search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix Telemetry media seek action flakiness.
[chromium-blink-merge.git] / net / cert / nss_cert_database_unittest.cc
blob2e712bb54ad5ec740b5ce04b3c595df47fe2187b
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <cert.h>
6 #include <certdb.h>
7 #include <pk11pub.h>
8
9 #include <algorithm>
10
11 #include "base/file_util.h"
12 #include "base/files/file_path.h"
13 #include "base/lazy_instance.h"
14 #include "base/message_loop/message_loop.h"
15 #include "base/path_service.h"
16 #include "base/strings/string16.h"
17 #include "base/strings/string_util.h"
18 #include "base/strings/utf_string_conversions.h"
19 #include "crypto/nss_util.h"
20 #include "crypto/nss_util_internal.h"
21 #include "crypto/scoped_nss_types.h"
22 #include "net/base/crypto_module.h"
23 #include "net/base/net_errors.h"
24 #include "net/base/test_data_directory.h"
25 #include "net/cert/cert_status_flags.h"
26 #include "net/cert/cert_verify_proc_nss.h"
27 #include "net/cert/cert_verify_result.h"
28 #include "net/cert/nss_cert_database.h"
29 #include "net/cert/x509_certificate.h"
30 #include "net/test/cert_test_util.h"
31 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
32 #include "testing/gtest/include/gtest/gtest.h"
33
34 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
35 // the new name of the macro.
36 #if !defined(CERTDB_TERMINAL_RECORD)
37 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
38 #endif
39
40 namespace net {
41
42 class CertDatabaseNSSTest : public testing::Test {
43 public:
44 virtual void SetUp() {
45 ASSERT_TRUE(test_nssdb_.is_open());
46 cert_db_ = NSSCertDatabase::GetInstance();
47 slot_ = cert_db_->GetPublicModule();
48
49 // Test db should be empty at start of test.
50 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
51 }
52
53 virtual void TearDown() {
54 // Don't try to cleanup if the setup failed.
55 ASSERT_TRUE(slot_->os_module_handle());
56
57 EXPECT_TRUE(CleanupSlotContents());
58
59 // Run the message loop to process any observer callbacks (e.g. for the
60 // ClientSocketFactory singleton) so that the scoped ref ptrs created in
61 // NSSCertDatabase::NotifyObservers* get released.
62 base::MessageLoop::current()->RunUntilIdle();
63
64 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
65 }
66
67 protected:
68 static std::string ReadTestFile(const std::string& name) {
69 std::string result;
70 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name);
71 EXPECT_TRUE(file_util::ReadFileToString(cert_path, &result));
72 return result;
73 }
74
75 static bool ReadCertIntoList(const std::string& name,
76 CertificateList* certs) {
77 scoped_refptr<X509Certificate> cert(
78 ImportCertFromFile(GetTestCertsDirectory(), name));
79 if (!cert.get())
80 return false;
81
82 certs->push_back(cert);
83 return true;
84 }
85
86 static CertificateList ListCertsInSlot(PK11SlotInfo* slot) {
87 CertificateList result;
88 CERTCertList* cert_list = PK11_ListCertsInSlot(slot);
89 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
90 !CERT_LIST_END(node, cert_list);
91 node = CERT_LIST_NEXT(node)) {
92 result.push_back(X509Certificate::CreateFromHandle(
93 node->cert, X509Certificate::OSCertHandles()));
94 }
95 CERT_DestroyCertList(cert_list);
96
97 // Sort the result so that test comparisons can be deterministic.
98 std::sort(result.begin(), result.end(), X509Certificate::LessThan());
99 return result;
100 }
101
102 scoped_refptr<CryptoModule> slot_;
103 NSSCertDatabase* cert_db_;
104 const CertificateList empty_cert_list_;
105
106 private:
107 bool CleanupSlotContents() {
108 bool ok = true;
109 CertificateList certs = ListCertsInSlot(slot_->os_module_handle());
110 CERTCertTrust default_trust = {0};
111 for (size_t i = 0; i < certs.size(); ++i) {
112 // Reset cert trust values to defaults before deleting. Otherwise NSS
113 // somehow seems to remember the trust which can break following tests.
