1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include <cert.h> 6 #include <certdb.h> 7 #include <pk11pub.h> 8 9 #include <algorithm> 10 11 #include "base/file_util.h" 12 #include "base/files/file_path.h" 13 #include "base/lazy_instance.h" 14 #include "base/message_loop/message_loop.h" 15 #include "base/path_service.h" 16 #include "base/strings/string16.h" 17 #include "base/strings/string_util.h" 18 #include "base/strings/utf_string_conversions.h" 19 #include "crypto/nss_util.h" 20 #include "crypto/nss_util_internal.h" 21 #include "crypto/scoped_nss_types.h" 22 #include "net/base/crypto_module.h" 23 #include "net/base/net_errors.h" 24 #include "net/base/test_data_directory.h" 25 #include "net/cert/cert_status_flags.h" 26 #include "net/cert/cert_verify_proc_nss.h" 27 #include "net/cert/cert_verify_result.h" 28 #include "net/cert/nss_cert_database.h" 29 #include "net/cert/x509_certificate.h" 30 #include "net/test/cert_test_util.h" 31 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" 32 #include "testing/gtest/include/gtest/gtest.h" 33 34 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use 35 // the new name of the macro. 36 #if !defined(CERTDB_TERMINAL_RECORD) 37 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER 38 #endif 39 40 namespace net { 41 42 class CertDatabaseNSSTest : public testing::Test { 43 public: 44 virtual void SetUp() { 45 ASSERT_TRUE(test_nssdb_.is_open()); 46 cert_db_ = NSSCertDatabase::GetInstance(); 47 slot_ = cert_db_->GetPublicModule(); 48 49 // Test db should be empty at start of test. 50 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); 51 } 52 53 virtual void TearDown() { 54 // Don't try to cleanup if the setup failed. 55 ASSERT_TRUE(slot_->os_module_handle()); 56 57 EXPECT_TRUE(CleanupSlotContents()); 58 59 // Run the message loop to process any observer callbacks (e.g. for the 60 // ClientSocketFactory singleton) so that the scoped ref ptrs created in 61 // NSSCertDatabase::NotifyObservers* get released. 62 base::MessageLoop::current()->RunUntilIdle(); 63 64 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); 65 } 66 67 protected: 68 static std::string ReadTestFile(const std::string& name) { 69 std::string result; 70 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name); 71 EXPECT_TRUE(file_util::ReadFileToString(cert_path, &result)); 72 return result; 73 } 74 75 static bool ReadCertIntoList(const std::string& name, 76 CertificateList* certs) { 77 scoped_refptr<X509Certificate> cert( 78 ImportCertFromFile(GetTestCertsDirectory(), name)); 79 if (!cert.get()) 80 return false; 81 82 certs->push_back(cert); 83 return true; 84 } 85 86 static CertificateList ListCertsInSlot(PK11SlotInfo* slot) { 87 CertificateList result; 88 CERTCertList* cert_list = PK11_ListCertsInSlot(slot); 89 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); 90 !CERT_LIST_END(node, cert_list); 91 node = CERT_LIST_NEXT(node)) { 92 result.push_back(X509Certificate::CreateFromHandle( 93 node->cert, X509Certificate::OSCertHandles())); 94 } 95 CERT_DestroyCertList(cert_list); 96 97 // Sort the result so that test comparisons can be deterministic. 98 std::sort(result.begin(), result.end(), X509Certificate::LessThan()); 99 return result; 100 } 101 102 scoped_refptr<CryptoModule> slot_; 103 NSSCertDatabase* cert_db_; 104 const CertificateList empty_cert_list_; 105 106 private: 107 bool CleanupSlotContents() { 108 bool ok = true; 109 CertificateList certs = ListCertsInSlot(slot_->os_module_handle()); 110 CERTCertTrust default_trust = {0}; 111 for (size_t i = 0; i < certs.size(); ++i) { 112 // Reset cert trust values to defaults before deleting. Otherwise NSS 113 // somehow seems to remember the trust which can break following tests. 114 SECStatus srv = CERT_ChangeCertTrust( 115 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); 116 if (srv != SECSuccess) 117 ok = false; 118 119 if (!cert_db_->DeleteCertAndKey(certs[i].get())) 120 ok = false; 121 } 122 return ok; 123 } 124 125 crypto::ScopedTestNSSDB test_nssdb_; 126 }; 127 128 TEST_F(CertDatabaseNSSTest, ListCerts) { 129 // This test isn't terribly useful, though it will at least let valgrind test 130 // for leaks. 131 CertificateList certs; 132 cert_db_->ListCerts(&certs); 133 // The test DB is empty, but let's assume there will always be something in 134 // the other slots. 135 EXPECT_LT(0U, certs.size()); 136 } 137 138 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { 139 std::string pkcs12_data = ReadTestFile("client.p12"); 140 141 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, 142 cert_db_->ImportFromPKCS12(slot_.get(), 143 pkcs12_data, 144 base::string16(), 145 true, // is_extractable 146 NULL)); 147 148 // Test db should still be empty. 