search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add signalSyncPoint to the WebGraphicsContext3D command buffer impls.
[chromium-blink-merge.git] / net / cert / nss_cert_database_unittest.cc
blobaa1bc25bbb369ea7ea0b8c5fb4d9209b62443c2c
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <cert.h>
6 #include <certdb.h>
7 #include <pk11pub.h>
8
9 #include <algorithm>
10
11 #include "base/file_util.h"
12 #include "base/files/file_path.h"
13 #include "base/lazy_instance.h"
14 #include "base/message_loop.h"
15 #include "base/path_service.h"
16 #include "base/string16.h"
17 #include "base/string_util.h"
18 #include "base/utf_string_conversions.h"
19 #include "crypto/nss_util.h"
20 #include "crypto/nss_util_internal.h"
21 #include "crypto/scoped_nss_types.h"
22 #include "net/base/crypto_module.h"
23 #include "net/base/net_errors.h"
24 #include "net/base/test_data_directory.h"
25 #include "net/cert/cert_status_flags.h"
26 #include "net/cert/cert_verify_proc_nss.h"
27 #include "net/cert/cert_verify_result.h"
28 #include "net/cert/nss_cert_database.h"
29 #include "net/cert/x509_certificate.h"
30 #include "net/test/cert_test_util.h"
31 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
32 #include "testing/gtest/include/gtest/gtest.h"
33
34 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
35 // the new name of the macro.
36 #if !defined(CERTDB_TERMINAL_RECORD)
37 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
38 #endif
39
40 namespace net {
41
42 class CertDatabaseNSSTest : public testing::Test {
43 public:
44 virtual void SetUp() {
45 ASSERT_TRUE(test_nssdb_.is_open());
46 cert_db_ = NSSCertDatabase::GetInstance();
47 slot_ = cert_db_->GetPublicModule();
48
49 // Test db should be empty at start of test.
50 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
51 }
52
53 virtual void TearDown() {
54 // Don't try to cleanup if the setup failed.
55 ASSERT_TRUE(slot_->os_module_handle());
56
57 EXPECT_TRUE(CleanupSlotContents());
58
59 // Run the message loop to process any observer callbacks (e.g. for the
60 // ClientSocketFactory singleton) so that the scoped ref ptrs created in
61 // NSSCertDatabase::NotifyObservers* get released.
62 MessageLoop::current()->RunUntilIdle();
63
64 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
65 }
66
67 protected:
68 static std::string ReadTestFile(const std::string& name) {
69 std::string result;
70 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name);
71 EXPECT_TRUE(file_util::ReadFileToString(cert_path, &result));
72 return result;
73 }
74
75 static bool ReadCertIntoList(const std::string& name,
76 CertificateList* certs) {
77 scoped_refptr<X509Certificate> cert(
78 ImportCertFromFile(GetTestCertsDirectory(), name));
79 if (!cert.get())
80 return false;
81
82 certs->push_back(cert);
83 return true;
84 }
85
86 static CertificateList ListCertsInSlot(PK11SlotInfo* slot) {
87 CertificateList result;
88 CERTCertList* cert_list = PK11_ListCertsInSlot(slot);
89 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
90 !CERT_LIST_END(node, cert_list);
91 node = CERT_LIST_NEXT(node)) {
92 result.push_back(X509Certificate::CreateFromHandle(
93 node->cert, X509Certificate::OSCertHandles()));
94 }
95 CERT_DestroyCertList(cert_list);
96
97 // Sort the result so that test comparisons can be deterministic.
98 std::sort(result.begin(), result.end(), X509Certificate::LessThan());
99 return result;
100 }
101
102 scoped_refptr<CryptoModule> slot_;
103 NSSCertDatabase* cert_db_;
104 const CertificateList empty_cert_list_;
105
106 private:
107 bool CleanupSlotContents() {
108 bool ok = true;
109 CertificateList certs = ListCertsInSlot(slot_->os_module_handle());
110 CERTCertTrust default_trust = {0};
111 for (size_t i = 0; i < certs.size(); ++i) {
112 // Reset cert trust values to defaults before deleting. Otherwise NSS
113 // somehow seems to remember the trust which can break following tests.
