1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include <cert.h> 6 #include <certdb.h> 7 #include <pk11pub.h> 8 9 #include <algorithm> 10 11 #include "base/bind.h" 12 #include "base/file_util.h" 13 #include "base/files/file_path.h" 14 #include "base/lazy_instance.h" 15 #include "base/message_loop/message_loop.h" 16 #include "base/message_loop/message_loop_proxy.h" 17 #include "base/path_service.h" 18 #include "base/run_loop.h" 19 #include "base/strings/string16.h" 20 #include "base/strings/string_util.h" 21 #include "base/strings/utf_string_conversions.h" 22 #include "crypto/nss_util.h" 23 #include "crypto/nss_util_internal.h" 24 #include "crypto/scoped_nss_types.h" 25 #include "net/base/crypto_module.h" 26 #include "net/base/net_errors.h" 27 #include "net/base/test_data_directory.h" 28 #include "net/cert/cert_status_flags.h" 29 #include "net/cert/cert_verify_proc_nss.h" 30 #include "net/cert/cert_verify_result.h" 31 #include "net/cert/nss_cert_database.h" 32 #include "net/cert/x509_certificate.h" 33 #include "net/test/cert_test_util.h" 34 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" 35 #include "testing/gtest/include/gtest/gtest.h" 36 37 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use 38 // the new name of the macro. 39 #if !defined(CERTDB_TERMINAL_RECORD) 40 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER 41 #endif 42 43 using base::ASCIIToUTF16; 44 45 namespace net { 46 47 namespace { 48 49 void SwapCertList(CertificateList* destination, 50 scoped_ptr<CertificateList> source) { 51 ASSERT_TRUE(destination); 52 destination->swap(*source); 53 } 54 55 } // namespace 56 57 class CertDatabaseNSSTest : public testing::Test { 58 public: 59 virtual void SetUp() { 60 ASSERT_TRUE(test_nssdb_.is_open()); 61 cert_db_ = NSSCertDatabase::GetInstance(); 62 slot_ = cert_db_->GetPublicModule(); 63 64 // Test db should be empty at start of test. 65 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); 66 } 67 68 virtual void TearDown() { 69 // Don't try to cleanup if the setup failed. 70 ASSERT_TRUE(slot_->os_module_handle()); 71 72 EXPECT_TRUE(CleanupSlotContents()); 73 74 // Run the message loop to process any observer callbacks (e.g. for the 75 // ClientSocketFactory singleton) so that the scoped ref ptrs created in 76 // NSSCertDatabase::NotifyObservers* get released. 77 base::MessageLoop::current()->RunUntilIdle(); 78 79 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); 80 } 81 82 protected: 83 static std::string ReadTestFile(const std::string& name) { 84 std::string result; 85 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name); 86 EXPECT_TRUE(base::ReadFileToString(cert_path, &result)); 87 return result; 88 } 89 90 static bool ReadCertIntoList(const std::string& name, 91 CertificateList* certs) { 92 scoped_refptr<X509Certificate> cert( 93 ImportCertFromFile(GetTestCertsDirectory(), name)); 94 if (!cert.get()) 95 return false; 96 97 certs->push_back(cert); 98 return true; 99 } 100 101 static CertificateList ListCertsInSlot(PK11SlotInfo* slot) { 102 CertificateList result; 103 CERTCertList* cert_list = PK11_ListCertsInSlot(slot); 104 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); 105 !CERT_LIST_END(node, cert_list); 106 node = CERT_LIST_NEXT(node)) { 107 result.push_back(X509Certificate::CreateFromHandle( 108 node->cert, X509Certificate::OSCertHandles())); 109 } 110 CERT_DestroyCertList(cert_list); 111 112 // Sort the result so that test comparisons can be deterministic. 113 std::sort(result.begin(), result.end(), X509Certificate::LessThan()); 114 return result; 115 } 116 117 scoped_refptr<CryptoModule> slot_; 118 NSSCertDatabase* cert_db_; 119 const CertificateList empty_cert_list_; 120 121 private: 122 bool CleanupSlotContents() { 123 bool ok = true; 124 CertificateList certs = ListCertsInSlot(slot_->os_module_handle()); 125 CERTCertTrust default_trust = {0}; 126 for (size_t i = 0; i < certs.size(); ++i) { 127 // Reset cert trust values to defaults before deleting. Otherwise NSS 128 // somehow seems to remember the trust which can break following tests. 129 SECStatus srv = CERT_ChangeCertTrust( 130 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); 131 if (srv != SECSuccess) 132 ok = false; 133 134 if (!cert_db_->DeleteCertAndKey(certs[i].get())) 135 ok = false; 136 } 137 return ok; 138 } 139 140 crypto::ScopedTestNSSDB test_nssdb_; 141 }; 142 143 TEST_F(CertDatabaseNSSTest, ListCertsSync) { 144 // This test isn't terribly useful, though it will at least let valgrind test 145 // for leaks. 146 CertificateList certs; 147 cert_db_->ListCertsSync(&certs); 148 // The test DB is empty, but let's assume there will always be something in 149 // the other slots. 