search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Supervised user whitelists: Cleanup
[chromium-blink-merge.git] / net / cert / nss_cert_database_unittest.cc
blob9b026cc472734355527e491987faa80b2cb495da
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <cert.h>
6 #include <certdb.h>
7 #include <pk11pub.h>
8
9 #include <algorithm>
10
11 #include "base/bind.h"
12 #include "base/files/file_path.h"
13 #include "base/files/file_util.h"
14 #include "base/lazy_instance.h"
15 #include "base/message_loop/message_loop.h"
16 #include "base/message_loop/message_loop_proxy.h"
17 #include "base/run_loop.h"
18 #include "base/strings/string16.h"
19 #include "base/strings/string_util.h"
20 #include "base/strings/utf_string_conversions.h"
21 #include "crypto/scoped_nss_types.h"
22 #include "crypto/scoped_test_nss_db.h"
23 #include "net/base/crypto_module.h"
24 #include "net/base/net_errors.h"
25 #include "net/base/test_data_directory.h"
26 #include "net/cert/cert_status_flags.h"
27 #include "net/cert/cert_verify_proc_nss.h"
28 #include "net/cert/cert_verify_result.h"
29 #include "net/cert/nss_cert_database.h"
30 #include "net/cert/x509_certificate.h"
31 #include "net/test/cert_test_util.h"
32 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
33 #include "testing/gtest/include/gtest/gtest.h"
34
35 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
36 // the new name of the macro.
37 #if !defined(CERTDB_TERMINAL_RECORD)
38 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
39 #endif
40
41 using base::ASCIIToUTF16;
42
43 namespace net {
44
45 namespace {
46
47 void SwapCertList(CertificateList* destination,
48 scoped_ptr<CertificateList> source) {
49 ASSERT_TRUE(destination);
50 destination->swap(*source);
51 }
52
53 } // namespace
54
55 class CertDatabaseNSSTest : public testing::Test {
56 public:
57 void SetUp() override {
58 ASSERT_TRUE(test_nssdb_.is_open());
59 cert_db_.reset(new NSSCertDatabase(
60 crypto::ScopedPK11Slot(
61 PK11_ReferenceSlot(test_nssdb_.slot())) /* public slot */,
62 crypto::ScopedPK11Slot(
63 PK11_ReferenceSlot(test_nssdb_.slot())) /* private slot */));
64 public_module_ = cert_db_->GetPublicModule();
65
66 // Test db should be empty at start of test.
67 EXPECT_EQ(0U, ListCerts().size());
68 }
69
70 void TearDown() override {
71 // Run the message loop to process any observer callbacks (e.g. for the
72 // ClientSocketFactory singleton) so that the scoped ref ptrs created in
73 // NSSCertDatabase::NotifyObservers* get released.
74 base::MessageLoop::current()->RunUntilIdle();
75 }
76
77 protected:
78 CryptoModule* GetPublicModule() { return public_module_.get(); }
79
80 static std::string ReadTestFile(const std::string& name) {
81 std::string result;
82 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name);
83 EXPECT_TRUE(base::ReadFileToString(cert_path, &result));
84 return result;
85 }
86
87 static bool ReadCertIntoList(const std::string& name,
88 CertificateList* certs) {
89 scoped_refptr<X509Certificate> cert(
90 ImportCertFromFile(GetTestCertsDirectory(), name));
91 if (!cert.get())
92 return false;
93
94 certs->push_back(cert);
95 return true;
96 }
97
98 CertificateList ListCerts() {
99 CertificateList result;
100 CERTCertList* cert_list = PK11_ListCertsInSlot(test_nssdb_.slot());
101 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
102 !CERT_LIST_END(node, cert_list);
103 node = CERT_LIST_NEXT(node)) {
104 result.push_back(X509Certificate::CreateFromHandle(
105 node->cert, X509Certificate::OSCertHandles()));
106 }
107 CERT_DestroyCertList(cert_list);
108
109 // Sort the result so that test comparisons can be deterministic.