149 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); 150 } 151 152 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) { 153 std::string pkcs12_data = ReadTestFile("client.p12"); 154 155 EXPECT_EQ(OK, 156 cert_db_->ImportFromPKCS12(slot_.get(), 157 pkcs12_data, 158 ASCIIToUTF16("12345"), 159 true, // is_extractable 160 NULL)); 161 162 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 163 ASSERT_EQ(1U, cert_list.size()); 164 scoped_refptr<X509Certificate> cert(cert_list[0]); 165 166 EXPECT_EQ("testusercert", 167 cert->subject().common_name); 168 169 // TODO(mattm): move export test to separate test case? 170 std::string exported_data; 171 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), 172 &exported_data)); 173 ASSERT_LT(0U, exported_data.size()); 174 // TODO(mattm): further verification of exported data? 175 } 176 177 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) { 178 std::string pkcs12_data = ReadTestFile("client.p12"); 179 180 EXPECT_EQ(OK, 181 cert_db_->ImportFromPKCS12(slot_.get(), 182 pkcs12_data, 183 ASCIIToUTF16("12345"), 184 true, // is_extractable 185 NULL)); 186 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); 187 188 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like 189 // it's ever used. This test verifies that. 190 EXPECT_EQ(OK, 191 cert_db_->ImportFromPKCS12(slot_.get(), 192 pkcs12_data, 193 ASCIIToUTF16("12345"), 194 true, // is_extractable 195 NULL)); 196 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); 197 } 198 199 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) { 200 std::string pkcs12_data = ReadTestFile("client.p12"); 201 202 EXPECT_EQ(OK, 203 cert_db_->ImportFromPKCS12(slot_.get(), 204 pkcs12_data, 205 ASCIIToUTF16("12345"), 206 false, // is_extractable 207 NULL)); 208 209 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 210 ASSERT_EQ(1U, cert_list.size()); 211 scoped_refptr<X509Certificate> cert(cert_list[0]); 212 213 EXPECT_EQ("testusercert", 214 cert->subject().common_name); 215 216 std::string exported_data; 217 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), 218 &exported_data)); 219 } 220 221 // Importing a PKCS#12 file with a certificate but no corresponding 222 // private key should not mark an existing private key as unextractable. 223 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) { 224 std::string pkcs12_data = ReadTestFile("client.p12"); 225 EXPECT_EQ(OK, 226 cert_db_->ImportFromPKCS12(slot_.get(), 227 pkcs12_data, 228 ASCIIToUTF16("12345"), 229 true, // is_extractable 230 NULL)); 231 232 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 233 ASSERT_EQ(1U, cert_list.size()); 234 235 // Now import a PKCS#12 file with just a certificate but no private key. 236 pkcs12_data = ReadTestFile("client-nokey.p12"); 237 EXPECT_EQ(OK, 238 cert_db_->ImportFromPKCS12(slot_.get(), 239 pkcs12_data, 240 ASCIIToUTF16("12345"), 241 false, // is_extractable 242 NULL)); 243 244 cert_list = ListCertsInSlot(slot_->os_module_handle()); 245 ASSERT_EQ(1U, cert_list.size()); 246 247 // Make sure the imported private key is still extractable. 248 std::string exported_data; 249 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), 250 &exported_data)); 251 ASSERT_LT(0U, exported_data.size()); 252 } 253 254 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) { 255 std::string pkcs12_data = "Foobarbaz"; 256 257 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE, 258 cert_db_->ImportFromPKCS12(slot_.get(), 259 pkcs12_data, 260 base::string16(), 261 true, // is_extractable 262 NULL)); 263 264 // Test db should still be empty. 265 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); 266 } 267 268 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { 269 CertificateList certs = CreateCertificateListFromFile( 270 GetTestCertsDirectory(), "root_ca_cert.pem", 271 X509Certificate::FORMAT_AUTO); 272 ASSERT_EQ(1U, certs.size()); 273 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); 274 275 // Import it. 276 NSSCertDatabase::ImportCertFailureList failed; 277 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, 278 &failed)); 279 280 EXPECT_EQ(0U, failed.size()); 281 282 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 283 ASSERT_EQ(1U, cert_list.size()); 284 scoped_refptr<X509Certificate> cert(cert_list[0]); 285 EXPECT_EQ("Test Root CA", cert->subject().common_name); 286 287 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, 288 cert_db_->GetCertTrust(cert.get(), CA_CERT)); 289 290 