1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chromeos/network/onc/onc_certificate_importer_impl.h"
13 #include "base/bind.h"
14 #include "base/logging.h"
15 #include "base/strings/string_number_conversions.h"
16 #include "base/test/test_simple_task_runner.h"
17 #include "base/thread_task_runner_handle.h"
18 #include "base/values.h"
19 #include "chromeos/network/onc/onc_test_utils.h"
20 #include "components/onc/onc_constants.h"
21 #include "crypto/scoped_test_nss_db.h"
22 #include "net/base/crypto_module.h"
23 #include "net/cert/cert_type.h"
24 #include "net/cert/nss_cert_database_chromeos.h"
25 #include "net/cert/x509_certificate.h"
26 #include "testing/gtest/include/gtest/gtest.h"
33 #if defined(USE_NSS_CERTS)
34 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
35 // the new name of the macro.
36 #if !defined(CERTDB_TERMINAL_RECORD)
37 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
40 net::CertType
GetCertType(net::X509Certificate::OSCertHandle cert
) {
41 CERTCertTrust trust
= {0};
42 CERT_GetCertTrust(cert
, &trust
);
44 unsigned all_flags
= trust
.sslFlags
| trust
.emailFlags
|
45 trust
.objectSigningFlags
;
47 if (cert
->nickname
&& (all_flags
& CERTDB_USER
))
48 return net::USER_CERT
;
49 if ((all_flags
& CERTDB_VALID_CA
) || CERT_IsCACert(cert
, NULL
))
51 // TODO(mattm): http://crbug.com/128633.
52 if (trust
.sslFlags
& CERTDB_TERMINAL_RECORD
)
53 return net::SERVER_CERT
;
54 return net::OTHER_CERT
;
57 net::CertType
GetCertType(net::X509Certificate::OSCertHandle cert
) {
59 return net::OTHER_CERT
;
61 #endif // USE_NSS_CERTS
65 class ONCCertificateImporterImplTest
: public testing::Test
{
67 ONCCertificateImporterImplTest() {}
68 ~ONCCertificateImporterImplTest() override
{}
70 void SetUp() override
{
71 ASSERT_TRUE(public_nssdb_
.is_open());
72 ASSERT_TRUE(private_nssdb_
.is_open());
74 task_runner_
= new base::TestSimpleTaskRunner();
75 thread_task_runner_handle_
.reset(
76 new base::ThreadTaskRunnerHandle(task_runner_
));
78 test_nssdb_
.reset(new net::NSSCertDatabaseChromeOS(
79 crypto::ScopedPK11Slot(PK11_ReferenceSlot(public_nssdb_
.slot())),
80 crypto::ScopedPK11Slot(PK11_ReferenceSlot(private_nssdb_
.slot()))));
82 // Test db should be empty at start of test.
83 EXPECT_TRUE(ListCertsInPublicSlot().empty());
84 EXPECT_TRUE(ListCertsInPrivateSlot().empty());
87 void TearDown() override
{
88 thread_task_runner_handle_
.reset();
93 void OnImportCompleted(bool expected_success
,
95 const net::CertificateList
& onc_trusted_certificates
) {
96 EXPECT_EQ(expected_success
, success
);
97 web_trust_certificates_
= onc_trusted_certificates
;
100 void AddCertificatesFromFile(std::string filename
, bool expected_success
) {
101 scoped_ptr
<base::DictionaryValue
> onc
=
102 test_utils::ReadTestDictionary(filename
);
103 scoped_ptr
<base::Value
> certificates_value
;
104 base::ListValue
* certificates
= NULL
;
105 onc
->RemoveWithoutPathExpansion(::onc::toplevel_config::kCertificates
,
106 &certificates_value
);
107 certificates_value
.release()->GetAsList(&certificates
);
108 onc_certificates_
.reset(certificates
);
110 web_trust_certificates_
.clear();
111 CertificateImporterImpl
importer(task_runner_
, test_nssdb_
.get());
112 importer
.ImportCertificates(
114 ::onc::ONC_SOURCE_USER_IMPORT
, // allow web trust
115 base::Bind(&ONCCertificateImporterImplTest::OnImportCompleted
,
116 base::Unretained(this),
119 task_runner_
->RunUntilIdle();
121 public_list_
= ListCertsInPublicSlot();
122 private_list_
= ListCertsInPrivateSlot();
125 void AddCertificateFromFile(std::string filename
,
126 net::CertType expected_type
,
128 std::string guid_temporary
;
130 guid
= &guid_temporary
;
132 AddCertificatesFromFile(filename
, true);
134 if (expected_type
== net::SERVER_CERT
|| expected_type
== net::CA_CERT
) {
135 ASSERT_EQ(1u, public_list_
.size());
136 EXPECT_EQ(expected_type
, GetCertType(public_list_
[0]->os_cert_handle()));
137 EXPECT_TRUE(private_list_
.empty());
138 } else { // net::USER_CERT
139 EXPECT_TRUE(public_list_
.empty());
140 ASSERT_EQ(1u, private_list_
.size());
141 EXPECT_EQ(expected_type
, GetCertType(private_list_
[0]->os_cert_handle()));
144 base::DictionaryValue
* certificate
= NULL
;
145 onc_certificates_
->GetDictionary(0, &certificate
);
146 certificate
->GetStringWithoutPathExpansion(::onc::certificate::kGUID
, guid
);
149 // Certificates and the NSSCertDatabase depend on these test DBs. Destroy them
151 crypto::ScopedTestNSSDB public_nssdb_
;
152 crypto::ScopedTestNSSDB private_nssdb_
;
154 scoped_refptr
<base::TestSimpleTaskRunner
> task_runner_
;
155 scoped_ptr
<base::ThreadTaskRunnerHandle
> thread_task_runner_handle_
;
156 scoped_ptr
<net::NSSCertDatabaseChromeOS
> test_nssdb_
;
157 scoped_ptr
<base::ListValue
> onc_certificates_
;
158 // List of certs in the nssdb's public slot.
