1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 #include "chromeos/network/client_cert_resolver.h"
9 #include "base/file_util.h"
10 #include "base/files/file_path.h"
11 #include "base/json/json_reader.h"
12 #include "base/run_loop.h"
13 #include "base/strings/stringprintf.h"
14 #include "base/values.h"
15 #include "chromeos/dbus/dbus_thread_manager.h"
16 #include "chromeos/dbus/shill_profile_client.h"
17 #include "chromeos/dbus/shill_service_client.h"
18 #include "chromeos/login/login_state.h"
19 #include "chromeos/network/managed_network_configuration_handler_impl.h"
20 #include "chromeos/network/network_configuration_handler.h"
21 #include "chromeos/network/network_profile_handler.h"
22 #include "chromeos/network/network_state_handler.h"
23 #include "crypto/nss_util.h"
24 #include "net/base/crypto_module.h"
25 #include "net/base/net_errors.h"
26 #include "net/base/test_data_directory.h"
27 #include "net/cert/nss_cert_database.h"
28 #include "net/cert/x509_certificate.h"
29 #include "net/test/cert_test_util.h"
30 #include "testing/gtest/include/gtest/gtest.h"
31 #include "third_party/cros_system_api/dbus/service_constants.h"
37 const char* kWifiStub = "wifi_stub";
38 const char* kWifiSSID = "wifi_ssid";
39 const char* kUserProfilePath = "user_profile";
40 const char* kUserHash = "user_hash";
44 class ClientCertResolverTest : public testing::Test {
46 ClientCertResolverTest() {}
47 virtual ~ClientCertResolverTest() {}
49 virtual void SetUp() OVERRIDE {
50 ASSERT_TRUE(test_nssdb_.is_open());
51 slot_ = net::NSSCertDatabase::GetInstance()->GetPublicModule();
52 ASSERT_TRUE(slot_->os_module_handle());
54 LoginState::Initialize();
56 DBusThreadManager::InitializeWithStub();
58 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface();
60 DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface();
61 message_loop_.RunUntilIdle();
62 service_test_->ClearServices();
63 message_loop_.RunUntilIdle();
65 CertLoader::Initialize();
66 CertLoader* cert_loader = CertLoader::Get();
67 cert_loader->InitializeTPMForTest();
68 cert_loader->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
69 cert_loader->SetCryptoTaskRunner(message_loop_.message_loop_proxy());
72 virtual void TearDown() OVERRIDE {
73 client_cert_resolver_.reset();
74 managed_config_handler_.reset();
75 network_config_handler_.reset();
76 network_profile_handler_.reset();
77 network_state_handler_.reset();
78 CertLoader::Shutdown();
79 DBusThreadManager::Shutdown();
80 LoginState::Shutdown();
81 CleanupSlotContents();
85 // Imports a CA cert (stored as PEM in test_ca_cert_pem_) and a client
86 // certificate signed by that CA. Its PKCS#11 ID is stored in
88 void SetupTestCerts() {
90 net::NSSCertDatabase* cert_db = net::NSSCertDatabase::GetInstance();
91 net::CertificateList ca_cert_list =
92 net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
93 "websocket_cacert.pem",
94 net::X509Certificate::FORMAT_AUTO);
95 ASSERT_TRUE(!ca_cert_list.empty());
96 net::NSSCertDatabase::ImportCertFailureList failures;
97 EXPECT_TRUE(cert_db->ImportCACerts(
98 ca_cert_list, net::NSSCertDatabase::TRUST_DEFAULT, &failures));
99 ASSERT_TRUE(failures.empty()) << net::ErrorToString(failures[0].net_error);
101 net::X509Certificate::GetPEMEncoded(ca_cert_list[0]->os_cert_handle(),
103 ASSERT_TRUE(!test_ca_cert_pem_.empty());
105 // Import a client cert signed by that CA.
106 scoped_refptr<net::CryptoModule> crypt_module = cert_db->GetPrivateModule();
107 std::string pkcs12_data;
108 ASSERT_TRUE(base::ReadFileToString(
109 net::GetTestCertsDirectory().Append("websocket_client_cert.p12"),
112 net::CertificateList client_cert_list;
114 cert_db->ImportFromPKCS12(crypt_module.get(),
119 ASSERT_TRUE(!client_cert_list.empty());
120 test_pkcs11_id_ = CertLoader::GetPkcs11IdForCert(*client_cert_list[0]);
121 ASSERT_TRUE(!test_pkcs11_id_.empty());
124 void SetupNetworkHandlers() {
125 network_state_handler_.reset(NetworkStateHandler::InitializeForTest());
126 network_profile_handler_.reset(new NetworkProfileHandler());
127 network_config_handler_.reset(new NetworkConfigurationHandler());
128 managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl());
129 client_cert_resolver_.reset(new ClientCertResolver());
131 network_profile_handler_->Init(network_state_handler_.get());
132 network_config_handler_->Init(network_state_handler_.get());
133 managed_config_handler_->Init(network_state_handler_.get(),
134 network_profile_handler_.get(),
135 network_config_handler_.get());
136 client_cert_resolver_->Init(network_state_handler_.get(),
137 managed_config_handler_.get());
138 client_cert_resolver_->SetSlowTaskRunnerForTest(
139 message_loop_.message_loop_proxy());
141 profile_test_->AddProfile(kUserProfilePath, kUserHash);
145 const bool add_to_visible = true;
146 const bool add_to_watchlist = true;
147 service_test_->AddService(kWifiStub,
153 service_test_->SetServiceProperty(
154 kWifiStub, shill::kGuidProperty, base::StringValue(kWifiStub));
156 profile_test_->AddService(kUserProfilePath, kWifiStub);
159 // Setup a policy with a certificate pattern that matches any client cert that
160 // is signed by the test CA cert (stored in |test_ca_cert_pem_|). In
161 // particular it will match the test client cert.
