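// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <cert.h>
#include <certdb.h>
#include <pk11pub.h>

#include <algorithm>

#include "base/bind.h"
#include "base/files/file_path.h"
#include "base/files/file_util.h"
#include "base/lazy_instance.h"
#include "base/message_loop/message_loop.h"
#include "base/message_loop/message_loop_proxy.h"
#include "base/path_service.h"
#include "base/run_loop.h"
#include "base/strings/string16.h"
#include "base/strings/string_util.h"
#include "base/strings/utf_string_conversions.h"
#include "crypto/scoped_nss_types.h"
#include "crypto/scoped_test_nss_db.h"
#include "net/base/crypto_module.h"
#include "net/base/net_errors.h"
#include "net/base/test_data_directory.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/cert_verify_proc_nss.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/nss_cert_database.h"
#include "net/cert/x509_certificate.h"
#include "net/test/cert_test_util.h"
#include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
#include "testing/gtest/include/gtest/gtest.h"

// In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
// the new name of the macro.
#if !defined(CERTDB_TERMINAL_RECORD)
#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
#endif

using base::ASCIIToUTF16;

namespace net {

namespace {

// Callback for NSSCertDatabase::ListCerts: moves the listed certificates into
// |destination|. |destination| must outlive the callback; the tests below pass
// a stack variable via base::Unretained and drain the loop before it dies.
void SwapCertList(CertificateList* destination,
                  scoped_ptr<CertificateList> source) {
  ASSERT_TRUE(destination);
  ASSERT_TRUE(source);
  destination->swap(*source);
}

}  // namespace

// Fixture that backs an NSSCertDatabase with a private, initially empty NSS
// database (crypto::ScopedTestNSSDB). The single test slot is handed to the
// database as both its "public" and its "private" slot, so everything a test
// imports lands in one place and can be enumerated with ListCerts(). The test
// database lives and dies with the fixture, so no test writes certificates or
// keys into a real user profile.
class CertDatabaseNSSTest : public testing::Test {
 public:
  virtual void SetUp() {
    ASSERT_TRUE(test_nssdb_.is_open());
    // NSSCertDatabase owns the slot references it is given, so it gets two
    // fresh references to the same test slot.
    cert_db_.reset(new NSSCertDatabase(
        crypto::ScopedPK11Slot(
            PK11_ReferenceSlot(test_nssdb_.slot())) /* public slot */,
        crypto::ScopedPK11Slot(
            PK11_ReferenceSlot(test_nssdb_.slot())) /* private slot */));
    public_module_ = cert_db_->GetPublicModule();

    // Test db should be empty at start of test.
    EXPECT_EQ(0U, ListCerts().size());
  }

  virtual void TearDown() {
    // Run the message loop to process any observer callbacks (e.g. for the
    // ClientSocketFactory singleton) so that the scoped ref ptrs created in
    // NSSCertDatabase::NotifyObservers* get released. Uses base::RunLoop, the
    // same mechanism the ListCerts test below uses, rather than reaching
    // through MessageLoop::current().
    base::RunLoop().RunUntilIdle();
  }

 protected:
  // The module the PKCS#12 imports below store their certificate and key in.
  net::CryptoModule* GetPublicModule() {
    return public_module_.get();
  }

  // Reads fixture file |name| from the test certificates directory. A read
  // failure is recorded as a test failure and yields an empty string, which
  // the import calls then reject instead of silently accepting.
  static std::string ReadTestFile(const std::string& name) {
    std::string result;
    base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name);
    EXPECT_TRUE(base::ReadFileToString(cert_path, &result));
    return result;
  }

  // Parses the named test certificate and appends it to |certs|. Returns
  // false, leaving |certs| untouched, if the file does not parse.
  static bool ReadCertIntoList(const std::string& name,
                               CertificateList* certs) {
    scoped_refptr<X509Certificate> cert(
        ImportCertFromFile(GetTestCertsDirectory(), name));
    if (!cert.get())
      return false;

    certs->push_back(cert);
    return true;
  }

  // Enumerates the certificates stored in the test slot. This goes straight
  // to NSS rather than through |cert_db_| so that the expectations below do
  // not depend on the code under test. The list is returned sorted so that
  // comparisons are deterministic.
  CertificateList ListCerts() {
    CertificateList result;
    CERTCertList* cert_list = PK11_ListCertsInSlot(test_nssdb_.slot());
    // SetUp() relies on an empty slot producing an empty, non-NULL list; a
    // NULL return means NSS itself failed. Report that instead of
    // dereferencing a NULL list head.
    if (!cert_list) {
      ADD_FAILURE() << "PK11_ListCertsInSlot failed";
      return result;
    }
    for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
         !CERT_LIST_END(node, cert_list);
         node = CERT_LIST_NEXT(node)) {
      result.push_back(X509Certificate::CreateFromHandle(
          node->cert, X509Certificate::OSCertHandles()));
    }
    CERT_DestroyCertList(cert_list);

    // Sort the result so that test comparisons can be deterministic.
    std::sort(result.begin(), result.end(), X509Certificate::LessThan());
    return result;
  }

  scoped_ptr<NSSCertDatabase> cert_db_;
  const CertificateList empty_cert_list_;
  crypto::ScopedTestNSSDB test_nssdb_;
  scoped_refptr<net::CryptoModule> public_module_;
};

TEST_F(CertDatabaseNSSTest, ListCertsSync) {
  // This test isn't terribly useful, though it will at least let valgrind test
  // for leaks.
  CertificateList certs;
  cert_db_->ListCertsSync(&certs);
  // The test DB is empty, but let's assume there will always be something in
  // the other slots.
  EXPECT_LT(0U, certs.size());
}

TEST_F(CertDatabaseNSSTest, ListCerts) {
  // This test isn't terribly useful, though it will at least let valgrind test
  // for leaks.
  CertificateList certs;
  // Run the "slow" listing task on the current loop so that RunUntilIdle()
  // below drives it to completion.
  cert_db_->SetSlowTaskRunnerForTest(base::MessageLoopProxy::current());
  cert_db_->ListCerts(base::Bind(&SwapCertList, base::Unretained(&certs)));
  // Listing is asynchronous: nothing has been delivered yet.
  EXPECT_EQ(0U, certs.size());

  base::RunLoop().RunUntilIdle();

  // The test DB is empty, but let's assume there will always be something in
  // the other slots.
  EXPECT_LT(0U, certs.size());
}

// Importing with the wrong (here: empty) password must fail with
// ERR_PKCS12_IMPORT_BAD_PASSWORD and must not leave a partially imported
// certificate or key behind.
TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {
  std::string pkcs12_data = ReadTestFile("client.p12");

  EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,
            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       base::string16(),
                                       true,  // is_extractable
                                       NULL));

  // Test db should still be empty.
  EXPECT_EQ(0U, ListCerts().size());
}

// Importing client.p12 with its password stores the certificate, and a key
// imported as extractable can be exported again under a new password.
TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {
  std::string pkcs12_data = ReadTestFile("client.p12");

  EXPECT_EQ(OK,
            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       ASCIIToUTF16("12345"),
                                       true,  // is_extractable
                                       NULL));

  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  scoped_refptr<X509Certificate> cert(cert_list[0]);

  EXPECT_EQ("testusercert",
            cert->subject().common_name);

  // TODO(mattm): move export test to separate test case?
  std::string exported_data;
  // ExportToPKCS12's return value is the number of certificates exported;
  // contrast with the unextractable case below, where it must be 0.
  EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
                                        &exported_data));
  ASSERT_LT(0U, exported_data.size());
  // TODO(mattm): further verification of exported data? Only the size is
  // checked here; nothing confirms that the blob is protected by "exportpw"
  // or that it re-imports to the same certificate.
}

// Re-importing the same PKCS#12 blob reports OK and the database still holds
// a single copy of the certificate.
TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {
  std::string pkcs12_data = ReadTestFile("client.p12");

  EXPECT_EQ(OK,
            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       ASCIIToUTF16("12345"),
                                       true,  // is_extractable
                                       NULL));
  EXPECT_EQ(1U, ListCerts().size());

  // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like
  // it's ever used. This test verifies that.
  EXPECT_EQ(OK,
            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       ASCIIToUTF16("12345"),
                                       true,  // is_extractable
                                       NULL));
  EXPECT_EQ(1U, ListCerts().size());
}

// A key imported with is_extractable=false is stored, but ExportToPKCS12 must
// refuse to export it: it reports 0 certificates exported.
TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
  std::string pkcs12_data = ReadTestFile("client.p12");

  EXPECT_EQ(OK,
            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       ASCIIToUTF16("12345"),
                                       false,  // is_extractable
                                       NULL));

  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  scoped_refptr<X509Certificate> cert(cert_list[0]);

  EXPECT_EQ("testusercert",
            cert->subject().common_name);

  std::string exported_data;
  EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
                                        &exported_data));
}

// Importing a PKCS#12 file with a certificate but no corresponding
// private key should not mark an existing private key as unextractable.
TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) {
  std::string pkcs12_data = ReadTestFile("client.p12");
  EXPECT_EQ(OK,
            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       ASCIIToUTF16("12345"),
                                       true,  // is_extractable
                                       NULL));

  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());

  // Now import a PKCS#12 file with just a certificate but no private key.
  // is_extractable=false may only apply to keys carried in this file, and
  // this file carries none.
  pkcs12_data = ReadTestFile("client-nokey.p12");
  EXPECT_EQ(OK,
            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       ASCIIToUTF16("12345"),
                                       false,  // is_extractable
                                       NULL));

  cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());

  // Make sure the imported private key is still extractable.
  std::string exported_data;
  EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
                                        &exported_data));
  ASSERT_LT(0U, exported_data.size());
}

// Data that is not a PKCS#12 structure at all is rejected with
// ERR_PKCS12_IMPORT_INVALID_FILE (not BAD_PASSWORD) and nothing is stored.
TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
  std::string pkcs12_data = "Foobarbaz";

  EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,
            cert_db_->ImportFromPKCS12(GetPublicModule(),
                                       pkcs12_data,
                                       base::string16(),
                                       true,  // is_extractable
                                       NULL));

  // Test db should still be empty.
  EXPECT_EQ(0U, ListCerts().size());
}

// Importing a CA with TRUSTED_SSL grants trust for SSL only: sslFlags gain
// CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA, while the email and object
// signing usages stay at CERTDB_VALID_CA (recognised as a CA, not trusted).
TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
  CertificateList certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "root_ca_cert.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, certs.size());
  // Freshly parsed: not yet in any permanent database.
  EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);

  // Import it.
  NSSCertDatabase::ImportCertFailureList failed;
  EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
                                      &failed));

  EXPECT_EQ(0U, failed.size());

  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  scoped_refptr<X509Certificate> cert(cert_list[0]);
  EXPECT_EQ("Test Root CA", cert->subject().common_name);

  EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
            cert_db_->GetCertTrust(cert.get(), CA_CERT));

  EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
                     CERTDB_TRUSTED_CLIENT_CA),
            cert->os_cert_handle()->trust->sslFlags);
  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
            cert->os_cert_handle()->trust->emailFlags);
  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
            cert->os_cert_handle()->trust->objectSigningFlags);
}

// Importing a CA with TRUSTED_EMAIL grants trust for email only: emailFlags
// gain the trusted bits, while SSL and object signing stay at CERTDB_VALID_CA.
TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
  CertificateList certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "root_ca_cert.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, certs.size());
  // Freshly parsed: not yet in any permanent database.
  EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);

  // Import it.
  NSSCertDatabase::ImportCertFailureList failed;
  EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL,
                                      &failed));

  EXPECT_EQ(0U, failed.size());

  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  scoped_refptr<X509Certificate> cert(cert_list[0]);
  EXPECT_EQ("Test Root CA", cert->subject().common_name);

  EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL,
            cert_db_->GetCertTrust(cert.get(), CA_CERT));

  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
            cert->os_cert_handle()->trust->sslFlags);
  EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
                     CERTDB_TRUSTED_CLIENT_CA),
            cert->os_cert_handle()->trust->emailFlags);
  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
            cert->os_cert_handle()->trust->objectSigningFlags);
}

// Importing a CA with TRUSTED_OBJ_SIGN grants trust for object signing only:
// objectSigningFlags gain the trusted bits, SSL and email stay at
// CERTDB_VALID_CA.
TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
  CertificateList certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "root_ca_cert.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, certs.size());
  // Freshly parsed: not yet in any permanent database.
  EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);

  // Import it.
  NSSCertDatabase::ImportCertFailureList failed;
  EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN,
                                      &failed));

  EXPECT_EQ(0U, failed.size());

  CertificateList cert_list = ListCerts();
  ASSERT_EQ(1U, cert_list.size());
  scoped_refptr<X509Certificate> cert(cert_list[0]);
  EXPECT_EQ("Test Root CA", cert->subject().common_name);

  EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN,
            cert_db_->GetCertTrust(cert.get(), CA_CERT));

  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
            cert->os_cert_handle()->trust->sslFlags);
  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
            cert->os_cert_handle()->trust->emailFlags);
  EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
                     CERTDB_TRUSTED_CLIENT_CA),
            cert->os_cert_handle()->trust->objectSigningFlags);
}

// Asking to import an end-entity certificate (ok_cert.pem) as a CA must be
// reported in |failed| rather than quietly granting it CA trust.
TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
  CertificateList certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "ok_cert.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, certs.size());
  // Freshly parsed: not yet in any permanent database.
  EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);

  // Import it.
  NSSCertDatabase::ImportCertFailureList failed;
  EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
                                      &failed));
  ASSERT_EQ(1U, failed.size());
  // Note: this compares pointers directly. It's okay in this case because
  // ImportCACerts returns the same pointers that were passed in. In the
  // general case IsSameOSCert should be used.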
3865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(certs[0], failed[0].certificate); 3875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); 3885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3895f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles) EXPECT_EQ(0U, ListCerts().size()); 3905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 3915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { 3935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs; 3945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); 3955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 3965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); 3975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 3985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Import it. 
3995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) NSSCertDatabase::ImportCertFailureList failed; 4005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Have to specify email trust for the cert verification of the child cert to 4015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // work (see 4025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#752 4035821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // "XXX This choice of trustType seems arbitrary.") 4045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(cert_db_->ImportCACerts( 4055821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, 4065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) &failed)); 4075821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(2U, failed.size()); 4095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); 4105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. 
4115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); 4125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); 4135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4145f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles) CertificateList cert_list = ListCerts(); 4155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 4165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 4175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 4185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { 4205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs; 4215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); 4225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // First import just the root. 
4245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) NSSCertDatabase::ImportCertFailureList failed; 4255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(cert_db_->ImportCACerts( 4265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, 4275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) &failed)); 4285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(0U, failed.size()); 4305f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles) CertificateList cert_list = ListCerts(); 4315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 4325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 4335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 4355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); 4365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Now import with the other certs in the list too. Even though the root is 4385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // already present, we should still import the rest. 
4395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) failed.clear(); 4405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(cert_db_->ImportCACerts( 4415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, 4425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) &failed)); 4435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(3U, failed.size()); 4455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); 4465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); 4475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); 4485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. 
4495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name); 4505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error); 4515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4525f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles) cert_list = ListCerts(); 4535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 4545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 4555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 4565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { 4585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs; 4595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); 4605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 4615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Import it. 
4635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) NSSCertDatabase::ImportCertFailureList failed; 4645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT, 4655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) &failed)); 4665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(1U, failed.size()); 4685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); 4695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // TODO(mattm): should check for net error equivalent of 4705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // SEC_ERROR_UNTRUSTED_ISSUER 4715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_FAILED, failed[0].net_error); 4725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4735f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles) CertificateList cert_list = ListCerts(); 4745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 4755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 4765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 4775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { 4795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs; 4805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); 4815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); 4825821806d5e7f356e8fa4b058a389a808ea183019Torne 
(Richard Coles) ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 4835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Import it. 4855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) NSSCertDatabase::ImportCertFailureList failed; 4865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(cert_db_->ImportCACerts( 4875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, 4885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) &failed)); 4895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(2U, failed.size()); 4915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); 4925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. 4935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); 4945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. 
4955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 4965f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles) CertificateList cert_list = ListCerts(); 4975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 4985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 4995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 5005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { 5025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs = CreateCertificateListFromFile( 503eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch GetTestCertsDirectory(), "root_ca_cert.pem", 5045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::FORMAT_AUTO); 5055821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(1U, certs.size()); 5065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); 5075821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 5085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Import it. 
5105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) NSSCertDatabase::ImportCertFailureList failed; 5115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(cert_db_->ImportCACerts( 5125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL | 5135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed)); 5145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(2U, failed.size()); 5165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // TODO(mattm): should check for net error equivalent of 5175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // SEC_ERROR_UNKNOWN_ISSUER 5185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); 5195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_FAILED, failed[0].net_error); 5205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); 5215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_FAILED, failed[1].net_error); 5225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5235f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles) CertificateList cert_list = ListCerts(); 5245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 525eb525c5499e34cc9c4b825d6d9e75bb07cc06aceBen Murdoch EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name); 5265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 5275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// http://crbug.com/108009 - Disabled, as google.chain.pem is an expired 
5295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// certificate. 5305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { 5315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Need to import intermediate cert for the verify of google cert, otherwise 5325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // it will try to fetch it automatically with cert_pi_useAIACertFetch, which 5335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // will cause OCSPCreateSession on the main thread, which is not allowed. 5345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs = CreateCertificateListFromFile( 5355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) GetTestCertsDirectory(), "google.chain.pem", 5365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) X509Certificate::FORMAT_AUTO); 5375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(2U, certs.size()); 5385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) NSSCertDatabase::ImportCertFailureList failed; 5405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, 5415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) &failed)); 5425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(0U, failed.size()); 5445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5455f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles) CertificateList cert_list = ListCerts(); 5465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(2U, cert_list.size()); 5475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> goog_cert(cert_list[0]); 
5485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); 5495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("www.google.com", goog_cert->subject().common_name); 5505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); 5515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 5535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); 5545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); 5565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 5585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags = 0; 5595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 560868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = verify_proc->Verify(goog_cert.get(), 561868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "www.google.com", 562868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 563868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 564868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 565868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 5665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(OK, error); 5675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(0U, verify_result.cert_status); 5685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard 
Coles)} 5695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { 5715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs; 57234680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); 5735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) NSSCertDatabase::ImportCertFailureList failed; 5755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, 5765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) &failed)); 5775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(0U, failed.size()); 5795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5805f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles) CertificateList cert_list = ListCerts(); 5815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 5825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> puny_cert(cert_list[0]); 5835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 5855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); 5865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); 5875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 
5895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags = 0; 5905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 591868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = verify_proc->Verify(puny_cert.get(), 592868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "xn--wgv71a119e.com", 593868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 594868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 595868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 596868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 5975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 5985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); 5995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 6005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { 6025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertificateList certs; 60334680572440d7894ef8dafce81d8039ed80726a2Torne (Richard Coles) ASSERT_TRUE(ReadCertIntoList("punycodetest.pem", &certs)); 6045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6055821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) NSSCertDatabase::ImportCertFailureList failed; 6065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, 6075821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) &failed)); 6085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(0U, failed.size()); 
6105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6115f1c94371a64b3196d4be9466099bb892df9b88eTorne (Richard Coles) CertificateList cert_list = ListCerts(); 6125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ASSERT_EQ(1U, cert_list.size()); 6135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<X509Certificate> puny_cert(cert_list[0]); 6145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, 6165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); 6175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), 6185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) puny_cert->os_cert_handle()->trust->sslFlags); 6195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 6215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) int flags = 0; 6225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CertVerifyResult verify_result; 623868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) int error = verify_proc->Verify(puny_cert.get(), 624868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) "xn--wgv71a119e.com", 625868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) flags, 626868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) NULL, 627868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) empty_cert_list_, 628868fa2fe829687343ffae624259930155e16dbd8Torne (Richard Coles) &verify_result); 6295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(OK, error); 6305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) EXPECT_EQ(0U, verify_result.cert_status); 
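}

// Verifies |cert| as a server certificate for host "127.0.0.1" through
// |verify_proc|, with no CRLSet and |additional_trust_anchors| as the extra
// anchors. Returns the net error code and fills |verify_result|. The trust
// tests below re-run this same call after every change of trust settings, so
// the call lives here and each test only spells out its trust setup and the
// outcome it expects from it.
static int VerifyServerCert(CertVerifyProc* verify_proc,
                            X509Certificate* cert,
                            const CertificateList& additional_trust_anchors,
                            CertVerifyResult* verify_result) {
  const int flags = 0;  // No optional verification flags.
  return verify_proc->Verify(cert,
                             "127.0.0.1",
                             flags,
                             NULL,  // No CRLSet.
                             additional_trust_anchors,
                             verify_result);
}

// A root CA imported with SSL trust, followed by a server certificate that
// chains to it imported with default trust: the leaf verifies cleanly because
// it inherits trust from its issuer.
TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
  CertificateList ca_certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "root_ca_cert.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, ca_certs.size());

  // Import CA cert and trust it.
  NSSCertDatabase::ImportCertFailureList failed;
  EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
                                      &failed));
  EXPECT_EQ(0U, failed.size());

  CertificateList certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "ok_cert.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, certs.size());

  // Import server cert with default trust.
  EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
                                         &failed));
  EXPECT_EQ(0U, failed.size());

  // Server cert should verify.
  scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
  CertVerifyResult verify_result;
  int error = VerifyServerCert(verify_proc.get(), certs[0].get(),
                               empty_cert_list_, &verify_result);
  EXPECT_EQ(OK, error);
  EXPECT_EQ(0U, verify_result.cert_status);
}

// Same setup as ImportCaAndServerCert, but the server certificate is imported
// with explicit SSL distrust. The explicit decision on the leaf wins over the
// trust it would otherwise inherit from its issuer: NSS stores it as a
// terminal record on sslFlags and the verifier reports the leaf as revoked.
TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
  CertificateList ca_certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "root_ca_cert.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, ca_certs.size());

  // Import CA cert and trust it.
  NSSCertDatabase::ImportCertFailureList failed;
  EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
                                      &failed));
  EXPECT_EQ(0U, failed.size());

  CertificateList certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "ok_cert.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, certs.size());

  // Import server cert without inheriting trust from issuer (explicit
  // distrust).
  EXPECT_TRUE(cert_db_->ImportServerCert(
      certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
  EXPECT_EQ(0U, failed.size());
  EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL,
            cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));

  // Explicit distrust is recorded as the NSS terminal-record marker on the
  // SSL trust flags.
  EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
            certs[0]->os_cert_handle()->trust->sslFlags);

  // Server cert should fail to verify, and the distrust surfaces to callers
  // as a revocation error rather than a missing-authority error.
  scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
  CertVerifyResult verify_result;
  int error = VerifyServerCert(verify_proc.get(), certs[0].get(),
                               empty_cert_list_, &verify_result);
  EXPECT_EQ(ERR_CERT_REVOKED, error);
  EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
}

// Trust placed on an intermediate CA anchors the chain on its own: with the
// root distrusted and the intermediate trusted, the leaf verifies. Swapping
// the two settings (root trusted, intermediate distrusted) makes the leaf fail
// as revoked, and the trust bits NSS records for each setting are checked
// along the way.
TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {
  CertificateList ca_certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "2048-rsa-root.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, ca_certs.size());

  // Import Root CA cert and distrust it.
  NSSCertDatabase::ImportCertFailureList failed;
  EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL,
                                      &failed));
  EXPECT_EQ(0U, failed.size());

  CertificateList intermediate_certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, intermediate_certs.size());

  // Import Intermediate CA cert and trust it.
  EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
                                      NSSCertDatabase::TRUSTED_SSL, &failed));
  EXPECT_EQ(0U, failed.size());

  CertificateList certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, certs.size());

  // Import server cert with default trust.
  EXPECT_TRUE(cert_db_->ImportServerCert(
      certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
  EXPECT_EQ(0U, failed.size());
  EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
            cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));

  // Server cert should verify: the trusted intermediate is a sufficient anchor
  // even though the root above it is distrusted.
  scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
  CertVerifyResult verify_result;
  int error = VerifyServerCert(verify_proc.get(), certs[0].get(),
                               empty_cert_list_, &verify_result);
  EXPECT_EQ(OK, error);
  EXPECT_EQ(0U, verify_result.cert_status);

  // Trust the root cert and distrust the intermediate.
  EXPECT_TRUE(cert_db_->SetCertTrust(
      ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL));
  EXPECT_TRUE(cert_db_->SetCertTrust(
      intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL));

  // TRUSTED_SSL on a CA sets the CA trust bits on sslFlags only; the e-mail
  // and object-signing trust of the root stay at plain CERTDB_VALID_CA.
  EXPECT_EQ(
      unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA),
      ca_certs[0]->os_cert_handle()->trust->sslFlags);
  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
            ca_certs[0]->os_cert_handle()->trust->emailFlags);
  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
            ca_certs[0]->os_cert_handle()->trust->objectSigningFlags);
  // DISTRUSTED_SSL likewise touches only sslFlags, where it becomes the
  // terminal-record marker.
  EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
            intermediate_certs[0]->os_cert_handle()->trust->sslFlags);
  EXPECT_EQ(unsigned(CERTDB_VALID_CA),
            intermediate_certs[0]->os_cert_handle()->trust->emailFlags);
  EXPECT_EQ(
      unsigned(CERTDB_VALID_CA),
      intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags);

  // Server cert should fail to verify: the distrusted intermediate is reported
  // as a revocation of the chain, even though the root is now trusted.
  CertVerifyResult verify_result2;
  error = VerifyServerCert(verify_proc.get(), certs[0].get(),
                           empty_cert_list_, &verify_result2);
  EXPECT_EQ(ERR_CERT_REVOKED, error);
  EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status);
}

// Only the intermediate is imported (the root is never added). While the
// intermediate carries explicit SSL trust the leaf verifies; once that trust
// is reset to the default there is no anchor left to reach, so verification
// fails with an authority-invalid error rather than revoked.
TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) {
  // NSS_VersionCheck() is true when the runtime NSS is at least the given
  // version, so this skips exactly the 3.14.2 <= version < 3.15 range.
  if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
    // See http://bugzil.la/863947 for details.
    LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
    return;
  }

  NSSCertDatabase::ImportCertFailureList failed;

  CertificateList intermediate_certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, intermediate_certs.size());

  // Import Intermediate CA cert and trust it.
  EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
                                      NSSCertDatabase::TRUSTED_SSL, &failed));
  EXPECT_EQ(0U, failed.size());

  CertificateList certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, certs.size());

  // Import server cert with default trust.
  EXPECT_TRUE(cert_db_->ImportServerCert(
      certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
  EXPECT_EQ(0U, failed.size());
  EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
            cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));

  // Server cert should verify.
  scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
  CertVerifyResult verify_result;
  int error = VerifyServerCert(verify_proc.get(), certs[0].get(),
                               empty_cert_list_, &verify_result);
  EXPECT_EQ(OK, error);
  EXPECT_EQ(0U, verify_result.cert_status);

  // Without explicit trust of the intermediate, verification should fail.
  EXPECT_TRUE(cert_db_->SetCertTrust(
      intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));

  // Server cert should fail to verify.
  CertVerifyResult verify_result2;
  error = VerifyServerCert(verify_proc.get(), certs[0].get(),
                           empty_cert_list_, &verify_result2);
  EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
}

// Like TrustIntermediateCa2, but the root is present in the database with
// default (i.e. no explicit) trust. A merely present root is not an anchor:
// the leaf verifies only while the intermediate is explicitly trusted and
// fails as authority-invalid once that trust is reset.
TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) {
  // NSS_VersionCheck() is true when the runtime NSS is at least the given
  // version, so this skips exactly the 3.14.2 <= version < 3.15 range.
  if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
    // See http://bugzil.la/863947 for details.
    LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
    return;
  }

  NSSCertDatabase::ImportCertFailureList failed;

  CertificateList ca_certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "2048-rsa-root.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, ca_certs.size());

  // Import Root CA cert and default trust it.
  EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT,
                                      &failed));
  EXPECT_EQ(0U, failed.size());

  CertificateList intermediate_certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, intermediate_certs.size());

  // Import Intermediate CA cert and trust it.
  EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
                                      NSSCertDatabase::TRUSTED_SSL, &failed));
  EXPECT_EQ(0U, failed.size());

  CertificateList certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, certs.size());

  // Import server cert with default trust.
  EXPECT_TRUE(cert_db_->ImportServerCert(
      certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
  EXPECT_EQ(0U, failed.size());
  EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
            cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));

  // Server cert should verify.
  scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
  CertVerifyResult verify_result;
  int error = VerifyServerCert(verify_proc.get(), certs[0].get(),
                               empty_cert_list_, &verify_result);
  EXPECT_EQ(OK, error);
  EXPECT_EQ(0U, verify_result.cert_status);

  // Without explicit trust of the intermediate, verification should fail.
  EXPECT_TRUE(cert_db_->SetCertTrust(
      intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));

  // Server cert should fail to verify.
  CertVerifyResult verify_result2;
  error = VerifyServerCert(verify_proc.get(), certs[0].get(),
                           empty_cert_list_, &verify_result2);
  EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
}

// The mirror image of TrustIntermediateCa3: the root is explicitly trusted
// and the intermediate explicitly distrusted, so the leaf fails as revoked.
// Resetting the intermediate to default trust removes the block and the leaf
// verifies through the trusted root.
TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
  NSSCertDatabase::ImportCertFailureList failed;

  CertificateList ca_certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "2048-rsa-root.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, ca_certs.size());

  // Import Root CA cert and trust it.
  EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
                                      &failed));
  EXPECT_EQ(0U, failed.size());

  CertificateList intermediate_certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, intermediate_certs.size());

  // Import Intermediate CA cert and distrust it.
  EXPECT_TRUE(cert_db_->ImportCACerts(
      intermediate_certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
  EXPECT_EQ(0U, failed.size());

  CertificateList certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, certs.size());

  // Import server cert with default trust.
  EXPECT_TRUE(cert_db_->ImportServerCert(
      certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
  EXPECT_EQ(0U, failed.size());
  EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
            cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));

  // Server cert should not verify: the distrusted intermediate is reported as
  // a revocation even though the root is trusted.
  scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
  CertVerifyResult verify_result;
  int error = VerifyServerCert(verify_proc.get(), certs[0].get(),
                               empty_cert_list_, &verify_result);
  EXPECT_EQ(ERR_CERT_REVOKED, error);
  EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);

  // Without explicit distrust of the intermediate, verification should succeed.
  EXPECT_TRUE(cert_db_->SetCertTrust(
      intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));

  // Server cert should verify.
  CertVerifyResult verify_result2;
  error = VerifyServerCert(verify_proc.get(), certs[0].get(),
                           empty_cert_list_, &verify_result2);
  EXPECT_EQ(OK, error);
  EXPECT_EQ(0U, verify_result2.cert_status);
}

// Importing two certificates with the same issuer and subject common name,
// but overall distinct subject names, should succeed and generate a unique
// nickname for the second certificate.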
TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {
  CertificateList first_certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "duplicate_cn_1.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, first_certs.size());

  // Nothing has been imported yet, so every certificate ListCerts() reports
  // from here on was put there by this test.
  EXPECT_EQ(0U, ListCerts().size());

  // Import the first server cert with default trust.
  NSSCertDatabase::ImportCertFailureList failed;
  EXPECT_TRUE(cert_db_->ImportServerCert(
      first_certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
  EXPECT_EQ(0U, failed.size());
  EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
            cert_db_->GetCertTrust(first_certs[0].get(), SERVER_CERT));

  CertificateList stored_certs = ListCerts();
  ASSERT_EQ(1U, stored_certs.size());

  // Now attempt to import a different certificate with the same common name.
  CertificateList second_certs = CreateCertificateListFromFile(
      GetTestCertsDirectory(), "duplicate_cn_2.pem",
      X509Certificate::FORMAT_AUTO);
  ASSERT_EQ(1U, second_certs.size());

  // Import the second server cert with default trust; the clashing common
  // name must not make the import fail.
  EXPECT_TRUE(cert_db_->ImportServerCert(
      second_certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
  EXPECT_EQ(0U, failed.size());
  EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
            cert_db_->GetCertTrust(second_certs[0].get(), SERVER_CERT));

  // Both certificates are now stored, under distinct NSS nicknames.
  stored_certs = ListCerts();
  ASSERT_EQ(2U, stored_certs.size());
  EXPECT_STRNE(stored_certs[0]->os_cert_handle()->nickname,
               stored_certs[1]->os_cert_handle()->nickname);
}

}  // namespace net
