Fix "#if defined(DEBUG)" statements
[chromium-blink-merge.git] / net / cert / x509_util_nss_unittest.cc
blob40a8d9c7e931589671690a19befe35b22c764a66
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/cert/x509_util.h"
6 #include "net/cert/x509_util_nss.h"
8 #include <cert.h>
9 #include <secoid.h>
11 #include "base/memory/ref_counted.h"
12 #include "base/memory/scoped_ptr.h"
13 #include "crypto/ec_private_key.h"
14 #include "crypto/scoped_nss_types.h"
15 #include "crypto/signature_verifier.h"
16 #include "net/cert/x509_certificate.h"
17 #include "testing/gtest/include/gtest/gtest.h"
19 namespace net {
21 namespace {
23 CERTCertificate* CreateNSSCertHandleFromBytes(const char* data, size_t length) {
24 SECItem der_cert;
25 der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
26 der_cert.len = length;
27 der_cert.type = siDERCertBuffer;
29 // Parse into a certificate structure.
30 return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL,
31 PR_FALSE, PR_TRUE);
34 #if !defined(OS_WIN) && !defined(OS_MACOSX)
35 void VerifyCertificateSignature(const std::string& der_cert,
36 const std::vector<uint8>& der_spki) {
37 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
39 CERTSignedData sd;
40 memset(&sd, 0, sizeof(sd));
42 SECItem der_cert_item = {
43 siDERCertBuffer,
44 reinterpret_cast<unsigned char*>(const_cast<char*>(der_cert.data())),
45 static_cast<unsigned int>(der_cert.size())
47 SECStatus rv = SEC_ASN1DecodeItem(arena.get(), &sd,
48 SEC_ASN1_GET(CERT_SignedDataTemplate),
49 &der_cert_item);
50 ASSERT_EQ(SECSuccess, rv);
52 // The CERTSignedData.signatureAlgorithm is decoded, but SignatureVerifier
53 // wants the DER encoded form, so re-encode it again.
54 SECItem* signature_algorithm = SEC_ASN1EncodeItem(
55 arena.get(),
56 NULL,
57 &sd.signatureAlgorithm,
58 SEC_ASN1_GET(SECOID_AlgorithmIDTemplate));
59 ASSERT_TRUE(signature_algorithm);
61 crypto::SignatureVerifier verifier;
62 bool ok = verifier.VerifyInit(
63 signature_algorithm->data,
64 signature_algorithm->len,
65 sd.signature.data,
66 sd.signature.len / 8, // Signature is a BIT STRING, convert to bytes.
67 &der_spki[0],
68 der_spki.size());
70 ASSERT_TRUE(ok);
71 verifier.VerifyUpdate(sd.data.data,
72 sd.data.len);
74 ok = verifier.VerifyFinal();
75 EXPECT_TRUE(ok);
77 #endif // !defined(OS_WIN) && !defined(OS_MACOSX)
79 void VerifyChannelID(const std::string& domain,
80 const std::string& der_cert) {
81 // Origin Bound Cert OID.
82 static const char oid_string[] = "1.3.6.1.4.1.11129.2.1.6";
84 // Create object neccessary for extension lookup call.
85 SECItem extension_object = {
86 siAsciiString,
87 (unsigned char*)domain.data(),
88 static_cast<unsigned int>(domain.size())
91 // IA5Encode and arena allocate SECItem.
92 PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
93 SECItem* expected = SEC_ASN1EncodeItem(arena,
94 NULL,
95 &extension_object,
96 SEC_ASN1_GET(SEC_IA5StringTemplate));
98 ASSERT_NE(static_cast<SECItem*>(NULL), expected);
100 // Create OID SECItem.
101 SECItem ob_cert_oid = { siDEROID, NULL, 0 };
102 SECStatus ok = SEC_StringToOID(arena, &ob_cert_oid,
103 oid_string, 0);
105 ASSERT_EQ(SECSuccess, ok);
107 SECOidTag ob_cert_oid_tag = SECOID_FindOIDTag(&ob_cert_oid);
109 ASSERT_NE(SEC_OID_UNKNOWN, ob_cert_oid_tag);
111 // This test is run on Mac and Win where X509Certificate::os_cert_handle isn't
112 // an NSS type, so we have to manually create a NSS certificate object so we
113 // can use CERT_FindCertExtension. We also check the subject and validity
114 // times using NSS since X509Certificate will fail with EC certs on OSX 10.5
115 // (http://crbug.com/101231).
116 CERTCertificate* nss_cert = CreateNSSCertHandleFromBytes(
117 der_cert.data(), der_cert.size());
119 char* common_name = CERT_GetCommonName(&nss_cert->subject);
120 ASSERT_TRUE(common_name);
121 EXPECT_STREQ("anonymous.invalid", common_name);
122 PORT_Free(common_name);
123 EXPECT_EQ(SECSuccess, CERT_CertTimesValid(nss_cert));
125 // Lookup Origin Bound Cert extension in generated cert.
126 SECItem actual = { siBuffer, NULL, 0 };
127 ok = CERT_FindCertExtension(nss_cert,
128 ob_cert_oid_tag,
129 &actual);
130 CERT_DestroyCertificate(nss_cert);
131 ASSERT_EQ(SECSuccess, ok);
133 // Compare expected and actual extension values.
134 PRBool result = SECITEM_ItemsAreEqual(expected, &actual);
135 ASSERT_TRUE(result);
137 // Do Cleanup.
138 SECITEM_FreeItem(&actual, PR_FALSE);
139 PORT_FreeArena(arena, PR_FALSE);
142 } // namespace
144 // This test creates a domain-bound cert and an EC private key and
145 // then verifies the content of the certificate.
146 TEST(X509UtilNSSTest, CreateKeyAndChannelIDEC) {
147 // Create a sample ASCII weborigin.
148 std::string domain = "weborigin.com";
149 base::Time now = base::Time::Now();
151 scoped_ptr<crypto::ECPrivateKey> private_key;
152 std::string der_cert;
153 ASSERT_TRUE(x509_util::CreateKeyAndChannelIDEC(
154 domain, 1,
155 now,
156 now + base::TimeDelta::FromDays(1),
157 &private_key,
158 &der_cert));
160 VerifyChannelID(domain, der_cert);
162 #if !defined(OS_WIN) && !defined(OS_MACOSX)
163 // signature_verifier_win and signature_verifier_mac can't handle EC certs.
164 std::vector<uint8> spki;
165 ASSERT_TRUE(private_key->ExportPublicKey(&spki));
166 VerifyCertificateSignature(der_cert, spki);
167 #endif
170 } // namespace net