search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add network_ui OWNERS
[chromium-blink-merge.git] / net / cert / nss_cert_database_unittest.cc
blob342e0b9701ab26d59c44ae81a74fd2ba72539e82
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <cert.h>
6 #include <certdb.h>
7 #include <pk11pub.h>
8
9 #include <algorithm>
10
11 #include "base/bind.h"
12 #include "base/file_util.h"
13 #include "base/files/file_path.h"
14 #include "base/lazy_instance.h"
15 #include "base/message_loop/message_loop.h"
16 #include "base/message_loop/message_loop_proxy.h"
17 #include "base/path_service.h"
18 #include "base/run_loop.h"
19 #include "base/strings/string16.h"
20 #include "base/strings/string_util.h"
21 #include "base/strings/utf_string_conversions.h"
22 #include "crypto/nss_util.h"
23 #include "crypto/nss_util_internal.h"
24 #include "crypto/scoped_nss_types.h"
25 #include "net/base/crypto_module.h"
26 #include "net/base/net_errors.h"
27 #include "net/base/test_data_directory.h"
28 #include "net/cert/cert_status_flags.h"
29 #include "net/cert/cert_verify_proc_nss.h"
30 #include "net/cert/cert_verify_result.h"
31 #include "net/cert/nss_cert_database.h"
32 #include "net/cert/x509_certificate.h"
33 #include "net/test/cert_test_util.h"
34 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
35 #include "testing/gtest/include/gtest/gtest.h"
36
37 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
38 // the new name of the macro.
39 #if !defined(CERTDB_TERMINAL_RECORD)
40 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
41 #endif
42
43 using base::ASCIIToUTF16;
44
45 namespace net {
46
47 namespace {
48
49 void SwapCertList(CertificateList* destination,
50 scoped_ptr<CertificateList> source) {
51 ASSERT_TRUE(destination);
52 destination->swap(*source);
53 }
54
55 } // namespace
56
57 class CertDatabaseNSSTest : public testing::Test {
58 public:
59 virtual void SetUp() {
60 ASSERT_TRUE(test_nssdb_.is_open());
61 cert_db_ = NSSCertDatabase::GetInstance();
62 slot_ = cert_db_->GetPublicModule();
63
64 // Test db should be empty at start of test.
65 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
66 }
67
68 virtual void TearDown() {
69 // Don't try to cleanup if the setup failed.
70 ASSERT_TRUE(slot_->os_module_handle());
71
72 EXPECT_TRUE(CleanupSlotContents());
73
74 // Run the message loop to process any observer callbacks (e.g. for the
75 // ClientSocketFactory singleton) so that the scoped ref ptrs created in
76 // NSSCertDatabase::NotifyObservers* get released.
77 base::MessageLoop::current()->RunUntilIdle();
78
79 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
80 }
81
82 protected:
83 static std::string ReadTestFile(const std::string& name) {
84 std::string result;
85 base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name);
86 EXPECT_TRUE(base::ReadFileToString(cert_path, &result));
87 return result;
88 }
89
90 static bool ReadCertIntoList(const std::string& name,
91 CertificateList* certs) {
92 scoped_refptr<X509Certificate> cert(
93 ImportCertFromFile(GetTestCertsDirectory(), name));
94 if (!cert.get())
95 return false;
96
97 certs->push_back(cert);
98 return true;
99 }
100
101 static CertificateList ListCertsInSlot(PK11SlotInfo* slot) {
102 CertificateList result;
103 CERTCertList* cert_list = PK11_ListCertsInSlot(slot);
104 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
105 !CERT_LIST_END(node, cert_list);
106 node = CERT_LIST_NEXT(node)) {
107 result.push_back(X509Certificate::CreateFromHandle(
108 node->cert, X509Certificate::OSCertHandles()));
109 }
110 CERT_DestroyCertList(cert_list);
111
112 // Sort the result so that test comparisons can be deterministic.
113 std::sort(result.begin(), result.end(), X509Certificate::LessThan());
114 return result;
115 }
116
117 scoped_refptr<CryptoModule> slot_;
118 NSSCertDatabase* cert_db_;
119 const CertificateList empty_cert_list_;
120
121 private:
122 bool CleanupSlotContents() {
123 bool ok = true;
124 CertificateList certs = ListCertsInSlot(slot_->os_module_handle());
125 CERTCertTrust default_trust = {0};
126 for (size_t i = 0; i < certs.size(); ++i) {
127 // Reset cert trust values to defaults before deleting. Otherwise NSS
128 // somehow seems to remember the trust which can break following tests.
