net/cert/test_root_certs_unittest.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "base/files/file_path.h"
   6 #include "build/build_config.h"
   7 #include "net/base/net_errors.h"
   8 #include "net/base/test_data_directory.h"
   9 #include "net/cert/cert_status_flags.h"
  10 #include "net/cert/cert_verify_proc.h"
  11 #include "net/cert/cert_verify_result.h"
  12 #include "net/cert/test_root_certs.h"
  13 #include "net/cert/x509_certificate.h"
  14 #include "net/test/cert_test_util.h"
  15 #include "testing/gtest/include/gtest/gtest.h"
  16
  17 #if defined(USE_NSS) || defined(OS_IOS)
  18 #include <nss.h>
  19 #endif
  20
  21 namespace net {
  22
  23 namespace {
  24
  25 // The local test root certificate.
  26 const char kRootCertificateFile[] = "root_ca_cert.pem";
  27 // A certificate issued by the local test root for 127.0.0.1.
  28 const char kGoodCertificateFile[] = "ok_cert.pem";
  29
  30 }  // namespace
  31
  32 // Test basic functionality when adding from an existing X509Certificate.
  33 TEST(TestRootCertsTest, AddFromPointer) {
  34   scoped_refptr<X509Certificate> root_cert =
  35       ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
  36   ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
  37
  38   TestRootCerts* test_roots = TestRootCerts::GetInstance();
  39   ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
  40   EXPECT_TRUE(test_roots->IsEmpty());
  41
  42   EXPECT_TRUE(test_roots->Add(root_cert.get()));
  43   EXPECT_FALSE(test_roots->IsEmpty());
  44
  45   test_roots->Clear();
  46   EXPECT_TRUE(test_roots->IsEmpty());
  47 }
  48
  49 // Test basic functionality when adding directly from a file, which should
  50 // behave the same as when adding from an existing certificate.
  51 TEST(TestRootCertsTest, AddFromFile) {
  52   TestRootCerts* test_roots = TestRootCerts::GetInstance();
  53   ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
  54   EXPECT_TRUE(test_roots->IsEmpty());
  55
  56   base::FilePath cert_path =
  57       GetTestCertsDirectory().AppendASCII(kRootCertificateFile);
  58   EXPECT_TRUE(test_roots->AddFromFile(cert_path));
  59   EXPECT_FALSE(test_roots->IsEmpty());
  60
  61   test_roots->Clear();
  62   EXPECT_TRUE(test_roots->IsEmpty());
  63 }
  64
  65 // Test that TestRootCerts actually adds the appropriate trust status flags
  66 // when requested, and that the trusted status is cleared once the root is
  67 // removed the TestRootCerts. This test acts as a canary/sanity check for
  68 // the results of the rest of net_unittests, ensuring that the trust status
  69 // is properly being set and cleared.
  70 TEST(TestRootCertsTest, OverrideTrust) {
  71 #if defined(USE_NSS) || defined(OS_IOS)
  72   if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
  73     // See http://bugzil.la/863947 for details
  74     LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
  75     return;
  76   }
  77 #endif
  78
  79   TestRootCerts* test_roots = TestRootCerts::GetInstance();
  80   ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
  81   EXPECT_TRUE(test_roots->IsEmpty());
  82
  83   scoped_refptr<X509Certificate> test_cert =
  84       ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile);
  85   ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert.get());
  86
  87   // Test that the good certificate fails verification, because the root
  88   // certificate should not yet be trusted.
  89   int flags = 0;
  90   CertVerifyResult bad_verify_result;
  91   scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
  92   int bad_status = verify_proc->Verify(test_cert.get(),
  93                                        "127.0.0.1",
  94                                        flags,
  95                                        NULL,
  96                                        CertificateList(),
  97                                        &bad_verify_result);
  98   EXPECT_NE(OK, bad_status);
  99   EXPECT_NE(0u, bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
 100
 101   // Add the root certificate and mark it as trusted.
 102   EXPECT_TRUE(test_roots->AddFromFile(
 103       GetTestCertsDirectory().AppendASCII(kRootCertificateFile)));
 104   EXPECT_FALSE(test_roots->IsEmpty());
 105
 106   // Test that the certificate verification now succeeds, because the
 107   // TestRootCerts is successfully imbuing trust.
 108   CertVerifyResult good_verify_result;
 109   int good_status = verify_proc->Verify(test_cert.get(),
 110                                         "127.0.0.1",
 111                                         flags,
 112                                         NULL,
 113                                         CertificateList(),
 114                                         &good_verify_result);
 115   EXPECT_EQ(OK, good_status);
 116   EXPECT_EQ(0u, good_verify_result.cert_status);
 117
 118   test_roots->Clear();
 119   EXPECT_TRUE(test_roots->IsEmpty());
 120
 121   // Ensure that when the TestRootCerts is cleared, the trust settings
 122   // revert to their original state, and don't linger. If trust status
 123   // lingers, it will likely break other tests in net_unittests.
 124   CertVerifyResult restored_verify_result;
 125   int restored_status = verify_proc->Verify(test_cert.get(),
 126                                             "127.0.0.1",
 127                                             flags,
 128                                             NULL,
 129                                             CertificateList(),
 130                                             &restored_verify_result);
 131   EXPECT_NE(OK, restored_status);
 132   EXPECT_NE(0u,
 133             restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
 134   EXPECT_EQ(bad_status, restored_status);
 135   EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status);
 136 }
 137
 138 #if defined(USE_NSS) || (defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID))
 139 TEST(TestRootCertsTest, Contains) {
 140   // Another test root certificate.
 141   const char kRootCertificateFile2[] = "2048-rsa-root.pem";
 142
 143   TestRootCerts* test_roots = TestRootCerts::GetInstance();
 144   ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
 145
 146   scoped_refptr<X509Certificate> root_cert_1 =
 147       ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
 148   ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_1.get());
 149
 150   scoped_refptr<X509Certificate> root_cert_2 =
 151       ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile2);
 152   ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert_2.get());
 153
 154   EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle()));
 155   EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle()));
 156
 157   EXPECT_TRUE(test_roots->Add(root_cert_1.get()));
 158   EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle()));
 159   EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle()));
 160
 161   EXPECT_TRUE(test_roots->Add(root_cert_2.get()));
 162   EXPECT_TRUE(test_roots->Contains(root_cert_1->os_cert_handle()));
 163   EXPECT_TRUE(test_roots->Contains(root_cert_2->os_cert_handle()));
 164
 165   test_roots->Clear();
 166   EXPECT_FALSE(test_roots->Contains(root_cert_1->os_cert_handle()));
 167   EXPECT_FALSE(test_roots->Contains(root_cert_2->os_cert_handle()));
 168 }
 169 #endif
 170
 171 // TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that
 172 // TestRootCerts properly injects itself into the validation process. See
 173 // http://crbug.com/63958
 174
 175 }  // namespace net