| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h" | 5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h" |
| 6 | 6 |
| 7 #include "base/memory/ref_counted.h" | 7 #include "base/memory/ref_counted.h" |
| 8 #include "base/memory/scoped_ptr.h" | 8 #include "base/memory/scoped_ptr.h" |
| 9 #include "base/message_loop.h" | 9 #include "base/message_loop.h" |
| 10 #include "base/run_loop.h" | 10 #include "base/run_loop.h" |
| (...skipping 88 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 99 TestingProfileManager profile_manager_; | 99 TestingProfileManager profile_manager_; |
| 100 TestingProfile* profile_; | 100 TestingProfile* profile_; |
| 101 MockCertTrustAnchorProvider trust_provider_; | 101 MockCertTrustAnchorProvider trust_provider_; |
| 102 scoped_ptr<PolicyCertVerifier> cert_verifier_; | 102 scoped_ptr<PolicyCertVerifier> cert_verifier_; |
| 103 const net::CertificateList empty_cert_list_; | 103 const net::CertificateList empty_cert_list_; |
| 104 }; | 104 }; |
| 105 | 105 |
| 106 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) { | 106 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) { |
| 107 scoped_refptr<net::X509Certificate> cert = | 107 scoped_refptr<net::X509Certificate> cert = |
| 108 LoadCertificate("ok_cert.pem", net::SERVER_CERT); | 108 LoadCertificate("ok_cert.pem", net::SERVER_CERT); |
| 109 ASSERT_TRUE(cert); | 109 ASSERT_TRUE(cert.get()); |
| 110 | 110 |
| 111 // |cert| is untrusted, so Verify() fails. | 111 // |cert| is untrusted, so Verify() fails. |
| 112 net::CertVerifyResult verify_result; | 112 net::CertVerifyResult verify_result; |
| 113 net::TestCompletionCallback callback; | 113 net::TestCompletionCallback callback; |
| 114 net::CertVerifier::RequestHandle request_handle; | 114 net::CertVerifier::RequestHandle request_handle; |
| 115 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 115 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
| 116 .WillOnce(ReturnRef(empty_cert_list_)); | 116 .WillOnce(ReturnRef(empty_cert_list_)); |
| 117 int error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 117 int error = cert_verifier_->Verify(cert.get(), |
| 118 &verify_result, callback.callback(), | 118 "127.0.0.1", |
| 119 &request_handle, net::BoundNetLog()); | 119 0, |
| 120 NULL, |
| 121 &verify_result, |
| 122 callback.callback(), |
| 123 &request_handle, |
| 124 net::BoundNetLog()); |
| 120 Mock::VerifyAndClearExpectations(&trust_provider_); | 125 Mock::VerifyAndClearExpectations(&trust_provider_); |
| 121 ASSERT_EQ(net::ERR_IO_PENDING, error); | 126 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 122 ASSERT_TRUE(request_handle); | 127 ASSERT_TRUE(request_handle); |
| 123 error = callback.WaitForResult(); | 128 error = callback.WaitForResult(); |
| 124 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 129 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 125 | 130 |
| 126 // Issuing the same request again hits the cache. This tests the synchronous | 131 // Issuing the same request again hits the cache. This tests the synchronous |
| 127 // path. | 132 // path. |
| 128 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 133 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
| 129 .WillOnce(ReturnRef(empty_cert_list_)); | 134 .WillOnce(ReturnRef(empty_cert_list_)); |
| 130 error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 135 error = cert_verifier_->Verify(cert.get(), |
| 131 &verify_result, callback.callback(), | 136 "127.0.0.1", |
| 132 &request_handle, net::BoundNetLog()); | 137 0, |
| 138 NULL, |
| 139 &verify_result, |
| 140 callback.callback(), |
