1// Copyright (c) 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/ocsp/nss_ocsp.h" 6 7#include <string> 8 9#include "base/files/file_path.h" 10#include "base/files/file_util.h" 11#include "base/logging.h" 12#include "base/memory/ref_counted.h" 13#include "net/base/net_errors.h" 14#include "net/base/test_completion_callback.h" 15#include "net/base/test_data_directory.h" 16#include "net/cert/cert_status_flags.h" 17#include "net/cert/cert_verifier.h" 18#include "net/cert/cert_verify_proc.h" 19#include "net/cert/cert_verify_proc_nss.h" 20#include "net/cert/cert_verify_result.h" 21#include "net/cert/multi_threaded_cert_verifier.h" 22#include "net/cert/test_root_certs.h" 23#include "net/cert/x509_certificate.h" 24#include "net/test/cert_test_util.h" 25#include "net/url_request/url_request_filter.h" 26#include "net/url_request/url_request_interceptor.h" 27#include "net/url_request/url_request_test_job.h" 28#include "net/url_request/url_request_test_util.h" 29#include "testing/gtest/include/gtest/gtest.h" 30 31namespace net { 32 33namespace { 34 35// Matches the caIssuers hostname from the generated certificate. 36const char kAiaHost[] = "aia-test.invalid"; 37// Returning a single DER-encoded cert, so the mime-type must be 38// application/pkix-cert per RFC 5280. 39const char kAiaHeaders[] = "HTTP/1.1 200 OK\0" 40 "Content-type: application/pkix-cert\0" 41 "\0"; 42 43class AiaResponseHandler : public net::URLRequestInterceptor { 44 public: 45 AiaResponseHandler(const std::string& headers, const std::string& cert_data) 46 : headers_(headers), cert_data_(cert_data), request_count_(0) {} 47 virtual ~AiaResponseHandler() {} 48 49 // net::URLRequestInterceptor implementation: 50 virtual net::URLRequestJob* MaybeInterceptRequest( 51 net::URLRequest* request, 52 net::NetworkDelegate* network_delegate) const OVERRIDE { 53 ++const_cast<AiaResponseHandler*>(this)->request_count_; 54 55 return new net::URLRequestTestJob( 56 request, network_delegate, headers_, cert_data_, true); 57 } 58 59 int request_count() const { return request_count_; } 60 61 private: 62 std::string headers_; 63 std::string cert_data_; 64 int request_count_; 65 66 DISALLOW_COPY_AND_ASSIGN(AiaResponseHandler); 67}; 68 69} // namespace 70 71class NssHttpTest : public ::testing::Test { 72 public: 73 NssHttpTest() 74 : context_(false), 75 handler_(NULL), 76 verify_proc_(new CertVerifyProcNSS), 77 verifier_(new MultiThreadedCertVerifier(verify_proc_.get())) {} 78 virtual ~NssHttpTest() {} 79 80 virtual void SetUp() { 81 std::string file_contents; 82 ASSERT_TRUE(base::ReadFileToString( 83 GetTestCertsDirectory().AppendASCII("aia-intermediate.der"), 84 &file_contents)); 85 ASSERT_FALSE(file_contents.empty()); 86 87 // Ownership of |handler| is transferred to the URLRequestFilter, but 88 // hold onto the original pointer in order to access |request_count()|. 89 scoped_ptr<AiaResponseHandler> handler( 90 new AiaResponseHandler(kAiaHeaders, file_contents)); 91 handler_ = handler.get(); 92 93 URLRequestFilter::GetInstance()->AddHostnameInterceptor( 94 "http", 95 kAiaHost, 96 handler.PassAs<URLRequestInterceptor>()); 97 98 SetURLRequestContextForNSSHttpIO(&context_); 99 EnsureNSSHttpIOInit(); 100 } 101 102 virtual void TearDown() { 103 ShutdownNSSHttpIO(); 104 105 if (handler_) 106 URLRequestFilter::GetInstance()->RemoveHostnameHandler("http", kAiaHost); 107 } 108 109 CertVerifier* verifier() const { 110 return verifier_.get(); 111 } 112 113 int request_count() const { 114 return handler_->request_count(); 115 } 116 117 protected: 118 const CertificateList empty_cert_list_; 119 120 private: 121 TestURLRequestContext context_; 122 AiaResponseHandler* handler_; 123 scoped_refptr<CertVerifyProc> verify_proc_; 124 scoped_ptr<CertVerifier> verifier_; 125}; 126 127// Tests that when using NSS to verify certificates, and IO is enabled, 128// that a request to fetch missing intermediate certificates is 129// made successfully. 130TEST_F(NssHttpTest, TestAia) { 131 scoped_refptr<X509Certificate> test_cert( 132 ImportCertFromFile(GetTestCertsDirectory(), "aia-cert.pem")); 133 ASSERT_TRUE(test_cert.get()); 134 135 scoped_refptr<X509Certificate> test_root( 136 ImportCertFromFile(GetTestCertsDirectory(), "aia-root.pem")); 137 ASSERT_TRUE(test_root.get()); 138 139 ScopedTestRoot scoped_root(test_root.get()); 140 141 CertVerifyResult verify_result; 142 TestCompletionCallback test_callback; 143 CertVerifier::RequestHandle request_handle; 144 145 int flags = CertVerifier::VERIFY_CERT_IO_ENABLED; 146 int error = verifier()->Verify(test_cert.get(), 147 "aia-host.invalid", 148 flags, 149 NULL, 150 &verify_result, 151 test_callback.callback(), 152 &request_handle, 153 BoundNetLog()); 154 ASSERT_EQ(ERR_IO_PENDING, error); 155 156 error = test_callback.WaitForResult(); 157 158 EXPECT_EQ(OK, error); 159 160 // Ensure that NSS made an AIA request for the missing intermediate. 161 EXPECT_LT(0, request_count()); 162} 163 164} // namespace net 165