129 SECStatus srv = CERT_ChangeCertTrust(
130 CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust);
131 if (srv != SECSuccess)
132 ok = false;
133
134 if (!cert_db_->DeleteCertAndKey(certs[i].get()))
135 ok = false;
136 }
137 return ok;
138 }
139
140 crypto::ScopedTestNSSDB test_nssdb_;
141 };
142
143 TEST_F(CertDatabaseNSSTest, ListCertsSync) {
144 // This test isn't terribly useful, though it will at least let valgrind test
145 // for leaks.
146 CertificateList certs;
147 cert_db_->ListCertsSync(&certs);
148 // The test DB is empty, but let's assume there will always be something in
149 // the other slots.
150 EXPECT_LT(0U, certs.size());
151 }
152
153 TEST_F(CertDatabaseNSSTest, ListCerts) {
154 // This test isn't terribly useful, though it will at least let valgrind test
155 // for leaks.
156 CertificateList certs;
157 cert_db_->SetSlowTaskRunnerForTest(base::MessageLoopProxy::current());
158 cert_db_->ListCerts(base::Bind(&SwapCertList, base::Unretained(&certs)));
159 EXPECT_EQ(0U, certs.size());
160
161 base::RunLoop().RunUntilIdle();
162
163 // The test DB is empty, but let's assume there will always be something in
164 // the other slots.
165 EXPECT_LT(0U, certs.size());
166 }
167
168 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) {
169 std::string pkcs12_data = ReadTestFile("client.p12");
170
171 EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD,
172 cert_db_->ImportFromPKCS12(slot_.get(),
173 pkcs12_data,
174 base::string16(),
175 true, // is_extractable
176 NULL));
177
178 // Test db should still be empty.
179 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
180 }
181
182 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) {
183 std::string pkcs12_data = ReadTestFile("client.p12");
184
185 EXPECT_EQ(OK,
186 cert_db_->ImportFromPKCS12(slot_.get(),
187 pkcs12_data,
188 ASCIIToUTF16("12345"),
189 true, // is_extractable
190 NULL));
191
192 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
193 ASSERT_EQ(1U, cert_list.size());
194 scoped_refptr<X509Certificate> cert(cert_list[0]);
195
196 EXPECT_EQ("testusercert",
197 cert->subject().common_name);
198
199 // TODO(mattm): move export test to separate test case?
200 std::string exported_data;
201 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
202 &exported_data));
203 ASSERT_LT(0U, exported_data.size());
204 // TODO(mattm): further verification of exported data?
205 }
206
207 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) {
208 std::string pkcs12_data = ReadTestFile("client.p12");
209
210 EXPECT_EQ(OK,
211 cert_db_->ImportFromPKCS12(slot_.get(),
212 pkcs12_data,
213 ASCIIToUTF16("12345"),
214 true, // is_extractable
215 NULL));
216 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
217
218 // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like
219 // it's ever used. This test verifies that.
220 EXPECT_EQ(OK,
221 cert_db_->ImportFromPKCS12(slot_.get(),
222 pkcs12_data,
223 ASCIIToUTF16("12345"),
224 true, // is_extractable
225 NULL));
226 EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size());
227 }
228
229 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) {
230 std::string pkcs12_data = ReadTestFile("client.p12");
231
232 EXPECT_EQ(OK,
233 cert_db_->ImportFromPKCS12(slot_.get(),
234 pkcs12_data,
235 ASCIIToUTF16("12345"),
236 false, // is_extractable
237 NULL));
238
239 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
240 ASSERT_EQ(1U, cert_list.size());
241 scoped_refptr<X509Certificate> cert(cert_list[0]);
242
243 EXPECT_EQ("testusercert",
244 cert->subject().common_name);
245
246 std::string exported_data;
247 EXPECT_EQ(0, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
248 &exported_data));
249 }
250
251 // Importing a PKCS#12 file with a certificate but no corresponding
252 // private key should not mark an existing private key as unextractable.
253 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) {
254 std::string pkcs12_data = ReadTestFile("client.p12");
255 EXPECT_EQ(OK,
256 cert_db_->ImportFromPKCS12(slot_.get(),
257 pkcs12_data,
258 ASCIIToUTF16("12345"),
259 true, // is_extractable
260 NULL));
261
262 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
263 ASSERT_EQ(1U, cert_list.size());
264
265 // Now import a PKCS#12 file with just a certificate but no private key.
