Home | History | Annotate | Download | only in cert
      1 // Copyright 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "base/files/file_path.h"
      6 #include "build/build_config.h"
      7 #include "net/base/net_errors.h"
      8 #include "net/base/test_data_directory.h"
      9 #include "net/cert/cert_status_flags.h"
     10 #include "net/cert/cert_verify_proc.h"
     11 #include "net/cert/cert_verify_result.h"
     12 #include "net/cert/test_root_certs.h"
     13 #include "net/cert/x509_certificate.h"
     14 #include "net/test/cert_test_util.h"
     15 #include "testing/gtest/include/gtest/gtest.h"
     16 
     17 #if defined(USE_NSS) || defined(OS_IOS)
     18 #include <nss.h>
     19 #endif
     20 
     21 namespace net {
     22 
     23 namespace {
     24 
     25 // The local test root certificate.
     26 const char kRootCertificateFile[] = "root_ca_cert.pem";
     27 // A certificate issued by the local test root for 127.0.0.1.
     28 const char kGoodCertificateFile[] = "ok_cert.pem";
     29 
     30 }  // namespace
     31 
     32 // Test basic functionality when adding from an existing X509Certificate.
     33 TEST(TestRootCertsTest, AddFromPointer) {
     34   scoped_refptr<X509Certificate> root_cert =
     35       ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
     36   ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
     37 
     38   TestRootCerts* test_roots = TestRootCerts::GetInstance();
     39   ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
     40   EXPECT_TRUE(test_roots->IsEmpty());
     41 
     42   EXPECT_TRUE(test_roots->Add(root_cert.get()));
     43   EXPECT_FALSE(test_roots->IsEmpty());
     44 
     45   test_roots->Clear();
     46   EXPECT_TRUE(test_roots->IsEmpty());
     47 }
     48 
     49 // Test basic functionality when adding directly from a file, which should
     50 // behave the same as when adding from an existing certificate.
     51 TEST(TestRootCertsTest, AddFromFile) {
     52   TestRootCerts* test_roots = TestRootCerts::GetInstance();
     53   ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
     54   EXPECT_TRUE(test_roots->IsEmpty());
     55 
     56   base::FilePath cert_path =
     57       GetTestCertsDirectory().AppendASCII(kRootCertificateFile);
     58   EXPECT_TRUE(test_roots->AddFromFile(cert_path));
     59   EXPECT_FALSE(test_roots->IsEmpty());
     60 
     61   test_roots->Clear();
     62   EXPECT_TRUE(test_roots->IsEmpty());
     63 }
     64 
     65 // Test that TestRootCerts actually adds the appropriate trust status flags
     66 // when requested, and that the trusted status is cleared once the root is
     67 // removed the TestRootCerts. This test acts as a canary/sanity check for
     68 // the results of the rest of net_unittests, ensuring that the trust status
     69 // is properly being set and cleared.
     70 TEST(TestRootCertsTest, OverrideTrust) {
     71 #if defined(USE_NSS) || defined(OS_IOS)
     72   if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
     73     // See http://bugzil.la/863947 for details
     74     LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
     75     return;
     76   }
     77 #endif
     78 
     79   TestRootCerts* test_roots = TestRootCerts::GetInstance();
     80   ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
     81   EXPECT_TRUE(test_roots->IsEmpty());
     82 
     83   scoped_refptr<X509Certificate> test_cert =
     84       ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile);
     85   ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert.get());
     86 
     87   // Test that the good certificate fails verification, because the root
     88   // certificate should not yet be trusted.
     89   int flags = 0;
     90   CertVerifyResult bad_verify_result;
     91   scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
     92   int bad_status = verify_proc->Verify(test_cert.get(),
     93                                        "127.0.0.1",
     94                                        flags,
     95                                        NULL,
     96                                        CertificateList(),
     97                                        &bad_verify_result);
     98   EXPECT_NE(OK, bad_status);
     99   EXPECT_NE(0u, bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
    100 
    101   // Add the root certificate and mark it as trusted.
    102   EXPECT_TRUE(test_roots->AddFromFile(
    103       GetTestCertsDirectory().AppendASCII(kRootCertificateFile)));
    104   EXPECT_FALSE(test_roots->IsEmpty());
    105 
    106   // Test that the certificate verification now succeeds, because the
    107   // TestRootCerts is successfully imbuing trust.
    108   CertVerifyResult good_verify_result;
    109   int good_status = verify_proc->Verify(test_cert.get(),
    110                                         "127.0.0.1",
    111                                         flags,
    112                                         NULL,
    113                                         CertificateList(),
    114                                         &good_verify_result);
    115   EXPECT_EQ(OK, good_status);
    116   EXPECT_EQ(0u, good_verify_result.cert_status);
    117 
    118   test_roots->Clear();
    119   EXPECT_TRUE(test_roots->IsEmpty());
    120 
    121   // Ensure that when the TestRootCerts is cleared, the trust settings
    122   // revert to their original state, and don't linger. If trust status
    123   // lingers, it will likely break other tests in net_unittests.
    124   CertVerifyResult restored_verify_result;
    125   int restored_status = verify_proc->Verify(test_cert.get(),
    126                                             "127.0.0.1",
    127                                             flags,
    128                                             NULL,
    129                                             CertificateList(),
    130                                             &restored_verify_result);
    131   EXPECT_NE(OK, restored_status);
    132   EXPECT_NE(0u,
    133             restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
    134   EXPECT_EQ(bad_status, restored_status);
    135   EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status);
    136 }
    137 
    138 // TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that
    139 // TestRootCerts properly injects itself into the validation process. See
    140 // http://crbug.com/63958
    141 
    142 }  // namespace net
    143