163 const char* kTestPolicyTemplate =
164 "[ { \"GUID\": \"wifi_stub\","
165 " \"Name\": \"wifi_stub\","
166 " \"Type\": \"WiFi\","
168 " \"Security\": \"WPA-EAP\","
169 " \"SSID\": \"wifi_ssid\","
171 " \"Outer\": \"EAP-TLS\","
172 " \"ClientCertType\": \"Pattern\","
173 " \"ClientCertPattern\": {"
174 " \"IssuerCAPEMs\": [ \"%s\" ]"
179 std::string policy_json =
180 base::StringPrintf(kTestPolicyTemplate, test_ca_cert_pem_.c_str());
183 scoped_ptr<base::Value> policy_value(base::JSONReader::ReadAndReturnError(
184 policy_json, base::JSON_ALLOW_TRAILING_COMMAS, NULL, &error));
185 ASSERT_TRUE(policy_value) << error;
187 base::ListValue* policy = NULL;
188 ASSERT_TRUE(policy_value->GetAsList(&policy));
190 managed_config_handler_->SetPolicy(
191 onc::ONC_SOURCE_USER_POLICY,
194 base::DictionaryValue() /* no global network config */);
197 void GetClientCertProperties(std::string* pkcs11_id) {
199 const base::DictionaryValue* properties =
200 service_test_->GetServiceProperties(kWifiStub);
203 properties->GetStringWithoutPathExpansion(shill::kEapCertIdProperty,
207 ShillServiceClient::TestInterface* service_test_;
208 ShillProfileClient::TestInterface* profile_test_;
209 std::string test_pkcs11_id_;
210 scoped_refptr<net::X509Certificate> test_ca_cert_;
211 std::string test_ca_cert_pem_;
212 base::MessageLoop message_loop_;
215 void CleanupSlotContents() {
216 CERTCertList* cert_list = PK11_ListCertsInSlot(slot_->os_module_handle());
217 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
218 !CERT_LIST_END(node, cert_list);
219 node = CERT_LIST_NEXT(node)) {
220 scoped_refptr<net::X509Certificate> cert(
221 net::X509Certificate::CreateFromHandle(
222 node->cert, net::X509Certificate::OSCertHandles()));
223 net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(cert.get());
225 CERT_DestroyCertList(cert_list);
228 scoped_ptr<NetworkStateHandler> network_state_handler_;
229 scoped_ptr<NetworkProfileHandler> network_profile_handler_;
230 scoped_ptr<NetworkConfigurationHandler> network_config_handler_;
231 scoped_ptr<ManagedNetworkConfigurationHandlerImpl> managed_config_handler_;
232 scoped_ptr<ClientCertResolver> client_cert_resolver_;
233 scoped_refptr<net::CryptoModule> slot_;
234 crypto::ScopedTestNSSDB test_nssdb_;
236 DISALLOW_COPY_AND_ASSIGN(ClientCertResolverTest);
239 TEST_F(ClientCertResolverTest, NoMatchingCertificates) {
240 SetupNetworkHandlers();
242 message_loop_.RunUntilIdle();
245 message_loop_.RunUntilIdle();
247 // Verify that no client certificate was configured.
248 std::string pkcs11_id;
249 GetClientCertProperties(&pkcs11_id);
250 EXPECT_TRUE(pkcs11_id.empty());
253 TEST_F(ClientCertResolverTest, ResolveOnInitialization) {
255 SetupNetworkHandlers();
257 message_loop_.RunUntilIdle();
260 message_loop_.RunUntilIdle();
262 // Verify that the resolver positively matched the pattern in the policy with
263 // the test client cert and configured the network.
264 std::string pkcs11_id;
265 GetClientCertProperties(&pkcs11_id);
266 EXPECT_EQ(test_pkcs11_id_, pkcs11_id);
269 TEST_F(ClientCertResolverTest, ResolveAfterPolicyApplication) {
271 SetupNetworkHandlers();
272 message_loop_.RunUntilIdle();
274 // The policy will trigger the creation of a new wifi service.
276 message_loop_.RunUntilIdle();
278 // Verify that the resolver positively matched the pattern in the policy with
279 // the test client cert and configured the network.
280 std::string pkcs11_id;
281 GetClientCertProperties(&pkcs11_id);
282 EXPECT_EQ(test_pkcs11_id_, pkcs11_id);
285 } // namespace chromeos