266 pkcs12_data = ReadTestFile("client-nokey.p12");
267 EXPECT_EQ(OK,
268 cert_db_->ImportFromPKCS12(slot_.get(),
269 pkcs12_data,
270 ASCIIToUTF16("12345"),
271 false, // is_extractable
272 NULL));
273
274 cert_list = ListCertsInSlot(slot_->os_module_handle());
275 ASSERT_EQ(1U, cert_list.size());
276
277 // Make sure the imported private key is still extractable.
278 std::string exported_data;
279 EXPECT_EQ(1, cert_db_->ExportToPKCS12(cert_list, ASCIIToUTF16("exportpw"),
280 &exported_data));
281 ASSERT_LT(0U, exported_data.size());
282 }
283
284 TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
285 std::string pkcs12_data = "Foobarbaz";
286
287 EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE,
288 cert_db_->ImportFromPKCS12(slot_.get(),
289 pkcs12_data,
290 base::string16(),
291 true, // is_extractable
292 NULL));
293
294 // Test db should still be empty.
295 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
296 }
297
298 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
299 CertificateList certs = CreateCertificateListFromFile(
300 GetTestCertsDirectory(), "root_ca_cert.pem",
301 X509Certificate::FORMAT_AUTO);
302 ASSERT_EQ(1U, certs.size());
303 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
304
305 // Import it.
306 NSSCertDatabase::ImportCertFailureList failed;
307 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
308 &failed));
309
310 EXPECT_EQ(0U, failed.size());
311
312 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
313 ASSERT_EQ(1U, cert_list.size());
314 scoped_refptr<X509Certificate> cert(cert_list[0]);
315 EXPECT_EQ("Test Root CA", cert->subject().common_name);
316
317 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
318 cert_db_->GetCertTrust(cert.get(), CA_CERT));
319
320 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
321 CERTDB_TRUSTED_CLIENT_CA),
322 cert->os_cert_handle()->trust->sslFlags);
323 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
324 cert->os_cert_handle()->trust->emailFlags);
325 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
326 cert->os_cert_handle()->trust->objectSigningFlags);
327 }
328
329 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
330 CertificateList certs = CreateCertificateListFromFile(
331 GetTestCertsDirectory(), "root_ca_cert.pem",
332 X509Certificate::FORMAT_AUTO);
333 ASSERT_EQ(1U, certs.size());
334 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
335
336 // Import it.
337 NSSCertDatabase::ImportCertFailureList failed;
338 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_EMAIL,
339 &failed));
340
341 EXPECT_EQ(0U, failed.size());
342
343 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
344 ASSERT_EQ(1U, cert_list.size());
345 scoped_refptr<X509Certificate> cert(cert_list[0]);
346 EXPECT_EQ("Test Root CA", cert->subject().common_name);
347
348 EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL,
349 cert_db_->GetCertTrust(cert.get(), CA_CERT));
350
351 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
352 cert->os_cert_handle()->trust->sslFlags);
353 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
354 CERTDB_TRUSTED_CLIENT_CA),
355 cert->os_cert_handle()->trust->emailFlags);
356 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
357 cert->os_cert_handle()->trust->objectSigningFlags);
358 }
359
360 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
361 CertificateList certs = CreateCertificateListFromFile(
362 GetTestCertsDirectory(), "root_ca_cert.pem",
363 X509Certificate::FORMAT_AUTO);
364 ASSERT_EQ(1U, certs.size());
365 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
366
367 // Import it.
368 NSSCertDatabase::ImportCertFailureList failed;
369 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_OBJ_SIGN,
370 &failed));
371
372 EXPECT_EQ(0U, failed.size());
373
374 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
375 ASSERT_EQ(1U, cert_list.size());
376 scoped_refptr<X509Certificate> cert(cert_list[0]);
377 EXPECT_EQ("Test Root CA", cert->subject().common_name);
378
379 EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN,
380 cert_db_->GetCertTrust(cert.get(), CA_CERT));
381
382 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
383 cert->os_cert_handle()->trust->sslFlags);
384 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
385 cert->os_cert_handle()->trust->emailFlags);
386 EXPECT_EQ(unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
387 CERTDB_TRUSTED_CLIENT_CA),
388 cert->os_cert_handle()->trust->objectSigningFlags);
389 }
390
391 TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
392 CertificateList certs = CreateCertificateListFromFile(
393 GetTestCertsDirectory(), "ok_cert.pem",
394 X509Certificate::FORMAT_AUTO);
395 ASSERT_EQ(1U, certs.size());
396 EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
397
398 // Import it.
399 NSSCertDatabase::ImportCertFailureList failed;
400 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUSTED_SSL,
401 &failed));
402 ASSERT_EQ(1U, failed.size());
403 // Note: this compares pointers directly. It's okay in this case because
404 // ImportCACerts returns the same pointers that were passed in. In the
405 // general case IsSameOSCert should be used.
