1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chromeos/cert_loader.h"
6
7 #include "base/bind.h"
8 #include "base/files/file_util.h"
9 #include "base/memory/scoped_ptr.h"
10 #include "base/message_loop/message_loop.h"
11 #include "base/run_loop.h"
12 #include "crypto/nss_util_internal.h"
13 #include "crypto/scoped_nss_types.h"
14 #include "crypto/scoped_test_nss_chromeos_user.h"
15 #include "net/base/net_errors.h"
16 #include "net/base/test_data_directory.h"
17 #include "net/cert/nss_cert_database_chromeos.h"
18 #include "net/cert/x509_certificate.h"
19 #include "net/test/cert_test_util.h"
20 #include "testing/gtest/include/gtest/gtest.h"
21
22 namespace chromeos {
23 namespace {
24
IsCertInCertificateList(const net::X509Certificate * cert,const net::CertificateList & cert_list)25 bool IsCertInCertificateList(const net::X509Certificate* cert,
26 const net::CertificateList& cert_list) {
27 for (net::CertificateList::const_iterator it = cert_list.begin();
28 it != cert_list.end();
29 ++it) {
30 if (net::X509Certificate::IsSameOSCert((*it)->os_cert_handle(),
31 cert->os_cert_handle())) {
32 return true;
33 }
34 }
35 return false;
36 }
37
FailOnPrivateSlotCallback(crypto::ScopedPK11Slot slot)38 void FailOnPrivateSlotCallback(crypto::ScopedPK11Slot slot) {
39 EXPECT_FALSE(true) << "GetPrivateSlotForChromeOSUser callback called even "
40 << "though the private slot had been initialized.";
41 }
42
43 class CertLoaderTest : public testing::Test,
44 public CertLoader::Observer {
45 public:
CertLoaderTest()46 CertLoaderTest() : cert_loader_(NULL),
47 primary_user_("primary"),
48 certificates_loaded_events_count_(0U) {
49 }
50
~CertLoaderTest()51 virtual ~CertLoaderTest() {}
52
SetUp()53 virtual void SetUp() OVERRIDE {
54 ASSERT_TRUE(primary_user_.constructed_successfully());
55 ASSERT_TRUE(
56 crypto::GetPublicSlotForChromeOSUser(primary_user_.username_hash()));
57
58 CertLoader::Initialize();
59 cert_loader_ = CertLoader::Get();
60 cert_loader_->AddObserver(this);
61 }
62
TearDown()63 virtual void TearDown() {
64 cert_loader_->RemoveObserver(this);
65 CertLoader::Shutdown();
66 }
67
68 protected:
StartCertLoaderWithPrimaryUser()69 void StartCertLoaderWithPrimaryUser() {
70 FinishUserInitAndGetDatabase(&primary_user_, &primary_db_);
71 cert_loader_->StartWithNSSDB(primary_db_.get());
72
73 base::RunLoop().RunUntilIdle();
74 GetAndResetCertificatesLoadedEventsCount();
75 }
76
77 // CertLoader::Observer:
78 // The test keeps count of times the observer method was called.
OnCertificatesLoaded(const net::CertificateList & cert_list,bool initial_load)79 virtual void OnCertificatesLoaded(const net::CertificateList& cert_list,
80 bool initial_load) OVERRIDE {
81 EXPECT_TRUE(certificates_loaded_events_count_ == 0 || !initial_load);
82 certificates_loaded_events_count_++;
83 }
84
85 // Returns the number of |OnCertificatesLoaded| calls observed since the
86 // last call to this method equals |value|.
GetAndResetCertificatesLoadedEventsCount()87 size_t GetAndResetCertificatesLoadedEventsCount() {
88 size_t result = certificates_loaded_events_count_;
89 certificates_loaded_events_count_ = 0;
90 return result;
91 }
92
93 // Finishes initialization for the |user| and returns a user's NSS database
94 // instance.
FinishUserInitAndGetDatabase(crypto::ScopedTestNSSChromeOSUser * user,scoped_ptr<net::NSSCertDatabaseChromeOS> * database)95 void FinishUserInitAndGetDatabase(
96 crypto::ScopedTestNSSChromeOSUser* user,
97 scoped_ptr<net::NSSCertDatabaseChromeOS>* database) {
98 ASSERT_TRUE(user->constructed_successfully());
99
100 user->FinishInit();
101
102 crypto::ScopedPK11Slot private_slot(
103 crypto::GetPrivateSlotForChromeOSUser(
104 user->username_hash(),
105 base::Bind(&FailOnPrivateSlotCallback)));
106 ASSERT_TRUE(private_slot);
107
108 database->reset(new net::NSSCertDatabaseChromeOS(
109 crypto::GetPublicSlotForChromeOSUser(user->username_hash()),
110 private_slot.Pass()));
111 (*database)->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
112 }
113
GetDbPrivateSlotId(net::NSSCertDatabase * db)114 int GetDbPrivateSlotId(net::NSSCertDatabase* db) {
115 return static_cast<int>(PK11_GetSlotID(db->GetPrivateSlot().get()));
116 }
117
ImportCACert(const std::string & cert_file,net::NSSCertDatabase * database,net::CertificateList * imported_certs)118 void ImportCACert(const std::string& cert_file,
119 net::NSSCertDatabase* database,
120 net::CertificateList* imported_certs) {
121 ASSERT_TRUE(database);
122 ASSERT_TRUE(imported_certs);
123
124 // Add a certificate to the user's db.