159 net::CertificateList public_list_
;
160 // List of certs in the nssdb's "private" slot.
161 net::CertificateList private_list_
;
162 net::CertificateList web_trust_certificates_
;
165 net::CertificateList
ListCertsInPublicSlot() {
166 return ListCertsInSlot(public_nssdb_
.slot());
169 net::CertificateList
ListCertsInPrivateSlot() {
170 return ListCertsInSlot(private_nssdb_
.slot());
173 net::CertificateList
ListCertsInSlot(PK11SlotInfo
* slot
) {
174 net::CertificateList result
;
175 CERTCertList
* cert_list
= PK11_ListCertsInSlot(slot
);
176 for (CERTCertListNode
* node
= CERT_LIST_HEAD(cert_list
);
177 !CERT_LIST_END(node
, cert_list
);
178 node
= CERT_LIST_NEXT(node
)) {
179 result
.push_back(net::X509Certificate::CreateFromHandle(
180 node
->cert
, net::X509Certificate::OSCertHandles()));
182 CERT_DestroyCertList(cert_list
);
184 // Sort the result so that test comparisons can be deterministic.
185 std::sort(result
.begin(), result
.end(), net::X509Certificate::LessThan());
190 TEST_F(ONCCertificateImporterImplTest
, MultipleCertificates
) {
191 AddCertificatesFromFile("managed_toplevel2.onc", true);
192 EXPECT_EQ(onc_certificates_
->GetSize(), public_list_
.size());
193 EXPECT_TRUE(private_list_
.empty());
194 EXPECT_EQ(2ul, public_list_
.size());
197 TEST_F(ONCCertificateImporterImplTest
, MultipleCertificatesWithFailures
) {
198 AddCertificatesFromFile("toplevel_partially_invalid.onc", false);
199 EXPECT_EQ(3ul, onc_certificates_
->GetSize());
200 EXPECT_EQ(1ul, private_list_
.size());
201 EXPECT_TRUE(public_list_
.empty());
204 TEST_F(ONCCertificateImporterImplTest
, AddClientCertificate
) {
206 AddCertificateFromFile("certificate-client.onc", net::USER_CERT
, &guid
);
207 EXPECT_TRUE(web_trust_certificates_
.empty());
208 EXPECT_EQ(1ul, private_list_
.size());
209 EXPECT_TRUE(public_list_
.empty());
211 SECKEYPrivateKeyList
* privkey_list
=
212 PK11_ListPrivKeysInSlot(private_nssdb_
.slot(), NULL
, NULL
);
213 EXPECT_TRUE(privkey_list
);
215 SECKEYPrivateKeyListNode
* node
= PRIVKEY_LIST_HEAD(privkey_list
);
217 while (!PRIVKEY_LIST_END(node
, privkey_list
)) {
218 char* name
= PK11_GetPrivateKeyNickname(node
->key
);
219 EXPECT_STREQ(guid
.c_str(), name
);
222 node
= PRIVKEY_LIST_NEXT(node
);
225 SECKEY_DestroyPrivateKeyList(privkey_list
);
228 SECKEYPublicKeyList
* pubkey_list
=
229 PK11_ListPublicKeysInSlot(private_nssdb_
.slot(), NULL
);
230 EXPECT_TRUE(pubkey_list
);
232 SECKEYPublicKeyListNode
* node
= PUBKEY_LIST_HEAD(pubkey_list
);
234 while (!PUBKEY_LIST_END(node
, pubkey_list
)) {
236 node
= PUBKEY_LIST_NEXT(node
);
239 SECKEY_DestroyPublicKeyList(pubkey_list
);
243 TEST_F(ONCCertificateImporterImplTest
, AddServerCertificateWithWebTrust
) {
244 AddCertificateFromFile("certificate-server.onc", net::SERVER_CERT
, NULL
);
246 SECKEYPrivateKeyList
* privkey_list
=
247 PK11_ListPrivKeysInSlot(private_nssdb_
.slot(), NULL
, NULL
);
248 EXPECT_FALSE(privkey_list
);
250 SECKEYPublicKeyList
* pubkey_list
=
251 PK11_ListPublicKeysInSlot(private_nssdb_
.slot(), NULL
);
252 EXPECT_FALSE(pubkey_list
);
254 ASSERT_EQ(1u, web_trust_certificates_
.size());
255 ASSERT_EQ(1u, public_list_
