1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/ocsp/nss_ocsp.h"
9 #include "base/files/file_path.h"
10 #include "base/files/file_util.h"
11 #include "base/logging.h"
12 #include "base/memory/ref_counted.h"
13 #include "net/base/net_errors.h"
14 #include "net/base/test_completion_callback.h"
15 #include "net/base/test_data_directory.h"
16 #include "net/cert/cert_status_flags.h"
17 #include "net/cert/cert_verifier.h"
18 #include "net/cert/cert_verify_proc.h"
19 #include "net/cert/cert_verify_proc_nss.h"
20 #include "net/cert/cert_verify_result.h"
21 #include "net/cert/multi_threaded_cert_verifier.h"
22 #include "net/cert/test_root_certs.h"
23 #include "net/cert/x509_certificate.h"
24 #include "net/test/cert_test_util.h"
25 #include "net/url_request/url_request_filter.h"
26 #include "net/url_request/url_request_interceptor.h"
27 #include "net/url_request/url_request_test_job.h"
28 #include "net/url_request/url_request_test_util.h"
29 #include "testing/gtest/include/gtest/gtest.h"
35 // Matches the caIssuers hostname from the generated certificate.
36 const char kAiaHost
[] = "aia-test.invalid";
37 // Returning a single DER-encoded cert, so the mime-type must be
38 // application/pkix-cert per RFC 5280.
39 const char kAiaHeaders
[] = "HTTP/1.1 200 OK\0"
40 "Content-type: application/pkix-cert\0"
43 class AiaResponseHandler
: public net::URLRequestInterceptor
{
45 AiaResponseHandler(const std::string
& headers
, const std::string
& cert_data
)
46 : headers_(headers
), cert_data_(cert_data
), request_count_(0) {}
47 ~AiaResponseHandler() override
{}
49 // net::URLRequestInterceptor implementation:
50 net::URLRequestJob
* MaybeInterceptRequest(
51 net::URLRequest
* request
,
52 net::NetworkDelegate
* network_delegate
) const override
{
53 ++const_cast<AiaResponseHandler
*>(this)->request_count_
;
55 return new net::URLRequestTestJob(
56 request
, network_delegate
, headers_
, cert_data_
, true);
59 int request_count() const { return request_count_
; }
63 std::string cert_data_
;
66 DISALLOW_COPY_AND_ASSIGN(AiaResponseHandler
);
71 class NssHttpTest
: public ::testing::Test
{
76 verify_proc_(new CertVerifyProcNSS
),
77 verifier_(new MultiThreadedCertVerifier(verify_proc_
.get())) {}
78 ~NssHttpTest() override
{}
80 void SetUp() override
{
81 std::string file_contents
;
82 ASSERT_TRUE(base::ReadFileToString(
83 GetTestCertsDirectory().AppendASCII("aia-intermediate.der"),
85 ASSERT_FALSE(file_contents
.empty());
87 // Ownership of |handler| is transferred to the URLRequestFilter, but
88 // hold onto the original pointer in order to access |request_count()|.
89 scoped_ptr
<AiaResponseHandler
> handler(
90 new AiaResponseHandler(kAiaHeaders
, file_contents
));
91 handler_
= handler
.get();
93 URLRequestFilter::GetInstance()->AddHostnameInterceptor(
94 "http", kAiaHost
, handler
.Pass());
96 SetURLRequestContextForNSSHttpIO(&context_
);
97 EnsureNSSHttpIOInit();
100 void TearDown() override
{
104 URLRequestFilter::GetInstance()->RemoveHostnameHandler("http", kAiaHost
);
107 CertVerifier
* verifier() const {
108 return verifier_
.get();
111 int request_count() const {
112 return handler_
->request_count();
116 const CertificateList empty_cert_list_
;
119 TestURLRequestContext context_
;
120 AiaResponseHandler
* handler_
;
121 scoped_refptr
<CertVerifyProc
> verify_proc_
;
122 scoped_ptr
<CertVerifier
> verifier_
;
125 // Tests that when using NSS to verify certificates, and IO is enabled,
126 // that a request to fetch missing intermediate certificates is
127 // made successfully.
128 TEST_F(NssHttpTest
, TestAia
) {
129 scoped_refptr
<X509Certificate
> test_cert(
130 ImportCertFromFile(GetTestCertsDirectory(), "aia-cert.pem"));
131 ASSERT_TRUE(test_cert
.get());
133 scoped_refptr
<X509Certificate
> test_root(
134 ImportCertFromFile(GetTestCertsDirectory(), "aia-root.pem"));
135 ASSERT_TRUE(test_root
.get());
137 ScopedTestRoot
scoped_root(test_root
.get());
139 CertVerifyResult verify_result
;
140 TestCompletionCallback test_callback
;
141 CertVerifier::RequestHandle request_handle
;
143 int flags
= CertVerifier::VERIFY_CERT_IO_ENABLED
;
144 int error
= verifier()->Verify(test_cert
.get(),
149 test_callback
.callback(),
152 ASSERT_EQ(ERR_IO_PENDING
, error
);
154 error
= test_callback
.WaitForResult();
156 EXPECT_EQ(OK
, error
);
158 // Ensure that NSS made an AIA request for the missing intermediate.
159 EXPECT_LT(0, request_count());