| 141 &request_handle, |
| 142 net::BoundNetLog()); |
| 133 Mock::VerifyAndClearExpectations(&trust_provider_); | 143 Mock::VerifyAndClearExpectations(&trust_provider_); |
| 134 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 144 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 135 | 145 |
| 136 // The profile is not tainted. | 146 // The profile is not tainted. |
| 137 base::RunLoop().RunUntilIdle(); | 147 base::RunLoop().RunUntilIdle(); |
| 138 EXPECT_FALSE( | 148 EXPECT_FALSE( |
| 139 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); | 149 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); |
| 140 } | 150 } |
| 141 | 151 |
| 142 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) { | 152 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) { |
| 143 // |ca_cert| is the issuer of |cert|. | 153 // |ca_cert| is the issuer of |cert|. |
| 144 scoped_refptr<net::X509Certificate> ca_cert = | 154 scoped_refptr<net::X509Certificate> ca_cert = |
| 145 LoadCertificate("root_ca_cert.crt", net::CA_CERT); | 155 LoadCertificate("root_ca_cert.crt", net::CA_CERT); |
| 146 ASSERT_TRUE(ca_cert); | 156 ASSERT_TRUE(ca_cert.get()); |
| 147 scoped_refptr<net::X509Certificate> cert = | 157 scoped_refptr<net::X509Certificate> cert = |
| 148 LoadCertificate("ok_cert.pem", net::SERVER_CERT); | 158 LoadCertificate("ok_cert.pem", net::SERVER_CERT); |
| 149 ASSERT_TRUE(cert); | 159 ASSERT_TRUE(cert.get()); |
| 150 | 160 |
| 151 // Make the database trust |ca_cert|. | 161 // Make the database trust |ca_cert|. |
| 152 net::CertificateList import_list; | 162 net::CertificateList import_list; |
| 153 import_list.push_back(ca_cert); | 163 import_list.push_back(ca_cert); |
| 154 net::NSSCertDatabase::ImportCertFailureList failure_list; | 164 net::NSSCertDatabase::ImportCertFailureList failure_list; |
| 155 ASSERT_TRUE(cert_db_->ImportCACerts( | 165 ASSERT_TRUE(cert_db_->ImportCACerts( |
| 156 import_list, net::NSSCertDatabase::TRUSTED_SSL, &failure_list)); | 166 import_list, net::NSSCertDatabase::TRUSTED_SSL, &failure_list)); |
| 157 ASSERT_TRUE(failure_list.empty()); | 167 ASSERT_TRUE(failure_list.empty()); |
| 158 | 168 |
| 159 // Verify that it is now trusted. | 169 // Verify that it is now trusted. |
| 160 net::NSSCertDatabase::TrustBits trust = | 170 net::NSSCertDatabase::TrustBits trust = |
| 161 cert_db_->GetCertTrust(ca_cert.get(), net::CA_CERT); | 171 cert_db_->GetCertTrust(ca_cert.get(), net::CA_CERT); |
| 162 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust); | 172 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust); |
| 163 | 173 |
| 164 // Verify() successfully verifies |cert| after it was imported. | 174 // Verify() successfully verifies |cert| after it was imported. |
| 165 net::CertVerifyResult verify_result; | 175 net::CertVerifyResult verify_result; |
| 166 net::TestCompletionCallback callback; | 176 net::TestCompletionCallback callback; |
| 167 net::CertVerifier::RequestHandle request_handle; | 177 net::CertVerifier::RequestHandle request_handle; |
| 168 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 178 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
| 169 .WillOnce(ReturnRef(empty_cert_list_)); | 179 .WillOnce(ReturnRef(empty_cert_list_)); |
| 170 int error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 180 int error = cert_verifier_->Verify(cert.get(), |
| 171 &verify_result, callback.callback(), | 181 "127.0.0.1", |
| 172 &request_handle, net::BoundNetLog()); | 182 0, |
| 183 NULL, |
| 184 &verify_result, |
| 185 callback.callback(), |
| 186 &request_handle, |
| 187 net::BoundNetLog()); |