110 std::sort(result.begin(), result.end(), X509Certificate::LessThan());
111 return result;
112 }
113
114 scoped_ptr<NSSCertDatabase> cert_db_;
115 const CertificateList empty_cert_list_;
116 crypto::ScopedTestNSSDB test_nssdb_;
117 scoped_refptr<CryptoModule> public_module_;
118 };
119
120 TEST_F(CertDatabaseNSSTest, ListCertsSync) {
121 // This test isn't terribly useful, though it will at least let valgrind test
122 // for leaks.
123 CertificateList certs;
124 cert_db_->ListCertsSync(&certs);
125 // The test DB is empty, but let's assume there will always be something in
126 // the other slots.
127 EXPECT_LT(0U, certs.size());
128 }
129
130 TEST_F(CertDatabaseNSSTest, ListCerts) {
131 // This test isn't terribly useful, though it will at least let valgrind test
132 // for leaks.
133 CertificateList certs;
134 cert_db_->SetSlowTaskRunnerForTest(base::MessageLoopProxy::current());
135 cert_db_->ListCerts(base::Bind(&SwapCertList, base::Unretained(&certs)));
136 EXPECT_EQ(0U, certs.size());
137
138 base::RunLoop().RunUntilIdle();
139
140 // The test DB is empty, but let's assume there will always be something in
141 // the other slots.
142 EXPECT_LT(0U, certs.size());
143 }
144
145 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {
146 std::string pkcs12_data = ReadTestFile("client.p12");
147
148 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,
149 cert_db_->ImportFromPKCS12(GetPublicModule(),
150 pkcs12_data,
151 base::string16(),
152 true, // is_extractable
153 NULL));
154
155 // Test db should still be empty.
156 EXPECT_EQ(0U, ListCerts().size());
157 }
158
159 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {
160 std::string pkcs12_data = ReadTestFile("client.p12");
161
162 EXPECT_EQ(OK,
163 cert_db_->ImportFromPKCS12(GetPublicModule(),
164 pkcs12_data,
165 ASCIIToUTF16("12345"),
166 true, // is_extractable
167 NULL));
168
169 CertificateList cert_list = ListCerts();
170 ASSERT_EQ(1U, cert_list.size());
171 scoped_refptr<X509Certificate> cert(cert_list[0]);
172
173 EXPECT_EQ("testusercert",
174 cert->subject().common_name);
175
176 // TODO(mattm): move export test to separate test case?
177 std::string exported_data;
178 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
179 &exported_data));
180 ASSERT_LT(0U, exported_data.size());
181 // TODO(mattm): further verification of exported data?
182 }
183
184 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {
185 std::string pkcs12_data = ReadTestFile("client.p12");
186
187 EXPECT_EQ(OK,
188 cert_db_->ImportFromPKCS12(GetPublicModule(),
189 pkcs12_data,
190 ASCIIToUTF16("12345"),
191 true, // is_extractable
192 NULL));
193 EXPECT_EQ(1U, ListCerts().size());
194
195 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like
196 // it's ever used. This test verifies that.
197 EXPECT_EQ(OK,
198 cert_db_->ImportFromPKCS12(GetPublicModule(),
199 pkcs12_data,
200 ASCIIToUTF16("12345"),
201 true, // is_extractable
202 NULL));
203 EXPECT_EQ(1U, ListCerts().size());
204 }
205
206 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
207 std::string pkcs12_data = ReadTestFile("client.p12");
208
209 EXPECT_EQ(OK,
210 cert_db_->ImportFromPKCS12(GetPublicModule(),
211 pkcs12_data,
212 ASCIIToUTF16("12345"),
213 false, // is_extractable
214 NULL));
215
216 CertificateList cert_list = ListCerts();
217 ASSERT_EQ(1U, cert_list.size());
218 scoped_refptr<X509Certificate> cert(cert_list[0]);
219
220 EXPECT_EQ("testusercert",
221 cert->subject().common_name);
222
223 std::string exported_data;
224 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
225 &exported_data));
226 }
227
228 // Importing a PKCS#12 file with a certificate but no corresponding
229 // private key should not mark an existing private key as unextractable.
