chromeos/cert_loader_unittest.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chromeos/cert_loader.h"
   6
   7 #include "base/bind.h"
   8 #include "base/files/file_util.h"
   9 #include "base/memory/scoped_ptr.h"
  10 #include "base/message_loop/message_loop.h"
  11 #include "base/run_loop.h"
  12 #include "crypto/nss_util_internal.h"
  13 #include "crypto/scoped_nss_types.h"
  14 #include "crypto/scoped_test_nss_chromeos_user.h"
  15 #include "net/base/net_errors.h"
  16 #include "net/base/test_data_directory.h"
  17 #include "net/cert/nss_cert_database_chromeos.h"
  18 #include "net/cert/x509_certificate.h"
  19 #include "net/test/cert_test_util.h"
  20 #include "testing/gtest/include/gtest/gtest.h"
  21
  22 // http://crbug.com/418369
  23 #ifdef NDEBUG
  24
  25 namespace chromeos {
  26 namespace {
  27
  28 bool IsCertInCertificateList(const net::X509Certificate* cert,
  29                              const net::CertificateList& cert_list) {
  30   for (net::CertificateList::const_iterator it = cert_list.begin();
  31        it != cert_list.end();
  32        ++it) {
  33     if (net::X509Certificate::IsSameOSCert((*it)->os_cert_handle(),
  34                                             cert->os_cert_handle())) {
  35       return true;
  36     }
  37   }
  38   return false;
  39 }
  40
  41 void FailOnPrivateSlotCallback(crypto::ScopedPK11Slot slot) {
  42   EXPECT_FALSE(true) << "GetPrivateSlotForChromeOSUser callback called even "
  43                      << "though the private slot had been initialized.";
  44 }
  45
  46 class CertLoaderTest : public testing::Test,
  47                        public CertLoader::Observer {
  48  public:
  49   CertLoaderTest() : cert_loader_(NULL),
  50                      primary_user_("primary"),
  51                      certificates_loaded_events_count_(0U) {
  52   }
  53
  54   virtual ~CertLoaderTest() {}
  55
  56   virtual void SetUp() override {
  57     ASSERT_TRUE(primary_user_.constructed_successfully());
  58     ASSERT_TRUE(
  59         crypto::GetPublicSlotForChromeOSUser(primary_user_.username_hash()));
  60
  61     CertLoader::Initialize();
  62     cert_loader_ = CertLoader::Get();
  63     cert_loader_->AddObserver(this);
  64   }
  65
  66   virtual void TearDown() {
  67     cert_loader_->RemoveObserver(this);
  68     CertLoader::Shutdown();
  69   }
  70
  71  protected:
  72   void StartCertLoaderWithPrimaryUser() {
  73     FinishUserInitAndGetDatabase(&primary_user_, &primary_db_);
  74     cert_loader_->StartWithNSSDB(primary_db_.get());
  75
  76     base::RunLoop().RunUntilIdle();
  77     GetAndResetCertificatesLoadedEventsCount();
  78   }
  79
  80   // CertLoader::Observer:
  81   // The test keeps count of times the observer method was called.
  82   virtual void OnCertificatesLoaded(const net::CertificateList& cert_list,
  83                                     bool initial_load) override {
  84     EXPECT_TRUE(certificates_loaded_events_count_ == 0 || !initial_load);
  85     certificates_loaded_events_count_++;
  86   }
  87
  88   // Returns the number of |OnCertificatesLoaded| calls observed since the
  89   // last call to this method equals |value|.
  90   size_t GetAndResetCertificatesLoadedEventsCount() {
  91     size_t result = certificates_loaded_events_count_;
  92     certificates_loaded_events_count_ = 0;
  93     return result;
  94   }
  95
  96   // Finishes initialization for the |user| and returns a user's NSS database
  97   // instance.