114 SECStatus srv = CERT_ChangeCertTrust(
115 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust);
116 if (srv != SECSuccess)
117 ok = false;
118
119 if (!cert_db_->DeleteCertAndKey(certs[i]))
120 ok = false;
121 }
122 return ok;
123 }
124
125 crypto::ScopedTestNSSDB test_nssdb_;
126 };
127
128 TEST_F(CertDatabaseNSSTest, ListCerts) {
129 // This test isn't terribly useful, though it will at least let valgrind test
130 // for leaks.
131 CertificateList certs;
132 cert_db_->ListCerts(&certs);
133 // The test DB is empty, but let's assume there will always be something in
134 // the other slots.
135 EXPECT_LT(0U, certs.size());
136 }
137
138 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {
139 std::string pkcs12_data = ReadTestFile("client.p12");
140
141 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,
142 cert_db_->ImportFromPKCS12(slot_,
143 pkcs12_data,
144 base::string16(),
145 true, // is_extractable
146 NULL));
147
148 // Test db should still be empty.
149 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
150 }
151
152 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {
153 std::string pkcs12_data = ReadTestFile("client.p12");
154
155 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_,
156 pkcs12_data,
157 ASCIIToUTF16("12345"),
158 true, // is_extractable
159 NULL));
160
161 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
162 ASSERT_EQ(1U, cert_list.size());
163 scoped_refptr<X509Certificate> cert(cert_list[0]);
164
165 EXPECT_EQ("testusercert",
166 cert->subject().common_name);
167
168 // TODO(mattm): move export test to separate test case?
169 std::string exported_data;
170 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
171 &exported_data));
172 ASSERT_LT(0U, exported_data.size());
173 // TODO(mattm): further verification of exported data?
174 }
175
176 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {
177 std::string pkcs12_data = ReadTestFile("client.p12");
178
179 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_,
180 pkcs12_data,
181 ASCIIToUTF16("12345"),
182 true, // is_extractable
183 NULL));
184 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
185
186 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like
187 // it's ever used. This test verifies that.
188 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_,
189 pkcs12_data,
190 ASCIIToUTF16("12345"),
191 true, // is_extractable
192 NULL));
193 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
194 }
195
196 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
197 std::string pkcs12_data = ReadTestFile("client.p12");
198
199 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_,
200 pkcs12_data,
201 ASCIIToUTF16("12345"),
202 false, // is_extractable
203 NULL));
204
205 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
206 ASSERT_EQ(1U, cert_list.size());
207 scoped_refptr<X509Certificate> cert(cert_list[0]);
208
209 EXPECT_EQ("testusercert",
210 cert->subject().common_name);
211
212 std::string exported_data;
213 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
214 &exported_data));
215 }
216
217 // Importing a PKCS#12 file with a certificate but no corresponding
218 // private key should not mark an existing private key as unextractable.
219 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) {
220 std::string pkcs12_data = ReadTestFile("client.p12");
221 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_,
222 pkcs12_data,
223 ASCIIToUTF16("12345"),
224 true, // is_extractable
225 NULL));
226
227 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
228 ASSERT_EQ(1U, cert_list.size());
229
230 // Now import a PKCS#12 file with just a certificate but no private key.
231 pkcs12_data = ReadTestFile("client-nokey.p12");
232 EXPECT_EQ(OK, cert_db_->ImportFromPKCS12(slot_,
233 pkcs12_data,
234 ASCIIToUTF16("12345"),
235 false, // is_extractable
236 NULL));
237
238 cert_list = ListCertsInSlot(slot_->os_module_handle());
239 ASSERT_EQ(1U, cert_list.size());
240
241 // Make sure the imported private key is still extractable.
242 std::string exported_data;
243 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
244 &exported_data));
245 ASSERT_LT(0U, exported_data.size());
246 }
247
248 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
249 std::string pkcs12_data = "Foobarbaz";
250
251 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,
252 cert_db_->ImportFromPKCS12(slot_,
253 pkcs12_data,
254 base::string16(),
255 true, // is_extractable
256 NULL));
257
258 // Test db should still be empty.
259 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
260 }
261
262 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
263 CertificateList certs = CreateCertificateListFromFile(
264 GetTestCertsDirectory(), "root_ca_cert.crt",
265 X509Certificate::FORMAT_AUTO);
266 ASSERT_EQ(1U, certs.size());
267 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
268
269 // Import it.
