普通文本  |  324行  |  11.04 KB

// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "chromeos/cert_loader.h"

#include "base/bind.h"
#include "base/file_util.h"
#include "base/memory/scoped_ptr.h"
#include "base/message_loop/message_loop.h"
#include "base/run_loop.h"
#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_nss_types.h"
#include "net/base/net_errors.h"
#include "net/base/test_data_directory.h"
#include "net/cert/nss_cert_database_chromeos.h"
#include "net/cert/x509_certificate.h"
#include "net/test/cert_test_util.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace chromeos {
namespace {

bool IsCertInCertificateList(const net::X509Certificate* cert,
                             const net::CertificateList& cert_list) {
  for (net::CertificateList::const_iterator it = cert_list.begin();
       it != cert_list.end();
       ++it) {
    if (net::X509Certificate::IsSameOSCert((*it)->os_cert_handle(),
                                            cert->os_cert_handle())) {
      return true;
    }
  }
  return false;
}

void FailOnPrivateSlotCallback(crypto::ScopedPK11Slot slot) {
  EXPECT_FALSE(true) << "GetPrivateSlotForChromeOSUser callback called even "
                     << "though the private slot had been initialized.";
}

class CertLoaderTest : public testing::Test,
                       public CertLoader::Observer {
 public:
  CertLoaderTest() : cert_loader_(NULL),
                     primary_user_("primary"),
                     certificates_loaded_events_count_(0U) {
  }

  virtual ~CertLoaderTest() {}

  virtual void SetUp() OVERRIDE {
    ASSERT_TRUE(primary_user_.constructed_successfully());
    ASSERT_TRUE(
        crypto::GetPublicSlotForChromeOSUser(primary_user_.username_hash()));

    CertLoader::Initialize();
    cert_loader_ = CertLoader::Get();
    cert_loader_->AddObserver(this);
  }

  virtual void TearDown() {
    cert_loader_->RemoveObserver(this);
    CertLoader::Shutdown();
  }

 protected:
  void StartCertLoaderWithPrimaryUser() {
    FinishUserInitAndGetDatabase(&primary_user_, &primary_db_);
    cert_loader_->StartWithNSSDB(primary_db_.get());

    base::RunLoop().RunUntilIdle();
    GetAndResetCertificatesLoadedEventsCount();
  }

  // CertLoader::Observer:
  // The test keeps count of times the observer method was called.
  virtual void OnCertificatesLoaded(const net::CertificateList& cert_list,
                                    bool initial_load) OVERRIDE {
    EXPECT_TRUE(certificates_loaded_events_count_ == 0 || !initial_load);
    certificates_loaded_events_count_++;
  }

  // Returns the number of |OnCertificatesLoaded| calls observed since the
  // last call to this method equals |value|.
  size_t GetAndResetCertificatesLoadedEventsCount() {
    size_t result = certificates_loaded_events_count_;
    certificates_loaded_events_count_ = 0;
    return result;
  }

  // Finishes initialization for the |user| and returns a user's NSS database
  // instance.
  void FinishUserInitAndGetDatabase(
      crypto::ScopedTestNSSChromeOSUser* user,
      scoped_ptr<net::NSSCertDatabaseChromeOS>* database) {
    ASSERT_TRUE(user->constructed_successfully());

    user->FinishInit();

    crypto::ScopedPK11Slot private_slot(
        crypto::GetPrivateSlotForChromeOSUser(
            user->username_hash(),
            base::Bind(&FailOnPrivateSlotCallback)));
    ASSERT_TRUE(private_slot);

    database->reset(new net::NSSCertDatabaseChromeOS(
        crypto::GetPublicSlotForChromeOSUser(user->username_hash()),
        private_slot.Pass()));
    (*database)->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
  }

  int GetDbPrivateSlotId(net::NSSCertDatabase* db) {
    return static_cast<int>(PK11_GetSlotID(db->GetPrivateSlot().get()));
  }

  void ImportCACert(const std::string& cert_file,
                    net::NSSCertDatabase* database,
                    net::CertificateList* imported_certs) {
    ASSERT_TRUE(database);
    ASSERT_TRUE(imported_certs);

    // Add a certificate to the user's db.
    *imported_certs = net::CreateCertificateListFromFile(
        net::GetTestCertsDirectory(),
        cert_file,
        net::X509Certificate::FORMAT_AUTO);
    ASSERT_EQ(1U, imported_certs->size());

    net::NSSCertDatabase::ImportCertFailureList failed;
    ASSERT_TRUE(database->ImportCACerts(*imported_certs,
                                        net::NSSCertDatabase::TRUST_DEFAULT,
                                        &failed));
    ASSERT_TRUE(failed.empty());
  }

  void ImportClientCertAndKey(const std::string& pkcs12_file,
                              net::NSSCertDatabase* database,
                              net::CertificateList* imported_certs) {
    ASSERT_TRUE(database);
    ASSERT_TRUE(imported_certs);

    std::string pkcs12_data;
    base::FilePath pkcs12_file_path =
        net::GetTestCertsDirectory().Append(pkcs12_file);
    ASSERT_TRUE(base::ReadFileToString(pkcs12_file_path, &pkcs12_data));

    net::CertificateList client_cert_list;
    scoped_refptr<net::CryptoModule> module(net::CryptoModule::CreateFromHandle(
        database->GetPrivateSlot().get()));
    ASSERT_EQ(
        net::OK,
        database->ImportFromPKCS12(module, pkcs12_data, base::string16(), false,
                                   imported_certs));
    ASSERT_EQ(1U, imported_certs->size());
  }

  CertLoader* cert_loader_;

