Rewrite AndroidSyncSettings to be significantly simpler.
[chromium-blink-merge.git] / net / cert / nss_cert_database_unittest.cc
blob3c83d0562a1b48ab1d2eed2a4043f1c2273023d6
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include <cert.h>
6 #include <certdb.h>
7 #include <pk11pub.h>
9 #include <algorithm>
11 #include "base/bind.h"
12 #include "base/files/file_path.h"
13 #include "base/files/file_util.h"
14 #include "base/lazy_instance.h"
15 #include "base/message_loop/message_loop.h"
16 #include "base/message_loop/message_loop_proxy.h"
17 #include "base/run_loop.h"
18 #include "base/strings/string16.h"
19 #include "base/strings/string_util.h"
20 #include "base/strings/utf_string_conversions.h"
21 #include "crypto/scoped_nss_types.h"
22 #include "crypto/scoped_test_nss_db.h"
23 #include "net/base/crypto_module.h"
24 #include "net/base/net_errors.h"
25 #include "net/base/test_data_directory.h"
26 #include "net/cert/cert_status_flags.h"
27 #include "net/cert/cert_verify_proc_nss.h"
28 #include "net/cert/cert_verify_result.h"
29 #include "net/cert/nss_cert_database.h"
30 #include "net/cert/x509_certificate.h"
31 #include "net/test/cert_test_util.h"
32 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
33 #include "testing/gtest/include/gtest/gtest.h"
35 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
36 // the new name of the macro.
37 #if !defined(CERTDB_TERMINAL_RECORD)
38 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
39 #endif
41 using base::ASCIIToUTF16;
43 namespace net {
45 namespace {
47 void SwapCertList(CertificateList* destination,
48 scoped_ptr<CertificateList> source) {
49 ASSERT_TRUE(destination);
50 destination->swap(*source);
53 } // namespace
55 class CertDatabaseNSSTest : public testing::Test {
56 public:
57 void SetUp() override {
58 ASSERT_TRUE(test_nssdb_.is_open());
59 cert_db_.reset(new NSSCertDatabase(
60 crypto::ScopedPK11Slot(
61 PK11_ReferenceSlot(test_nssdb_.slot())) /* public slot */,
62 crypto::ScopedPK11Slot(
63 PK11_ReferenceSlot(test_nssdb_.slot())) /* private slot */));
64 public_module_ = cert_db_->GetPublicModule();
66 // Test db should be empty at start of test.
67 EXPECT_EQ(0U, ListCerts().size());
70 void TearDown() override {
71 // Run the message loop to process any observer callbacks (e.g. for the
72 // ClientSocketFactory singleton) so that the scoped ref ptrs created in
73 // NSSCertDatabase::NotifyObservers* get released.
74 base::MessageLoop::current()->RunUntilIdle();
77 protected:
78 net::CryptoModule* GetPublicModule() {
79 return public_module_.get();
82 static std::string ReadTestFile(const std::string& name) {
83 std::string result;
84 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name);
85 EXPECT_TRUE(base::ReadFileToString(cert_path, &result));
86 return result;
89 static bool ReadCertIntoList(const std::string& name,
90 CertificateList* certs) {
91 scoped_refptr<X509Certificate> cert(
92 ImportCertFromFile(GetTestCertsDirectory(), name));
93 if (!cert.get())
94 return false;
96 certs->push_back(cert);
97 return true;
100 CertificateList ListCerts() {
101 CertificateList result;
102 CERTCertList* cert_list = PK11_ListCertsInSlot(test_nssdb_.slot());
103 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
104 !CERT_LIST_END(node, cert_list);
105 node = CERT_LIST_NEXT(node)) {
106 result.push_back(X509Certificate::CreateFromHandle(
107 node->cert, X509Certificate::OSCertHandles()));
109 CERT_DestroyCertList(cert_list);
111 // Sort the result so that test comparisons can be deterministic.