406 EXPECT_EQ(certs[0], failed[0].certificate);
407 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error);
408
409 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
410 }
411
412 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) {
413 CertificateList certs;
414 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
415 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
416 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
417
418 // Import it.
419 NSSCertDatabase::ImportCertFailureList failed;
420 // Have to specify email trust for the cert verification of the child cert to
421 // work (see
422 // http://mxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#752
423 // "XXX This choice of trustType seems arbitrary.")
424 EXPECT_TRUE(cert_db_->ImportCACerts(
425 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
426 &failed));
427
428 ASSERT_EQ(2U, failed.size());
429 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
430 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
431 EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name);
432 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error);
433
434 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
435 ASSERT_EQ(1U, cert_list.size());
436 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
437 }
438
439 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) {
440 CertificateList certs;
441 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
442
443 // First import just the root.
444 NSSCertDatabase::ImportCertFailureList failed;
445 EXPECT_TRUE(cert_db_->ImportCACerts(
446 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
447 &failed));
448
449 EXPECT_EQ(0U, failed.size());
450 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
451 ASSERT_EQ(1U, cert_list.size());
452 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
453
454 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
455 ASSERT_TRUE(ReadCertIntoList("www_us_army_mil_cert.der", &certs));
456
457 // Now import with the other certs in the list too. Even though the root is
458 // already present, we should still import the rest.
459 failed.clear();
460 EXPECT_TRUE(cert_db_->ImportCACerts(
461 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
462 &failed));
463
464 ASSERT_EQ(3U, failed.size());
465 EXPECT_EQ("DoD Root CA 2", failed[0].certificate->subject().common_name);
466 EXPECT_EQ(ERR_IMPORT_CERT_ALREADY_EXISTS, failed[0].net_error);
467 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
468 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
469 EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name);
470 EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error);
471
472 cert_list = ListCertsInSlot(slot_->os_module_handle());
473 ASSERT_EQ(1U, cert_list.size());
474 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
475 }
476
477 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) {
478 CertificateList certs;
479 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
480 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
481
482 // Import it.
483 NSSCertDatabase::ImportCertFailureList failed;
484 EXPECT_TRUE(cert_db_->ImportCACerts(certs, NSSCertDatabase::TRUST_DEFAULT,
485 &failed));
486
487 ASSERT_EQ(1U, failed.size());
488 EXPECT_EQ("DOD CA-17", failed[0].certificate->subject().common_name);
489 // TODO(mattm): should check for net error equivalent of
490 // SEC_ERROR_UNTRUSTED_ISSUER
491 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
492
493 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
494 ASSERT_EQ(1U, cert_list.size());
495 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
496 }
497
498 TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) {
499 CertificateList certs;
500 ASSERT_TRUE(ReadCertIntoList("dod_root_ca_2_cert.der", &certs));
501 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
502 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
503
504 // Import it.
505 NSSCertDatabase::ImportCertFailureList failed;
506 EXPECT_TRUE(cert_db_->ImportCACerts(
507 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL,
508 &failed));
509
510 EXPECT_EQ(2U, failed.size());
511 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
512 EXPECT_EQ(ERR_FAILED, failed[0].net_error); // The certificate expired.
513 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
514 EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired.
515
516 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
517 ASSERT_EQ(1U, cert_list.size());
518 EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name);
519 }
520
521 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
522 CertificateList certs = CreateCertificateListFromFile(
523 GetTestCertsDirectory(), "root_ca_cert.pem",
524 X509Certificate::FORMAT_AUTO);
525 ASSERT_EQ(1U, certs.size());
526 ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
527 ASSERT_TRUE(ReadCertIntoList("dod_ca_17_cert.der", &certs));
528
529 // Import it.
530 NSSCertDatabase::ImportCertFailureList failed;
531 EXPECT_TRUE(cert_db_->ImportCACerts(
532 certs, NSSCertDatabase::TRUSTED_SSL | NSSCertDatabase::TRUSTED_EMAIL |
533 NSSCertDatabase::TRUSTED_OBJ_SIGN, &failed));
534
535 ASSERT_EQ(2U, failed.size());
536 // TODO(mattm): should check for net error equivalent of
537 // SEC_ERROR_UNKNOWN_ISSUER
538 EXPECT_EQ("DOD CA-13", failed[0].certificate->subject().common_name);
539 EXPECT_EQ(ERR_FAILED, failed[0].net_error);
540 EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name);
541 EXPECT_EQ(ERR_FAILED, failed[1].net_error);
542
543 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
544 ASSERT_EQ(1U, cert_list.size());
545 EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name);
546 }
547
548 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired
549 // certificate.
