src/chromeos/cert_loader_unittest.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chromeos/cert_loader.h"
   6
   7 #include "base/bind.h"
   8 #include "base/file_util.h"
   9 #include "base/memory/scoped_ptr.h"
  10 #include "base/message_loop/message_loop.h"
  11 #include "base/run_loop.h"
  12 #include "crypto/nss_util.h"
  13 #include "crypto/nss_util_internal.h"
  14 #include "crypto/scoped_nss_types.h"
  15 #include "net/base/net_errors.h"
  16 #include "net/base/test_data_directory.h"
  17 #include "net/cert/nss_cert_database_chromeos.h"
  18 #include "net/cert/x509_certificate.h"
  19 #include "net/test/cert_test_util.h"
  20 #include "testing/gtest/include/gtest/gtest.h"
  21
  22 namespace chromeos {
  23 namespace {
  24
  25 bool IsCertInCertificateList(const net::X509Certificate* cert,
  26                              const net::CertificateList& cert_list) {
  27   for (net::CertificateList::const_iterator it = cert_list.begin();
  28        it != cert_list.end();
  29        ++it) {
  30     if (net::X509Certificate::IsSameOSCert((*it)->os_cert_handle(),
  31                                             cert->os_cert_handle())) {
  32       return true;
  33     }
  34   }
  35   return false;
  36 }
  37
  38 void FailOnPrivateSlotCallback(crypto::ScopedPK11Slot slot) {
  39   EXPECT_FALSE(true) << "GetPrivateSlotForChromeOSUser callback called even "
  40                      << "though the private slot had been initialized.";
  41 }
  42
  43 class CertLoaderTest : public testing::Test,
  44                        public CertLoader::Observer {
  45  public:
  46   CertLoaderTest() : cert_loader_(NULL),
  47                      primary_user_("primary"),
  48                      certificates_loaded_events_count_(0U) {
  49   }
  50
  51   virtual ~CertLoaderTest() {}
  52
  53   virtual void SetUp() OVERRIDE {
  54     ASSERT_TRUE(primary_user_.constructed_successfully());
  55     ASSERT_TRUE(
  56         crypto::GetPublicSlotForChromeOSUser(primary_user_.username_hash()));
  57
  58     CertLoader::Initialize();
  59     cert_loader_ = CertLoader::Get();
  60     cert_loader_->AddObserver(this);
  61   }
  62
  63   virtual void TearDown() {
  64     cert_loader_->RemoveObserver(this);
  65     CertLoader::Shutdown();
  66   }
  67
  68  protected:
  69   void StartCertLoaderWithPrimaryUser() {
  70     FinishUserInitAndGetDatabase(&primary_user_, &primary_db_);
  71     cert_loader_->StartWithNSSDB(primary_db_.get());
  72
  73     base::RunLoop().RunUntilIdle();
  74     GetAndResetCertificatesLoadedEventsCount();
  75   }
  76
  77   // CertLoader::Observer:
  78   // The test keeps count of times the observer method was called.
  79   virtual void OnCertificatesLoaded(const net::CertificateList& cert_list,
  80                                     bool initial_load) OVERRIDE {
  81     EXPECT_TRUE(certificates_loaded_events_count_ == 0 || !initial_load);
  82     certificates_loaded_events_count_++;
  83   }
  84
  85   // Returns the number of |OnCertificatesLoaded| calls observed since the
  86   // last call to this method equals |value|.
  87   size_t GetAndResetCertificatesLoadedEventsCount() {
  88     size_t result = certificates_loaded_events_count_;
  89     certificates_loaded_events_count_ = 0;
  90     return result;
  91   }
  92
  93   // Finishes initialization for the |user| and returns a user's NSS database
  94   // instance.
  95   void FinishUserInitAndGetDatabase(
  96       crypto::ScopedTestNSSChromeOSUser* user,
  97       scoped_ptr<net::NSSCertDatabaseChromeOS>* database) {
  98     ASSERT_TRUE(user->constructed_successfully());
  99
 100     user->FinishInit();
 101
 102     crypto::ScopedPK11Slot private_slot(
 103         crypto::GetPrivateSlotForChromeOSUser(
 104             user->username_hash(),
 105             base::Bind(&FailOnPrivateSlotCallback)));
 106     ASSERT_TRUE(private_slot);
 107
 108     database->reset(new net::NSSCertDatabaseChromeOS(
 109         crypto::GetPublicSlotForChromeOSUser(user->username_hash()),
 110         private_slot.Pass()));
 111     (*database)->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
 112   }
 113
 114   int GetDbPrivateSlotId(net::NSSCertDatabase* db) {
 115     return static_cast<int>(PK11_GetSlotID(db->GetPrivateSlot().get()));
 116   }
 117
 118   void ImportCACert(const std::string& cert_file,
 119                     net::NSSCertDatabase* database,
 120                     net::CertificateList* imported_certs) {
 121     ASSERT_TRUE(database);
 122     ASSERT_TRUE(imported_certs);
 123
 124     // Add a certificate to the user's db.
