Pin Chrome's shortcut to the Win10 Start menu on install and OS upgrade.
[chromium-blink-merge.git] / net / cert / nss_cert_database_unittest.cc
blobcdb9be0ab78c2a709fa9e84983bf5f9114bec4db
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include <cert.h>
6 #include <certdb.h>
7 #include <pk11pub.h>
9 #include <algorithm>
11 #include "base/bind.h"
12 #include "base/files/file_path.h"
13 #include "base/files/file_util.h"
14 #include "base/lazy_instance.h"
15 #include "base/message_loop/message_loop.h"
16 #include "base/run_loop.h"
17 #include "base/strings/string16.h"
18 #include "base/strings/string_util.h"
19 #include "base/strings/utf_string_conversions.h"
20 #include "base/thread_task_runner_handle.h"
21 #include "crypto/scoped_nss_types.h"
22 #include "crypto/scoped_test_nss_db.h"
23 #include "net/base/crypto_module.h"
24 #include "net/base/net_errors.h"
25 #include "net/base/test_data_directory.h"
26 #include "net/cert/cert_status_flags.h"
27 #include "net/cert/cert_verify_proc_nss.h"
28 #include "net/cert/cert_verify_result.h"
29 #include "net/cert/nss_cert_database.h"
30 #include "net/cert/x509_certificate.h"
31 #include "net/test/cert_test_util.h"
32 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
33 #include "testing/gtest/include/gtest/gtest.h"
35 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
36 // the new name of the macro.
37 #if !defined(CERTDB_TERMINAL_RECORD)
38 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
39 #endif
41 using base::ASCIIToUTF16;
43 namespace net {
45 namespace {
47 void SwapCertList(CertificateList* destination,
48 scoped_ptr<CertificateList> source) {
49 ASSERT_TRUE(destination);
50 destination->swap(*source);
53 } // namespace
55 class CertDatabaseNSSTest : public testing::Test {
56 public:
57 void SetUp() override {
58 ASSERT_TRUE(test_nssdb_.is_open());
59 cert_db_.reset(new NSSCertDatabase(
60 crypto::ScopedPK11Slot(
61 PK11_ReferenceSlot(test_nssdb_.slot())) /* public slot */,
62 crypto::ScopedPK11Slot(
63 PK11_ReferenceSlot(test_nssdb_.slot())) /* private slot */));
64 public_module_ = cert_db_->GetPublicModule();
66 // Test db should be empty at start of test.
67 EXPECT_EQ(0U, ListCerts().size());
70 void TearDown() override {
71 // Run the message loop to process any observer callbacks (e.g. for the
72 // ClientSocketFactory singleton) so that the scoped ref ptrs created in
73 // NSSCertDatabase::NotifyObservers* get released.
74 base::MessageLoop::current()->RunUntilIdle();
77 protected:
78 CryptoModule* GetPublicModule() { return public_module_.get(); }
80 static std::string ReadTestFile(const std::string& name) {
81 std::string result;
82 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name);
83 EXPECT_TRUE(base::ReadFileToString(cert_path, &result));
84 return result;
87 static bool ReadCertIntoList(const std::string& name,
88 CertificateList* certs) {
89 scoped_refptr<X509Certificate> cert(
90 ImportCertFromFile(GetTestCertsDirectory(), name));
91 if (!cert.get())
92 return false;
94 certs->push_back(cert);
95 return true;
98 CertificateList ListCerts() {
99 CertificateList result;
100 CERTCertList* cert_list = PK11_ListCertsInSlot(test_nssdb_.slot());
101 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
102 !CERT_LIST_END(node, cert_list);
103 node = CERT_LIST_NEXT(node)) {
104 result.push_back(X509Certificate::CreateFromHandle(
105 node->cert, X509Certificate::OSCertHandles()));
107 CERT_DestroyCertList(cert_list);
109 // Sort the result so that test comparisons can be deterministic.
110 std::sort(result.begin(), result.end(), X509Certificate::LessThan());
111 return result;
114 scoped_ptr<NSSCertDatabase> cert_db_;
115 const CertificateList empty_cert_list_;
116 crypto::ScopedTestNSSDB test_nssdb_;
117 scoped_refptr<CryptoModule> public_module_;
120 TEST_F(CertDatabaseNSSTest, ListCertsSync) {
121 // This test isn't terribly useful, though it will at least let valgrind test
122 // for leaks.