150 EXPECT_LT(0U, certs.size()); 151 } 152 153 TEST_F(CertDatabaseNSSTest, ListCerts) { 154 // This test isn't terribly useful, though it will at least let valgrind test 155 // for leaks. 156 CertificateList certs; 157 cert_db_->SetSlowTaskRunnerForTest(base::MessageLoopProxy::current()); 158 cert_db_->ListCerts(base::Bind(&SwapCertList, base::Unretained(&certs))); 159 EXPECT_EQ(0U, certs.size()); 160 161 base::RunLoop().RunUntilIdle(); 162 163 // The test DB is empty, but let's assume there will always be something in 164 // the other slots. 165 EXPECT_LT(0U, certs.size()); 166 } 167 168 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { 169 std::string pkcs12_data = ReadTestFile("client.p12"); 170 171 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, 172 cert_db_->ImportFromPKCS12(slot_.get(), 173 pkcs12_data, 174 base::string16(), 175 true, // is_extractable 176 NULL)); 177 178 // Test db should still be empty. 179 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); 180 } 181 182 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) { 183 std::string pkcs12_data = ReadTestFile("client.p12"); 184 185 EXPECT_EQ(OK, 186 cert_db_->ImportFromPKCS12(slot_.get(), 187 pkcs12_data, 188 ASCIIToUTF16("12345"), 189 true, // is_extractable 190 NULL)); 191 192 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 193 ASSERT_EQ(1U, cert_list.size()); 194 scoped_refptr<X509Certificate> cert(cert_list[0]); 195 196 EXPECT_EQ("testusercert", 197 cert->subject().common_name); 198 199 // TODO(mattm): move export test to separate test case? 200 std::string exported_data; 201 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), 202 &exported_data)); 203 ASSERT_LT(0U, exported_data.size()); 204 // TODO(mattm): further verification of exported data? 205 } 206 207 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) { 208 std::string pkcs12_data = ReadTestFile("client.p12"); 209 210 EXPECT_EQ(OK, 211 cert_db_->ImportFromPKCS12(slot_.get(), 212 pkcs12_data, 213 ASCIIToUTF16("12345"), 214 true, // is_extractable 215 NULL)); 216 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); 217 218 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like 219 // it's ever used. This test verifies that. 220 EXPECT_EQ(OK, 221 cert_db_->ImportFromPKCS12(slot_.get(), 222 pkcs12_data, 223 ASCIIToUTF16("12345"), 224 true, // is_extractable 225 NULL)); 226 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); 227 } 228 229 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) { 230 std::string pkcs12_data = ReadTestFile("client.p12"); 231 232 EXPECT_EQ(OK, 233 cert_db_->ImportFromPKCS12(slot_.get(), 234 pkcs12_data, 235 ASCIIToUTF16("12345"), 236 false, // is_extractable 237 NULL)); 238 239 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 240 ASSERT_EQ(1U, cert_list.size()); 241 scoped_refptr<X509Certificate> cert(cert_list[0]); 242 243 EXPECT_EQ("testusercert", 244 cert->subject().common_name); 245 246 std::string exported_data; 247 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), 248 &exported_data)); 249 } 250 251 // Importing a PKCS#12 file with a certificate but no corresponding 252 // private key should not mark an existing private key as unextractable. 253 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) { 254 std::string pkcs12_data = ReadTestFile("client.p12"); 255 EXPECT_EQ(OK, 256 cert_db_->ImportFromPKCS12(slot_.get(), 257 pkcs12_data, 258 ASCIIToUTF16("12345"), 259 true, // is_extractable 260 NULL)); 261 262 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 263 ASSERT_EQ(1U, cert_list.size()); 264 265 // Now import a PKCS#12 file with just a certificate but no private key. 266 pkcs12_data = ReadTestFile("client-nokey.p12"); 267 EXPECT_EQ(OK, 268 cert_db_->ImportFromPKCS12(slot_.get(), 269 pkcs12_data, 270 ASCIIToUTF16("12345"), 271 false, // is_extractable 272 NULL)); 273 274 cert_list = ListCertsInSlot(slot_->os_module_handle()); 275 ASSERT_EQ(1U, cert_list.size()); 276 277 // Make sure the imported private key is still extractable. 278 std::string exported_data; 279 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"), 280 &exported_data)); 281 ASSERT_LT(0U, exported_data.size()); 282 } 283 284 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) { 285 std::string pkcs12_data = "Foobarbaz"; 286 287 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE, 288 cert_db_->ImportFromPKCS12(slot_.get(), 289 pkcs12_data, 290 base::string16(), 291 true, // is_extractable 292 NULL)); 293 294 // Test db should still be empty. 