550 TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) {
551 // Need to import intermediate cert for the verify of google cert, otherwise
552 // it will try to fetch it automatically with cert_pi_useAIACertFetch, which
553 // will cause OCSPCreateSession on the main thread, which is not allowed.
554 CertificateList certs = CreateCertificateListFromFile(
555 GetTestCertsDirectory(), "google.chain.pem",
556 X509Certificate::FORMAT_AUTO);
557 ASSERT_EQ(2U, certs.size());
558
559 NSSCertDatabase::ImportCertFailureList failed;
560 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
561 &failed));
562
563 EXPECT_EQ(0U, failed.size());
564
565 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
566 ASSERT_EQ(2U, cert_list.size());
567 scoped_refptr<X509Certificate> goog_cert(cert_list[0]);
568 scoped_refptr<X509Certificate> thawte_cert(cert_list[1]);
569 EXPECT_EQ("www.google.com", goog_cert->subject().common_name);
570 EXPECT_EQ("Thawte SGC CA", thawte_cert->subject().common_name);
571
572 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
573 cert_db_->GetCertTrust(goog_cert.get(), SERVER_CERT));
574
575 EXPECT_EQ(0U, goog_cert->os_cert_handle()->trust->sslFlags);
576
577 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
578 int flags = 0;
579 CertVerifyResult verify_result;
580 int error = verify_proc->Verify(goog_cert.get(),
581 "www.google.com",
582 flags,
583 NULL,
584 empty_cert_list_,
585 &verify_result);
586 EXPECT_EQ(OK, error);
587 EXPECT_EQ(0U, verify_result.cert_status);
588 }
589
590 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) {
591 CertificateList certs;
592 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
593
594 NSSCertDatabase::ImportCertFailureList failed;
595 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
596 &failed));
597
598 EXPECT_EQ(0U, failed.size());
599
600 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
601 ASSERT_EQ(1U, cert_list.size());
602 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
603
604 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
605 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
606 EXPECT_EQ(0U, puny_cert->os_cert_handle()->trust->sslFlags);
607
608 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
609 int flags = 0;
610 CertVerifyResult verify_result;
611 int error = verify_proc->Verify(puny_cert.get(),
612 "xn--wgv71a119e.com",
613 flags,
614 NULL,
615 empty_cert_list_,
616 &verify_result);
617 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
618 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result.cert_status);
619 }
620
621 TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
622 CertificateList certs;
623 ASSERT_TRUE(ReadCertIntoList("punycodetest.der", &certs));
624
625 NSSCertDatabase::ImportCertFailureList failed;
626 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUSTED_SSL,
627 &failed));
628
629 EXPECT_EQ(0U, failed.size());
630
631 CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
632 ASSERT_EQ(1U, cert_list.size());
633 scoped_refptr<X509Certificate> puny_cert(cert_list[0]);
634
635 EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
636 cert_db_->GetCertTrust(puny_cert.get(), SERVER_CERT));
637 EXPECT_EQ(unsigned(CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD),
638 puny_cert->os_cert_handle()->trust->sslFlags);
639
640 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
641 int flags = 0;
642 CertVerifyResult verify_result;
643 int error = verify_proc->Verify(puny_cert.get(),
644 "xn--wgv71a119e.com",
645 flags,
646 NULL,
647 empty_cert_list_,
648 &verify_result);
649 EXPECT_EQ(OK, error);
650 EXPECT_EQ(0U, verify_result.cert_status);
651 }
652
653 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
654 CertificateList ca_certs = CreateCertificateListFromFile(
655 GetTestCertsDirectory(), "root_ca_cert.pem",
656 X509Certificate::FORMAT_AUTO);
657 ASSERT_EQ(1U, ca_certs.size());
658
659 // Import CA cert and trust it.
660 NSSCertDatabase::ImportCertFailureList failed;
661 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
662 &failed));
663 EXPECT_EQ(0U, failed.size());
664
665 CertificateList certs = CreateCertificateListFromFile(
666 GetTestCertsDirectory(), "ok_cert.pem",
667 X509Certificate::FORMAT_AUTO);
668 ASSERT_EQ(1U, certs.size());
669
670 // Import server cert with default trust.
671 EXPECT_TRUE(cert_db_->ImportServerCert(certs, NSSCertDatabase::TRUST_DEFAULT,
672 &failed));
673 EXPECT_EQ(0U, failed.size());
674
675 // Server cert should verify.