| 173 Mock::VerifyAndClearExpectations(&trust_provider_); | 188 Mock::VerifyAndClearExpectations(&trust_provider_); |
| 174 ASSERT_EQ(net::ERR_IO_PENDING, error); | 189 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 175 ASSERT_TRUE(request_handle); | 190 ASSERT_TRUE(request_handle); |
| 176 error = callback.WaitForResult(); | 191 error = callback.WaitForResult(); |
| 177 EXPECT_EQ(net::OK, error); | 192 EXPECT_EQ(net::OK, error); |
| 178 | 193 |
| 179 // The profile is not tainted, since the certificate is trusted from the | 194 // The profile is not tainted, since the certificate is trusted from the |
| 180 // database. | 195 // database. |
| 181 base::RunLoop().RunUntilIdle(); | 196 base::RunLoop().RunUntilIdle(); |
| 182 EXPECT_FALSE( | 197 EXPECT_FALSE( |
| 183 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); | 198 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); |
| 184 } | 199 } |
| 185 | 200 |
| 186 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) { | 201 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) { |
| 187 if (!SupportsAdditionalTrustAnchors()) { | 202 if (!SupportsAdditionalTrustAnchors()) { |
| 188 LOG(INFO) << "Test skipped on this platform. NSS >= 3.14.2 required."; | 203 LOG(INFO) << "Test skipped on this platform. NSS >= 3.14.2 required."; |
| 189 return; | 204 return; |
| 190 } | 205 } |
| 191 | 206 |
| 192 // |ca_cert| is the issuer of |cert|. | 207 // |ca_cert| is the issuer of |cert|. |
| 193 scoped_refptr<net::X509Certificate> ca_cert = | 208 scoped_refptr<net::X509Certificate> ca_cert = |
| 194 LoadCertificate("root_ca_cert.crt", net::CA_CERT); | 209 LoadCertificate("root_ca_cert.crt", net::CA_CERT); |
| 195 ASSERT_TRUE(ca_cert); | 210 ASSERT_TRUE(ca_cert.get()); |
| 196 scoped_refptr<net::X509Certificate> cert = | 211 scoped_refptr<net::X509Certificate> cert = |
| 197 LoadCertificate("ok_cert.pem", net::SERVER_CERT); | 212 LoadCertificate("ok_cert.pem", net::SERVER_CERT); |
| 198 ASSERT_TRUE(cert); | 213 ASSERT_TRUE(cert.get()); |
| 199 | 214 |
| 200 net::CertificateList additional_trust_anchors; | 215 net::CertificateList additional_trust_anchors; |
| 201 additional_trust_anchors.push_back(ca_cert); | 216 additional_trust_anchors.push_back(ca_cert); |
| 202 | 217 |
| 203 // Verify() successfully verifies |cert|, using |ca_cert| from the list of | 218 // Verify() successfully verifies |cert|, using |ca_cert| from the list of |
| 204 // |additional_trust_anchors|. | 219 // |additional_trust_anchors|. |
| 205 net::CertVerifyResult verify_result; | 220 net::CertVerifyResult verify_result; |
| 206 net::TestCompletionCallback callback; | 221 net::TestCompletionCallback callback; |
| 207 net::CertVerifier::RequestHandle request_handle; | 222 net::CertVerifier::RequestHandle request_handle; |
| 208 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 223 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
| 209 .WillOnce(ReturnRef(additional_trust_anchors)); | 224 .WillOnce(ReturnRef(additional_trust_anchors)); |
| 210 int error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 225 int error = cert_verifier_->Verify(cert.get(), |
| 211 &verify_result, callback.callback(), | 226 "127.0.0.1", |
| 212 &request_handle, net::BoundNetLog()); | 227 0, |
| 228 NULL, |
| 229 &verify_result, |
| 230 callback.callback(), |
| 231 &request_handle, |
| 232 net::BoundNetLog()); |
| 213 Mock::VerifyAndClearExpectations(&trust_provider_); | 233 Mock::VerifyAndClearExpectations(&trust_provider_); |
| 214 ASSERT_EQ(net::ERR_IO_PENDING, error); | 234 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 215 ASSERT_TRUE(request_handle); | 235 ASSERT_TRUE(request_handle); |