  98   void FinishUserInitAndGetDatabase(
  99       crypto::ScopedTestNSSChromeOSUser* user,
 100       scoped_ptr<net::NSSCertDatabaseChromeOS>* database) {
 101     ASSERT_TRUE(user->constructed_successfully());
 102
 103     user->FinishInit();
 104
 105     crypto::ScopedPK11Slot private_slot(
 106         crypto::GetPrivateSlotForChromeOSUser(
 107             user->username_hash(),
 108             base::Bind(&FailOnPrivateSlotCallback)));
 109     ASSERT_TRUE(private_slot);
 110
 111     database->reset(new net::NSSCertDatabaseChromeOS(
 112         crypto::GetPublicSlotForChromeOSUser(user->username_hash()),
 113         private_slot.Pass()));
 114     (*database)->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
 115   }
 116
 117   int GetDbPrivateSlotId(net::NSSCertDatabase* db) {
 118     return static_cast<int>(PK11_GetSlotID(db->GetPrivateSlot().get()));
 119   }
 120
 121   void ImportCACert(const std::string& cert_file,
 122                     net::NSSCertDatabase* database,
 123                     net::CertificateList* imported_certs) {
 124     ASSERT_TRUE(database);
 125     ASSERT_TRUE(imported_certs);
 126
 127     // Add a certificate to the user's db.
 128     *imported_certs = net::CreateCertificateListFromFile(
 129         net::GetTestCertsDirectory(),
 130         cert_file,
 131         net::X509Certificate::FORMAT_AUTO);
 132     ASSERT_EQ(1U, imported_certs->size());
 133
 134     net::NSSCertDatabase::ImportCertFailureList failed;
 135     ASSERT_TRUE(database->ImportCACerts(*imported_certs,
 136                                         net::NSSCertDatabase::TRUST_DEFAULT,
 137                                         &failed));
 138     ASSERT_TRUE(failed.empty());
 139   }
 140
 141   void ImportClientCertAndKey(const std::string& pkcs12_file,
 142                               net::NSSCertDatabase* database,
 143                               net::CertificateList* imported_certs) {
 144     ASSERT_TRUE(database);
 145     ASSERT_TRUE(imported_certs);
 146
 147     std::string pkcs12_data;
 148     base::FilePath pkcs12_file_path =
 149         net::GetTestCertsDirectory().Append(pkcs12_file);
 150     ASSERT_TRUE(base::ReadFileToString(pkcs12_file_path, &pkcs12_data));
 151
 152     net::CertificateList client_cert_list;
 153     scoped_refptr<net::CryptoModule> module(net::CryptoModule::CreateFromHandle(
 154         database->GetPrivateSlot().get()));
 155     ASSERT_EQ(net::OK,
 156               database->ImportFromPKCS12(module.get(),
 157                                          pkcs12_data,
 158                                          base::string16(),
 159                                          false,
 160                                          imported_certs));
 161     ASSERT_EQ(1U, imported_certs->size());
 162   }
 163
 164   CertLoader* cert_loader_;
 165
 166   // The user is primary as the one whose certificates CertLoader handles, it
 167   // has nothing to do with crypto::InitializeNSSForChromeOSUser is_primary_user
 168   // parameter (which is irrelevant for these tests).
 169   crypto::ScopedTestNSSChromeOSUser primary_user_;
 170   scoped_ptr<net::NSSCertDatabaseChromeOS> primary_db_;
 171
 172   base::MessageLoop message_loop_;
 173
 174  private:
 175   size_t certificates_loaded_events_count_;
 176 };
 177
 178 TEST_F(CertLoaderTest, Basic) {
 179   EXPECT_FALSE(cert_loader_->CertificatesLoading());
 180   EXPECT_FALSE(cert_loader_->certificates_loaded());
 181
 182   FinishUserInitAndGetDatabase(&primary_user_, &primary_db_);
 183
 184   cert_loader_->StartWithNSSDB(primary_db_.get());
 185
 186   EXPECT_FALSE(cert_loader_->certificates_loaded());
 187   EXPECT_TRUE(cert_loader_->CertificatesLoading());
 188   EXPECT_TRUE(cert_loader_->cert_list().empty());
 189
 190   ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
 191   base::RunLoop().RunUntilIdle();
 192   EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 193
 194   EXPECT_TRUE(cert_loader_->certificates_loaded());
 195   EXPECT_FALSE(cert_loader_->CertificatesLoading());
 196
 197   // Default CA cert roots should get loaded.
 198   EXPECT_FALSE(cert_loader_->cert_list().empty());
 199 }
 200
 201 TEST_F(CertLoaderTest, CertLoaderUpdatesCertListOnNewCert) {
 202   StartCertLoaderWithPrimaryUser();
 203
 204   net::CertificateList certs;
 205   ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs);
 206
 207   // Certs are loaded asynchronously, so the new cert should not yet be in the
 208   // cert list.
