This source file includes following definitions.
- SwapCertList
- SetUp
- TearDown
- ReadTestFile
- ReadCertIntoList
- ListCertsInSlot
- CleanupSlotContents
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
- TEST_F
#include <cert.h>
#include <certdb.h>
#include <pk11pub.h>
#include <algorithm>
#include "base/bind.h"
#include "base/file_util.h"
#include "base/files/file_path.h"
#include "base/lazy_instance.h"
#include "base/message_loop/message_loop.h"
#include "base/message_loop/message_loop_proxy.h"
#include "base/path_service.h"
#include "base/run_loop.h"
#include "base/strings/string16.h"
#include "base/strings/string_util.h"
#include "base/strings/utf_string_conversions.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_nss_types.h"
#include "net/base/crypto_module.h"
#include "net/base/net_errors.h"
#include "net/base/test_data_directory.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/cert_verify_proc_nss.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/nss_cert_database.h"
#include "net/cert/x509_certificate.h"
#include "net/test/cert_test_util.h"
#include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
#include "testing/gtest/include/gtest/gtest.h"
#if !defined(CERTDB_TERMINAL_RECORD)
#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
#endif
using base::ASCIIToUTF16;
namespace net {
namespace {
void SwapCertList(CertificateList* destination,
scoped_ptr<CertificateList> source) {
ASSERT_TRUE(destination);
destination->swap(*source);
}
}
class CertDatabaseNSSTest : public testing::Test {
public:
virtual void SetUp() {
ASSERT_TRUE(test_nssdb_.is_open());
cert_db_ = NSSCertDatabase::GetInstance();
slot_ = cert_db_->GetPublicModule();
EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
}
virtual void TearDown() {
ASSERT_TRUE(slot_->os_module_handle());
EXPECT_TRUE(CleanupSlotContents());
base::MessageLoop::current()->RunUntilIdle();
EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
}
protected:
static std::string ReadTestFile(const std::string& name) {
std::string result;
base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name);
EXPECT_TRUE(base::ReadFileToString(cert_path, &result));
return result;
}
static bool ReadCertIntoList(const std::string& name,
CertificateList* certs) {
scoped_refptr<X509Certificate> cert(
ImportCertFromFile(GetTestCertsDirectory(), name));
if (!cert.get())
return false;
certs->push_back(cert);
return true;
}
static CertificateList ListCertsInSlot(PK11SlotInfo* slot) {
CertificateList result;
CERTCertList* cert_list = PK11_ListCertsInSlot(slot);
for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
!CERT_LIST_END(node, cert_list);
node = CERT_LIST_NEXT(node)) {
result.push_back(X509Certificate::CreateFromHandle(
node->cert, X509Certificate::OSCertHandles()));
}
CERT_DestroyCertList(cert_list);
std::sort(result.begin(), result.end(), X509Certificate::LessThan());
return result;
}
scoped_refptr<CryptoModule> slot_;
NSSCertDatabase* cert_db_;
const CertificateList empty_cert_list_;
private:
bool CleanupSlotContents() {
bool ok = true;
CertificateList certs = ListCertsInSlot(slot_->os_module_handle());
CERTCertTrust default_trust = {0};
for (size_t i = 0; i < certs.size(); ++i) {
SECStatus srv = CERT_ChangeCertTrust(
CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust);
if (srv != SECSuccess)
ok = false;
if (!cert_db_->DeleteCertAndKey(certs[i].get()))
ok = false;
}
return ok;
}
crypto::ScopedTestNSSDB test_nssdb_;
};
TEST_F(CertDatabaseNSSTest, ListCertsSync) {
CertificateList certs;
cert_db_->ListCertsSync(&certs);
EXPECT_LT(0U, certs.size());
}
TEST_F(CertDatabaseNSSTest, ListCerts) {
CertificateList certs;
cert_db_->SetSlowTaskRunnerForTest(base::MessageLoopProxy::current());
cert_db_->ListCerts(base::Bind(&SwapCertList, base::Unretained(&certs)));
EXPECT_EQ(0U, certs.size());
base::RunLoop().RunUntilIdle();
EXPECT_LT(0U, certs.size());
}
TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {
std::string pkcs12_data = ReadTestFile("client.p12");
EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,
cert_db_->ImportFromPKCS12(slot_.get(),
pkcs12_data,
base::string16(),
true,
NULL));
EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
}
TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {
std::string pkcs12_data = ReadTestFile("client.p12");
EXPECT_EQ(OK,
cert_db_->ImportFromPKCS12(slot_.get(),
pkcs12_data,
ASCIIToUTF16("12345"),
true,
NULL));
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
EXPECT_EQ("testusercert",
cert->subject().common_name);
std::string exported_data;
EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
&exported_data));
ASSERT_LT(0U, exported_data.size());
}
TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {
std::string pkcs12_data = ReadTestFile("client.p12");
EXPECT_EQ(OK,
cert_db_->ImportFromPKCS12(slot_.get(),
pkcs12_data,
ASCIIToUTF16("12345"),
true,
NULL));
EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
EXPECT_EQ(OK,
cert_db_->ImportFromPKCS12(slot_.get(),
pkcs12_data,
ASCIIToUTF16("12345"),
true,
NULL));
EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
}
TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
std::string pkcs12_data = ReadTestFile("client.p12");
EXPECT_EQ(OK,
cert_db_->ImportFromPKCS12(slot_.get(),
pkcs12_data,
ASCIIToUTF16("12345"),
false,
NULL));
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
EXPECT_EQ("testusercert",
cert->subject().common_name);
std::string exported_data;
EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
&exported_data));
}
TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) {