114 SECStatus srv = CERT_ChangeCertTrust(
115 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust);
116 if (srv != SECSuccess)
117 ok = false;
118
119 if (!cert_db_->DeleteCertAndKey(certs[i].get()))
120 ok = false;
121 }
122 return ok;
123 }
124
125 crypto::ScopedTestNSSDB test_nssdb_;
126 };
127
128 TEST_F(CertDatabaseNSSTest, ListCerts) {
129 // This test isn't terribly useful, though it will at least let valgrind test
130 // for leaks.
131 CertificateList certs;
132 cert_db_->ListCerts(&certs);
133 // The test DB is empty, but let's assume there will always be something in
134 // the other slots.
135 EXPECT_LT(0U, certs.size());
136 }
137
138 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {
139 std::string pkcs12_data = ReadTestFile("client.p12");
140
141 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,
142 cert_db_->ImportFromPKCS12(slot_.get(),
143 pkcs12_data,
144 base::string16(),
145 true, // is_extractable
146 NULL));
147
148 // Test db should still be empty.
149 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
150 }
151
152 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {
153 std::string pkcs12_data = ReadTestFile("client.p12");
154
155 EXPECT_EQ(OK,
156 cert_db_->ImportFromPKCS12(slot_.get(),
157 pkcs12_data,
158 ASCIIToUTF16("12345"),
159 true, // is_extractable
160 NULL));
161
162 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
163 ASSERT_EQ(1U, cert_list.size());
164 scoped_refptr<X509Certificate> cert(cert_list[0]);
165
166 EXPECT_EQ("testusercert",
167 cert->subject().common_name);
168
169 // TODO(mattm): move export test to separate test case?
170 std::string exported_data;
171 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
172 &exported_data));
173 ASSERT_LT(0U, exported_data.size());
174 // TODO(mattm): further verification of exported data?
175 }
176
177 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {
178 std::string pkcs12_data = ReadTestFile("client.p12");
179
180 EXPECT_EQ(OK,
181 cert_db_->ImportFromPKCS12(slot_.get(),
182 pkcs12_data,
183 ASCIIToUTF16("12345"),
184 true, // is_extractable
185 NULL));
186 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
187
188 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like
189 // it's ever used. This test verifies that.
190 EXPECT_EQ(OK,
191 cert_db_->ImportFromPKCS12(slot_.get(),
192 pkcs12_data,
193 ASCIIToUTF16("12345"),
194 true, // is_extractable
195 NULL));
196 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
197 }
198
199 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
200 std::string pkcs12_data = ReadTestFile("client.p12");
201
202 EXPECT_EQ(OK,
203 cert_db_->ImportFromPKCS12(slot_.get(),
204 pkcs12_data,
205 ASCIIToUTF16("12345"),
206 false, // is_extractable
207 NULL));
208
209 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
210 ASSERT_EQ(1U, cert_list.size());
211 scoped_refptr<X509Certificate> cert(cert_list[0]);
212
213 EXPECT_EQ("testusercert",
214 cert->subject().common_name);
215
216 std::string exported_data;
217 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
218 &exported_data));
219 }
220
221 // Importing a PKCS#12 file with a certificate but no corresponding
222 // private key should not mark an existing private key as unextractable.
223 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) {
224 std::string pkcs12_data = ReadTestFile("client.p12");
225 EXPECT_EQ(OK,
226 cert_db_->ImportFromPKCS12(slot_.get(),
227 pkcs12_data,
228 ASCIIToUTF16("12345"),
229 true, // is_extractable
230 NULL));
231
232 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
233 ASSERT_EQ(1U, cert_list.size());
234
235 // Now import a PKCS#12 file with just a certificate but no private key.
236 pkcs12_data = ReadTestFile("client-nokey.p12");
237 EXPECT_EQ(OK,
238 cert_db_->ImportFromPKCS12(slot_.get(),
239 pkcs12_data,
240 ASCIIToUTF16("12345"),
241 false, // is_extractable
242 NULL));
243
244 cert_list = ListCertsInSlot(slot_->os_module_handle());
245 ASSERT_EQ(1U, cert_list.size());
246
247 // Make sure the imported private key is still extractable.