676 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
677 int flags = 0;
678 CertVerifyResult verify_result;
679 int error = verify_proc->Verify(certs[0].get(),
680 "127.0.0.1",
681 flags,
682 NULL,
683 empty_cert_list_,
684 &verify_result);
685 EXPECT_EQ(OK, error);
686 EXPECT_EQ(0U, verify_result.cert_status);
687 }
688
689 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
690 CertificateList ca_certs = CreateCertificateListFromFile(
691 GetTestCertsDirectory(), "root_ca_cert.pem",
692 X509Certificate::FORMAT_AUTO);
693 ASSERT_EQ(1U, ca_certs.size());
694
695 // Import CA cert and trust it.
696 NSSCertDatabase::ImportCertFailureList failed;
697 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
698 &failed));
699 EXPECT_EQ(0U, failed.size());
700
701 CertificateList certs = CreateCertificateListFromFile(
702 GetTestCertsDirectory(), "ok_cert.pem",
703 X509Certificate::FORMAT_AUTO);
704 ASSERT_EQ(1U, certs.size());
705
706 // Import server cert without inheriting trust from issuer (explicit
707 // distrust).
708 EXPECT_TRUE(cert_db_->ImportServerCert(
709 certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
710 EXPECT_EQ(0U, failed.size());
711 EXPECT_EQ(NSSCertDatabase::DISTRUSTED_SSL,
712 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
713
714 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
715 certs[0]->os_cert_handle()->trust->sslFlags);
716
717 // Server cert should fail to verify.
718 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
719 int flags = 0;
720 CertVerifyResult verify_result;
721 int error = verify_proc->Verify(certs[0].get(),
722 "127.0.0.1",
723 flags,
724 NULL,
725 empty_cert_list_,
726 &verify_result);
727 EXPECT_EQ(ERR_CERT_REVOKED, error);
728 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
729 }
730
731 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa) {
732 CertificateList ca_certs = CreateCertificateListFromFile(
733 GetTestCertsDirectory(), "2048-rsa-root.pem",
734 X509Certificate::FORMAT_AUTO);
735 ASSERT_EQ(1U, ca_certs.size());
736
737 // Import Root CA cert and distrust it.
738 NSSCertDatabase::ImportCertFailureList failed;
739 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::DISTRUSTED_SSL,
740 &failed));
741 EXPECT_EQ(0U, failed.size());
742
743 CertificateList intermediate_certs = CreateCertificateListFromFile(
744 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
745 X509Certificate::FORMAT_AUTO);
746 ASSERT_EQ(1U, intermediate_certs.size());
747
748 // Import Intermediate CA cert and trust it.
749 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
750 NSSCertDatabase::TRUSTED_SSL, &failed));
751 EXPECT_EQ(0U, failed.size());
752
753 CertificateList certs = CreateCertificateListFromFile(
754 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
755 X509Certificate::FORMAT_AUTO);
756 ASSERT_EQ(1U, certs.size());
757
758 // Import server cert with default trust.
759 EXPECT_TRUE(cert_db_->ImportServerCert(
760 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
761 EXPECT_EQ(0U, failed.size());
762 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
763 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
764
765 // Server cert should verify.
766 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
767 int flags = 0;
768 CertVerifyResult verify_result;
769 int error = verify_proc->Verify(certs[0].get(),
770 "127.0.0.1",
771 flags,
772 NULL,
773 empty_cert_list_,
774 &verify_result);
775 EXPECT_EQ(OK, error);
776 EXPECT_EQ(0U, verify_result.cert_status);
777
778 // Trust the root cert and distrust the intermediate.
779 EXPECT_TRUE(cert_db_->SetCertTrust(
780 ca_certs[0].get(), CA_CERT, NSSCertDatabase::TRUSTED_SSL));
781 EXPECT_TRUE(cert_db_->SetCertTrust(
782 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::DISTRUSTED_SSL));
783 EXPECT_EQ(
784 unsigned(CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA),
785 ca_certs[0]->os_cert_handle()->trust->sslFlags);
786 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
787 ca_certs[0]->os_cert_handle()->trust->emailFlags);
788 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
789 ca_certs[0]->os_cert_handle()->trust->objectSigningFlags);
790 EXPECT_EQ(unsigned(CERTDB_TERMINAL_RECORD),
791 intermediate_certs[0]->os_cert_handle()->trust->sslFlags);
792 EXPECT_EQ(unsigned(CERTDB_VALID_CA),
793 intermediate_certs[0]->os_cert_handle()->trust->emailFlags);
794 EXPECT_EQ(
795 unsigned(CERTDB_VALID_CA),
796 intermediate_certs[0]->os_cert_handle()->trust->objectSigningFlags);
797
798 // Server cert should fail to verify.
