1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chromeos/cert_loader.h"
8 #include "base/file_util.h"
9 #include "base/memory/scoped_ptr.h"
10 #include "base/message_loop/message_loop.h"
11 #include "base/run_loop.h"
12 #include "crypto/nss_util.h"
13 #include "crypto/nss_util_internal.h"
14 #include "crypto/scoped_nss_types.h"
15 #include "net/base/net_errors.h"
16 #include "net/base/test_data_directory.h"
17 #include "net/cert/nss_cert_database_chromeos.h"
18 #include "net/cert/x509_certificate.h"
19 #include "net/test/cert_test_util.h"
20 #include "testing/gtest/include/gtest/gtest.h"
25 bool IsCertInCertificateList(const net::X509Certificate
* cert
,
26 const net::CertificateList
& cert_list
) {
27 for (net::CertificateList::const_iterator it
= cert_list
.begin();
28 it
!= cert_list
.end();
30 if (net::X509Certificate::IsSameOSCert((*it
)->os_cert_handle(),
31 cert
->os_cert_handle())) {
38 void FailOnPrivateSlotCallback(crypto::ScopedPK11Slot slot
) {
39 EXPECT_FALSE(true) << "GetPrivateSlotForChromeOSUser callback called even "
40 << "though the private slot had been initialized.";
43 class CertLoaderTest
: public testing::Test
,
44 public CertLoader::Observer
{
46 CertLoaderTest() : cert_loader_(NULL
),
47 primary_user_("primary"),
48 certificates_loaded_events_count_(0U) {
51 virtual ~CertLoaderTest() {}
53 virtual void SetUp() OVERRIDE
{
54 ASSERT_TRUE(primary_user_
.constructed_successfully());
56 crypto::GetPublicSlotForChromeOSUser(primary_user_
.username_hash()));
58 CertLoader::Initialize();
59 cert_loader_
= CertLoader::Get();
60 cert_loader_
->AddObserver(this);
63 virtual void TearDown() {
64 cert_loader_
->RemoveObserver(this);
65 CertLoader::Shutdown();
69 void StartCertLoaderWithPrimaryUser() {
70 FinishUserInitAndGetDatabase(&primary_user_
, &primary_db_
);
71 cert_loader_
->StartWithNSSDB(primary_db_
.get());
73 base::RunLoop().RunUntilIdle();
74 GetAndResetCertificatesLoadedEventsCount();
77 // CertLoader::Observer:
78 // The test keeps count of times the observer method was called.
79 virtual void OnCertificatesLoaded(const net::CertificateList
& cert_list
,
80 bool initial_load
) OVERRIDE
{
81 EXPECT_TRUE(certificates_loaded_events_count_
== 0 || !initial_load
);
82 certificates_loaded_events_count_
++;
85 // Returns the number of |OnCertificatesLoaded| calls observed since the
86 // last call to this method equals |value|.
87 size_t GetAndResetCertificatesLoadedEventsCount() {
88 size_t result
= certificates_loaded_events_count_
;
89 certificates_loaded_events_count_
= 0;
93 // Finishes initialization for the |user| and returns a user's NSS database
95 void FinishUserInitAndGetDatabase(
96 crypto::ScopedTestNSSChromeOSUser
* user
,
97 scoped_ptr
<net::NSSCertDatabaseChromeOS
>* database
) {
98 ASSERT_TRUE(user
->constructed_successfully());
102 crypto::ScopedPK11Slot
private_slot(
103 crypto::GetPrivateSlotForChromeOSUser(
104 user
->username_hash(),
105 base::Bind(&FailOnPrivateSlotCallback
)));
106 ASSERT_TRUE(private_slot
);
108 database
->reset(new net::NSSCertDatabaseChromeOS(
109 crypto::GetPublicSlotForChromeOSUser(user
->username_hash()),
110 private_slot
.Pass()));
111 (*database
)->SetSlowTaskRunnerForTest(message_loop_
.message_loop_proxy());
114 int GetDbPrivateSlotId(net::NSSCertDatabase
* db
) {
115 return static_cast<int>(PK11_GetSlotID(db
->GetPrivateSlot().get()));
118 void ImportCACert(const std::string
& cert_file
,
119 net::NSSCertDatabase
* database
,
120 net::CertificateList
* imported_certs
) {
121 ASSERT_TRUE(database
);
122 ASSERT_TRUE(imported_certs
);
124 // Add a certificate to the user's db.