230 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) {
231 std::string pkcs12_data = ReadTestFile("client.p12");
232 EXPECT_EQ(OK,
233 cert_db_->ImportFromPKCS12(GetPublicModule(),
234 pkcs12_data,
235 ASCIIToUTF16("12345"),
236 true, // is_extractable
237 NULL));
238
239 CertificateList cert_list = ListCerts();
240 ASSERT_EQ(1U, cert_list.size());
241
242 // Now import a PKCS#12 file with just a certificate but no private key.
243 pkcs12_data = ReadTestFile("client-nokey.p12");
244 EXPECT_EQ(OK,
245 cert_db_->ImportFromPKCS12(GetPublicModule(),
246 pkcs12_data,
247 ASCIIToUTF16("12345"),
248 false, // is_extractable
249 NULL));
250
251 cert_list = ListCerts();
252 ASSERT_EQ(1U, cert_list.size());
253
254 // Make sure the imported private key is still extractable.
255 std::string exported_data;
256 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
257 &exported_data));
258 ASSERT_LT(0U, exported_data.size());
259 }
260
261 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
262 std::string pkcs12_data = "Foobarbaz";
263
264 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,
265 cert_db_->ImportFromPKCS12(GetPublicModule(),
266 pkcs12_data,
267 base::string16(),
268 true, // is_extractable
269 NULL));
270
271 // Test db should still be empty.
272 EXPECT_EQ(0U, ListCerts().size());
273 }
274
275 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
276 CertificateList certs = CreateCertificateListFromFile(
277 GetTestCertsDirectory(), "root_ca_cert.pem",
278 X509Certificate::FORMAT_AUTO);
279 ASSERT_EQ(1U, certs.size());
280 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
281
282 // Import it.
283 NSSCertDatabase::ImportCertFailureList failed;
284 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
285 &failed));
286
287 EXPECT_EQ(0U, failed.size());
288
289 CertificateList cert_list = ListCerts();
290 ASSERT_EQ(1U, cert_list.size());
291 scoped_refptr<X509Certificate> cert(cert_list[0]);
292 EXPECT_EQ("Test Root CA", cert->subject().common_name);
293
294 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
295 cert_db_->GetCertTrust(cert.get(), CA_CERT));
296
297 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
298 CERTDB_TRUSTED_CLIENT_CA),
299 cert->os_cert_handle()->trust->sslFlags);
300 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
301 cert->os_cert_handle()->trust->emailFlags);
302 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
303 cert->os_cert_handle()->trust->objectSigningFlags);
304 }
305
306 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
307 CertificateList certs = CreateCertificateListFromFile(
308 GetTestCertsDirectory(), "root_ca_cert.pem",
309 X509Certificate::FORMAT_AUTO);
310 ASSERT_EQ(1U, certs.size());
311 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
312
313 // Import it.
314 NSSCertDatabase::ImportCertFailureList failed;
315 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL,
316 &failed));
317
318 EXPECT_EQ(0U, failed.size());
319
320 CertificateList cert_list = ListCerts();
321 ASSERT_EQ(1U, cert_list.size());
322 scoped_refptr<X509Certificate> cert(cert_list[0]);
323 EXPECT_EQ("Test Root CA", cert->subject().common_name);
324
325 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL,
326 cert_db_->GetCertTrust(cert.get(), CA_CERT));
327
328 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
329 cert->os_cert_handle()->trust->sslFlags);
330 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
331 CERTDB_TRUSTED_CLIENT_CA),
332 cert->os_cert_handle()->trust->emailFlags);
333 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
334 cert->os_cert_handle()->trust->objectSigningFlags);
335 }
336
337 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
338 CertificateList certs = CreateCertificateListFromFile(
339 GetTestCertsDirectory(), "root_ca_cert.pem",
340 X509Certificate::FORMAT_AUTO);
341 ASSERT_EQ(1U, certs.size());
342 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
343
344 // Import it.
