Elim cr-checkbox
[chromium-blink-merge.git] / chrome / browser / chromeos / policy / policy_cert_verifier_browsertest.cc
blobd33e7d35a911aca3442d6c42ab4cc954b438d206
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h"
7 #include "base/bind.h"
8 #include "base/bind_helpers.h"
9 #include "base/callback.h"
10 #include "base/memory/ref_counted.h"
11 #include "base/memory/scoped_ptr.h"
12 #include "base/run_loop.h"
13 #include "base/thread_task_runner_handle.h"
14 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h"
15 #include "content/public/browser/browser_thread.h"
16 #include "content/public/test/test_browser_thread_bundle.h"
17 #include "crypto/nss_util_internal.h"
18 #include "crypto/scoped_test_nss_chromeos_user.h"
19 #include "net/base/test_completion_callback.h"
20 #include "net/base/test_data_directory.h"
21 #include "net/cert/cert_trust_anchor_provider.h"
22 #include "net/cert/cert_verify_result.h"
23 #include "net/cert/nss_cert_database_chromeos.h"
24 #include "net/cert/x509_certificate.h"
25 #include "net/log/net_log.h"
26 #include "net/test/cert_test_util.h"
27 #include "testing/gtest/include/gtest/gtest.h"
29 namespace policy {
31 class PolicyCertVerifierTest : public testing::Test {
32 public:
33 PolicyCertVerifierTest()
34 : trust_anchor_used_(false), test_nss_user_("user1") {}
36 ~PolicyCertVerifierTest() override {}
38 void SetUp() override {
39 ASSERT_TRUE(test_nss_user_.constructed_successfully());
40 test_nss_user_.FinishInit();
42 test_cert_db_.reset(new net::NSSCertDatabaseChromeOS(
43 crypto::GetPublicSlotForChromeOSUser(test_nss_user_.username_hash()),
44 crypto::GetPrivateSlotForChromeOSUser(
45 test_nss_user_.username_hash(),
46 base::Callback<void(crypto::ScopedPK11Slot)>())));
47 test_cert_db_->SetSlowTaskRunnerForTest(
48 base::ThreadTaskRunnerHandle::Get());
50 cert_verifier_.reset(new PolicyCertVerifier(base::Bind(
51 &PolicyCertVerifierTest::OnTrustAnchorUsed, base::Unretained(this))));
52 cert_verifier_->InitializeOnIOThread(new chromeos::CertVerifyProcChromeOS(
53 crypto::GetPublicSlotForChromeOSUser(test_nss_user_.username_hash())));
55 test_ca_cert_ = LoadCertificate("root_ca_cert.pem", net::CA_CERT);
56 ASSERT_TRUE(test_ca_cert_.get());
57 test_server_cert_ = LoadCertificate("ok_cert.pem", net::SERVER_CERT);
58 ASSERT_TRUE(test_server_cert_.get());
59 test_ca_cert_list_.push_back(test_ca_cert_);
62 void TearDown() override {
63 // Destroy |cert_verifier_| before destroying the ThreadBundle, otherwise
64 // BrowserThread::CurrentlyOn checks fail.
65 cert_verifier_.reset();
68 protected:
69 int VerifyTestServerCert(const net::TestCompletionCallback& test_callback,
70 net::CertVerifyResult* verify_result,
71 scoped_ptr<net::CertVerifier::Request>* request) {
72 return cert_verifier_->Verify(
73 test_server_cert_.get(), "127.0.0.1", std::string(), 0, NULL,
74 verify_result, test_callback.callback(), request, net::BoundNetLog());
77 bool SupportsAdditionalTrustAnchors() {
78 scoped_refptr<net::CertVerifyProc> proc =
79 net::CertVerifyProc::CreateDefault();
80 return proc->SupportsAdditionalTrustAnchors();
83 // Returns whether |cert_verifier| signalled usage of one of the additional
84 // trust anchors (i.e. of |test_ca_cert_|) for the first time or since the
85 // last call of this function.
86 bool WasTrustAnchorUsedAndReset() {
87 base::RunLoop().RunUntilIdle();
88 bool result = trust_anchor_used_;
89 trust_anchor_used_ = false;
90 return result;
93 // |test_ca_cert_| is the issuer of |test_server_cert_|.
94 scoped_refptr<net::X509Certificate> test_ca_cert_;
95 scoped_refptr<net::X509Certificate> test_server_cert_;
96 net::CertificateList test_ca_cert_list_;
97 scoped_ptr<net::NSSCertDatabaseChromeOS> test_cert_db_;
98 scoped_ptr<PolicyCertVerifier> cert_verifier_;
100 private:
101 void OnTrustAnchorUsed() {
102 trust_anchor_used_ = true;
105 scoped_refptr<net::X509Certificate> LoadCertificate(const std::string& name,
106 net::CertType type) {
107 scoped_refptr<net::X509Certificate> cert =
108 net::ImportCertFromFile(net::GetTestCertsDirectory(), name);
110 // No certificate is trusted right after it's loaded.
