// Copyright 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "base/files/file_path.h" #include "build/build_config.h" #include "net/base/net_errors.h" #include "net/base/test_data_directory.h" #include "net/cert/cert_status_flags.h" #include "net/cert/cert_verify_proc.h" #include "net/cert/cert_verify_result.h" #include "net/cert/test_root_certs.h" #include "net/cert/x509_certificate.h" #include "net/test/cert_test_util.h" #include "testing/gtest/include/gtest/gtest.h" #if defined(USE_NSS) || defined(OS_IOS) #include <nss.h> #endif namespace net { namespace { // The local test root certificate. const char kRootCertificateFile[] = "root_ca_cert.pem"; // A certificate issued by the local test root for 127.0.0.1. const char kGoodCertificateFile[] = "ok_cert.pem"; } // namespace // Test basic functionality when adding from an existing X509Certificate. TEST(TestRootCertsTest, AddFromPointer) { scoped_refptr<X509Certificate> root_cert = ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile); ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); TestRootCerts* test_roots = TestRootCerts::GetInstance(); ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); EXPECT_TRUE(test_roots->IsEmpty()); EXPECT_TRUE(test_roots->Add(root_cert.get())); EXPECT_FALSE(test_roots->IsEmpty()); test_roots->Clear(); EXPECT_TRUE(test_roots->IsEmpty()); } // Test basic functionality when adding directly from a file, which should // behave the same as when adding from an existing certificate. TEST(TestRootCertsTest, AddFromFile) { TestRootCerts* test_roots = TestRootCerts::GetInstance(); ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); EXPECT_TRUE(test_roots->IsEmpty()); base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(kRootCertificateFile); EXPECT_TRUE(test_roots->AddFromFile(cert_path)); EXPECT_FALSE(test_roots->IsEmpty()); test_roots->Clear(); EXPECT_TRUE(test_roots->IsEmpty()); } // Test that TestRootCerts actually adds the appropriate trust status flags // when requested, and that the trusted status is cleared once the root is // removed the TestRootCerts. This test acts as a canary/sanity check for // the results of the rest of net_unittests, ensuring that the trust status // is properly being set and cleared. TEST(TestRootCertsTest, OverrideTrust) { #if defined(USE_NSS) || defined(OS_IOS) if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { // See http://bugzil.la/863947 for details LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; return; } #endif TestRootCerts* test_roots = TestRootCerts::GetInstance(); ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); EXPECT_TRUE(test_roots->IsEmpty()); scoped_refptr<X509Certificate> test_cert = ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile); ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert.get()); // Test that the good certificate fails verification, because the root // certificate should not yet be trusted. int flags = 0; CertVerifyResult bad_verify_result; scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); int bad_status = verify_proc->Verify(test_cert.get(), "127.0.0.1", flags, NULL, CertificateList(), &bad_verify_result); EXPECT_NE(OK, bad_status); EXPECT_NE(0u, bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); // Add the root certificate and mark it as trusted. EXPECT_TRUE(test_roots->AddFromFile( GetTestCertsDirectory().AppendASCII(kRootCertificateFile))); EXPECT_FALSE(test_roots->IsEmpty()); // Test that the certificate verification now succeeds, because the // TestRootCerts is successfully imbuing trust. CertVerifyResult good_verify_result; int good_status = verify_proc->Verify(test_cert.get(), "127.0.0.1", flags, NULL, CertificateList(), &good_verify_result); EXPECT_EQ(OK, good_status); EXPECT_EQ(0u, good_verify_result.cert_status); test_roots->Clear(); EXPECT_TRUE(test_roots->IsEmpty()); // Ensure that when the TestRootCerts is cleared, the trust settings // revert to their original state, and don't linger. If trust status // lingers, it will likely break other tests in net_unittests. CertVerifyResult restored_verify_result; int restored_status = verify_proc->Verify(test_cert.get(), "127.0.0.1", flags, NULL, CertificateList(), &restored_verify_result); EXPECT_NE(OK, restored_status); EXPECT_NE(0u, restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); EXPECT_EQ(bad_status, restored_status); EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status); } #if defined(USE_NSS) || (defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)) TEST(TestRootCertsTest, Contains) { // Another test root certificate. const char kRootCertificateFile2[] = "2048-rsa-root.pem"; TestRootCerts* test_roots = TestRootCerts::GetInstance(); ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); scoped_refptr<X509Certificate> root_cert_1 = ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile); ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_1.get()); scoped_refptr<X509Certificate> root_cert_2 = ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile2); ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_2.get()); EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle())); EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle())); EXPECT_TRUE(test_roots->Add(root_cert_1.get())); EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle())); EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle())); EXPECT_TRUE(test_roots->Add(root_cert_2.get())); EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle())); EXPECT_TRUE(test_roots->Contains(root_cert_2->os_cert_handle())); test_roots->Clear(); EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle())); EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle())); } #endif // TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that // TestRootCerts properly injects itself into the validation process. See // http://crbug.com/63958 } // namespace net