345 NSSCertDatabase::ImportCertFailureList failed;
346 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN,
347 &failed));
348
349 EXPECT_EQ(0U, failed.size());
350
351 CertificateList cert_list = ListCerts();
352 ASSERT_EQ(1U, cert_list.size());
353 scoped_refptr<X509Certificate> cert(cert_list[0]);
354 EXPECT_EQ("Test Root CA", cert->subject().common_name);
355
356 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN,
357 cert_db_->GetCertTrust(cert.get(), CA_CERT));
358
359 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
360 cert->os_cert_handle()->trust->sslFlags);
361 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
362 cert->os_cert_handle()->trust->emailFlags);
363 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
364 CERTDB_TRUSTED_CLIENT_CA),
365 cert->os_cert_handle()->trust->objectSigningFlags);
366 }
367
368 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
369 CertificateList certs = CreateCertificateListFromFile(
370 GetTestCertsDirectory(), "ok_cert.pem",
371 X509Certificate::FORMAT_AUTO);
372 ASSERT_EQ(1U, certs.size());
373 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
374
375 // Import it.
376 NSSCertDatabase::ImportCertFailureList failed;
377 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
378 &failed));
379 ASSERT_EQ(1U, failed.size());
380 // Note: this compares pointers directly. It's okay in this case because
381 // ImportCACerts returns the same pointers that were passed in. In the
382 // general case IsSameOSCert should be used.
383 EXPECT_EQ(certs[0], failed[0].certificate);
384 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error);
385
386 EXPECT_EQ(0U, ListCerts().size());
387 }
388
389 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) {
390 CertificateList certs;
391 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
392 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
393 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
394
395 // Import it.
396 NSSCertDatabase::ImportCertFailureList failed;
397 // Have to specify email trust for the cert verification of the child cert to
398 // work (see
399 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#752
400 // "XXX This choice of trustType seems arbitrary.")
401 EXPECT_TRUE(cert_db_->ImportCACerts(
402 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
403 &failed));
404
405 ASSERT_EQ(2U, failed.size());
406 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
407 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
408 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name);
409 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error);
410
411 CertificateList cert_list = ListCerts();
412 ASSERT_EQ(1U, cert_list.size());
413 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
414 }
415
416 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) {
417 CertificateList certs;
418 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
419
420 // First import just the root.
421 NSSCertDatabase::ImportCertFailureList failed;
422 EXPECT_TRUE(cert_db_->ImportCACerts(
423 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
424 &failed));
425
426 EXPECT_EQ(0U, failed.size());
427 CertificateList cert_list = ListCerts();
428 ASSERT_EQ(1U, cert_list.size());
429 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
430
431 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
432 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
433
434 // Now import with the other certs in the list too. Even though the root is
435 // already present, we should still import the rest.
436 failed.clear();
437 EXPECT_TRUE(cert_db_->ImportCACerts(
438 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
439 &failed));
440
441 ASSERT_EQ(3U, failed.size());
442 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name);
443 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error);
444 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
445 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
446 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name);
447 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error);
448
449 cert_list = ListCerts();
450 ASSERT_EQ(1U, cert_list.size());
451 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
452 }
453
454 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {
455 CertificateList certs;
456 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
457 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
458
459 // Import it.
460 NSSCertDatabase::ImportCertFailureList failed;
461 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT,
462 &failed));
463
464 ASSERT_EQ(1U, failed.size());
465 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
466 // TODO(mattm): should check for net error equivalent of
467 // SEC_ERROR_UNTRUSTED_ISSUER
468 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
469
470 CertificateList cert_list = ListCerts();
471 ASSERT_EQ(1U, cert_list.size());
472 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
473 }
474
475 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) {
476 CertificateList certs;
477 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
478 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
479 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
480
481 // Import it.
482 NSSCertDatabase::ImportCertFailureList failed;
483 EXPECT_TRUE(cert_db_->ImportCACerts(
484 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
485 &failed));
486
487 EXPECT_EQ(2U, failed.size());
488 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
489 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
490 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
491 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
492
493 CertificateList cert_list = ListCerts();
494 ASSERT_EQ(1U, cert_list.size());
495 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
496 }
497
498 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
499 CertificateList certs = CreateCertificateListFromFile(
500 GetTestCertsDirectory(), "root_ca_cert.pem",
501 X509Certificate::FORMAT_AUTO);
502 ASSERT_EQ(1U, certs.size());
503 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
504 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
505
506 // Import it.