295 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); 296 } 297 298 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { 299 CertificateList certs = CreateCertificateListFromFile( 300 GetTestCertsDirectory(), "root_ca_cert.pem", 301 X509Certificate::FORMAT_AUTO); 302 ASSERT_EQ(1U, certs.size()); 303 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); 304 305 // Import it. 306 NSSCertDatabase::ImportCertFailureList failed; 307 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, 308 &failed)); 309 310 EXPECT_EQ(0U, failed.size()); 311 312 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 313 ASSERT_EQ(1U, cert_list.size()); 314 scoped_refptr<X509Certificate> cert(cert_list[0]); 315 EXPECT_EQ("Test Root CA", cert->subject().common_name); 316 317 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, 318 cert_db_->GetCertTrust(cert.get(), CA_CERT)); 319 320 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | 321 CERTDB_TRUSTED_CLIENT_CA), 322 cert->os_cert_handle()->trust->sslFlags); 323 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 324 cert->os_cert_handle()->trust->emailFlags); 325 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 326 cert->os_cert_handle()->trust->objectSigningFlags); 327 } 328 329 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { 330 CertificateList certs = CreateCertificateListFromFile( 331 GetTestCertsDirectory(), "root_ca_cert.pem", 332 X509Certificate::FORMAT_AUTO); 333 ASSERT_EQ(1U, certs.size()); 334 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); 335 336 // Import it. 337 NSSCertDatabase::ImportCertFailureList failed; 338 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL, 339 &failed)); 340 341 EXPECT_EQ(0U, failed.size()); 342 343 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 344 ASSERT_EQ(1U, cert_list.size()); 345 scoped_refptr<X509Certificate> cert(cert_list[0]); 346 EXPECT_EQ("Test Root CA", cert->subject().common_name); 347 348 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL, 349 cert_db_->GetCertTrust(cert.get(), CA_CERT)); 350 351 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 352 cert->os_cert_handle()->trust->sslFlags); 353 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | 354 CERTDB_TRUSTED_CLIENT_CA), 355 cert->os_cert_handle()->trust->emailFlags); 356 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 357 cert->os_cert_handle()->trust->objectSigningFlags); 358 } 359 360 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { 361 CertificateList certs = CreateCertificateListFromFile( 362 GetTestCertsDirectory(), "root_ca_cert.pem", 363 X509Certificate::FORMAT_AUTO); 364 ASSERT_EQ(1U, certs.size()); 365 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); 366 367 // Import it. 368 NSSCertDatabase::ImportCertFailureList failed; 369 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN, 370 &failed)); 371 372 EXPECT_EQ(0U, failed.size()); 373 374 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 375 ASSERT_EQ(1U, cert_list.size()); 376 scoped_refptr<X509Certificate> cert(cert_list[0]); 377 EXPECT_EQ("Test Root CA", cert->subject().common_name); 378 379 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN, 380 cert_db_->GetCertTrust(cert.get(), CA_CERT)); 381 382 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 383 cert->os_cert_handle()->trust->sslFlags); 384 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 385 cert->os_cert_handle()->trust->emailFlags); 386 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | 387 CERTDB_TRUSTED_CLIENT_CA), 388 cert->os_cert_handle()->trust->objectSigningFlags); 389 } 390 391 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { 392 CertificateList certs = CreateCertificateListFromFile( 393 GetTestCertsDirectory(), "ok_cert.pem", 394 X509Certificate::FORMAT_AUTO); 395 ASSERT_EQ(1U, certs.size()); 396 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm); 397 398 // Import it. 399 NSSCertDatabase::ImportCertFailureList failed; 400 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL, 401 &failed)); 402 ASSERT_EQ(1U, failed.size()); 403 // Note: this compares pointers directly. It's okay in this case because 404 // ImportCACerts returns the same pointers that were passed in. In the 405 // general case IsSameOSCert should be used. 406 EXPECT_EQ(certs[0], failed[0].certificate); 407 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); 408 409 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); 410 } 411 412 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { 413 CertificateList certs; 414 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); 415 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 416 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); 417 418 // Import it. 419 NSSCertDatabase::ImportCertFailureList failed; 420 // Have to specify email trust for the cert verification of the child cert to 421 // work (see 422 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#752 423 // "XXX This choice of trustType seems arbitrary.") 