OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h" | 5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h" |
6 | 6 |
7 #include "base/memory/ref_counted.h" | 7 #include "base/memory/ref_counted.h" |
8 #include "base/memory/scoped_ptr.h" | 8 #include "base/memory/scoped_ptr.h" |
9 #include "base/message_loop.h" | 9 #include "base/message_loop.h" |
10 #include "base/run_loop.h" | 10 #include "base/run_loop.h" |
(...skipping 88 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
99 TestingProfileManager profile_manager_; | 99 TestingProfileManager profile_manager_; |
100 TestingProfile* profile_; | 100 TestingProfile* profile_; |
101 MockCertTrustAnchorProvider trust_provider_; | 101 MockCertTrustAnchorProvider trust_provider_; |
102 scoped_ptr<PolicyCertVerifier> cert_verifier_; | 102 scoped_ptr<PolicyCertVerifier> cert_verifier_; |
103 const net::CertificateList empty_cert_list_; | 103 const net::CertificateList empty_cert_list_; |
104 }; | 104 }; |
105 | 105 |
106 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) { | 106 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) { |
107 scoped_refptr<net::X509Certificate> cert = | 107 scoped_refptr<net::X509Certificate> cert = |
108 LoadCertificate("ok_cert.pem", net::SERVER_CERT); | 108 LoadCertificate("ok_cert.pem", net::SERVER_CERT); |
109 ASSERT_TRUE(cert); | 109 ASSERT_TRUE(cert.get()); |
110 | 110 |
111 // |cert| is untrusted, so Verify() fails. | 111 // |cert| is untrusted, so Verify() fails. |
112 net::CertVerifyResult verify_result; | 112 net::CertVerifyResult verify_result; |
113 net::TestCompletionCallback callback; | 113 net::TestCompletionCallback callback; |
114 net::CertVerifier::RequestHandle request_handle; | 114 net::CertVerifier::RequestHandle request_handle; |
115 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 115 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
116 .WillOnce(ReturnRef(empty_cert_list_)); | 116 .WillOnce(ReturnRef(empty_cert_list_)); |
117 int error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 117 int error = cert_verifier_->Verify(cert.get(), |
118 &verify_result, callback.callback(), | 118 "127.0.0.1", |
119 &request_handle, net::BoundNetLog()); | 119 0, |
| 120 NULL, |
| 121 &verify_result, |
| 122 callback.callback(), |
| 123 &request_handle, |
| 124 net::BoundNetLog()); |
120 Mock::VerifyAndClearExpectations(&trust_provider_); | 125 Mock::VerifyAndClearExpectations(&trust_provider_); |
121 ASSERT_EQ(net::ERR_IO_PENDING, error); | 126 ASSERT_EQ(net::ERR_IO_PENDING, error); |
122 ASSERT_TRUE(request_handle); | 127 ASSERT_TRUE(request_handle); |
123 error = callback.WaitForResult(); | 128 error = callback.WaitForResult(); |
124 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 129 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
125 | 130 |
126 // Issuing the same request again hits the cache. This tests the synchronous | 131 // Issuing the same request again hits the cache. This tests the synchronous |
127 // path. | 132 // path. |
128 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 133 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
129 .WillOnce(ReturnRef(empty_cert_list_)); | 134 .WillOnce(ReturnRef(empty_cert_list_)); |
130 error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 135 error = cert_verifier_->Verify(cert.get(), |
131 &verify_result, callback.callback(), | 136 "127.0.0.1", |
132 &request_handle, net::BoundNetLog()); | 137 0, |
| 138 NULL, |
| 139 &verify_result, |
| 140 callback.callback(), |
| 141 &request_handle, |
| 142 net::BoundNetLog()); |
133 Mock::VerifyAndClearExpectations(&trust_provider_); | 143 Mock::VerifyAndClearExpectations(&trust_provider_); |
134 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 144 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
135 | 145 |
136 // The profile is not tainted. | 146 // The profile is not tainted. |
137 base::RunLoop().RunUntilIdle(); | 147 base::RunLoop().RunUntilIdle(); |
138 EXPECT_FALSE( | 148 EXPECT_FALSE( |
139 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); | 149 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); |
140 } | 150 } |
141 | 151 |
142 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) { | 152 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) { |
143 // |ca_cert| is the issuer of |cert|. | 153 // |ca_cert| is the issuer of |cert|. |
