1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "base/files/file_path.h" 6 #include "build/build_config.h" 7 #include "net/base/net_errors.h" 8 #include "net/base/test_data_directory.h" 9 #include "net/cert/cert_status_flags.h" 10 #include "net/cert/cert_verify_proc.h" 11 #include "net/cert/cert_verify_result.h" 12 #include "net/cert/test_root_certs.h" 13 #include "net/cert/x509_certificate.h" 14 #include "net/test/cert_test_util.h" 15 #include "testing/gtest/include/gtest/gtest.h" 16 17 #if defined(USE_NSS) || defined(OS_IOS) 18 #include <nss.h> 19 #endif 20 21 namespace net { 22 23 namespace { 24 25 // The local test root certificate. 26 const char kRootCertificateFile[] = "root_ca_cert.pem"; 27 // A certificate issued by the local test root for 127.0.0.1. 28 const char kGoodCertificateFile[] = "ok_cert.pem"; 29 30 } // namespace 31 32 // Test basic functionality when adding from an existing X509Certificate. 33 TEST(TestRootCertsTest, AddFromPointer) { 34 scoped_refptr<X509Certificate> root_cert = 35 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile); 36 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); 37 38 TestRootCerts* test_roots = TestRootCerts::GetInstance(); 39 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); 40 EXPECT_TRUE(test_roots->IsEmpty()); 41 42 EXPECT_TRUE(test_roots->Add(root_cert.get())); 43 EXPECT_FALSE(test_roots->IsEmpty()); 44 45 test_roots->Clear(); 46 EXPECT_TRUE(test_roots->IsEmpty()); 47 } 48 49 // Test basic functionality when adding directly from a file, which should 50 // behave the same as when adding from an existing certificate. 51 TEST(TestRootCertsTest, AddFromFile) { 52 TestRootCerts* test_roots = TestRootCerts::GetInstance(); 53 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); 54 EXPECT_TRUE(test_roots->IsEmpty()); 55 56 base::FilePath cert_path = 57 GetTestCertsDirectory().AppendASCII(kRootCertificateFile); 58 EXPECT_TRUE(test_roots->AddFromFile(cert_path)); 59 EXPECT_FALSE(test_roots->IsEmpty()); 60 61 test_roots->Clear(); 62 EXPECT_TRUE(test_roots->IsEmpty()); 63 } 64 65 // Test that TestRootCerts actually adds the appropriate trust status flags 66 // when requested, and that the trusted status is cleared once the root is 67 // removed the TestRootCerts. This test acts as a canary/sanity check for 68 // the results of the rest of net_unittests, ensuring that the trust status 69 // is properly being set and cleared. 70 TEST(TestRootCertsTest, OverrideTrust) { 71 #if defined(USE_NSS) || defined(OS_IOS) 72 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { 73 // See http://bugzil.la/863947 for details 74 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; 75 return; 76 } 77 #endif 78 79 TestRootCerts* test_roots = TestRootCerts::GetInstance(); 80 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); 81 EXPECT_TRUE(test_roots->IsEmpty()); 82 83 scoped_refptr<X509Certificate> test_cert = 84 ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile); 85 ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert.get()); 86 87 // Test that the good certificate fails verification, because the root 88 // certificate should not yet be trusted. 89 int flags = 0; 90 CertVerifyResult bad_verify_result; 91 scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); 92 int bad_status = verify_proc->Verify(test_cert.get(), 93 "127.0.0.1", 94 flags, 95 NULL, 96 CertificateList(), 97 &bad_verify_result); 98 EXPECT_NE(OK, bad_status); 99 EXPECT_NE(0u, bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); 100 101 // Add the root certificate and mark it as trusted. 102 EXPECT_TRUE(test_roots->AddFromFile( 103 GetTestCertsDirectory().AppendASCII(kRootCertificateFile))); 104 EXPECT_FALSE(test_roots->IsEmpty()); 105 106 // Test that the certificate verification now succeeds, because the 107 // TestRootCerts is successfully imbuing trust. 108 CertVerifyResult good_verify_result; 109 int good_status = verify_proc->Verify(test_cert.get(), 110 "127.0.0.1", 111 flags, 112 NULL, 113 CertificateList(), 114 &good_verify_result); 115 EXPECT_EQ(OK, good_status); 116 EXPECT_EQ(0u, good_verify_result.cert_status); 117 118 test_roots->Clear(); 119 EXPECT_TRUE(test_roots->IsEmpty()); 120 121 // Ensure that when the TestRootCerts is cleared, the trust settings 122 // revert to their original state, and don't linger. If trust status 123 // lingers, it will likely break other tests in net_unittests. 124 CertVerifyResult restored_verify_result; 125 int restored_status = verify_proc->Verify(test_cert.get(), 126 "127.0.0.1", 127 flags, 128 NULL, 129 CertificateList(), 130 &restored_verify_result); 131 EXPECT_NE(OK, restored_status); 132 EXPECT_NE(0u, 133 restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); 134 EXPECT_EQ(bad_status, restored_status); 135 EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status); 136 } 137 138 #if defined(USE_NSS) || (defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)) 139 TEST(TestRootCertsTest, Contains) { 140 // Another test root certificate. 141 const char kRootCertificateFile2[] = "2048-rsa-root.pem"; 142 143 TestRootCerts* test_roots = TestRootCerts::GetInstance(); 144 ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); 145 146 scoped_refptr<X509Certificate> root_cert_1 = 147 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile); 148 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_1.get()); 149 150 scoped_refptr<X509Certificate> root_cert_2 = 151 ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile2); 152 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_2.get()); 153 154 EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle())); 155 EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle())); 156 157 EXPECT_TRUE(test_roots->Add(root_cert_1.get())); 158 EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle())); 159 EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle())); 160 161 EXPECT_TRUE(test_roots->Add(root_cert_2.get())); 162 EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle())); 163 EXPECT_TRUE(test_roots->Contains(root_cert_2->os_cert_handle())); 164 165 test_roots->Clear(); 166 EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle())); 167 EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle())); 168 } 169 #endif 170 171 // TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that 172 // TestRootCerts properly injects itself into the validation process. See 173 // http://crbug.com/63958 174 175 } // namespace net 176
