chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h"
   6
   7 #include "base/bind.h"
   8 #include "base/bind_helpers.h"
   9 #include "base/callback.h"
  10 #include "base/memory/ref_counted.h"
  11 #include "base/memory/scoped_ptr.h"
  12 #include "base/run_loop.h"
  13 #include "base/thread_task_runner_handle.h"
  14 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h"
  15 #include "content/public/browser/browser_thread.h"
  16 #include "content/public/test/test_browser_thread_bundle.h"
  17 #include "crypto/nss_util_internal.h"
  18 #include "crypto/scoped_test_nss_chromeos_user.h"
  19 #include "net/base/test_completion_callback.h"
  20 #include "net/base/test_data_directory.h"
  21 #include "net/cert/cert_trust_anchor_provider.h"
  22 #include "net/cert/cert_verify_result.h"
  23 #include "net/cert/nss_cert_database_chromeos.h"
  24 #include "net/cert/x509_certificate.h"
  25 #include "net/log/net_log.h"
  26 #include "net/test/cert_test_util.h"
  27 #include "testing/gtest/include/gtest/gtest.h"
  28
  29 namespace policy {
  30
  31 class PolicyCertVerifierTest : public testing::Test {
  32  public:
  33   PolicyCertVerifierTest()
  34       : trust_anchor_used_(false), test_nss_user_("user1") {}
  35
  36   ~PolicyCertVerifierTest() override {}
  37
  38   void SetUp() override {
  39     ASSERT_TRUE(test_nss_user_.constructed_successfully());
  40     test_nss_user_.FinishInit();
  41
  42     test_cert_db_.reset(new net::NSSCertDatabaseChromeOS(
  43         crypto::GetPublicSlotForChromeOSUser(test_nss_user_.username_hash()),
  44         crypto::GetPrivateSlotForChromeOSUser(
  45             test_nss_user_.username_hash(),
  46             base::Callback<void(crypto::ScopedPK11Slot)>())));
  47     test_cert_db_->SetSlowTaskRunnerForTest(
  48         base::ThreadTaskRunnerHandle::Get());
  49
  50     cert_verifier_.reset(new PolicyCertVerifier(base::Bind(
  51         &PolicyCertVerifierTest::OnTrustAnchorUsed, base::Unretained(this))));
  52     cert_verifier_->InitializeOnIOThread(new chromeos::CertVerifyProcChromeOS(
  53         crypto::GetPublicSlotForChromeOSUser(test_nss_user_.username_hash())));
  54
  55     test_ca_cert_ = LoadCertificate("root_ca_cert.pem", net::CA_CERT);
  56     ASSERT_TRUE(test_ca_cert_.get());
  57     test_server_cert_ = LoadCertificate("ok_cert.pem", net::SERVER_CERT);
  58     ASSERT_TRUE(test_server_cert_.get());
  59     test_ca_cert_list_.push_back(test_ca_cert_);
  60   }
  61
  62   void TearDown() override {
  63     // Destroy |cert_verifier_| before destroying the ThreadBundle, otherwise
  64     // BrowserThread::CurrentlyOn checks fail.
  65     cert_verifier_.reset();
  66   }
  67
  68  protected:
  69   int VerifyTestServerCert(const net::TestCompletionCallback& test_callback,
  70                            net::CertVerifyResult* verify_result,
  71                            scoped_ptr<net::CertVerifier::Request>* request) {
  72     return cert_verifier_->Verify(
  73         test_server_cert_.get(), "127.0.0.1", std::string(), 0, NULL,
  74         verify_result, test_callback.callback(), request, net::BoundNetLog());
  75   }
  76
  77   bool SupportsAdditionalTrustAnchors() {
  78     scoped_refptr<net::CertVerifyProc> proc =
  79         net::CertVerifyProc::CreateDefault();
  80     return proc->SupportsAdditionalTrustAnchors();
  81   }
  82
  83   // Returns whether |cert_verifier| signalled usage of one of the additional
  84   // trust anchors (i.e. of |test_ca_cert_|) for the first time or since the
  85   // last call of this function.
  86   bool WasTrustAnchorUsedAndReset() {
  87     base::RunLoop().RunUntilIdle();
  88     bool result = trust_anchor_used_;
  89     trust_anchor_used_ = false;
  90     return result;
  91   }
  92
  93   // |test_ca_cert_| is the issuer of |test_server_cert_|.
  94   scoped_refptr<net::X509Certificate> test_ca_cert_;
  95   scoped_refptr<net::X509Certificate> test_server_cert_;
  96   net::CertificateList test_ca_cert_list_;
  97   scoped_ptr<net::NSSCertDatabaseChromeOS> test_cert_db_;
  98   scoped_ptr<PolicyCertVerifier> cert_verifier_;
  99
 100  private:
 101   void OnTrustAnchorUsed() {
 102     trust_anchor_used_ = true;
 103   }
 104
 105   scoped_refptr<net::X509Certificate> LoadCertificate(const std::string& name,
 106                                                       net::CertType type) {
 107     scoped_refptr<net::X509Certificate> cert =
 108         net::ImportCertFromFile(net::GetTestCertsDirectory(), name);
 109
 110     // No certificate is trusted right after it's loaded.