112 std::sort(result.begin(), result.end(), X509Certificate::LessThan());
113 return result;
116 scoped_ptr<NSSCertDatabase> cert_db_;
117 const CertificateList empty_cert_list_;
118 crypto::ScopedTestNSSDB test_nssdb_;
119 scoped_refptr<net::CryptoModule> public_module_;
122 TEST_F(CertDatabaseNSSTest, ListCertsSync) {
123 // This test isn't terribly useful, though it will at least let valgrind test
124 // for leaks.
125 CertificateList certs;
126 cert_db_->ListCertsSync(&certs);
127 // The test DB is empty, but let's assume there will always be something in
128 // the other slots.
129 EXPECT_LT(0U, certs.size());
132 TEST_F(CertDatabaseNSSTest, ListCerts) {
133 // This test isn't terribly useful, though it will at least let valgrind test
134 // for leaks.
135 CertificateList certs;
136 cert_db_->SetSlowTaskRunnerForTest(base::MessageLoopProxy::current());
137 cert_db_->ListCerts(base::Bind(&SwapCertList, base::Unretained(&certs)));
138 EXPECT_EQ(0U, certs.size());
140 base::RunLoop().RunUntilIdle();
142 // The test DB is empty, but let's assume there will always be something in
143 // the other slots.
144 EXPECT_LT(0U, certs.size());
147 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {
148 std::string pkcs12_data = ReadTestFile("client.p12");
150 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,
151 cert_db_->ImportFromPKCS12(GetPublicModule(),
152 pkcs12_data,
153 base::string16(),
154 true, // is_extractable
155 NULL));
157 // Test db should still be empty.
158 EXPECT_EQ(0U, ListCerts().size());
161 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {
162 std::string pkcs12_data = ReadTestFile("client.p12");
164 EXPECT_EQ(OK,
165 cert_db_->ImportFromPKCS12(GetPublicModule(),
166 pkcs12_data,
167 ASCIIToUTF16("12345"),
168 true, // is_extractable
169 NULL));
171 CertificateList cert_list = ListCerts();
172 ASSERT_EQ(1U, cert_list.size());
173 scoped_refptr<X509Certificate> cert(cert_list[0]);
175 EXPECT_EQ("testusercert",
176 cert->subject().common_name);
178 // TODO(mattm): move export test to separate test case?
179 std::string exported_data;
180 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
181 &exported_data));
182 ASSERT_LT(0U, exported_data.size());
183 // TODO(mattm): further verification of exported data?
186 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {
187 std::string pkcs12_data = ReadTestFile("client.p12");
189 EXPECT_EQ(OK,
190 cert_db_->ImportFromPKCS12(GetPublicModule(),
191 pkcs12_data,
192 ASCIIToUTF16("12345"),
193 true, // is_extractable
194 NULL));
195 EXPECT_EQ(1U, ListCerts().size());
197 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like
198 // it's ever used. This test verifies that.
199 EXPECT_EQ(OK,
200 cert_db_->ImportFromPKCS12(GetPublicModule(),
201 pkcs12_data,
202 ASCIIToUTF16("12345"),
203 true, // is_extractable
204 NULL));
205 EXPECT_EQ(1U, ListCerts().size());
208 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
209 std::string pkcs12_data = ReadTestFile("client.p12");
211 EXPECT_EQ(OK,
212 cert_db_->ImportFromPKCS12(GetPublicModule(),
213 pkcs12_data,
214 ASCIIToUTF16("12345"),
215 false, // is_extractable
216 NULL));
218 CertificateList cert_list = ListCerts();
219 ASSERT_EQ(1U, cert_list.size());
220 scoped_refptr<X509Certificate> cert(cert_list[0]);
222 EXPECT_EQ("testusercert",
223 cert->subject().common_name);
225 std::string exported_data;
226 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
227 &exported_data));
230 // Importing a PKCS#12 file with a certificate but no corresponding
231 // private key should not mark an existing private key as unextractable.