248 std::string exported_data;
249 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
250 &exported_data));
251 ASSERT_LT(0U, exported_data.size());
252 }
253
254 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
255 std::string pkcs12_data = "Foobarbaz";
256
257 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,
258 cert_db_->ImportFromPKCS12(slot_.get(),
259 pkcs12_data,
260 base::string16(),
261 true, // is_extractable
262 NULL));
263
264 // Test db should still be empty.
265 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
266 }
267
268 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
269 CertificateList certs = CreateCertificateListFromFile(
270 GetTestCertsDirectory(), "root_ca_cert.pem",
271 X509Certificate::FORMAT_AUTO);
272 ASSERT_EQ(1U, certs.size());
273 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
274
275 // Import it.
276 NSSCertDatabase::ImportCertFailureList failed;
277 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
278 &failed));
279
280 EXPECT_EQ(0U, failed.size());
281
282 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
283 ASSERT_EQ(1U, cert_list.size());
284 scoped_refptr<X509Certificate> cert(cert_list[0]);
285 EXPECT_EQ("Test Root CA", cert->subject().common_name);
286
287 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
288 cert_db_->GetCertTrust(cert.get(), CA_CERT));
289
290 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
291 CERTDB_TRUSTED_CLIENT_CA),
292 cert->os_cert_handle()->trust->sslFlags);
293 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
294 cert->os_cert_handle()->trust->emailFlags);
295 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
296 cert->os_cert_handle()->trust->objectSigningFlags);
297 }
298
299 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
300 CertificateList certs = CreateCertificateListFromFile(
301 GetTestCertsDirectory(), "root_ca_cert.pem",
302 X509Certificate::FORMAT_AUTO);
303 ASSERT_EQ(1U, certs.size());
304 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
305
306 // Import it.
307 NSSCertDatabase::ImportCertFailureList failed;
308 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL,
309 &failed));
310
311 EXPECT_EQ(0U, failed.size());
312
313 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
314 ASSERT_EQ(1U, cert_list.size());
315 scoped_refptr<X509Certificate> cert(cert_list[0]);
316 EXPECT_EQ("Test Root CA", cert->subject().common_name);
317
318 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL,
319 cert_db_->GetCertTrust(cert.get(), CA_CERT));
320
321 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
322 cert->os_cert_handle()->trust->sslFlags);
323 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
324 CERTDB_TRUSTED_CLIENT_CA),
325 cert->os_cert_handle()->trust->emailFlags);
326 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
327 cert->os_cert_handle()->trust->objectSigningFlags);
328 }
329
330 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
331 CertificateList certs = CreateCertificateListFromFile(
332 GetTestCertsDirectory(), "root_ca_cert.pem",
333 X509Certificate::FORMAT_AUTO);
334 ASSERT_EQ(1U, certs.size());
335 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
336
337 // Import it.
338 NSSCertDatabase::ImportCertFailureList failed;
339 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN,
340 &failed));
341
342 EXPECT_EQ(0U, failed.size());
343
344 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
345 ASSERT_EQ(1U, cert_list.size());
346 scoped_refptr<X509Certificate> cert(cert_list[0]);
347 EXPECT_EQ("Test Root CA", cert->subject().common_name);
348
349 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN,
350 cert_db_->GetCertTrust(cert.get(), CA_CERT));
351
352 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
353 cert->os_cert_handle()->trust->sslFlags);
354 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
355 cert->os_cert_handle()->trust->emailFlags);
356 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
357 CERTDB_TRUSTED_CLIENT_CA),
358 cert->os_cert_handle()->trust->objectSigningFlags);
359 }
360
361 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
362 CertificateList certs = CreateCertificateListFromFile(
363 GetTestCertsDirectory(), "ok_cert.pem",
364 X509Certificate::FORMAT_AUTO);
365 ASSERT_EQ(1U, certs.size());
366 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
367
368 // Import it.