125 *imported_certs
= net::CreateCertificateListFromFile(
126 net::GetTestCertsDirectory(),
128 net::X509Certificate::FORMAT_AUTO
);
129 ASSERT_EQ(1U, imported_certs
->size());
131 net::NSSCertDatabase::ImportCertFailureList failed
;
132 ASSERT_TRUE(database
->ImportCACerts(*imported_certs
,
133 net::NSSCertDatabase::TRUST_DEFAULT
,
135 ASSERT_TRUE(failed
.empty());
138 void ImportClientCertAndKey(const std::string
& pkcs12_file
,
139 net::NSSCertDatabase
* database
,
140 net::CertificateList
* imported_certs
) {
141 ASSERT_TRUE(database
);
142 ASSERT_TRUE(imported_certs
);
144 std::string pkcs12_data
;
145 base::FilePath pkcs12_file_path
=
146 net::GetTestCertsDirectory().Append(pkcs12_file
);
147 ASSERT_TRUE(base::ReadFileToString(pkcs12_file_path
, &pkcs12_data
));
149 net::CertificateList client_cert_list
;
150 scoped_refptr
<net::CryptoModule
> module(net::CryptoModule::CreateFromHandle(
151 database
->GetPrivateSlot().get()));
154 database
->ImportFromPKCS12(module
, pkcs12_data
, base::string16(), false,
156 ASSERT_EQ(1U, imported_certs
->size());
159 CertLoader
* cert_loader_
;
161 // The user is primary as the one whose certificates CertLoader handles, it
162 // has nothing to do with crypto::InitializeNSSForChromeOSUser is_primary_user
163 // parameter (which is irrelevant for these tests).
164 crypto::ScopedTestNSSChromeOSUser primary_user_
;
165 scoped_ptr
<net::NSSCertDatabaseChromeOS
> primary_db_
;
167 base::MessageLoop message_loop_
;
170 size_t certificates_loaded_events_count_
;
173 TEST_F(CertLoaderTest
, Basic
) {
174 EXPECT_FALSE(cert_loader_
->CertificatesLoading());
175 EXPECT_FALSE(cert_loader_
->certificates_loaded());
176 EXPECT_FALSE(cert_loader_
->IsHardwareBacked());
178 FinishUserInitAndGetDatabase(&primary_user_
, &primary_db_
);
180 cert_loader_
->StartWithNSSDB(primary_db_
.get());
182 EXPECT_FALSE(cert_loader_
->certificates_loaded());
183 EXPECT_TRUE(cert_loader_
->CertificatesLoading());
184 EXPECT_TRUE(cert_loader_
->cert_list().empty());
186 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
187 base::RunLoop().RunUntilIdle();
188 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
190 EXPECT_TRUE(cert_loader_
->certificates_loaded());
191 EXPECT_FALSE(cert_loader_
->CertificatesLoading());
192 EXPECT_EQ(GetDbPrivateSlotId(primary_db_
.get()),
193 cert_loader_
->TPMTokenSlotID());
195 // Default CA cert roots should get loaded.
196 EXPECT_FALSE(cert_loader_
->cert_list().empty());
199 TEST_F(CertLoaderTest
, CertLoaderUpdatesCertListOnNewCert
) {
200 StartCertLoaderWithPrimaryUser();
202 net::CertificateList certs
;
203 ImportCACert("root_ca_cert.pem", primary_db_
.get(), &certs
);
205 // Certs are loaded asynchronously, so the new cert should not yet be in the
207 EXPECT_FALSE(IsCertInCertificateList(certs
[0], cert_loader_
->cert_list()));
209 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
210 base::RunLoop().RunUntilIdle();
211 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
213 // The certificate list should be updated now, as the message loop's been run.