111 net::NSSCertDatabase::TrustBits trust =
112 test_cert_db_->GetCertTrust(cert.get(), type);
113 EXPECT_EQ(net::NSSCertDatabase::TRUST_DEFAULT, trust);
115 return cert;
118 bool trust_anchor_used_;
119 crypto::ScopedTestNSSChromeOSUser test_nss_user_;
120 content::TestBrowserThreadBundle thread_bundle_;
123 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) {
124 // |test_server_cert_| is untrusted, so Verify() fails.
126 net::CertVerifyResult verify_result;
127 net::TestCompletionCallback callback;
128 scoped_ptr<net::CertVerifier::Request> request;
129 int error = VerifyTestServerCert(callback, &verify_result, &request);
130 ASSERT_EQ(net::ERR_IO_PENDING, error);
131 EXPECT_TRUE(request);
132 error = callback.WaitForResult();
133 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
136 // Issuing the same request again hits the cache. This tests the synchronous
137 // path.
139 net::CertVerifyResult verify_result;
140 net::TestCompletionCallback callback;
141 scoped_ptr<net::CertVerifier::Request> request;
142 int error = VerifyTestServerCert(callback, &verify_result, &request);
143 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
146 EXPECT_FALSE(WasTrustAnchorUsedAndReset());
149 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) {
150 // Make the database trust |test_ca_cert_|.
151 net::NSSCertDatabase::ImportCertFailureList failure_list;
152 ASSERT_TRUE(test_cert_db_->ImportCACerts(
153 test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list));
154 ASSERT_TRUE(failure_list.empty());
156 // Verify that it is now trusted.
157 net::NSSCertDatabase::TrustBits trust =
158 test_cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT);
159 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust);
161 // Verify() successfully verifies |test_server_cert_| after it was imported.
162 net::CertVerifyResult verify_result;
163 net::TestCompletionCallback callback;
164 scoped_ptr<net::CertVerifier::Request> request;
165 int error = VerifyTestServerCert(callback, &verify_result, &request);
166 ASSERT_EQ(net::ERR_IO_PENDING, error);
167 EXPECT_TRUE(request);
168 error = callback.WaitForResult();
169 EXPECT_EQ(net::OK, error);
171 // The additional trust anchors were not used, since the certificate is
172 // trusted from the database.
173 EXPECT_FALSE(WasTrustAnchorUsedAndReset());
176 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) {
177 ASSERT_TRUE(SupportsAdditionalTrustAnchors());
179 // |test_server_cert_| is untrusted, so Verify() fails.
181 net::CertVerifyResult verify_result;
182 net::TestCompletionCallback callback;
183 scoped_ptr<net::CertVerifier::Request> request;
184 int error = VerifyTestServerCert(callback, &verify_result, &request);
185 ASSERT_EQ(net::ERR_IO_PENDING, error);
186 EXPECT_TRUE(request);
187 error = callback.WaitForResult();
188 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
190 EXPECT_FALSE(WasTrustAnchorUsedAndReset());
192 // Verify() again with the additional trust anchors.
193 cert_verifier_->SetTrustAnchors(test_ca_cert_list_);
195 net::CertVerifyResult verify_result;
196 net::TestCompletionCallback callback;
197 scoped_ptr<net::CertVerifier::Request> request;
198 int error = VerifyTestServerCert(callback, &verify_result, &request);
199 ASSERT_EQ(net::ERR_IO_PENDING, error);
200 EXPECT_TRUE(request);
201 error = callback.WaitForResult();
202 EXPECT_EQ(net::OK, error);
204 EXPECT_TRUE(WasTrustAnchorUsedAndReset());
206 // Verify() again with the additional trust anchors will hit the cache.
207 cert_verifier_->SetTrustAnchors(test_ca_cert_list_);
209 net::CertVerifyResult verify_result;
210 net::TestCompletionCallback callback;
211 scoped_ptr<net::CertVerifier::Request> request;
212 int error = VerifyTestServerCert(callback, &verify_result, &request);
213 EXPECT_EQ(net::OK, error);
215 EXPECT_TRUE(WasTrustAnchorUsedAndReset());
217 // Verifying after removing the trust anchors should now fail.
218 cert_verifier_->SetTrustAnchors(net::CertificateList());
220 net::CertVerifyResult verify_result;
221 net::TestCompletionCallback callback;
222 scoped_ptr<net::CertVerifier::Request> request;
223 int error = VerifyTestServerCert(callback, &verify_result, &request);
224 // Note: this hits the cached result from the first Verify() in this test.
225 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
227 // The additional trust anchors were reset, thus |cert_verifier_| should not
228 // signal it's usage anymore.
229 EXPECT_FALSE(WasTrustAnchorUsedAndReset());
232 } // namespace policy