369 NSSCertDatabase::ImportCertFailureList failed;
370 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
371 &failed));
372 ASSERT_EQ(1U, failed.size());
373 // Note: this compares pointers directly. It's okay in this case because
374 // ImportCACerts returns the same pointers that were passed in. In the
375 // general case IsSameOSCert should be used.
376 EXPECT_EQ(certs[0], failed[0].certificate);
377 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error);
378
379 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
380 }
381
382 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) {
383 CertificateList certs;
384 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
385 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
386 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
387
388 // Import it.
389 NSSCertDatabase::ImportCertFailureList failed;
390 // Have to specify email trust for the cert verification of the child cert to
391 // work (see
392 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#752
393 // "XXX This choice of trustType seems arbitrary.")
394 EXPECT_TRUE(cert_db_->ImportCACerts(
395 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
396 &failed));
397
398 ASSERT_EQ(2U, failed.size());
399 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
400 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
401 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name);
402 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error);
403
404 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
405 ASSERT_EQ(1U, cert_list.size());
406 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
407 }
408
409 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) {
410 CertificateList certs;
411 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
412
413 // First import just the root.
414 NSSCertDatabase::ImportCertFailureList failed;
415 EXPECT_TRUE(cert_db_->ImportCACerts(
416 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
417 &failed));
418
419 EXPECT_EQ(0U, failed.size());
420 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
421 ASSERT_EQ(1U, cert_list.size());
422 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
423
424 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
425 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
426
427 // Now import with the other certs in the list too. Even though the root is
428 // already present, we should still import the rest.
429 failed.clear();
430 EXPECT_TRUE(cert_db_->ImportCACerts(
431 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
432 &failed));
433
434 ASSERT_EQ(3U, failed.size());
435 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name);
436 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error);
437 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
438 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
439 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name);
440 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error);
441
442 cert_list = ListCertsInSlot(slot_->os_module_handle());
443 ASSERT_EQ(1U, cert_list.size());
444 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
445 }
446
447 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {
448 CertificateList certs;
449 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
450 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
451
452 // Import it.
453 NSSCertDatabase::ImportCertFailureList failed;
454 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT,
455 &failed));
456
457 ASSERT_EQ(1U, failed.size());
458 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
459 // TODO(mattm): should check for net error equivalent of
460 // SEC_ERROR_UNTRUSTED_ISSUER
461 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
462
463 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
464 ASSERT_EQ(1U, cert_list.size());
465 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
466 }
467
468 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) {
469 CertificateList certs;
470 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
471 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
472 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
473
474 // Import it.
475 NSSCertDatabase::ImportCertFailureList failed;
476 EXPECT_TRUE(cert_db_->ImportCACerts(
477 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
478 &failed));
479
480 EXPECT_EQ(2U, failed.size());
481 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
482 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
483 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
484 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
485
486 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
487 ASSERT_EQ(1U, cert_list.size());
488 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
489 }
490
491 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
492 CertificateList certs = CreateCertificateListFromFile(
493 GetTestCertsDirectory(), "root_ca_cert.pem",
494 X509Certificate::FORMAT_AUTO);
495 ASSERT_EQ(1U, certs.size());
496 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
497 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
498
499 // Import it.
500 NSSCertDatabase::ImportCertFailureList failed;
501 EXPECT_TRUE(cert_db_->ImportCACerts(
502 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL |
503 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed));
504
505 ASSERT_EQ(2U, failed.size());
506 // TODO(mattm): should check for net error equivalent of
507 // SEC_ERROR_UNKNOWN_ISSUER
508 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
509 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
510 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
511 EXPECT_EQ(ERR_FAILED, failed[1].net_error);
512
513 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
514 ASSERT_EQ(1U, cert_list.size());
515 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name);
516 }
517
518 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired
519 // certificate.
520 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
521 // Need to import intermediate cert for the verify of google cert, otherwise
522 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which
523 // will cause OCSPCreateSession on the main thread, which is not allowed.