424 EXPECT_TRUE(cert_db_->ImportCACerts( 425 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, 426 &failed)); 427 428 ASSERT_EQ(2U, failed.size()); 429 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); 430 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. 431 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); 432 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); 433 434 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 435 ASSERT_EQ(1U, cert_list.size()); 436 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 437 } 438 439 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { 440 CertificateList certs; 441 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); 442 443 // First import just the root. 444 NSSCertDatabase::ImportCertFailureList failed; 445 EXPECT_TRUE(cert_db_->ImportCACerts( 446 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, 447 &failed)); 448 449 EXPECT_EQ(0U, failed.size()); 450 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 451 ASSERT_EQ(1U, cert_list.size()); 452 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 453 454 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 455 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs)); 456 457 // Now import with the other certs in the list too. Even though the root is 458 // already present, we should still import the rest. 459 failed.clear(); 460 EXPECT_TRUE(cert_db_->ImportCACerts( 461 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, 462 &failed)); 463 464 ASSERT_EQ(3U, failed.size()); 465 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name); 466 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error); 467 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); 468 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. 469 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name); 470 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error); 471 472 cert_list = ListCertsInSlot(slot_->os_module_handle()); 473 ASSERT_EQ(1U, cert_list.size()); 474 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 475 } 476 477 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { 478 CertificateList certs; 479 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); 480 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 481 482 // Import it. 483 NSSCertDatabase::ImportCertFailureList failed; 484 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT, 485 &failed)); 486 487 ASSERT_EQ(1U, failed.size()); 488 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name); 489 // TODO(mattm): should check for net error equivalent of 490 // SEC_ERROR_UNTRUSTED_ISSUER 491 EXPECT_EQ(ERR_FAILED, failed[0].net_error); 492 493 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 494 ASSERT_EQ(1U, cert_list.size()); 495 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 496 } 497 498 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { 499 CertificateList certs; 500 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs)); 501 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); 502 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 503 504 // Import it. 505 NSSCertDatabase::ImportCertFailureList failed; 506 EXPECT_TRUE(cert_db_->ImportCACerts( 507 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL, 508 &failed)); 509 510 EXPECT_EQ(2U, failed.size()); 511 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); 512 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired. 513 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); 514 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. 515 516 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 517 ASSERT_EQ(1U, cert_list.size()); 518 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 519 } 520 521 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { 522 CertificateList certs = CreateCertificateListFromFile( 523 GetTestCertsDirectory(), "root_ca_cert.pem", 524 X509Certificate::FORMAT_AUTO); 525 ASSERT_EQ(1U, certs.size()); 526 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs)); 527 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs)); 528 529 // Import it. 530 NSSCertDatabase::ImportCertFailureList failed; 531 EXPECT_TRUE(cert_db_->ImportCACerts( 532 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL | 533 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed)); 534 535 ASSERT_EQ(2U, failed.size()); 536 // TODO(mattm): should check for net error equivalent of 537 // SEC_ERROR_UNKNOWN_ISSUER 538 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name); 539 EXPECT_EQ(ERR_FAILED, failed[0].net_error); 540 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); 541 EXPECT_EQ(ERR_FAILED, failed[1].net_error); 542 543 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 544 ASSERT_EQ(1U, cert_list.size()); 545 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name); 546 } 547 548 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired 549 // certificate. 