Google Git
Sign in
chromium / chromium / src.git / 69295bad5da2d9ddc84f0ed196dc3efcce3e239c / . / chromeos / cert_loader_unittest.cc
blob: 2f28861acd272016545c4accbf22c4feea105e03 [file] [log] [blame]
[email protected]69295ba2014-01-28 06:17:00[diff] [blame^]1// Copyright 2014 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "chromeos/cert_loader.h"
6
7#include "base/bind.h"
8#include "base/file_util.h"
9#include "base/memory/scoped_ptr.h"
10#include "base/message_loop/message_loop.h"
11#include "base/run_loop.h"
12#include "crypto/nss_util.h"
13#include "crypto/nss_util_internal.h"
14#include "net/base/net_errors.h"
15#include "net/base/test_data_directory.h"
16#include "net/cert/nss_cert_database_chromeos.h"
17#include "net/cert/x509_certificate.h"
18#include "net/test/cert_test_util.h"
19#include "testing/gtest/include/gtest/gtest.h"
20
21namespace chromeos {
22namespace {
23
24bool IsCertInCertificateList(const net::X509Certificate* cert,
25 const net::CertificateList& cert_list) {
26 for (net::CertificateList::const_iterator it = cert_list.begin();
27 it != cert_list.end();
28 ++it) {
29 if (net::X509Certificate::IsSameOSCert((*it)->os_cert_handle(),
30 cert->os_cert_handle())) {
31 return true;
32 }
33 }
34 return false;
35}
36
37void FailOnPrivateSlotCallback(crypto::ScopedPK11Slot slot) {
38 EXPECT_FALSE(true) << "GetPrivateSlotForChromeOSUser callback called even "
39 << "though the private slot had been initialized.";
40}
41
42class CertLoaderTest : public testing::Test,
43 public CertLoader::Observer {
44 public:
45 CertLoaderTest() : cert_loader_(NULL),
46 primary_user_("primary"),
47 certificates_loaded_events_count_(0U) {
48 }
49
50 virtual ~CertLoaderTest() {}
51
52 virtual void SetUp() OVERRIDE {
53 ASSERT_TRUE(primary_user_.constructed_successfully());
54 ASSERT_TRUE(
55 crypto::GetPublicSlotForChromeOSUser(primary_user_.username_hash()));
56
57 CertLoader::Initialize();
58 cert_loader_ = CertLoader::Get();
59 cert_loader_->AddObserver(this);
60 cert_loader_->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
61 }
62
63 virtual void TearDown() {
64 cert_loader_->RemoveObserver(this);
65 CertLoader::Shutdown();
66 }
67
68 protected:
69 void StartCertLoaderWithPrimaryUser() {
70 FinishUserInitAndGetDatabase(&primary_user_, &primary_db_);
71 cert_loader_->StartWithNSSDB(primary_db_.get());
72
73 base::RunLoop().RunUntilIdle();
74 GetAndResetCertificatesLoadedEventsCount();
75 }
76
77 // CertLoader::Observer:
78 // The test keeps count of times the observer method was called.
79 virtual void OnCertificatesLoaded(const net::CertificateList& cert_list,
80 bool initial_load) OVERRIDE {
81 EXPECT_TRUE(certificates_loaded_events_count_ == 0 || !initial_load);
82 certificates_loaded_events_count_++;
83 }
84
85 // Returns the number of |OnCertificatesLoaded| calls observed since the
86 // last call to this method equals |value|.
87 size_t GetAndResetCertificatesLoadedEventsCount() {
88 size_t result = certificates_loaded_events_count_;
89 certificates_loaded_events_count_ = 0;
90 return result;
91 }
92
93 // Finishes initialization for the |user| and returns a user's NSS database
94 // instance.
