Bug 1465613 - Created two new fields for scheduled distrust from builtins and updated support commands. r=jcj,kjacobs,mt

Added two new fields do scheduled distrust of CAs in nssckbi/builtins.
Also, created a testlib to validate these fields with gtests.

Differential Revision: https://phabricator.services.mozilla.com/D36597

3 files changed, 139 insertions, 1 deletions

diff --git a/gtests/softoken_gtest/manifest.mn b/gtests/softoken_gtest/manifest.mn
index 0e998adf4..8a533c56b 100644
--- a/gtests/softoken_gtest/manifest.mn
+++ b/gtests/softoken_gtest/manifest.mn
@@ -6,13 +6,22 @@ CORE_DEPTH = ../..
 DEPTH      = ../..
 MODULE = nss
 
+DEFINES += -DDLL_SUFFIX=\"$(DLL_SUFFIX)\" -DDLL_PREFIX=\"$(DLL_PREFIX)\"
+
+include $(CORE_DEPTH)/coreconf/arch.mk
+ifneq ($(OS_ARCH),WINNT)
+DB_TESTS = \
+	softoken_nssckbi_testlib_gtest.cc
+endif
+
 CPPSRCS = \
 	softoken_gtest.cc \
+	$(DB_TESTS) \
 	$(NULL)
 
 INCLUDES += \
 	-I$(CORE_DEPTH)/gtests/google_test/gtest/include \
-  -I$(CORE_DEPTH)/gtests/common \
+	-I$(CORE_DEPTH)/gtests/common \
 	-I$(CORE_DEPTH)/cpputil \
 	$(NULL)
 