 209   EXPECT_FALSE(
 210       IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
 211
 212   ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
 213   base::RunLoop().RunUntilIdle();
 214   EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 215
 216   // The certificate list should be updated now, as the message loop's been run.
 217   EXPECT_TRUE(
 218       IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
 219
 220   EXPECT_FALSE(cert_loader_->IsCertificateHardwareBacked(certs[0].get()));
 221 }
 222
 223 TEST_F(CertLoaderTest, CertLoaderNoUpdateOnSecondaryDbChanges) {
 224   crypto::ScopedTestNSSChromeOSUser secondary_user("secondary");
 225   scoped_ptr<net::NSSCertDatabaseChromeOS> secondary_db;
 226
 227   StartCertLoaderWithPrimaryUser();
 228   FinishUserInitAndGetDatabase(&secondary_user, &secondary_db);
 229
 230   net::CertificateList certs;
 231   ImportCACert("root_ca_cert.pem", secondary_db.get(), &certs);
 232
 233   base::RunLoop().RunUntilIdle();
 234
 235   EXPECT_FALSE(
 236       IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
 237 }
 238
 239 TEST_F(CertLoaderTest, ClientLoaderUpdateOnNewClientCert) {
 240   StartCertLoaderWithPrimaryUser();
 241
 242   net::CertificateList certs;
 243   ImportClientCertAndKey("websocket_client_cert.p12",
 244                          primary_db_.get(),
 245                          &certs);
 246
 247   ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
 248   base::RunLoop().RunUntilIdle();
 249   EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 250
 251   EXPECT_TRUE(
 252       IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
 253 }
 254
 255 TEST_F(CertLoaderTest, CertLoaderNoUpdateOnNewClientCertInSecondaryDb) {
 256   crypto::ScopedTestNSSChromeOSUser secondary_user("secondary");
 257   scoped_ptr<net::NSSCertDatabaseChromeOS> secondary_db;
 258
 259   StartCertLoaderWithPrimaryUser();
 260   FinishUserInitAndGetDatabase(&secondary_user, &secondary_db);
 261
 262   net::CertificateList certs;
 263   ImportClientCertAndKey("websocket_client_cert.p12",
 264                          secondary_db.get(),
 265                          &certs);
 266
 267   base::RunLoop().RunUntilIdle();
 268
 269   EXPECT_FALSE(
 270       IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
 271 }
 272
 273 TEST_F(CertLoaderTest, UpdatedOnCertRemoval) {
 274   StartCertLoaderWithPrimaryUser();
 275
 276   net::CertificateList certs;
 277   ImportClientCertAndKey("websocket_client_cert.p12",
 278                          primary_db_.get(),
 279                          &certs);
 280
 281   base::RunLoop().RunUntilIdle();
 282
 283   ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 284   ASSERT_TRUE(
 285       IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
 286
 287   primary_db_->DeleteCertAndKey(certs[0].get());
 288
 289   ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
 290   base::RunLoop().RunUntilIdle();
 291   EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 292
 293   ASSERT_FALSE(
 294       IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
 295 }
 296
 297 TEST_F(CertLoaderTest, UpdatedOnCACertTrustChange) {
 298   StartCertLoaderWithPrimaryUser();
 299
 300   net::CertificateList certs;
 301   ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs);
 302
 303   base::RunLoop().RunUntilIdle();
 304   ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 305   ASSERT_TRUE(
 306       IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
 307
 308   // The value that should have been set by |ImportCACert|.
 309   ASSERT_EQ(net::NSSCertDatabase::TRUST_DEFAULT,
 310             primary_db_->GetCertTrust(certs[0].get(), net::CA_CERT));
 311   ASSERT_TRUE(primary_db_->SetCertTrust(
 312       certs[0].get(), net::CA_CERT, net::NSSCertDatabase::TRUSTED_SSL));
 313
 314   // Cert trust change should trigger certificate reload in cert_loader_.
 315   ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
 316   base::RunLoop().RunUntilIdle();
 317   EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
 318 }
 319
 320 }  // namespace
 321 }  // namespace chromeos
 322
 323 #endif
 324