270 NSSCertDatabase::ImportCertFailureList failed;
271 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
272 &failed));
273
274 EXPECT_EQ(0U, failed.size());
275
276 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
277 ASSERT_EQ(1U, cert_list.size());
278 scoped_refptr<X509Certificate> cert(cert_list[0]);
279 EXPECT_EQ("Test CA", cert->subject().common_name);
280
281 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
282 cert_db_->GetCertTrust(cert.get(), CA_CERT));
283
284 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
285 CERTDB_TRUSTED_CLIENT_CA),
286 cert->os_cert_handle()->trust->sslFlags);
287 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
288 cert->os_cert_handle()->trust->emailFlags);
289 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
290 cert->os_cert_handle()->trust->objectSigningFlags);
291 }
292
293 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
294 CertificateList certs = CreateCertificateListFromFile(
295 GetTestCertsDirectory(), "root_ca_cert.crt",
296 X509Certificate::FORMAT_AUTO);
297 ASSERT_EQ(1U, certs.size());
298 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
299
300 // Import it.
301 NSSCertDatabase::ImportCertFailureList failed;
302 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL,
303 &failed));
304
305 EXPECT_EQ(0U, failed.size());
306
307 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
308 ASSERT_EQ(1U, cert_list.size());
309 scoped_refptr<X509Certificate> cert(cert_list[0]);
310 EXPECT_EQ("Test CA", cert->subject().common_name);
311
312 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL,
313 cert_db_->GetCertTrust(cert.get(), CA_CERT));
314
315 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
316 cert->os_cert_handle()->trust->sslFlags);
317 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
318 CERTDB_TRUSTED_CLIENT_CA),
319 cert->os_cert_handle()->trust->emailFlags);
320 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
321 cert->os_cert_handle()->trust->objectSigningFlags);
322 }
323
324 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
325 CertificateList certs = CreateCertificateListFromFile(
326 GetTestCertsDirectory(), "root_ca_cert.crt",
327 X509Certificate::FORMAT_AUTO);
328 ASSERT_EQ(1U, certs.size());
329 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
330
331 // Import it.
332 NSSCertDatabase::ImportCertFailureList failed;
333 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN,
334 &failed));
335
336 EXPECT_EQ(0U, failed.size());
337
338 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
339 ASSERT_EQ(1U, cert_list.size());
340 scoped_refptr<X509Certificate> cert(cert_list[0]);
341 EXPECT_EQ("Test CA", cert->subject().common_name);
342
343 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN,
344 cert_db_->GetCertTrust(cert.get(), CA_CERT));
345
346 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
347 cert->os_cert_handle()->trust->sslFlags);
348 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
349 cert->os_cert_handle()->trust->emailFlags);
350 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
351 CERTDB_TRUSTED_CLIENT_CA),
352 cert->os_cert_handle()->trust->objectSigningFlags);
353 }
354
355 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
356 CertificateList certs = CreateCertificateListFromFile(
357 GetTestCertsDirectory(), "google.single.pem",
358 X509Certificate::FORMAT_AUTO);
359 ASSERT_EQ(1U, certs.size());
360 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
361
362 // Import it.
363 NSSCertDatabase::ImportCertFailureList failed;
364 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
365 &failed));
366 ASSERT_EQ(1U, failed.size());
367 // Note: this compares pointers directly. It's okay in this case because
368 // ImportCACerts returns the same pointers that were passed in. In the
369 // general case IsSameOSCert should be used.
370 EXPECT_EQ(certs[0], failed[0].certificate);
371 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error);
372
373 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
374 }
375
376 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) {
377 CertificateList certs;
378 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
379 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
380 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
381
382 // Import it.
383 NSSCertDatabase::ImportCertFailureList failed;
384 // Have to specify email trust for the cert verification of the child cert to
385 // work (see
386 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#752
387 // "XXX This choice of trustType seems arbitrary.")
388 EXPECT_TRUE(cert_db_->ImportCACerts(
389 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
390 &failed));
391
392 ASSERT_EQ(2U, failed.size());
393 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
394 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
395 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name);
396 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error);
397
398 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
399 ASSERT_EQ(1U, cert_list.size());
400 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
401 }
402
403 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) {
404 CertificateList certs;
405 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
406
407 // First import just the root.
408 NSSCertDatabase::ImportCertFailureList failed;
409 EXPECT_TRUE(cert_db_->ImportCACerts(
410 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
411 &failed));
412
413 EXPECT_EQ(0U, failed.size());
414 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
415 ASSERT_EQ(1U, cert_list.size());
416 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
417
418 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
419 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
420
421 // Now import with the other certs in the list too. Even though the root is
422 // already present, we should still import the rest.