550 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { 551 // Need to import intermediate cert for the verify of google cert, otherwise 552 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which 553 // will cause OCSPCreateSession on the main thread, which is not allowed. 554 CertificateList certs = CreateCertificateListFromFile( 555 GetTestCertsDirectory(), "google.chain.pem", 556 X509Certificate::FORMAT_AUTO); 557 ASSERT_EQ(2U, certs.size()); 558 559 NSSCertDatabase::ImportCertFailureList failed; 560 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, 561 &failed)); 562 563 EXPECT_EQ(0U, failed.size()); 564 565 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 566 ASSERT_EQ(2U, cert_list.size()); 567 scoped_refptr<X509Certificate> goog_cert(cert_list[0]); 568 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); 569 EXPECT_EQ("www.google.com", goog_cert->subject().common_name); 570 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name); 571 572 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 573 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT)); 574 575 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags); 576 577 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 578 int flags = 0; 579 CertVerifyResult verify_result; 580 int error = verify_proc->Verify(goog_cert.get(), 581 "www.google.com", 582 flags, 583 NULL, 584 empty_cert_list_, 585 &verify_result); 586 EXPECT_EQ(OK, error); 587 EXPECT_EQ(0U, verify_result.cert_status); 588 } 589 590 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { 591 CertificateList certs; 592 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); 593 594 NSSCertDatabase::ImportCertFailureList failed; 595 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, 596 &failed)); 597 598 EXPECT_EQ(0U, failed.size()); 599 600 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 601 ASSERT_EQ(1U, cert_list.size()); 602 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); 603 604 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 605 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); 606 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags); 607 608 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 609 int flags = 0; 610 CertVerifyResult verify_result; 611 int error = verify_proc->Verify(puny_cert.get(), 612 "xn--wgv71a119e.com", 613 flags, 614 NULL, 615 empty_cert_list_, 616 &verify_result); 617 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 618 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status); 619 } 620 621 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { 622 CertificateList certs; 623 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs)); 624 625 NSSCertDatabase::ImportCertFailureList failed; 626 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL, 627 &failed)); 628 629 EXPECT_EQ(0U, failed.size()); 630 631 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); 632 ASSERT_EQ(1U, cert_list.size()); 633 scoped_refptr<X509Certificate> puny_cert(cert_list[0]); 634 635 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL, 636 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT)); 637 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD), 638 puny_cert->os_cert_handle()->trust->sslFlags); 639 640 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 641 int flags = 0; 642 CertVerifyResult verify_result; 643 int error = verify_proc->Verify(puny_cert.get(), 644 "xn--wgv71a119e.com", 645 flags, 646 NULL, 647 empty_cert_list_, 648 &verify_result); 649 EXPECT_EQ(OK, error); 650 EXPECT_EQ(0U, verify_result.cert_status); 651 } 652 653 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) { 654 CertificateList ca_certs = CreateCertificateListFromFile( 655 GetTestCertsDirectory(), "root_ca_cert.pem", 656 X509Certificate::FORMAT_AUTO); 657 ASSERT_EQ(1U, ca_certs.size()); 658 659 // Import CA cert and trust it. 660 NSSCertDatabase::ImportCertFailureList failed; 661 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL, 662 &failed)); 663 EXPECT_EQ(0U, failed.size()); 664 665 CertificateList certs = CreateCertificateListFromFile( 666 GetTestCertsDirectory(), "ok_cert.pem", 667 X509Certificate::FORMAT_AUTO); 668 ASSERT_EQ(1U, certs.size()); 669 670 // Import server cert with default trust. 