144 scoped_refptr<net::X509Certificate> ca_cert = | 154 scoped_refptr<net::X509Certificate> ca_cert = |
145 LoadCertificate("root_ca_cert.crt", net::CA_CERT); | 155 LoadCertificate("root_ca_cert.crt", net::CA_CERT); |
146 ASSERT_TRUE(ca_cert); | 156 ASSERT_TRUE(ca_cert.get()); |
147 scoped_refptr<net::X509Certificate> cert = | 157 scoped_refptr<net::X509Certificate> cert = |
148 LoadCertificate("ok_cert.pem", net::SERVER_CERT); | 158 LoadCertificate("ok_cert.pem", net::SERVER_CERT); |
149 ASSERT_TRUE(cert); | 159 ASSERT_TRUE(cert.get()); |
150 | 160 |
151 // Make the database trust |ca_cert|. | 161 // Make the database trust |ca_cert|. |
152 net::CertificateList import_list; | 162 net::CertificateList import_list; |
153 import_list.push_back(ca_cert); | 163 import_list.push_back(ca_cert); |
154 net::NSSCertDatabase::ImportCertFailureList failure_list; | 164 net::NSSCertDatabase::ImportCertFailureList failure_list; |
155 ASSERT_TRUE(cert_db_->ImportCACerts( | 165 ASSERT_TRUE(cert_db_->ImportCACerts( |
156 import_list, net::NSSCertDatabase::TRUSTED_SSL, &failure_list)); | 166 import_list, net::NSSCertDatabase::TRUSTED_SSL, &failure_list)); |
157 ASSERT_TRUE(failure_list.empty()); | 167 ASSERT_TRUE(failure_list.empty()); |
158 | 168 |
159 // Verify that it is now trusted. | 169 // Verify that it is now trusted. |
160 net::NSSCertDatabase::TrustBits trust = | 170 net::NSSCertDatabase::TrustBits trust = |
161 cert_db_->GetCertTrust(ca_cert.get(), net::CA_CERT); | 171 cert_db_->GetCertTrust(ca_cert.get(), net::CA_CERT); |
162 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust); | 172 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust); |
163 | 173 |
164 // Verify() successfully verifies |cert| after it was imported. | 174 // Verify() successfully verifies |cert| after it was imported. |
165 net::CertVerifyResult verify_result; | 175 net::CertVerifyResult verify_result; |
166 net::TestCompletionCallback callback; | 176 net::TestCompletionCallback callback; |
167 net::CertVerifier::RequestHandle request_handle; | 177 net::CertVerifier::RequestHandle request_handle; |
168 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 178 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
169 .WillOnce(ReturnRef(empty_cert_list_)); | 179 .WillOnce(ReturnRef(empty_cert_list_)); |
170 int error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 180 int error = cert_verifier_->Verify(cert.get(), |
171 &verify_result, callback.callback(), | 181 "127.0.0.1", |
172 &request_handle, net::BoundNetLog()); | 182 0, |
| 183 NULL, |
| 184 &verify_result, |
| 185 callback.callback(), |
| 186 &request_handle, |
| 187 net::BoundNetLog()); |
173 Mock::VerifyAndClearExpectations(&trust_provider_); | 188 Mock::VerifyAndClearExpectations(&trust_provider_); |
174 ASSERT_EQ(net::ERR_IO_PENDING, error); | 189 ASSERT_EQ(net::ERR_IO_PENDING, error); |
175 ASSERT_TRUE(request_handle); | 190 ASSERT_TRUE(request_handle); |
176 error = callback.WaitForResult(); | 191 error = callback.WaitForResult(); |
177 EXPECT_EQ(net::OK, error); | 192 EXPECT_EQ(net::OK, error); |
178 | 193 |
179 // The profile is not tainted, since the certificate is trusted from the | 194 // The profile is not tainted, since the certificate is trusted from the |
180 // database. | 195 // database. |
181 base::RunLoop().RunUntilIdle(); | 196 base::RunLoop().RunUntilIdle(); |
182 EXPECT_FALSE( | 197 EXPECT_FALSE( |
183 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); | 198 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); |
184 } | 199 } |
185 | 200 |
186 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) { | 201 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) { |
187 if (!SupportsAdditionalTrustAnchors()) { | 202 if (!SupportsAdditionalTrustAnchors()) { |
188 LOG(INFO) << "Test skipped on this platform. NSS >= 3.14.2 required."; | 203 LOG(INFO) << "Test skipped on this platform. NSS >= 3.14.2 required."; |
189 return; | 204 return; |
190 } | 205 } |
191 | 206 |
192 // |ca_cert| is the issuer of |cert|. | 207 // |ca_cert| is the issuer of |cert|. |
193 scoped_refptr<net::X509Certificate> ca_cert = | 208 scoped_refptr<net::X509Certificate> ca_cert = |
194 LoadCertificate("root_ca_cert.crt", net::CA_CERT); | 209 LoadCertificate("root_ca_cert.crt", net::CA_CERT); |
195 ASSERT_TRUE(ca_cert); | 210 ASSERT_TRUE(ca_cert.get()); |
