1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
11 #include "base/file_util.h"
12 #include "base/files/file_path.h"
13 #include "base/lazy_instance.h"
14 #include "base/message_loop/message_loop.h"
15 #include "base/path_service.h"
16 #include "base/strings/string16.h"
17 #include "base/strings/string_util.h"
18 #include "base/strings/utf_string_conversions.h"
19 #include "crypto/nss_util.h"
20 #include "crypto/nss_util_internal.h"
21 #include "crypto/scoped_nss_types.h"
22 #include "net/base/crypto_module.h"
23 #include "net/base/net_errors.h"
24 #include "net/base/test_data_directory.h"
25 #include "net/cert/cert_status_flags.h"
26 #include "net/cert/cert_verify_proc_nss.h"
27 #include "net/cert/cert_verify_result.h"
28 #include "net/cert/nss_cert_database.h"
29 #include "net/cert/x509_certificate.h"
30 #include "net/test/cert_test_util.h"
31 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
32 #include "testing/gtest/include/gtest/gtest.h"
34 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
35 // the new name of the macro.
36 #if !defined(CERTDB_TERMINAL_RECORD)
37 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
42 class CertDatabaseNSSTest : public testing::Test {
44 virtual void SetUp() {
45 ASSERT_TRUE(test_nssdb_.is_open());
46 cert_db_ = NSSCertDatabase::GetInstance();
47 slot_ = cert_db_->GetPublicModule();
49 // Test db should be empty at start of test.
50 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
53 virtual void TearDown() {
54 // Don't try to cleanup if the setup failed.
55 ASSERT_TRUE(slot_->os_module_handle());
57 EXPECT_TRUE(CleanupSlotContents());
59 // Run the message loop to process any observer callbacks (e.g. for the
60 // ClientSocketFactory singleton) so that the scoped ref ptrs created in
61 // NSSCertDatabase::NotifyObservers* get released.
62 base::MessageLoop::current()->RunUntilIdle();
64 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
68 static std::string ReadTestFile(const std::string& name) {
70 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name);
71 EXPECT_TRUE(base::ReadFileToString(cert_path, &result));
75 static bool ReadCertIntoList(const std::string& name,
76 CertificateList* certs) {
77 scoped_refptr<X509Certificate> cert(
78 ImportCertFromFile(GetTestCertsDirectory(), name));
82 certs->push_back(cert);
86 static CertificateList ListCertsInSlot(PK11SlotInfo* slot) {
87 CertificateList result;
88 CERTCertList* cert_list = PK11_ListCertsInSlot(slot);
89 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
90 !CERT_LIST_END(node, cert_list);
91 node = CERT_LIST_NEXT(node)) {
92 result.push_back(X509Certificate::CreateFromHandle(
93 node->cert, X509Certificate::OSCertHandles()));
95 CERT_DestroyCertList(cert_list);
97 // Sort the result so that test comparisons can be deterministic.
98 std::sort(result.begin(), result.end(), X509Certificate::LessThan());
102 scoped_refptr<CryptoModule> slot_;
103 NSSCertDatabase* cert_db_;
104 const CertificateList empty_cert_list_;
107 bool CleanupSlotContents() {
109 CertificateList certs = ListCertsInSlot(slot_->os_module_handle());
110 CERTCertTrust default_trust = {0};
111 for (size_t i = 0; i < certs.size(); ++i) {
112 // Reset cert trust values to defaults before deleting. Otherwise NSS
113 // somehow seems to remember the trust which can break following tests.
114 SECStatus srv = CERT_ChangeCertTrust(
115 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust);
116 if (srv != SECSuccess)
119 if (!cert_db_->DeleteCertAndKey(certs[i].get()))
125 crypto::ScopedTestNSSDB test_nssdb_;
128 TEST_F(CertDatabaseNSSTest, ListCerts) {
129 // This test isn't terribly useful, though it will at least let valgrind test
131 CertificateList certs;
132 cert_db_->ListCerts(&certs);
133 // The test DB is empty, but let's assume there will always be something in
135 EXPECT_LT(0U, certs.size());
138 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {
139 std::string pkcs12_data = ReadTestFile("client.p12");
141 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,
142 cert_db_->ImportFromPKCS12(slot_.get(),
145 true, // is_extractable
148 // Test db should still be empty.
