author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-05-23 11:07:14 +0000 |
---|---|---|
committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-05-23 11:07:14 +0000 |
commit | 308e87f9c3f9220e18102cfa97a57ca5efe845ef (patch) | |
tree | 66a120d13c0c0d002178a9b272d1f379d9befcfb /net/cert/nss_cert_database_unittest.cc | |
parent | 45be8d87149b5a5de7e496b25b8c826868e12c92 (diff) | |
Generate unique certificate nicknames on Linux/CrOS.
When importing certificates on Linux/CrOS where the user has a pre-existing
cert, generate a unique certificate nickname if the DER-encoded subjects do
not match, as required by NSS.
This updates the template from being:
<subject common name>'s <issuer common name> ID
to:
<subject display name>'s <issuer display name> ID [#d]
Where #d will be appended with an incrementing number until a unique nickname
is found. Note that "display name" represents a gradation that starts with
common name, then organization name, then organizational unit name.
Note: This does not address PKCS#12 importing - only importing CA certificates
(root and intermediate) and server certificates via the UI, or the handling
of application/x-x509-user-cert (via download).
BUG=237870
TEST=net_unittests added. Additionally, test that server & CA certificates can
still be imported fine through the UI.
Review URL: https://chromiumcodereview.appspot.com/15315003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@201748 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/cert/nss_cert_database_unittest.cc')
-rw-r--r-- | net/cert/nss_cert_database_unittest.cc | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/net/cert/nss_cert_database_unittest.cc b/net/cert/nss_cert_database_unittest.cc
index 4f65005f..2f6fbeb 100644
--- a/net/cert/nss_cert_database_unittest.cc
+++ b/net/cert/nss_cert_database_unittest.cc
@@ -938,4 +938,47 @@ TEST_F(CertDatabaseNSSTest, TrustIntermediateCa4) {
 EXPECT_EQ(0U, verify_result2.cert_status);
 }
 
+// Importing two certificates with the same issuer and subject common name,
+// but overall distinct subject names, should succeed and generate a unique
+// nickname for the second certificate.
+TEST_F(CertDatabaseNSSTest, ImportDuplicateCommonName) {
+ CertificateList certs =
+ CreateCertificateListFromFile(GetTestCertsDirectory(),
+ "duplicate_cn_1.pem",
+ X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(1U, certs.size());
+
+ EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
+
+ // Import server cert with default trust.
+ NSSCertDatabase::ImportCertFailureList failed;
+ EXPECT_TRUE(cert_db_->ImportServerCert(
+ certs, NSSCertDatabase::TRUST_DEFAULT, &failed));
+ EXPECT_EQ(0U, failed.size());
+ EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
+ cert_db_->GetCertTrust(certs[0], SERVER_CERT));
+
+ CertificateList new_certs = ListCertsInSlot(slot_->os_module_handle());
+ ASSERT_EQ(1U, new_certs.size());
+
+ // Now attempt to import a different certificate with the same common name.
+ CertificateList certs2 =
+ CreateCertificateListFromFile(GetTestCertsDirectory(),
+ "duplicate_cn_2.pem",
+ X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(1U, certs2.size());
+
+ // Import server cert with default trust.
+ EXPECT_TRUE(cert_db_->ImportServerCert(
+ certs2, NSSCertDatabase::TRUST_DEFAULT, &failed));
+ EXPECT_EQ(0U, failed.size());
+ EXPECT_EQ(NSSCertDatabase::TRUST_DEFAULT,
+ cert_db_->GetCertTrust(certs2[0], SERVER_CERT));
+
+ new_certs = ListCertsInSlot(slot_->os_module_handle());
+ ASSERT_EQ(2U, new_certs.size());
+ EXPECT_STRNE(new_certs[0]->os_cert_handle()->nickname,
+ new_certs[1]->os_cert_handle()->nickname);
+}
+
 } // namespace net |
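Review bot: The closing `EXPECT_STRNE` in ImportDuplicateCommonName also passes when exactly one of the two nicknames is NULL, because gtest treats a NULL pointer as different from any non-NULL C string, so an import that stored the second certificate with no nickname at all would still pass. Adding `ASSERT_TRUE(new_certs[0]->os_cert_handle()->nickname);` and `ASSERT_TRUE(new_certs[1]->os_cert_handle()->nickname);` ahead of the comparison closes that gap. The test also checks inequality only; it does not pin the suffixed form the commit message describes, so a change to the nickname template would presumably go unnoticed here. A short comment stating that `failed` is deliberately reused across both imports would help, since the second `EXPECT_EQ(0U, failed.size())` is only meaningful because the first import left the list empty.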