95 void FinishUserInitAndGetDatabase(
96 crypto::ScopedTestNSSChromeOSUser* user,
97 scoped_ptr<net::NSSCertDatabaseChromeOS>* database) {
98 ASSERT_TRUE(user->constructed_successfully());
99
100 user->FinishInit();
101
102 crypto::ScopedPK11Slot private_slot(
103 crypto::GetPrivateSlotForChromeOSUser(
104 user->username_hash(),
105 base::Bind(&FailOnPrivateSlotCallback)));
106 ASSERT_TRUE(private_slot);
107
108 database->reset(new net::NSSCertDatabaseChromeOS(
109 crypto::GetPublicSlotForChromeOSUser(user->username_hash()),
110 private_slot.Pass()));
111 }
112
113 int GetDbPrivateSlotId(net::NSSCertDatabase* db) {
114 return static_cast<int>(PK11_GetSlotID(db->GetPrivateSlot().get()));
115 }
116
117 void ImportCACert(const std::string& cert_file,
118 net::NSSCertDatabase* database,
119 net::CertificateList* imported_certs) {
120 ASSERT_TRUE(database);
121 ASSERT_TRUE(imported_certs);
122
123 // Add a certificate to the user's db.
124 *imported_certs = net::CreateCertificateListFromFile(
125 net::GetTestCertsDirectory(),
126 cert_file,
127 net::X509Certificate::FORMAT_AUTO);
128 ASSERT_EQ(1U, imported_certs->size());
129
130 net::NSSCertDatabase::ImportCertFailureList failed;
131 ASSERT_TRUE(database->ImportCACerts(*imported_certs,
132 net::NSSCertDatabase::TRUST_DEFAULT,
133 &failed));
134 ASSERT_TRUE(failed.empty());
135 }
136
137 void ImportClientCertAndKey(const std::string& pkcs12_file,
138 net::NSSCertDatabase* database,
139 net::CertificateList* imported_certs) {
140 ASSERT_TRUE(database);
141 ASSERT_TRUE(imported_certs);
142
143 std::string pkcs12_data;
144 base::FilePath pkcs12_file_path =
145 net::GetTestCertsDirectory().Append(pkcs12_file);
146 ASSERT_TRUE(base::ReadFileToString(pkcs12_file_path, &pkcs12_data));
147
148 net::CertificateList client_cert_list;
149 scoped_refptr<net::CryptoModule> module(net::CryptoModule::CreateFromHandle(
150 database->GetPrivateSlot().get()));
151 ASSERT_EQ(
152 net::OK,
153 database->ImportFromPKCS12(module, pkcs12_data, base::string16(), false,
154 imported_certs));
155 ASSERT_EQ(1U, imported_certs->size());
156 }
157
158 CertLoader* cert_loader_;
159
160 // The user is primary as the one whose certificates CertLoader handles, it
161 // has nothing to do with crypto::InitializeNSSForChromeOSUser is_primary_user
162 // parameter (which is irrelevant for these tests).
163 crypto::ScopedTestNSSChromeOSUser primary_user_;
164 scoped_ptr<net::NSSCertDatabaseChromeOS> primary_db_;
165
166 base::MessageLoop message_loop_;
167
168 private:
169 size_t certificates_loaded_events_count_;
170};
171
172TEST_F(CertLoaderTest, Basic) {
173 EXPECT_FALSE(cert_loader_->CertificatesLoading());
174 EXPECT_FALSE(cert_loader_->certificates_loaded());
175 EXPECT_FALSE(cert_loader_->IsHardwareBacked());
176
177 FinishUserInitAndGetDatabase(&primary_user_, &primary_db_);
178
179 cert_loader_->StartWithNSSDB(primary_db_.get());
180
181 EXPECT_FALSE(cert_loader_->certificates_loaded());
182 EXPECT_TRUE(cert_loader_->CertificatesLoading());
183 EXPECT_TRUE(cert_loader_->cert_list().empty());
184
185 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
186 base::RunLoop().RunUntilIdle();
187 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
188
189 EXPECT_TRUE(cert_loader_->certificates_loaded());
190 EXPECT_FALSE(cert_loader_->CertificatesLoading());
191 EXPECT_EQ(GetDbPrivateSlotId(primary_db_.get()),
192 cert_loader_->TPMTokenSlotID());
193
194 // Default CA cert roots should get loaded.