149 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
152 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {
153 std::string pkcs12_data = ReadTestFile("client.p12");
156 cert_db_->ImportFromPKCS12(slot_.get(),
158 ASCIIToUTF16("12345"),
159 true, // is_extractable
162 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
163 ASSERT_EQ(1U, cert_list.size());
164 scoped_refptr<X509Certificate> cert(cert_list[0]);
166 EXPECT_EQ("testusercert",
167 cert->subject().common_name);
169 // TODO(mattm): move export test to separate test case?
170 std::string exported_data;
171 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
173 ASSERT_LT(0U, exported_data.size());
174 // TODO(mattm): further verification of exported data?
177 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {
178 std::string pkcs12_data = ReadTestFile("client.p12");
181 cert_db_->ImportFromPKCS12(slot_.get(),
183 ASCIIToUTF16("12345"),
184 true, // is_extractable
186 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
188 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like
189 // it's ever used. This test verifies that.
191 cert_db_->ImportFromPKCS12(slot_.get(),
193 ASCIIToUTF16("12345"),
194 true, // is_extractable
196 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
199 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
200 std::string pkcs12_data = ReadTestFile("client.p12");
203 cert_db_->ImportFromPKCS12(slot_.get(),
205 ASCIIToUTF16("12345"),
206 false, // is_extractable
209 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
210 ASSERT_EQ(1U, cert_list.size());
211 scoped_refptr<X509Certificate> cert(cert_list[0]);
213 EXPECT_EQ("testusercert",
214 cert->subject().common_name);
216 std::string exported_data;
217 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
221 // Importing a PKCS#12 file with a certificate but no corresponding
222 // private key should not mark an existing private key as unextractable.
223 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) {
224 std::string pkcs12_data = ReadTestFile("client.p12");
226 cert_db_->ImportFromPKCS12(slot_.get(),
228 ASCIIToUTF16("12345"),
229 true, // is_extractable
232 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
233 ASSERT_EQ(1U, cert_list.size());
235 // Now import a PKCS#12 file with just a certificate but no private key.
236 pkcs12_data = ReadTestFile("client-nokey.p12");
238 cert_db_->ImportFromPKCS12(slot_.get(),
240 ASCIIToUTF16("12345"),
241 false, // is_extractable
244 cert_list = ListCertsInSlot(slot_->os_module_handle());
245 ASSERT_EQ(1U, cert_list.size());
247 // Make sure the imported private key is still extractable.
248 std::string exported_data;
249 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
251 ASSERT_LT(0U, exported_data.size());
254 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
255 std::string pkcs12_data = "Foobarbaz";
257 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,
258 cert_db_->ImportFromPKCS12(slot_.get(),
261 true, // is_extractable
264 // Test db should still be empty.