diff --git a/gtests/softoken_gtest/softoken_gtest.gyp b/gtests/softoken_gtest/softoken_gtest.gyp
index 8deb2006b..3d9b8dba9 100644
--- a/gtests/softoken_gtest/softoken_gtest.gyp
+++ b/gtests/softoken_gtest/softoken_gtest.gyp
@@ -12,6 +12,7 @@
       'type': 'executable',
       'sources': [
         'softoken_gtest.cc',
+        'softoken_nssckbi_testlib_gtest.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
@@ -44,6 +45,10 @@
   'target_defaults': {
     'include_dirs': [
       '../../lib/util'
+    ],
+    'defines': [
+      'DLL_PREFIX=\"<(dll_prefix)\"',
+      'DLL_SUFFIX=\"<(dll_suffix)\"'
     ]
   },
   'variables': {
diff --git a/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc b/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc
new file mode 100644
index 000000000..e7d6bc28b
--- /dev/null
+++ b/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc
@@ -0,0 +1,124 @@
+#include "cert.h"
+#include "certdb.h"
+#include "nspr.h"
+#include "nss.h"
+#include "pk11pub.h"
+#include "secerr.h"
+
+#include "nss_scoped_ptrs.h"
+#include "util.h"
+
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+class SoftokenBuiltinsTest : public ::testing::Test {
+ protected:
+  SoftokenBuiltinsTest() : nss_db_dir_("SoftokenBuiltinsTest.d-") {}
+  SoftokenBuiltinsTest(const std::string &prefix) : nss_db_dir_(prefix) {}
+
+  virtual void SetUp() {
+    std::string nss_init_arg("sql:");
+    nss_init_arg.append(nss_db_dir_.GetUTF8Path());
+    ASSERT_EQ(SECSuccess, NSS_Initialize(nss_init_arg.c_str(), "", "",
+                                         SECMOD_DB, NSS_INIT_NOROOTINIT));
+  }
+
+  virtual void TearDown() {
+    ASSERT_EQ(SECSuccess, NSS_Shutdown());
+    const std::string &nss_db_dir_path = nss_db_dir_.GetPath();
+    ASSERT_EQ(0, unlink((nss_db_dir_path + "/cert9.db").c_str()));
+    ASSERT_EQ(0, unlink((nss_db_dir_path + "/key4.db").c_str()));
+    ASSERT_EQ(0, unlink((nss_db_dir_path + "/pkcs11.txt").c_str()));
+  }
+
+  virtual void LoadModule() {
+    ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+    ASSERT_TRUE(slot);
+    EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
+    SECStatus result = SECMOD_AddNewModule(
+        "Builtins-testlib", DLL_PREFIX "nssckbi-testlib." DLL_SUFFIX, 0, 0);
+    ASSERT_EQ(result, SECSuccess);
+  }
+
+  ScopedUniqueDirectory nss_db_dir_;
+};
+
+// The next tests in this class are used to test the Distrust Fields.
+// More details about these fields in lib/ckfw/builtins/README.
+TEST_F(SoftokenBuiltinsTest, CheckNoDistrustFields) {
+  const char *kCertNickname =
+      "Builtin Object Token:Distrust Fields Test - no_distrust";
+  LoadModule();
+
+  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
+  ASSERT_TRUE(cert_handle);
+  ScopedCERTCertificate cert(
+      CERT_FindCertByNickname(cert_handle, kCertNickname));
+  ASSERT_TRUE(cert);
+
+  EXPECT_EQ(PR_FALSE,
+            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
+                                 CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE));
+  EXPECT_EQ(PR_FALSE,
+            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
+                                 CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE));
+  ASSERT_FALSE(cert->distrust);
+}
+
+TEST_F(SoftokenBuiltinsTest, CheckOkDistrustFields) {
+  const char *kCertNickname =
+      "Builtin Object Token:Distrust Fields Test - ok_distrust";
+  LoadModule();
+
+  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
+  ASSERT_TRUE(cert_handle);
+  ScopedCERTCertificate cert(
+      CERT_FindCertByNickname(cert_handle, kCertNickname));
+  ASSERT_TRUE(cert);
+
+  const char *kExpectedDERValueServer = "200617000000Z";
+  const char *kExpectedDERValueEmail = "071014085320Z";
+  // When a valid timestamp is encoded, the result length is exactly 13.
+  const unsigned int kDistrustFieldSize = 13;
+
+  ASSERT_TRUE(cert->distrust);
+  ASSERT_EQ(kDistrustFieldSize, cert->distrust->serverDistrustAfter.len);
+  ASSERT_NE(nullptr, cert->distrust->serverDistrustAfter.data);
+  EXPECT_TRUE(!memcmp(kExpectedDERValueServer,
+                      cert->distrust->serverDistrustAfter.data,
+                      kDistrustFieldSize));
+
+  ASSERT_EQ(kDistrustFieldSize, cert->distrust->emailDistrustAfter.len);
+  ASSERT_NE(nullptr, cert->distrust->emailDistrustAfter.data);
+  EXPECT_TRUE(!memcmp(kExpectedDERValueEmail,
+                      cert->distrust->emailDistrustAfter.data,
+                      kDistrustFieldSize));
+}
+
+TEST_F(SoftokenBuiltinsTest, CheckInvalidDistrustFields) {
+  const char *kCertNickname =
+      "Builtin Object Token:Distrust Fields Test - err_distrust";
+  LoadModule();
+
+  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
+  ASSERT_TRUE(cert_handle);
+  ScopedCERTCertificate cert(
+      CERT_FindCertByNickname(cert_handle, kCertNickname));
+  ASSERT_TRUE(cert);
+
+  // The field should never be set to TRUE in production, we are just
+  // testing if this field is readable, even if set to TRUE.
+  EXPECT_EQ(PR_TRUE,
+            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
+                                 CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE));
+  // If something other than CK_BBOOL CK_TRUE, it will be considered FALSE
+  // Here, there is an OCTAL value, but with unexpected content (1 digit less).
+  EXPECT_EQ(PR_FALSE,
+            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
+                                 CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE));
+  ASSERT_FALSE(cert->distrust);
+}
+
+}  // namespace nss_test