196 scoped_refptr<net::X509Certificate> cert = | 211 scoped_refptr<net::X509Certificate> cert = |
197 LoadCertificate("ok_cert.pem", net::SERVER_CERT); | 212 LoadCertificate("ok_cert.pem", net::SERVER_CERT); |
198 ASSERT_TRUE(cert); | 213 ASSERT_TRUE(cert.get()); |
199 | 214 |
200 net::CertificateList additional_trust_anchors; | 215 net::CertificateList additional_trust_anchors; |
201 additional_trust_anchors.push_back(ca_cert); | 216 additional_trust_anchors.push_back(ca_cert); |
202 | 217 |
203 // Verify() successfully verifies |cert|, using |ca_cert| from the list of | 218 // Verify() successfully verifies |cert|, using |ca_cert| from the list of |
204 // |additional_trust_anchors|. | 219 // |additional_trust_anchors|. |
205 net::CertVerifyResult verify_result; | 220 net::CertVerifyResult verify_result; |
206 net::TestCompletionCallback callback; | 221 net::TestCompletionCallback callback; |
207 net::CertVerifier::RequestHandle request_handle; | 222 net::CertVerifier::RequestHandle request_handle; |
208 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 223 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
209 .WillOnce(ReturnRef(additional_trust_anchors)); | 224 .WillOnce(ReturnRef(additional_trust_anchors)); |
210 int error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 225 int error = cert_verifier_->Verify(cert.get(), |
211 &verify_result, callback.callback(), | 226 "127.0.0.1", |
212 &request_handle, net::BoundNetLog()); | 227 0, |
| 228 NULL, |
| 229 &verify_result, |
| 230 callback.callback(), |
| 231 &request_handle, |
| 232 net::BoundNetLog()); |
213 Mock::VerifyAndClearExpectations(&trust_provider_); | 233 Mock::VerifyAndClearExpectations(&trust_provider_); |
214 ASSERT_EQ(net::ERR_IO_PENDING, error); | 234 ASSERT_EQ(net::ERR_IO_PENDING, error); |
215 ASSERT_TRUE(request_handle); | 235 ASSERT_TRUE(request_handle); |
216 error = callback.WaitForResult(); | 236 error = callback.WaitForResult(); |
217 EXPECT_EQ(net::OK, error); | 237 EXPECT_EQ(net::OK, error); |
218 | 238 |
219 // The profile becomes tainted after using the trust anchors that came from | 239 // The profile becomes tainted after using the trust anchors that came from |
220 // the policy configuration. | 240 // the policy configuration. |
221 base::RunLoop().RunUntilIdle(); | 241 base::RunLoop().RunUntilIdle(); |
222 EXPECT_TRUE( | 242 EXPECT_TRUE( |
223 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); | 243 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); |
224 } | 244 } |
225 | 245 |
226 TEST_F(PolicyCertVerifierTest, ProfileRemainsTainted) { | 246 TEST_F(PolicyCertVerifierTest, ProfileRemainsTainted) { |
227 if (!SupportsAdditionalTrustAnchors()) { | 247 if (!SupportsAdditionalTrustAnchors()) { |
228 LOG(INFO) << "Test skipped on this platform. NSS >= 3.14.2 required."; | 248 LOG(INFO) << "Test skipped on this platform. NSS >= 3.14.2 required."; |
229 return; | 249 return; |
230 } | 250 } |
231 | 251 |
232 // |ca_cert| is the issuer of |cert|. | 252 // |ca_cert| is the issuer of |cert|. |
233 scoped_refptr<net::X509Certificate> ca_cert = | 253 scoped_refptr<net::X509Certificate> ca_cert = |
234 LoadCertificate("root_ca_cert.crt", net::CA_CERT); | 254 LoadCertificate("root_ca_cert.crt", net::CA_CERT); |
235 ASSERT_TRUE(ca_cert); | 255 ASSERT_TRUE(ca_cert.get()); |
236 scoped_refptr<net::X509Certificate> cert = | 256 scoped_refptr<net::X509Certificate> cert = |
237 LoadCertificate("ok_cert.pem", net::SERVER_CERT); | 257 LoadCertificate("ok_cert.pem", net::SERVER_CERT); |
238 ASSERT_TRUE(cert); | 258 ASSERT_TRUE(cert.get()); |
239 | 259 |
240 net::CertificateList additional_trust_anchors; | 260 net::CertificateList additional_trust_anchors; |
241 additional_trust_anchors.push_back(ca_cert); | 261 additional_trust_anchors.push_back(ca_cert); |
242 | 262 |
243 // |cert| is untrusted, so Verify() fails. | 263 // |cert| is untrusted, so Verify() fails. |
244 net::CertVerifyResult verify_result; | 264 net::CertVerifyResult verify_result; |
245 net::TestCompletionCallback callback; | 265 net::TestCompletionCallback callback; |
246 net::CertVerifier::RequestHandle request_handle; | 266 net::CertVerifier::RequestHandle request_handle; |
247 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 267 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