265 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
268 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
269 CertificateList certs = CreateCertificateListFromFile(
270 GetTestCertsDirectory(), "root_ca_cert.pem",
271 X509Certificate::FORMAT_AUTO);
272 ASSERT_EQ(1U, certs.size());
273 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
276 NSSCertDatabase::ImportCertFailureList failed;
277 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
280 EXPECT_EQ(0U, failed.size());
282 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
283 ASSERT_EQ(1U, cert_list.size());
284 scoped_refptr<X509Certificate> cert(cert_list[0]);
285 EXPECT_EQ("Test Root CA", cert->subject().common_name);
287 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
288 cert_db_->GetCertTrust(cert.get(), CA_CERT));
290 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
291 CERTDB_TRUSTED_CLIENT_CA),
292 cert->os_cert_handle()->trust->sslFlags);
293 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
294 cert->os_cert_handle()->trust->emailFlags);
295 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
296 cert->os_cert_handle()->trust->objectSigningFlags);
299 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
300 CertificateList certs = CreateCertificateListFromFile(
301 GetTestCertsDirectory(), "root_ca_cert.pem",
302 X509Certificate::FORMAT_AUTO);
303 ASSERT_EQ(1U, certs.size());
304 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
307 NSSCertDatabase::ImportCertFailureList failed;
308 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL,
311 EXPECT_EQ(0U, failed.size());
313 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
314 ASSERT_EQ(1U, cert_list.size());
315 scoped_refptr<X509Certificate> cert(cert_list[0]);
316 EXPECT_EQ("Test Root CA", cert->subject().common_name);
318 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL,
319 cert_db_->GetCertTrust(cert.get(), CA_CERT));
321 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
322 cert->os_cert_handle()->trust->sslFlags);
323 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
324 CERTDB_TRUSTED_CLIENT_CA),
325 cert->os_cert_handle()->trust->emailFlags);
326 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
327 cert->os_cert_handle()->trust->objectSigningFlags);
330 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
331 CertificateList certs = CreateCertificateListFromFile(
332 GetTestCertsDirectory(), "root_ca_cert.pem",
333 X509Certificate::FORMAT_AUTO);
334 ASSERT_EQ(1U, certs.size());
335 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
338 NSSCertDatabase::ImportCertFailureList failed;
339 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN,
342 EXPECT_EQ(0U, failed.size());
344 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
345 ASSERT_EQ(1U, cert_list.size());
346 scoped_refptr<X509Certificate> cert(cert_list[0]);
347 EXPECT_EQ("Test Root CA", cert->subject().common_name);
349 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN,
350 cert_db_->GetCertTrust(cert.get(), CA_CERT));
352 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
353 cert->os_cert_handle()->trust->sslFlags);
354 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
355 cert->os_cert_handle()->trust->emailFlags);
356 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
357 CERTDB_TRUSTED_CLIENT_CA),
358 cert->os_cert_handle()->trust->objectSigningFlags);
361 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
362 CertificateList certs = CreateCertificateListFromFile(
363 GetTestCertsDirectory(), "ok_cert.pem",
364 X509Certificate::FORMAT_AUTO);
365 ASSERT_EQ(1U, certs.size());
366 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
369 NSSCertDatabase::ImportCertFailureList failed;
370 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
372 ASSERT_EQ(1U, failed.size());
373 // Note: this compares pointers directly. It's okay in this case because
374 // ImportCACerts returns the same pointers that were passed in. In the
375 // general case IsSameOSCert should be used.
376 EXPECT_EQ(certs[0], failed[0].certificate);
377 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error);
379 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
382 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) {
383 CertificateList certs;
384 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
385 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
386 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
389 NSSCertDatabase::ImportCertFailureList failed;
390 // Have to specify email trust for the cert verification of the child cert to
392 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#752
393 // "XXX This choice of trustType seems arbitrary.")
394 EXPECT_TRUE(cert_db_->ImportCACerts(
395 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
398 ASSERT_EQ(2U, failed.size());
399 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
400 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
401 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name);
402 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error);
404 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
405 ASSERT_EQ(1U, cert_list.size());
406 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
409 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) {
410 CertificateList certs;
411 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
413 // First import just the root.
414 NSSCertDatabase::ImportCertFailureList failed;
415 EXPECT_TRUE(cert_db_->ImportCACerts(
416 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
419 EXPECT_EQ(0U, failed.size());
420 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
421 ASSERT_EQ(1U, cert_list.size());
422 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
424 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
425 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
427 // Now import with the other certs in the list too. Even though the root is
428 // already present, we should still import the rest.
