Home | History | Annotate | Download | only in cert
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include <cert.h>
      6 #include <certdb.h>
      7 #include <pk11pub.h>
      8 
      9 #include <algorithm>
     10 
     11 #include "base/file_util.h"
     12 #include "base/files/file_path.h"
     13 #include "base/lazy_instance.h"
     14 #include "base/message_loop/message_loop.h"
     15 #include "base/path_service.h"
     16 #include "base/strings/string16.h"
     17 #include "base/strings/string_util.h"
     18 #include "base/strings/utf_string_conversions.h"
     19 #include "crypto/nss_util.h"
     20 #include "crypto/nss_util_internal.h"
     21 #include "crypto/scoped_nss_types.h"
     22 #include "net/base/crypto_module.h"
     23 #include "net/base/net_errors.h"
     24 #include "net/base/test_data_directory.h"
     25 #include "net/cert/cert_status_flags.h"
     26 #include "net/cert/cert_verify_proc_nss.h"
     27 #include "net/cert/cert_verify_result.h"
     28 #include "net/cert/nss_cert_database.h"
     29 #include "net/cert/x509_certificate.h"
     30 #include "net/test/cert_test_util.h"
     31 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
     32 #include "testing/gtest/include/gtest/gtest.h"
     33 
     34 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
     35 // the new name of the macro.
     36 #if !defined(CERTDB_TERMINAL_RECORD)
     37 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
     38 #endif
     39 
     40 namespace net {
     41 
     42 class CertDatabaseNSSTest : public testing::Test {
     43  public:
     44   virtual void SetUp() {
     45     ASSERT_TRUE(test_nssdb_.is_open());
     46     cert_db_ = NSSCertDatabase::GetInstance();
     47     slot_ = cert_db_->GetPublicModule();
     48 
     49     // Test db should be empty at start of test.
     50     EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
     51   }
     52 
     53   virtual void TearDown() {
     54     // Don't try to cleanup if the setup failed.
     55     ASSERT_TRUE(slot_->os_module_handle());
     56 
     57     EXPECT_TRUE(CleanupSlotContents());
     58 
     59     // Run the message loop to process any observer callbacks (e.g. for the
     60     // ClientSocketFactory singleton) so that the scoped ref ptrs created in
     61     // NSSCertDatabase::NotifyObservers* get released.
     62     base::MessageLoop::current()->RunUntilIdle();
     63 
     64     EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
     65   }
     66 
     67  protected:
     68   static std::string ReadTestFile(const std::string& name) {
     69     std::string result;
     70     base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name);
     71     EXPECT_TRUE(file_util::ReadFileToString(cert_path, &result));
     72     return result;
     73   }
     74 
     75   static bool ReadCertIntoList(const std::string& name,
     76                                CertificateList* certs) {
     77     scoped_refptr<X509Certificate> cert(
     78         ImportCertFromFile(GetTestCertsDirectory(), name));
     79     if (!cert.get())
     80       return false;
     81 
     82     certs->push_back(cert);
     83     return true;
     84   }
     85 
     86   static CertificateList ListCertsInSlot(PK11SlotInfo* slot) {
     87     CertificateList result;
     88     CERTCertList* cert_list = PK11_ListCertsInSlot(slot);
     89     for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
     90          !CERT_LIST_END(node, cert_list);
     91          node = CERT_LIST_NEXT(node)) {
     92       result.push_back(X509Certificate::CreateFromHandle(
     93           node->cert, X509Certificate::OSCertHandles()));
     94     }
     95     CERT_DestroyCertList(cert_list);
     96 
     97     // Sort the result so that test comparisons can be deterministic.
     98     std::sort(result.begin(), result.end(), X509Certificate::LessThan());
     99     return result;
    100   }
    101 
    102   scoped_refptr<CryptoModule> slot_;
    103   NSSCertDatabase* cert_db_;
    104   const CertificateList empty_cert_list_;
    105 
    106  private:
    107   bool CleanupSlotContents() {
    108     bool ok = true;
    109     CertificateList certs = ListCertsInSlot(slot_->os_module_handle());
    110     CERTCertTrust default_trust = {0};
    111     for (size_t i = 0; i < certs.size(); ++i) {
    112       // Reset cert trust values to defaults before deleting.  Otherwise NSS
    113       // somehow seems to remember the trust which can break following tests.
    114       SECStatus srv = CERT_ChangeCertTrust(
    115           CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust);
    116       if (srv != SECSuccess)
    117         ok = false;
    118 
    119       if (!cert_db_->DeleteCertAndKey(certs[i].get()))
    120         ok = false;
    121     }
    122     return ok;
    123   }
    124 
    125   crypto::ScopedTestNSSDB test_nssdb_;
    126 };
    127 
    128 TEST_F(CertDatabaseNSSTest, ListCerts) {
    129   // This test isn't terribly useful, though it will at least let valgrind test
    130   // for leaks.