524 CertificateList certs = CreateCertificateListFromFile(
525 GetTestCertsDirectory(), "google.chain.pem",
526 X509Certificate::FORMAT_AUTO);
527 ASSERT_EQ(2U, certs.size());
528
529 NSSCertDatabase::ImportCertFailureList failed;
530 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
531 &failed));
532
533 EXPECT_EQ(0U, failed.size());
534
535 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
536 ASSERT_EQ(2U, cert_list.size());
537 scoped_refptr<X509Certificate> goog_cert(cert_list[0]);
538 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);
539 EXPECT_EQ("www.google.com", goog_cert->subject().common_name);
540 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);
541
542 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
543 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT));
544
545 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags);
546
547 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
548 int flags = 0;
549 CertVerifyResult verify_result;
550 int error = verify_proc->Verify(goog_cert.get(),
551 "www.google.com",
552 flags,
553 NULL,
554 empty_cert_list_,
555 &verify_result);
556 EXPECT_EQ(OK, error);
557 EXPECT_EQ(0U, verify_result.cert_status);
558 }
559
560 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
561 CertificateList certs;
562 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
563
564 NSSCertDatabase::ImportCertFailureList failed;
565 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
566 &failed));
567
568 EXPECT_EQ(0U, failed.size());
569
570 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
571 ASSERT_EQ(1U, cert_list.size());
572 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
573
574 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
575 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
576 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags);
577
578 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
579 int flags = 0;
580 CertVerifyResult verify_result;
581 int error = verify_proc->Verify(puny_cert.get(),
582 "xn--wgv71a119e.com",
583 flags,
584 NULL,
585 empty_cert_list_,
586 &verify_result);
587 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
588 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
589 }
590
591 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
592 // When using CERT_PKIXVerifyCert (which we do), server trust only works from
593 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364.
594 if (!NSS_VersionCheck("3.13.4")) {
595 LOG(INFO) << "test skipped on NSS < 3.13.4";
596 return;
597 }
598
599 CertificateList certs;
600 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
601
602 NSSCertDatabase::ImportCertFailureList failed;
603 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL,
604 &failed));
605
606 EXPECT_EQ(0U, failed.size());
607
608 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
609 ASSERT_EQ(1U, cert_list.size());
610 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
611
612 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
613 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
614 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD),
615 puny_cert->os_cert_handle()->trust->sslFlags);
616
617 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
618 int flags = 0;
619 CertVerifyResult verify_result;
620 int error = verify_proc->Verify(puny_cert.get(),
621 "xn--wgv71a119e.com",
622 flags,
623 NULL,
624 empty_cert_list_,
625 &verify_result);
626 EXPECT_EQ(OK, error);
627 EXPECT_EQ(0U, verify_result.cert_status);
628 }
629
630 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
631 CertificateList ca_certs = CreateCertificateListFromFile(
632 GetTestCertsDirectory(), "root_ca_cert.pem",
633 X509Certificate::FORMAT_AUTO);
634 ASSERT_EQ(1U, ca_certs.size());
635
636 // Import CA cert and trust it.
637 NSSCertDatabase::ImportCertFailureList failed;
638 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
639 &failed));
640 EXPECT_EQ(0U, failed.size());
641
642 CertificateList certs = CreateCertificateListFromFile(
643 GetTestCertsDirectory(), "ok_cert.pem",
644 X509Certificate::FORMAT_AUTO);
645 ASSERT_EQ(1U, certs.size());
646
647 // Import server cert with default trust.
648 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
649 &failed));
650 EXPECT_EQ(0U, failed.size());
651
652 // Server cert should verify.
653 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
654 int flags = 0;
655 CertVerifyResult verify_result;
656 int error = verify_proc->Verify(certs[0].get(),
657 "127.0.0.1",
658 flags,
659 NULL,
660 empty_cert_list_,
661 &verify_result);
662 EXPECT_EQ(OK, error);
663 EXPECT_EQ(0U, verify_result.cert_status);
664 }
665
666 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
667 // Explicit distrust only works starting in NSS 3.13.
668 if (!NSS_VersionCheck("3.13")) {
669 LOG(INFO) << "test skipped on NSS < 3.13";
670 return;
671 }
672
673 CertificateList ca_certs = CreateCertificateListFromFile(
674 GetTestCertsDirectory(), "root_ca_cert.pem",
675 X509Certificate::FORMAT_AUTO);
676 ASSERT_EQ(1U, ca_certs.size());
677
678 // Import CA cert and trust it.