430 EXPECT_TRUE(cert_db_->ImportCACerts(
431 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
434 ASSERT_EQ(3U, failed.size());
435 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name);
436 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error);
437 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
438 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
439 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name);
440 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error);
442 cert_list = ListCertsInSlot(slot_->os_module_handle());
443 ASSERT_EQ(1U, cert_list.size());
444 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
447 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {
448 CertificateList certs;
449 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
450 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
453 NSSCertDatabase::ImportCertFailureList failed;
454 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT,
457 ASSERT_EQ(1U, failed.size());
458 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
459 // TODO(mattm): should check for net error equivalent of
460 // SEC_ERROR_UNTRUSTED_ISSUER
461 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
463 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
464 ASSERT_EQ(1U, cert_list.size());
465 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
468 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) {
469 CertificateList certs;
470 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
471 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
472 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
475 NSSCertDatabase::ImportCertFailureList failed;
476 EXPECT_TRUE(cert_db_->ImportCACerts(
477 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
480 EXPECT_EQ(2U, failed.size());
481 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
482 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
483 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
484 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
486 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
487 ASSERT_EQ(1U, cert_list.size());
488 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
491 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
492 CertificateList certs = CreateCertificateListFromFile(
493 GetTestCertsDirectory(), "root_ca_cert.pem",
494 X509Certificate::FORMAT_AUTO);
495 ASSERT_EQ(1U, certs.size());
496 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
497 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
500 NSSCertDatabase::ImportCertFailureList failed;
501 EXPECT_TRUE(cert_db_->ImportCACerts(
502 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL |
503 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed));
505 ASSERT_EQ(2U, failed.size());
506 // TODO(mattm): should check for net error equivalent of
507 // SEC_ERROR_UNKNOWN_ISSUER
508 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
509 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
510 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
511 EXPECT_EQ(ERR_FAILED, failed[1].net_error);
513 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
514 ASSERT_EQ(1U, cert_list.size());
515 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name);
518 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired
520 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
521 // Need to import intermediate cert for the verify of google cert, otherwise
522 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which
523 // will cause OCSPCreateSession on the main thread, which is not allowed.
524 CertificateList certs = CreateCertificateListFromFile(
525 GetTestCertsDirectory(), "google.chain.pem",
526 X509Certificate::FORMAT_AUTO);
527 ASSERT_EQ(2U, certs.size());
529 NSSCertDatabase::ImportCertFailureList failed;
530 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
533 EXPECT_EQ(0U, failed.size());
535 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
536 ASSERT_EQ(2U, cert_list.size());
537 scoped_refptr<X509Certificate> goog_cert(cert_list[0]);
538 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);
539 EXPECT_EQ("www.google.com", goog_cert->subject().common_name);
540 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);
542 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
543 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT));
545 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags);
547 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
549 CertVerifyResult verify_result;
550 int error = verify_proc->Verify(goog_cert.get(),
556 EXPECT_EQ(OK, error);
557 EXPECT_EQ(0U, verify_result.cert_status);
560 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
561 CertificateList certs;
562 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
564 NSSCertDatabase::ImportCertFailureList failed;
565 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
568 EXPECT_EQ(0U, failed.size());
570 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
571 ASSERT_EQ(1U, cert_list.size());
572 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
574 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
575 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
576 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags);
578 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
580 CertVerifyResult verify_result;
581 int error = verify_proc->Verify(puny_cert.get(),
582 "xn--wgv71a119e.com",
587 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
588 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
591 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
592 // When using CERT_PKIXVerifyCert (which we do), server trust only works from
593 // 3.13.4 onwards. See https://bugzilla.mozilla.org/show_bug.cgi?id=647364.
594 if (!NSS_VersionCheck("3.13.4")) {
595 LOG(INFO) << "test skipped on NSS < 3.13.4";
599 CertificateList certs;
600 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
602 NSSCertDatabase::ImportCertFailureList failed;
603 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL,
606 EXPECT_EQ(0U, failed.size());
608 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
609 ASSERT_EQ(1U, cert_list.size());
610 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
612 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
613 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
614 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD),
615 puny_cert->os_cert_handle()->trust->sslFlags);
617 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
619 CertVerifyResult verify_result;
620 int error = verify_proc->Verify(puny_cert.get(),
621 "xn--wgv71a119e.com",
626 EXPECT_EQ(OK, error);
627 EXPECT_EQ(0U, verify_result.cert_status);
630 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
631 CertificateList ca_certs = CreateCertificateListFromFile(
632 GetTestCertsDirectory(), "root_ca_cert.pem",
633 X509Certificate::FORMAT_AUTO);
634 ASSERT_EQ(1U, ca_certs.size());
636 // Import CA cert and trust it.
