| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be | 
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. | 
| 4 | 4 | 
| 5 #include <cert.h> | 5 #include <cert.h> | 
| 6 #include <certdb.h> | 6 #include <certdb.h> | 
| 7 #include <pk11pub.h> | 7 #include <pk11pub.h> | 
| 8 | 8 | 
| 9 #include <algorithm> | 9 #include <algorithm> | 
| 10 | 10 | 
| 260                                        base::string16(), | 260                                        base::string16(), | 
| 261                                        true,  // is_extractable | 261                                        true,  // is_extractable | 
| 262                                        NULL)); | 262                                        NULL)); | 
| 263 | 263 | 
| 264   // Test db should still be empty. | 264   // Test db should still be empty. | 
| 265   EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 265   EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); | 
| 266 } | 266 } | 
| 267 | 267 | 
| 268 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { | 268 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { | 
| 269   CertificateList certs = CreateCertificateListFromFile( | 269   CertificateList certs = CreateCertificateListFromFile( | 
| 270       GetTestCertsDirectory(), "root_ca_cert.crt", | 270       GetTestCertsDirectory(), "root_ca_cert.pem", | 
| 271       X509Certificate::FORMAT_AUTO); | 271       X509Certificate::FORMAT_AUTO); | 
| 272   ASSERT_EQ(1U, certs.size()); | 272   ASSERT_EQ(1U, certs.size()); | 
| 273   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 273   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 
| 274 | 274 | 
| 275   // Import it. | 275   // Import it. | 
| 276   NSSCertDatabase::ImportCertFailureList failed; | 276   NSSCertDatabase::ImportCertFailureList failed; | 
| 277   EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, | 277   EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, | 
| 278                                       &failed)); | 278                                       &failed)); | 
| 279 | 279 | 
| 280   EXPECT_EQ(0U, failed.size()); | 280   EXPECT_EQ(0U, failed.size()); | 
| 281 | 281 | 
| 282   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 282   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 
| 283   ASSERT_EQ(1U, cert_list.size()); | 283   ASSERT_EQ(1U, cert_list.size()); | 
| 284   scoped_refptr<X509Certificate> cert(cert_list[0]); | 284   scoped_refptr<X509Certificate> cert(cert_list[0]); | 
| 285   EXPECT_EQ("Test CA", cert->subject().common_name); | 285   EXPECT_EQ("Test Root CA", cert->subject().common_name); | 
| 286 | 286 | 
| 287   EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, | 287   EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, | 
| 288             cert_db_->GetCertTrust(cert.get(), CA_CERT)); | 288             cert_db_->GetCertTrust(cert.get(), CA_CERT)); | 
| 289 | 289 | 
| 290   EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | | 290   EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | | 
| 291                      CERTDB_TRUSTED_CLIENT_CA), | 291                      CERTDB_TRUSTED_CLIENT_CA), | 
| 292             cert->os_cert_handle()->trust->sslFlags); | 292             cert->os_cert_handle()->trust->sslFlags); | 
| 293   EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 293   EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 
| 294             cert->os_cert_handle()->trust->emailFlags); | 294             cert->os_cert_handle()->trust->emailFlags); | 
| 295   EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 295   EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 
| 296             cert->os_cert_handle()->trust->objectSigningFlags); | 296             cert->os_cert_handle()->trust->objectSigningFlags); | 
| 297 } | 297 } | 
| 298 | 298 | 
| 299 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { | 299 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { | 
| 300   CertificateList certs = CreateCertificateListFromFile( | 300   CertificateList certs = CreateCertificateListFromFile( | 
| 301       GetTestCertsDirectory(), "root_ca_cert.crt", | 301       GetTestCertsDirectory(), "root_ca_cert.pem", | 
| 302       X509Certificate::FORMAT_AUTO); | 302       X509Certificate::FORMAT_AUTO); | 
| 303   ASSERT_EQ(1U, certs.size()); | 303   ASSERT_EQ(1U, certs.size()); | 
| 304   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 304   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 
| 305 | 305 | 
| 306   // Import it. | 306   // Import it. | 
| 307   NSSCertDatabase::ImportCertFailureList failed; | 307   NSSCertDatabase::ImportCertFailureList failed; | 
| 308   EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL, | 308   EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL, | 
| 309                                       &failed)); | 309                                       &failed)); | 
| 310 | 310 | 
| 311   EXPECT_EQ(0U, failed.size()); | 311   EXPECT_EQ(0U, failed.size()); | 
| 312 | 312 | 
| 313   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 313   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 
| 314   ASSERT_EQ(1U, cert_list.size()); | 314   ASSERT_EQ(1U, cert_list.size()); | 
| 315   scoped_refptr<X509Certificate> cert(cert_list[0]); | 315   scoped_refptr<X509Certificate> cert(cert_list[0]); | 
| 316   EXPECT_EQ("Test CA", cert->subject().common_name); | 316   EXPECT_EQ("Test Root CA", cert->subject().common_name); | 
| 317 | 317 | 
| 318   EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL, | 318   EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL, | 
| 319             cert_db_->GetCertTrust(cert.get(), CA_CERT)); | 319             cert_db_->GetCertTrust(cert.get(), CA_CERT)); | 
| 320 | 320 | 
| 321   EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 321   EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 
| 322             cert->os_cert_handle()->trust->sslFlags); | 322             cert->os_cert_handle()->trust->sslFlags); | 
| 323   EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | | 323   EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | | 
| 324                      CERTDB_TRUSTED_CLIENT_CA), | 324                      CERTDB_TRUSTED_CLIENT_CA), | 
| 325             cert->os_cert_handle()->trust->emailFlags); | 325             cert->os_cert_handle()->trust->emailFlags); | 
| 326   EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 326   EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 
| 327             cert->os_cert_handle()->trust->objectSigningFlags); | 327             cert->os_cert_handle()->trust->objectSigningFlags); | 
| 328 } | 328 } | 
| 329 | 329 | 
| 330 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { | 330 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { | 
| 331   CertificateList certs = CreateCertificateListFromFile( | 331   CertificateList certs = CreateCertificateListFromFile( | 
| 332       GetTestCertsDirectory(), "root_ca_cert.crt", | 332       GetTestCertsDirectory(), "root_ca_cert.pem", | 
| 333       X509Certificate::FORMAT_AUTO); | 333       X509Certificate::FORMAT_AUTO); | 
| 334   ASSERT_EQ(1U, certs.size()); | 334   ASSERT_EQ(1U, certs.size()); | 
| 335   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 335   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); | 
| 336 | 336 | 
| 337   // Import it. | 337   // Import it. | 
| 338   NSSCertDatabase::ImportCertFailureList failed; | 338   NSSCertDatabase::ImportCertFailureList failed; | 
| 339   EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN, | 339   EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN, | 
| 340                                       &failed)); | 340                                       &failed)); | 
| 341 | 341 | 
| 342   EXPECT_EQ(0U, failed.size()); | 342   EXPECT_EQ(0U, failed.size()); | 
| 343 | 343 | 
| 344   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 344   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 
| 345   ASSERT_EQ(1U, cert_list.size()); | 345   ASSERT_EQ(1U, cert_list.size()); | 
| 346   scoped_refptr<X509Certificate> cert(cert_list[0]); | 346   scoped_refptr<X509Certificate> cert(cert_list[0]); | 
| 347   EXPECT_EQ("Test CA", cert->subject().common_name); | 347   EXPECT_EQ("Test Root CA", cert->subject().common_name); | 
| 348 | 348 | 
| 349   EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN, | 349   EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN, | 
| 350             cert_db_->GetCertTrust(cert.get(), CA_CERT)); | 350             cert_db_->GetCertTrust(cert.get(), CA_CERT)); | 
| 351 | 351 | 
| 352   EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 352   EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 
| 353             cert->os_cert_handle()->trust->sslFlags); | 353             cert->os_cert_handle()->trust->sslFlags); | 
| 354   EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 354   EXPECT_EQ(unsigned(CERTDB_VALID_CA), | 
| 355             cert->os_cert_handle()->trust->emailFlags); | 355             cert->os_cert_handle()->trust->emailFlags); | 
| 356   EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | | 356   EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | | 
| 357                      CERTDB_TRUSTED_CLIENT_CA), | 357                      CERTDB_TRUSTED_CLIENT_CA), | 
| 483   EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 483   EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 
| 484   EXPECT_EQ(ERR_FAILED, failed[1].net_error);  // The certificate expired. | 484   EXPECT_EQ(ERR_FAILED, failed[1].net_error);  // The certificate expired. | 
| 485 | 485 | 
| 486   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 486   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 
| 487   ASSERT_EQ(1U, cert_list.size()); | 487   ASSERT_EQ(1U, cert_list.size()); | 
| 488   EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 488   EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); | 
| 489 } | 489 } | 
| 490 | 490 | 
| 491 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { | 491 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { | 
| 492   CertificateList certs = CreateCertificateListFromFile( | 492   CertificateList certs = CreateCertificateListFromFile( | 
| 493       GetTestCertsDirectory(), "root_ca_cert.crt", | 493       GetTestCertsDirectory(), "root_ca_cert.pem", | 
| 494       X509Certificate::FORMAT_AUTO); | 494       X509Certificate::FORMAT_AUTO); | 
| 495   ASSERT_EQ(1U, certs.size()); | 495   ASSERT_EQ(1U, certs.size()); | 
| 496   ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 496   ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); | 
| 497   ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 497   ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); | 
| 498 | 498 | 
| 499   // Import it. | 499   // Import it. | 
| 500   NSSCertDatabase::ImportCertFailureList failed; | 500   NSSCertDatabase::ImportCertFailureList failed; | 
| 501   EXPECT_TRUE(cert_db_->ImportCACerts( | 501   EXPECT_TRUE(cert_db_->ImportCACerts( | 
| 502       certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL | | 502       certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL | | 
| 503       NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed)); | 503       NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed)); | 
| 504 | 504 | 
| 505   ASSERT_EQ(2U, failed.size()); | 505   ASSERT_EQ(2U, failed.size()); | 
| 506   // TODO(mattm): should check for net error equivalent of | 506   // TODO(mattm): should check for net error equivalent of | 
| 507   // SEC_ERROR_UNKNOWN_ISSUER | 507   // SEC_ERROR_UNKNOWN_ISSUER | 
| 508   EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); | 508   EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); | 
| 509   EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 509   EXPECT_EQ(ERR_FAILED, failed[0].net_error); | 
| 510   EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 510   EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); | 
| 511   EXPECT_EQ(ERR_FAILED, failed[1].net_error); | 511   EXPECT_EQ(ERR_FAILED, failed[1].net_error); | 
| 512 | 512 | 
| 513   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 513   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); | 
| 514   ASSERT_EQ(1U, cert_list.size()); | 514   ASSERT_EQ(1U, cert_list.size()); | 
| 515   EXPECT_EQ("Test CA", cert_list[0]->subject().common_name); | 515   EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name); | 
| 516 } | 516 } | 
| 517 | 517 | 
| 518 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired | 518 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired | 
| 519 // certificate. | 519 // certificate. | 
| 520 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { | 520 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { | 
| 521   // Need to import intermediate cert for the verify of google cert, otherwise | 521   // Need to import intermediate cert for the verify of google cert, otherwise | 
| 522   // it will try to fetch it automatically with cert_pi_useAIACertFetch, which | 522   // it will try to fetch it automatically with cert_pi_useAIACertFetch, which | 
| 523   // will cause OCSPCreateSession on the main thread, which is not allowed. | 523   // will cause OCSPCreateSession on the main thread, which is not allowed. | 
| 524   CertificateList certs = CreateCertificateListFromFile( | 524   CertificateList certs = CreateCertificateListFromFile( | 
| 525       GetTestCertsDirectory(), "google.chain.pem", | 525       GetTestCertsDirectory(), "google.chain.pem", | 
| 622                                   flags, | 622                                   flags, | 
| 623                                   NULL, | 623                                   NULL, | 
| 624                                   empty_cert_list_, | 624                                   empty_cert_list_, | 
| 625                                   &verify_result); | 625                                   &verify_result); | 
| 626   EXPECT_EQ(OK, error); | 626   EXPECT_EQ(OK, error); | 
| 627   EXPECT_EQ(0U, verify_result.cert_status); | 627   EXPECT_EQ(0U, verify_result.cert_status); | 
| 628 } | 628 } | 
| 629 | 629 | 
| 630 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { | 630 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { | 
| 631   CertificateList ca_certs = CreateCertificateListFromFile( | 631   CertificateList ca_certs = CreateCertificateListFromFile( | 
| 632       GetTestCertsDirectory(), "root_ca_cert.crt", | 632       GetTestCertsDirectory(), "root_ca_cert.pem", | 
| 633       X509Certificate::FORMAT_AUTO); | 633       X509Certificate::FORMAT_AUTO); | 
| 634   ASSERT_EQ(1U, ca_certs.size()); | 634   ASSERT_EQ(1U, ca_certs.size()); | 
| 635 | 635 | 
| 636   // Import CA cert and trust it. | 636   // Import CA cert and trust it. | 
| 637   NSSCertDatabase::ImportCertFailureList failed; | 637   NSSCertDatabase::ImportCertFailureList failed; | 
| 638   EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL, | 638   EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL, | 
| 639                                       &failed)); | 639                                       &failed)); | 
| 640   EXPECT_EQ(0U, failed.size()); | 640   EXPECT_EQ(0U, failed.size()); | 
| 641 | 641 | 
| 642   CertificateList certs = CreateCertificateListFromFile( | 642   CertificateList certs = CreateCertificateListFromFile( | 
| 664 } | 664 } | 
| 665 | 665 | 
| 666 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { | 666 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { | 
| 667   // Explicit distrust only works starting in NSS 3.13. | 667   // Explicit distrust only works starting in NSS 3.13. | 
| 668   if (!NSS_VersionCheck("3.13")) { | 668   if (!NSS_VersionCheck("3.13")) { | 
| 669     LOG(INFO) << "test skipped on NSS < 3.13"; | 669     LOG(INFO) << "test skipped on NSS < 3.13"; | 
| 670     return; | 670     return; | 
| 671   } | 671   } | 
| 672 | 672 | 
| 673   CertificateList ca_certs = CreateCertificateListFromFile( | 673   CertificateList ca_certs = CreateCertificateListFromFile( | 
| 674       GetTestCertsDirectory(), "root_ca_cert.crt", | 674       GetTestCertsDirectory(), "root_ca_cert.pem", | 
| 675       X509Certificate::FORMAT_AUTO); | 675       X509Certificate::FORMAT_AUTO); | 
| 676   ASSERT_EQ(1U, ca_certs.size()); | 676   ASSERT_EQ(1U, ca_certs.size()); | 
| 677 | 677 | 
| 678   // Import CA cert and trust it. | 678   // Import CA cert and trust it. | 
| 679   NSSCertDatabase::ImportCertFailureList failed; | 679   NSSCertDatabase::ImportCertFailureList failed; | 
| 680   EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL, | 680   EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL, | 
| 681                                       &failed)); | 681                                       &failed)); | 
| 682   EXPECT_EQ(0U, failed.size()); | 682   EXPECT_EQ(0U, failed.size()); | 
| 683 | 683 | 
| 684   CertificateList certs = CreateCertificateListFromFile( | 684   CertificateList certs = CreateCertificateListFromFile( | 
| 1033   EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 1033   EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, | 
| 1034             cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); | 1034             cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); | 
| 1035 | 1035 | 
| 1036   new_certs = ListCertsInSlot(slot_->os_module_handle()); | 1036   new_certs = ListCertsInSlot(slot_->os_module_handle()); | 
| 1037   ASSERT_EQ(2U, new_certs.size()); | 1037   ASSERT_EQ(2U, new_certs.size()); | 
| 1038   EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, | 1038   EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, | 
| 1039                new_certs[1]->os_cert_handle()->nickname); | 1039                new_certs[1]->os_cert_handle()->nickname); | 
| 1040 } | 1040 } | 
| 1041 | 1041 | 
| 1042 }  // namespace net | 1042 }  // namespace net | 
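Review bot: The renamed fixture `"root_ca_cert.pem"` and its new expected subject `"Test Root CA"` are now spelled out at six separate call sites (ImportCACert_SSLTrust, ImportCACert_EmailTrust, ImportCACert_ObjSignTrust, ImportCACertNotHierarchy, ImportCaAndServerCert and ImportCaAndServerCert_DistrustServer), so the next fixture change is again a six-site edit and an expected-CN update in four places. Hoisting both into file-scope constants, `const char kRootCaFile[] = "root_ca_cert.pem";` and `const char kRootCaCommonName[] = "Test Root CA";`, keeps the fixture and the common name it must carry in one place and makes a mismatch a single-line diff. The `ASSERT_EQ(1U, certs.size())` guard after each load is worth keeping as-is: with `X509Certificate::FORMAT_AUTO` a PEM file can carry more than one certificate, and the trust-flag expectations below each load only hold when exactly the root was imported. The bodies of ImportCaAndServerCert and ImportCaAndServerCert_DistrustServer continue outside the visible region, so any further `"Test CA"` expectation there is not confirmed here.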