507 NSSCertDatabase::ImportCertFailureList failed;
508 EXPECT_TRUE(cert_db_->ImportCACerts(
509 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL |
510 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed));
511
512 ASSERT_EQ(2U, failed.size());
513 // TODO(mattm): should check for net error equivalent of
514 // SEC_ERROR_UNKNOWN_ISSUER
515 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
516 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
517 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
518 EXPECT_EQ(ERR_FAILED, failed[1].net_error);
519
520 CertificateList cert_list = ListCerts();
521 ASSERT_EQ(1U, cert_list.size());
522 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name);
523 }
524
525 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired
526 // certificate.
527 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
528 // Need to import intermediate cert for the verify of google cert, otherwise
529 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which
530 // will cause OCSPCreateSession on the main thread, which is not allowed.
531 CertificateList certs = CreateCertificateListFromFile(
532 GetTestCertsDirectory(), "google.chain.pem",
533 X509Certificate::FORMAT_AUTO);
534 ASSERT_EQ(2U, certs.size());
535
536 NSSCertDatabase::ImportCertFailureList failed;
537 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
538 &failed));
539
540 EXPECT_EQ(0U, failed.size());
541
542 CertificateList cert_list = ListCerts();
543 ASSERT_EQ(2U, cert_list.size());
544 scoped_refptr<X509Certificate> goog_cert(cert_list[0]);
545 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);
546 EXPECT_EQ("www.google.com", goog_cert->subject().common_name);
547 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);
548
549 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
550 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT));
551
552 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags);
553
554 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
555 int flags = 0;
556 CertVerifyResult verify_result;
557 int error = verify_proc->Verify(goog_cert.get(),
558 "www.google.com",
559 flags,
560 NULL,
561 empty_cert_list_,
562 &verify_result);
563 EXPECT_EQ(OK, error);
564 EXPECT_EQ(0U, verify_result.cert_status);
565 }
566
567 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
568 CertificateList certs;
569 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs));
570
571 NSSCertDatabase::ImportCertFailureList failed;
572 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
573 &failed));
574
575 EXPECT_EQ(0U, failed.size());
576
577 CertificateList cert_list = ListCerts();
578 ASSERT_EQ(1U, cert_list.size());
579 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
580
581 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
582 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
583 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags);
584
585 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
586 int flags = 0;
587 CertVerifyResult verify_result;
588 int error = verify_proc->Verify(puny_cert.get(),
589 "xn--wgv71a119e.com",
590 flags,
591 NULL,
592 empty_cert_list_,
593 &verify_result);
594 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
595 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
596 }
597
598 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
599 CertificateList certs;
600 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs));
601
602 NSSCertDatabase::ImportCertFailureList failed;
603 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL,
604 &failed));
605
606 EXPECT_EQ(0U, failed.size());
607
608 CertificateList cert_list = ListCerts();
609 ASSERT_EQ(1U, cert_list.size());
610 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
611
612 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
613 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
614 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD),
615 puny_cert->os_cert_handle()->trust->sslFlags);
616
617 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
618 int flags = 0;
619 CertVerifyResult verify_result;
620 int error = verify_proc->Verify(puny_cert.get(),
621 "xn--wgv71a119e.com",
622 flags,
623 NULL,
624 empty_cert_list_,
625 &verify_result);
626 EXPECT_EQ(OK, error);
627 EXPECT_EQ(0U, verify_result.cert_status);
628 }
629
630 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
631 CertificateList ca_certs = CreateCertificateListFromFile(
632 GetTestCertsDirectory(), "root_ca_cert.pem",
633 X509Certificate::FORMAT_AUTO);
634 ASSERT_EQ(1U, ca_certs.size());
635
636 // Import CA cert and trust it.
637 NSSCertDatabase::ImportCertFailureList failed;
638 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
639 &failed));
640 EXPECT_EQ(0U, failed.size());
641
642 CertificateList certs = CreateCertificateListFromFile(
643 GetTestCertsDirectory(), "ok_cert.pem",
644 X509Certificate::FORMAT_AUTO);
645 ASSERT_EQ(1U, certs.size());
646
647 // Import server cert with default trust.