    131   CertificateList certs;
    132   cert_db_->ListCerts(&certs);
    133   // The test DB is empty, but let's assume there will always be something in
    134   // the other slots.
    135   EXPECT_LT(0U, certs.size());
    136 }
    137 
    138 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {
    139   std::string pkcs12_data = ReadTestFile("client.p12");
    140 
    141   EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,
    142             cert_db_->ImportFromPKCS12(slot_.get(),
    143                                        pkcs12_data,
    144                                        base::string16(),
    145                                        true,  // is_extractable
    146                                        NULL));
    147 
    148   // Test db should still be empty.
    149   EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
    150 }
    151 
    152 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {
    153   std::string pkcs12_data = ReadTestFile("client.p12");
    154 
    155   EXPECT_EQ(OK,
    156             cert_db_->ImportFromPKCS12(slot_.get(),
    157                                        pkcs12_data,
    158                                        ASCIIToUTF16("12345"),
    159                                        true,  // is_extractable
    160                                        NULL));
    161 
    162   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    163   ASSERT_EQ(1U, cert_list.size());
    164   scoped_refptr<X509Certificate> cert(cert_list[0]);
    165 
    166   EXPECT_EQ("testusercert",
    167             cert->subject().common_name);
    168 
    169   // TODO(mattm): move export test to separate test case?
    170   std::string exported_data;
    171   EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
    172                                         &exported_data));
    173   ASSERT_LT(0U, exported_data.size());
    174   // TODO(mattm): further verification of exported data?
    175 }
    176 
    177 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {
    178   std::string pkcs12_data = ReadTestFile("client.p12");
    179 
    180   EXPECT_EQ(OK,
    181             cert_db_->ImportFromPKCS12(slot_.get(),
    182                                        pkcs12_data,
    183                                        ASCIIToUTF16("12345"),
    184                                        true,  // is_extractable
    185                                        NULL));
    186   EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
    187 
    188   // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like
    189   // it's ever used.  This test verifies that.
    190   EXPECT_EQ(OK,
    191             cert_db_->ImportFromPKCS12(slot_.get(),
    192                                        pkcs12_data,
    193                                        ASCIIToUTF16("12345"),
    194                                        true,  // is_extractable
    195                                        NULL));
    196   EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
    197 }
    198 
    199 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
    200   std::string pkcs12_data = ReadTestFile("client.p12");
    201 
    202   EXPECT_EQ(OK,
    203             cert_db_->ImportFromPKCS12(slot_.get(),
    204                                        pkcs12_data,
    205                                        ASCIIToUTF16("12345"),
    206                                        false,  // is_extractable
    207                                        NULL));
    208 
    209   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    210   ASSERT_EQ(1U, cert_list.size());
    211   scoped_refptr<X509Certificate> cert(cert_list[0]);
    212 
    213   EXPECT_EQ("testusercert",
    214             cert->subject().common_name);
    215 
    216   std::string exported_data;
    217   EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
    218                                         &exported_data));
    219 }
    220 
    221 // Importing a PKCS#12 file with a certificate but no corresponding
    222 // private key should not mark an existing private key as unextractable.
    223 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) {
    224   std::string pkcs12_data = ReadTestFile("client.p12");
    225   EXPECT_EQ(OK,
    226             cert_db_->ImportFromPKCS12(slot_.get(),
    227                                        pkcs12_data,
    228                                        ASCIIToUTF16("12345"),
    229                                        true,  // is_extractable
    230                                        NULL));
    231 
    232   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    233   ASSERT_EQ(1U, cert_list.size());
    234 
    235   // Now import a PKCS#12 file with just a certificate but no private key.
    236   pkcs12_data = ReadTestFile("client-nokey.p12");
    237   EXPECT_EQ(OK,
    238             cert_db_->ImportFromPKCS12(slot_.get(),
    239                                        pkcs12_data,
    240                                        ASCIIToUTF16("12345"),
    241                                        false,  // is_extractable
    242                                        NULL));
    243 
    244   cert_list = ListCertsInSlot(slot_->os_module_handle());
    245   ASSERT_EQ(1U, cert_list.size());
    246 
    247   // Make sure the imported private key is still extractable.
    248   std::string exported_data;
    249   EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
    250                                         &exported_data));
    251   ASSERT_LT(0U, exported_data.size());
    252 }
    253 
    254 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
    255   std::string pkcs12_data = "Foobarbaz";
    256 
    257   EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,
    258             cert_db_->ImportFromPKCS12(slot_.get(),
    259                                        pkcs12_data,
    260                                        base::string16(),
    261                                        true,  // is_extractable
    262                                        NULL));
    263 
    264   // Test db should still be empty.