232 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) {
233 std::string pkcs12_data = ReadTestFile("client.p12");
234 EXPECT_EQ(OK,
235 cert_db_->ImportFromPKCS12(GetPublicModule(),
236 pkcs12_data,
237 ASCIIToUTF16("12345"),
238 true, // is_extractable
239 NULL));
241 CertificateList cert_list = ListCerts();
242 ASSERT_EQ(1U, cert_list.size());
244 // Now import a PKCS#12 file with just a certificate but no private key.
245 pkcs12_data = ReadTestFile("client-nokey.p12");
246 EXPECT_EQ(OK,
247 cert_db_->ImportFromPKCS12(GetPublicModule(),
248 pkcs12_data,
249 ASCIIToUTF16("12345"),
250 false, // is_extractable
251 NULL));
253 cert_list = ListCerts();
254 ASSERT_EQ(1U, cert_list.size());
256 // Make sure the imported private key is still extractable.
257 std::string exported_data;
258 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
259 &exported_data));
260 ASSERT_LT(0U, exported_data.size());
263 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
264 std::string pkcs12_data = "Foobarbaz";
266 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,
267 cert_db_->ImportFromPKCS12(GetPublicModule(),
268 pkcs12_data,
269 base::string16(),
270 true, // is_extractable
271 NULL));
273 // Test db should still be empty.
274 EXPECT_EQ(0U, ListCerts().size());
277 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
278 CertificateList certs = CreateCertificateListFromFile(
279 GetTestCertsDirectory(), "root_ca_cert.pem",
280 X509Certificate::FORMAT_AUTO);
281 ASSERT_EQ(1U, certs.size());
282 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
284 // Import it.
285 NSSCertDatabase::ImportCertFailureList failed;
286 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
287 &failed));
289 EXPECT_EQ(0U, failed.size());
291 CertificateList cert_list = ListCerts();
292 ASSERT_EQ(1U, cert_list.size());
293 scoped_refptr<X509Certificate> cert(cert_list[0]);
294 EXPECT_EQ("Test Root CA", cert->subject().common_name);
296 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
297 cert_db_->GetCertTrust(cert.get(), CA_CERT));
299 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
300 CERTDB_TRUSTED_CLIENT_CA),
301 cert->os_cert_handle()->trust->sslFlags);
302 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
303 cert->os_cert_handle()->trust->emailFlags);
304 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
305 cert->os_cert_handle()->trust->objectSigningFlags);
308 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
309 CertificateList certs = CreateCertificateListFromFile(
310 GetTestCertsDirectory(), "root_ca_cert.pem",
311 X509Certificate::FORMAT_AUTO);
312 ASSERT_EQ(1U, certs.size());
313 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
315 // Import it.
316 NSSCertDatabase::ImportCertFailureList failed;
317 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL,
318 &failed));
320 EXPECT_EQ(0U, failed.size());
322 CertificateList cert_list = ListCerts();
323 ASSERT_EQ(1U, cert_list.size());
324 scoped_refptr<X509Certificate> cert(cert_list[0]);
325 EXPECT_EQ("Test Root CA", cert->subject().common_name);
327 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL,
328 cert_db_->GetCertTrust(cert.get(), CA_CERT));
330 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
331 cert->os_cert_handle()->trust->sslFlags);
332 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
333 CERTDB_TRUSTED_CLIENT_CA),
334 cert->os_cert_handle()->trust->emailFlags);
335 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
336 cert->os_cert_handle()->trust->objectSigningFlags);
339 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
340 CertificateList certs = CreateCertificateListFromFile(
341 GetTestCertsDirectory(), "root_ca_cert.pem",
342 X509Certificate::FORMAT_AUTO);
343 ASSERT_EQ(1U, certs.size());
344 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
346 // Import it.