671 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT, 672 &failed)); 673 EXPECT_EQ(0U, failed.size()); 674 675 // Server cert should verify. 676 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 677 int flags = 0; 678 CertVerifyResult verify_result; 679 int error = verify_proc->Verify(certs[0].get(), 680 "127.0.0.1", 681 flags, 682 NULL, 683 empty_cert_list_, 684 &verify_result); 685 EXPECT_EQ(OK, error); 686 EXPECT_EQ(0U, verify_result.cert_status); 687 } 688 689 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) { 690 CertificateList ca_certs = CreateCertificateListFromFile( 691 GetTestCertsDirectory(), "root_ca_cert.pem", 692 X509Certificate::FORMAT_AUTO); 693 ASSERT_EQ(1U, ca_certs.size()); 694 695 // Import CA cert and trust it. 696 NSSCertDatabase::ImportCertFailureList failed; 697 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL, 698 &failed)); 699 EXPECT_EQ(0U, failed.size()); 700 701 CertificateList certs = CreateCertificateListFromFile( 702 GetTestCertsDirectory(), "ok_cert.pem", 703 X509Certificate::FORMAT_AUTO); 704 ASSERT_EQ(1U, certs.size()); 705 706 // Import server cert without inheriting trust from issuer (explicit 707 // distrust). 708 EXPECT_TRUE(cert_db_->ImportServerCert( 709 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed)); 710 EXPECT_EQ(0U, failed.size()); 711 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL, 712 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); 713 714 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), 715 certs[0]->os_cert_handle()->trust->sslFlags); 716 717 // Server cert should fail to verify. 718 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 719 int flags = 0; 720 CertVerifyResult verify_result; 721 int error = verify_proc->Verify(certs[0].get(), 722 "127.0.0.1", 723 flags, 724 NULL, 725 empty_cert_list_, 726 &verify_result); 727 EXPECT_EQ(ERR_CERT_REVOKED, error); 728 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); 729 } 730 731 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) { 732 CertificateList ca_certs = CreateCertificateListFromFile( 733 GetTestCertsDirectory(), "2048-rsa-root.pem", 734 X509Certificate::FORMAT_AUTO); 735 ASSERT_EQ(1U, ca_certs.size()); 736 737 // Import Root CA cert and distrust it. 738 NSSCertDatabase::ImportCertFailureList failed; 739 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL, 740 &failed)); 741 EXPECT_EQ(0U, failed.size()); 742 743 CertificateList intermediate_certs = CreateCertificateListFromFile( 744 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", 745 X509Certificate::FORMAT_AUTO); 746 ASSERT_EQ(1U, intermediate_certs.size()); 747 748 // Import Intermediate CA cert and trust it. 749 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs, 750 NSSCertDatabase::TRUSTED_SSL, &failed)); 751 EXPECT_EQ(0U, failed.size()); 752 753 CertificateList certs = CreateCertificateListFromFile( 754 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", 755 X509Certificate::FORMAT_AUTO); 756 ASSERT_EQ(1U, certs.size()); 757 758 // Import server cert with default trust. 759 EXPECT_TRUE(cert_db_->ImportServerCert( 760 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); 761 EXPECT_EQ(0U, failed.size()); 762 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 763 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); 764 765 // Server cert should verify. 766 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 767 int flags = 0; 768 CertVerifyResult verify_result; 769 int error = verify_proc->Verify(certs[0].get(), 770 "127.0.0.1", 771 flags, 772 NULL, 773 empty_cert_list_, 774 &verify_result); 775 EXPECT_EQ(OK, error); 776 EXPECT_EQ(0U, verify_result.cert_status); 777 778 // Trust the root cert and distrust the intermediate. 779 EXPECT_TRUE(cert_db_->SetCertTrust( 780 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL)); 781 EXPECT_TRUE(cert_db_->SetCertTrust( 782 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL)); 783 EXPECT_EQ( 784 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA), 785 ca_certs[0]->os_cert_handle()->trust->sslFlags); 786 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 787 ca_certs[0]->os_cert_handle()->trust->emailFlags); 788 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 789 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags); 790 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD), 791 intermediate_certs[0]->os_cert_handle()->trust->sslFlags); 792 EXPECT_EQ(unsigned(CERTDB_VALID_CA), 793 intermediate_certs[0]->os_cert_handle()->trust->emailFlags); 794 EXPECT_EQ( 795 unsigned(CERTDB_VALID_CA), 796 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags); 797 798 // Server cert should fail to verify. 