    265   EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
    266 }
    267 
    268 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
    269   CertificateList certs = CreateCertificateListFromFile(
    270       GetTestCertsDirectory(), "root_ca_cert.pem",
    271       X509Certificate::FORMAT_AUTO);
    272   ASSERT_EQ(1U, certs.size());
    273   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
    274 
    275   // Import it.
    276   NSSCertDatabase::ImportCertFailureList failed;
    277   EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
    278                                       &failed));
    279 
    280   EXPECT_EQ(0U, failed.size());
    281 
    282   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    283   ASSERT_EQ(1U, cert_list.size());
    284   scoped_refptr<X509Certificate> cert(cert_list[0]);
    285   EXPECT_EQ("Test Root CA", cert->subject().common_name);
    286 
    287   EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
    288             cert_db_->GetCertTrust(cert.get(), CA_CERT));
    289 
    290   EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
    291                      CERTDB_TRUSTED_CLIENT_CA),
    292             cert->os_cert_handle()->trust->sslFlags);
    293   EXPECT_EQ(unsigned(CERTDB_VALID_CA),
    294             cert->os_cert_handle()->trust->emailFlags);
    295   EXPECT_EQ(unsigned(CERTDB_VALID_CA),
    296             cert->os_cert_handle()->trust->objectSigningFlags);
    297 }
    298 
    299 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
    300   CertificateList certs = CreateCertificateListFromFile(
    301       GetTestCertsDirectory(), "root_ca_cert.pem",
    302       X509Certificate::FORMAT_AUTO);
    303   ASSERT_EQ(1U, certs.size());
    304   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
    305 
    306   // Import it.
    307   NSSCertDatabase::ImportCertFailureList failed;
    308   EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL,
    309                                       &failed));
    310 
    311   EXPECT_EQ(0U, failed.size());
    312 
    313   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    314   ASSERT_EQ(1U, cert_list.size());
    315   scoped_refptr<X509Certificate> cert(cert_list[0]);
    316   EXPECT_EQ("Test Root CA", cert->subject().common_name);
    317 
    318   EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL,
    319             cert_db_->GetCertTrust(cert.get(), CA_CERT));
    320 
    321   EXPECT_EQ(unsigned(CERTDB_VALID_CA),
    322             cert->os_cert_handle()->trust->sslFlags);
    323   EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
    324                      CERTDB_TRUSTED_CLIENT_CA),
    325             cert->os_cert_handle()->trust->emailFlags);
    326   EXPECT_EQ(unsigned(CERTDB_VALID_CA),
    327             cert->os_cert_handle()->trust->objectSigningFlags);
    328 }
    329 
    330 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
    331   CertificateList certs = CreateCertificateListFromFile(
    332       GetTestCertsDirectory(), "root_ca_cert.pem",
    333       X509Certificate::FORMAT_AUTO);
    334   ASSERT_EQ(1U, certs.size());
    335   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
    336 
    337   // Import it.
    338   NSSCertDatabase::ImportCertFailureList failed;
    339   EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN,
    340                                       &failed));
    341 
    342   EXPECT_EQ(0U, failed.size());
    343 
    344   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    345   ASSERT_EQ(1U, cert_list.size());
    346   scoped_refptr<X509Certificate> cert(cert_list[0]);
    347   EXPECT_EQ("Test Root CA", cert->subject().common_name);
    348 
    349   EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN,
    350             cert_db_->GetCertTrust(cert.get(), CA_CERT));
    351 
    352   EXPECT_EQ(unsigned(CERTDB_VALID_CA),
    353             cert->os_cert_handle()->trust->sslFlags);
    354   EXPECT_EQ(unsigned(CERTDB_VALID_CA),
    355             cert->os_cert_handle()->trust->emailFlags);
    356   EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
    357                      CERTDB_TRUSTED_CLIENT_CA),
    358             cert->os_cert_handle()->trust->objectSigningFlags);
    359 }
    360 
    361 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
    362   CertificateList certs = CreateCertificateListFromFile(
    363       GetTestCertsDirectory(), "ok_cert.pem",
    364       X509Certificate::FORMAT_AUTO);
    365   ASSERT_EQ(1U, certs.size());
    366   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
    367 
    368   // Import it.
    369   NSSCertDatabase::ImportCertFailureList failed;
    370   EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
    371                                       &failed));
    372   ASSERT_EQ(1U, failed.size());
    373   // Note: this compares pointers directly.  It's okay in this case because
    374   // ImportCACerts returns the same pointers that were passed in.  In the
    375   // general case IsSameOSCert should be used.
