diff options
author | pneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-08-06 17:15:48 +0000 |
---|---|---|
committer | pneubeck@chromium.org <pneubeck@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-08-06 17:15:48 +0000 |
commit | 18e8d54f5e70ed8576fdb97aaed5de00ad663e72 (patch) | |
tree | f3b3710eadd94552bf4ef30471bd2a9aaa3366da /chromeos/network/network_cert_migrator_unittest.cc | |
parent | d8f1fa0dbe1507b1330c19315ddcfb7c6ef68e70 (diff) | |
download | chromium_src-18e8d54f5e70ed8576fdb97aaed5de00ad663e72.zip chromium_src-18e8d54f5e70ed8576fdb97aaed5de00ad663e72.tar.gz chromium_src-18e8d54f5e70ed8576fdb97aaed5de00ad663e72.tar.bz2 |
Add migration from CaCert NSS nicknames to PEM.
BUG=263044
Review URL: https://chromiumcodereview.appspot.com/20087002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@215914 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chromeos/network/network_cert_migrator_unittest.cc')
-rw-r--r-- | chromeos/network/network_cert_migrator_unittest.cc | 264 |
1 files changed, 264 insertions, 0 deletions
diff --git a/chromeos/network/network_cert_migrator_unittest.cc b/chromeos/network/network_cert_migrator_unittest.cc new file mode 100644 index 0000000..ee2dcdf --- /dev/null +++ b/chromeos/network/network_cert_migrator_unittest.cc @@ -0,0 +1,264 @@ +// Copyright 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "chromeos/network/network_cert_migrator.h" + +#include <cert.h> + +#include "base/file_util.h" +#include "base/files/file_path.h" +#include "base/run_loop.h" +#include "chromeos/dbus/dbus_thread_manager.h" +#include "chromeos/dbus/shill_service_client.h" +#include "chromeos/login/login_state.h" +#include "chromeos/network/network_state_handler.h" +#include "crypto/nss_util.h" +#include "net/base/crypto_module.h" +#include "net/base/net_errors.h" +#include "net/base/test_data_directory.h" +#include "net/cert/nss_cert_database.h" +#include "net/cert/x509_certificate.h" +#include "net/test/cert_test_util.h" +#include "testing/gtest/include/gtest/gtest.h" +#include "third_party/cros_system_api/dbus/service_constants.h" + +namespace chromeos { + +namespace { + +const char* kWifiStub = "wifi_stub"; +const char* kVPNStub = "vpn_stub"; +const char* kNSSNickname = "nss_nickname"; +const char* kFakePEM = "pem"; + +} // namespace + +class NetworkCertMigratorTest : public testing::Test { + public: + NetworkCertMigratorTest() {} + virtual ~NetworkCertMigratorTest() {} + + virtual void SetUp() OVERRIDE { + ASSERT_TRUE(test_nssdb_.is_open()); + slot_ = net::NSSCertDatabase::GetInstance()->GetPublicModule(); + ASSERT_TRUE(slot_->os_module_handle()); + + LoginState::Initialize(); + + DBusThreadManager::InitializeWithStub(); + service_test_ = + DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface(); + message_loop_.RunUntilIdle(); + service_test_->ClearServices(); + message_loop_.RunUntilIdle(); + + CertLoader::Initialize(); + CertLoader::Get()->SetSlowTaskRunnerForTest( + message_loop_.message_loop_proxy()); + CertLoader::Get()->SetCryptoTaskRunner(message_loop_.message_loop_proxy()); + } + + virtual void TearDown() OVERRIDE { + network_cert_migrator_.reset(); + network_state_handler_.reset(); + CertLoader::Shutdown(); + DBusThreadManager::Shutdown(); + LoginState::Shutdown(); + CleanupTestCert(); + } + + protected: + void SetupTestCACert() { + scoped_refptr<net::X509Certificate> cert_wo_nickname = + net::CreateCertificateListFromFile(net::GetTestCertsDirectory(), + "eku-test-root.pem", + net::X509Certificate::FORMAT_AUTO) + .back(); + net::X509Certificate::GetPEMEncoded(cert_wo_nickname->os_cert_handle(), + &test_ca_cert_pem_); + std::string der_encoded; + net::X509Certificate::GetDEREncoded(cert_wo_nickname->os_cert_handle(), + &der_encoded); + cert_wo_nickname = NULL; + + test_ca_cert_ = net::X509Certificate::CreateFromBytesWithNickname( + der_encoded.data(), der_encoded.size(), kNSSNickname); + net::NSSCertDatabase* cert_database = net::NSSCertDatabase::GetInstance(); + net::CertificateList cert_list; + cert_list.push_back(test_ca_cert_); + net::NSSCertDatabase::ImportCertFailureList failures; + EXPECT_TRUE(cert_database->ImportCACerts( + cert_list, net::NSSCertDatabase::TRUST_DEFAULT, &failures)); + ASSERT_TRUE(failures.empty()) << net::ErrorToString(failures[0].net_error); + } + + void SetupNetworkHandlers() { + network_state_handler_.reset(NetworkStateHandler::InitializeForTest()); + network_cert_migrator_.reset(new NetworkCertMigrator); + network_cert_migrator_->Init(network_state_handler_.get()); + } + + void SetupWifiWithNss() { + const bool add_to_visible = true; + const bool add_to_watchlist = true; + service_test_->AddService(kWifiStub, + kWifiStub, + flimflam::kTypeWifi, + flimflam::kStateOnline, + add_to_visible, + add_to_watchlist); + service_test_->SetServiceProperty(kWifiStub, + flimflam::kEapCaCertNssProperty, + base::StringValue(kNSSNickname)); + } + + void GetEapCACertProperties(std::string* nss_nickname, std::string* ca_pem) { + nss_nickname->clear(); + ca_pem->clear(); + const base::DictionaryValue* properties = + service_test_->GetServiceProperties(kWifiStub); + properties->GetStringWithoutPathExpansion(flimflam::kEapCaCertNssProperty, + nss_nickname); + const base::ListValue* ca_pems = NULL; + properties->GetListWithoutPathExpansion(shill::kEapCaCertPemProperty, + &ca_pems); + if (ca_pems && !ca_pems->empty()) + ca_pems->GetString(0, ca_pem); + } + + void SetupVpnWithNss(bool open_vpn) { + const bool add_to_visible = true; + const bool add_to_watchlist = true; + service_test_->AddService(kVPNStub, + kVPNStub, + flimflam::kTypeVPN, + flimflam::kStateIdle, + add_to_visible, + add_to_watchlist); + base::DictionaryValue provider; + const char* nss_property = open_vpn ? flimflam::kOpenVPNCaCertNSSProperty + : flimflam::kL2tpIpsecCaCertNssProperty; + provider.SetStringWithoutPathExpansion(nss_property, kNSSNickname); + service_test_->SetServiceProperty( + kVPNStub, flimflam::kProviderProperty, provider); + } + + void GetVpnCACertProperties(bool open_vpn, + std::string* nss_nickname, + std::string* ca_pem) { + nss_nickname->clear(); + ca_pem->clear(); + const base::DictionaryValue* properties = + service_test_->GetServiceProperties(kVPNStub); + const base::DictionaryValue* provider = NULL; + properties->GetDictionaryWithoutPathExpansion(flimflam::kProviderProperty, + &provider); + if (!provider) + return; + const char* nss_property = open_vpn ? flimflam::kOpenVPNCaCertNSSProperty + : flimflam::kL2tpIpsecCaCertNssProperty; + provider->GetStringWithoutPathExpansion(nss_property, nss_nickname); + const base::ListValue* ca_pems = NULL; + const char* pem_property = open_vpn ? shill::kOpenVPNCaCertPemProperty + : shill::kL2tpIpsecCaCertPemProperty; + provider->GetListWithoutPathExpansion(pem_property, &ca_pems); + if (ca_pems && !ca_pems->empty()) + ca_pems->GetString(0, ca_pem); + } + + ShillServiceClient::TestInterface* service_test_; + scoped_refptr<net::X509Certificate> test_ca_cert_; + std::string test_ca_cert_pem_; + base::MessageLoop message_loop_; + + private: + void CleanupTestCert() { + ASSERT_TRUE(net::NSSCertDatabase::GetInstance()->DeleteCertAndKey( + test_ca_cert_.get())); + } + + scoped_ptr<NetworkStateHandler> network_state_handler_; + scoped_ptr<NetworkCertMigrator> network_cert_migrator_; + scoped_refptr<net::CryptoModule> slot_; + crypto::ScopedTestNSSDB test_nssdb_; + + DISALLOW_COPY_AND_ASSIGN(NetworkCertMigratorTest); +}; + +TEST_F(NetworkCertMigratorTest, MigrateNssOnInitialization) { + // Add a new network for migration before the handlers are initialized. + SetupWifiWithNss(); + SetupTestCACert(); + SetupNetworkHandlers(); + + message_loop_.RunUntilIdle(); + std::string nss_nickname, ca_pem; + GetEapCACertProperties(&nss_nickname, &ca_pem); + EXPECT_TRUE(nss_nickname.empty()); + EXPECT_EQ(test_ca_cert_pem_, ca_pem); +} + +TEST_F(NetworkCertMigratorTest, MigrateNssOnNetworkAppearance) { + SetupTestCACert(); + SetupNetworkHandlers(); + message_loop_.RunUntilIdle(); + + // Add a new network for migration after the handlers are initialized. + SetupWifiWithNss(); + + message_loop_.RunUntilIdle(); + std::string nss_nickname, ca_pem; + GetEapCACertProperties(&nss_nickname, &ca_pem); + EXPECT_TRUE(nss_nickname.empty()); + EXPECT_EQ(test_ca_cert_pem_, ca_pem); +} + +TEST_F(NetworkCertMigratorTest, DoNotMigrateNssIfPemSet) { + // Add a new network with an already set PEM property. + SetupWifiWithNss(); + base::ListValue ca_pems; + ca_pems.AppendString(kFakePEM); + service_test_->SetServiceProperty( + kWifiStub, shill::kEapCaCertPemProperty, ca_pems); + + SetupTestCACert(); + SetupNetworkHandlers(); + message_loop_.RunUntilIdle(); + + std::string nss_nickname, ca_pem; + GetEapCACertProperties(&nss_nickname, &ca_pem); + EXPECT_TRUE(nss_nickname.empty()); + EXPECT_EQ(kFakePEM, ca_pem); +} + +TEST_F(NetworkCertMigratorTest, MigrateOpenVpn) { + // Add a new network for migration before the handlers are initialized. + SetupVpnWithNss(true /* OpenVPN */); + + SetupTestCACert(); + SetupNetworkHandlers(); + + message_loop_.RunUntilIdle(); + std::string nss_nickname, ca_pem; + GetVpnCACertProperties(true /* OpenVPN */, &nss_nickname, &ca_pem); + EXPECT_TRUE(nss_nickname.empty()); + EXPECT_EQ(test_ca_cert_pem_, ca_pem); +} + +TEST_F(NetworkCertMigratorTest, MigrateIpsecVpn) { + // Add a new network for migration before the handlers are initialized. + SetupVpnWithNss(false /* not OpenVPN */); + + SetupTestCACert(); + SetupNetworkHandlers(); + + message_loop_.RunUntilIdle(); + std::string nss_nickname, ca_pem; + GetVpnCACertProperties(false /* not OpenVPN */, &nss_nickname, &ca_pem); + EXPECT_TRUE(nss_nickname.empty()); + EXPECT_EQ(test_ca_cert_pem_, ca_pem); +} + + +} // namespace chromeos |