799 CertVerifyResult verify_result2; 800 error = verify_proc->Verify(certs[0].get(), 801 "127.0.0.1", 802 flags, 803 NULL, 804 empty_cert_list_, 805 &verify_result2); 806 EXPECT_EQ(ERR_CERT_REVOKED, error); 807 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status); 808 } 809 810 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) { 811 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { 812 // See http://bugzil.la/863947 for details. 813 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; 814 return; 815 } 816 817 NSSCertDatabase::ImportCertFailureList failed; 818 819 CertificateList intermediate_certs = CreateCertificateListFromFile( 820 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", 821 X509Certificate::FORMAT_AUTO); 822 ASSERT_EQ(1U, intermediate_certs.size()); 823 824 // Import Intermediate CA cert and trust it. 825 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs, 826 NSSCertDatabase::TRUSTED_SSL, &failed)); 827 EXPECT_EQ(0U, failed.size()); 828 829 CertificateList certs = CreateCertificateListFromFile( 830 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", 831 X509Certificate::FORMAT_AUTO); 832 ASSERT_EQ(1U, certs.size()); 833 834 // Import server cert with default trust. 835 EXPECT_TRUE(cert_db_->ImportServerCert( 836 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); 837 EXPECT_EQ(0U, failed.size()); 838 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 839 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); 840 841 // Server cert should verify. 842 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 843 int flags = 0; 844 CertVerifyResult verify_result; 845 int error = verify_proc->Verify(certs[0].get(), 846 "127.0.0.1", 847 flags, 848 NULL, 849 empty_cert_list_, 850 &verify_result); 851 EXPECT_EQ(OK, error); 852 EXPECT_EQ(0U, verify_result.cert_status); 853 854 // Without explicit trust of the intermediate, verification should fail. 855 EXPECT_TRUE(cert_db_->SetCertTrust( 856 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); 857 858 // Server cert should fail to verify. 859 CertVerifyResult verify_result2; 860 error = verify_proc->Verify(certs[0].get(), 861 "127.0.0.1", 862 flags, 863 NULL, 864 empty_cert_list_, 865 &verify_result2); 866 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 867 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); 868 } 869 870 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) { 871 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { 872 // See http://bugzil.la/863947 for details. 873 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; 874 return; 875 } 876 877 NSSCertDatabase::ImportCertFailureList failed; 878 879 CertificateList ca_certs = CreateCertificateListFromFile( 880 GetTestCertsDirectory(), "2048-rsa-root.pem", 881 X509Certificate::FORMAT_AUTO); 882 ASSERT_EQ(1U, ca_certs.size()); 883 884 // Import Root CA cert and default trust it. 885 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT, 886 &failed)); 887 EXPECT_EQ(0U, failed.size()); 888 889 CertificateList intermediate_certs = CreateCertificateListFromFile( 890 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", 891 X509Certificate::FORMAT_AUTO); 892 ASSERT_EQ(1U, intermediate_certs.size()); 893 894 // Import Intermediate CA cert and trust it. 895 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs, 896 NSSCertDatabase::TRUSTED_SSL, &failed)); 897 EXPECT_EQ(0U, failed.size()); 898 899 CertificateList certs = CreateCertificateListFromFile( 900 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", 901 X509Certificate::FORMAT_AUTO); 902 ASSERT_EQ(1U, certs.size()); 903 904 // Import server cert with default trust. 905 EXPECT_TRUE(cert_db_->ImportServerCert( 906 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); 907 EXPECT_EQ(0U, failed.size()); 908 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 909 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); 910 911 // Server cert should verify. 912 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 913 int flags = 0; 914 CertVerifyResult verify_result; 915 int error = verify_proc->Verify(certs[0].get(), 916 "127.0.0.1", 917 flags, 918 NULL, 919 empty_cert_list_, 920 &verify_result); 921 EXPECT_EQ(OK, error); 922 EXPECT_EQ(0U, verify_result.cert_status); 923 924 // Without explicit trust of the intermediate, verification should fail. 925 EXPECT_TRUE(cert_db_->SetCertTrust( 926 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); 927 928 // Server cert should fail to verify. 