648 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
649 &failed));
650 EXPECT_EQ(0U, failed.size());
651
652 // Server cert should verify.
653 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
654 int flags = 0;
655 CertVerifyResult verify_result;
656 int error = verify_proc->Verify(certs[0].get(),
657 "127.0.0.1",
658 flags,
659 NULL,
660 empty_cert_list_,
661 &verify_result);
662 EXPECT_EQ(OK, error);
663 EXPECT_EQ(0U, verify_result.cert_status);
664 }
665
666 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
667 CertificateList ca_certs = CreateCertificateListFromFile(
668 GetTestCertsDirectory(), "root_ca_cert.pem",
669 X509Certificate::FORMAT_AUTO);
670 ASSERT_EQ(1U, ca_certs.size());
671
672 // Import CA cert and trust it.
673 NSSCertDatabase::ImportCertFailureList failed;
674 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
675 &failed));
676 EXPECT_EQ(0U, failed.size());
677
678 CertificateList certs = CreateCertificateListFromFile(
679 GetTestCertsDirectory(), "ok_cert.pem",
680 X509Certificate::FORMAT_AUTO);
681 ASSERT_EQ(1U, certs.size());
682
683 // Import server cert without inheriting trust from issuer (explicit
684 // distrust).
685 EXPECT_TRUE(cert_db_->ImportServerCert(
686 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
687 EXPECT_EQ(0U, failed.size());
688 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL,
689 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
690
691 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
692 certs[0]->os_cert_handle()->trust->sslFlags);
693
694 // Server cert should fail to verify.
695 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
696 int flags = 0;
697 CertVerifyResult verify_result;
698 int error = verify_proc->Verify(certs[0].get(),
699 "127.0.0.1",
700 flags,
701 NULL,
702 empty_cert_list_,
703 &verify_result);
704 EXPECT_EQ(ERR_CERT_REVOKED, error);
705 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
706 }
707
708 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {
709 CertificateList ca_certs = CreateCertificateListFromFile(
710 GetTestCertsDirectory(), "2048-rsa-root.pem",
711 X509Certificate::FORMAT_AUTO);
712 ASSERT_EQ(1U, ca_certs.size());
713
714 // Import Root CA cert and distrust it.
715 NSSCertDatabase::ImportCertFailureList failed;
716 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL,
717 &failed));
718 EXPECT_EQ(0U, failed.size());
719
720 CertificateList intermediate_certs = CreateCertificateListFromFile(
721 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
722 X509Certificate::FORMAT_AUTO);
723 ASSERT_EQ(1U, intermediate_certs.size());
724
725 // Import Intermediate CA cert and trust it.
726 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
727 NSSCertDatabase::TRUSTED_SSL, &failed));
728 EXPECT_EQ(0U, failed.size());
729
730 CertificateList certs = CreateCertificateListFromFile(
731 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
732 X509Certificate::FORMAT_AUTO);
733 ASSERT_EQ(1U, certs.size());
734
735 // Import server cert with default trust.
736 EXPECT_TRUE(cert_db_->ImportServerCert(
737 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
738 EXPECT_EQ(0U, failed.size());
739 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
740 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
741
742 // Server cert should verify.
743 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
744 int flags = 0;
745 CertVerifyResult verify_result;
746 int error = verify_proc->Verify(certs[0].get(),
747 "127.0.0.1",
748 flags,
749 NULL,
750 empty_cert_list_,
751 &verify_result);
752 EXPECT_EQ(OK, error);
753 EXPECT_EQ(0U, verify_result.cert_status);
754
755 // Trust the root cert and distrust the intermediate.
756 EXPECT_TRUE(cert_db_->SetCertTrust(
757 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL));
758 EXPECT_TRUE(cert_db_->SetCertTrust(
759 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL));
760 EXPECT_EQ(
761 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA),
762 ca_certs[0]->os_cert_handle()->trust->sslFlags);
763 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
764 ca_certs[0]->os_cert_handle()->trust->emailFlags);
765 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
766 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags);
767 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
768 intermediate_certs[0]->os_cert_handle()->trust->sslFlags);
769 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
770 intermediate_certs[0]->os_cert_handle()->trust->emailFlags);
771 EXPECT_EQ(
772 unsigned(CERTDB_VALID_CA),
773 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags);
774
775 // Server cert should fail to verify.