347 NSSCertDatabase::ImportCertFailureList failed;
348 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN,
349 &failed));
351 EXPECT_EQ(0U, failed.size());
353 CertificateList cert_list = ListCerts();
354 ASSERT_EQ(1U, cert_list.size());
355 scoped_refptr<X509Certificate> cert(cert_list[0]);
356 EXPECT_EQ("Test Root CA", cert->subject().common_name);
358 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN,
359 cert_db_->GetCertTrust(cert.get(), CA_CERT));
361 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
362 cert->os_cert_handle()->trust->sslFlags);
363 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
364 cert->os_cert_handle()->trust->emailFlags);
365 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
366 CERTDB_TRUSTED_CLIENT_CA),
367 cert->os_cert_handle()->trust->objectSigningFlags);
370 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
371 CertificateList certs = CreateCertificateListFromFile(
372 GetTestCertsDirectory(), "ok_cert.pem",
373 X509Certificate::FORMAT_AUTO);
374 ASSERT_EQ(1U, certs.size());
375 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
377 // Import it.
378 NSSCertDatabase::ImportCertFailureList failed;
379 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
380 &failed));
381 ASSERT_EQ(1U, failed.size());
382 // Note: this compares pointers directly. It's okay in this case because
383 // ImportCACerts returns the same pointers that were passed in. In the
384 // general case IsSameOSCert should be used.
385 EXPECT_EQ(certs[0], failed[0].certificate);
386 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error);
388 EXPECT_EQ(0U, ListCerts().size());
391 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) {
392 CertificateList certs;
393 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
394 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
395 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
397 // Import it.
398 NSSCertDatabase::ImportCertFailureList failed;
399 // Have to specify email trust for the cert verification of the child cert to
400 // work (see
401 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#752
402 // "XXX This choice of trustType seems arbitrary.")
403 EXPECT_TRUE(cert_db_->ImportCACerts(
404 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
405 &failed));
407 ASSERT_EQ(2U, failed.size());
408 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
409 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
410 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name);
411 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error);
413 CertificateList cert_list = ListCerts();
414 ASSERT_EQ(1U, cert_list.size());
415 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
418 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) {
419 CertificateList certs;
420 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
422 // First import just the root.
423 NSSCertDatabase::ImportCertFailureList failed;
424 EXPECT_TRUE(cert_db_->ImportCACerts(
425 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
426 &failed));
428 EXPECT_EQ(0U, failed.size());
429 CertificateList cert_list = ListCerts();
430 ASSERT_EQ(1U, cert_list.size());
431 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
433 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
434 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
436 // Now import with the other certs in the list too. Even though the root is
437 // already present, we should still import the rest.
438 failed.clear();
439 EXPECT_TRUE(cert_db_->ImportCACerts(
440 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
441 &failed));
443 ASSERT_EQ(3U, failed.size());
444 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name);
445 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error);
446 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
447 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
448 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name);
449 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error);
451 cert_list = ListCerts();
452 ASSERT_EQ(1U, cert_list.size());
453 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
456 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {
457 CertificateList certs;
458 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
459 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
461 // Import it.
462 NSSCertDatabase::ImportCertFailureList failed;
463 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT,
464 &failed));
466 ASSERT_EQ(1U, failed.size());
467 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
468 // TODO(mattm): should check for net error equivalent of
469 // SEC_ERROR_UNTRUSTED_ISSUER
470 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
472 CertificateList cert_list = ListCerts();
473 ASSERT_EQ(1U, cert_list.size());
474 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
477 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) {
478 CertificateList certs;
479 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
480 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
481 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
483 // Import it.
484 NSSCertDatabase::ImportCertFailureList failed;
485 EXPECT_TRUE(cert_db_->ImportCACerts(
486 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
487 &failed));
489 EXPECT_EQ(2U, failed.size());
490 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
491 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
492 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
493 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
495 CertificateList cert_list = ListCerts();
496 ASSERT_EQ(1U, cert_list.size());
497 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
500 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
501 CertificateList certs = CreateCertificateListFromFile(
502 GetTestCertsDirectory(), "root_ca_cert.pem",
503 X509Certificate::FORMAT_AUTO);
504 ASSERT_EQ(1U, certs.size());
505 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
506 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
508 // Import it.