929 CertVerifyResult verify_result2; 930 error = verify_proc->Verify(certs[0].get(), 931 "127.0.0.1", 932 flags, 933 NULL, 934 empty_cert_list_, 935 &verify_result2); 936 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); 937 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status); 938 } 939 940 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) { 941 NSSCertDatabase::ImportCertFailureList failed; 942 943 CertificateList ca_certs = CreateCertificateListFromFile( 944 GetTestCertsDirectory(), "2048-rsa-root.pem", 945 X509Certificate::FORMAT_AUTO); 946 ASSERT_EQ(1U, ca_certs.size()); 947 948 // Import Root CA cert and trust it. 949 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL, 950 &failed)); 951 EXPECT_EQ(0U, failed.size()); 952 953 CertificateList intermediate_certs = CreateCertificateListFromFile( 954 GetTestCertsDirectory(), "2048-rsa-intermediate.pem", 955 X509Certificate::FORMAT_AUTO); 956 ASSERT_EQ(1U, intermediate_certs.size()); 957 958 // Import Intermediate CA cert and distrust it. 959 EXPECT_TRUE(cert_db_->ImportCACerts( 960 intermediate_certs, NSSCertDatabase::DISTRUSTED_SSL, &failed)); 961 EXPECT_EQ(0U, failed.size()); 962 963 CertificateList certs = CreateCertificateListFromFile( 964 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem", 965 X509Certificate::FORMAT_AUTO); 966 ASSERT_EQ(1U, certs.size()); 967 968 // Import server cert with default trust. 969 EXPECT_TRUE(cert_db_->ImportServerCert( 970 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); 971 EXPECT_EQ(0U, failed.size()); 972 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 973 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); 974 975 // Server cert should not verify. 976 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS()); 977 int flags = 0; 978 CertVerifyResult verify_result; 979 int error = verify_proc->Verify(certs[0].get(), 980 "127.0.0.1", 981 flags, 982 NULL, 983 empty_cert_list_, 984 &verify_result); 985 EXPECT_EQ(ERR_CERT_REVOKED, error); 986 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status); 987 988 // Without explicit distrust of the intermediate, verification should succeed. 989 EXPECT_TRUE(cert_db_->SetCertTrust( 990 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT)); 991 992 // Server cert should verify. 993 CertVerifyResult verify_result2; 994 error = verify_proc->Verify(certs[0].get(), 995 "127.0.0.1", 996 flags, 997 NULL, 998 empty_cert_list_, 999 &verify_result2); 1000 EXPECT_EQ(OK, error); 1001 EXPECT_EQ(0U, verify_result2.cert_status); 1002 } 1003 1004 // Importing two certificates with the same issuer and subject common name, 1005 // but overall distinct subject names, should succeed and generate a unique 1006 // nickname for the second certificate. 1007 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { 1008 CertificateList certs = 1009 CreateCertificateListFromFile(GetTestCertsDirectory(), 1010 "duplicate_cn_1.pem", 1011 X509Certificate::FORMAT_AUTO); 1012 ASSERT_EQ(1U, certs.size()); 1013 1014 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); 1015 1016 // Import server cert with default trust. 1017 NSSCertDatabase::ImportCertFailureList failed; 1018 EXPECT_TRUE(cert_db_->ImportServerCert( 1019 certs, NSSCertDatabase::TRUST_DEFAULT, &failed)); 1020 EXPECT_EQ(0U, failed.size()); 1021 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 1022 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); 1023 1024 CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle()); 1025 ASSERT_EQ(1U, new_certs.size()); 1026 1027 // Now attempt to import a different certificate with the same common name. 1028 CertificateList certs2 = 1029 CreateCertificateListFromFile(GetTestCertsDirectory(), 1030 "duplicate_cn_2.pem", 1031 X509Certificate::FORMAT_AUTO); 1032 ASSERT_EQ(1U, certs2.size()); 1033 1034 // Import server cert with default trust. 1035 EXPECT_TRUE(cert_db_->ImportServerCert( 1036 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed)); 1037 EXPECT_EQ(0U, failed.size()); 1038 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, 1039 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); 1040 1041 new_certs = ListCertsInSlot(slot_->os_module_handle()); 1042 ASSERT_EQ(2U, new_certs.size()); 1043 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, 1044 new_certs[1]->os_cert_handle()->nickname); 1045 } 1046 1047 } // namespace net 1048