// Copyright 2014 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "chromeos/cert_loader.h" #include "base/bind.h" #include "base/file_util.h" #include "base/memory/scoped_ptr.h" #include "base/message_loop/message_loop.h" #include "base/run_loop.h" #include "crypto/nss_util.h" #include "crypto/nss_util_internal.h" #include "crypto/scoped_nss_types.h" #include "net/base/net_errors.h" #include "net/base/test_data_directory.h" #include "net/cert/nss_cert_database_chromeos.h" #include "net/cert/x509_certificate.h" #include "net/test/cert_test_util.h" #include "testing/gtest/include/gtest/gtest.h" namespace chromeos { namespace { bool IsCertInCertificateList(const net::X509Certificate* cert, const net::CertificateList& cert_list) { for (net::CertificateList::const_iterator it = cert_list.begin(); it != cert_list.end(); ++it) { if (net::X509Certificate::IsSameOSCert((*it)->os_cert_handle(), cert->os_cert_handle())) { return true; } } return false; } void FailOnPrivateSlotCallback(crypto::ScopedPK11Slot slot) { EXPECT_FALSE(true) << "GetPrivateSlotForChromeOSUser callback called even " << "though the private slot had been initialized."; } class CertLoaderTest : public testing::Test, public CertLoader::Observer { public: CertLoaderTest() : cert_loader_(NULL), primary_user_("primary"), certificates_loaded_events_count_(0U) { } virtual ~CertLoaderTest() {} virtual void SetUp() OVERRIDE { ASSERT_TRUE(primary_user_.constructed_successfully()); ASSERT_TRUE( crypto::GetPublicSlotForChromeOSUser(primary_user_.username_hash())); CertLoader::Initialize(); cert_loader_ = CertLoader::Get(); cert_loader_->AddObserver(this); } virtual void TearDown() { cert_loader_->RemoveObserver(this); CertLoader::Shutdown(); } protected: void StartCertLoaderWithPrimaryUser() { FinishUserInitAndGetDatabase(&primary_user_, &primary_db_); cert_loader_->StartWithNSSDB(primary_db_.get()); base::RunLoop().RunUntilIdle(); GetAndResetCertificatesLoadedEventsCount(); } // CertLoader::Observer: // The test keeps count of times the observer method was called. virtual void OnCertificatesLoaded(const net::CertificateList& cert_list, bool initial_load) OVERRIDE { EXPECT_TRUE(certificates_loaded_events_count_ == 0 || !initial_load); certificates_loaded_events_count_++; } // Returns the number of |OnCertificatesLoaded| calls observed since the // last call to this method equals |value|. size_t GetAndResetCertificatesLoadedEventsCount() { size_t result = certificates_loaded_events_count_; certificates_loaded_events_count_ = 0; return result; } // Finishes initialization for the |user| and returns a user's NSS database // instance. void FinishUserInitAndGetDatabase( crypto::ScopedTestNSSChromeOSUser* user, scoped_ptr* database) { ASSERT_TRUE(user->constructed_successfully()); user->FinishInit(); crypto::ScopedPK11Slot private_slot( crypto::GetPrivateSlotForChromeOSUser( user->username_hash(), base::Bind(&FailOnPrivateSlotCallback))); ASSERT_TRUE(private_slot); database->reset(new net::NSSCertDatabaseChromeOS( crypto::GetPublicSlotForChromeOSUser(user->username_hash()), private_slot.Pass())); (*database)->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy()); } int GetDbPrivateSlotId(net::NSSCertDatabase* db) { return static_cast(PK11_GetSlotID(db->GetPrivateSlot().get())); } void ImportCACert(const std::string& cert_file, net::NSSCertDatabase* database, net::CertificateList* imported_certs) { ASSERT_TRUE(database); ASSERT_TRUE(imported_certs); // Add a certificate to the user's db. *imported_certs = net::CreateCertificateListFromFile( net::GetTestCertsDirectory(), cert_file, net::X509Certificate::FORMAT_AUTO); ASSERT_EQ(1U, imported_certs->size()); net::NSSCertDatabase::ImportCertFailureList failed; ASSERT_TRUE(database->ImportCACerts(*imported_certs, net::NSSCertDatabase::TRUST_DEFAULT, &failed)); ASSERT_TRUE(failed.empty()); } void ImportClientCertAndKey(const std::string& pkcs12_file, net::NSSCertDatabase* database, net::CertificateList* imported_certs) { ASSERT_TRUE(database); ASSERT_TRUE(imported_certs); std::string pkcs12_data; base::FilePath pkcs12_file_path = net::GetTestCertsDirectory().Append(pkcs12_file); ASSERT_TRUE(base::ReadFileToString(pkcs12_file_path, &pkcs12_data)); net::CertificateList client_cert_list; scoped_refptr module(net::CryptoModule::CreateFromHandle( database->GetPrivateSlot().get())); ASSERT_EQ( net::OK, database->ImportFromPKCS12(module, pkcs12_data, base::string16(), false, imported_certs)); ASSERT_EQ(1U, imported_certs->size()); } CertLoader* cert_loader_; // The user is primary as the one whose certificates CertLoader handles, it // has nothing to do with crypto::InitializeNSSForChromeOSUser is_primary_user // parameter (which is irrelevant for these tests). crypto::ScopedTestNSSChromeOSUser primary_user_; scoped_ptr primary_db_; base::MessageLoop message_loop_; private: size_t certificates_loaded_events_count_; }; TEST_F(CertLoaderTest, Basic) { EXPECT_FALSE(cert_loader_->CertificatesLoading()); EXPECT_FALSE(cert_loader_->certificates_loaded()); EXPECT_FALSE(cert_loader_->IsHardwareBacked()); FinishUserInitAndGetDatabase(&primary_user_, &primary_db_); cert_loader_->StartWithNSSDB(primary_db_.get()); EXPECT_FALSE(cert_loader_->certificates_loaded()); EXPECT_TRUE(cert_loader_->CertificatesLoading()); EXPECT_TRUE(cert_loader_->cert_list().empty()); ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); base::RunLoop().RunUntilIdle(); EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); EXPECT_TRUE(cert_loader_->certificates_loaded()); EXPECT_FALSE(cert_loader_->CertificatesLoading()); EXPECT_EQ(GetDbPrivateSlotId(primary_db_.get()), cert_loader_->TPMTokenSlotID()); // Default CA cert roots should get loaded. EXPECT_FALSE(cert_loader_->cert_list().empty()); } TEST_F(CertLoaderTest, CertLoaderUpdatesCertListOnNewCert) { StartCertLoaderWithPrimaryUser(); net::CertificateList certs; ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs); // Certs are loaded asynchronously, so the new cert should not yet be in the // cert list. EXPECT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list())); ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); base::RunLoop().RunUntilIdle(); EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); // The certificate list should be updated now, as the message loop's been run. EXPECT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list())); } TEST_F(CertLoaderTest, CertLoaderNoUpdateOnSecondaryDbChanges) { crypto::ScopedTestNSSChromeOSUser secondary_user("secondary"); scoped_ptr secondary_db; StartCertLoaderWithPrimaryUser(); FinishUserInitAndGetDatabase(&secondary_user, &secondary_db); net::CertificateList certs; ImportCACert("root_ca_cert.pem", secondary_db.get(), &certs); base::RunLoop().RunUntilIdle(); EXPECT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list())); } TEST_F(CertLoaderTest, ClientLoaderUpdateOnNewClientCert) { StartCertLoaderWithPrimaryUser(); net::CertificateList certs; ImportClientCertAndKey("websocket_client_cert.p12", primary_db_.get(), &certs); ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); base::RunLoop().RunUntilIdle(); EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); EXPECT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list())); } TEST_F(CertLoaderTest, CertLoaderNoUpdateOnNewClientCertInSecondaryDb) { crypto::ScopedTestNSSChromeOSUser secondary_user("secondary"); scoped_ptr secondary_db; StartCertLoaderWithPrimaryUser(); FinishUserInitAndGetDatabase(&secondary_user, &secondary_db); net::CertificateList certs; ImportClientCertAndKey("websocket_client_cert.p12", secondary_db.get(), &certs); base::RunLoop().RunUntilIdle(); EXPECT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list())); } TEST_F(CertLoaderTest, UpdatedOnCertRemoval) { StartCertLoaderWithPrimaryUser(); net::CertificateList certs; ImportClientCertAndKey("websocket_client_cert.p12", primary_db_.get(), &certs); base::RunLoop().RunUntilIdle(); ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); ASSERT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list())); primary_db_->DeleteCertAndKey(certs[0]); ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); base::RunLoop().RunUntilIdle(); EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); ASSERT_FALSE(IsCertInCertificateList(certs[0], cert_loader_->cert_list())); } TEST_F(CertLoaderTest, UpdatedOnCACertTrustChange) { StartCertLoaderWithPrimaryUser(); net::CertificateList certs; ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs); base::RunLoop().RunUntilIdle(); ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); ASSERT_TRUE(IsCertInCertificateList(certs[0], cert_loader_->cert_list())); // The value that should have been set by |ImportCACert|. ASSERT_EQ(net::NSSCertDatabase::TRUST_DEFAULT, primary_db_->GetCertTrust(certs[0], net::CA_CERT)); ASSERT_TRUE(primary_db_->SetCertTrust( certs[0], net::CA_CERT, net::NSSCertDatabase::TRUSTED_SSL)); // Cert trust change should trigger certificate reload in cert_loader_. ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount()); base::RunLoop().RunUntilIdle(); EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount()); } TEST_F(CertLoaderTest, DatabaseWithUnsetSlots) { primary_db_.reset(new net::NSSCertDatabaseChromeOS(crypto::ScopedPK11Slot(), crypto::ScopedPK11Slot())); primary_db_->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy()); cert_loader_->StartWithNSSDB(primary_db_.get()); base::RunLoop().RunUntilIdle(); EXPECT_EQ(1u, GetAndResetCertificatesLoadedEventsCount()); EXPECT_TRUE(cert_loader_->certificates_loaded()); EXPECT_EQ(-1, cert_loader_->TPMTokenSlotID()); EXPECT_FALSE(cert_loader_->IsHardwareBacked()); } } // namespace } // namespace chromeos