637 NSSCertDatabase::ImportCertFailureList failed;
638 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
640 EXPECT_EQ(0U, failed.size());
642 CertificateList certs = CreateCertificateListFromFile(
643 GetTestCertsDirectory(), "ok_cert.pem",
644 X509Certificate::FORMAT_AUTO);
645 ASSERT_EQ(1U, certs.size());
647 // Import server cert with default trust.
648 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
650 EXPECT_EQ(0U, failed.size());
652 // Server cert should verify.
653 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
655 CertVerifyResult verify_result;
656 int error = verify_proc->Verify(certs[0].get(),
662 EXPECT_EQ(OK, error);
663 EXPECT_EQ(0U, verify_result.cert_status);
666 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
667 // Explicit distrust only works starting in NSS 3.13.
668 if (!NSS_VersionCheck("3.13")) {
669 LOG(INFO) << "test skipped on NSS < 3.13";
673 CertificateList ca_certs = CreateCertificateListFromFile(
674 GetTestCertsDirectory(), "root_ca_cert.pem",
675 X509Certificate::FORMAT_AUTO);
676 ASSERT_EQ(1U, ca_certs.size());
678 // Import CA cert and trust it.
679 NSSCertDatabase::ImportCertFailureList failed;
680 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
682 EXPECT_EQ(0U, failed.size());
684 CertificateList certs = CreateCertificateListFromFile(
685 GetTestCertsDirectory(), "ok_cert.pem",
686 X509Certificate::FORMAT_AUTO);
687 ASSERT_EQ(1U, certs.size());
689 // Import server cert without inheriting trust from issuer (explicit
691 EXPECT_TRUE(cert_db_->ImportServerCert(
692 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
693 EXPECT_EQ(0U, failed.size());
694 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL,
695 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
697 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
698 certs[0]->os_cert_handle()->trust->sslFlags);
700 // Server cert should fail to verify.
701 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
703 CertVerifyResult verify_result;
704 int error = verify_proc->Verify(certs[0].get(),
710 EXPECT_EQ(ERR_CERT_REVOKED, error);
711 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
714 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {
715 CertificateList ca_certs = CreateCertificateListFromFile(
716 GetTestCertsDirectory(), "2048-rsa-root.pem",
717 X509Certificate::FORMAT_AUTO);
718 ASSERT_EQ(1U, ca_certs.size());
720 // Import Root CA cert and distrust it.
721 NSSCertDatabase::ImportCertFailureList failed;
722 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL,
724 EXPECT_EQ(0U, failed.size());
726 CertificateList intermediate_certs = CreateCertificateListFromFile(
727 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
728 X509Certificate::FORMAT_AUTO);
729 ASSERT_EQ(1U, intermediate_certs.size());
731 // Import Intermediate CA cert and trust it.
732 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
733 NSSCertDatabase::TRUSTED_SSL, &failed));
734 EXPECT_EQ(0U, failed.size());
736 CertificateList certs = CreateCertificateListFromFile(
737 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
738 X509Certificate::FORMAT_AUTO);
739 ASSERT_EQ(1U, certs.size());
741 // Import server cert with default trust.
742 EXPECT_TRUE(cert_db_->ImportServerCert(
743 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
744 EXPECT_EQ(0U, failed.size());
745 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
746 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
748 // Server cert should verify.
749 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
751 CertVerifyResult verify_result;
752 int error = verify_proc->Verify(certs[0].get(),
758 EXPECT_EQ(OK, error);
759 EXPECT_EQ(0U, verify_result.cert_status);
761 // Explicit distrust only works starting in NSS 3.13.