    376   EXPECT_EQ(certs[0], failed[0].certificate);
    377   EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error);
    378 
    379   EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
    380 }
    381 
    382 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) {
    383   CertificateList certs;
    384   ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
    385   ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
    386   ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
    387 
    388   // Import it.
    389   NSSCertDatabase::ImportCertFailureList failed;
    390   // Have to specify email trust for the cert verification of the child cert to
    391   // work (see
    392   // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#752
    393   // "XXX This choice of trustType seems arbitrary.")
    394   EXPECT_TRUE(cert_db_->ImportCACerts(
    395       certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
    396       &failed));
    397 
    398   ASSERT_EQ(2U, failed.size());
    399   EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
    400   EXPECT_EQ(ERR_FAILED, failed[0].net_error);  // The certificate expired.
    401   EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name);
    402   EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error);
    403 
    404   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    405   ASSERT_EQ(1U, cert_list.size());
    406   EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
    407 }
    408 
    409 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) {
    410   CertificateList certs;
    411   ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
    412 
    413   // First import just the root.
    414   NSSCertDatabase::ImportCertFailureList failed;
    415   EXPECT_TRUE(cert_db_->ImportCACerts(
    416       certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
    417       &failed));
    418 
    419   EXPECT_EQ(0U, failed.size());
    420   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    421   ASSERT_EQ(1U, cert_list.size());
    422   EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
    423 
    424   ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
    425   ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
    426 
    427   // Now import with the other certs in the list too.  Even though the root is
    428   // already present, we should still import the rest.
    429   failed.clear();
    430   EXPECT_TRUE(cert_db_->ImportCACerts(
    431       certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
    432       &failed));
    433 
    434   ASSERT_EQ(3U, failed.size());
    435   EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name);
    436   EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error);
    437   EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
    438   EXPECT_EQ(ERR_FAILED, failed[1].net_error);  // The certificate expired.
    439   EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name);
    440   EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error);
    441 
    442   cert_list = ListCertsInSlot(slot_->os_module_handle());
    443   ASSERT_EQ(1U, cert_list.size());
    444   EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
    445 }
    446 
    447 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {
    448   CertificateList certs;
    449   ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
    450   ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
    451 
    452   // Import it.
    453   NSSCertDatabase::ImportCertFailureList failed;
    454   EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT,
    455                                       &failed));
    456 
    457   ASSERT_EQ(1U, failed.size());
    458   EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
    459   // TODO(mattm): should check for net error equivalent of
    460   // SEC_ERROR_UNTRUSTED_ISSUER
    461   EXPECT_EQ(ERR_FAILED, failed[0].net_error);
    462 
    463   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    464   ASSERT_EQ(1U, cert_list.size());
    465   EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
    466 }
    467 
    468 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) {
    469   CertificateList certs;
    470   ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
    471   ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
    472   ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
    473 
    474   // Import it.
    475   NSSCertDatabase::ImportCertFailureList failed;
    476   EXPECT_TRUE(cert_db_->ImportCACerts(
    477       certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
    478       &failed));
    479 
    480   EXPECT_EQ(2U, failed.size());
    481   EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
    482   EXPECT_EQ(ERR_FAILED, failed[0].net_error);  // The certificate expired.
    483   EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
    484   EXPECT_EQ(ERR_FAILED, failed[1].net_error);  // The certificate expired.
    485 
    486   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    487   ASSERT_EQ(1U, cert_list.size());
    488   EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
    489 }
    490 
    491 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
    492   CertificateList certs = CreateCertificateListFromFile(
    493       GetTestCertsDirectory(), "root_ca_cert.pem",
    494       X509Certificate::FORMAT_AUTO);
    495   ASSERT_EQ(1U, certs.size());
    496   ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
    497   ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
    498 
    499   // Import it.
    500   NSSCertDatabase::ImportCertFailureList failed;
    501   EXPECT_TRUE(cert_db_->ImportCACerts(
    502       certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL |
    503       NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed));
    504 
    505   ASSERT_EQ(2U, failed.size());
    506   // TODO(mattm): should check for net error equivalent of
    507   // SEC_ERROR_UNKNOWN_ISSUER
    508   EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
    509   EXPECT_EQ(ERR_FAILED, failed[0].net_error);
    510   EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
    511   EXPECT_EQ(ERR_FAILED, failed[1].net_error);
    512 
    513   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    514   ASSERT_EQ(1U, cert_list.size());
    515   EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name);
    516 }
    517 
    518 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired
    519 // certificate.
    520 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
    521   // Need to import intermediate cert for the verify of google cert, otherwise
    522   // it will try to fetch it automatically with cert_pi_useAIACertFetch, which
    523   // will cause OCSPCreateSession on the main thread, which is not allowed.