679 NSSCertDatabase::ImportCertFailureList failed;
680 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
681 &failed));
682 EXPECT_EQ(0U, failed.size());
683
684 CertificateList certs = CreateCertificateListFromFile(
685 GetTestCertsDirectory(), "ok_cert.pem",
686 X509Certificate::FORMAT_AUTO);
687 ASSERT_EQ(1U, certs.size());
688
689 // Import server cert without inheriting trust from issuer (explicit
690 // distrust).
691 EXPECT_TRUE(cert_db_->ImportServerCert(
692 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
693 EXPECT_EQ(0U, failed.size());
694 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL,
695 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
696
697 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
698 certs[0]->os_cert_handle()->trust->sslFlags);
699
700 // Server cert should fail to verify.
701 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
702 int flags = 0;
703 CertVerifyResult verify_result;
704 int error = verify_proc->Verify(certs[0].get(),
705 "127.0.0.1",
706 flags,
707 NULL,
708 empty_cert_list_,
709 &verify_result);
710 EXPECT_EQ(ERR_CERT_REVOKED, error);
711 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
712 }
713
714 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {
715 CertificateList ca_certs = CreateCertificateListFromFile(
716 GetTestCertsDirectory(), "2048-rsa-root.pem",
717 X509Certificate::FORMAT_AUTO);
718 ASSERT_EQ(1U, ca_certs.size());
719
720 // Import Root CA cert and distrust it.
721 NSSCertDatabase::ImportCertFailureList failed;
722 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL,
723 &failed));
724 EXPECT_EQ(0U, failed.size());
725
726 CertificateList intermediate_certs = CreateCertificateListFromFile(
727 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
728 X509Certificate::FORMAT_AUTO);
729 ASSERT_EQ(1U, intermediate_certs.size());
730
731 // Import Intermediate CA cert and trust it.
732 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
733 NSSCertDatabase::TRUSTED_SSL, &failed));
734 EXPECT_EQ(0U, failed.size());
735
736 CertificateList certs = CreateCertificateListFromFile(
737 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
738 X509Certificate::FORMAT_AUTO);
739 ASSERT_EQ(1U, certs.size());
740
741 // Import server cert with default trust.
742 EXPECT_TRUE(cert_db_->ImportServerCert(
743 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
744 EXPECT_EQ(0U, failed.size());
745 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
746 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
747
748 // Server cert should verify.
749 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
750 int flags = 0;
751 CertVerifyResult verify_result;
752 int error = verify_proc->Verify(certs[0].get(),
753 "127.0.0.1",
754 flags,
755 NULL,
756 empty_cert_list_,
757 &verify_result);
758 EXPECT_EQ(OK, error);
759 EXPECT_EQ(0U, verify_result.cert_status);
760
761 // Explicit distrust only works starting in NSS 3.13.
762 if (!NSS_VersionCheck("3.13")) {
763 LOG(INFO) << "test partially skipped on NSS < 3.13";
764 return;
765 }
766
767 // Trust the root cert and distrust the intermediate.
768 EXPECT_TRUE(cert_db_->SetCertTrust(
769 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL));
770 EXPECT_TRUE(cert_db_->SetCertTrust(
771 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL));
772 EXPECT_EQ(
773 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA),
774 ca_certs[0]->os_cert_handle()->trust->sslFlags);
775 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
776 ca_certs[0]->os_cert_handle()->trust->emailFlags);
777 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
778 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags);
779 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
780 intermediate_certs[0]->os_cert_handle()->trust->sslFlags);
781 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
782 intermediate_certs[0]->os_cert_handle()->trust->emailFlags);
783 EXPECT_EQ(
784 unsigned(CERTDB_VALID_CA),
785 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags);
786
787 // Server cert should fail to verify.