509 NSSCertDatabase::ImportCertFailureList failed;
510 EXPECT_TRUE(cert_db_->ImportCACerts(
511 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL |
512 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed));
514 ASSERT_EQ(2U, failed.size());
515 // TODO(mattm): should check for net error equivalent of
516 // SEC_ERROR_UNKNOWN_ISSUER
517 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
518 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
519 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
520 EXPECT_EQ(ERR_FAILED, failed[1].net_error);
522 CertificateList cert_list = ListCerts();
523 ASSERT_EQ(1U, cert_list.size());
524 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name);
527 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired
528 // certificate.
529 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
530 // Need to import intermediate cert for the verify of google cert, otherwise
531 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which
532 // will cause OCSPCreateSession on the main thread, which is not allowed.
533 CertificateList certs = CreateCertificateListFromFile(
534 GetTestCertsDirectory(), "google.chain.pem",
535 X509Certificate::FORMAT_AUTO);
536 ASSERT_EQ(2U, certs.size());
538 NSSCertDatabase::ImportCertFailureList failed;
539 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
540 &failed));
542 EXPECT_EQ(0U, failed.size());
544 CertificateList cert_list = ListCerts();
545 ASSERT_EQ(2U, cert_list.size());
546 scoped_refptr<X509Certificate> goog_cert(cert_list[0]);
547 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);
548 EXPECT_EQ("www.google.com", goog_cert->subject().common_name);
549 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);
551 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
552 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT));
554 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags);
556 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
557 int flags = 0;
558 CertVerifyResult verify_result;
559 int error = verify_proc->Verify(goog_cert.get(),
560 "www.google.com",
561 flags,
562 NULL,
563 empty_cert_list_,
564 &verify_result);
565 EXPECT_EQ(OK, error);
566 EXPECT_EQ(0U, verify_result.cert_status);
569 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
570 CertificateList certs;
571 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs));
573 NSSCertDatabase::ImportCertFailureList failed;
574 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
575 &failed));
577 EXPECT_EQ(0U, failed.size());
579 CertificateList cert_list = ListCerts();
580 ASSERT_EQ(1U, cert_list.size());
581 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
583 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
584 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
585 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags);
587 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
588 int flags = 0;
589 CertVerifyResult verify_result;
590 int error = verify_proc->Verify(puny_cert.get(),
591 "xn--wgv71a119e.com",
592 flags,
593 NULL,
594 empty_cert_list_,
595 &verify_result);
596 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
597 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
600 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
601 CertificateList certs;
602 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs));
604 NSSCertDatabase::ImportCertFailureList failed;
605 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL,
606 &failed));
608 EXPECT_EQ(0U, failed.size());
610 CertificateList cert_list = ListCerts();
611 ASSERT_EQ(1U, cert_list.size());
612 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
614 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
615 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
616 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD),
617 puny_cert->os_cert_handle()->trust->sslFlags);
619 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
620 int flags = 0;
621 CertVerifyResult verify_result;
622 int error = verify_proc->Verify(puny_cert.get(),
623 "xn--wgv71a119e.com",
624 flags,
625 NULL,
626 empty_cert_list_,
627 &verify_result);
628 EXPECT_EQ(OK, error);
629 EXPECT_EQ(0U, verify_result.cert_status);
632 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
633 CertificateList ca_certs = CreateCertificateListFromFile(
634 GetTestCertsDirectory(), "root_ca_cert.pem",
635 X509Certificate::FORMAT_AUTO);
636 ASSERT_EQ(1U, ca_certs.size());
638 // Import CA cert and trust it.
639 NSSCertDatabase::ImportCertFailureList failed;
640 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
641 &failed));
642 EXPECT_EQ(0U, failed.size());
644 CertificateList certs = CreateCertificateListFromFile(
645 GetTestCertsDirectory(), "ok_cert.pem",
646 X509Certificate::FORMAT_AUTO);
647 ASSERT_EQ(1U, certs.size());
649 // Import server cert with default trust.
650 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
651 &failed));
652 EXPECT_EQ(0U, failed.size());
654 // Server cert should verify.