| 216 error = callback.WaitForResult(); | 236 error = callback.WaitForResult(); |
| 217 EXPECT_EQ(net::OK, error); | 237 EXPECT_EQ(net::OK, error); |
| 218 | 238 |
| 219 // The profile becomes tainted after using the trust anchors that came from | 239 // The profile becomes tainted after using the trust anchors that came from |
| 220 // the policy configuration. | 240 // the policy configuration. |
| 221 base::RunLoop().RunUntilIdle(); | 241 base::RunLoop().RunUntilIdle(); |
| 222 EXPECT_TRUE( | 242 EXPECT_TRUE( |
| 223 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); | 243 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); |
| 224 } | 244 } |
| 225 | 245 |
| 226 TEST_F(PolicyCertVerifierTest, ProfileRemainsTainted) { | 246 TEST_F(PolicyCertVerifierTest, ProfileRemainsTainted) { |
| 227 if (!SupportsAdditionalTrustAnchors()) { | 247 if (!SupportsAdditionalTrustAnchors()) { |
| 228 LOG(INFO) << "Test skipped on this platform. NSS >= 3.14.2 required."; | 248 LOG(INFO) << "Test skipped on this platform. NSS >= 3.14.2 required."; |
| 229 return; | 249 return; |
| 230 } | 250 } |
| 231 | 251 |
| 232 // |ca_cert| is the issuer of |cert|. | 252 // |ca_cert| is the issuer of |cert|. |
| 233 scoped_refptr<net::X509Certificate> ca_cert = | 253 scoped_refptr<net::X509Certificate> ca_cert = |
| 234 LoadCertificate("root_ca_cert.crt", net::CA_CERT); | 254 LoadCertificate("root_ca_cert.crt", net::CA_CERT); |
| 235 ASSERT_TRUE(ca_cert); | 255 ASSERT_TRUE(ca_cert.get()); |
| 236 scoped_refptr<net::X509Certificate> cert = | 256 scoped_refptr<net::X509Certificate> cert = |
| 237 LoadCertificate("ok_cert.pem", net::SERVER_CERT); | 257 LoadCertificate("ok_cert.pem", net::SERVER_CERT); |
| 238 ASSERT_TRUE(cert); | 258 ASSERT_TRUE(cert.get()); |
| 239 | 259 |
| 240 net::CertificateList additional_trust_anchors; | 260 net::CertificateList additional_trust_anchors; |
| 241 additional_trust_anchors.push_back(ca_cert); | 261 additional_trust_anchors.push_back(ca_cert); |
| 242 | 262 |
| 243 // |cert| is untrusted, so Verify() fails. | 263 // |cert| is untrusted, so Verify() fails. |
| 244 net::CertVerifyResult verify_result; | 264 net::CertVerifyResult verify_result; |
| 245 net::TestCompletionCallback callback; | 265 net::TestCompletionCallback callback; |
| 246 net::CertVerifier::RequestHandle request_handle; | 266 net::CertVerifier::RequestHandle request_handle; |
| 247 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 267 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
| 248 .WillOnce(ReturnRef(empty_cert_list_)); | 268 .WillOnce(ReturnRef(empty_cert_list_)); |
| 249 int error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 269 int error = cert_verifier_->Verify(cert.get(), |
| 250 &verify_result, callback.callback(), | 270 "127.0.0.1", |
| 251 &request_handle, net::BoundNetLog()); | 271 0, |
| 272 NULL, |
| 273 &verify_result, |
| 274 callback.callback(), |
| 275 &request_handle, |
| 276 net::BoundNetLog()); |
| 252 Mock::VerifyAndClearExpectations(&trust_provider_); | 277 Mock::VerifyAndClearExpectations(&trust_provider_); |
| 253 ASSERT_EQ(net::ERR_IO_PENDING, error); | 278 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 254 ASSERT_TRUE(request_handle); | 279 ASSERT_TRUE(request_handle); |
| 255 error = callback.WaitForResult(); | 280 error = callback.WaitForResult(); |
| 256 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 281 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 257 | 282 |
| 258 // The profile is not tainted. | 283 // The profile is not tainted. |