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | 291 CERTDB_TRUSTED_CLIENT_CA), 292 cert->os_cert_handle()->trust->sslFlags); 293 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 294 cert->os_cert_handle()->trust->emailFlags); 295 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 296 cert->os_cert_handle()->trust->objectSigningFlags); 297 } 298 299 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { 300 CertificateList certs = CreateCertificateListFromFile( 301 GetTestCertsDirectory(), "root_ca_cert.pem", 302 X509Certificate::FORMAT_AUTO); 303 ASSERT_EQ(1U, certs.size()); 304 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); 305 306 // Import it. 307 NSSCertDatabase::ImportCertFailureList failed; 308 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL, 309 &failed)); 310 311 EXPECT_EQ(0U, failed.size()); 312 313 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 314 ASSERT_EQ(1U, cert_list.size()); 315 scoped_refptr<X509Certificate> cert(cert_list[0]); 316 EXPECT_EQ("Test Root CA", cert->subject().common_name); 317 318 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL, 319 cert_db_->GetCertTrust(cert.get(), CA_CERT)); 320 321 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 322 cert->os_cert_handle()->trust->sslFlags); 323 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | 324 CERTDB_TRUSTED_CLIENT_CA), 325 cert->os_cert_handle()->trust->emailFlags); 326 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 327 cert->os_cert_handle()->trust->objectSigningFlags); 328 } 329 330 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { 331 CertificateList certs = CreateCertificateListFromFile( 332 GetTestCertsDirectory(), "root_ca_cert.pem", 333 X509Certificate::FORMAT_AUTO); 334 ASSERT_EQ(1U, certs.size()); 335 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); 336 337 // Import it. 338 NSSCertDatabase::ImportCertFailureList failed; 339 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN, 340 &failed)); 341 342 EXPECT_EQ(0U, failed.size()); 343 344 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 345 ASSERT_EQ(1U, cert_list.size()); 346 scoped_refptr<X509Certificate> cert(cert_list[0]); 347 EXPECT_EQ("Test Root CA", cert->subject().common_name); 348 349 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN, 350 cert_db_->GetCertTrust(cert.get(), CA_CERT)); 351 352 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 353 cert->os_cert_handle()->trust->sslFlags); 354 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 355 cert->os_cert_handle()->trust->emailFlags); 356 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | 357 CERTDB_TRUSTED_CLIENT_CA), 358 cert->os_cert_handle()->trust->objectSigningFlags); 359 } 360 361 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { 362 CertificateList certs = CreateCertificateListFromFile( 363 GetTestCertsDirectory(), "ok_cert.pem", 364 X509Certificate::FORMAT_AUTO); 365 ASSERT_EQ(1U, certs.size()); 366 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); 367 368 // Import it. 369 NSSCertDatabase::ImportCertFailureList failed; 370 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, 371 &failed)); 372 ASSERT_EQ(1U, failed.size()); 373 // Note: this compares pointers directly. It's okay in this case because 374 // ImportCACerts returns the same pointers that were passed in. In the 375 // general case IsSameOSCert should be used. 376 EXPECT_EQ(certs[0], failed[0].certificate); 377 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); 378 379 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); 380 } 381 382 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { 383 CertificateList certs; 384 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); 385 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 386 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); 387 388 // Import it. 389 NSSCertDatabase::ImportCertFailureList failed; 390 // Have to specify email trust for the cert verification of the child cert to 391 // work (see 392 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#752 393 // "XXX This choice of trustType seems arbitrary.") 394 EXPECT_TRUE(cert_db_->ImportCACerts( 395 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, 396 &failed)); 397 398 ASSERT_EQ(2U, failed.size()); 399 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); 400 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. 