diff options
Diffstat (limited to 'chromium/net/cert/test_root_certs_unittest.cc')
-rw-r--r-- | chromium/net/cert/test_root_certs_unittest.cc | 142 |
1 files changed, 142 insertions, 0 deletions
diff --git a/chromium/net/cert/test_root_certs_unittest.cc b/chromium/net/cert/test_root_certs_unittest.cc new file mode 100644 index 00000000000..74c3551862b --- /dev/null +++ b/chromium/net/cert/test_root_certs_unittest.cc @@ -0,0 +1,142 @@ +// Copyright 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "base/files/file_path.h" +#include "build/build_config.h" +#include "net/base/net_errors.h" +#include "net/base/test_data_directory.h" +#include "net/cert/cert_status_flags.h" +#include "net/cert/cert_verify_proc.h" +#include "net/cert/cert_verify_result.h" +#include "net/cert/test_root_certs.h" +#include "net/cert/x509_certificate.h" +#include "net/test/cert_test_util.h" +#include "testing/gtest/include/gtest/gtest.h" + +#if defined(USE_NSS) || defined(OS_IOS) +#include <nss.h> +#endif + +namespace net { + +namespace { + +// The local test root certificate. +const char kRootCertificateFile[] = "root_ca_cert.pem"; +// A certificate issued by the local test root for 127.0.0.1. +const char kGoodCertificateFile[] = "ok_cert.pem"; + +} // namespace + +// Test basic functionality when adding from an existing X509Certificate. +TEST(TestRootCertsTest, AddFromPointer) { + scoped_refptr<X509Certificate> root_cert = + ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile); + ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); + + TestRootCerts* test_roots = TestRootCerts::GetInstance(); + ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); + EXPECT_TRUE(test_roots->IsEmpty()); + + EXPECT_TRUE(test_roots->Add(root_cert.get())); + EXPECT_FALSE(test_roots->IsEmpty()); + + test_roots->Clear(); + EXPECT_TRUE(test_roots->IsEmpty()); +} + +// Test basic functionality when adding directly from a file, which should +// behave the same as when adding from an existing certificate. +TEST(TestRootCertsTest, AddFromFile) { + TestRootCerts* test_roots = TestRootCerts::GetInstance(); + ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); + EXPECT_TRUE(test_roots->IsEmpty()); + + base::FilePath cert_path = + GetTestCertsDirectory().AppendASCII(kRootCertificateFile); + EXPECT_TRUE(test_roots->AddFromFile(cert_path)); + EXPECT_FALSE(test_roots->IsEmpty()); + + test_roots->Clear(); + EXPECT_TRUE(test_roots->IsEmpty()); +} + +// Test that TestRootCerts actually adds the appropriate trust status flags +// when requested, and that the trusted status is cleared once the root is +// removed the TestRootCerts. This test acts as a canary/sanity check for +// the results of the rest of net_unittests, ensuring that the trust status +// is properly being set and cleared. +TEST(TestRootCertsTest, OverrideTrust) { +#if defined(USE_NSS) || defined(OS_IOS) + if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { + // See http://bugzil.la/863947 for details + LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; + return; + } +#endif + + TestRootCerts* test_roots = TestRootCerts::GetInstance(); + ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots); + EXPECT_TRUE(test_roots->IsEmpty()); + + scoped_refptr<X509Certificate> test_cert = + ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile); + ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert.get()); + + // Test that the good certificate fails verification, because the root + // certificate should not yet be trusted. + int flags = 0; + CertVerifyResult bad_verify_result; + scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault()); + int bad_status = verify_proc->Verify(test_cert.get(), + "127.0.0.1", + flags, + NULL, + CertificateList(), + &bad_verify_result); + EXPECT_NE(OK, bad_status); + EXPECT_NE(0u, bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); + + // Add the root certificate and mark it as trusted. + EXPECT_TRUE(test_roots->AddFromFile( + GetTestCertsDirectory().AppendASCII(kRootCertificateFile))); + EXPECT_FALSE(test_roots->IsEmpty()); + + // Test that the certificate verification now succeeds, because the + // TestRootCerts is successfully imbuing trust. + CertVerifyResult good_verify_result; + int good_status = verify_proc->Verify(test_cert.get(), + "127.0.0.1", + flags, + NULL, + CertificateList(), + &good_verify_result); + EXPECT_EQ(OK, good_status); + EXPECT_EQ(0u, good_verify_result.cert_status); + + test_roots->Clear(); + EXPECT_TRUE(test_roots->IsEmpty()); + + // Ensure that when the TestRootCerts is cleared, the trust settings + // revert to their original state, and don't linger. If trust status + // lingers, it will likely break other tests in net_unittests. + CertVerifyResult restored_verify_result; + int restored_status = verify_proc->Verify(test_cert.get(), + "127.0.0.1", + flags, + NULL, + CertificateList(), + &restored_verify_result); + EXPECT_NE(OK, restored_status); + EXPECT_NE(0u, + restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID); + EXPECT_EQ(bad_status, restored_status); + EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status); +} + +// TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that +// TestRootCerts properly injects itself into the validation process. See +// http://crbug.com/63958 + +} // namespace net |