776 CertVerifyResult verify_result2;
777 error = verify_proc->Verify(certs[0].get(),
778 "127.0.0.1",
779 flags,
780 NULL,
781 empty_cert_list_,
782 &verify_result2);
783 EXPECT_EQ(ERR_CERT_REVOKED, error);
784 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status);
785 }
786
787 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) {
788 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
789 // See http://bugzil.la/863947 for details.
790 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
791 return;
792 }
793
794 NSSCertDatabase::ImportCertFailureList failed;
795
796 CertificateList intermediate_certs = CreateCertificateListFromFile(
797 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
798 X509Certificate::FORMAT_AUTO);
799 ASSERT_EQ(1U, intermediate_certs.size());
800
801 // Import Intermediate CA cert and trust it.
802 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
803 NSSCertDatabase::TRUSTED_SSL, &failed));
804 EXPECT_EQ(0U, failed.size());
805
806 CertificateList certs = CreateCertificateListFromFile(
807 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
808 X509Certificate::FORMAT_AUTO);
809 ASSERT_EQ(1U, certs.size());
810
811 // Import server cert with default trust.
812 EXPECT_TRUE(cert_db_->ImportServerCert(
813 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
814 EXPECT_EQ(0U, failed.size());
815 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
816 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
817
818 // Server cert should verify.
819 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
820 int flags = 0;
821 CertVerifyResult verify_result;
822 int error = verify_proc->Verify(certs[0].get(),
823 "127.0.0.1",
824 flags,
825 NULL,
826 empty_cert_list_,
827 &verify_result);
828 EXPECT_EQ(OK, error);
829 EXPECT_EQ(0U, verify_result.cert_status);
830
831 // Without explicit trust of the intermediate, verification should fail.
832 EXPECT_TRUE(cert_db_->SetCertTrust(
833 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
834
835 // Server cert should fail to verify.
836 CertVerifyResult verify_result2;
837 error = verify_proc->Verify(certs[0].get(),
838 "127.0.0.1",
839 flags,
840 NULL,
841 empty_cert_list_,
842 &verify_result2);
843 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
844 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
845 }
846
847 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) {
848 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
849 // See http://bugzil.la/863947 for details.
850 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
851 return;
852 }
853
854 NSSCertDatabase::ImportCertFailureList failed;
855
856 CertificateList ca_certs = CreateCertificateListFromFile(
857 GetTestCertsDirectory(), "2048-rsa-root.pem",
858 X509Certificate::FORMAT_AUTO);
859 ASSERT_EQ(1U, ca_certs.size());
860
861 // Import Root CA cert and default trust it.
862 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT,
863 &failed));
864 EXPECT_EQ(0U, failed.size());
865
866 CertificateList intermediate_certs = CreateCertificateListFromFile(
867 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
868 X509Certificate::FORMAT_AUTO);
869 ASSERT_EQ(1U, intermediate_certs.size());
870
871 // Import Intermediate CA cert and trust it.
872 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
873 NSSCertDatabase::TRUSTED_SSL, &failed));
874 EXPECT_EQ(0U, failed.size());
875
876 CertificateList certs = CreateCertificateListFromFile(
877 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
878 X509Certificate::FORMAT_AUTO);
879 ASSERT_EQ(1U, certs.size());
880
881 // Import server cert with default trust.
882 EXPECT_TRUE(cert_db_->ImportServerCert(
883 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
884 EXPECT_EQ(0U, failed.size());
885 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
886 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
887
888 // Server cert should verify.
889 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
890 int flags = 0;
891 CertVerifyResult verify_result;
892 int error = verify_proc->Verify(certs[0].get(),
893 "127.0.0.1",
894 flags,
895 NULL,
896 empty_cert_list_,
897 &verify_result);
898 EXPECT_EQ(OK, error);
899 EXPECT_EQ(0U, verify_result.cert_status);
900
901 // Without explicit trust of the intermediate, verification should fail.