    524   CertificateList certs = CreateCertificateListFromFile(
    525       GetTestCertsDirectory(), "google.chain.pem",
    526       X509Certificate::FORMAT_AUTO);
    527   ASSERT_EQ(2U, certs.size());
    528 
    529   NSSCertDatabase::ImportCertFailureList failed;
    530   EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
    531                                          &failed));
    532 
    533   EXPECT_EQ(0U, failed.size());
    534 
    535   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    536   ASSERT_EQ(2U, cert_list.size());
    537   scoped_refptr<X509Certificate> goog_cert(cert_list[0]);
    538   scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);
    539   EXPECT_EQ("www.google.com", goog_cert->subject().common_name);
    540   EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);
    541 
    542   EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
    543             cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT));
    544 
    545   EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags);
    546 
    547   scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
    548   int flags = 0;
    549   CertVerifyResult verify_result;
    550   int error = verify_proc->Verify(goog_cert.get(),
    551                                   "www.google.com",
    552                                   flags,
    553                                   NULL,
    554                                   empty_cert_list_,
    555                                   &verify_result);
    556   EXPECT_EQ(OK, error);
    557   EXPECT_EQ(0U, verify_result.cert_status);
    558 }
    559 
    560 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
    561   CertificateList certs;
    562   ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
    563 
    564   NSSCertDatabase::ImportCertFailureList failed;
    565   EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
    566                                          &failed));
    567 
    568   EXPECT_EQ(0U, failed.size());
    569 
    570   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    571   ASSERT_EQ(1U, cert_list.size());
    572   scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
    573 
    574   EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
    575             cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
    576   EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags);
    577 
    578   scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
    579   int flags = 0;
    580   CertVerifyResult verify_result;
    581   int error = verify_proc->Verify(puny_cert.get(),
    582                                   "xn--wgv71a119e.com",
    583                                   flags,
    584                                   NULL,
    585                                   empty_cert_list_,
    586                                   &verify_result);
    587   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
    588   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
    589 }
    590 
    591 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
    592   // When using CERT_PKIXVerifyCert (which we do), server trust only works from
    593   // 3.13.4 onwards.  See https://bugzilla.mozilla.org/show_bug.cgi?id=647364.
    594   if (!NSS_VersionCheck("3.13.4")) {
    595     LOG(INFO) << "test skipped on NSS < 3.13.4";
    596     return;
    597   }
    598 
    599   CertificateList certs;
    600   ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
    601 
    602   NSSCertDatabase::ImportCertFailureList failed;
    603   EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL,
    604                                          &failed));
    605 
    606   EXPECT_EQ(0U, failed.size());
    607 
    608   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
    609   ASSERT_EQ(1U, cert_list.size());
    610   scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
    611 
    612   EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
    613             cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
    614   EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD),
    615             puny_cert->os_cert_handle()->trust->sslFlags);
    616 
    617   scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
    618   int flags = 0;
    619   CertVerifyResult verify_result;
    620   int error = verify_proc->Verify(puny_cert.get(),
    621                                   "xn--wgv71a119e.com",
    622                                   flags,
    623                                   NULL,
    624                                   empty_cert_list_,
    625                                   &verify_result);
    626   EXPECT_EQ(OK, error);
    627   EXPECT_EQ(0U, verify_result.cert_status);
    628 }
    629 
    630 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
    631   CertificateList ca_certs = CreateCertificateListFromFile(
    632       GetTestCertsDirectory(), "root_ca_cert.pem",
    633       X509Certificate::FORMAT_AUTO);
    634   ASSERT_EQ(1U, ca_certs.size());
    635 
    636   // Import CA cert and trust it.
    637   NSSCertDatabase::ImportCertFailureList failed;
    638   EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
    639                                       &failed));
    640   EXPECT_EQ(0U, failed.size());
    641 
    642   CertificateList certs = CreateCertificateListFromFile(
    643       GetTestCertsDirectory(), "ok_cert.pem",
    644       X509Certificate::FORMAT_AUTO);
    645   ASSERT_EQ(1U, certs.size());
    646 
    647   // Import server cert with default trust.
    648   EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
    649                                          &failed));
    650   EXPECT_EQ(0U, failed.size());
    651 
    652   // Server cert should verify.
    653   scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
    654   int flags = 0;
    655   CertVerifyResult verify_result;
    656   int error = verify_proc->Verify(certs[0].get(),
    657                                   "127.0.0.1",
    658                                   flags,
    659                                   NULL,
    660                                   empty_cert_list_,
    661                                   &verify_result);
    662   EXPECT_EQ(OK, error);
    663   EXPECT_EQ(0U, verify_result.cert_status);
    664 }
    665 
    666 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
    667   // Explicit distrust only works starting in NSS 3.13.