799 CertVerifyResult verify_result2;
800 error = verify_proc->Verify(certs[0].get(),
801 "127.0.0.1",
802 flags,
803 NULL,
804 empty_cert_list_,
805 &verify_result2);
806 EXPECT_EQ(ERR_CERT_REVOKED, error);
807 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result2.cert_status);
808 }
809
810 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa2) {
811 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
812 // See http://bugzil.la/863947 for details.
813 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
814 return;
815 }
816
817 NSSCertDatabase::ImportCertFailureList failed;
818
819 CertificateList intermediate_certs = CreateCertificateListFromFile(
820 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
821 X509Certificate::FORMAT_AUTO);
822 ASSERT_EQ(1U, intermediate_certs.size());
823
824 // Import Intermediate CA cert and trust it.
825 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
826 NSSCertDatabase::TRUSTED_SSL, &failed));
827 EXPECT_EQ(0U, failed.size());
828
829 CertificateList certs = CreateCertificateListFromFile(
830 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
831 X509Certificate::FORMAT_AUTO);
832 ASSERT_EQ(1U, certs.size());
833
834 // Import server cert with default trust.
835 EXPECT_TRUE(cert_db_->ImportServerCert(
836 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
837 EXPECT_EQ(0U, failed.size());
838 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
839 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
840
841 // Server cert should verify.
842 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
843 int flags = 0;
844 CertVerifyResult verify_result;
845 int error = verify_proc->Verify(certs[0].get(),
846 "127.0.0.1",
847 flags,
848 NULL,
849 empty_cert_list_,
850 &verify_result);
851 EXPECT_EQ(OK, error);
852 EXPECT_EQ(0U, verify_result.cert_status);
853
854 // Without explicit trust of the intermediate, verification should fail.
855 EXPECT_TRUE(cert_db_->SetCertTrust(
856 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
857
858 // Server cert should fail to verify.
859 CertVerifyResult verify_result2;
860 error = verify_proc->Verify(certs[0].get(),
861 "127.0.0.1",
862 flags,
863 NULL,
864 empty_cert_list_,
865 &verify_result2);
866 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
867 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
868 }
869
870 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa3) {
871 if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
872 // See http://bugzil.la/863947 for details.
873 LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
874 return;
875 }
876
877 NSSCertDatabase::ImportCertFailureList failed;
878
879 CertificateList ca_certs = CreateCertificateListFromFile(
880 GetTestCertsDirectory(), "2048-rsa-root.pem",
881 X509Certificate::FORMAT_AUTO);
882 ASSERT_EQ(1U, ca_certs.size());
883
884 // Import Root CA cert and default trust it.
885 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUST_DEFAULT,
886 &failed));
887 EXPECT_EQ(0U, failed.size());
888
889 CertificateList intermediate_certs = CreateCertificateListFromFile(
890 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
891 X509Certificate::FORMAT_AUTO);
892 ASSERT_EQ(1U, intermediate_certs.size());
893
894 // Import Intermediate CA cert and trust it.
895 EXPECT_TRUE(cert_db_->ImportCACerts(intermediate_certs,
896 NSSCertDatabase::TRUSTED_SSL, &failed));
897 EXPECT_EQ(0U, failed.size());
898
899 CertificateList certs = CreateCertificateListFromFile(
900 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
901 X509Certificate::FORMAT_AUTO);
902 ASSERT_EQ(1U, certs.size());
903
904 // Import server cert with default trust.
905 EXPECT_TRUE(cert_db_->ImportServerCert(
906 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
907 EXPECT_EQ(0U, failed.size());
908 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
909 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
910
911 // Server cert should verify.
912 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
913 int flags = 0;
914 CertVerifyResult verify_result;
915 int error = verify_proc->Verify(certs[0].get(),
916 "127.0.0.1",
917 flags,
918 NULL,
919 empty_cert_list_,
920 &verify_result);
921 EXPECT_EQ(OK, error);
922 EXPECT_EQ(0U, verify_result.cert_status);
923
924 // Without explicit trust of the intermediate, verification should fail.
925 EXPECT_TRUE(cert_db_->SetCertTrust(
926 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
927
928 // Server cert should fail to verify.