123 CertificateList certs;
124 cert_db_->ListCertsSync(&certs);
125 // The test DB is empty, but let's assume there will always be something in
126 // the other slots.
127 EXPECT_LT(0U, certs.size());
130 TEST_F(CertDatabaseNSSTest, ListCerts) {
131 // This test isn't terribly useful, though it will at least let valgrind test
132 // for leaks.
133 CertificateList certs;
134 cert_db_->SetSlowTaskRunnerForTest(base::ThreadTaskRunnerHandle::Get());
135 cert_db_->ListCerts(base::Bind(&SwapCertList, base::Unretained(&certs)));
136 EXPECT_EQ(0U, certs.size());
138 base::RunLoop().RunUntilIdle();
140 // The test DB is empty, but let's assume there will always be something in
141 // the other slots.
142 EXPECT_LT(0U, certs.size());
145 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {
146 std::string pkcs12_data = ReadTestFile("client.p12");
148 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,
149 cert_db_->ImportFromPKCS12(GetPublicModule(),
150 pkcs12_data,
151 base::string16(),
152 true, // is_extractable
153 NULL));
155 // Test db should still be empty.
156 EXPECT_EQ(0U, ListCerts().size());
159 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {
160 std::string pkcs12_data = ReadTestFile("client.p12");
162 EXPECT_EQ(OK,
163 cert_db_->ImportFromPKCS12(GetPublicModule(),
164 pkcs12_data,
165 ASCIIToUTF16("12345"),
166 true, // is_extractable
167 NULL));
169 CertificateList cert_list = ListCerts();
170 ASSERT_EQ(1U, cert_list.size());
171 scoped_refptr<X509Certificate> cert(cert_list[0]);
173 EXPECT_EQ("testusercert",
174 cert->subject().common_name);
176 // TODO(mattm): move export test to separate test case?
177 std::string exported_data;
178 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
179 &exported_data));
180 ASSERT_LT(0U, exported_data.size());
181 // TODO(mattm): further verification of exported data?
184 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {
185 std::string pkcs12_data = ReadTestFile("client.p12");
187 EXPECT_EQ(OK,
188 cert_db_->ImportFromPKCS12(GetPublicModule(),
189 pkcs12_data,
190 ASCIIToUTF16("12345"),
191 true, // is_extractable
192 NULL));
193 EXPECT_EQ(1U, ListCerts().size());
195 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like
196 // it's ever used. This test verifies that.
197 EXPECT_EQ(OK,
198 cert_db_->ImportFromPKCS12(GetPublicModule(),
199 pkcs12_data,
200 ASCIIToUTF16("12345"),
201 true, // is_extractable
202 NULL));
203 EXPECT_EQ(1U, ListCerts().size());
206 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
207 std::string pkcs12_data = ReadTestFile("client.p12");
209 EXPECT_EQ(OK,
210 cert_db_->ImportFromPKCS12(GetPublicModule(),
211 pkcs12_data,
212 ASCIIToUTF16("12345"),
213 false, // is_extractable
214 NULL));
216 CertificateList cert_list = ListCerts();
217 ASSERT_EQ(1U, cert_list.size());
218 scoped_refptr<X509Certificate> cert(cert_list[0]);
220 EXPECT_EQ("testusercert",
221 cert->subject().common_name);
223 std::string exported_data;
224 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
225 &exported_data));
228 // Importing a PKCS#12 file with a certificate but no corresponding
229 // private key should not mark an existing private key as unextractable.
230 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) {
231 std::string pkcs12_data = ReadTestFile("client.p12");
232 EXPECT_EQ(OK,
233 cert_db_->ImportFromPKCS12(GetPublicModule(),
234 pkcs12_data,
235 ASCIIToUTF16("12345"),
236 true, // is_extractable
237 NULL));
239 CertificateList cert_list = ListCerts();
240 ASSERT_EQ(1U, cert_list.size());
242 // Now import a PKCS#12 file with just a certificate but no private key.
243 pkcs12_data = ReadTestFile("client-nokey.p12");
244 EXPECT_EQ(OK,
245 cert_db_->ImportFromPKCS12(GetPublicModule(),
246 pkcs12_data,
247 ASCIIToUTF16("12345"),
248 false, // is_extractable
249 NULL));
251 cert_list = ListCerts();
252 ASSERT_EQ(1U, cert_list.size());
254 // Make sure the imported private key is still extractable.