788 CertVerifyResult verify_result2;
789 error = verify_proc->Verify(certs[0].get(),
790 "127.0.0.1",
791 flags,
792 NULL,
793 empty_cert_list_,
794 &verify_result2);
795 EXPECT_EQ(ERR_CERT_REVOKED, error);
796 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status);
797 }
798
799 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) {
800 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
801 // See http://bugzil.la/863947 for details.
802 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
803 return;
804 }
805
806 NSSCertDatabase::ImportCertFailureList failed;
807
808 CertificateList intermediate_certs = CreateCertificateListFromFile(
809 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
810 X509Certificate::FORMAT_AUTO);
811 ASSERT_EQ(1U, intermediate_certs.size());
812
813 // Import Intermediate CA cert and trust it.
814 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
815 NSSCertDatabase::TRUSTED_SSL, &failed));
816 EXPECT_EQ(0U, failed.size());
817
818 CertificateList certs = CreateCertificateListFromFile(
819 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
820 X509Certificate::FORMAT_AUTO);
821 ASSERT_EQ(1U, certs.size());
822
823 // Import server cert with default trust.
824 EXPECT_TRUE(cert_db_->ImportServerCert(
825 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
826 EXPECT_EQ(0U, failed.size());
827 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
828 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
829
830 // Server cert should verify.
831 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
832 int flags = 0;
833 CertVerifyResult verify_result;
834 int error = verify_proc->Verify(certs[0].get(),
835 "127.0.0.1",
836 flags,
837 NULL,
838 empty_cert_list_,
839 &verify_result);
840 EXPECT_EQ(OK, error);
841 EXPECT_EQ(0U, verify_result.cert_status);
842
843 // Without explicit trust of the intermediate, verification should fail.
844 EXPECT_TRUE(cert_db_->SetCertTrust(
845 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
846
847 // Server cert should fail to verify.
848 CertVerifyResult verify_result2;
849 error = verify_proc->Verify(certs[0].get(),
850 "127.0.0.1",
851 flags,
852 NULL,
853 empty_cert_list_,
854 &verify_result2);
855 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
856 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
857 }
858
859 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) {
860 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
861 // See http://bugzil.la/863947 for details.
862 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
863 return;
864 }
865
866 NSSCertDatabase::ImportCertFailureList failed;
867
868 CertificateList ca_certs = CreateCertificateListFromFile(
869 GetTestCertsDirectory(), "2048-rsa-root.pem",
870 X509Certificate::FORMAT_AUTO);
871 ASSERT_EQ(1U, ca_certs.size());
872
873 // Import Root CA cert and default trust it.
874 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT,
875 &failed));
876 EXPECT_EQ(0U, failed.size());
877
878 CertificateList intermediate_certs = CreateCertificateListFromFile(
879 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
880 X509Certificate::FORMAT_AUTO);
881 ASSERT_EQ(1U, intermediate_certs.size());
882
883 // Import Intermediate CA cert and trust it.
884 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
885 NSSCertDatabase::TRUSTED_SSL, &failed));
886 EXPECT_EQ(0U, failed.size());
887
888 CertificateList certs = CreateCertificateListFromFile(
889 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
890 X509Certificate::FORMAT_AUTO);
891 ASSERT_EQ(1U, certs.size());
892
893 // Import server cert with default trust.
894 EXPECT_TRUE(cert_db_->ImportServerCert(
895 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
896 EXPECT_EQ(0U, failed.size());
897 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
898 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
899
900 // Server cert should verify.
901 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
902 int flags = 0;
903 CertVerifyResult verify_result;
904 int error = verify_proc->Verify(certs[0].get(),
905 "127.0.0.1",
906 flags,
907 NULL,
908 empty_cert_list_,
909 &verify_result);
910 EXPECT_EQ(OK, error);
911 EXPECT_EQ(0U, verify_result.cert_status);
912
913 // Without explicit trust of the intermediate, verification should fail.
914 EXPECT_TRUE(cert_db_->SetCertTrust(
915 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
916
917 // Server cert should fail to verify.
918 CertVerifyResult verify_result2;
919 error = verify_proc->Verify(certs[0].get(),
920 "127.0.0.1",
921 flags,
922 NULL,
923 empty_cert_list_,
924 &verify_result2);
925 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
926 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
927 }
928
929 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
930 // Explicit distrust only works starting in NSS 3.13.
