1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/chromeos/policy/policy_cert_verifier.h"
8 #include "base/bind_helpers.h"
9 #include "base/callback.h"
10 #include "base/memory/ref_counted.h"
11 #include "base/memory/scoped_ptr.h"
12 #include "base/run_loop.h"
13 #include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h"
14 #include "content/public/browser/browser_thread.h"
15 #include "content/public/test/test_browser_thread_bundle.h"
16 #include "crypto/nss_util.h"
17 #include "crypto/nss_util_internal.h"
18 #include "net/base/net_log.h"
19 #include "net/base/test_completion_callback.h"
20 #include "net/base/test_data_directory.h"
21 #include "net/cert/cert_trust_anchor_provider.h"
22 #include "net/cert/cert_verify_result.h"
23 #include "net/cert/nss_cert_database.h"
24 #include "net/cert/x509_certificate.h"
25 #include "net/test/cert_test_util.h"
26 #include "testing/gtest/include/gtest/gtest.h"
30 // This is actually a unit test, but is linked with browser_tests because
31 // importing a certificate into the NSS test database persists for the duration
32 // of a process; since each browser_test runs in a separate process then this
33 // won't affect subsequent tests.
34 // This can be moved to the unittests target once the TODO in ~ScopedTestNSSDB
36 class PolicyCertVerifierTest : public testing::Test {
38 PolicyCertVerifierTest() : cert_db_(NULL), trust_anchor_used_(false) {}
40 virtual ~PolicyCertVerifierTest() {}
42 virtual void SetUp() OVERRIDE {
43 ASSERT_TRUE(test_nssdb_.is_open());
44 cert_db_ = net::NSSCertDatabase::GetInstance();
46 cert_verifier_.reset(new PolicyCertVerifier(base::Bind(
47 &PolicyCertVerifierTest::OnTrustAnchorUsed, base::Unretained(this))));
48 cert_verifier_->InitializeOnIOThread(new chromeos::CertVerifyProcChromeOS(
49 crypto::ScopedPK11Slot(crypto::GetPublicNSSKeySlot())));
51 test_ca_cert_ = LoadCertificate("root_ca_cert.pem", net::CA_CERT);
52 ASSERT_TRUE(test_ca_cert_);
53 test_server_cert_ = LoadCertificate("ok_cert.pem", net::SERVER_CERT);
54 ASSERT_TRUE(test_server_cert_);
55 test_ca_cert_list_.push_back(test_ca_cert_);
58 virtual void TearDown() OVERRIDE {
59 // Destroy |cert_verifier_| before destroying the ThreadBundle, otherwise
60 // BrowserThread::CurrentlyOn checks fail.
61 cert_verifier_.reset();
65 int VerifyTestServerCert(const net::TestCompletionCallback& test_callback,
66 net::CertVerifyResult* verify_result,
67 net::CertVerifier::RequestHandle* request_handle) {
68 return cert_verifier_->Verify(test_server_cert_.get(),
73 test_callback.callback(),
78 bool SupportsAdditionalTrustAnchors() {
79 scoped_refptr<net::CertVerifyProc> proc =
80 net::CertVerifyProc::CreateDefault();
81 return proc->SupportsAdditionalTrustAnchors();
84 // Returns whether |cert_verifier| signalled usage of one of the additional
85 // trust anchors (i.e. of |test_ca_cert_|) for the first time or since the
86 // last call of this function.
87 bool WasTrustAnchorUsedAndReset() {
88 base::RunLoop().RunUntilIdle();
89 bool result = trust_anchor_used_;
90 trust_anchor_used_ = false;
94 // |test_ca_cert_| is the issuer of |test_server_cert_|.
95 scoped_refptr<net::X509Certificate> test_ca_cert_;
96 scoped_refptr<net::X509Certificate> test_server_cert_;
97 net::CertificateList test_ca_cert_list_;
98 net::NSSCertDatabase* cert_db_;
99 scoped_ptr<PolicyCertVerifier> cert_verifier_;
102 void OnTrustAnchorUsed() {
103 trust_anchor_used_ = true;
106 scoped_refptr<net::X509Certificate> LoadCertificate(const std::string& name,
107 net::CertType type) {
108 scoped_refptr<net::X509Certificate> cert =
109 net::ImportCertFromFile(net::GetTestCertsDirectory(), name);
111 // No certificate is trusted right after it's loaded.