655 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
656 int flags = 0;
657 CertVerifyResult verify_result;
658 int error = verify_proc->Verify(certs[0].get(),
659 "127.0.0.1",
660 flags,
661 NULL,
662 empty_cert_list_,
663 &verify_result);
664 EXPECT_EQ(OK, error);
665 EXPECT_EQ(0U, verify_result.cert_status);
668 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
669 CertificateList ca_certs = CreateCertificateListFromFile(
670 GetTestCertsDirectory(), "root_ca_cert.pem",
671 X509Certificate::FORMAT_AUTO);
672 ASSERT_EQ(1U, ca_certs.size());
674 // Import CA cert and trust it.
675 NSSCertDatabase::ImportCertFailureList failed;
676 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
677 &failed));
678 EXPECT_EQ(0U, failed.size());
680 CertificateList certs = CreateCertificateListFromFile(
681 GetTestCertsDirectory(), "ok_cert.pem",
682 X509Certificate::FORMAT_AUTO);
683 ASSERT_EQ(1U, certs.size());
685 // Import server cert without inheriting trust from issuer (explicit
686 // distrust).
687 EXPECT_TRUE(cert_db_->ImportServerCert(
688 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
689 EXPECT_EQ(0U, failed.size());
690 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL,
691 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
693 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
694 certs[0]->os_cert_handle()->trust->sslFlags);
696 // Server cert should fail to verify.
697 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
698 int flags = 0;
699 CertVerifyResult verify_result;
700 int error = verify_proc->Verify(certs[0].get(),
701 "127.0.0.1",
702 flags,
703 NULL,
704 empty_cert_list_,
705 &verify_result);
706 EXPECT_EQ(ERR_CERT_REVOKED, error);
707 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
710 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {
711 CertificateList ca_certs = CreateCertificateListFromFile(
712 GetTestCertsDirectory(), "2048-rsa-root.pem",
713 X509Certificate::FORMAT_AUTO);
714 ASSERT_EQ(1U, ca_certs.size());
716 // Import Root CA cert and distrust it.
717 NSSCertDatabase::ImportCertFailureList failed;
718 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL,
719 &failed));
720 EXPECT_EQ(0U, failed.size());
722 CertificateList intermediate_certs = CreateCertificateListFromFile(
723 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
724 X509Certificate::FORMAT_AUTO);
725 ASSERT_EQ(1U, intermediate_certs.size());
727 // Import Intermediate CA cert and trust it.
728 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
729 NSSCertDatabase::TRUSTED_SSL, &failed));
730 EXPECT_EQ(0U, failed.size());
732 CertificateList certs = CreateCertificateListFromFile(
733 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
734 X509Certificate::FORMAT_AUTO);
735 ASSERT_EQ(1U, certs.size());
737 // Import server cert with default trust.
738 EXPECT_TRUE(cert_db_->ImportServerCert(
739 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
740 EXPECT_EQ(0U, failed.size());
741 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
742 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
744 // Server cert should verify.
745 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
746 int flags = 0;
747 CertVerifyResult verify_result;
748 int error = verify_proc->Verify(certs[0].get(),
749 "127.0.0.1",
750 flags,
751 NULL,
752 empty_cert_list_,
753 &verify_result);
754 EXPECT_EQ(OK, error);
755 EXPECT_EQ(0U, verify_result.cert_status);
757 // Trust the root cert and distrust the intermediate.
758 EXPECT_TRUE(cert_db_->SetCertTrust(
759 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL));
760 EXPECT_TRUE(cert_db_->SetCertTrust(
761 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL));
762 EXPECT_EQ(
763 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA),
764 ca_certs[0]->os_cert_handle()->trust->sslFlags);
765 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
766 ca_certs[0]->os_cert_handle()->trust->emailFlags);
767 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
768 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags);
769 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
770 intermediate_certs[0]->os_cert_handle()->trust->sslFlags);
771 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
772 intermediate_certs[0]->os_cert_handle()->trust->emailFlags);
773 EXPECT_EQ(
774 unsigned(CERTDB_VALID_CA),
775 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags);
777 // Server cert should fail to verify.