214 EXPECT_TRUE(IsCertInCertificateList(certs
[0], cert_loader_
->cert_list()));
217 TEST_F(CertLoaderTest
, CertLoaderNoUpdateOnSecondaryDbChanges
) {
218 crypto::ScopedTestNSSChromeOSUser
secondary_user("secondary");
219 scoped_ptr
<net::NSSCertDatabaseChromeOS
> secondary_db
;
221 StartCertLoaderWithPrimaryUser();
222 FinishUserInitAndGetDatabase(&secondary_user
, &secondary_db
);
224 net::CertificateList certs
;
225 ImportCACert("root_ca_cert.pem", secondary_db
.get(), &certs
);
227 base::RunLoop().RunUntilIdle();
229 EXPECT_FALSE(IsCertInCertificateList(certs
[0], cert_loader_
->cert_list()));
232 TEST_F(CertLoaderTest
, ClientLoaderUpdateOnNewClientCert
) {
233 StartCertLoaderWithPrimaryUser();
235 net::CertificateList certs
;
236 ImportClientCertAndKey("websocket_client_cert.p12",
240 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
241 base::RunLoop().RunUntilIdle();
242 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
244 EXPECT_TRUE(IsCertInCertificateList(certs
[0], cert_loader_
->cert_list()));
247 TEST_F(CertLoaderTest
, CertLoaderNoUpdateOnNewClientCertInSecondaryDb
) {
248 crypto::ScopedTestNSSChromeOSUser
secondary_user("secondary");
249 scoped_ptr
<net::NSSCertDatabaseChromeOS
> secondary_db
;
251 StartCertLoaderWithPrimaryUser();
252 FinishUserInitAndGetDatabase(&secondary_user
, &secondary_db
);
254 net::CertificateList certs
;
255 ImportClientCertAndKey("websocket_client_cert.p12",
259 base::RunLoop().RunUntilIdle();
261 EXPECT_FALSE(IsCertInCertificateList(certs
[0], cert_loader_
->cert_list()));
264 TEST_F(CertLoaderTest
, UpdatedOnCertRemoval
) {
265 StartCertLoaderWithPrimaryUser();
267 net::CertificateList certs
;
268 ImportClientCertAndKey("websocket_client_cert.p12",
272 base::RunLoop().RunUntilIdle();
274 ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
275 ASSERT_TRUE(IsCertInCertificateList(certs
[0], cert_loader_
->cert_list()));
277 primary_db_
->DeleteCertAndKey(certs
[0]);
279 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
280 base::RunLoop().RunUntilIdle();
281 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
283 ASSERT_FALSE(IsCertInCertificateList(certs
[0], cert_loader_
->cert_list()));
286 TEST_F(CertLoaderTest
, UpdatedOnCACertTrustChange
) {
287 StartCertLoaderWithPrimaryUser();
289 net::CertificateList certs
;
290 ImportCACert("root_ca_cert.pem", primary_db_
.get(), &certs
);
292 base::RunLoop().RunUntilIdle();
293 ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
294 ASSERT_TRUE(IsCertInCertificateList(certs
[0], cert_loader_
->cert_list()));
296 // The value that should have been set by |ImportCACert|.
297 ASSERT_EQ(net::NSSCertDatabase::TRUST_DEFAULT
,
298 primary_db_
->GetCertTrust(certs
[0], net::CA_CERT
));
299 ASSERT_TRUE(primary_db_
->SetCertTrust(
300 certs
[0], net::CA_CERT
, net::NSSCertDatabase::TRUSTED_SSL
));
302 // Cert trust change should trigger certificate reload in cert_loader_.
303 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
304 base::RunLoop().RunUntilIdle();
305 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
308 TEST_F(CertLoaderTest
, DatabaseWithUnsetSlots
) {
309 primary_db_
.reset(new net::NSSCertDatabaseChromeOS(crypto::ScopedPK11Slot(),
310 crypto::ScopedPK11Slot()));
311 primary_db_
->SetSlowTaskRunnerForTest(message_loop_
.message_loop_proxy());
312 cert_loader_
->StartWithNSSDB(primary_db_
.get());
314 base::RunLoop().RunUntilIdle();
315 EXPECT_EQ(1u, GetAndResetCertificatesLoadedEventsCount());
317 EXPECT_TRUE(cert_loader_
->certificates_loaded());
318 EXPECT_EQ(-1, cert_loader_
->TPMTokenSlotID());
319 EXPECT_FALSE(cert_loader_
->IsHardwareBacked());
323 } // namespace chromeos