 111     net::NSSCertDatabase::TrustBits trust =
 112         test_cert_db_->GetCertTrust(cert.get(), type);
 113     EXPECT_EQ(net::NSSCertDatabase::TRUST_DEFAULT, trust);
 114
 115     return cert;
 116   }
 117
 118   bool trust_anchor_used_;
 119   crypto::ScopedTestNSSChromeOSUser test_nss_user_;
 120   content::TestBrowserThreadBundle thread_bundle_;
 121 };
 122
 123 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) {
 124   // |test_server_cert_| is untrusted, so Verify() fails.
 125   {
 126     net::CertVerifyResult verify_result;
 127     net::TestCompletionCallback callback;
 128     scoped_ptr<net::CertVerifier::Request> request;
 129     int error = VerifyTestServerCert(callback, &verify_result, &request);
 130     ASSERT_EQ(net::ERR_IO_PENDING, error);
 131     EXPECT_TRUE(request);
 132     error = callback.WaitForResult();
 133     EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
 134   }
 135
 136   // Issuing the same request again hits the cache. This tests the synchronous
 137   // path.
 138   {
 139     net::CertVerifyResult verify_result;
 140     net::TestCompletionCallback callback;
 141     scoped_ptr<net::CertVerifier::Request> request;
 142     int error = VerifyTestServerCert(callback, &verify_result, &request);
 143     EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
 144   }
 145
 146   EXPECT_FALSE(WasTrustAnchorUsedAndReset());
 147 }
 148
 149 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) {
 150   // Make the database trust |test_ca_cert_|.
 151   net::NSSCertDatabase::ImportCertFailureList failure_list;
 152   ASSERT_TRUE(test_cert_db_->ImportCACerts(
 153       test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list));
 154   ASSERT_TRUE(failure_list.empty());
 155
 156   // Verify that it is now trusted.
 157   net::NSSCertDatabase::TrustBits trust =
 158       test_cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT);
 159   EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust);
 160
 161   // Verify() successfully verifies |test_server_cert_| after it was imported.
 162   net::CertVerifyResult verify_result;
 163   net::TestCompletionCallback callback;
 164   scoped_ptr<net::CertVerifier::Request> request;
 165   int error = VerifyTestServerCert(callback, &verify_result, &request);
 166   ASSERT_EQ(net::ERR_IO_PENDING, error);
 167   EXPECT_TRUE(request);
 168   error = callback.WaitForResult();
 169   EXPECT_EQ(net::OK, error);
 170
 171   // The additional trust anchors were not used, since the certificate is
 172   // trusted from the database.
 173   EXPECT_FALSE(WasTrustAnchorUsedAndReset());
 174 }
 175
 176 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) {
 177   ASSERT_TRUE(SupportsAdditionalTrustAnchors());
 178
 179   // |test_server_cert_| is untrusted, so Verify() fails.
 180   {
 181     net::CertVerifyResult verify_result;
 182     net::TestCompletionCallback callback;
 183     scoped_ptr<net::CertVerifier::Request> request;
 184     int error = VerifyTestServerCert(callback, &verify_result, &request);
 185     ASSERT_EQ(net::ERR_IO_PENDING, error);
 186     EXPECT_TRUE(request);
 187     error = callback.WaitForResult();
 188     EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
 189   }
 190   EXPECT_FALSE(WasTrustAnchorUsedAndReset());
 191
 192   // Verify() again with the additional trust anchors.
 193   cert_verifier_->SetTrustAnchors(test_ca_cert_list_);
 194   {
 195     net::CertVerifyResult verify_result;
 196     net::TestCompletionCallback callback;
 197     scoped_ptr<net::CertVerifier::Request> request;
 198     int error = VerifyTestServerCert(callback, &verify_result, &request);
 199     ASSERT_EQ(net::ERR_IO_PENDING, error);
 200     EXPECT_TRUE(request);
 201     error = callback.WaitForResult();
 202     EXPECT_EQ(net::OK, error);
 203   }
 204   EXPECT_TRUE(WasTrustAnchorUsedAndReset());
 205
 206   // Verify() again with the additional trust anchors will hit the cache.
 207   cert_verifier_->SetTrustAnchors(test_ca_cert_list_);
 208   {
 209     net::CertVerifyResult verify_result;
 210     net::TestCompletionCallback callback;
 211     scoped_ptr<net::CertVerifier::Request> request;
 212     int error = VerifyTestServerCert(callback, &verify_result, &request);
 213     EXPECT_EQ(net::OK, error);
 214   }
 215   EXPECT_TRUE(WasTrustAnchorUsedAndReset());
 216
 217   // Verifying after removing the trust anchors should now fail.
 218   cert_verifier_->SetTrustAnchors(net::CertificateList());
 219   {
 220     net::CertVerifyResult verify_result;
 221     net::TestCompletionCallback callback;
 222     scoped_ptr<net::CertVerifier::Request> request;
 223     int error = VerifyTestServerCert(callback, &verify_result, &request);
 224     // Note: this hits the cached result from the first Verify() in this test.
 225     EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
 226   }
 227   // The additional trust anchors were reset, thus |cert_verifier_| should not
 228   // signal it's usage anymore.
 229   EXPECT_FALSE(WasTrustAnchorUsedAndReset());
 230 }
 231
 232 }  // namespace policy