 125     *imported_certs = net::CreateCertificateListFromFile(
 126         net::GetTestCertsDirectory(),
 127         cert_file,
 128         net::X509Certificate::FORMAT_AUTO);
 129     ASSERT_EQ(1U, imported_certs->size());
 130
 131     net::NSSCertDatabase::ImportCertFailureList failed;
 132     ASSERT_TRUE(database->ImportCACerts(*imported_certs,
 133                                         net::NSSCertDatabase::TRUST_DEFAULT,
 134                                         &failed));
 135     ASSERT_TRUE(failed.empty());
 136   }
 137
 138   void ImportClientCertAndKey(const std::string& pkcs12_file,
 139                               net::NSSCertDatabase* database,
 140                               net::CertificateList* imported_certs) {
 141     ASSERT_TRUE(database);
 142     ASSERT_TRUE(imported_certs);
 143
 144     std::string pkcs12_data;
 145     base::FilePath pkcs12_file_path =
 146         net::GetTestCertsDirectory().Append(pkcs12_file);
 147     ASSERT_TRUE(base::ReadFileToString(pkcs12_file_path, &pkcs12_data));
 148
 149     net::CertificateList client_cert_list;
 150     scoped_refptr<net::CryptoModule> module(net::CryptoModule::CreateFromHandle(
 151         database->GetPrivateSlot().get()));
 152     ASSERT_EQ(
 153         net::OK,
 154         database->ImportFromPKCS12(module, pkcs12_data, base::string16(), false,
 155                                    imported_certs));
 156     ASSERT_EQ(1U, imported_certs->size());
 157   }
 158
 159   CertLoader* cert_loader_;
 160
 161   // The user is primary as the one whose certificates CertLoader handles, it
 162   // has nothing to do with crypto::InitializeNSSForChromeOSUser is_primary_user
 163   // parameter (which is irrelevant for these tests).
 164   crypto::ScopedTestNSSChromeOSUser primary_user_;
 165   scoped_ptr<net::NSSCertDatabaseChromeOS> primary_db_;
 166
 167   base::MessageLoop message_loop_;
 168
 169  private:
 170   size_t certificates_loaded_events_count_;
 171 };
 172
 173 TEST_F(CertLoaderTest, Basic) {
 174   EXPECT_FALSE(cert_loader_->CertificatesLoading());
 175   EXPECT_FALSE(cert_loader_->certificates_loaded());
 176   EXPECT_FALSE(cert_loader_->IsHardwareBacked());
 177
 178   FinishUserInitAndGetDatabase(&primary_user_, &primary_db_);
 179
 180   cert_loader_->StartWithNSSDB(primary_db_.get());
 181
 182   EXPECT_FALSE(cert_loader_->certificates_loaded());
 183   EXPECT_TRUE(cert_loader_->CertificatesLoading());
 184   EXPECT_TRUE(cert_loader_->cert_list().empty());
 185
 186   ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
 187   base::RunLoop().RunUntilIdle();
 188   EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 189
 190   EXPECT_TRUE(cert_loader_->certificates_loaded());
 191   EXPECT_FALSE(cert_loader_->CertificatesLoading());
 192   EXPECT_EQ(GetDbPrivateSlotId(primary_db_.get()),
 193             cert_loader_->TPMTokenSlotID());
 194
 195   // Default CA cert roots should get loaded.
 196   EXPECT_FALSE(cert_loader_->cert_list().empty());
 197 }
 198
 199 TEST_F(CertLoaderTest, CertLoaderUpdatesCertListOnNewCert) {
 200   StartCertLoaderWithPrimaryUser();
 201
 202   net::CertificateList certs;
 203   ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs);
 204
 205   // Certs are loaded asynchronously, so the new cert should not yet be in the
 206   // cert list.