std::string pkcs12_data = ReadTestFile("client.p12");
EXPECT_EQ(OK,
cert_db_->ImportFromPKCS12(slot_.get(),
pkcs12_data,
ASCIIToUTF16("12345"),
true,
NULL));
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
pkcs12_data = ReadTestFile("client-nokey.p12");
EXPECT_EQ(OK,
cert_db_->ImportFromPKCS12(slot_.get(),
pkcs12_data,
ASCIIToUTF16("12345"),
false,
NULL));
cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
std::string exported_data;
EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
&exported_data));
ASSERT_LT(0U, exported_data.size());
}
TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
std::string pkcs12_data = "Foobarbaz";
EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,
cert_db_->ImportFromPKCS12(slot_.get(),
pkcs12_data,
base::string16(),
true,
NULL));
EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
}
TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, certs.size());
EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
&failed));
EXPECT_EQ(0U, failed.size());
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
EXPECT_EQ("Test Root CA", cert->subject().common_name);
EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
cert_db_->GetCertTrust(cert.get(), CA_CERT));
EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
CERTDB_TRUSTED_CLIENT_CA),
cert->os_cert_handle()->trust->sslFlags);
EXPECT_EQ(unsigned(CERTDB_VALID_CA),
cert->os_cert_handle()->trust->emailFlags);
EXPECT_EQ(unsigned(CERTDB_VALID_CA),
cert->os_cert_handle()->trust->objectSigningFlags);
}
TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, certs.size());
EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL,
&failed));
EXPECT_EQ(0U, failed.size());
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
EXPECT_EQ("Test Root CA", cert->subject().common_name);
EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL,
cert_db_->GetCertTrust(cert.get(), CA_CERT));
EXPECT_EQ(unsigned(CERTDB_VALID_CA),
cert->os_cert_handle()->trust->sslFlags);
EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
CERTDB_TRUSTED_CLIENT_CA),
cert->os_cert_handle()->trust->emailFlags);
EXPECT_EQ(unsigned(CERTDB_VALID_CA),
cert->os_cert_handle()->trust->objectSigningFlags);
}
TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, certs.size());
EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN,
&failed));
EXPECT_EQ(0U, failed.size());
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> cert(cert_list[0]);
EXPECT_EQ("Test Root CA", cert->subject().common_name);
EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN,
cert_db_->GetCertTrust(cert.get(), CA_CERT));
EXPECT_EQ(unsigned(CERTDB_VALID_CA),
cert->os_cert_handle()->trust->sslFlags);
EXPECT_EQ(unsigned(CERTDB_VALID_CA),
cert->os_cert_handle()->trust->emailFlags);
EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
CERTDB_TRUSTED_CLIENT_CA),
cert->os_cert_handle()->trust->objectSigningFlags);
}
TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "ok_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, certs.size());
EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
&failed));
ASSERT_EQ(1U, failed.size());
EXPECT_EQ(certs[0], failed[0].certificate);
EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error);
EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
}
TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) {
CertificateList certs;
ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportCACerts(
certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
&failed));
ASSERT_EQ(2U, failed.size());
EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
EXPECT_EQ(ERR_FAILED, failed[0].net_error);
EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name);
EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error);
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
}
TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) {
CertificateList certs;
ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportCACerts(
certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
&failed));
EXPECT_EQ(0U, failed.size());
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
failed.clear();
EXPECT_TRUE(cert_db_->ImportCACerts(
certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
&failed));
ASSERT_EQ(3U, failed.size());
EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name);
EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error);
EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
EXPECT_EQ(ERR_FAILED, failed[1].net_error);
EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name);
EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error);
cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
}
TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {
CertificateList certs;
ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT,
&failed));
ASSERT_EQ(1U, failed.size());
EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
EXPECT_EQ(ERR_FAILED, failed[0].net_error);
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
}
TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) {
CertificateList certs;
ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportCACerts(
certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
&failed));
EXPECT_EQ(2U, failed.size());
EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
EXPECT_EQ(ERR_FAILED, failed[0].net_error);
EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
EXPECT_EQ(ERR_FAILED, failed[1].net_error);
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
}
TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, certs.size());
ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportCACerts(
certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL |
NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed));
ASSERT_EQ(2U, failed.size());
EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
EXPECT_EQ(ERR_FAILED, failed[0].net_error);
EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
EXPECT_EQ(ERR_FAILED, failed[1].net_error);
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name);
}
TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "google.chain.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(2U, certs.size());
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
&failed));
EXPECT_EQ(0U, failed.size());
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(2U, cert_list.size());
scoped_refptr<X509Certificate> goog_cert(cert_list[0]);
scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);
EXPECT_EQ("www.google.com", goog_cert->subject().common_name);
EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);
EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT));
EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags);
scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
int flags = 0;
CertVerifyResult verify_result;
int error = verify_proc->Verify(goog_cert.get(),
"www.google.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
}
TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
CertificateList certs;
ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
&failed));
EXPECT_EQ(0U, failed.size());
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags);
scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
int flags = 0;
CertVerifyResult verify_result;
int error = verify_proc->Verify(puny_cert.get(),
"xn--wgv71a119e.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
}
TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
CertificateList certs;
ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL,
&failed));
EXPECT_EQ(0U, failed.size());
CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, cert_list.size());
scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD),
puny_cert->os_cert_handle()->trust->sslFlags);
scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
int flags = 0;
CertVerifyResult verify_result;
int error = verify_proc->Verify(puny_cert.get(),
"xn--wgv71a119e.com",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
}
TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
CertificateList ca_certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_certs.size());
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
&failed));
EXPECT_EQ(0U, failed.size());
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "ok_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, certs.size());
EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
&failed));
EXPECT_EQ(0U, failed.size());
scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
int flags = 0;
CertVerifyResult verify_result;
int error = verify_proc->Verify(certs[0].get(),
"127.0.0.1",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
}
TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
CertificateList ca_certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "root_ca_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_certs.size());
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
&failed));
EXPECT_EQ(0U, failed.size());
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "ok_cert.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, certs.size());
EXPECT_TRUE(cert_db_->ImportServerCert(
certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
EXPECT_EQ(0U, failed.size());
EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL,
cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
certs[0]->os_cert_handle()->trust->sslFlags);
scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
int flags = 0;
CertVerifyResult verify_result;
int error = verify_proc->Verify(certs[0].get(),
"127.0.0.1",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(ERR_CERT_REVOKED, error);
EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
}
TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {
CertificateList ca_certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "2048-rsa-root.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_certs.size());
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL,
&failed));
EXPECT_EQ(0U, failed.size());
CertificateList intermediate_certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, intermediate_certs.size());
EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
NSSCertDatabase::TRUSTED_SSL, &failed));
EXPECT_EQ(0U, failed.size());
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, certs.size());
EXPECT_TRUE(cert_db_->ImportServerCert(
certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
EXPECT_EQ(0U, failed.size());
EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
int flags = 0;
CertVerifyResult verify_result;
int error = verify_proc->Verify(certs[0].get(),
"127.0.0.1",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
EXPECT_TRUE(cert_db_->SetCertTrust(
ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL));
EXPECT_TRUE(cert_db_->SetCertTrust(
intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL));
EXPECT_EQ(
unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA),
ca_certs[0]->os_cert_handle()->trust->sslFlags);
EXPECT_EQ(unsigned(CERTDB_VALID_CA),
ca_certs[0]->os_cert_handle()->trust->emailFlags);
EXPECT_EQ(unsigned(CERTDB_VALID_CA),
ca_certs[0]->os_cert_handle()->trust->objectSigningFlags);
EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
