net/cert/test_root_certs_unittest.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "base/files/file_path.h"
   6 #include "build/build_config.h"
   7 #include "net/base/net_errors.h"
   8 #include "net/base/test_data_directory.h"
   9 #include "net/cert/cert_status_flags.h"
  10 #include "net/cert/cert_verify_proc.h"
  11 #include "net/cert/cert_verify_result.h"
  12 #include "net/cert/test_root_certs.h"
  13 #include "net/cert/x509_certificate.h"
  14 #include "net/test/cert_test_util.h"
  15 #include "testing/gtest/include/gtest/gtest.h"
  16
  17 #if defined(USE_NSS_CERTS) || defined(OS_IOS)
  18 #include <nss.h>
  19 #endif
  20
  21 namespace net {
  22
  23 namespace {
  24
  25 // The local test root certificate.
  26 const char kRootCertificateFile[] = "root_ca_cert.pem";
  27 // A certificate issued by the local test root for 127.0.0.1.
  28 const char kGoodCertificateFile[] = "ok_cert.pem";
  29
  30 }  // namespace
  31
  32 // Test basic functionality when adding from an existing X509Certificate.
  33 TEST(TestRootCertsTest, AddFromPointer) {
  34   scoped_refptr<X509Certificate> root_cert =
  35       ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
  36   ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
  37
  38   TestRootCerts* test_roots = TestRootCerts::GetInstance();
  39   ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
  40   EXPECT_TRUE(test_roots->IsEmpty());
  41
  42   EXPECT_TRUE(test_roots->Add(root_cert.get()));
  43   EXPECT_FALSE(test_roots->IsEmpty());
  44
  45   test_roots->Clear();
  46   EXPECT_TRUE(test_roots->IsEmpty());
  47 }
  48
  49 // Test basic functionality when adding directly from a file, which should
  50 // behave the same as when adding from an existing certificate.
  51 TEST(TestRootCertsTest, AddFromFile) {
  52   TestRootCerts* test_roots = TestRootCerts::GetInstance();
  53   ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
  54   EXPECT_TRUE(test_roots->IsEmpty());
  55
  56   base::FilePath cert_path =
  57       GetTestCertsDirectory().AppendASCII(kRootCertificateFile);
  58   EXPECT_TRUE(test_roots->AddFromFile(cert_path));
  59   EXPECT_FALSE(test_roots->IsEmpty());
  60
  61   test_roots->Clear();
  62   EXPECT_TRUE(test_roots->IsEmpty());
  63 }
  64
  65 // Test that TestRootCerts actually adds the appropriate trust status flags
  66 // when requested, and that the trusted status is cleared once the root is
  67 // removed the TestRootCerts. This test acts as a canary/sanity check for
  68 // the results of the rest of net_unittests, ensuring that the trust status
  69 // is properly being set and cleared.
  70 TEST(TestRootCertsTest, OverrideTrust) {
  71 #if defined(USE_NSS_CERTS) || defined(OS_IOS)
  72   if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
  73     // See http://bugzil.la/863947 for details
  74     LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
  75     return;
  76   }
  77 #endif
  78
  79   TestRootCerts* test_roots = TestRootCerts::GetInstance();
  80   ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
  81   EXPECT_TRUE(test_roots->IsEmpty());
  82
  83   scoped_refptr<X509Certificate> test_cert =
  84       ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile);
  85   ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert.get());
  86
  87   // Test that the good certificate fails verification, because the root
  88   // certificate should not yet be trusted.
  89   int flags = 0;
  90   CertVerifyResult bad_verify_result;
  91   scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
  92   int bad_status =
  93       verify_proc->Verify(test_cert.get(), "127.0.0.1", std::string(), flags,
  94                           NULL, CertificateList(), &bad_verify_result);
  95   EXPECT_NE(OK, bad_status);
  96   EXPECT_NE(0u, bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
  97
  98   // Add the root certificate and mark it as trusted.
  99   EXPECT_TRUE(test_roots->AddFromFile(
 100       GetTestCertsDirectory().AppendASCII(kRootCertificateFile)));
 101   EXPECT_FALSE(test_roots->IsEmpty());
 102
 103   // Test that the certificate verification now succeeds, because the
 104   // TestRootCerts is successfully imbuing trust.
 105   CertVerifyResult good_verify_result;
 106   int good_status =
 107       verify_proc->Verify(test_cert.get(), "127.0.0.1", std::string(), flags,
 108                           NULL, CertificateList(), &good_verify_result);
 109   EXPECT_EQ(OK, good_status);
 110   EXPECT_EQ(0u, good_verify_result.cert_status);
 111
 112   test_roots->Clear();
 113   EXPECT_TRUE(test_roots->IsEmpty());
 114
 115   // Ensure that when the TestRootCerts is cleared, the trust settings
 116   // revert to their original state, and don't linger. If trust status
 117   // lingers, it will likely break other tests in net_unittests.
 118   CertVerifyResult restored_verify_result;
 119   int restored_status =
 120       verify_proc->Verify(test_cert.get(), "127.0.0.1", std::string(), flags,
 121                           NULL, CertificateList(), &restored_verify_result);
 122   EXPECT_NE(OK, restored_status);
 123   EXPECT_NE(0u,
 124             restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
 125   EXPECT_EQ(bad_status, restored_status);
 126   EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status);
 127 }
 128
 129 #if defined(USE_NSS_CERTS) || \
 130     (defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID))
 131 TEST(TestRootCertsTest, Contains) {
 132   // Another test root certificate.
 133   const char kRootCertificateFile2[] = "2048-rsa-root.pem";
 134
 135   TestRootCerts* test_roots = TestRootCerts::GetInstance();
 136   ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
 137
 138   scoped_refptr<X509Certificate> root_cert_1 =
 139       ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
 140   ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_1.get());
 141
 142   scoped_refptr<X509Certificate> root_cert_2 =
 143       ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile2);
 144   ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_2.get());
 145
 146   EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle()));
 147   EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle()));
 148
 149   EXPECT_TRUE(test_roots->Add(root_cert_1.get()));
 150   EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle()));
 151   EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle()));
 152
 153   EXPECT_TRUE(test_roots->Add(root_cert_2.get()));
 154   EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle()));
 155   EXPECT_TRUE(test_roots->Contains(root_cert_2->os_cert_handle()));
 156
 157   test_roots->Clear();
 158   EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle()));
 159   EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle()));
 160 }
 161 #endif
 162
 163 // TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that
 164 // TestRootCerts properly injects itself into the validation process. See
 165 // http://crbug.com/63958
 166
 167 }  // namespace net