401 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); 402 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); 403 404 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 405 ASSERT_EQ(1U, cert_list.size()); 406 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 407 } 408 409 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { 410 CertificateList certs; 411 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); 412 413 // First import just the root. 414 NSSCertDatabase::ImportCertFailureList failed; 415 EXPECT_TRUE(cert_db_->ImportCACerts( 416 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, 417 &failed)); 418 419 EXPECT_EQ(0U, failed.size()); 420 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 421 ASSERT_EQ(1U, cert_list.size()); 422 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 423 424 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 425 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); 426 427 // Now import with the other certs in the list too. Even though the root is 428 // already present, we should still import the rest. 429 failed.clear(); 430 EXPECT_TRUE(cert_db_->ImportCACerts( 431 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, 432 &failed)); 433 434 ASSERT_EQ(3U, failed.size()); 435 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); 436 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); 437 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); 438 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. 439 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name); 440 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error); 441 442 cert_list = ListCertsInSlot(slot_->os_module_handle()); 443 ASSERT_EQ(1U, cert_list.size()); 444 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 445 } 446 447 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { 448 CertificateList certs; 449 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); 450 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 451 452 // Import it. 453 NSSCertDatabase::ImportCertFailureList failed; 454 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT, 455 &failed)); 456 457 ASSERT_EQ(1U, failed.size()); 458 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); 459 // TODO(mattm): should check for net error equivalent of 460 // SEC_ERROR_UNTRUSTED_ISSUER 461 EXPECT_EQ(ERR_FAILED, failed[0].net_error); 462 463 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 464 ASSERT_EQ(1U, cert_list.size()); 465 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 466 } 467 468 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { 469 CertificateList certs; 470 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); 471 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); 472 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 473 474 // Import it. 475 NSSCertDatabase::ImportCertFailureList failed; 476 EXPECT_TRUE(cert_db_->ImportCACerts( 477 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, 478 &failed)); 479 480 EXPECT_EQ(2U, failed.size()); 481 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); 482 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. 483 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); 484 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. 485 486 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 487 ASSERT_EQ(1U, cert_list.size()); 488 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 489 } 490 491 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { 492 CertificateList certs = CreateCertificateListFromFile( 493 GetTestCertsDirectory(), "root_ca_cert.pem", 494 X509Certificate::FORMAT_AUTO); 495 ASSERT_EQ(1U, certs.size()); 496 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); 497 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 498 499 // Import it. 500 NSSCertDatabase::ImportCertFailureList failed; 501 EXPECT_TRUE(cert_db_->ImportCACerts( 502 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL | 503 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed)); 504 505 ASSERT_EQ(2U, failed.size()); 506 // TODO(mattm): should check for net error equivalent of 507 // SEC_ERROR_UNKNOWN_ISSUER 508 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); 509 EXPECT_EQ(ERR_FAILED, failed[0].net_error); 510 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); 511 EXPECT_EQ(ERR_FAILED, failed[1].net_error); 512 513 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 514 ASSERT_EQ(1U, cert_list.size()); 515 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name); 516 } 517 518 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired 519 // certificate. 520 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { 521 // Need to import intermediate cert for the verify of google cert, otherwise 522 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which 523 // will cause OCSPCreateSession on the main thread, which is not allowed. 