1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/files/file_path.h"
6 #include "build/build_config.h"
7 #include "net/base/net_errors.h"
8 #include "net/base/test_data_directory.h"
9 #include "net/cert/cert_status_flags.h"
10 #include "net/cert/cert_verify_proc.h"
11 #include "net/cert/cert_verify_result.h"
12 #include "net/cert/test_root_certs.h"
13 #include "net/cert/x509_certificate.h"
14 #include "net/test/cert_test_util.h"
15 #include "testing/gtest/include/gtest/gtest.h"
17 #if defined(USE_NSS) || defined(OS_IOS)
25 // The local test root certificate.
26 const char kRootCertificateFile
[] = "root_ca_cert.pem";
27 // A certificate issued by the local test root for 127.0.0.1.
28 const char kGoodCertificateFile
[] = "ok_cert.pem";
32 // Test basic functionality when adding from an existing X509Certificate.
33 TEST(TestRootCertsTest
, AddFromPointer
) {
34 scoped_refptr
<X509Certificate
> root_cert
=
35 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile
);
36 ASSERT_NE(static_cast<X509Certificate
*>(NULL
), root_cert
.get());
38 TestRootCerts
* test_roots
= TestRootCerts::GetInstance();
39 ASSERT_NE(static_cast<TestRootCerts
*>(NULL
), test_roots
);
40 EXPECT_TRUE(test_roots
->IsEmpty());
42 EXPECT_TRUE(test_roots
->Add(root_cert
.get()));
43 EXPECT_FALSE(test_roots
->IsEmpty());
46 EXPECT_TRUE(test_roots
->IsEmpty());
49 // Test basic functionality when adding directly from a file, which should
50 // behave the same as when adding from an existing certificate.
51 TEST(TestRootCertsTest
, AddFromFile
) {
52 TestRootCerts
* test_roots
= TestRootCerts::GetInstance();
53 ASSERT_NE(static_cast<TestRootCerts
*>(NULL
), test_roots
);
54 EXPECT_TRUE(test_roots
->IsEmpty());
56 base::FilePath cert_path
=
57 GetTestCertsDirectory().AppendASCII(kRootCertificateFile
);
58 EXPECT_TRUE(test_roots
->AddFromFile(cert_path
));
59 EXPECT_FALSE(test_roots
->IsEmpty());
62 EXPECT_TRUE(test_roots
->IsEmpty());
65 // Test that TestRootCerts actually adds the appropriate trust status flags
66 // when requested, and that the trusted status is cleared once the root is
67 // removed the TestRootCerts. This test acts as a canary/sanity check for
68 // the results of the rest of net_unittests, ensuring that the trust status
69 // is properly being set and cleared.
70 TEST(TestRootCertsTest
, OverrideTrust
) {
71 #if defined(USE_NSS) || defined(OS_IOS)
72 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
73 // See http://bugzil.la/863947 for details
74 LOG(INFO
) << "Skipping test for NSS 3.14.2 - NSS 3.15";
79 TestRootCerts
* test_roots
= TestRootCerts::GetInstance();
80 ASSERT_NE(static_cast<TestRootCerts
*>(NULL
), test_roots
);
81 EXPECT_TRUE(test_roots
->IsEmpty());
83 scoped_refptr
<X509Certificate
> test_cert
=
84 ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile
);
85 ASSERT_NE(static_cast<X509Certificate
*>(NULL
), test_cert
.get());
87 // Test that the good certificate fails verification, because the root
88 // certificate should not yet be trusted.
90 CertVerifyResult bad_verify_result
;
91 scoped_refptr
<CertVerifyProc
> verify_proc(CertVerifyProc::CreateDefault());
92 int bad_status
= verify_proc
->Verify(test_cert
.get(),
98 EXPECT_NE(OK
, bad_status
);
99 EXPECT_NE(0u, bad_verify_result
.cert_status
& CERT_STATUS_AUTHORITY_INVALID
);
101 // Add the root certificate and mark it as trusted.
102 EXPECT_TRUE(test_roots
->AddFromFile(
103 GetTestCertsDirectory().AppendASCII(kRootCertificateFile
)));
104 EXPECT_FALSE(test_roots
->IsEmpty());
106 // Test that the certificate verification now succeeds, because the
107 // TestRootCerts is successfully imbuing trust.
108 CertVerifyResult good_verify_result
;
109 int good_status
= verify_proc
->Verify(test_cert
.get(),
114 &good_verify_result
);
115 EXPECT_EQ(OK
, good_status
);
116 EXPECT_EQ(0u, good_verify_result
.cert_status
);
119 EXPECT_TRUE(test_roots
->IsEmpty());
121 // Ensure that when the TestRootCerts is cleared, the trust settings
122 // revert to their original state, and don't linger. If trust status
123 // lingers, it will likely break other tests in net_unittests.
124 CertVerifyResult restored_verify_result
;
125 int restored_status
= verify_proc
->Verify(test_cert
.get(),
130 &restored_verify_result
);
131 EXPECT_NE(OK
, restored_status
);
133 restored_verify_result
.cert_status
& CERT_STATUS_AUTHORITY_INVALID
);
134 EXPECT_EQ(bad_status
, restored_status
);
135 EXPECT_EQ(bad_verify_result
.cert_status
, restored_verify_result
.cert_status
);
138 #if defined(USE_NSS) || (defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID))
139 TEST(TestRootCertsTest
, Contains
) {
140 // Another test root certificate.
141 const char kRootCertificateFile2
[] = "2048-rsa-root.pem";
143 TestRootCerts
* test_roots
= TestRootCerts::GetInstance();
144 ASSERT_NE(static_cast<TestRootCerts
*>(NULL
), test_roots
);
146 scoped_refptr
<X509Certificate
> root_cert_1
=
147 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile
);
148 ASSERT_NE(static_cast<X509Certificate
*>(NULL
), root_cert_1
.get());
150 scoped_refptr
<X509Certificate
> root_cert_2
=
151 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile2
);
152 ASSERT_NE(static_cast<X509Certificate
*>(NULL
), root_cert_2
.get());
154 EXPECT_FALSE(test_roots
->Contains(root_cert_1
->os_cert_handle()));
155 EXPECT_FALSE(test_roots
->Contains(root_cert_2
->os_cert_handle()));
157 EXPECT_TRUE(test_roots
->Add(root_cert_1
.get()));
158 EXPECT_TRUE(test_roots
->Contains(root_cert_1
->os_cert_handle()));
159 EXPECT_FALSE(test_roots
->Contains(root_cert_2
->os_cert_handle()));
161 EXPECT_TRUE(test_roots
->Add(root_cert_2
.get()));
162 EXPECT_TRUE(test_roots
->Contains(root_cert_1
->os_cert_handle()));
163 EXPECT_TRUE(test_roots
->Contains(root_cert_2
->os_cert_handle()));
166 EXPECT_FALSE(test_roots
->Contains(root_cert_1
->os_cert_handle()));
167 EXPECT_FALSE(test_roots
->Contains(root_cert_2
->os_cert_handle()));
171 // TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that
172 // TestRootCerts properly injects itself into the validation process. See
173 // http://crbug.com/63958