929 CertVerifyResult verify_result2;
930 error = verify_proc->Verify(certs[0].get(),
931 "127.0.0.1",
932 flags,
933 NULL,
934 empty_cert_list_,
935 &verify_result2);
936 EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error);
937 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, verify_result2.cert_status);
938 }
939
940 TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
941 NSSCertDatabase::ImportCertFailureList failed;
942
943 CertificateList ca_certs = CreateCertificateListFromFile(
944 GetTestCertsDirectory(), "2048-rsa-root.pem",
945 X509Certificate::FORMAT_AUTO);
946 ASSERT_EQ(1U, ca_certs.size());
947
948 // Import Root CA cert and trust it.
949 EXPECT_TRUE(cert_db_->ImportCACerts(ca_certs, NSSCertDatabase::TRUSTED_SSL,
950 &failed));
951 EXPECT_EQ(0U, failed.size());
952
953 CertificateList intermediate_certs = CreateCertificateListFromFile(
954 GetTestCertsDirectory(), "2048-rsa-intermediate.pem",
955 X509Certificate::FORMAT_AUTO);
956 ASSERT_EQ(1U, intermediate_certs.size());
957
958 // Import Intermediate CA cert and distrust it.
959 EXPECT_TRUE(cert_db_->ImportCACerts(
960 intermediate_certs, NSSCertDatabase::DISTRUSTED_SSL, &failed));
961 EXPECT_EQ(0U, failed.size());
962
963 CertificateList certs = CreateCertificateListFromFile(
964 GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
965 X509Certificate::FORMAT_AUTO);
966 ASSERT_EQ(1U, certs.size());
967
968 // Import server cert with default trust.
969 EXPECT_TRUE(cert_db_->ImportServerCert(
970 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
971 EXPECT_EQ(0U, failed.size());
972 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
973 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
974
975 // Server cert should not verify.
976 scoped_refptr<CertVerifyProc> verify_proc(new CertVerifyProcNSS());
977 int flags = 0;
978 CertVerifyResult verify_result;
979 int error = verify_proc->Verify(certs[0].get(),
980 "127.0.0.1",
981 flags,
982 NULL,
983 empty_cert_list_,
984 &verify_result);
985 EXPECT_EQ(ERR_CERT_REVOKED, error);
986 EXPECT_EQ(CERT_STATUS_REVOKED, verify_result.cert_status);
987
988 // Without explicit distrust of the intermediate, verification should succeed.
989 EXPECT_TRUE(cert_db_->SetCertTrust(
990 intermediate_certs[0].get(), CA_CERT, NSSCertDatabase::TRUST_DEFAULT));
991
992 // Server cert should verify.
993 CertVerifyResult verify_result2;
994 error = verify_proc->Verify(certs[0].get(),
995 "127.0.0.1",
996 flags,
997 NULL,
998 empty_cert_list_,
999 &verify_result2);
1000 EXPECT_EQ(OK, error);
1001 EXPECT_EQ(0U, verify_result2.cert_status);
1002 }
1003
1004 // Importing two certificates with the same issuer and subject common name,
1005 // but overall distinct subject names, should succeed and generate a unique
1006 // nickname for the second certificate.
1007 TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {
1008 CertificateList certs =
1009 CreateCertificateListFromFile(GetTestCertsDirectory(),
1010 "duplicate_cn_1.pem",
1011 X509Certificate::FORMAT_AUTO);
1012 ASSERT_EQ(1U, certs.size());
1013
1014 EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
1015
1016 // Import server cert with default trust.
1017 NSSCertDatabase::ImportCertFailureList failed;
1018 EXPECT_TRUE(cert_db_->ImportServerCert(
1019 certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
1020 EXPECT_EQ(0U, failed.size());
1021 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
1022 cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT));
1023
1024 CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle());
1025 ASSERT_EQ(1U, new_certs.size());
1026
1027 // Now attempt to import a different certificate with the same common name.
1028 CertificateList certs2 =
1029 CreateCertificateListFromFile(GetTestCertsDirectory(),
1030 "duplicate_cn_2.pem",
1031 X509Certificate::FORMAT_AUTO);
1032 ASSERT_EQ(1U, certs2.size());
1033
1034 // Import server cert with default trust.
1035 EXPECT_TRUE(cert_db_->ImportServerCert(
1036 certs2, NSSCertDatabase::TRUST_DEFAULT, &failed));
1037 EXPECT_EQ(0U, failed.size());
1038 EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
1039 cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT));
1040
1041 new_certs = ListCertsInSlot(slot_->os_module_handle());
1042 ASSERT_EQ(2U, new_certs.size());
1043 EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname,
1044 new_certs[1]->os_cert_handle()->nickname);
1045 }
1046
1047 } // namespace net