524 CertificateList certs = CreateCertificateListFromFile( 525 GetTestCertsDirectory(), "google.chain.pem", 526 X509Certificate::FORMAT_AUTO); 527 ASSERT_EQ(2U, certs.size()); 528 529 NSSCertDatabase::ImportCertFailureList failed; 530 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, 531 &failed)); 532 533 EXPECT_EQ(0U, failed.size()); 534 535 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 536 ASSERT_EQ(2U, cert_list.size()); 537 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); 538 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); 539 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); 540 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); 541 542 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 543 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); 544 545 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); 546 547 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 548 int flags = 0; 549 CertVerifyResult verify_result; 550 int error = verify_proc->Verify(goog_cert.get(), 551 "www.google.com", 552 flags, 553 NULL, 554 empty_cert_list_, 555 &verify_result); 556 EXPECT_EQ(OK, error); 557 EXPECT_EQ(0U, verify_result.cert_status); 558 } 559 560 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { 561 CertificateList certs; 562 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); 563 564 NSSCertDatabase::ImportCertFailureList failed; 565 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, 566 &failed)); 567 568 EXPECT_EQ(0U, failed.size()); 569 570 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 571 ASSERT_EQ(1U, cert_list.size()); 572 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); 573 574 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 575 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); 576 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); 577 578 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 579 int flags = 0; 580 CertVerifyResult verify_result; 581 int error = verify_proc->Verify(puny_cert.get(), 582 "xn--wgv71a119e.com", 583 flags, 584 NULL, 585 empty_cert_list_, 586 &verify_result); 587 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 588 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); 589 } 590 591 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { 592 // When using CERT_PKIXVerifyCert (which we do), server trust only works from 593 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364. 594 if (!NSS_VersionCheck("3.13.4")) { 595 LOG(INFO) << "test skipped on NSS < 3.13.4"; 596 return; 597 } 598 599 CertificateList certs; 600 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); 601 602 NSSCertDatabase::ImportCertFailureList failed; 603 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, 604 &failed)); 605 606 EXPECT_EQ(0U, failed.size()); 607 608 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 609 ASSERT_EQ(1U, cert_list.size()); 610 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); 611 612 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, 613 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); 614 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), 615 puny_cert->os_cert_handle()->trust->sslFlags); 616 617 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 618 int flags = 0; 619 CertVerifyResult verify_result; 620 int error = verify_proc->Verify(puny_cert.get(), 621 "xn--wgv71a119e.com", 622 flags, 623 NULL, 624 empty_cert_list_, 625 &verify_result); 626 EXPECT_EQ(OK, error); 627 EXPECT_EQ(0U, verify_result.cert_status); 628 } 629 630 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { 631 CertificateList ca_certs = CreateCertificateListFromFile( 632 GetTestCertsDirectory(), "root_ca_cert.pem", 633 X509Certificate::FORMAT_AUTO); 634 ASSERT_EQ(1U, ca_certs.size()); 635 636 // Import CA cert and trust it. 637 NSSCertDatabase::ImportCertFailureList failed; 638 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL, 639 &failed)); 640 EXPECT_EQ(0U, failed.size()); 641 642 CertificateList certs = CreateCertificateListFromFile( 643 GetTestCertsDirectory(), "ok_cert.pem", 644 X509Certificate::FORMAT_AUTO); 645 ASSERT_EQ(1U, certs.size()); 646 647 // Import server cert with default trust. 648 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, 649 &failed)); 650 EXPECT_EQ(0U, failed.size()); 651 652 // Server cert should verify. 