net/cert/nss_cert_database_chromeos_unittest.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/nss_cert_database_chromeos.h"
   6
   7 #include "base/bind.h"
   8 #include "base/callback.h"
   9 #include "base/run_loop.h"
  10 #include "crypto/nss_util.h"
  11 #include "crypto/nss_util_internal.h"
  12 #include "net/base/test_data_directory.h"
  13 #include "net/cert/cert_database.h"
  14 #include "net/test/cert_test_util.h"
  15 #include "testing/gtest/include/gtest/gtest.h"
  16
  17 namespace net {
  18
  19 namespace {
  20
  21 bool IsCertInCertificateList(const X509Certificate* cert,
  22                              const CertificateList& cert_list) {
  23   for (CertificateList::const_iterator it = cert_list.begin();
  24        it != cert_list.end();
  25        ++it) {
  26     if (X509Certificate::IsSameOSCert((*it)->os_cert_handle(),
  27                                       cert->os_cert_handle()))
  28       return true;
  29   }
  30   return false;
  31 }
  32
  33 }  // namespace
  34
  35 class NSSCertDatabaseChromeOSTest : public testing::Test,
  36                                     public CertDatabase::Observer {
  37  public:
  38   NSSCertDatabaseChromeOSTest()
  39       : observer_added_(false), user_1_("user1"), user_2_("user2") {}
  40
  41   virtual void SetUp() OVERRIDE {
  42     // Initialize nss_util slots.
  43     ASSERT_TRUE(user_1_.constructed_successfully());
  44     ASSERT_TRUE(user_2_.constructed_successfully());
  45     user_1_.FinishInit();
  46     user_2_.FinishInit();
  47
  48     // Create NSSCertDatabaseChromeOS for each user.
  49     db_1_.reset(new NSSCertDatabaseChromeOS(
  50         crypto::GetPublicSlotForChromeOSUser(user_1_.username_hash()),
  51         crypto::GetPrivateSlotForChromeOSUser(
  52             user_1_.username_hash(),
  53             base::Callback<void(crypto::ScopedPK11Slot)>())));
  54     db_2_.reset(new NSSCertDatabaseChromeOS(
  55         crypto::GetPublicSlotForChromeOSUser(user_2_.username_hash()),
  56         crypto::GetPrivateSlotForChromeOSUser(
  57             user_2_.username_hash(),
  58             base::Callback<void(crypto::ScopedPK11Slot)>())));
  59
  60     // Add observer to CertDatabase for checking that notifications from
  61     // NSSCertDatabaseChromeOS are proxied to the CertDatabase.
  62     CertDatabase::GetInstance()->AddObserver(this);
  63     observer_added_ = true;
  64   }
  65
  66   virtual void TearDown() OVERRIDE {
  67     if (observer_added_)
  68       CertDatabase::GetInstance()->RemoveObserver(this);
  69   }
  70
  71   // CertDatabase::Observer:
  72   virtual void OnCertAdded(const X509Certificate* cert) OVERRIDE {
  73     added_.push_back(cert ? cert->os_cert_handle() : NULL);
  74   }
  75
  76   virtual void OnCertRemoved(const X509Certificate* cert) OVERRIDE {}
  77
  78   virtual void OnCACertChanged(const X509Certificate* cert) OVERRIDE {
  79     added_ca_.push_back(cert ? cert->os_cert_handle() : NULL);
  80   }
  81
  82  protected:
  83   bool observer_added_;
  84   // Certificates that were passed to the CertDatabase observers.
  85   std::vector<CERTCertificate*> added_ca_;
  86   std::vector<CERTCertificate*> added_;
  87
  88   crypto::ScopedTestNSSChromeOSUser user_1_;
  89   crypto::ScopedTestNSSChromeOSUser user_2_;
  90   scoped_ptr<NSSCertDatabaseChromeOS> db_1_;
  91   scoped_ptr<NSSCertDatabaseChromeOS> db_2_;
  92 };
  93
  94 // Test that ListModules() on each user includes that user's NSS software slot,
  95 // and does not include the software slot of the other user. (Does not check the
  96 // private slot, since it is the same as the public slot in tests.)
  97 TEST_F(NSSCertDatabaseChromeOSTest, ListModules) {
  98   CryptoModuleList modules_1;
  99   CryptoModuleList modules_2;
 100
 101   db_1_->ListModules(&modules_1, false /* need_rw */);
 102   db_2_->ListModules(&modules_2, false /* need_rw */);
 103
 104   bool found_1 = false;
 105   for (CryptoModuleList::iterator it = modules_1.begin(); it != modules_1.end();
 106        ++it) {
 107     EXPECT_NE(db_2_->GetPublicSlot().get(), (*it)->os_module_handle());
 108     if ((*it)->os_module_handle() == db_1_->GetPublicSlot().get())
 109       found_1 = true;
 110   }
 111   EXPECT_TRUE(found_1);
 112
 113   bool found_2 = false;
 114   for (CryptoModuleList::iterator it = modules_2.begin(); it != modules_2.end();
 115        ++it) {
 116     EXPECT_NE(db_1_->GetPublicSlot().get(), (*it)->os_module_handle());
 117     if ((*it)->os_module_handle() == db_2_->GetPublicSlot().get())
 118       found_2 = true;
 119   }
 120   EXPECT_TRUE(found_2);
 121 }
 122
 123 // Test that ImportCACerts imports the cert to the correct slot, and that
 124 // ListCerts includes the added cert for the correct user, and does not include
 125 // it for the other user.