423 failed.clear();
424 EXPECT_TRUE(cert_db_->ImportCACerts(
425 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
426 &failed));
427
428 ASSERT_EQ(3U, failed.size());
429 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name);
430 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error);
431 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
432 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
433 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name);
434 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error);
435
436 cert_list = ListCertsInSlot(slot_->os_module_handle());
437 ASSERT_EQ(1U, cert_list.size());
438 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
439 }
440
441 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {
442 CertificateList certs;
443 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
444 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
445
446 // Import it.
447 NSSCertDatabase::ImportCertFailureList failed;
448 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT,
449 &failed));
450
451 ASSERT_EQ(1U, failed.size());
452 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
453 // TODO(mattm): should check for net error equivalent of
454 // SEC_ERROR_UNTRUSTED_ISSUER
455 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
456
457 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
458 ASSERT_EQ(1U, cert_list.size());
459 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
460 }
461
462 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) {
463 CertificateList certs;
464 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
465 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
466 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
467
468 // Import it.
469 NSSCertDatabase::ImportCertFailureList failed;
470 EXPECT_TRUE(cert_db_->ImportCACerts(
471 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
472 &failed));
473
474 EXPECT_EQ(2U, failed.size());
475 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
476 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
477 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
478 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
479
480 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
481 ASSERT_EQ(1U, cert_list.size());
482 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
483 }
484
485 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
486 CertificateList certs = CreateCertificateListFromFile(
487 GetTestCertsDirectory(), "root_ca_cert.crt",
488 X509Certificate::FORMAT_AUTO);
489 ASSERT_EQ(1U, certs.size());
490 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
491 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
492
493 // Import it.
494 NSSCertDatabase::ImportCertFailureList failed;
495 EXPECT_TRUE(cert_db_->ImportCACerts(
496 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL |
497 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed));
498
499 ASSERT_EQ(2U, failed.size());
500 // TODO(mattm): should check for net error equivalent of
501 // SEC_ERROR_UNKNOWN_ISSUER
502 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
503 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
504 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
505 EXPECT_EQ(ERR_FAILED, failed[1].net_error);
506
507 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
508 ASSERT_EQ(1U, cert_list.size());
509 EXPECT_EQ("Test CA", cert_list[0]->subject().common_name);
510 }
511
512 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired
513 // certificate.
514 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
515 // Need to import intermediate cert for the verify of google cert, otherwise
516 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which
517 // will cause OCSPCreateSession on the main thread, which is not allowed.
518 CertificateList certs = CreateCertificateListFromFile(
519 GetTestCertsDirectory(), "google.chain.pem",
520 X509Certificate::FORMAT_AUTO);
521 ASSERT_EQ(2U, certs.size());
522
523 NSSCertDatabase::ImportCertFailureList failed;
524 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
525 &failed));
526
527 EXPECT_EQ(0U, failed.size());
528
529 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
530 ASSERT_EQ(2U, cert_list.size());
531 scoped_refptr<X509Certificate> goog_cert(cert_list[0]);
532 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);
533 EXPECT_EQ("www.google.com", goog_cert->subject().common_name);
534 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);
535
536 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
537 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT));
538
539 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags);
540
541 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
542 int flags = 0;
543 CertVerifyResult verify_result;
544 int error = verify_proc->Verify(goog_cert, "www.google.com", flags,
545 NULL, empty_cert_list_, &verify_result);
546 EXPECT_EQ(OK, error);
547 EXPECT_EQ(0U, verify_result.cert_status);
548 }
549
550 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
551 CertificateList certs;
552 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
553
554 NSSCertDatabase::ImportCertFailureList failed;
555 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
556 &failed));
557
558 EXPECT_EQ(0U, failed.size());
559
560 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
561 ASSERT_EQ(1U, cert_list.size());
562 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
563
564 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
565 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
566 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags);
567
568 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
569 int flags = 0;
570 CertVerifyResult verify_result;
571 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags,
572 NULL, empty_cert_list_, &verify_result);
573 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
574 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
575 }
576
577 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
578 // When using CERT_PKIXVerifyCert (which we do), server trust only works from
579 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364.