653 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 654 int flags = 0; 655 CertVerifyResult verify_result; 656 int error = verify_proc->Verify(certs[0].get(), 657 "127.0.0.1", 658 flags, 659 NULL, 660 empty_cert_list_, 661 &verify_result); 662 EXPECT_EQ(OK, error); 663 EXPECT_EQ(0U, verify_result.cert_status); 664 } 665 666 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { 667 // Explicit distrust only works starting in NSS 3.13. 668 if (!NSS_VersionCheck("3.13")) { 669 LOG(INFO) << "test skipped on NSS < 3.13"; 670 return; 671 } 672 673 CertificateList ca_certs = CreateCertificateListFromFile( 674 GetTestCertsDirectory(), "root_ca_cert.pem", 675 X509Certificate::FORMAT_AUTO); 676 ASSERT_EQ(1U, ca_certs.size()); 677 678 // Import CA cert and trust it. 679 NSSCertDatabase::ImportCertFailureList failed; 680 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL, 681 &failed)); 682 EXPECT_EQ(0U, failed.size()); 683 684 CertificateList certs = CreateCertificateListFromFile( 685 GetTestCertsDirectory(), "ok_cert.pem", 686 X509Certificate::FORMAT_AUTO); 687 ASSERT_EQ(1U, certs.size()); 688 689 // Import server cert without inheriting trust from issuer (explicit 690 // distrust). 691 EXPECT_TRUE(cert_db_->ImportServerCert( 692 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed)); 693 EXPECT_EQ(0U, failed.size()); 694 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL, 695 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); 696 697 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), 698 certs[0]->os_cert_handle()->trust->sslFlags); 699 700 // Server cert should fail to verify. 701 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 702 int flags = 0; 703 CertVerifyResult verify_result; 704 int error = verify_proc->Verify(certs[0].get(), 705 "127.0.0.1", 706 flags, 707 NULL, 708 empty_cert_list_, 709 &verify_result); 710 EXPECT_EQ(ERR_CERT_REVOKED, error); 711 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); 712 } 713 714 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { 715 CertificateList ca_certs = CreateCertificateListFromFile( 716 GetTestCertsDirectory(), "2048-rsa-root.pem", 717 X509Certificate::FORMAT_AUTO); 718 ASSERT_EQ(1U, ca_certs.size()); 719 720 // Import Root CA cert and distrust it. 721 NSSCertDatabase::ImportCertFailureList failed; 722 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL, 723 &failed)); 724 EXPECT_EQ(0U, failed.size()); 725 726 CertificateList intermediate_certs = CreateCertificateListFromFile( 727 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", 728 X509Certificate::FORMAT_AUTO); 729 ASSERT_EQ(1U, intermediate_certs.size()); 730 731 // Import Intermediate CA cert and trust it. 732 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs, 733 NSSCertDatabase::TRUSTED_SSL, &failed)); 734 EXPECT_EQ(0U, failed.size()); 735 736 CertificateList certs = CreateCertificateListFromFile( 737 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", 738 X509Certificate::FORMAT_AUTO); 739 ASSERT_EQ(1U, certs.size()); 740 741 // Import server cert with default trust. 742 EXPECT_TRUE(cert_db_->ImportServerCert( 743 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); 744 EXPECT_EQ(0U, failed.size()); 745 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 746 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); 747 748 // Server cert should verify. 749 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 750 int flags = 0; 751 CertVerifyResult verify_result; 752 int error = verify_proc->Verify(certs[0].get(), 753 "127.0.0.1", 754 flags, 755 NULL, 756 empty_cert_list_, 757 &verify_result); 758 EXPECT_EQ(OK, error); 759 EXPECT_EQ(0U, verify_result.cert_status); 760 761 // Explicit distrust only works starting in NSS 3.13. 762 if (!NSS_VersionCheck("3.13")) { 763 LOG(INFO) << "test partially skipped on NSS < 3.13"; 764 return; 765 } 766 767 // Trust the root cert and distrust the intermediate. 768 EXPECT_TRUE(cert_db_->SetCertTrust( 769 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL)); 770 EXPECT_TRUE(cert_db_->SetCertTrust( 771 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL)); 772 EXPECT_EQ( 773 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), 774 ca_certs[0]->os_cert_handle()->trust->sslFlags); 775 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 776 ca_certs[0]->os_cert_handle()->trust->emailFlags); 777 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 778 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); 779 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), 780 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); 781 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 782 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); 783 EXPECT_EQ( 784 unsigned(CERTDB_VALID_CA), 785 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); 786 787 // Server cert should fail to verify. 