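--- a/UNKNOWN_PATH_PLACEHOLDER
+++ b/UNKNOWN_PATH_PLACEHOLDER
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <cert.h>
 #include <certdb.h>
 #include <pk11pub.h>
 
 #include <algorithm>
 
@@ -260,98 +260,98 @@
 base::string16(),
 true, // is_extractable
 NULL));
 
 // Test db should still be empty.
 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
 }
 
 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
 CertificateList certs = CreateCertificateListFromFile(
-GetTestCertsDirectory(), "root_ca_cert.crt",
+GetTestCertsDirectory(), "root_ca_cert.pem",
 X509Certificate::FORMAT_AUTO);
 ASSERT_EQ(1U, certs.size());
 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
 
 // Import it.
 NSSCertDatabase::ImportCertFailureList failed;
 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
 &failed));
 
 EXPECT_EQ(0U, failed.size());
 
 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
 ASSERT_EQ(1U, cert_list.size());
 scoped_refptr<X509Certificate> cert(cert_list[0]);
-EXPECT_EQ("Test CA", cert->subject().common_name);
+EXPECT_EQ("Test Root CA", cert->subject().common_name);
 
 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
 cert_db_->GetCertTrust(cert.get(), CA_CERT));
 
 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
 CERTDB_TRUSTED_CLIENT_CA),
 cert->os_cert_handle()->trust->sslFlags);
 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
 cert->os_cert_handle()->trust->emailFlags);
 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
 cert->os_cert_handle()->trust->objectSigningFlags);
 }
 
 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
 CertificateList certs = CreateCertificateListFromFile(
-GetTestCertsDirectory(), "root_ca_cert.crt",
+GetTestCertsDirectory(), "root_ca_cert.pem",
 X509Certificate::FORMAT_AUTO);
 ASSERT_EQ(1U, certs.size());
 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
 
 // Import it.
 NSSCertDatabase::ImportCertFailureList failed;
 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL,
 &failed));
 
 EXPECT_EQ(0U, failed.size());
 
 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
 ASSERT_EQ(1U, cert_list.size());
 scoped_refptr<X509Certificate> cert(cert_list[0]);
-EXPECT_EQ("Test CA", cert->subject().common_name);
+EXPECT_EQ("Test Root CA", cert->subject().common_name);
 
 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL,
 cert_db_->GetCertTrust(cert.get(), CA_CERT));
 
 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
 cert->os_cert_handle()->trust->sslFlags);
 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
 CERTDB_TRUSTED_CLIENT_CA),
 cert->os_cert_handle()->trust->emailFlags);
 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
 cert->os_cert_handle()->trust->objectSigningFlags);
 }
 
 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
 CertificateList certs = CreateCertificateListFromFile(
-GetTestCertsDirectory(), "root_ca_cert.crt",
+GetTestCertsDirectory(), "root_ca_cert.pem",
 X509Certificate::FORMAT_AUTO);
 ASSERT_EQ(1U, certs.size());
 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
 
 // Import it.
 NSSCertDatabase::ImportCertFailureList failed;
 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN,
 &failed));
 
 EXPECT_EQ(0U, failed.size());
 
 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
 ASSERT_EQ(1U, cert_list.size());
 scoped_refptr<X509Certificate> cert(cert_list[0]);
-EXPECT_EQ("Test CA", cert->subject().common_name);
+EXPECT_EQ("Test Root CA", cert->subject().common_name);
 
 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN,
 cert_db_->GetCertTrust(cert.get(), CA_CERT));
 
 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
 cert->os_cert_handle()->trust->sslFlags);
 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
 cert->os_cert_handle()->trust->emailFlags);
 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
 CERTDB_TRUSTED_CLIENT_CA),
@@ -483,43 +483,43 @@
 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
 
 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
 ASSERT_EQ(1U, cert_list.size());
 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
 }
 
 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
 CertificateList certs = CreateCertificateListFromFile(
-GetTestCertsDirectory(), "root_ca_cert.crt",
+GetTestCertsDirectory(), "root_ca_cert.pem",
 X509Certificate::FORMAT_AUTO);
 ASSERT_EQ(1U, certs.size());
 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
 
 // Import it.
 NSSCertDatabase::ImportCertFailureList failed;
 EXPECT_TRUE(cert_db_->ImportCACerts(
 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL |
 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed));
 
 ASSERT_EQ(2U, failed.size());
 // TODO(mattm): should check for net error equivalent of
 // SEC_ERROR_UNKNOWN_ISSUER
 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
 EXPECT_EQ(ERR_FAILED, failed[1].net_error);
 
 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
 ASSERT_EQ(1U, cert_list.size());
-EXPECT_EQ("Test CA", cert_list[0]->subject().common_name);
+EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name);
 }
 
 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired
 // certificate.
 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
 // Need to import intermediate cert for the verify of google cert, otherwise
 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which
 // will cause OCSPCreateSession on the main thread, which is not allowed.
 CertificateList certs = CreateCertificateListFromFile(
 GetTestCertsDirectory(), "google.chain.pem",
@@ -622,21 +622,21 @@
 flags,
 NULL,
 empty_cert_list_,
 &verify_result);
 EXPECT_EQ(OK, error);
 EXPECT_EQ(0U, verify_result.cert_status);
 }
 
 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
 CertificateList ca_certs = CreateCertificateListFromFile(
-GetTestCertsDirectory(), "root_ca_cert.crt",
+GetTestCertsDirectory(), "root_ca_cert.pem",
 X509Certificate::FORMAT_AUTO);
 ASSERT_EQ(1U, ca_certs.size());
 
 // Import CA cert and trust it.
 NSSCertDatabase::ImportCertFailureList failed;
 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
 &failed));
 EXPECT_EQ(0U, failed.size());
 
 CertificateList certs = CreateCertificateListFromFile(
@@ -664,21 +664,21 @@
 }
 
 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
 // Explicit distrust only works starting in NSS 3.13.
 if (!NSS_VersionCheck("3.13")) {
 LOG(INFO) << "test skipped on NSS < 3.13";
 return;
 }
 
 CertificateList ca_certs = CreateCertificateListFromFile(
-GetTestCertsDirectory(), "root_ca_cert.crt",
+GetTestCertsDirectory(), "root_ca_cert.pem",
 X509Certificate::FORMAT_AUTO);
 ASSERT_EQ(1U, ca_certs.size());
 
 // Import CA cert and trust it.
 NSSCertDatabase::ImportCertFailureList failed;
 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
 &failed));
 EXPECT_EQ(0U, failed.size());
 
 CertificateList certs = CreateCertificateListFromFile(
@@ -1033,10 +1033,10 @@
 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT));
 
 new_certs = ListCertsInSlot(slot_->os_module_handle());
 ASSERT_EQ(2U, new_certs.size());
 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname,
 new_certs[1]->os_cert_handle()->nickname);
 }
 
 } // namespace net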
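Review bot: The renamed fixture `"root_ca_cert.pem"` is now spelled out as a literal in six tests (ImportCACert_SSLTrust, ImportCACert_EmailTrust, ImportCACert_ObjSignTrust, ImportCACertNotHierarchy, ImportCaAndServerCert and ImportCaAndServerCert_DistrustServer) and its expected subject `"Test Root CA"` in four of them, so the next fixture rotation is again a multi-place edit that is easy to leave half-done. Hoisting both into file-scope constants, `const char kRootCaCertFile[] = "root_ca_cert.pem";` and `const char kRootCaCommonName[] = "Test Root CA";`, keeps the file name and the subject it is expected to carry in one place and makes a mismatch between the two impossible to introduce in a single test. ImportCaAndServerCert and ImportCaAndServerCert_DistrustServer continue past their hunks, so whether they also assert on the imported CA's subject is not visible here.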