580 if (!NSS_VersionCheck("3.13.4")) {
581 LOG(INFO) << "test skipped on NSS < 3.13.4";
582 return;
583 }
584
585 CertificateList certs;
586 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
587
588 NSSCertDatabase::ImportCertFailureList failed;
589 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL,
590 &failed));
591
592 EXPECT_EQ(0U, failed.size());
593
594 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
595 ASSERT_EQ(1U, cert_list.size());
596 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
597
598 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
599 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
600 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD),
601 puny_cert->os_cert_handle()->trust->sslFlags);
602
603 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
604 int flags = 0;
605 CertVerifyResult verify_result;
606 int error = verify_proc->Verify(puny_cert, "xn--wgv71a119e.com", flags,
607 NULL, empty_cert_list_, &verify_result);
608 EXPECT_EQ(OK, error);
609 EXPECT_EQ(0U, verify_result.cert_status);
610 }
611
612 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
613 CertificateList ca_certs = CreateCertificateListFromFile(
614 GetTestCertsDirectory(), "root_ca_cert.crt",
615 X509Certificate::FORMAT_AUTO);
616 ASSERT_EQ(1U, ca_certs.size());
617
618 // Import CA cert and trust it.
619 NSSCertDatabase::ImportCertFailureList failed;
620 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
621 &failed));
622 EXPECT_EQ(0U, failed.size());
623
624 CertificateList certs = CreateCertificateListFromFile(
625 GetTestCertsDirectory(), "ok_cert.pem",
626 X509Certificate::FORMAT_AUTO);
627 ASSERT_EQ(1U, certs.size());
628
629 // Import server cert with default trust.
630 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
631 &failed));
632 EXPECT_EQ(0U, failed.size());
633
634 // Server cert should verify.
635 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
636 int flags = 0;
637 CertVerifyResult verify_result;
638 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
639 NULL, empty_cert_list_, &verify_result);
640 EXPECT_EQ(OK, error);
641 EXPECT_EQ(0U, verify_result.cert_status);
642 }
643
644 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
645 // Explicit distrust only works starting in NSS 3.13.
646 if (!NSS_VersionCheck("3.13")) {
647 LOG(INFO) << "test skipped on NSS < 3.13";
648 return;
649 }
650
651 CertificateList ca_certs = CreateCertificateListFromFile(
652 GetTestCertsDirectory(), "root_ca_cert.crt",
653 X509Certificate::FORMAT_AUTO);
654 ASSERT_EQ(1U, ca_certs.size());
655
656 // Import CA cert and trust it.
657 NSSCertDatabase::ImportCertFailureList failed;
658 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
659 &failed));
660 EXPECT_EQ(0U, failed.size());
661
662 CertificateList certs = CreateCertificateListFromFile(
663 GetTestCertsDirectory(), "ok_cert.pem",
664 X509Certificate::FORMAT_AUTO);
665 ASSERT_EQ(1U, certs.size());
666
667 // Import server cert without inheriting trust from issuer (explicit
668 // distrust).
669 EXPECT_TRUE(cert_db_->ImportServerCert(
670 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
671 EXPECT_EQ(0U, failed.size());
672 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL,
673 cert_db_->GetCertTrust(certs[0], SERVER_CERT));
674
675 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
676 certs[0]->os_cert_handle()->trust->sslFlags);
677
678 // Server cert should fail to verify.
679 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
680 int flags = 0;
681 CertVerifyResult verify_result;
682 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
683 NULL, empty_cert_list_, &verify_result);
684 EXPECT_EQ(ERR_CERT_REVOKED, error);
685 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
686 }
687
688 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {
689 CertificateList ca_certs = CreateCertificateListFromFile(
690 GetTestCertsDirectory(), "2048-rsa-root.pem",
691 X509Certificate::FORMAT_AUTO);
692 ASSERT_EQ(1U, ca_certs.size());
693
694 // Import Root CA cert and distrust it.
695 NSSCertDatabase::ImportCertFailureList failed;
696 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL,
697 &failed));
698 EXPECT_EQ(0U, failed.size());
699
700 CertificateList intermediate_certs = CreateCertificateListFromFile(
701 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
702 X509Certificate::FORMAT_AUTO);
703 ASSERT_EQ(1U, intermediate_certs.size());
704
705 // Import Intermediate CA cert and trust it.
706 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
707 NSSCertDatabase::TRUSTED_SSL, &failed));
708 EXPECT_EQ(0U, failed.size());
709
710 CertificateList certs = CreateCertificateListFromFile(
711 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
712 X509Certificate::FORMAT_AUTO);
713 ASSERT_EQ(1U, certs.size());
714
715 // Import server cert with default trust.