255 std::string exported_data;
256 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
257 &exported_data));
258 ASSERT_LT(0U, exported_data.size());
261 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
262 std::string pkcs12_data = "Foobarbaz";
264 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,
265 cert_db_->ImportFromPKCS12(GetPublicModule(),
266 pkcs12_data,
267 base::string16(),
268 true, // is_extractable
269 NULL));
271 // Test db should still be empty.
272 EXPECT_EQ(0U, ListCerts().size());
275 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
276 CertificateList certs = CreateCertificateListFromFile(
277 GetTestCertsDirectory(), "root_ca_cert.pem",
278 X509Certificate::FORMAT_AUTO);
279 ASSERT_EQ(1U, certs.size());
280 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
282 // Import it.
283 NSSCertDatabase::ImportCertFailureList failed;
284 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
285 &failed));
287 EXPECT_EQ(0U, failed.size());
289 CertificateList cert_list = ListCerts();
290 ASSERT_EQ(1U, cert_list.size());
291 scoped_refptr<X509Certificate> cert(cert_list[0]);
292 EXPECT_EQ("Test Root CA", cert->subject().common_name);
294 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
295 cert_db_->GetCertTrust(cert.get(), CA_CERT));
297 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
298 CERTDB_TRUSTED_CLIENT_CA),
299 cert->os_cert_handle()->trust->sslFlags);
300 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
301 cert->os_cert_handle()->trust->emailFlags);
302 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
303 cert->os_cert_handle()->trust->objectSigningFlags);
306 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
307 CertificateList certs = CreateCertificateListFromFile(
308 GetTestCertsDirectory(), "root_ca_cert.pem",
309 X509Certificate::FORMAT_AUTO);
310 ASSERT_EQ(1U, certs.size());
311 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
313 // Import it.
314 NSSCertDatabase::ImportCertFailureList failed;
315 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL,
316 &failed));
318 EXPECT_EQ(0U, failed.size());
320 CertificateList cert_list = ListCerts();
321 ASSERT_EQ(1U, cert_list.size());
322 scoped_refptr<X509Certificate> cert(cert_list[0]);
323 EXPECT_EQ("Test Root CA", cert->subject().common_name);
325 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL,
326 cert_db_->GetCertTrust(cert.get(), CA_CERT));
328 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
329 cert->os_cert_handle()->trust->sslFlags);
330 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
331 CERTDB_TRUSTED_CLIENT_CA),
332 cert->os_cert_handle()->trust->emailFlags);
333 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
334 cert->os_cert_handle()->trust->objectSigningFlags);
337 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
338 CertificateList certs = CreateCertificateListFromFile(
339 GetTestCertsDirectory(), "root_ca_cert.pem",
340 X509Certificate::FORMAT_AUTO);
341 ASSERT_EQ(1U, certs.size());
342 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
344 // Import it.
345 NSSCertDatabase::ImportCertFailureList failed;
346 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN,
347 &failed));
349 EXPECT_EQ(0U, failed.size());
351 CertificateList cert_list = ListCerts();
352 ASSERT_EQ(1U, cert_list.size());
353 scoped_refptr<X509Certificate> cert(cert_list[0]);
354 EXPECT_EQ("Test Root CA", cert->subject().common_name);
356 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN,
357 cert_db_->GetCertTrust(cert.get(), CA_CERT));
359 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
360 cert->os_cert_handle()->trust->sslFlags);
361 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
362 cert->os_cert_handle()->trust->emailFlags);
363 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
364 CERTDB_TRUSTED_CLIENT_CA),
365 cert->os_cert_handle()->trust->objectSigningFlags);
368 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
369 CertificateList certs = CreateCertificateListFromFile(
370 GetTestCertsDirectory(), "ok_cert.pem",
371 X509Certificate::FORMAT_AUTO);
372 ASSERT_EQ(1U, certs.size());
373 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
375 // Import it.
376 NSSCertDatabase::ImportCertFailureList failed;
377 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
378 &failed));
379 ASSERT_EQ(1U, failed.size());
380 // Note: this compares pointers directly. It's okay in this case because
381 // ImportCACerts returns the same pointers that were passed in. In the
382 // general case IsSameOSCert should be used.
383 EXPECT_EQ(certs[0], failed[0].certificate);
384 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error);
386 EXPECT_EQ(0U, ListCerts().size());
389 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) {
390 CertificateList certs;
391 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
392 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
393 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
395 // Import it.