778 CertVerifyResult verify_result2;
779 error = verify_proc->Verify(certs[0].get(),
780 "127.0.0.1",
781 flags,
782 NULL,
783 empty_cert_list_,
784 &verify_result2);
785 EXPECT_EQ(ERR_CERT_REVOKED, error);
786 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status);
789 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) {
790 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
791 // See http://bugzil.la/863947 for details.
792 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
793 return;
796 NSSCertDatabase::ImportCertFailureList failed;
798 CertificateList intermediate_certs = CreateCertificateListFromFile(
799 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
800 X509Certificate::FORMAT_AUTO);
801 ASSERT_EQ(1U, intermediate_certs.size());
803 // Import Intermediate CA cert and trust it.
804 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
805 NSSCertDatabase::TRUSTED_SSL, &failed));
806 EXPECT_EQ(0U, failed.size());
808 CertificateList certs = CreateCertificateListFromFile(
809 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
810 X509Certificate::FORMAT_AUTO);
811 ASSERT_EQ(1U, certs.size());
813 // Import server cert with default trust.
814 EXPECT_TRUE(cert_db_->ImportServerCert(
815 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
816 EXPECT_EQ(0U, failed.size());
817 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
818 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
820 // Server cert should verify.
821 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
822 int flags = 0;
823 CertVerifyResult verify_result;
824 int error = verify_proc->Verify(certs[0].get(),
825 "127.0.0.1",
826 flags,
827 NULL,
828 empty_cert_list_,
829 &verify_result);
830 EXPECT_EQ(OK, error);
831 EXPECT_EQ(0U, verify_result.cert_status);
833 // Without explicit trust of the intermediate, verification should fail.
834 EXPECT_TRUE(cert_db_->SetCertTrust(
835 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
837 // Server cert should fail to verify.
838 CertVerifyResult verify_result2;
839 error = verify_proc->Verify(certs[0].get(),
840 "127.0.0.1",
841 flags,
842 NULL,
843 empty_cert_list_,
844 &verify_result2);
845 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
846 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
849 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) {
850 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
851 // See http://bugzil.la/863947 for details.
852 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
853 return;
856 NSSCertDatabase::ImportCertFailureList failed;
858 CertificateList ca_certs = CreateCertificateListFromFile(
859 GetTestCertsDirectory(), "2048-rsa-root.pem",
860 X509Certificate::FORMAT_AUTO);
861 ASSERT_EQ(1U, ca_certs.size());
863 // Import Root CA cert and default trust it.
864 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT,
865 &failed));
866 EXPECT_EQ(0U, failed.size());
868 CertificateList intermediate_certs = CreateCertificateListFromFile(
869 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
870 X509Certificate::FORMAT_AUTO);
871 ASSERT_EQ(1U, intermediate_certs.size());
873 // Import Intermediate CA cert and trust it.
874 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
875 NSSCertDatabase::TRUSTED_SSL, &failed));
876 EXPECT_EQ(0U, failed.size());
878 CertificateList certs = CreateCertificateListFromFile(
879 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
880 X509Certificate::FORMAT_AUTO);
881 ASSERT_EQ(1U, certs.size());
883 // Import server cert with default trust.
884 EXPECT_TRUE(cert_db_->ImportServerCert(
885 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
886 EXPECT_EQ(0U, failed.size());
887 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
888 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
890 // Server cert should verify.
891 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
892 int flags = 0;
893 CertVerifyResult verify_result;
894 int error = verify_proc->Verify(certs[0].get(),
895 "127.0.0.1",
896 flags,
897 NULL,
898 empty_cert_list_,
899 &verify_result);
900 EXPECT_EQ(OK, error);
901 EXPECT_EQ(0U, verify_result.cert_status);
903 // Without explicit trust of the intermediate, verification should fail.
904 EXPECT_TRUE(cert_db_->SetCertTrust(
905 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
907 // Server cert should fail to verify.
