Update To 11.40.268.0
[platform/framework/web/crosswalk.git] / src / net / ocsp / nss_ocsp_unittest.cc
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/ocsp/nss_ocsp.h"
6
7 #include <string>
8
9 #include "base/files/file_path.h"
10 #include "base/files/file_util.h"
11 #include "base/logging.h"
12 #include "base/memory/ref_counted.h"
13 #include "net/base/net_errors.h"
14 #include "net/base/test_completion_callback.h"
15 #include "net/base/test_data_directory.h"
16 #include "net/cert/cert_status_flags.h"
17 #include "net/cert/cert_verifier.h"
18 #include "net/cert/cert_verify_proc.h"
19 #include "net/cert/cert_verify_proc_nss.h"
20 #include "net/cert/cert_verify_result.h"
21 #include "net/cert/multi_threaded_cert_verifier.h"
22 #include "net/cert/test_root_certs.h"
23 #include "net/cert/x509_certificate.h"
24 #include "net/test/cert_test_util.h"
25 #include "net/url_request/url_request_filter.h"
26 #include "net/url_request/url_request_interceptor.h"
27 #include "net/url_request/url_request_test_job.h"
28 #include "net/url_request/url_request_test_util.h"
29 #include "testing/gtest/include/gtest/gtest.h"
30
31 namespace net {
32
33 namespace {
34
// Host name used in the caIssuers (AIA) entry of the generated test
// certificate. ".invalid" is a reserved TLD, so this name does not resolve
// on a real network; requests for it are meant to be answered in-process.
const char kAiaHost[] = "aia-test.invalid";

// Canned response headers for the AIA fetch. The body is a single
// DER-encoded certificate, so RFC 5280 requires the media type
// application/pkix-cert.
//
// Header lines are separated by embedded NUL bytes. Converting this array to
// std::string through a plain const char* stops at the first NUL and drops
// the Content-type line, so construct the string with an explicit length.
const char kAiaHeaders[] =
    "HTTP/1.1 200 OK\0"
    "Content-type: application/pkix-cert\0"
    "\0";
42
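// URLRequestInterceptor that answers every request it is offered with the
// same canned response and counts how many requests it has seen. The test
// uses the counter to confirm that a fetch was actually attempted.
class AiaResponseHandler : public net::URLRequestInterceptor {
 public:
  // |headers| is the raw response header block and |cert_data| the response
  // body. Both are copied. If |headers| contains embedded NULs, the caller
  // must build the std::string with an explicit length; an implicit
  // conversion from const char* truncates at the first NUL.
  AiaResponseHandler(const std::string& headers, const std::string& cert_data)
      : headers_(headers), cert_data_(cert_data), request_count_(0) {}
  ~AiaResponseHandler() override {}

  // net::URLRequestInterceptor implementation:
  // Never declines a request: each call bumps the counter and returns a newly
  // allocated job carrying the canned headers and body. The returned raw
  // pointer is handed to the caller, as the interface's signature requires.
  net::URLRequestJob* MaybeInterceptRequest(
      net::URLRequest* request,
      net::NetworkDelegate* network_delegate) const override {
    // The interface makes this method const; the counter is bookkeeping
    // rather than logical state, so it is declared mutable instead of
    // casting away constness on |this|.
    ++request_count_;

    return new net::URLRequestTestJob(
        request, network_delegate, headers_, cert_data_, true);
  }

  // Number of requests intercepted so far.
  int request_count() const { return request_count_; }

 private:
  std::string headers_;
  std::string cert_data_;
  // NOTE(review): not synchronized; assumes the increment and the read in the
  // test do not race - confirm against the threads involved.
  mutable int request_count_;

  DISALLOW_COPY_AND_ASSIGN(AiaResponseHandler);
};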
68
69 }  // namespace
70
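// Fixture for exercising NSS's HTTP fetching during certificate verification.
// SetUp() registers an AiaResponseHandler for "http" requests to |kAiaHost|
// that serves aia-intermediate.der from the test certificate directory, then
// points the NSS HTTP IO layer at a test URLRequestContext.
class NssHttpTest : public ::testing::Test {
 public:
  NssHttpTest()
      : context_(false),
        handler_(NULL),
        verify_proc_(new CertVerifyProcNSS),
        verifier_(new MultiThreadedCertVerifier(verify_proc_.get())) {}
  ~NssHttpTest() override {}

  void SetUp() override {
    std::string file_contents;
    ASSERT_TRUE(base::ReadFileToString(
        GetTestCertsDirectory().AppendASCII("aia-intermediate.der"),
        &file_contents));
    ASSERT_FALSE(file_contents.empty());

    // |kAiaHeaders| separates header lines with embedded NULs. Passing the
    // array directly would convert it through const char* and keep only the
    // status line, silently dropping the application/pkix-cert content type
    // that the response is supposed to carry. Build the string with its full
    // length so the whole header block reaches the test job.
    const std::string headers(kAiaHeaders, sizeof(kAiaHeaders));

    // Ownership of |handler| is transferred to the URLRequestFilter, but
    // hold onto the original pointer in order to access |request_count()|.
    scoped_ptr<AiaResponseHandler> handler(
        new AiaResponseHandler(headers, file_contents));
    handler_ = handler.get();

    URLRequestFilter::GetInstance()->AddHostnameInterceptor(
        "http", kAiaHost, handler.Pass());

    SetURLRequestContextForNSSHttpIO(&context_);
    EnsureNSSHttpIOInit();
  }

  void TearDown() override {
    ShutdownNSSHttpIO();

    if (handler_) {
      URLRequestFilter::GetInstance()->RemoveHostnameHandler("http", kAiaHost);
      // The filter owned the handler; do not keep a pointer to it once the
      // registration is gone.
      handler_ = NULL;
    }
  }

  // Verifier under test: a MultiThreadedCertVerifier backed by
  // CertVerifyProcNSS.
  CertVerifier* verifier() const {
    return verifier_.get();
  }

  // Number of requests the interceptor has answered. Only valid between
  // SetUp() and TearDown(), while |handler_| is registered.
  int request_count() const {
    return handler_->request_count();
  }

 protected:
  const CertificateList empty_cert_list_;

 private:
  TestURLRequestContext context_;
  // Not owned; see SetUp().
  AiaResponseHandler* handler_;
  scoped_refptr<CertVerifyProc> verify_proc_;
  scoped_ptr<CertVerifier> verifier_;
};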
124
// With NSS verifying certificates and network IO permitted, a chain whose
// intermediate is not supplied should still verify: NSS is expected to issue
// a request for the missing intermediate, which the fixture's interceptor
// answers. Both the verification result and the fact that a request was made
// are checked.
TEST_F(NssHttpTest, TestAia) {
  scoped_refptr<X509Certificate> leaf(
      ImportCertFromFile(GetTestCertsDirectory(), "aia-cert.pem"));
  ASSERT_TRUE(leaf.get());

  scoped_refptr<X509Certificate> root(
      ImportCertFromFile(GetTestCertsDirectory(), "aia-root.pem"));
  ASSERT_TRUE(root.get());

  // Install the test root as a trust anchor while this object is alive.
  ScopedTestRoot trusted_root(root.get());

  CertVerifyResult result;
  TestCompletionCallback done;
  CertVerifier::RequestHandle handle;

  // VERIFY_CERT_IO_ENABLED is the only flag set; no CRLSet is supplied.
  int rv = verifier()->Verify(leaf.get(),
                              "aia-host.invalid",
                              CertVerifier::VERIFY_CERT_IO_ENABLED,
                              NULL,
                              &result,
                              done.callback(),
                              &handle,
                              BoundNetLog());
  // The verifier is expected to complete asynchronously.
  ASSERT_EQ(ERR_IO_PENDING, rv);

  rv = done.WaitForResult();
  EXPECT_EQ(OK, rv);

  // A successful verification alone does not prove the fetch happened;
  // require at least one intercepted request for the intermediate.
  EXPECT_LT(0, request_count());
}
161
162 }  // namespace net