 126 TEST_F(NSSCertDatabaseChromeOSTest, ImportCACerts) {
 127   // Load test certs from disk.
 128   CertificateList certs_1 =
 129       CreateCertificateListFromFile(GetTestCertsDirectory(),
 130                                     "root_ca_cert.pem",
 131                                     X509Certificate::FORMAT_AUTO);
 132   ASSERT_EQ(1U, certs_1.size());
 133
 134   CertificateList certs_2 =
 135       CreateCertificateListFromFile(GetTestCertsDirectory(),
 136                                     "2048-rsa-root.pem",
 137                                     X509Certificate::FORMAT_AUTO);
 138   ASSERT_EQ(1U, certs_2.size());
 139
 140   // Import one cert for each user.
 141   NSSCertDatabase::ImportCertFailureList failed;
 142   EXPECT_TRUE(
 143       db_1_->ImportCACerts(certs_1, NSSCertDatabase::TRUSTED_SSL, &failed));
 144   EXPECT_EQ(0U, failed.size());
 145   failed.clear();
 146   EXPECT_TRUE(
 147       db_2_->ImportCACerts(certs_2, NSSCertDatabase::TRUSTED_SSL, &failed));
 148   EXPECT_EQ(0U, failed.size());
 149
 150   // Get cert list for each user.
 151   CertificateList user_1_certlist;
 152   CertificateList user_2_certlist;
 153   db_1_->ListCerts(&user_1_certlist);
 154   db_2_->ListCerts(&user_2_certlist);
 155
 156   // Check that the imported certs only shows up in the list for the user that
 157   // imported them.
 158   EXPECT_TRUE(IsCertInCertificateList(certs_1[0], user_1_certlist));
 159   EXPECT_FALSE(IsCertInCertificateList(certs_1[0], user_2_certlist));
 160
 161   EXPECT_TRUE(IsCertInCertificateList(certs_2[0], user_2_certlist));
 162   EXPECT_FALSE(IsCertInCertificateList(certs_2[0], user_1_certlist));
 163
 164   // Run the message loop so the observer notifications get processed.
 165   base::RunLoop().RunUntilIdle();
 166   // Should have gotten two OnCACertChanged notifications.
 167   ASSERT_EQ(2U, added_ca_.size());
 168   // TODO(mattm): make NSSCertDatabase actually pass the cert to the callback,
 169   // and enable these checks:
 170   // EXPECT_EQ(certs_1[0]->os_cert_handle(), added_ca_[0]);
 171   // EXPECT_EQ(certs_2[0]->os_cert_handle(), added_ca_[1]);
 172   EXPECT_EQ(0U, added_.size());
 173 }
 174
 175 // Test that ImportServerCerts imports the cert to the correct slot, and that
 176 // ListCerts includes the added cert for the correct user, and does not include
 177 // it for the other user.
 178 TEST_F(NSSCertDatabaseChromeOSTest, ImportServerCert) {
 179   // Load test certs from disk.
 180   CertificateList certs_1 = CreateCertificateListFromFile(
 181       GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
 182   ASSERT_EQ(1U, certs_1.size());
 183
 184   CertificateList certs_2 =
 185       CreateCertificateListFromFile(GetTestCertsDirectory(),
 186                                     "2048-rsa-ee-by-2048-rsa-intermediate.pem",
 187                                     X509Certificate::FORMAT_AUTO);
 188   ASSERT_EQ(1U, certs_2.size());
 189
 190   // Import one cert for each user.
 191   NSSCertDatabase::ImportCertFailureList failed;
 192   EXPECT_TRUE(
 193       db_1_->ImportServerCert(certs_1, NSSCertDatabase::TRUSTED_SSL, &failed));
 194   EXPECT_EQ(0U, failed.size());
 195   failed.clear();
 196   EXPECT_TRUE(
 197       db_2_->ImportServerCert(certs_2, NSSCertDatabase::TRUSTED_SSL, &failed));
 198   EXPECT_EQ(0U, failed.size());
 199
 200   // Get cert list for each user.
 201   CertificateList user_1_certlist;
 202   CertificateList user_2_certlist;
 203   db_1_->ListCerts(&user_1_certlist);
 204   db_2_->ListCerts(&user_2_certlist);
 205
 206   // Check that the imported certs only shows up in the list for the user that
 207   // imported them.
 208   EXPECT_TRUE(IsCertInCertificateList(certs_1[0], user_1_certlist));
 209   EXPECT_FALSE(IsCertInCertificateList(certs_1[0], user_2_certlist));
 210
 211   EXPECT_TRUE(IsCertInCertificateList(certs_2[0], user_2_certlist));
 212   EXPECT_FALSE(IsCertInCertificateList(certs_2[0], user_1_certlist));
 213
 214   // Run the message loop so the observer notifications get processed.
 215   base::RunLoop().RunUntilIdle();
 216   // TODO(mattm): ImportServerCert doesn't actually cause any observers to
 217   // fire. Is that correct?
 218   EXPECT_EQ(0U, added_ca_.size());
 219   EXPECT_EQ(0U, added_.size());
 220 }
 221
 222 }  // namespace net