os_module_handle()); |
979 ASSERT_EQ(2U, new_certs.size()); | 1037 ASSERT_EQ(2U, new_certs.size()); |
980 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, | 1038 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, |
981 new_certs[1]->os_cert_handle()->nickname); | 1039 new_certs[1]->os_cert_handle()->nickname); |
982 } | 1040 } |
983 | 1041 |
984 } // namespace net | 1042 } // namespace net |
OLD | NEW |