762 if (!NSS_VersionCheck("3.13")) {
763 LOG(INFO) << "test partially skipped on NSS < 3.13";
767 // Trust the root cert and distrust the intermediate.
768 EXPECT_TRUE(cert_db_->SetCertTrust(
769 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL));
770 EXPECT_TRUE(cert_db_->SetCertTrust(
771 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL));
773 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA),
774 ca_certs[0]->os_cert_handle()->trust->sslFlags);
775 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
776 ca_certs[0]->os_cert_handle()->trust->emailFlags);
777 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
778 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags);
779 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
780 intermediate_certs[0]->os_cert_handle()->trust->sslFlags);
781 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
782 intermediate_certs[0]->os_cert_handle()->trust->emailFlags);
784 unsigned(CERTDB_VALID_CA),
785 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags);
787 // Server cert should fail to verify.
788 CertVerifyResult verify_result2;
789 error = verify_proc->Verify(certs[0].get(),
795 EXPECT_EQ(ERR_CERT_REVOKED, error);
796 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status);
799 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) {
800 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
801 // See http://bugzil.la/863947 for details.
802 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
806 NSSCertDatabase::ImportCertFailureList failed;
808 CertificateList intermediate_certs = CreateCertificateListFromFile(
809 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
810 X509Certificate::FORMAT_AUTO);
811 ASSERT_EQ(1U, intermediate_certs.size());
813 // Import Intermediate CA cert and trust it.
814 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
815 NSSCertDatabase::TRUSTED_SSL, &failed));
816 EXPECT_EQ(0U, failed.size());
818 CertificateList certs = CreateCertificateListFromFile(
819 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
820 X509Certificate::FORMAT_AUTO);
821 ASSERT_EQ(1U, certs.size());
823 // Import server cert with default trust.
824 EXPECT_TRUE(cert_db_->ImportServerCert(
825 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
826 EXPECT_EQ(0U, failed.size());
827 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
828 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
830 // Server cert should verify.
831 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
833 CertVerifyResult verify_result;
834 int error = verify_proc->Verify(certs[0].get(),
840 EXPECT_EQ(OK, error);
841 EXPECT_EQ(0U, verify_result.cert_status);
843 // Without explicit trust of the intermediate, verification should fail.
844 EXPECT_TRUE(cert_db_->SetCertTrust(
845 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
847 // Server cert should fail to verify.
848 CertVerifyResult verify_result2;
849 error = verify_proc->Verify(certs[0].get(),
855 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
856 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
859 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) {
860 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
861 // See http://bugzil.la/863947 for details.
862 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
866 NSSCertDatabase::ImportCertFailureList failed;
868 CertificateList ca_certs = CreateCertificateListFromFile(
869 GetTestCertsDirectory(), "2048-rsa-root.pem",
870 X509Certificate::FORMAT_AUTO);
871 ASSERT_EQ(1U, ca_certs.size());
873 // Import Root CA cert and default trust it.
874 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT,
876 EXPECT_EQ(0U, failed.size());
878 CertificateList intermediate_certs = CreateCertificateListFromFile(
879 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
880 X509Certificate::FORMAT_AUTO);
881 ASSERT_EQ(1U, intermediate_certs.size());
883 // Import Intermediate CA cert and trust it.
884 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
885 NSSCertDatabase::TRUSTED_SSL, &failed));
886 EXPECT_EQ(0U, failed.size());
888 CertificateList certs = CreateCertificateListFromFile(
889 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
890 X509Certificate::FORMAT_AUTO);
891 ASSERT_EQ(1U, certs.size());
893 // Import server cert with default trust.
894 EXPECT_TRUE(cert_db_->ImportServerCert(
895 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
896 EXPECT_EQ(0U, failed.size());
897 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
898 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
900 // Server cert should verify.
901 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
903 CertVerifyResult verify_result;
904 int error = verify_proc->Verify(certs[0].get(),
910 EXPECT_EQ(OK, error);
911 EXPECT_EQ(0U, verify_result.cert_status);
913 // Without explicit trust of the intermediate, verification should fail.