396 NSSCertDatabase::ImportCertFailureList failed;
397 // Have to specify email trust for the cert verification of the child cert to
398 // work (see
399 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#752
400 // "XXX This choice of trustType seems arbitrary.")
401 EXPECT_TRUE(cert_db_->ImportCACerts(
402 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
403 &failed));
405 ASSERT_EQ(2U, failed.size());
406 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
407 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
408 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name);
409 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error);
411 CertificateList cert_list = ListCerts();
412 ASSERT_EQ(1U, cert_list.size());
413 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
416 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) {
417 CertificateList certs;
418 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
420 // First import just the root.
421 NSSCertDatabase::ImportCertFailureList failed;
422 EXPECT_TRUE(cert_db_->ImportCACerts(
423 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
424 &failed));
426 EXPECT_EQ(0U, failed.size());
427 CertificateList cert_list = ListCerts();
428 ASSERT_EQ(1U, cert_list.size());
429 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
431 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
432 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
434 // Now import with the other certs in the list too. Even though the root is
435 // already present, we should still import the rest.
436 failed.clear();
437 EXPECT_TRUE(cert_db_->ImportCACerts(
438 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
439 &failed));
441 ASSERT_EQ(3U, failed.size());
442 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name);
443 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error);
444 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
445 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
446 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name);
447 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error);
449 cert_list = ListCerts();
450 ASSERT_EQ(1U, cert_list.size());
451 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
454 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {
455 CertificateList certs;
456 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
457 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
459 // Import it.
460 NSSCertDatabase::ImportCertFailureList failed;
461 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT,
462 &failed));
464 ASSERT_EQ(1U, failed.size());
465 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
466 // TODO(mattm): should check for net error equivalent of
467 // SEC_ERROR_UNTRUSTED_ISSUER
468 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
470 CertificateList cert_list = ListCerts();
471 ASSERT_EQ(1U, cert_list.size());
472 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
475 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) {
476 CertificateList certs;
477 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
478 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
479 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
481 // Import it.
482 NSSCertDatabase::ImportCertFailureList failed;
483 EXPECT_TRUE(cert_db_->ImportCACerts(
484 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
485 &failed));
487 EXPECT_EQ(2U, failed.size());
488 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
489 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
490 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
491 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
493 CertificateList cert_list = ListCerts();
494 ASSERT_EQ(1U, cert_list.size());
495 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
498 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
499 CertificateList certs = CreateCertificateListFromFile(
500 GetTestCertsDirectory(), "root_ca_cert.pem",
501 X509Certificate::FORMAT_AUTO);
502 ASSERT_EQ(1U, certs.size());
503 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
504 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
506 // Import it.
507 NSSCertDatabase::ImportCertFailureList failed;
508 EXPECT_TRUE(cert_db_->ImportCACerts(
509 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL |
510 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed));
512 ASSERT_EQ(2U, failed.size());
513 // TODO(mattm): should check for net error equivalent of
514 // SEC_ERROR_UNKNOWN_ISSUER
515 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
516 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
517 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
518 EXPECT_EQ(ERR_FAILED, failed[1].net_error);
520 CertificateList cert_list = ListCerts();
521 ASSERT_EQ(1U, cert_list.size());
522 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name);
525 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired
526 // certificate.
527 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
528 // Need to import intermediate cert for the verify of google cert, otherwise
529 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which
530 // will cause OCSPCreateSession on the main thread, which is not allowed.