intermediate_certs[0]->os_cert_handle()->trust->sslFlags);
EXPECT_EQ(unsigned(CERTDB_VALID_CA),
intermediate_certs[0]->os_cert_handle()->trust->emailFlags);
EXPECT_EQ(
unsigned(CERTDB_VALID_CA),
intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags);
CertVerifyResult verify_result2;
error = verify_proc->Verify(certs[0].get(),
"127.0.0.1",
flags,
NULL,
empty_cert_list_,
&verify_result2);
EXPECT_EQ(ERR_CERT_REVOKED, error);
EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status);
}
TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) {
if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
return;
}
NSSCertDatabase::ImportCertFailureList failed;
CertificateList intermediate_certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, intermediate_certs.size());
EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
NSSCertDatabase::TRUSTED_SSL, &failed));
EXPECT_EQ(0U, failed.size());
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, certs.size());
EXPECT_TRUE(cert_db_->ImportServerCert(
certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
EXPECT_EQ(0U, failed.size());
EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
int flags = 0;
CertVerifyResult verify_result;
int error = verify_proc->Verify(certs[0].get(),
"127.0.0.1",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
EXPECT_TRUE(cert_db_->SetCertTrust(
intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
CertVerifyResult verify_result2;
error = verify_proc->Verify(certs[0].get(),
"127.0.0.1",
flags,
NULL,
empty_cert_list_,
&verify_result2);
EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
}
TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) {
if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
return;
}
NSSCertDatabase::ImportCertFailureList failed;
CertificateList ca_certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "2048-rsa-root.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_certs.size());
EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT,
&failed));
EXPECT_EQ(0U, failed.size());
CertificateList intermediate_certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, intermediate_certs.size());
EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
NSSCertDatabase::TRUSTED_SSL, &failed));
EXPECT_EQ(0U, failed.size());
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, certs.size());
EXPECT_TRUE(cert_db_->ImportServerCert(
certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
EXPECT_EQ(0U, failed.size());
EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
int flags = 0;
CertVerifyResult verify_result;
int error = verify_proc->Verify(certs[0].get(),
"127.0.0.1",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result.cert_status);
EXPECT_TRUE(cert_db_->SetCertTrust(
intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
CertVerifyResult verify_result2;
error = verify_proc->Verify(certs[0].get(),
"127.0.0.1",
flags,
NULL,
empty_cert_list_,
&verify_result2);
EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
}
TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
NSSCertDatabase::ImportCertFailureList failed;
CertificateList ca_certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "2048-rsa-root.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, ca_certs.size());
EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
&failed));
EXPECT_EQ(0U, failed.size());
CertificateList intermediate_certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, intermediate_certs.size());
EXPECT_TRUE(cert_db_->ImportCACerts(
intermediate_certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
EXPECT_EQ(0U, failed.size());
CertificateList certs = CreateCertificateListFromFile(
GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, certs.size());
EXPECT_TRUE(cert_db_->ImportServerCert(
certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
EXPECT_EQ(0U, failed.size());
EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
int flags = 0;
CertVerifyResult verify_result;
int error = verify_proc->Verify(certs[0].get(),
"127.0.0.1",
flags,
NULL,
empty_cert_list_,
&verify_result);
EXPECT_EQ(ERR_CERT_REVOKED, error);
EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
EXPECT_TRUE(cert_db_->SetCertTrust(
intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
CertVerifyResult verify_result2;
error = verify_proc->Verify(certs[0].get(),
"127.0.0.1",
flags,
NULL,
empty_cert_list_,
&verify_result2);
EXPECT_EQ(OK, error);
EXPECT_EQ(0U, verify_result2.cert_status);
}
TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {
CertificateList certs =
CreateCertificateListFromFile(GetTestCertsDirectory(),
"duplicate_cn_1.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, certs.size());
EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
NSSCertDatabase::ImportCertFailureList failed;
EXPECT_TRUE(cert_db_->ImportServerCert(
certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
EXPECT_EQ(0U, failed.size());
EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(1U, new_certs.size());
CertificateList certs2 =
CreateCertificateListFromFile(GetTestCertsDirectory(),
"duplicate_cn_2.pem",
X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, certs2.size());
EXPECT_TRUE(cert_db_->ImportServerCert(
certs2, NSSCertDatabase::TRUST_DEFAULT, &failed));
EXPECT_EQ(0U, failed.size());
EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT));
new_certs = ListCertsInSlot(slot_->os_module_handle());
ASSERT_EQ(2U, new_certs.size());
EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname,
new_certs[1]->os_cert_handle()->nickname);
}
}