931 if (!NSS_VersionCheck("3.13")) {
932 LOG(INFO) << "test skipped on NSS < 3.13";
933 return;
934 }
935
936 NSSCertDatabase::ImportCertFailureList failed;
937
938 CertificateList ca_certs = CreateCertificateListFromFile(
939 GetTestCertsDirectory(), "2048-rsa-root.pem",
940 X509Certificate::FORMAT_AUTO);
941 ASSERT_EQ(1U, ca_certs.size());
942
943 // Import Root CA cert and trust it.
944 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
945 &failed));
946 EXPECT_EQ(0U, failed.size());
947
948 CertificateList intermediate_certs = CreateCertificateListFromFile(
949 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
950 X509Certificate::FORMAT_AUTO);
951 ASSERT_EQ(1U, intermediate_certs.size());
952
953 // Import Intermediate CA cert and distrust it.
954 EXPECT_TRUE(cert_db_->ImportCACerts(
955 intermediate_certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
956 EXPECT_EQ(0U, failed.size());
957
958 CertificateList certs = CreateCertificateListFromFile(
959 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
960 X509Certificate::FORMAT_AUTO);
961 ASSERT_EQ(1U, certs.size());
962
963 // Import server cert with default trust.
964 EXPECT_TRUE(cert_db_->ImportServerCert(
965 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
966 EXPECT_EQ(0U, failed.size());
967 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
968 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
969
970 // Server cert should not verify.
971 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
972 int flags = 0;
973 CertVerifyResult verify_result;
974 int error = verify_proc->Verify(certs[0].get(),
975 "127.0.0.1",
976 flags,
977 NULL,
978 empty_cert_list_,
979 &verify_result);
980 EXPECT_EQ(ERR_CERT_REVOKED, error);
981 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
982
983 // Without explicit distrust of the intermediate, verification should succeed.
984 EXPECT_TRUE(cert_db_->SetCertTrust(
985 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
986
987 // Server cert should verify.
988 CertVerifyResult verify_result2;
989 error = verify_proc->Verify(certs[0].get(),
990 "127.0.0.1",
991 flags,
992 NULL,
993 empty_cert_list_,
994 &verify_result2);
995 EXPECT_EQ(OK, error);
996 EXPECT_EQ(0U, verify_result2.cert_status);
997 }
998
999 // Importing two certificates with the same issuer and subject common name,
1000 // but overall distinct subject names, should succeed and generate a unique
1001 // nickname for the second certificate.
1002 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {
1003 CertificateList certs =
1004 CreateCertificateListFromFile(GetTestCertsDirectory(),
1005 "duplicate_cn_1.pem",
1006 X509Certificate::FORMAT_AUTO);
1007 ASSERT_EQ(1U, certs.size());
1008
1009 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
1010
1011 // Import server cert with default trust.
1012 NSSCertDatabase::ImportCertFailureList failed;
1013 EXPECT_TRUE(cert_db_->ImportServerCert(
1014 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
1015 EXPECT_EQ(0U, failed.size());
1016 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
1017 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
1018
1019 CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle());
1020 ASSERT_EQ(1U, new_certs.size());
1021
1022 // Now attempt to import a different certificate with the same common name.
1023 CertificateList certs2 =
1024 CreateCertificateListFromFile(GetTestCertsDirectory(),
1025 "duplicate_cn_2.pem",
1026 X509Certificate::FORMAT_AUTO);
1027 ASSERT_EQ(1U, certs2.size());
1028
1029 // Import server cert with default trust.
1030 EXPECT_TRUE(cert_db_->ImportServerCert(
1031 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed));
1032 EXPECT_EQ(0U, failed.size());
1033 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
1034 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT));
1035
1036 new_certs = ListCertsInSlot(slot_->os_module_handle());
1037 ASSERT_EQ(2U, new_certs.size());
1038 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname,
1039 new_certs[1]->os_cert_handle()->nickname);
1040 }
1041
1042 } // namespace net