716 EXPECT_TRUE(cert_db_->ImportServerCert(
717 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
718 EXPECT_EQ(0U, failed.size());
719 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
720 cert_db_->GetCertTrust(certs[0], SERVER_CERT));
721
722 // Server cert should verify.
723 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
724 int flags = 0;
725 CertVerifyResult verify_result;
726 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
727 NULL, empty_cert_list_, &verify_result);
728 EXPECT_EQ(OK, error);
729 EXPECT_EQ(0U, verify_result.cert_status);
730
731 // Explicit distrust only works starting in NSS 3.13.
732 if (!NSS_VersionCheck("3.13")) {
733 LOG(INFO) << "test partially skipped on NSS < 3.13";
734 return;
735 }
736
737 // Trust the root cert and distrust the intermediate.
738 EXPECT_TRUE(cert_db_->SetCertTrust(
739 ca_certs[0], CA_CERT, NSSCertDatabase::TRUSTED_SSL));
740 EXPECT_TRUE(cert_db_->SetCertTrust(
741 intermediate_certs[0], CA_CERT, NSSCertDatabase::DISTRUSTED_SSL));
742 EXPECT_EQ(
743 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA),
744 ca_certs[0]->os_cert_handle()->trust->sslFlags);
745 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
746 ca_certs[0]->os_cert_handle()->trust->emailFlags);
747 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
748 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags);
749 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
750 intermediate_certs[0]->os_cert_handle()->trust->sslFlags);
751 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
752 intermediate_certs[0]->os_cert_handle()->trust->emailFlags);
753 EXPECT_EQ(
754 unsigned(CERTDB_VALID_CA),
755 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags);
756
757 // Server cert should fail to verify.
758 CertVerifyResult verify_result2;
759 error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
760 NULL, empty_cert_list_, &verify_result2);
761 EXPECT_EQ(ERR_CERT_REVOKED, error);
762 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status);
763 }
764
765 // Fails on Linux. crbug.com/224612
766 #if defined(OS_LINUX)
767 #define MAYBE_TrustIntermediateCa2 DISABLED_TrustIntermediateCa2
768 #else
769 #define MAYBE_TrustIntermediateCa2 TrustIntermediateCa2
770 #endif
771
772 TEST_F(CertDatabaseNSSTest, MAYBE_TrustIntermediateCa2) {
773 NSSCertDatabase::ImportCertFailureList failed;
774
775 CertificateList intermediate_certs = CreateCertificateListFromFile(
776 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
777 X509Certificate::FORMAT_AUTO);
778 ASSERT_EQ(1U, intermediate_certs.size());
779
780 // Import Intermediate CA cert and trust it.
781 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
782 NSSCertDatabase::TRUSTED_SSL, &failed));
783 EXPECT_EQ(0U, failed.size());
784
785 CertificateList certs = CreateCertificateListFromFile(
786 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
787 X509Certificate::FORMAT_AUTO);
788 ASSERT_EQ(1U, certs.size());
789
790 // Import server cert with default trust.
791 EXPECT_TRUE(cert_db_->ImportServerCert(
792 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
793 EXPECT_EQ(0U, failed.size());
794 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
795 cert_db_->GetCertTrust(certs[0], SERVER_CERT));
796
797 // Server cert should verify.
798 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
799 int flags = 0;
800 CertVerifyResult verify_result;
801 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
802 NULL, empty_cert_list_, &verify_result);
803 EXPECT_EQ(OK, error);
804 EXPECT_EQ(0U, verify_result.cert_status);
805
806 // Without explicit trust of the intermediate, verification should fail.
807 EXPECT_TRUE(cert_db_->SetCertTrust(
808 intermediate_certs[0], CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
809
810 // Server cert should fail to verify.
811 CertVerifyResult verify_result2;
812 error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
813 NULL, empty_cert_list_, &verify_result2);
814 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
815 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
816 }
817
818 // Fails on Linux. crbug.com/224612
819 #if defined(OS_LINUX)
820 #define MAYBE_TrustIntermediateCa3 DISABLED_TrustIntermediateCa3
821 #else
822 #define MAYBE_TrustIntermediateCa3 TrustIntermediateCa3
823 #endif
824
825 TEST_F(CertDatabaseNSSTest, MAYBE_TrustIntermediateCa3) {
826 NSSCertDatabase::ImportCertFailureList failed;
827
828 CertificateList ca_certs = CreateCertificateListFromFile(
829 GetTestCertsDirectory(), "2048-rsa-root.pem",
830 X509Certificate::FORMAT_AUTO);
831 ASSERT_EQ(1U, ca_certs.size());
832
833 // Import Root CA cert and default trust it.