902 EXPECT_TRUE(cert_db_->SetCertTrust(
903 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
904
905 // Server cert should fail to verify.
906 CertVerifyResult verify_result2;
907 error = verify_proc->Verify(certs[0].get(),
908 "127.0.0.1",
909 flags,
910 NULL,
911 empty_cert_list_,
912 &verify_result2);
913 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
914 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
915 }
916
917 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
918 NSSCertDatabase::ImportCertFailureList failed;
919
920 CertificateList ca_certs = CreateCertificateListFromFile(
921 GetTestCertsDirectory(), "2048-rsa-root.pem",
922 X509Certificate::FORMAT_AUTO);
923 ASSERT_EQ(1U, ca_certs.size());
924
925 // Import Root CA cert and trust it.
926 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
927 &failed));
928 EXPECT_EQ(0U, failed.size());
929
930 CertificateList intermediate_certs = CreateCertificateListFromFile(
931 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
932 X509Certificate::FORMAT_AUTO);
933 ASSERT_EQ(1U, intermediate_certs.size());
934
935 // Import Intermediate CA cert and distrust it.
936 EXPECT_TRUE(cert_db_->ImportCACerts(
937 intermediate_certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
938 EXPECT_EQ(0U, failed.size());
939
940 CertificateList certs = CreateCertificateListFromFile(
941 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
942 X509Certificate::FORMAT_AUTO);
943 ASSERT_EQ(1U, certs.size());
944
945 // Import server cert with default trust.
946 EXPECT_TRUE(cert_db_->ImportServerCert(
947 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
948 EXPECT_EQ(0U, failed.size());
949 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
950 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
951
952 // Server cert should not verify.
953 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
954 int flags = 0;
955 CertVerifyResult verify_result;
956 int error = verify_proc->Verify(certs[0].get(),
957 "127.0.0.1",
958 flags,
959 NULL,
960 empty_cert_list_,
961 &verify_result);
962 EXPECT_EQ(ERR_CERT_REVOKED, error);
963 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
964
965 // Without explicit distrust of the intermediate, verification should succeed.
966 EXPECT_TRUE(cert_db_->SetCertTrust(
967 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
968
969 // Server cert should verify.
970 CertVerifyResult verify_result2;
971 error = verify_proc->Verify(certs[0].get(),
972 "127.0.0.1",
973 flags,
974 NULL,
975 empty_cert_list_,
976 &verify_result2);
977 EXPECT_EQ(OK, error);
978 EXPECT_EQ(0U, verify_result2.cert_status);
979 }
980
981 // Importing two certificates with the same issuer and subject common name,
982 // but overall distinct subject names, should succeed and generate a unique
983 // nickname for the second certificate.
984 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {
985 CertificateList certs =
986 CreateCertificateListFromFile(GetTestCertsDirectory(),
987 "duplicate_cn_1.pem",
988 X509Certificate::FORMAT_AUTO);
989 ASSERT_EQ(1U, certs.size());
990
991 EXPECT_EQ(0U, ListCerts().size());
992
993 // Import server cert with default trust.
994 NSSCertDatabase::ImportCertFailureList failed;
995 EXPECT_TRUE(cert_db_->ImportServerCert(
996 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
997 EXPECT_EQ(0U, failed.size());
998 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
999 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
1000
1001 CertificateList new_certs = ListCerts();
1002 ASSERT_EQ(1U, new_certs.size());
1003
1004 // Now attempt to import a different certificate with the same common name.
1005 CertificateList certs2 =
1006 CreateCertificateListFromFile(GetTestCertsDirectory(),
1007 "duplicate_cn_2.pem",
1008 X509Certificate::FORMAT_AUTO);
1009 ASSERT_EQ(1U, certs2.size());
1010
1011 // Import server cert with default trust.
1012 EXPECT_TRUE(cert_db_->ImportServerCert(
1013 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed));
1014 EXPECT_EQ(0U, failed.size());
1015 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
1016 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT));
1017
1018 new_certs = ListCerts();
1019 ASSERT_EQ(2U, new_certs.size());
1020 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname,
1021 new_certs[1]->os_cert_handle()->nickname);
1022 }
1023
1024 } // namespace net