914 EXPECT_TRUE(cert_db_->SetCertTrust(
915 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
917 // Server cert should fail to verify.
918 CertVerifyResult verify_result2;
919 error = verify_proc->Verify(certs[0].get(),
925 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
926 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
929 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
930 // Explicit distrust only works starting in NSS 3.13.
931 if (!NSS_VersionCheck("3.13")) {
932 LOG(INFO) << "test skipped on NSS < 3.13";
936 NSSCertDatabase::ImportCertFailureList failed;
938 CertificateList ca_certs = CreateCertificateListFromFile(
939 GetTestCertsDirectory(), "2048-rsa-root.pem",
940 X509Certificate::FORMAT_AUTO);
941 ASSERT_EQ(1U, ca_certs.size());
943 // Import Root CA cert and trust it.
944 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
946 EXPECT_EQ(0U, failed.size());
948 CertificateList intermediate_certs = CreateCertificateListFromFile(
949 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
950 X509Certificate::FORMAT_AUTO);
951 ASSERT_EQ(1U, intermediate_certs.size());
953 // Import Intermediate CA cert and distrust it.
954 EXPECT_TRUE(cert_db_->ImportCACerts(
955 intermediate_certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
956 EXPECT_EQ(0U, failed.size());
958 CertificateList certs = CreateCertificateListFromFile(
959 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
960 X509Certificate::FORMAT_AUTO);
961 ASSERT_EQ(1U, certs.size());
963 // Import server cert with default trust.
964 EXPECT_TRUE(cert_db_->ImportServerCert(
965 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
966 EXPECT_EQ(0U, failed.size());
967 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
968 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
970 // Server cert should not verify.
971 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
973 CertVerifyResult verify_result;
974 int error = verify_proc->Verify(certs[0].get(),
980 EXPECT_EQ(ERR_CERT_REVOKED, error);
981 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
983 // Without explicit distrust of the intermediate, verification should succeed.
984 EXPECT_TRUE(cert_db_->SetCertTrust(
985 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
987 // Server cert should verify.
988 CertVerifyResult verify_result2;
989 error = verify_proc->Verify(certs[0].get(),
995 EXPECT_EQ(OK, error);
996 EXPECT_EQ(0U, verify_result2.cert_status);
999 // Importing two certificates with the same issuer and subject common name,
1000 // but overall distinct subject names, should succeed and generate a unique
1001 // nickname for the second certificate.
1002 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {
1003 CertificateList certs =
1004 CreateCertificateListFromFile(GetTestCertsDirectory(),
1005 "duplicate_cn_1.pem",
1006 X509Certificate::FORMAT_AUTO);
1007 ASSERT_EQ(1U, certs.size());
1009 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
1011 // Import server cert with default trust.
1012 NSSCertDatabase::ImportCertFailureList failed;
1013 EXPECT_TRUE(cert_db_->ImportServerCert(
1014 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
1015 EXPECT_EQ(0U, failed.size());
1016 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
1017 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
1019 CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle());
1020 ASSERT_EQ(1U, new_certs.size());
1022 // Now attempt to import a different certificate with the same common name.
1023 CertificateList certs2 =
1024 CreateCertificateListFromFile(GetTestCertsDirectory(),
1025 "duplicate_cn_2.pem",
1026 X509Certificate::FORMAT_AUTO);
1027 ASSERT_EQ(1U, certs2.size());
1029 // Import server cert with default trust.
1030 EXPECT_TRUE(cert_db_->ImportServerCert(
1031 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed));
1032 EXPECT_EQ(0U, failed.size());
1033 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
1034 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT));
1036 new_certs = ListCertsInSlot(slot_->os_module_handle());
1037 ASSERT_EQ(2U, new_certs.size());
1038 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname,
1039 new_certs[1]->os_cert_handle()->nickname);
projects / platform / framework / web / crosswalk.git / blob