 207   EXPECT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
 208
 209   ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
 210   base::RunLoop().RunUntilIdle();
 211   EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 212
 213   // The certificate list should be updated now, as the message loop's been run.
 214   EXPECT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
 215 }
 216
 217 TEST_F(CertLoaderTest, CertLoaderNoUpdateOnSecondaryDbChanges) {
 218   crypto::ScopedTestNSSChromeOSUser secondary_user("secondary");
 219   scoped_ptr<net::NSSCertDatabaseChromeOS> secondary_db;
 220
 221   StartCertLoaderWithPrimaryUser();
 222   FinishUserInitAndGetDatabase(&secondary_user, &secondary_db);
 223
 224   net::CertificateList certs;
 225   ImportCACert("root_ca_cert.pem", secondary_db.get(), &certs);
 226
 227   base::RunLoop().RunUntilIdle();
 228
 229   EXPECT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
 230 }
 231
 232 TEST_F(CertLoaderTest, ClientLoaderUpdateOnNewClientCert) {
 233   StartCertLoaderWithPrimaryUser();
 234
 235   net::CertificateList certs;
 236   ImportClientCertAndKey("websocket_client_cert.p12",
 237                          primary_db_.get(),
 238                          &certs);
 239
 240   ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
 241   base::RunLoop().RunUntilIdle();
 242   EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 243
 244   EXPECT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
 245 }
 246
 247 TEST_F(CertLoaderTest, CertLoaderNoUpdateOnNewClientCertInSecondaryDb) {
 248   crypto::ScopedTestNSSChromeOSUser secondary_user("secondary");
 249   scoped_ptr<net::NSSCertDatabaseChromeOS> secondary_db;
 250
 251   StartCertLoaderWithPrimaryUser();
 252   FinishUserInitAndGetDatabase(&secondary_user, &secondary_db);
 253
 254   net::CertificateList certs;
 255   ImportClientCertAndKey("websocket_client_cert.p12",
 256                          secondary_db.get(),
 257                          &certs);
 258
 259   base::RunLoop().RunUntilIdle();
 260
 261   EXPECT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
 262 }
 263
 264 TEST_F(CertLoaderTest, UpdatedOnCertRemoval) {
 265   StartCertLoaderWithPrimaryUser();
 266
 267   net::CertificateList certs;
 268   ImportClientCertAndKey("websocket_client_cert.p12",
 269                          primary_db_.get(),
 270                          &certs);
 271
 272   base::RunLoop().RunUntilIdle();
 273
 274   ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 275   ASSERT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
 276
 277   primary_db_->DeleteCertAndKey(certs[0]);
 278
 279   ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
 280   base::RunLoop().RunUntilIdle();
 281   EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 282
 283   ASSERT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
 284 }
 285
 286 TEST_F(CertLoaderTest, UpdatedOnCACertTrustChange) {
 287   StartCertLoaderWithPrimaryUser();
 288
 289   net::CertificateList certs;
 290   ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs);
 291
 292   base::RunLoop().RunUntilIdle();
 293   ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 294   ASSERT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
 295
 296   // The value that should have been set by |ImportCACert|.
 297   ASSERT_EQ(net::NSSCertDatabase::TRUST_DEFAULT,
 298             primary_db_->GetCertTrust(certs[0], net::CA_CERT));
 299   ASSERT_TRUE(primary_db_->SetCertTrust(
 300       certs[0], net::CA_CERT, net::NSSCertDatabase::TRUSTED_SSL));
 301
 302   // Cert trust change should trigger certificate reload in cert_loader_.
 303   ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
 304   base::RunLoop().RunUntilIdle();
 305   EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 306 }
 307
 308 TEST_F(CertLoaderTest, DatabaseWithUnsetSlots) {
 309   primary_db_.reset(new net::NSSCertDatabaseChromeOS(crypto::ScopedPK11Slot(),
 310                                                      crypto::ScopedPK11Slot()));
 311   primary_db_->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
 312   cert_loader_->StartWithNSSDB(primary_db_.get());
 313
 314   base::RunLoop().RunUntilIdle();
 315   EXPECT_EQ(1u, GetAndResetCertificatesLoadedEventsCount());
 316
 317   EXPECT_TRUE(cert_loader_->certificates_loaded());
 318   EXPECT_EQ(-1, cert_loader_->TPMTokenSlotID());
 319   EXPECT_FALSE(cert_loader_->IsHardwareBacked());
 320 }
 321
 322 }  // namespace
 323 }  // namespace chromeos