Pin Chrome's shortcut to the Win10 Start menu on install and OS upgrade.
[chromium-blink-merge.git] / net / cert / test_root_certs_unittest.cc
blobe55c147c3462435c5da04f03f0393f7dc5d2a975
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/files/file_path.h"
6 #include "build/build_config.h"
7 #include "net/base/net_errors.h"
8 #include "net/base/test_data_directory.h"
9 #include "net/cert/cert_status_flags.h"
10 #include "net/cert/cert_verify_proc.h"
11 #include "net/cert/cert_verify_result.h"
12 #include "net/cert/test_root_certs.h"
13 #include "net/cert/x509_certificate.h"
14 #include "net/test/cert_test_util.h"
15 #include "testing/gtest/include/gtest/gtest.h"
17 #if defined(USE_NSS_CERTS) || defined(OS_IOS)
18 #include <nss.h>
19 #endif
21 namespace net {
23 namespace {
25 // The local test root certificate.
26 const char kRootCertificateFile[] = "root_ca_cert.pem";
27 // A certificate issued by the local test root for 127.0.0.1.
28 const char kGoodCertificateFile[] = "ok_cert.pem";
30 } // namespace
32 // Test basic functionality when adding from an existing X509Certificate.
33 TEST(TestRootCertsTest, AddFromPointer) {
34 scoped_refptr<X509Certificate> root_cert =
35 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
36 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
38 TestRootCerts* test_roots = TestRootCerts::GetInstance();
39 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
40 EXPECT_TRUE(test_roots->IsEmpty());
42 EXPECT_TRUE(test_roots->Add(root_cert.get()));
43 EXPECT_FALSE(test_roots->IsEmpty());
45 test_roots->Clear();
46 EXPECT_TRUE(test_roots->IsEmpty());
49 // Test basic functionality when adding directly from a file, which should
50 // behave the same as when adding from an existing certificate.
51 TEST(TestRootCertsTest, AddFromFile) {
52 TestRootCerts* test_roots = TestRootCerts::GetInstance();
53 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
54 EXPECT_TRUE(test_roots->IsEmpty());
56 base::FilePath cert_path =
57 GetTestCertsDirectory().AppendASCII(kRootCertificateFile);
58 EXPECT_TRUE(test_roots->AddFromFile(cert_path));
59 EXPECT_FALSE(test_roots->IsEmpty());
61 test_roots->Clear();
62 EXPECT_TRUE(test_roots->IsEmpty());
65 // Test that TestRootCerts actually adds the appropriate trust status flags
66 // when requested, and that the trusted status is cleared once the root is
67 // removed the TestRootCerts. This test acts as a canary/sanity check for
68 // the results of the rest of net_unittests, ensuring that the trust status
69 // is properly being set and cleared.
70 TEST(TestRootCertsTest, OverrideTrust) {
71 #if defined(USE_NSS_CERTS) || defined(OS_IOS)
72 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
73 // See http://bugzil.la/863947 for details
74 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
75 return;
77 #endif
79 TestRootCerts* test_roots = TestRootCerts::GetInstance();
80 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
81 EXPECT_TRUE(test_roots->IsEmpty());
83 scoped_refptr<X509Certificate> test_cert =
84 ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile);
85 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert.get());
87 // Test that the good certificate fails verification, because the root
88 // certificate should not yet be trusted.
89 int flags = 0;
90 CertVerifyResult bad_verify_result;
91 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
92 int bad_status =
93 verify_proc->Verify(test_cert.get(), "127.0.0.1", std::string(), flags,
94 NULL, CertificateList(), &bad_verify_result);
95 EXPECT_NE(OK, bad_status);
96 EXPECT_NE(0u, bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
98 // Add the root certificate and mark it as trusted.
99 EXPECT_TRUE(test_roots->AddFromFile(
100 GetTestCertsDirectory().AppendASCII(kRootCertificateFile)));
101 EXPECT_FALSE(test_roots->IsEmpty());
103 // Test that the certificate verification now succeeds, because the
104 // TestRootCerts is successfully imbuing trust.
105 CertVerifyResult good_verify_result;
106 int good_status =
107 verify_proc->Verify(test_cert.get(), "127.0.0.1", std::string(), flags,
108 NULL, CertificateList(), &good_verify_result);
109 EXPECT_EQ(OK, good_status);
110 EXPECT_EQ(0u, good_verify_result.cert_status);
112 test_roots->Clear();
113 EXPECT_TRUE(test_roots->IsEmpty());
115 // Ensure that when the TestRootCerts is cleared, the trust settings
116 // revert to their original state, and don't linger. If trust status
117 // lingers, it will likely break other tests in net_unittests.
118 CertVerifyResult restored_verify_result;
119 int restored_status =
120 verify_proc->Verify(test_cert.get(), "127.0.0.1", std::string(), flags,
121 NULL, CertificateList(), &restored_verify_result);
122 EXPECT_NE(OK, restored_status);
123 EXPECT_NE(0u,
124 restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
125 EXPECT_EQ(bad_status, restored_status);
126 EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status);
129 #if defined(USE_NSS_CERTS) || \
130 (defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID))
131 TEST(TestRootCertsTest, Contains) {
132 // Another test root certificate.
133 const char kRootCertificateFile2[] = "2048-rsa-root.pem";
135 TestRootCerts* test_roots = TestRootCerts::GetInstance();
136 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
138 scoped_refptr<X509Certificate> root_cert_1 =
139 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
140 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_1.get());
142 scoped_refptr<X509Certificate> root_cert_2 =
143 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile2);
144 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_2.get());
146 EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle()));
147 EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle()));
149 EXPECT_TRUE(test_roots->Add(root_cert_1.get()));
150 EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle()));
151 EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle()));
153 EXPECT_TRUE(test_roots->Add(root_cert_2.get()));
154 EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle()));
155 EXPECT_TRUE(test_roots->Contains(root_cert_2->os_cert_handle()));
157 test_roots->Clear();
158 EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle()));
159 EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle()));
161 #endif
163 // TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that
164 // TestRootCerts properly injects itself into the validation process. See
165 // http://crbug.com/63958
167 } // namespace net