248 .WillOnce(ReturnRef(empty_cert_list_)); | 268 .WillOnce(ReturnRef(empty_cert_list_)); |
249 int error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 269 int error = cert_verifier_->Verify(cert.get(), |
250 &verify_result, callback.callback(), | 270 "127.0.0.1", |
251 &request_handle, net::BoundNetLog()); | 271 0, |
| 272 NULL, |
| 273 &verify_result, |
| 274 callback.callback(), |
| 275 &request_handle, |
| 276 net::BoundNetLog()); |
252 Mock::VerifyAndClearExpectations(&trust_provider_); | 277 Mock::VerifyAndClearExpectations(&trust_provider_); |
253 ASSERT_EQ(net::ERR_IO_PENDING, error); | 278 ASSERT_EQ(net::ERR_IO_PENDING, error); |
254 ASSERT_TRUE(request_handle); | 279 ASSERT_TRUE(request_handle); |
255 error = callback.WaitForResult(); | 280 error = callback.WaitForResult(); |
256 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 281 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
257 | 282 |
258 // The profile is not tainted. | 283 // The profile is not tainted. |
259 base::RunLoop().RunUntilIdle(); | 284 base::RunLoop().RunUntilIdle(); |
260 EXPECT_FALSE( | 285 EXPECT_FALSE( |
261 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); | 286 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); |
262 | 287 |
263 // Verify() again with the additional trust anchors. | 288 // Verify() again with the additional trust anchors. |
264 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 289 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
265 .WillOnce(ReturnRef(additional_trust_anchors)); | 290 .WillOnce(ReturnRef(additional_trust_anchors)); |
266 error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 291 error = cert_verifier_->Verify(cert.get(), |
267 &verify_result, callback.callback(), | 292 "127.0.0.1", |
268 &request_handle, net::BoundNetLog()); | 293 0, |
| 294 NULL, |
| 295 &verify_result, |
| 296 callback.callback(), |
| 297 &request_handle, |
| 298 net::BoundNetLog()); |
269 Mock::VerifyAndClearExpectations(&trust_provider_); | 299 Mock::VerifyAndClearExpectations(&trust_provider_); |
270 ASSERT_EQ(net::ERR_IO_PENDING, error); | 300 ASSERT_EQ(net::ERR_IO_PENDING, error); |
271 ASSERT_TRUE(request_handle); | 301 ASSERT_TRUE(request_handle); |
272 error = callback.WaitForResult(); | 302 error = callback.WaitForResult(); |
273 EXPECT_EQ(net::OK, error); | 303 EXPECT_EQ(net::OK, error); |
274 | 304 |
275 // The profile becomes tainted after using the trust anchors that came from | 305 // The profile becomes tainted after using the trust anchors that came from |
276 // the policy configuration. | 306 // the policy configuration. |
277 base::RunLoop().RunUntilIdle(); | 307 base::RunLoop().RunUntilIdle(); |
278 EXPECT_TRUE( | 308 EXPECT_TRUE( |
279 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); | 309 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); |
280 | 310 |
281 // Verifying after removing the trust anchors should now fail. | 311 // Verifying after removing the trust anchors should now fail. |
282 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) | 312 EXPECT_CALL(trust_provider_, GetAdditionalTrustAnchors()) |
283 .WillOnce(ReturnRef(empty_cert_list_)); | 313 .WillOnce(ReturnRef(empty_cert_list_)); |
284 error = cert_verifier_->Verify(cert, "127.0.0.1", 0, NULL, | 314 error = cert_verifier_->Verify(cert.get(), |
285 &verify_result, callback.callback(), | 315 "127.0.0.1", |
286 &request_handle, net::BoundNetLog()); | 316 0, |
| 317 NULL, |
| 318 &verify_result, |
| 319 callback.callback(), |
| 320 &request_handle, |
| 321 net::BoundNetLog()); |
287 Mock::VerifyAndClearExpectations(&trust_provider_); | 322 Mock::VerifyAndClearExpectations(&trust_provider_); |
288 // Note: this hits the cached result from the first Verify() in this test. | 323 // Note: this hits the cached result from the first Verify() in this test. |
289 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); | 324 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error); |
290 | 325 |
291 // The profile is still tainted. | 326 // The profile is still tainted. |
292 base::RunLoop().RunUntilIdle(); | 327 base::RunLoop().RunUntilIdle(); |
293 EXPECT_TRUE( | 328 EXPECT_TRUE( |
294 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); | 329 profile_->GetPrefs()->GetBoolean(prefs::kUsedPolicyCertificatesOnce)); |
295 } | 330 } |
296 | 331 |
297 } // namespace policy | 332 } // namespace policy |
OLD | NEW |