531 CertificateList certs = CreateCertificateListFromFile(
532 GetTestCertsDirectory(), "google.chain.pem",
533 X509Certificate::FORMAT_AUTO);
534 ASSERT_EQ(2U, certs.size());
536 NSSCertDatabase::ImportCertFailureList failed;
537 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
538 &failed));
540 EXPECT_EQ(0U, failed.size());
542 CertificateList cert_list = ListCerts();
543 ASSERT_EQ(2U, cert_list.size());
544 scoped_refptr<X509Certificate> goog_cert(cert_list[0]);
545 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);
546 EXPECT_EQ("www.google.com", goog_cert->subject().common_name);
547 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);
549 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
550 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT));
552 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags);
554 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
555 int flags = 0;
556 CertVerifyResult verify_result;
557 int error =
558 verify_proc->Verify(goog_cert.get(), "www.google.com", std::string(),
559 flags, NULL, empty_cert_list_, &verify_result);
560 EXPECT_EQ(OK, error);
561 EXPECT_EQ(0U, verify_result.cert_status);
564 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
565 CertificateList certs;
566 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs));
568 NSSCertDatabase::ImportCertFailureList failed;
569 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
570 &failed));
572 EXPECT_EQ(0U, failed.size());
574 CertificateList cert_list = ListCerts();
575 ASSERT_EQ(1U, cert_list.size());
576 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
578 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
579 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
580 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags);
582 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
583 int flags = 0;
584 CertVerifyResult verify_result;
585 int error =
586 verify_proc->Verify(puny_cert.get(), "xn--wgv71a119e.com", std::string(),
587 flags, NULL, empty_cert_list_, &verify_result);
588 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
589 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
592 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
593 CertificateList certs;
594 ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs));
596 NSSCertDatabase::ImportCertFailureList failed;
597 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL,
598 &failed));
600 EXPECT_EQ(0U, failed.size());
602 CertificateList cert_list = ListCerts();
603 ASSERT_EQ(1U, cert_list.size());
604 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
606 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
607 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
608 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD),
609 puny_cert->os_cert_handle()->trust->sslFlags);
611 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
612 int flags = 0;
613 CertVerifyResult verify_result;
614 int error =
615 verify_proc->Verify(puny_cert.get(), "xn--wgv71a119e.com", std::string(),
616 flags, NULL, empty_cert_list_, &verify_result);
617 EXPECT_EQ(OK, error);
618 EXPECT_EQ(0U, verify_result.cert_status);
621 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
622 CertificateList ca_certs = CreateCertificateListFromFile(
623 GetTestCertsDirectory(), "root_ca_cert.pem",
624 X509Certificate::FORMAT_AUTO);
625 ASSERT_EQ(1U, ca_certs.size());
627 // Import CA cert and trust it.
628 NSSCertDatabase::ImportCertFailureList failed;
629 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
630 &failed));
631 EXPECT_EQ(0U, failed.size());
633 CertificateList certs = CreateCertificateListFromFile(
634 GetTestCertsDirectory(), "ok_cert.pem",
635 X509Certificate::FORMAT_AUTO);
636 ASSERT_EQ(1U, certs.size());
638 // Import server cert with default trust.
639 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
640 &failed));
641 EXPECT_EQ(0U, failed.size());
643 // Server cert should verify.
644 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
645 int flags = 0;
646 CertVerifyResult verify_result;
647 int error =
648 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags,
649 NULL, empty_cert_list_, &verify_result);
650 EXPECT_EQ(OK, error);
651 EXPECT_EQ(0U, verify_result.cert_status);
654 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
655 CertificateList ca_certs = CreateCertificateListFromFile(
656 GetTestCertsDirectory(), "root_ca_cert.pem",
657 X509Certificate::FORMAT_AUTO);
658 ASSERT_EQ(1U, ca_certs.size());
660 // Import CA cert and trust it.
661 NSSCertDatabase::ImportCertFailureList failed;
662 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
663 &failed));
664 EXPECT_EQ(0U, failed.size());
666 CertificateList certs = CreateCertificateListFromFile(
667 GetTestCertsDirectory(), "ok_cert.pem",
668 X509Certificate::FORMAT_AUTO);
669 ASSERT_EQ(1U, certs.size());
671 // Import server cert without inheriting trust from issuer (explicit
672 // distrust).
673 EXPECT_TRUE(cert_db_->ImportServerCert(
674 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
675 EXPECT_EQ(0U, failed.size());
676 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL,
677 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
679 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
680 certs[0]->os_cert_handle()->trust->sslFlags);
682 // Server cert should fail to verify.
683 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
684 int flags = 0;
685 CertVerifyResult verify_result;
686 int error =
687 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags,
688 NULL, empty_cert_list_, &verify_result);
689 EXPECT_EQ(ERR_CERT_REVOKED, error);
690 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
693 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {
694 CertificateList ca_certs = CreateCertificateListFromFile(
695 GetTestCertsDirectory(), "2048-rsa-root.pem",
696 X509Certificate::FORMAT_AUTO);
697 ASSERT_EQ(1U, ca_certs.size());
699 // Import Root CA cert and distrust it.
700 NSSCertDatabase::ImportCertFailureList failed;
701 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL,
702 &failed));
703 EXPECT_EQ(0U, failed.size());
705 CertificateList intermediate_certs = CreateCertificateListFromFile(
706 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
707 X509Certificate::FORMAT_AUTO);
708 ASSERT_EQ(1U, intermediate_certs.size());
710 // Import Intermediate CA cert and trust it.
