We started redesigning GpuMemoryBuffer interface to handle multiple buffers [0].
[chromium-blink-merge.git] / net / cert / test_root_certs_unittest.cc
bloba2cf695f95fe9bf1da1b23f7c9c83589bb53fb7c
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/files/file_path.h"
6 #include "build/build_config.h"
7 #include "net/base/net_errors.h"
8 #include "net/base/test_data_directory.h"
9 #include "net/cert/cert_status_flags.h"
10 #include "net/cert/cert_verify_proc.h"
11 #include "net/cert/cert_verify_result.h"
12 #include "net/cert/test_root_certs.h"
13 #include "net/cert/x509_certificate.h"
14 #include "net/test/cert_test_util.h"
15 #include "testing/gtest/include/gtest/gtest.h"
17 #if defined(USE_NSS) || defined(OS_IOS)
18 #include <nss.h>
19 #endif
21 namespace net {
23 namespace {
25 // The local test root certificate.
26 const char kRootCertificateFile[] = "root_ca_cert.pem";
27 // A certificate issued by the local test root for 127.0.0.1.
28 const char kGoodCertificateFile[] = "ok_cert.pem";
30 } // namespace
32 // Test basic functionality when adding from an existing X509Certificate.
33 TEST(TestRootCertsTest, AddFromPointer) {
34 scoped_refptr<X509Certificate> root_cert =
35 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
36 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
38 TestRootCerts* test_roots = TestRootCerts::GetInstance();
39 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
40 EXPECT_TRUE(test_roots->IsEmpty());
42 EXPECT_TRUE(test_roots->Add(root_cert.get()));
43 EXPECT_FALSE(test_roots->IsEmpty());
45 test_roots->Clear();
46 EXPECT_TRUE(test_roots->IsEmpty());
49 // Test basic functionality when adding directly from a file, which should
50 // behave the same as when adding from an existing certificate.
51 TEST(TestRootCertsTest, AddFromFile) {
52 TestRootCerts* test_roots = TestRootCerts::GetInstance();
53 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
54 EXPECT_TRUE(test_roots->IsEmpty());
56 base::FilePath cert_path =
57 GetTestCertsDirectory().AppendASCII(kRootCertificateFile);
58 EXPECT_TRUE(test_roots->AddFromFile(cert_path));
59 EXPECT_FALSE(test_roots->IsEmpty());
61 test_roots->Clear();
62 EXPECT_TRUE(test_roots->IsEmpty());
65 // Test that TestRootCerts actually adds the appropriate trust status flags
66 // when requested, and that the trusted status is cleared once the root is
67 // removed the TestRootCerts. This test acts as a canary/sanity check for
68 // the results of the rest of net_unittests, ensuring that the trust status
69 // is properly being set and cleared.
70 TEST(TestRootCertsTest, OverrideTrust) {
71 #if defined(USE_NSS) || defined(OS_IOS)
72 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
73 // See http://bugzil.la/863947 for details
74 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
75 return;
77 #endif
79 TestRootCerts* test_roots = TestRootCerts::GetInstance();
80 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
81 EXPECT_TRUE(test_roots->IsEmpty());
83 scoped_refptr<X509Certificate> test_cert =
84 ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile);
85 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert.get());
87 // Test that the good certificate fails verification, because the root
88 // certificate should not yet be trusted.
89 int flags = 0;
90 CertVerifyResult bad_verify_result;
91 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
92 int bad_status = verify_proc->Verify(test_cert.get(),
93 "127.0.0.1",
94 flags,
95 NULL,
96 CertificateList(),
97 &bad_verify_result);
98 EXPECT_NE(OK, bad_status);
99 EXPECT_NE(0u, bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
101 // Add the root certificate and mark it as trusted.
102 EXPECT_TRUE(test_roots->AddFromFile(
103 GetTestCertsDirectory().AppendASCII(kRootCertificateFile)));
104 EXPECT_FALSE(test_roots->IsEmpty());
106 // Test that the certificate verification now succeeds, because the
107 // TestRootCerts is successfully imbuing trust.
108 CertVerifyResult good_verify_result;
109 int good_status = verify_proc->Verify(test_cert.get(),
110 "127.0.0.1",
111 flags,
112 NULL,
113 CertificateList(),
114 &good_verify_result);
115 EXPECT_EQ(OK, good_status);
116 EXPECT_EQ(0u, good_verify_result.cert_status);
118 test_roots->Clear();
119 EXPECT_TRUE(test_roots->IsEmpty());
121 // Ensure that when the TestRootCerts is cleared, the trust settings
122 // revert to their original state, and don't linger. If trust status
123 // lingers, it will likely break other tests in net_unittests.
124 CertVerifyResult restored_verify_result;
125 int restored_status = verify_proc->Verify(test_cert.get(),
126 "127.0.0.1",
127 flags,
128 NULL,
129 CertificateList(),
130 &restored_verify_result);
131 EXPECT_NE(OK, restored_status);
132 EXPECT_NE(0u,
133 restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
134 EXPECT_EQ(bad_status, restored_status);
135 EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status);
138 #if defined(USE_NSS) || (defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID))
139 TEST(TestRootCertsTest, Contains) {
140 // Another test root certificate.
141 const char kRootCertificateFile2[] = "2048-rsa-root.pem";
143 TestRootCerts* test_roots = TestRootCerts::GetInstance();
144 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
146 scoped_refptr<X509Certificate> root_cert_1 =
147 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
148 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_1.get());
150 scoped_refptr<X509Certificate> root_cert_2 =
151 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile2);
152 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_2.get());
154 EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle()));
155 EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle()));
157 EXPECT_TRUE(test_roots->Add(root_cert_1.get()));
158 EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle()));
159 EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle()));
161 EXPECT_TRUE(test_roots->Add(root_cert_2.get()));
162 EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle()));
163 EXPECT_TRUE(test_roots->Contains(root_cert_2->os_cert_handle()));
165 test_roots->Clear();
166 EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle()));
167 EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle()));
169 #endif
171 // TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that
172 // TestRootCerts properly injects itself into the validation process. See
173 // http://crbug.com/63958
175 } // namespace net