    668   if (!NSS_VersionCheck("3.13")) {
    669     LOG(INFO) << "test skipped on NSS < 3.13";
    670     return;
    671   }
    672 
    673   CertificateList ca_certs = CreateCertificateListFromFile(
    674       GetTestCertsDirectory(), "root_ca_cert.pem",
    675       X509Certificate::FORMAT_AUTO);
    676   ASSERT_EQ(1U, ca_certs.size());
    677 
    678   // Import CA cert and trust it.
    679   NSSCertDatabase::ImportCertFailureList failed;
    680   EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
    681                                       &failed));
    682   EXPECT_EQ(0U, failed.size());
    683 
    684   CertificateList certs = CreateCertificateListFromFile(
    685       GetTestCertsDirectory(), "ok_cert.pem",
    686       X509Certificate::FORMAT_AUTO);
    687   ASSERT_EQ(1U, certs.size());
    688 
    689   // Import server cert without inheriting trust from issuer (explicit
    690   // distrust).
    691   EXPECT_TRUE(cert_db_->ImportServerCert(
    692       certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
    693   EXPECT_EQ(0U, failed.size());
    694   EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL,
    695             cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
    696 
    697   EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
    698             certs[0]->os_cert_handle()->trust->sslFlags);
    699 
    700   // Server cert should fail to verify.
    701   scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
    702   int flags = 0;
    703   CertVerifyResult verify_result;
    704   int error = verify_proc->Verify(certs[0].get(),
    705                                   "127.0.0.1",
    706                                   flags,
    707                                   NULL,
    708                                   empty_cert_list_,
    709                                   &verify_result);
    710   EXPECT_EQ(ERR_CERT_REVOKED, error);
    711   EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
    712 }
    713 
    714 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {
    715   CertificateList ca_certs = CreateCertificateListFromFile(
    716       GetTestCertsDirectory(), "2048-rsa-root.pem",
    717       X509Certificate::FORMAT_AUTO);
    718   ASSERT_EQ(1U, ca_certs.size());
    719 
    720   // Import Root CA cert and distrust it.
    721   NSSCertDatabase::ImportCertFailureList failed;
    722   EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL,
    723                                       &failed));
    724   EXPECT_EQ(0U, failed.size());
    725 
    726   CertificateList intermediate_certs = CreateCertificateListFromFile(
    727       GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
    728       X509Certificate::FORMAT_AUTO);
    729   ASSERT_EQ(1U, intermediate_certs.size());
    730 
    731   // Import Intermediate CA cert and trust it.
    732   EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
    733                                       NSSCertDatabase::TRUSTED_SSL, &failed));
    734   EXPECT_EQ(0U, failed.size());
    735 
    736   CertificateList certs = CreateCertificateListFromFile(
    737       GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
    738       X509Certificate::FORMAT_AUTO);
    739   ASSERT_EQ(1U, certs.size());
    740 
    741   // Import server cert with default trust.
    742   EXPECT_TRUE(cert_db_->ImportServerCert(
    743       certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
    744   EXPECT_EQ(0U, failed.size());
    745   EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
    746             cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
    747 
    748   // Server cert should verify.
    749   scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
    750   int flags = 0;
    751   CertVerifyResult verify_result;
    752   int error = verify_proc->Verify(certs[0].get(),
    753                                   "127.0.0.1",
    754                                   flags,
    755                                   NULL,
    756                                   empty_cert_list_,
    757                                   &verify_result);
    758   EXPECT_EQ(OK, error);
    759   EXPECT_EQ(0U, verify_result.cert_status);
    760 
    761   // Explicit distrust only works starting in NSS 3.13.
    762   if (!NSS_VersionCheck("3.13")) {
    763     LOG(INFO) << "test partially skipped on NSS < 3.13";
    764     return;
    765   }
    766 
    767   // Trust the root cert and distrust the intermediate.
    768   EXPECT_TRUE(cert_db_->SetCertTrust(
    769       ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL));
    770   EXPECT_TRUE(cert_db_->SetCertTrust(
    771       intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL));
    772   EXPECT_EQ(
    773       unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA),
    774       ca_certs[0]->os_cert_handle()->trust->sslFlags);
    775   EXPECT_EQ(unsigned(CERTDB_VALID_CA),
    776             ca_certs[0]->os_cert_handle()->trust->emailFlags);
    777   EXPECT_EQ(unsigned(CERTDB_VALID_CA),
    778             ca_certs[0]->os_cert_handle()->trust->objectSigningFlags);
    779   EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
    780             intermediate_certs[0]->os_cert_handle()->trust->sslFlags);
    781   EXPECT_EQ(unsigned(CERTDB_VALID_CA),
    782             intermediate_certs[0]->os_cert_handle()->trust->emailFlags);
    783   EXPECT_EQ(
    784       unsigned(CERTDB_VALID_CA),
    785       intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags);
    786 
    787   // Server cert should fail to verify.