112 net::NSSCertDatabase::TrustBits trust =
113 cert_db_->GetCertTrust(cert.get(), type);
114 EXPECT_EQ(net::NSSCertDatabase::TRUST_DEFAULT, trust);
119 bool trust_anchor_used_;
120 crypto::ScopedTestNSSDB test_nssdb_;
121 content::TestBrowserThreadBundle thread_bundle_;
124 TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) {
125 // |test_server_cert_| is untrusted, so Verify() fails.
127 net::CertVerifyResult verify_result;
128 net::TestCompletionCallback callback;
129 net::CertVerifier::RequestHandle request_handle = NULL;
130 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
131 ASSERT_EQ(net::ERR_IO_PENDING, error);
132 EXPECT_TRUE(request_handle);
133 error = callback.WaitForResult();
134 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
137 // Issuing the same request again hits the cache. This tests the synchronous
140 net::CertVerifyResult verify_result;
141 net::TestCompletionCallback callback;
142 net::CertVerifier::RequestHandle request_handle = NULL;
143 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
144 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
147 EXPECT_FALSE(WasTrustAnchorUsedAndReset());
150 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) {
151 // Make the database trust |test_ca_cert_|.
152 net::NSSCertDatabase::ImportCertFailureList failure_list;
153 ASSERT_TRUE(cert_db_->ImportCACerts(
154 test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list));
155 ASSERT_TRUE(failure_list.empty());
157 // Verify that it is now trusted.
158 net::NSSCertDatabase::TrustBits trust =
159 cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT);
160 EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust);
162 // Verify() successfully verifies |test_server_cert_| after it was imported.
163 net::CertVerifyResult verify_result;
164 net::TestCompletionCallback callback;
165 net::CertVerifier::RequestHandle request_handle = NULL;
166 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
167 ASSERT_EQ(net::ERR_IO_PENDING, error);
168 EXPECT_TRUE(request_handle);
169 error = callback.WaitForResult();
170 EXPECT_EQ(net::OK, error);
172 // The additional trust anchors were not used, since the certificate is
173 // trusted from the database.
174 EXPECT_FALSE(WasTrustAnchorUsedAndReset());
177 TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) {
178 ASSERT_TRUE(SupportsAdditionalTrustAnchors());
180 // |test_server_cert_| is untrusted, so Verify() fails.
182 net::CertVerifyResult verify_result;
183 net::TestCompletionCallback callback;
184 net::CertVerifier::RequestHandle request_handle = NULL;
185 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
186 ASSERT_EQ(net::ERR_IO_PENDING, error);
187 EXPECT_TRUE(request_handle);
188 error = callback.WaitForResult();
189 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
191 EXPECT_FALSE(WasTrustAnchorUsedAndReset());
193 // Verify() again with the additional trust anchors.
194 cert_verifier_->SetTrustAnchors(test_ca_cert_list_);
196 net::CertVerifyResult verify_result;
197 net::TestCompletionCallback callback;
198 net::CertVerifier::RequestHandle request_handle = NULL;
199 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
200 ASSERT_EQ(net::ERR_IO_PENDING, error);
201 EXPECT_TRUE(request_handle);
202 error = callback.WaitForResult();
203 EXPECT_EQ(net::OK, error);
205 EXPECT_TRUE(WasTrustAnchorUsedAndReset());
207 // Verify() again with the additional trust anchors will hit the cache.
208 cert_verifier_->SetTrustAnchors(test_ca_cert_list_);
210 net::CertVerifyResult verify_result;
211 net::TestCompletionCallback callback;
212 net::CertVerifier::RequestHandle request_handle = NULL;
213 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
214 EXPECT_EQ(net::OK, error);
216 EXPECT_TRUE(WasTrustAnchorUsedAndReset());
218 // Verifying after removing the trust anchors should now fail.
219 cert_verifier_->SetTrustAnchors(net::CertificateList());
221 net::CertVerifyResult verify_result;
222 net::TestCompletionCallback callback;
223 net::CertVerifier::RequestHandle request_handle = NULL;
224 int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
225 // Note: this hits the cached result from the first Verify() in this test.
226 EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
228 // The additional trust anchors were reset, thus |cert_verifier_| should not
229 // signal it's usage anymore.
230 EXPECT_FALSE(WasTrustAnchorUsedAndReset());
233 } // namespace policy