788 CertVerifyResult verify_result2; 789 error = verify_proc->Verify(certs[0].get(), 790 "127.0.0.1", 791 flags, 792 NULL, 793 empty_cert_list_, 794 &verify_result2); 795 EXPECT_EQ(ERR_CERT_REVOKED, error); 796 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); 797 } 798 799 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { 800 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { 801 // See http://bugzil.la/863947 for details. 802 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; 803 return; 804 } 805 806 NSSCertDatabase::ImportCertFailureList failed; 807 808 CertificateList intermediate_certs = CreateCertificateListFromFile( 809 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", 810 X509Certificate::FORMAT_AUTO); 811 ASSERT_EQ(1U, intermediate_certs.size()); 812 813 // Import Intermediate CA cert and trust it. 814 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs, 815 NSSCertDatabase::TRUSTED_SSL, &failed)); 816 EXPECT_EQ(0U, failed.size()); 817 818 CertificateList certs = CreateCertificateListFromFile( 819 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", 820 X509Certificate::FORMAT_AUTO); 821 ASSERT_EQ(1U, certs.size()); 822 823 // Import server cert with default trust. 824 EXPECT_TRUE(cert_db_->ImportServerCert( 825 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); 826 EXPECT_EQ(0U, failed.size()); 827 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 828 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); 829 830 // Server cert should verify. 831 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 832 int flags = 0; 833 CertVerifyResult verify_result; 834 int error = verify_proc->Verify(certs[0].get(), 835 "127.0.0.1", 836 flags, 837 NULL, 838 empty_cert_list_, 839 &verify_result); 840 EXPECT_EQ(OK, error); 841 EXPECT_EQ(0U, verify_result.cert_status); 842 843 // Without explicit trust of the intermediate, verification should fail. 844 EXPECT_TRUE(cert_db_->SetCertTrust( 845 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); 846 847 // Server cert should fail to verify. 848 CertVerifyResult verify_result2; 849 error = verify_proc->Verify(certs[0].get(), 850 "127.0.0.1", 851 flags, 852 NULL, 853 empty_cert_list_, 854 &verify_result2); 855 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 856 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); 857 } 858 859 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { 860 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { 861 // See http://bugzil.la/863947 for details. 862 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; 863 return; 864 } 865 866 NSSCertDatabase::ImportCertFailureList failed; 867 868 CertificateList ca_certs = CreateCertificateListFromFile( 869 GetTestCertsDirectory(), "2048-rsa-root.pem", 870 X509Certificate::FORMAT_AUTO); 871 ASSERT_EQ(1U, ca_certs.size()); 872 873 // Import Root CA cert and default trust it. 874 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT, 875 &failed)); 876 EXPECT_EQ(0U, failed.size()); 877 878 CertificateList intermediate_certs = CreateCertificateListFromFile( 879 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", 880 X509Certificate::FORMAT_AUTO); 881 ASSERT_EQ(1U, intermediate_certs.size()); 882 883 // Import Intermediate CA cert and trust it. 884 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs, 885 NSSCertDatabase::TRUSTED_SSL, &failed)); 886 EXPECT_EQ(0U, failed.size()); 887 888 CertificateList certs = CreateCertificateListFromFile( 889 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", 890 X509Certificate::FORMAT_AUTO); 891 ASSERT_EQ(1U, certs.size()); 892 893 // Import server cert with default trust. 894 EXPECT_TRUE(cert_db_->ImportServerCert( 895 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); 896 EXPECT_EQ(0U, failed.size()); 897 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 898 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); 899 900 // Server cert should verify. 901 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 902 int flags = 0; 903 CertVerifyResult verify_result; 904 int error = verify_proc->Verify(certs[0].get(), 905 "127.0.0.1", 906 flags, 907 NULL, 908 empty_cert_list_, 909 &verify_result); 910 EXPECT_EQ(OK, error); 911 EXPECT_EQ(0U, verify_result.cert_status); 912 913 // Without explicit trust of the intermediate, verification should fail. 914 EXPECT_TRUE(cert_db_->SetCertTrust( 915 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); 916 917 // Server cert should fail to verify. 