711 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
712 NSSCertDatabase::TRUSTED_SSL, &failed));
713 EXPECT_EQ(0U, failed.size());
715 CertificateList certs = CreateCertificateListFromFile(
716 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
717 X509Certificate::FORMAT_AUTO);
718 ASSERT_EQ(1U, certs.size());
720 // Import server cert with default trust.
721 EXPECT_TRUE(cert_db_->ImportServerCert(
722 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
723 EXPECT_EQ(0U, failed.size());
724 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
725 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
727 // Server cert should verify.
728 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
729 int flags = 0;
730 CertVerifyResult verify_result;
731 int error =
732 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags,
733 NULL, empty_cert_list_, &verify_result);
734 EXPECT_EQ(OK, error);
735 EXPECT_EQ(0U, verify_result.cert_status);
737 // Trust the root cert and distrust the intermediate.
738 EXPECT_TRUE(cert_db_->SetCertTrust(
739 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL));
740 EXPECT_TRUE(cert_db_->SetCertTrust(
741 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL));
742 EXPECT_EQ(
743 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA),
744 ca_certs[0]->os_cert_handle()->trust->sslFlags);
745 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
746 ca_certs[0]->os_cert_handle()->trust->emailFlags);
747 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
748 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags);
749 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
750 intermediate_certs[0]->os_cert_handle()->trust->sslFlags);
751 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
752 intermediate_certs[0]->os_cert_handle()->trust->emailFlags);
753 EXPECT_EQ(
754 unsigned(CERTDB_VALID_CA),
755 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags);
757 // Server cert should fail to verify.
758 CertVerifyResult verify_result2;
759 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags,
760 NULL, empty_cert_list_, &verify_result2);
761 EXPECT_EQ(ERR_CERT_REVOKED, error);
762 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status);
765 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) {
766 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
767 // See http://bugzil.la/863947 for details.
768 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
769 return;
772 NSSCertDatabase::ImportCertFailureList failed;
774 CertificateList intermediate_certs = CreateCertificateListFromFile(
775 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
776 X509Certificate::FORMAT_AUTO);
777 ASSERT_EQ(1U, intermediate_certs.size());
779 // Import Intermediate CA cert and trust it.
780 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
781 NSSCertDatabase::TRUSTED_SSL, &failed));
782 EXPECT_EQ(0U, failed.size());
784 CertificateList certs = CreateCertificateListFromFile(
785 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
786 X509Certificate::FORMAT_AUTO);
787 ASSERT_EQ(1U, certs.size());
789 // Import server cert with default trust.
790 EXPECT_TRUE(cert_db_->ImportServerCert(
791 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
792 EXPECT_EQ(0U, failed.size());
793 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
794 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
796 // Server cert should verify.
797 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
798 int flags = 0;
799 CertVerifyResult verify_result;
800 int error =
801 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags,
802 NULL, empty_cert_list_, &verify_result);
803 EXPECT_EQ(OK, error);
804 EXPECT_EQ(0U, verify_result.cert_status);
806 // Without explicit trust of the intermediate, verification should fail.
807 EXPECT_TRUE(cert_db_->SetCertTrust(
808 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
810 // Server cert should fail to verify.
811 CertVerifyResult verify_result2;
812 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags,
813 NULL, empty_cert_list_, &verify_result2);
814 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
815 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
818 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) {
819 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
820 // See http://bugzil.la/863947 for details.
821 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
822 return;
825 NSSCertDatabase::ImportCertFailureList failed;
827 CertificateList ca_certs = CreateCertificateListFromFile(
828 GetTestCertsDirectory(), "2048-rsa-root.pem",
829 X509Certificate::FORMAT_AUTO);
830 ASSERT_EQ(1U, ca_certs.size());
832 // Import Root CA cert and default trust it.
833 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT,
834 &failed));
835 EXPECT_EQ(0U, failed.size());
837 CertificateList intermediate_certs = CreateCertificateListFromFile(
838 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
839 X509Certificate::FORMAT_AUTO);
840 ASSERT_EQ(1U, intermediate_certs.size());
842 // Import Intermediate CA cert and trust it.
843 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
844 NSSCertDatabase::TRUSTED_SSL, &failed));
845 EXPECT_EQ(0U, failed.size());
847 CertificateList certs = CreateCertificateListFromFile(
848 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
849 X509Certificate::FORMAT_AUTO);
850 ASSERT_EQ(1U, certs.size());
852 // Import server cert with default trust.