195 EXPECT_FALSE(cert_loader_->cert_list().empty());
196}
197
198TEST_F(CertLoaderTest, CertLoaderUpdatesCertListOnNewCert) {
199 StartCertLoaderWithPrimaryUser();
200
201 net::CertificateList certs;
202 ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs);
203
204 // Certs are loaded asynchronously, so the new cert should not yet be in the
205 // cert list.
206 EXPECT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
207
208 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
209 base::RunLoop().RunUntilIdle();
210 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
211
212 // The certificate list should be updated now, as the message loop's been run.
213 EXPECT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
214}
215
216TEST_F(CertLoaderTest, CertLoaderNoUpdateOnSecondaryDbChanges) {
217 crypto::ScopedTestNSSChromeOSUser secondary_user("secondary");
218 scoped_ptr<net::NSSCertDatabaseChromeOS> secondary_db;
219
220 StartCertLoaderWithPrimaryUser();
221 FinishUserInitAndGetDatabase(&secondary_user, &secondary_db);
222
223 net::CertificateList certs;
224 ImportCACert("root_ca_cert.pem", secondary_db.get(), &certs);
225
226 base::RunLoop().RunUntilIdle();
227
228 EXPECT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
229}
230
231TEST_F(CertLoaderTest, ClientLoaderUpdateOnNewClientCert) {
232 StartCertLoaderWithPrimaryUser();
233
234 net::CertificateList certs;
235 ImportClientCertAndKey("websocket_client_cert.p12",
236 primary_db_.get(),
237 &certs);
238
239 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
240 base::RunLoop().RunUntilIdle();
241 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
242
243 EXPECT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
244}
245
246TEST_F(CertLoaderTest, CertLoaderNoUpdateOnNewClientCertInSecondaryDb) {
247 crypto::ScopedTestNSSChromeOSUser secondary_user("secondary");
248 scoped_ptr<net::NSSCertDatabaseChromeOS> secondary_db;
249
250 StartCertLoaderWithPrimaryUser();
251 FinishUserInitAndGetDatabase(&secondary_user, &secondary_db);
252
253 net::CertificateList certs;
254 ImportClientCertAndKey("websocket_client_cert.p12",
255 secondary_db.get(),
256 &certs);
257
258 base::RunLoop().RunUntilIdle();
259
260 EXPECT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
261}
262
263TEST_F(CertLoaderTest, UpdatedOnCertRemoval) {
264 StartCertLoaderWithPrimaryUser();
265
266 net::CertificateList certs;
267 ImportClientCertAndKey("websocket_client_cert.p12",
268 primary_db_.get(),
269 &certs);
270
271 base::RunLoop().RunUntilIdle();
272
273 ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
274 ASSERT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
275
276 primary_db_->DeleteCertAndKey(certs[0]);
277
278 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
279 base::RunLoop().RunUntilIdle();
280 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
281
282 ASSERT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
283}
284
285TEST_F(CertLoaderTest, UpdatedOnCACertTrustChange) {
286 StartCertLoaderWithPrimaryUser();
287
288 net::CertificateList certs;
289 ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs);
290
291 base::RunLoop().RunUntilIdle();
292 ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
293 ASSERT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list()));
294
295 // The value that should have been set by |ImportCACert|.
296 ASSERT_EQ(net::NSSCertDatabase::TRUST_DEFAULT,
297 primary_db_->GetCertTrust(certs[0], net::CA_CERT));
298 ASSERT_TRUE(primary_db_->SetCertTrust(
299 certs[0], net::CA_CERT, net::NSSCertDatabase::TRUSTED_SSL));
300
301 // Cert trust change should trigger certificate reload in cert_loader_.
302 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
303 base::RunLoop().RunUntilIdle();
304 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
305}
306
307} // namespace
308} // namespace chromeos