    788   CertVerifyResult verify_result2;
    789   error = verify_proc->Verify(certs[0].get(),
    790                               "127.0.0.1",
    791                               flags,
    792                               NULL,
    793                               empty_cert_list_,
    794                               &verify_result2);
    795   EXPECT_EQ(ERR_CERT_REVOKED, error);
    796   EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status);
    797 }
    798 
    799 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) {
    800   if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
    801     // See http://bugzil.la/863947 for details.
    802     LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
    803     return;
    804   }
    805 
    806   NSSCertDatabase::ImportCertFailureList failed;
    807 
    808   CertificateList intermediate_certs = CreateCertificateListFromFile(
    809       GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
    810       X509Certificate::FORMAT_AUTO);
    811   ASSERT_EQ(1U, intermediate_certs.size());
    812 
    813   // Import Intermediate CA cert and trust it.
    814   EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
    815                                       NSSCertDatabase::TRUSTED_SSL, &failed));
    816   EXPECT_EQ(0U, failed.size());
    817 
    818   CertificateList certs = CreateCertificateListFromFile(
    819       GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
    820       X509Certificate::FORMAT_AUTO);
    821   ASSERT_EQ(1U, certs.size());
    822 
    823   // Import server cert with default trust.
    824   EXPECT_TRUE(cert_db_->ImportServerCert(
    825       certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
    826   EXPECT_EQ(0U, failed.size());
    827   EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
    828             cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
    829 
    830   // Server cert should verify.
    831   scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
    832   int flags = 0;
    833   CertVerifyResult verify_result;
    834   int error = verify_proc->Verify(certs[0].get(),
    835                                   "127.0.0.1",
    836                                   flags,
    837                                   NULL,
    838                                   empty_cert_list_,
    839                                   &verify_result);
    840   EXPECT_EQ(OK, error);
    841   EXPECT_EQ(0U, verify_result.cert_status);
    842 
    843   // Without explicit trust of the intermediate, verification should fail.
    844   EXPECT_TRUE(cert_db_->SetCertTrust(
    845       intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
    846 
    847   // Server cert should fail to verify.
    848   CertVerifyResult verify_result2;
    849   error = verify_proc->Verify(certs[0].get(),
    850                               "127.0.0.1",
    851                               flags,
    852                               NULL,
    853                               empty_cert_list_,
    854                               &verify_result2);
    855   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
    856   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
    857 }
    858 
    859 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) {
    860   if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
    861     // See http://bugzil.la/863947 for details.
    862     LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
    863     return;
    864   }
    865 
    866   NSSCertDatabase::ImportCertFailureList failed;
    867 
    868   CertificateList ca_certs = CreateCertificateListFromFile(
    869       GetTestCertsDirectory(), "2048-rsa-root.pem",
    870       X509Certificate::FORMAT_AUTO);
    871   ASSERT_EQ(1U, ca_certs.size());
    872 
    873   // Import Root CA cert and default trust it.
    874   EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT,
    875                                       &failed));
    876   EXPECT_EQ(0U, failed.size());
    877 
    878   CertificateList intermediate_certs = CreateCertificateListFromFile(
    879       GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
    880       X509Certificate::FORMAT_AUTO);
    881   ASSERT_EQ(1U, intermediate_certs.size());
    882 
    883   // Import Intermediate CA cert and trust it.
    884   EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
    885                                       NSSCertDatabase::TRUSTED_SSL, &failed));
    886   EXPECT_EQ(0U, failed.size());
    887 
    888   CertificateList certs = CreateCertificateListFromFile(
    889       GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
    890       X509Certificate::FORMAT_AUTO);
    891   ASSERT_EQ(1U, certs.size());
    892 
    893   // Import server cert with default trust.
    894   EXPECT_TRUE(cert_db_->ImportServerCert(
    895       certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
    896   EXPECT_EQ(0U, failed.size());
    897   EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
    898             cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
    899 
    900   // Server cert should verify.
    901   scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
    902   int flags = 0;
    903   CertVerifyResult verify_result;
    904   int error = verify_proc->Verify(certs[0].get(),
    905                                   "127.0.0.1",
    906                                   flags,
    907                                   NULL,
    908                                   empty_cert_list_,
    909                                   &verify_result);
    910   EXPECT_EQ(OK, error);
    911   EXPECT_EQ(0U, verify_result.cert_status);
    912 
    913   // Without explicit trust of the intermediate, verification should fail.
    914   EXPECT_TRUE(cert_db_->SetCertTrust(
    915       intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
    916 
    917   // Server cert should fail to verify.