853 EXPECT_TRUE(cert_db_->ImportServerCert(
854 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
855 EXPECT_EQ(0U, failed.size());
856 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
857 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
859 // Server cert should verify.
860 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
861 int flags = 0;
862 CertVerifyResult verify_result;
863 int error =
864 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags,
865 NULL, empty_cert_list_, &verify_result);
866 EXPECT_EQ(OK, error);
867 EXPECT_EQ(0U, verify_result.cert_status);
869 // Without explicit trust of the intermediate, verification should fail.
870 EXPECT_TRUE(cert_db_->SetCertTrust(
871 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
873 // Server cert should fail to verify.
874 CertVerifyResult verify_result2;
875 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags,
876 NULL, empty_cert_list_, &verify_result2);
877 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
878 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
881 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
882 NSSCertDatabase::ImportCertFailureList failed;
884 CertificateList ca_certs = CreateCertificateListFromFile(
885 GetTestCertsDirectory(), "2048-rsa-root.pem",
886 X509Certificate::FORMAT_AUTO);
887 ASSERT_EQ(1U, ca_certs.size());
889 // Import Root CA cert and trust it.
890 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
891 &failed));
892 EXPECT_EQ(0U, failed.size());
894 CertificateList intermediate_certs = CreateCertificateListFromFile(
895 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
896 X509Certificate::FORMAT_AUTO);
897 ASSERT_EQ(1U, intermediate_certs.size());
899 // Import Intermediate CA cert and distrust it.
900 EXPECT_TRUE(cert_db_->ImportCACerts(
901 intermediate_certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
902 EXPECT_EQ(0U, failed.size());
904 CertificateList certs = CreateCertificateListFromFile(
905 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
906 X509Certificate::FORMAT_AUTO);
907 ASSERT_EQ(1U, certs.size());
909 // Import server cert with default trust.
910 EXPECT_TRUE(cert_db_->ImportServerCert(
911 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
912 EXPECT_EQ(0U, failed.size());
913 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
914 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
916 // Server cert should not verify.
917 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
918 int flags = 0;
919 CertVerifyResult verify_result;
920 int error =
921 verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags,
922 NULL, empty_cert_list_, &verify_result);
923 EXPECT_EQ(ERR_CERT_REVOKED, error);
924 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
926 // Without explicit distrust of the intermediate, verification should succeed.
927 EXPECT_TRUE(cert_db_->SetCertTrust(
928 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
930 // Server cert should verify.
931 CertVerifyResult verify_result2;
932 error = verify_proc->Verify(certs[0].get(), "127.0.0.1", std::string(), flags,
933 NULL, empty_cert_list_, &verify_result2);
934 EXPECT_EQ(OK, error);
935 EXPECT_EQ(0U, verify_result2.cert_status);
938 // Importing two certificates with the same issuer and subject common name,
939 // but overall distinct subject names, should succeed and generate a unique
940 // nickname for the second certificate.
941 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {
942 CertificateList certs =
943 CreateCertificateListFromFile(GetTestCertsDirectory(),
944 "duplicate_cn_1.pem",
945 X509Certificate::FORMAT_AUTO);
946 ASSERT_EQ(1U, certs.size());
948 EXPECT_EQ(0U, ListCerts().size());
950 // Import server cert with default trust.
951 NSSCertDatabase::ImportCertFailureList failed;
952 EXPECT_TRUE(cert_db_->ImportServerCert(
953 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
954 EXPECT_EQ(0U, failed.size());
955 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
956 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
958 CertificateList new_certs = ListCerts();
959 ASSERT_EQ(1U, new_certs.size());
961 // Now attempt to import a different certificate with the same common name.
962 CertificateList certs2 =
963 CreateCertificateListFromFile(GetTestCertsDirectory(),
964 "duplicate_cn_2.pem",
965 X509Certificate::FORMAT_AUTO);
966 ASSERT_EQ(1U, certs2.size());
968 // Import server cert with default trust.
969 EXPECT_TRUE(cert_db_->ImportServerCert(
970 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed));
971 EXPECT_EQ(0U, failed.size());
972 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
973 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT));
975 new_certs = ListCerts();
976 ASSERT_EQ(2U, new_certs.size());
977 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname,
978 new_certs[1]->os_cert_handle()->nickname);
981 } // namespace net