diff options
author | Marcus Burghardt <mburghardt@mozilla.com> | 2019-10-11 03:49:25 +0000 |
---|---|---|
committer | Marcus Burghardt <mburghardt@mozilla.com> | 2019-10-11 03:49:25 +0000 |
commit | 4773827d33691bfe104debb0b78156574612b24d (patch) | |
tree | 56dc1dcd9dd8bb50849f5e81ba6c337383870a96 /gtests/softoken_gtest | |
parent | 96a54e65e82ad4baa20ca208e633bd20f136f365 (diff) | |
download | nss-hg-4773827d33691bfe104debb0b78156574612b24d.tar.gz |
Bug 1465613 - Created two new fields for scheduled distrust from builtins and updated support commands. r=jcj,kjacobs,mt
Added two new fields do scheduled distrust of CAs in nssckbi/builtins.
Also, created a testlib to validate these fields with gtests.
Differential Revision: https://phabricator.services.mozilla.com/D36597
Diffstat (limited to 'gtests/softoken_gtest')
-rw-r--r-- | gtests/softoken_gtest/manifest.mn | 11 | ||||
-rw-r--r-- | gtests/softoken_gtest/softoken_gtest.gyp | 5 | ||||
-rw-r--r-- | gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc | 124 |
3 files changed, 139 insertions, 1 deletions
diff --git a/gtests/softoken_gtest/manifest.mn b/gtests/softoken_gtest/manifest.mn index 0e998adf4..8a533c56b 100644 --- a/gtests/softoken_gtest/manifest.mn +++ b/gtests/softoken_gtest/manifest.mn @@ -6,13 +6,22 @@ CORE_DEPTH = ../.. DEPTH = ../.. MODULE = nss +DEFINES += -DDLL_SUFFIX=\"$(DLL_SUFFIX)\" -DDLL_PREFIX=\"$(DLL_PREFIX)\" + +include $(CORE_DEPTH)/coreconf/arch.mk +ifneq ($(OS_ARCH),WINNT) +DB_TESTS = \ + softoken_nssckbi_testlib_gtest.cc +endif + CPPSRCS = \ softoken_gtest.cc \ + $(DB_TESTS) \ $(NULL) INCLUDES += \ -I$(CORE_DEPTH)/gtests/google_test/gtest/include \ - -I$(CORE_DEPTH)/gtests/common \ + -I$(CORE_DEPTH)/gtests/common \ -I$(CORE_DEPTH)/cpputil \ $(NULL) diff --git a/gtests/softoken_gtest/softoken_gtest.gyp b/gtests/softoken_gtest/softoken_gtest.gyp index 8deb2006b..3d9b8dba9 100644 --- a/gtests/softoken_gtest/softoken_gtest.gyp +++ b/gtests/softoken_gtest/softoken_gtest.gyp @@ -12,6 +12,7 @@ 'type': 'executable', 'sources': [ 'softoken_gtest.cc', + 'softoken_nssckbi_testlib_gtest.cc', ], 'dependencies': [ '<(DEPTH)/exports.gyp:nss_exports', @@ -44,6 +45,10 @@ 'target_defaults': { 'include_dirs': [ '../../lib/util' + ], + 'defines': [ + 'DLL_PREFIX=\"<(dll_prefix)\"', + 'DLL_SUFFIX=\"<(dll_suffix)\"' ] }, 'variables': { diff --git a/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc b/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc new file mode 100644 index 000000000..e7d6bc28b --- /dev/null +++ b/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc @@ -0,0 +1,124 @@ +#include "cert.h" +#include "certdb.h" +#include "nspr.h" +#include "nss.h" +#include "pk11pub.h" +#include "secerr.h" + +#include "nss_scoped_ptrs.h" +#include "util.h" + +#define GTEST_HAS_RTTI 0 +#include "gtest/gtest.h" + +namespace nss_test { + +class SoftokenBuiltinsTest : public ::testing::Test { + protected: + SoftokenBuiltinsTest() : nss_db_dir_("SoftokenBuiltinsTest.d-") {} + SoftokenBuiltinsTest(const std::string &prefix) : nss_db_dir_(prefix) {} + + virtual void SetUp() { + std::string nss_init_arg("sql:"); + nss_init_arg.append(nss_db_dir_.GetUTF8Path()); + ASSERT_EQ(SECSuccess, NSS_Initialize(nss_init_arg.c_str(), "", "", + SECMOD_DB, NSS_INIT_NOROOTINIT)); + } + + virtual void TearDown() { + ASSERT_EQ(SECSuccess, NSS_Shutdown()); + const std::string &nss_db_dir_path = nss_db_dir_.GetPath(); + ASSERT_EQ(0, unlink((nss_db_dir_path + "/cert9.db").c_str())); + ASSERT_EQ(0, unlink((nss_db_dir_path + "/key4.db").c_str())); + ASSERT_EQ(0, unlink((nss_db_dir_path + "/pkcs11.txt").c_str())); + } + + virtual void LoadModule() { + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); + ASSERT_TRUE(slot); + EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr)); + SECStatus result = SECMOD_AddNewModule( + "Builtins-testlib", DLL_PREFIX "nssckbi-testlib." DLL_SUFFIX, 0, 0); + ASSERT_EQ(result, SECSuccess); + } + + ScopedUniqueDirectory nss_db_dir_; +}; + +// The next tests in this class are used to test the Distrust Fields. +// More details about these fields in lib/ckfw/builtins/README. +TEST_F(SoftokenBuiltinsTest, CheckNoDistrustFields) { + const char *kCertNickname = + "Builtin Object Token:Distrust Fields Test - no_distrust"; + LoadModule(); + + CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB(); + ASSERT_TRUE(cert_handle); + ScopedCERTCertificate cert( + CERT_FindCertByNickname(cert_handle, kCertNickname)); + ASSERT_TRUE(cert); + + EXPECT_EQ(PR_FALSE, + PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, + CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE)); + EXPECT_EQ(PR_FALSE, + PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, + CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE)); + ASSERT_FALSE(cert->distrust); +} + +TEST_F(SoftokenBuiltinsTest, CheckOkDistrustFields) { + const char *kCertNickname = + "Builtin Object Token:Distrust Fields Test - ok_distrust"; + LoadModule(); + + CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB(); + ASSERT_TRUE(cert_handle); + ScopedCERTCertificate cert( + CERT_FindCertByNickname(cert_handle, kCertNickname)); + ASSERT_TRUE(cert); + + const char *kExpectedDERValueServer = "200617000000Z"; + const char *kExpectedDERValueEmail = "071014085320Z"; + // When a valid timestamp is encoded, the result length is exactly 13. + const unsigned int kDistrustFieldSize = 13; + + ASSERT_TRUE(cert->distrust); + ASSERT_EQ(kDistrustFieldSize, cert->distrust->serverDistrustAfter.len); + ASSERT_NE(nullptr, cert->distrust->serverDistrustAfter.data); + EXPECT_TRUE(!memcmp(kExpectedDERValueServer, + cert->distrust->serverDistrustAfter.data, + kDistrustFieldSize)); + + ASSERT_EQ(kDistrustFieldSize, cert->distrust->emailDistrustAfter.len); + ASSERT_NE(nullptr, cert->distrust->emailDistrustAfter.data); + EXPECT_TRUE(!memcmp(kExpectedDERValueEmail, + cert->distrust->emailDistrustAfter.data, + kDistrustFieldSize)); +} + +TEST_F(SoftokenBuiltinsTest, CheckInvalidDistrustFields) { + const char *kCertNickname = + "Builtin Object Token:Distrust Fields Test - err_distrust"; + LoadModule(); + + CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB(); + ASSERT_TRUE(cert_handle); + ScopedCERTCertificate cert( + CERT_FindCertByNickname(cert_handle, kCertNickname)); + ASSERT_TRUE(cert); + + // The field should never be set to TRUE in production, we are just + // testing if this field is readable, even if set to TRUE. + EXPECT_EQ(PR_TRUE, + PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, + CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE)); + // If something other than CK_BBOOL CK_TRUE, it will be considered FALSE + // Here, there is an OCTAL value, but with unexpected content (1 digit less). + EXPECT_EQ(PR_FALSE, + PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, + CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE)); + ASSERT_FALSE(cert->distrust); +} + +} // namespace nss_test |