| 259 base::RunLoop().RunUntilIdle(); | 284 base::RunLoop().RunUntilIdle(); |
| 260 EXPECT_FALSE( | 285 EXPECT_FALSE( |
| 261 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); | 286 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); |
| 262 | 287 |
| 263 // Verify() again with the additional trust anchors. | 288 // Verify() again with the additional trust anchors. |
| 264 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 289 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
| 265 .WillOnce(ReturnRef(additional_trust_anchors)); | 290 .WillOnce(ReturnRef(additional_trust_anchors)); |
| 266 error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 291 error = cert_verifier_->Verify(cert.get(), |
| 267 &verify_result, callback.callback(), | 292 "127.0.0.1", |
| 268 &request_handle, net::BoundNetLog()); | 293 0, |
| 294 NULL, |
| 295 &verify_result, |
| 296 callback.callback(), |
| 297 &request_handle, |
| 298 net::BoundNetLog()); |
| 269 Mock::VerifyAndClearExpectations(&trust_provider_); | 299 Mock::VerifyAndClearExpectations(&trust_provider_); |
| 270 ASSERT_EQ(net::ERR_IO_PENDING, error); | 300 ASSERT_EQ(net::ERR_IO_PENDING, error); |
| 271 ASSERT_TRUE(request_handle); | 301 ASSERT_TRUE(request_handle); |
| 272 error = callback.WaitForResult(); | 302 error = callback.WaitForResult(); |
| 273 EXPECT_EQ(net::OK, error); | 303 EXPECT_EQ(net::OK, error); |
| 274 | 304 |
| 275 // The profile becomes tainted after using the trust anchors that came from | 305 // The profile becomes tainted after using the trust anchors that came from |
| 276 // the policy configuration. | 306 // the policy configuration. |
| 277 base::RunLoop().RunUntilIdle(); | 307 base::RunLoop().RunUntilIdle(); |
| 278 EXPECT_TRUE( | 308 EXPECT_TRUE( |
| 279 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); | 309 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); |
| 280 | 310 |
| 281 // Verifying after removing the trust anchors should now fail. | 311 // Verifying after removing the trust anchors should now fail. |
| 282 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 312 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
| 283 .WillOnce(ReturnRef(empty_cert_list_)); | 313 .WillOnce(ReturnRef(empty_cert_list_)); |
| 284 error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 314 error = cert_verifier_->Verify(cert.get(), |
| 285 &verify_result, callback.callback(), | 315 "127.0.0.1", |
| 286 &request_handle, net::BoundNetLog()); | 316 0, |
| 317 NULL, |
| 318 &verify_result, |
| 319 callback.callback(), |
| 320 &request_handle, |
| 321 net::BoundNetLog()); |
| 287 Mock::VerifyAndClearExpectations(&trust_provider_); | 322 Mock::VerifyAndClearExpectations(&trust_provider_); |
| 288 // Note: this hits the cached result from the first Verify() in this test. | 323 // Note: this hits the cached result from the first Verify() in this test. |
| 289 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 324 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
| 290 | 325 |
| 291 // The profile is still tainted. | 326 // The profile is still tainted. |
| 292 base::RunLoop().RunUntilIdle(); | 327 base::RunLoop().RunUntilIdle(); |
| 293 EXPECT_TRUE( | 328 EXPECT_TRUE( |
| 294 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); | 329 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); |
| 295 } | 330 } |
| 296 | 331 |
| 297 } // namespace policy | 332 } // namespace policy |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 16998003:
Update CrOS to use scoped_refptr<T>::get() rather than implicit "operator T*" (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src