  // The user is primary as the one whose certificates CertLoader handles, it
  // has nothing to do with crypto::InitializeNSSForChromeOSUser is_primary_user
  // parameter (which is irrelevant for these tests).
  crypto::ScopedTestNSSChromeOSUser primary_user_;
  scoped_ptr<net::NSSCertDatabaseChromeOS> primary_db_;

  base::MessageLoop message_loop_;

 private:
  size_t certificates_loaded_events_count_;
};

TEST_F(CertLoaderTest, Basic) {
  EXPECT_FALSE(cert_loader_->CertificatesLoading());
  EXPECT_FALSE(cert_loader_->certificates_loaded());
  EXPECT_FALSE(cert_loader_->IsHardwareBacked());

  FinishUserInitAndGetDatabase(&primary_user_, &primary_db_);

  cert_loader_->StartWithNSSDB(primary_db_.get());

  EXPECT_FALSE(cert_loader_->certificates_loaded());
  EXPECT_TRUE(cert_loader_->CertificatesLoading());
  EXPECT_TRUE(cert_loader_->cert_list().empty());

  ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
  base::RunLoop().RunUntilIdle();
  EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());

  EXPECT_TRUE(cert_loader_->certificates_loaded());
  EXPECT_FALSE(cert_loader_->CertificatesLoading());
  EXPECT_EQ(GetDbPrivateSlotId(primary_db_.get()),
            cert_loader_->TPMTokenSlotID());

  // Default CA cert roots should get loaded.
  EXPECT_FALSE(cert_loader_->cert_list().empty());
}

TEST_F(CertLoaderTest, CertLoaderUpdatesCertListOnNewCert) {
  StartCertLoaderWithPrimaryUser();

  net::CertificateList certs;
  ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs);

  // Certs are loaded asynchronously, so the new cert should not yet be in the
  // cert list.
  EXPECT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));

  ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
  base::RunLoop().RunUntilIdle();
  EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());

  // The certificate list should be updated now, as the message loop's been run.
  EXPECT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
}

TEST_F(CertLoaderTest, CertLoaderNoUpdateOnSecondaryDbChanges) {
  crypto::ScopedTestNSSChromeOSUser secondary_user("secondary");
  scoped_ptr<net::NSSCertDatabaseChromeOS> secondary_db;

  StartCertLoaderWithPrimaryUser();
  FinishUserInitAndGetDatabase(&secondary_user, &secondary_db);

  net::CertificateList certs;
  ImportCACert("root_ca_cert.pem", secondary_db.get(), &certs);

  base::RunLoop().RunUntilIdle();

  EXPECT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
}

TEST_F(CertLoaderTest, ClientLoaderUpdateOnNewClientCert) {
  StartCertLoaderWithPrimaryUser();

  net::CertificateList certs;
  ImportClientCertAndKey("websocket_client_cert.p12",
                         primary_db_.get(),
                         &certs);

  ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
  base::RunLoop().RunUntilIdle();
  EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());

  EXPECT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
}

TEST_F(CertLoaderTest, CertLoaderNoUpdateOnNewClientCertInSecondaryDb) {
  crypto::ScopedTestNSSChromeOSUser secondary_user("secondary");
  scoped_ptr<net::NSSCertDatabaseChromeOS> secondary_db;

  StartCertLoaderWithPrimaryUser();
  FinishUserInitAndGetDatabase(&secondary_user, &secondary_db);

  net::CertificateList certs;
  ImportClientCertAndKey("websocket_client_cert.p12",
                         secondary_db.get(),
                         &certs);

  base::RunLoop().RunUntilIdle();

  EXPECT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
}

TEST_F(CertLoaderTest, UpdatedOnCertRemoval) {
  StartCertLoaderWithPrimaryUser();

  net::CertificateList certs;
  ImportClientCertAndKey("websocket_client_cert.p12",
                         primary_db_.get(),
                         &certs);

  base::RunLoop().RunUntilIdle();

  ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
  ASSERT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));

  primary_db_->DeleteCertAndKey(certs[0]);

  ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
  base::RunLoop().RunUntilIdle();
  EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());

  ASSERT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
}

TEST_F(CertLoaderTest, UpdatedOnCACertTrustChange) {
  StartCertLoaderWithPrimaryUser();

  net::CertificateList certs;
  ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs);

  base::RunLoop().RunUntilIdle();
  ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
  ASSERT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));

  // The value that should have been set by |ImportCACert|.
  ASSERT_EQ(net::NSSCertDatabase::TRUST_DEFAULT,
            primary_db_->GetCertTrust(certs[0], net::CA_CERT));
  ASSERT_TRUE(primary_db_->SetCertTrust(
      certs[0], net::CA_CERT, net::NSSCertDatabase::TRUSTED_SSL));

  // Cert trust change should trigger certificate reload in cert_loader_.
  ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
  base::RunLoop().RunUntilIdle();
  EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
}

TEST_F(CertLoaderTest, DatabaseWithUnsetSlots) {
  primary_db_.reset(new net::NSSCertDatabaseChromeOS(crypto::ScopedPK11Slot(),
                                                     crypto::ScopedPK11Slot()));
  primary_db_->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
  cert_loader_->StartWithNSSDB(primary_db_.get());

  base::RunLoop().RunUntilIdle();
  EXPECT_EQ(1u, GetAndResetCertificatesLoadedEventsCount());

  EXPECT_TRUE(cert_loader_->certificates_loaded());
  EXPECT_EQ(-1, cert_loader_->TPMTokenSlotID());
  EXPECT_FALSE(cert_loader_->IsHardwareBacked());
}

}  // namespace
}  // namespace chromeos