author | pneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-07-25 10:09:52 +0000 |
---|---|---|
committer | pneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-07-25 10:09:52 +0000 |
commit | 30bb2810b94727989aaae07b4ff93d1a8f239e21 (patch) | |
tree | 61ef7e671ed1fc3dd46a3918d93dfd639479105c | |
parent | e9c8d3aaa6200b1a0683dcf3db0a39ca7a40d59f (diff) | |
Remove the deprecated NSSCertDatabase::GetInstance() .
The NSSCertDatabase singleton for Linux is now maintained by nss_context_linux.cc .
BUG=329735
Review URL: https://codereview.chromium.org/405973003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@285551 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/browser/net/nss_context.h | 2 | ||||
-rw-r--r-- | chrome/browser/net/nss_context_linux.cc | 20 | ||||
-rw-r--r-- | chrome/common/net/x509_certificate_model_unittest.cc | 22 | ||||
-rw-r--r-- | chromeos/cert_loader.cc | 6 | ||||
-rw-r--r-- | chromeos/cert_loader_unittest.cc | 14 | ||||
-rw-r--r-- | net/cert/nss_cert_database.cc | 33 | ||||
-rw-r--r-- | net/cert/nss_cert_database.h | 27 | ||||
-rw-r--r-- | net/cert/nss_cert_database_chromeos.cc | 13 | ||||
-rw-r--r-- | net/cert/nss_cert_database_chromeos.h | 4 | ||||
-rw-r--r-- | net/cert/nss_cert_database_unittest.cc | 113 |
10 files changed, 115 insertions, 139 deletions
diff --git a/chrome/browser/net/nss_context.h b/chrome/browser/net/nss_context.h index feb178c..33023c0 100644 --- a/chrome/browser/net/nss_context.h +++ b/chrome/browser/net/nss_context.h @@ -40,7 +40,7 @@ crypto::ScopedPK11Slot GetPrivateNSSKeySlotForResourceContext( // |callback| will be run once the DB is initialized. Ownership is not // transferred, but the caller may save the pointer, which will remain valid for // the lifetime of the ResourceContext. -// Should be called only on the IO thread. +// Must be called only on the IO thread. net::NSSCertDatabase* GetNSSCertDatabaseForResourceContext( content::ResourceContext* context, const base::Callback<void(net::NSSCertDatabase*)>& callback) diff --git a/chrome/browser/net/nss_context_linux.cc b/chrome/browser/net/nss_context_linux.cc index 5aa18e6..9021a90 100644 --- a/chrome/browser/net/nss_context_linux.cc +++ b/chrome/browser/net/nss_context_linux.cc @@ -8,6 +8,10 @@ #include "crypto/nss_util_internal.h" #include "net/cert/nss_cert_database.h" +namespace { +net::NSSCertDatabase* g_nss_cert_database = NULL; +} // namespace + crypto::ScopedPK11Slot GetPublicNSSKeySlotForResourceContext( content::ResourceContext* context) { DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO)); 
@@ -24,6 +28,18 @@ crypto::ScopedPK11Slot GetPrivateNSSKeySlotForResourceContext( net::NSSCertDatabase* GetNSSCertDatabaseForResourceContext( content::ResourceContext* context, const base::Callback<void(net::NSSCertDatabase*)>& callback) { - DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO)); - return net::NSSCertDatabase::GetInstance(); + // This initialization is not thread safe. This CHECK ensures that this code + // is only run on a single thread. + CHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO)); + if (!g_nss_cert_database) { + // Linux has only a single persistent slot compared to ChromeOS's separate + // public and private slot. + // Redirect any slot usage to this persistent slot on Linux. + g_nss_cert_database = new net::NSSCertDatabase( + crypto::ScopedPK11Slot( + crypto::GetPersistentNSSKeySlot()) /* public slot */, + crypto::ScopedPK11Slot( + crypto::GetPersistentNSSKeySlot()) /* private slot */); + } + return g_nss_cert_database; } diff --git a/chrome/common/net/x509_certificate_model_unittest.cc b/chrome/common/net/x509_certificate_model_unittest.cc index 3be8890..8d010d7 100644 --- a/chrome/common/net/x509_certificate_model_unittest.cc +++ b/chrome/common/net/x509_certificate_model_unittest.cc @@ -11,6 +11,7 @@ #include "testing/gtest/include/gtest/gtest.h" #if defined(USE_NSS) +#include "crypto/nss_util_internal.h" #include "net/cert/nss_cert_database.h" #endif 
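Review bot: The two slots handed to `new net::NSSCertDatabase(...)` come straight from `crypto::GetPersistentNSSKeySlot()` with no null check, and the new constructor in net/cert/nss_cert_database.cc guards them only with `DCHECK(public_slot_)` and `DCHECK(private_slot_)`, which are normally compiled out of release builds. If that function can return NULL (its contract is not visible in this diff), `GetPublicSlot()` and `GetPrivateSlot()` would pass NULL to `PK11_ReferenceSlot`. The same debug-only guard replaces the runtime `if (!slot)` checks in `CertLoader::TPMTokenSlotID()` and `CertLoader::IsHardwareBacked()` in chromeos/cert_loader.cc, so the result reaches `PK11_GetSlotID` and `PK11_IsHW` unchecked. Since the header now documents that both slots must not be NULL, I would enforce that once in the constructor with `CHECK(public_slot_);` and `CHECK(private_slot_);`.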
@@ -223,9 +224,16 @@ TEST(X509CertificateModelTest, GetTypeCA) { EXPECT_EQ(net::CA_CERT, x509_certificate_model::GetType(cert->os_cert_handle())); + // Additional parantheses required to disambiguate from function declaration. + net::NSSCertDatabase db( + (crypto::ScopedPK11Slot( + crypto::GetPersistentNSSKeySlot())) /* public slot */, + crypto::ScopedPK11Slot( + crypto::GetPersistentNSSKeySlot()) /* private lot */); + // Test that explicitly distrusted CA certs are still returned as CA_CERT // type. See http://crbug.com/96654. - EXPECT_TRUE(net::NSSCertDatabase::GetInstance()->SetCertTrust( + EXPECT_TRUE(db.SetCertTrust( cert.get(), net::CA_CERT, net::NSSCertDatabase::DISTRUSTED_SSL)); EXPECT_EQ(net::CA_CERT, @@ -251,16 +259,22 @@ TEST(X509CertificateModelTest, GetTypeServer) { EXPECT_EQ(net::OTHER_CERT, x509_certificate_model::GetType(cert->os_cert_handle())); - net::NSSCertDatabase* cert_db = net::NSSCertDatabase::GetInstance(); + // Additional parantheses required to disambiguate from function declaration. + net::NSSCertDatabase db( + (crypto::ScopedPK11Slot( + crypto::GetPersistentNSSKeySlot())) /* public slot */, + crypto::ScopedPK11Slot( + crypto::GetPersistentNSSKeySlot()) /* private lot */); + // Test GetCertType with server certs and explicit trust. - EXPECT_TRUE(cert_db->SetCertTrust( + EXPECT_TRUE(db.SetCertTrust( cert.get(), net::SERVER_CERT, net::NSSCertDatabase::TRUSTED_SSL)); EXPECT_EQ(net::SERVER_CERT, x509_certificate_model::GetType(cert->os_cert_handle())); // Test GetCertType with server certs and explicit distrust. - EXPECT_TRUE(cert_db->SetCertTrust( + EXPECT_TRUE(db.SetCertTrust( cert.get(), net::SERVER_CERT, net::NSSCertDatabase::DISTRUSTED_SSL)); EXPECT_EQ(net::SERVER_CERT, diff --git a/chromeos/cert_loader.cc b/chromeos/cert_loader.cc index b72d43a..8c222795 100644 --- a/chromeos/cert_loader.cc +++ b/chromeos/cert_loader.cc 
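Review bot: The comment added in both GetTypeCA and GetTypeServer misspells "parentheses" as "parantheses", and the argument comment `/* private lot */` should read `/* private slot */`. The same `net::NSSCertDatabase db(...)` construction is repeated verbatim in the two tests; a small file-local helper would keep the copies from drifting. Both tests then call `SetCertTrust` on the slot returned by `crypto::GetPersistentNSSKeySlot()`, and no scoped test database is visible in these hunks. If none is set up elsewhere in the file, the trust changes land in the persistent database, so it is worth confirming or adding a comment that says where the isolation comes from. The bodies of both tests continue outside the hunks.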
@@ -88,8 +88,7 @@ int CertLoader::TPMTokenSlotID() const { if (!database_) return -1; crypto::ScopedPK11Slot slot(database_->GetPrivateSlot()); - if (!slot) - return -1; + DCHECK(slot); return static_cast<int>(PK11_GetSlotID(slot.get())); } @@ -99,8 +98,7 @@ bool CertLoader::IsHardwareBacked() const { if (!database_) return false; crypto::ScopedPK11Slot slot(database_->GetPrivateSlot()); - if (!slot) - return false; + DCHECK(slot); return PK11_IsHW(slot.get()); } diff --git a/chromeos/cert_loader_unittest.cc b/chromeos/cert_loader_unittest.cc index fc47704..216a8db 100644 --- a/chromeos/cert_loader_unittest.cc +++ b/chromeos/cert_loader_unittest.cc @@ -305,19 +305,5 @@ TEST_F(CertLoaderTest, UpdatedOnCACertTrustChange) { EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); } -TEST_F(CertLoaderTest, DatabaseWithUnsetSlots) { - primary_db_.reset(new net::NSSCertDatabaseChromeOS(crypto::ScopedPK11Slot(), - crypto::ScopedPK11Slot())); - primary_db_->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy()); - cert_loader_->StartWithNSSDB(primary_db_.get()); - - base::RunLoop().RunUntilIdle(); - EXPECT_EQ(1u, GetAndResetCertificatesLoadedEventsCount()); - - EXPECT_TRUE(cert_loader_->certificates_loaded()); - EXPECT_EQ(-1, cert_loader_->TPMTokenSlotID()); - EXPECT_FALSE(cert_loader_->IsHardwareBacked()); -} - } // namespace } // namespace chromeos diff --git a/net/cert/nss_cert_database.cc b/net/cert/nss_cert_database.cc index 38e60c6..8b69ca5 100644 --- a/net/cert/nss_cert_database.cc +++ b/net/cert/nss_cert_database.cc 
@@ -12,15 +12,12 @@ #include "base/bind.h" #include "base/callback.h" -#include "base/lazy_instance.h" #include "base/logging.h" #include "base/memory/scoped_ptr.h" #include "base/observer_list_threadsafe.h" #include "base/task_runner.h" #include "base/task_runner_util.h" #include "base/threading/worker_pool.h" -#include "crypto/nss_util.h" -#include "crypto/nss_util_internal.h" #include "crypto/scoped_nss_types.h" #include "net/base/crypto_module.h" #include "net/base/net_errors.h" @@ -42,6 +39,8 @@ namespace net { namespace { +// TODO(pneubeck): Move this class out of NSSCertDatabase and to the caller of +// the c'tor of NSSCertDatabase, see https://crbug.com/395983 . // Helper that observes events from the NSSCertDatabase and forwards them to // the given CertDatabase. class CertNotificationForwarder : public NSSCertDatabase::Observer { @@ -70,9 +69,6 @@ class CertNotificationForwarder : public NSSCertDatabase::Observer { DISALLOW_COPY_AND_ASSIGN(CertNotificationForwarder); }; -base::LazyInstance<NSSCertDatabase>::Leaky - g_nss_cert_database = LAZY_INSTANCE_INITIALIZER; - } // namespace NSSCertDatabase::ImportCertFailure::ImportCertFailure( 
@@ -82,20 +78,15 @@ NSSCertDatabase::ImportCertFailure::ImportCertFailure( NSSCertDatabase::ImportCertFailure::~ImportCertFailure() {} -// static -NSSCertDatabase* NSSCertDatabase::GetInstance() { - // TODO(mattm): Remove this ifdef guard once the linux impl of - // GetNSSCertDatabaseForResourceContext does not call GetInstance. -#if defined(OS_CHROMEOS) - LOG(ERROR) << "NSSCertDatabase::GetInstance() is deprecated." - << "See http://crbug.com/329735."; -#endif - return &g_nss_cert_database.Get(); -} - -NSSCertDatabase::NSSCertDatabase() - : observer_list_(new ObserverListThreadSafe<Observer>), +NSSCertDatabase::NSSCertDatabase(crypto::ScopedPK11Slot public_slot, + crypto::ScopedPK11Slot private_slot) + : public_slot_(public_slot.Pass()), + private_slot_(private_slot.Pass()), + observer_list_(new ObserverListThreadSafe<Observer>), weak_factory_(this) { + DCHECK(public_slot_); + DCHECK(private_slot_); + // This also makes sure that NSS has been initialized. CertDatabase* cert_db = CertDatabase::GetInstance(); cert_notification_forwarder_.reset(new CertNotificationForwarder(cert_db)); @@ -140,11 +131,11 @@ void NSSCertDatabase::ListCertsInSlot(const ListCertsCallback& callback, } crypto::ScopedPK11Slot NSSCertDatabase::GetPublicSlot() const { - return crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot()); + return crypto::ScopedPK11Slot(PK11_ReferenceSlot(public_slot_.get())); } crypto::ScopedPK11Slot NSSCertDatabase::GetPrivateSlot() const { - return crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot()); + return crypto::ScopedPK11Slot(PK11_ReferenceSlot(private_slot_.get())); } CryptoModule* NSSCertDatabase::GetPublicModule() const { diff --git a/net/cert/nss_cert_database.h b/net/cert/nss_cert_database.h index 120e50d..4c47429 100644 --- a/net/cert/nss_cert_database.h +++ b/net/cert/nss_cert_database.h 
@@ -20,7 +20,6 @@ #include "net/cert/x509_certificate.h" namespace base { -template <typename T> struct DefaultLazyInstanceTraits; class TaskRunner; } template <class ObserverType> class ObserverListThreadSafe; @@ -35,7 +34,6 @@ typedef std::vector<scoped_refptr<CryptoModule> > CryptoModuleList; // singleton. class NET_EXPORT NSSCertDatabase { public: - class NET_EXPORT Observer { public: virtual ~Observer() {} @@ -102,8 +100,17 @@ class NET_EXPORT NSSCertDatabase { typedef base::Callback<void(bool)> DeleteCertCallback; - // DEPRECATED: See http://crbug.com/329735. - static NSSCertDatabase* GetInstance(); + // Creates a NSSCertDatabase that will store public information (such as + // certificates and trust records) in |public_slot|, and private information + // (such as keys) in |private_slot|. + // In general, code should avoid creating an NSSCertDatabase directly, + // as doing so requires making opinionated decisions about where to store + // data, and instead prefer to be passed an existing NSSCertDatabase + // instance. + // Both slots must not be NULL but can be identical. + NSSCertDatabase(crypto::ScopedPK11Slot public_slot, + crypto::ScopedPK11Slot private_slot); + virtual ~NSSCertDatabase(); // Get a list of unique certificates in the certificate database (one // instance of all certificates). @@ -124,10 +131,10 @@ class NET_EXPORT NSSCertDatabase { PK11SlotInfo* slot); // Get the default slot for public key data. - virtual crypto::ScopedPK11Slot GetPublicSlot() const; + crypto::ScopedPK11Slot GetPublicSlot() const; // Get the default slot for private key or mixed private/public key data. - virtual crypto::ScopedPK11Slot GetPrivateSlot() const; + crypto::ScopedPK11Slot GetPrivateSlot() const; // Get the default module for public key data. // The returned pointer must be stored in a scoped_refptr<CryptoModule>. 
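Review bot: The class comment above `class NET_EXPORT NSSCertDatabase` still ends in "singleton." (only its last line is visible as context in the second hunk), which looks stale now that `GetInstance()` is removed and the constructor is public. The comments on the two getters in the last hunk have the same problem: "Get the default slot for public key data" no longer describes what they return. I would reword them along the lines of `// Returns a new reference to the slot passed to the constructor as |public_slot|.` and the equivalent for the private slot. That wording would also tell callers that the result is expected to be non-NULL.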
@@ -232,9 +239,6 @@ class NET_EXPORT NSSCertDatabase { const scoped_refptr<base::TaskRunner>& task_runner); protected: - NSSCertDatabase(); - virtual ~NSSCertDatabase(); - // Certificate listing implementation used by |ListCerts*| and // |ListCertsSync|. Static so it may safely be used on the worker thread. // If |slot| is NULL, obtains the certs of all slots, otherwise only of @@ -248,8 +252,6 @@ class NET_EXPORT NSSCertDatabase { scoped_refptr<base::TaskRunner> GetSlowTaskRunner() const; private: - friend struct base::DefaultLazyInstanceTraits<NSSCertDatabase>; - // Registers |observer| to receive notifications of certificate changes. The // thread on which this is called is the thread on which |observer| will be // called back with notifications. @@ -277,6 +279,9 @@ class NET_EXPORT NSSCertDatabase { // it may safely be used on the worker thread. static bool DeleteCertAndKeyImpl(scoped_refptr<X509Certificate> cert); + crypto::ScopedPK11Slot public_slot_; + crypto::ScopedPK11Slot private_slot_; + // A helper observer that forwards events from this database to CertDatabase. scoped_ptr<Observer> cert_notification_forwarder_; diff --git a/net/cert/nss_cert_database_chromeos.cc b/net/cert/nss_cert_database_chromeos.cc index 41852a7..60f7f2e 100644 --- a/net/cert/nss_cert_database_chromeos.cc +++ b/net/cert/nss_cert_database_chromeos.cc @@ -21,8 +21,7 @@ namespace net { NSSCertDatabaseChromeOS::NSSCertDatabaseChromeOS( crypto::ScopedPK11Slot public_slot, crypto::ScopedPK11Slot private_slot) - : public_slot_(public_slot.Pass()), - private_slot_(private_slot.Pass()) { + : NSSCertDatabase(public_slot.Pass(), private_slot.Pass()) { profile_filter_.Init(GetPublicSlot(), GetPrivateSlot()); } 
@@ -46,16 +45,6 @@ void NSSCertDatabaseChromeOS::ListCerts( base::Bind(callback, base::Passed(&certs))); } -crypto::ScopedPK11Slot NSSCertDatabaseChromeOS::GetPublicSlot() const { - return crypto::ScopedPK11Slot( - public_slot_ ? PK11_ReferenceSlot(public_slot_.get()) : NULL); -} - -crypto::ScopedPK11Slot NSSCertDatabaseChromeOS::GetPrivateSlot() const { - return crypto::ScopedPK11Slot( - private_slot_ ? PK11_ReferenceSlot(private_slot_.get()) : NULL); -} - void NSSCertDatabaseChromeOS::ListModules(CryptoModuleList* modules, bool need_rw) const { NSSCertDatabase::ListModules(modules, need_rw); diff --git a/net/cert/nss_cert_database_chromeos.h b/net/cert/nss_cert_database_chromeos.h index 07a1e67..b68f742 100644 --- a/net/cert/nss_cert_database_chromeos.h +++ b/net/cert/nss_cert_database_chromeos.h @@ -24,8 +24,6 @@ class NET_EXPORT NSSCertDatabaseChromeOS : public NSSCertDatabase { virtual void ListCertsSync(CertificateList* certs) OVERRIDE; virtual void ListCerts(const NSSCertDatabase::ListCertsCallback& callback) OVERRIDE; - virtual crypto::ScopedPK11Slot GetPublicSlot() const OVERRIDE; - virtual crypto::ScopedPK11Slot GetPrivateSlot() const OVERRIDE; virtual void ListModules(CryptoModuleList* modules, bool need_rw) const OVERRIDE; @@ -41,8 +39,6 @@ class NET_EXPORT NSSCertDatabaseChromeOS : public NSSCertDatabase { static void ListCertsImpl(const NSSProfileFilterChromeOS& profile_filter, CertificateList* certs); - crypto::ScopedPK11Slot public_slot_; - crypto::ScopedPK11Slot private_slot_; NSSProfileFilterChromeOS profile_filter_; DISALLOW_COPY_AND_ASSIGN(NSSCertDatabaseChromeOS); diff --git a/net/cert/nss_cert_database_unittest.cc b/net/cert/nss_cert_database_unittest.cc index 342e0b9..71e1264 100644 --- a/net/cert/nss_cert_database_unittest.cc +++ b/net/cert/nss_cert_database_unittest.cc 
@@ -58,28 +58,27 @@ class CertDatabaseNSSTest : public testing::Test { public: virtual void SetUp() { ASSERT_TRUE(test_nssdb_.is_open()); - cert_db_ = NSSCertDatabase::GetInstance(); - slot_ = cert_db_->GetPublicModule(); + cert_db_.reset(new NSSCertDatabase( + crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot()), + crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot()))); + public_module_ = cert_db_->GetPublicModule(); // Test db should be empty at start of test. - EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); + EXPECT_EQ(0U, ListCerts().size()); } virtual void TearDown() { - // Don't try to cleanup if the setup failed. - ASSERT_TRUE(slot_->os_module_handle()); - - EXPECT_TRUE(CleanupSlotContents()); - // Run the message loop to process any observer callbacks (e.g. for the // ClientSocketFactory singleton) so that the scoped ref ptrs created in // NSSCertDatabase::NotifyObservers* get released. base::MessageLoop::current()->RunUntilIdle(); - - EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); } protected: + net::CryptoModule* GetPublicModule() { + return public_module_.get(); + } + static std::string ReadTestFile(const std::string& name) { std::string result; base::FilePath cert_path = GetTestCertsDirectory().AppendASCII(name); @@ -98,9 +97,11 @@ class CertDatabaseNSSTest : public testing::Test { return true; } - static CertificateList ListCertsInSlot(PK11SlotInfo* slot) { + CertificateList ListCerts() { CertificateList result; - CERTCertList* cert_list = PK11_ListCertsInSlot(slot); + + CERTCertList* cert_list = + PK11_ListCertsInSlot(cert_db_->GetPublicSlot().get()); for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); !CERT_LIST_END(node, cert_list); node = CERT_LIST_NEXT(node)) { 
@@ -114,30 +115,10 @@ class CertDatabaseNSSTest : public testing::Test { return result; } - scoped_refptr<CryptoModule> slot_; - NSSCertDatabase* cert_db_; + scoped_ptr<NSSCertDatabase> cert_db_; const CertificateList empty_cert_list_; - - private: - bool CleanupSlotContents() { - bool ok = true; - CertificateList certs = ListCertsInSlot(slot_->os_module_handle()); - CERTCertTrust default_trust = {0}; - for (size_t i = 0; i < certs.size(); ++i) { - // Reset cert trust values to defaults before deleting. Otherwise NSS - // somehow seems to remember the trust which can break following tests. - SECStatus srv = CERT_ChangeCertTrust( - CERT_GetDefaultCertDB(), certs[i]->os_cert_handle(), &default_trust); - if (srv != SECSuccess) - ok = false; - - if (!cert_db_->DeleteCertAndKey(certs[i].get())) - ok = false; - } - return ok; - } - crypto::ScopedTestNSSDB test_nssdb_; + scoped_refptr<net::CryptoModule> public_module_; }; TEST_F(CertDatabaseNSSTest, ListCertsSync) { @@ -169,27 +150,27 @@ TEST_F(CertDatabaseNSSTest, ImportFromPKCS12WrongPassword) { std::string pkcs12_data = ReadTestFile("client.p12"); EXPECT_EQ(ERR_PKCS12_IMPORT_BAD_PASSWORD, - cert_db_->ImportFromPKCS12(slot_.get(), + cert_db_->ImportFromPKCS12(GetPublicModule(), pkcs12_data, base::string16(), true, // is_extractable NULL)); // Test db should still be empty. - EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); + EXPECT_EQ(0U, ListCerts().size()); } TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsExtractableAndExportAgain) { std::string pkcs12_data = ReadTestFile("client.p12"); EXPECT_EQ(OK, - cert_db_->ImportFromPKCS12(slot_.get(), + cert_db_->ImportFromPKCS12(GetPublicModule(), pkcs12_data, ASCIIToUTF16("12345"), true, // is_extractable NULL)); - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); scoped_refptr<X509Certificate> cert(cert_list[0]); 
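Review bot: With the members declared in this order, `test_nssdb_` is destroyed before `cert_db_`, so the `NSSCertDatabase` still holds its two slot references when the scoped test database is torn down. Whether `crypto::ScopedTestNSSDB` tolerates outstanding slot references at that point is not visible in this diff. Declaring `crypto::ScopedTestNSSDB test_nssdb_;` ahead of `scoped_ptr<NSSCertDatabase> cert_db_;` would make the database outlive everything that references it. This matters more now that `CleanupSlotContents()` and the empty-slot check in `TearDown()` are gone, because isolation between tests, including the trust-reset behaviour the removed comment described, rests entirely on that scoped database.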
@@ -208,35 +189,35 @@ TEST_F(CertDatabaseNSSTest, ImportFromPKCS12Twice) { std::string pkcs12_data = ReadTestFile("client.p12"); EXPECT_EQ(OK, - cert_db_->ImportFromPKCS12(slot_.get(), + cert_db_->ImportFromPKCS12(GetPublicModule(), pkcs12_data, ASCIIToUTF16("12345"), true, // is_extractable NULL)); - EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); + EXPECT_EQ(1U, ListCerts().size()); // NSS has a SEC_ERROR_PKCS12_DUPLICATE_DATA error, but it doesn't look like // it's ever used. This test verifies that. EXPECT_EQ(OK, - cert_db_->ImportFromPKCS12(slot_.get(), + cert_db_->ImportFromPKCS12(GetPublicModule(), pkcs12_data, ASCIIToUTF16("12345"), true, // is_extractable NULL)); - EXPECT_EQ(1U, ListCertsInSlot(slot_->os_module_handle()).size()); + EXPECT_EQ(1U, ListCerts().size()); } TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) { std::string pkcs12_data = ReadTestFile("client.p12"); EXPECT_EQ(OK, - cert_db_->ImportFromPKCS12(slot_.get(), + cert_db_->ImportFromPKCS12(GetPublicModule(), pkcs12_data, ASCIIToUTF16("12345"), false, // is_extractable NULL)); - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); scoped_refptr<X509Certificate> cert(cert_list[0]); 
@@ -253,25 +234,25 @@ TEST_F(CertDatabaseNSSTest, ImportFromPKCS12AsUnextractableAndExportAgain) { TEST_F(CertDatabaseNSSTest, ImportFromPKCS12OnlyMarkIncludedKey) { std::string pkcs12_data = ReadTestFile("client.p12"); EXPECT_EQ(OK, - cert_db_->ImportFromPKCS12(slot_.get(), + cert_db_->ImportFromPKCS12(GetPublicModule(), pkcs12_data, ASCIIToUTF16("12345"), true, // is_extractable NULL)); - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); // Now import a PKCS#12 file with just a certificate but no private key. pkcs12_data = ReadTestFile("client-nokey.p12"); EXPECT_EQ(OK, - cert_db_->ImportFromPKCS12(slot_.get(), + cert_db_->ImportFromPKCS12(GetPublicModule(), pkcs12_data, ASCIIToUTF16("12345"), false, // is_extractable NULL)); - cert_list = ListCertsInSlot(slot_->os_module_handle()); + cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); // Make sure the imported private key is still extractable. @@ -285,14 +266,14 @@ TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) { std::string pkcs12_data = "Foobarbaz"; EXPECT_EQ(ERR_PKCS12_IMPORT_INVALID_FILE, - cert_db_->ImportFromPKCS12(slot_.get(), + cert_db_->ImportFromPKCS12(GetPublicModule(), pkcs12_data, base::string16(), true, // is_extractable NULL)); // Test db should still be empty. - EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); + EXPECT_EQ(0U, ListCerts().size()); } TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { @@ -309,7 +290,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) { EXPECT_EQ(0U, failed.size()); - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); scoped_refptr<X509Certificate> cert(cert_list[0]); EXPECT_EQ("Test Root CA", cert->subject().common_name); 
@@ -340,7 +321,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) { EXPECT_EQ(0U, failed.size()); - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); scoped_refptr<X509Certificate> cert(cert_list[0]); EXPECT_EQ("Test Root CA", cert->subject().common_name); @@ -371,7 +352,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) { EXPECT_EQ(0U, failed.size()); - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); scoped_refptr<X509Certificate> cert(cert_list[0]); EXPECT_EQ("Test Root CA", cert->subject().common_name); @@ -406,7 +387,7 @@ TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) { EXPECT_EQ(certs[0], failed[0].certificate); EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[0].net_error); - EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); + EXPECT_EQ(0U, ListCerts().size()); } TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { @@ -431,7 +412,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchy) { EXPECT_EQ("www.us.army.mil", failed[1].certificate->subject().common_name); EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[1].net_error); - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); } @@ -447,7 +428,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { &failed)); EXPECT_EQ(0U, failed.size()); - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); 
@@ -469,7 +450,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyDupeRoot) { EXPECT_EQ("www.us.army.mil", failed[2].certificate->subject().common_name); EXPECT_EQ(ERR_IMPORT_CA_CERT_NOT_CA, failed[2].net_error); - cert_list = ListCertsInSlot(slot_->os_module_handle()); + cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); } @@ -490,7 +471,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyUntrusted) { // SEC_ERROR_UNTRUSTED_ISSUER EXPECT_EQ(ERR_FAILED, failed[0].net_error); - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); } @@ -513,7 +494,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) { EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); EXPECT_EQ(ERR_FAILED, failed[1].net_error); // The certificate expired. - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); EXPECT_EQ("DoD Root CA 2", cert_list[0]->subject().common_name); } @@ -540,7 +521,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) { EXPECT_EQ("DOD CA-17", failed[1].certificate->subject().common_name); EXPECT_EQ(ERR_FAILED, failed[1].net_error); - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name); } @@ -562,7 +543,7 @@ TEST_F(CertDatabaseNSSTest, DISABLED_ImportServerCert) { EXPECT_EQ(0U, failed.size()); - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(2U, cert_list.size()); scoped_refptr<X509Certificate> goog_cert(cert_list[0]); scoped_refptr<X509Certificate> thawte_cert(cert_list[1]); 
@@ -597,7 +578,7 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned) { EXPECT_EQ(0U, failed.size()); - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); scoped_refptr<X509Certificate> puny_cert(cert_list[0]); @@ -628,7 +609,7 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) { EXPECT_EQ(0U, failed.size()); - CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle()); + CertificateList cert_list = ListCerts(); ASSERT_EQ(1U, cert_list.size()); scoped_refptr<X509Certificate> puny_cert(cert_list[0]); @@ -1011,7 +992,7 @@ TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { X509Certificate::FORMAT_AUTO); ASSERT_EQ(1U, certs.size()); - EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size()); + EXPECT_EQ(0U, ListCerts().size()); // Import server cert with default trust. NSSCertDatabase::ImportCertFailureList failed; @@ -1021,7 +1002,7 @@ TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, cert_db_->GetCertTrust(certs[0].get(), SERVER_CERT)); - CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle()); + CertificateList new_certs = ListCerts(); ASSERT_EQ(1U, new_certs.size()); // Now attempt to import a different certificate with the same common name. @@ -1038,7 +1019,7 @@ TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) { EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT, cert_db_->GetCertTrust(certs2[0].get(), SERVER_CERT)); - new_certs = ListCertsInSlot(slot_->os_module_handle()); + new_certs = ListCerts(); ASSERT_EQ(2U, new_certs.size()); EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname, new_certs[1]->os_cert_handle()->nickname); |