    918   CertVerifyResult verify_result2;
    919   error = verify_proc->Verify(certs[0].get(),
    920                               "127.0.0.1",
    921                               flags,
    922                               NULL,
    923                               empty_cert_list_,
    924                               &verify_result2);
    925   EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
    926   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
    927 }
    928 
    929 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
    930   // Explicit distrust only works starting in NSS 3.13.
    931   if (!NSS_VersionCheck("3.13")) {
    932     LOG(INFO) << "test skipped on NSS < 3.13";
    933     return;
    934   }
    935 
    936   NSSCertDatabase::ImportCertFailureList failed;
    937 
    938   CertificateList ca_certs = CreateCertificateListFromFile(
    939       GetTestCertsDirectory(), "2048-rsa-root.pem",
    940       X509Certificate::FORMAT_AUTO);
    941   ASSERT_EQ(1U, ca_certs.size());
    942 
    943   // Import Root CA cert and trust it.
    944   EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
    945                                       &failed));
    946   EXPECT_EQ(0U, failed.size());
    947 
    948   CertificateList intermediate_certs = CreateCertificateListFromFile(
    949       GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
    950       X509Certificate::FORMAT_AUTO);
    951   ASSERT_EQ(1U, intermediate_certs.size());
    952 
    953   // Import Intermediate CA cert and distrust it.
    954   EXPECT_TRUE(cert_db_->ImportCACerts(
    955         intermediate_certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
    956   EXPECT_EQ(0U, failed.size());
    957 
    958   CertificateList certs = CreateCertificateListFromFile(
    959       GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
    960       X509Certificate::FORMAT_AUTO);
    961   ASSERT_EQ(1U, certs.size());
    962 
    963   // Import server cert with default trust.
    964   EXPECT_TRUE(cert_db_->ImportServerCert(
    965       certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
    966   EXPECT_EQ(0U, failed.size());
    967   EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
    968             cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
    969 
    970   // Server cert should not verify.
    971   scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
    972   int flags = 0;
    973   CertVerifyResult verify_result;
    974   int error = verify_proc->Verify(certs[0].get(),
    975                                   "127.0.0.1",
    976                                   flags,
    977                                   NULL,
    978                                   empty_cert_list_,
    979                                   &verify_result);
    980   EXPECT_EQ(ERR_CERT_REVOKED, error);
    981   EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
    982 
    983   // Without explicit distrust of the intermediate, verification should succeed.
    984   EXPECT_TRUE(cert_db_->SetCertTrust(
    985       intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
    986 
    987   // Server cert should verify.
    988   CertVerifyResult verify_result2;
    989   error = verify_proc->Verify(certs[0].get(),
    990                               "127.0.0.1",
    991                               flags,
    992                               NULL,
    993                               empty_cert_list_,
    994                               &verify_result2);
    995   EXPECT_EQ(OK, error);
    996   EXPECT_EQ(0U, verify_result2.cert_status);
    997 }
    998 
    999 // Importing two certificates with the same issuer and subject common name,
   1000 // but overall distinct subject names, should succeed and generate a unique
   1001 // nickname for the second certificate.
   1002 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {
   1003   CertificateList certs =
   1004       CreateCertificateListFromFile(GetTestCertsDirectory(),
   1005                                     "duplicate_cn_1.pem",
   1006                                     X509Certificate::FORMAT_AUTO);
   1007   ASSERT_EQ(1U, certs.size());
   1008 
   1009   EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
   1010 
   1011   // Import server cert with default trust.
   1012   NSSCertDatabase::ImportCertFailureList failed;
   1013   EXPECT_TRUE(cert_db_->ImportServerCert(
   1014       certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
   1015   EXPECT_EQ(0U, failed.size());
   1016   EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
   1017             cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
   1018 
   1019   CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle());
   1020   ASSERT_EQ(1U, new_certs.size());
   1021 
   1022   // Now attempt to import a different certificate with the same common name.
   1023   CertificateList certs2 =
   1024       CreateCertificateListFromFile(GetTestCertsDirectory(),
   1025                                     "duplicate_cn_2.pem",
   1026                                     X509Certificate::FORMAT_AUTO);
   1027   ASSERT_EQ(1U, certs2.size());
   1028 
   1029   // Import server cert with default trust.
   1030   EXPECT_TRUE(cert_db_->ImportServerCert(
   1031       certs2, NSSCertDatabase::TRUST_DEFAULT, &failed));
   1032   EXPECT_EQ(0U, failed.size());
   1033   EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
   1034             cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT));
   1035 
   1036   new_certs = ListCertsInSlot(slot_->os_module_handle());
   1037   ASSERT_EQ(2U, new_certs.size());
   1038   EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname,
   1039                new_certs[1]->os_cert_handle()->nickname);
   1040 }
   1041 
   1042 }  // namespace net
   1043