.size());
256 EXPECT_TRUE(private_list_
.empty());
257 EXPECT_TRUE(CERT_CompareCerts(public_list_
[0]->os_cert_handle(),
258 web_trust_certificates_
[0]->os_cert_handle()));
261 TEST_F(ONCCertificateImporterImplTest
, AddWebAuthorityCertificateWithWebTrust
) {
262 AddCertificateFromFile("certificate-web-authority.onc", net::CA_CERT
, NULL
);
264 SECKEYPrivateKeyList
* privkey_list
=
265 PK11_ListPrivKeysInSlot(private_nssdb_
.slot(), NULL
, NULL
);
266 EXPECT_FALSE(privkey_list
);
268 SECKEYPublicKeyList
* pubkey_list
=
269 PK11_ListPublicKeysInSlot(private_nssdb_
.slot(), NULL
);
270 EXPECT_FALSE(pubkey_list
);
272 ASSERT_EQ(1u, web_trust_certificates_
.size());
273 ASSERT_EQ(1u, public_list_
.size());
274 EXPECT_TRUE(private_list_
.empty());
275 EXPECT_TRUE(CERT_CompareCerts(public_list_
[0]->os_cert_handle(),
276 web_trust_certificates_
[0]->os_cert_handle()));
279 TEST_F(ONCCertificateImporterImplTest
, AddAuthorityCertificateWithoutWebTrust
) {
280 AddCertificateFromFile("certificate-authority.onc", net::CA_CERT
, NULL
);
281 EXPECT_TRUE(web_trust_certificates_
.empty());
283 SECKEYPrivateKeyList
* privkey_list
=
284 PK11_ListPrivKeysInSlot(private_nssdb_
.slot(), NULL
, NULL
);
285 EXPECT_FALSE(privkey_list
);
287 SECKEYPublicKeyList
* pubkey_list
=
288 PK11_ListPublicKeysInSlot(private_nssdb_
.slot(), NULL
);
289 EXPECT_FALSE(pubkey_list
);
293 CertParam(net::CertType certificate_type
,
294 const char* original_filename
,
295 const char* update_filename
)
296 : cert_type(certificate_type
),
297 original_file(original_filename
),
298 update_file(update_filename
) {}
300 net::CertType cert_type
;
301 const char* original_file
;
302 const char* update_file
;
305 class ONCCertificateImporterImplTestWithParam
:
306 public ONCCertificateImporterImplTest
,
307 public testing::WithParamInterface
<CertParam
> {
310 TEST_P(ONCCertificateImporterImplTestWithParam
, UpdateCertificate
) {
311 // First we import a certificate.
313 SCOPED_TRACE("Import original certificate");
314 AddCertificateFromFile(GetParam().original_file
, GetParam().cert_type
,
318 // Now we import the same certificate with a different GUID. In case of a
319 // client cert, the cert should be retrievable via the new GUID.
321 SCOPED_TRACE("Import updated certificate");
322 AddCertificateFromFile(GetParam().update_file
, GetParam().cert_type
, NULL
);
326 TEST_P(ONCCertificateImporterImplTestWithParam
, ReimportCertificate
) {
327 // Verify that reimporting a client certificate works.
328 for (int i
= 0; i
< 2; ++i
) {
329 SCOPED_TRACE("Import certificate, iteration " + base::IntToString(i
));
330 AddCertificateFromFile(GetParam().original_file
, GetParam().cert_type
,
335 INSTANTIATE_TEST_CASE_P(
336 ONCCertificateImporterImplTestWithParam
,
337 ONCCertificateImporterImplTestWithParam
,
339 CertParam(net::USER_CERT
,
340 "certificate-client.onc",
341 "certificate-client-update.onc"),
342 CertParam(net::SERVER_CERT
,
343 "certificate-server.onc",
344 "certificate-server-update.onc"),
345 CertParam(net::CA_CERT
,
346 "certificate-web-authority.onc",
347 "certificate-web-authority-update.onc")));
350 } // namespace chromeos