908 CertVerifyResult verify_result2;
909 error = verify_proc->Verify(certs[0].get(),
910 "127.0.0.1",
911 flags,
912 NULL,
913 empty_cert_list_,
914 &verify_result2);
915 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
916 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
919 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
920 NSSCertDatabase::ImportCertFailureList failed;
922 CertificateList ca_certs = CreateCertificateListFromFile(
923 GetTestCertsDirectory(), "2048-rsa-root.pem",
924 X509Certificate::FORMAT_AUTO);
925 ASSERT_EQ(1U, ca_certs.size());
927 // Import Root CA cert and trust it.
928 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
929 &failed));
930 EXPECT_EQ(0U, failed.size());
932 CertificateList intermediate_certs = CreateCertificateListFromFile(
933 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
934 X509Certificate::FORMAT_AUTO);
935 ASSERT_EQ(1U, intermediate_certs.size());
937 // Import Intermediate CA cert and distrust it.
938 EXPECT_TRUE(cert_db_->ImportCACerts(
939 intermediate_certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
940 EXPECT_EQ(0U, failed.size());
942 CertificateList certs = CreateCertificateListFromFile(
943 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
944 X509Certificate::FORMAT_AUTO);
945 ASSERT_EQ(1U, certs.size());
947 // Import server cert with default trust.
948 EXPECT_TRUE(cert_db_->ImportServerCert(
949 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
950 EXPECT_EQ(0U, failed.size());
951 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
952 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
954 // Server cert should not verify.
955 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
956 int flags = 0;
957 CertVerifyResult verify_result;
958 int error = verify_proc->Verify(certs[0].get(),
959 "127.0.0.1",
960 flags,
961 NULL,
962 empty_cert_list_,
963 &verify_result);
964 EXPECT_EQ(ERR_CERT_REVOKED, error);
965 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
967 // Without explicit distrust of the intermediate, verification should succeed.
968 EXPECT_TRUE(cert_db_->SetCertTrust(
969 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
971 // Server cert should verify.
972 CertVerifyResult verify_result2;
973 error = verify_proc->Verify(certs[0].get(),
974 "127.0.0.1",
975 flags,
976 NULL,
977 empty_cert_list_,
978 &verify_result2);
979 EXPECT_EQ(OK, error);
980 EXPECT_EQ(0U, verify_result2.cert_status);
983 // Importing two certificates with the same issuer and subject common name,
984 // but overall distinct subject names, should succeed and generate a unique
985 // nickname for the second certificate.
986 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {
987 CertificateList certs =
988 CreateCertificateListFromFile(GetTestCertsDirectory(),
989 "duplicate_cn_1.pem",
990 X509Certificate::FORMAT_AUTO);
991 ASSERT_EQ(1U, certs.size());
993 EXPECT_EQ(0U, ListCerts().size());
995 // Import server cert with default trust.
996 NSSCertDatabase::ImportCertFailureList failed;
997 EXPECT_TRUE(cert_db_->ImportServerCert(
998 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
999 EXPECT_EQ(0U, failed.size());
1000 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
1001 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
1003 CertificateList new_certs = ListCerts();
1004 ASSERT_EQ(1U, new_certs.size());
1006 // Now attempt to import a different certificate with the same common name.
1007 CertificateList certs2 =
1008 CreateCertificateListFromFile(GetTestCertsDirectory(),
1009 "duplicate_cn_2.pem",
1010 X509Certificate::FORMAT_AUTO);
1011 ASSERT_EQ(1U, certs2.size());
1013 // Import server cert with default trust.
1014 EXPECT_TRUE(cert_db_->ImportServerCert(
1015 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed));
1016 EXPECT_EQ(0U, failed.size());
1017 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
1018 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT));
1020 new_certs = ListCerts();
1021 ASSERT_EQ(2U, new_certs.size());
1022 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname,
1023 new_certs[1]->os_cert_handle()->nickname);
1026 } // namespace net