918 CertVerifyResult verify_result2; 919 error = verify_proc->Verify(certs[0].get(), 920 "127.0.0.1", 921 flags, 922 NULL, 923 empty_cert_list_, 924 &verify_result2); 925 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 926 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); 927 } 928 929 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { 930 // Explicit distrust only works starting in NSS 3.13. 931 if (!NSS_VersionCheck("3.13")) { 932 LOG(INFO) << "test skipped on NSS < 3.13"; 933 return; 934 } 935 936 NSSCertDatabase::ImportCertFailureList failed; 937 938 CertificateList ca_certs = CreateCertificateListFromFile( 939 GetTestCertsDirectory(), "2048-rsa-root.pem", 940 X509Certificate::FORMAT_AUTO); 941 ASSERT_EQ(1U, ca_certs.size()); 942 943 // Import Root CA cert and trust it. 944 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL, 945 &failed)); 946 EXPECT_EQ(0U, failed.size()); 947 948 CertificateList intermediate_certs = CreateCertificateListFromFile( 949 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", 950 X509Certificate::FORMAT_AUTO); 951 ASSERT_EQ(1U, intermediate_certs.size()); 952 953 // Import Intermediate CA cert and distrust it. 954 EXPECT_TRUE(cert_db_->ImportCACerts( 955 intermediate_certs, NSSCertDatabase::DISTRUSTED_SSL, &failed)); 956 EXPECT_EQ(0U, failed.size()); 957 958 CertificateList certs = CreateCertificateListFromFile( 959 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", 960 X509Certificate::FORMAT_AUTO); 961 ASSERT_EQ(1U, certs.size()); 962 963 // Import server cert with default trust. 964 EXPECT_TRUE(cert_db_->ImportServerCert( 965 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); 966 EXPECT_EQ(0U, failed.size()); 967 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 968 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); 969 970 // Server cert should not verify. 971 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 972 int flags = 0; 973 CertVerifyResult verify_result; 974 int error = verify_proc->Verify(certs[0].get(), 975 "127.0.0.1", 976 flags, 977 NULL, 978 empty_cert_list_, 979 &verify_result); 980 EXPECT_EQ(ERR_CERT_REVOKED, error); 981 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); 982 983 // Without explicit distrust of the intermediate, verification should succeed. 984 EXPECT_TRUE(cert_db_->SetCertTrust( 985 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); 986 987 // Server cert should verify. 988 CertVerifyResult verify_result2; 989 error = verify_proc->Verify(certs[0].get(), 990 "127.0.0.1", 991 flags, 992 NULL, 993 empty_cert_list_, 994 &verify_result2); 995 EXPECT_EQ(OK, error); 996 EXPECT_EQ(0U, verify_result2.cert_status); 997 } 998 999 // Importing two certificates with the same issuer and subject common name, 1000 // but overall distinct subject names, should succeed and generate a unique 1001 // nickname for the second certificate. 1002 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { 1003 CertificateList certs = 1004 CreateCertificateListFromFile(GetTestCertsDirectory(), 1005 "duplicate_cn_1.pem", 1006 X509Certificate::FORMAT_AUTO); 1007 ASSERT_EQ(1U, certs.size()); 1008 1009 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); 1010 1011 // Import server cert with default trust. 1012 NSSCertDatabase::ImportCertFailureList failed; 1013 EXPECT_TRUE(cert_db_->ImportServerCert( 1014 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); 1015 EXPECT_EQ(0U, failed.size()); 1016 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 1017 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); 1018 1019 CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle()); 1020 ASSERT_EQ(1U, new_certs.size()); 1021 1022 // Now attempt to import a different certificate with the same common name. 1023 CertificateList certs2 = 1024 CreateCertificateListFromFile(GetTestCertsDirectory(), 1025 "duplicate_cn_2.pem", 1026 X509Certificate::FORMAT_AUTO); 1027 ASSERT_EQ(1U, certs2.size()); 1028 1029 // Import server cert with default trust. 1030 EXPECT_TRUE(cert_db_->ImportServerCert( 1031 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed)); 1032 EXPECT_EQ(0U, failed.size()); 1033 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 1034 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); 1035 1036 new_certs = ListCertsInSlot(slot_->os_module_handle()); 1037 ASSERT_EQ(2U, new_certs.size()); 1038 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, 1039 new_certs[1]->os_cert_handle()->nickname); 1040 } 1041 1042 } // namespace net 1043