834 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT,
835 &failed));
836 EXPECT_EQ(0U, failed.size());
837
838 CertificateList intermediate_certs = CreateCertificateListFromFile(
839 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
840 X509Certificate::FORMAT_AUTO);
841 ASSERT_EQ(1U, intermediate_certs.size());
842
843 // Import Intermediate CA cert and trust it.
844 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
845 NSSCertDatabase::TRUSTED_SSL, &failed));
846 EXPECT_EQ(0U, failed.size());
847
848 CertificateList certs = CreateCertificateListFromFile(
849 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
850 X509Certificate::FORMAT_AUTO);
851 ASSERT_EQ(1U, certs.size());
852
853 // Import server cert with default trust.
854 EXPECT_TRUE(cert_db_->ImportServerCert(
855 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
856 EXPECT_EQ(0U, failed.size());
857 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
858 cert_db_->GetCertTrust(certs[0], SERVER_CERT));
859
860 // Server cert should verify.
861 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
862 int flags = 0;
863 CertVerifyResult verify_result;
864 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
865 NULL, empty_cert_list_, &verify_result);
866 EXPECT_EQ(OK, error);
867 EXPECT_EQ(0U, verify_result.cert_status);
868
869 // Without explicit trust of the intermediate, verification should fail.
870 EXPECT_TRUE(cert_db_->SetCertTrust(
871 intermediate_certs[0], CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
872
873 // Server cert should fail to verify.
874 CertVerifyResult verify_result2;
875 error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
876 NULL, empty_cert_list_, &verify_result2);
877 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
878 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
879 }
880
881 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
882 // Explicit distrust only works starting in NSS 3.13.
883 if (!NSS_VersionCheck("3.13")) {
884 LOG(INFO) << "test skipped on NSS < 3.13";
885 return;
886 }
887
888 NSSCertDatabase::ImportCertFailureList failed;
889
890 CertificateList ca_certs = CreateCertificateListFromFile(
891 GetTestCertsDirectory(), "2048-rsa-root.pem",
892 X509Certificate::FORMAT_AUTO);
893 ASSERT_EQ(1U, ca_certs.size());
894
895 // Import Root CA cert and trust it.
896 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
897 &failed));
898 EXPECT_EQ(0U, failed.size());
899
900 CertificateList intermediate_certs = CreateCertificateListFromFile(
901 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
902 X509Certificate::FORMAT_AUTO);
903 ASSERT_EQ(1U, intermediate_certs.size());
904
905 // Import Intermediate CA cert and distrust it.
906 EXPECT_TRUE(cert_db_->ImportCACerts(
907 intermediate_certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
908 EXPECT_EQ(0U, failed.size());
909
910 CertificateList certs = CreateCertificateListFromFile(
911 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
912 X509Certificate::FORMAT_AUTO);
913 ASSERT_EQ(1U, certs.size());
914
915 // Import server cert with default trust.
916 EXPECT_TRUE(cert_db_->ImportServerCert(
917 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
918 EXPECT_EQ(0U, failed.size());
919 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
920 cert_db_->GetCertTrust(certs[0], SERVER_CERT));
921
922 // Server cert should not verify.
923 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
924 int flags = 0;
925 CertVerifyResult verify_result;
926 int error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
927 NULL, empty_cert_list_, &verify_result);
928 EXPECT_EQ(ERR_CERT_REVOKED, error);
929 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
930
931 // Without explicit distrust of the intermediate, verification should succeed.
932 EXPECT_TRUE(cert_db_->SetCertTrust(
933 intermediate_certs[0], CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
934
935 // Server cert should verify.
936 CertVerifyResult verify_result2;
937 error = verify_proc->Verify(certs[0], "127.0.0.1", flags,
938 NULL, empty_cert_list_, &verify_result2);
939 EXPECT_EQ(OK, error);
940 EXPECT_EQ(0U, verify_result2.cert_status);
941 }
942
943 } // namespace net