125 *imported_certs = net::CreateCertificateListFromFile(
126 net::GetTestCertsDirectory(),
127 cert_file,
128 net::X509Certificate::FORMAT_AUTO);
129 ASSERT_EQ(1U, imported_certs->size());
130
131 net::NSSCertDatabase::ImportCertFailureList failed;
132 ASSERT_TRUE(database->ImportCACerts(*imported_certs,
133 net::NSSCertDatabase::TRUST_DEFAULT,
134 &failed));
135 ASSERT_TRUE(failed.empty());
136 }
137
ImportClientCertAndKey(const std::string & pkcs12_file,net::NSSCertDatabase * database,net::CertificateList * imported_certs)138 void ImportClientCertAndKey(const std::string& pkcs12_file,
139 net::NSSCertDatabase* database,
140 net::CertificateList* imported_certs) {
141 ASSERT_TRUE(database);
142 ASSERT_TRUE(imported_certs);
143
144 std::string pkcs12_data;
145 base::FilePath pkcs12_file_path =
146 net::GetTestCertsDirectory().Append(pkcs12_file);
147 ASSERT_TRUE(base::ReadFileToString(pkcs12_file_path, &pkcs12_data));
148
149 net::CertificateList client_cert_list;
150 scoped_refptr<net::CryptoModule> module(net::CryptoModule::CreateFromHandle(
151 database->GetPrivateSlot().get()));
152 ASSERT_EQ(net::OK,
153 database->ImportFromPKCS12(module.get(),
154 pkcs12_data,
155 base::string16(),
156 false,
157 imported_certs));
158 ASSERT_EQ(1U, imported_certs->size());
159 }
160
161 CertLoader* cert_loader_;
162
163 // The user is primary as the one whose certificates CertLoader handles, it
164 // has nothing to do with crypto::InitializeNSSForChromeOSUser is_primary_user
165 // parameter (which is irrelevant for these tests).
166 crypto::ScopedTestNSSChromeOSUser primary_user_;
167 scoped_ptr<net::NSSCertDatabaseChromeOS> primary_db_;
168
169 base::MessageLoop message_loop_;
170
171 private:
172 size_t certificates_loaded_events_count_;
173 };
174
TEST_F(CertLoaderTest,Basic)175 TEST_F(CertLoaderTest, Basic) {
176 EXPECT_FALSE(cert_loader_->CertificatesLoading());
177 EXPECT_FALSE(cert_loader_->certificates_loaded());
178 EXPECT_FALSE(cert_loader_->IsHardwareBacked());
179
180 FinishUserInitAndGetDatabase(&primary_user_, &primary_db_);
181
182 cert_loader_->StartWithNSSDB(primary_db_.get());
183
184 EXPECT_FALSE(cert_loader_->certificates_loaded());
185 EXPECT_TRUE(cert_loader_->CertificatesLoading());
186 EXPECT_TRUE(cert_loader_->cert_list().empty());
187
188 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
189 base::RunLoop().RunUntilIdle();
190 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
191
192 EXPECT_TRUE(cert_loader_->certificates_loaded());
193 EXPECT_FALSE(cert_loader_->CertificatesLoading());
194
195 // Default CA cert roots should get loaded.
196 EXPECT_FALSE(cert_loader_->cert_list().empty());
197 }
198
TEST_F(CertLoaderTest,CertLoaderUpdatesCertListOnNewCert)199 TEST_F(CertLoaderTest, CertLoaderUpdatesCertListOnNewCert) {
200 StartCertLoaderWithPrimaryUser();
201
202 net::CertificateList certs;
203 ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs);
204
205 // Certs are loaded asynchronously, so the new cert should not yet be in the
206 // cert list.
207 EXPECT_FALSE(
208 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
209
210 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
211 base::RunLoop().RunUntilIdle();
212 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
213
214 // The certificate list should be updated now, as the message loop's been run.
215 EXPECT_TRUE(
216 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
217 }
218
TEST_F(CertLoaderTest,CertLoaderNoUpdateOnSecondaryDbChanges)219 TEST_F(CertLoaderTest, CertLoaderNoUpdateOnSecondaryDbChanges) {
220 crypto::ScopedTestNSSChromeOSUser secondary_user("secondary");
221 scoped_ptr<net::NSSCertDatabaseChromeOS> secondary_db;
222
223 StartCertLoaderWithPrimaryUser();
224 FinishUserInitAndGetDatabase(&secondary_user, &secondary_db);
225
226 net::CertificateList certs;
227 ImportCACert("root_ca_cert.pem", secondary_db.get(), &certs);
228
229 base::RunLoop().RunUntilIdle();
230
231 EXPECT_FALSE(
232 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
233 }
234
TEST_F(CertLoaderTest,ClientLoaderUpdateOnNewClientCert)235 TEST_F(CertLoaderTest, ClientLoaderUpdateOnNewClientCert) {
236 StartCertLoaderWithPrimaryUser();
237
238 net::CertificateList certs;
239 ImportClientCertAndKey("websocket_client_cert.p12",
240 primary_db_.get(),
241 &certs);
242
243 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
244 base::RunLoop().RunUntilIdle();
245 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
246
247 EXPECT_TRUE(
248 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
249 }
250
TEST_F(CertLoaderTest,CertLoaderNoUpdateOnNewClientCertInSecondaryDb)251 TEST_F(CertLoaderTest, CertLoaderNoUpdateOnNewClientCertInSecondaryDb) {
252 crypto::ScopedTestNSSChromeOSUser secondary_user("secondary");
253 scoped_ptr<net::NSSCertDatabaseChromeOS> secondary_db;
254
255 StartCertLoaderWithPrimaryUser();
256 FinishUserInitAndGetDatabase(&secondary_user, &secondary_db);
257
258 net::CertificateList certs;
259 ImportClientCertAndKey("websocket_client_cert.p12",
260 secondary_db.get(),
261 &certs);
262
263 base::RunLoop().RunUntilIdle();
264
265 EXPECT_FALSE(
266 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
267 }
268
TEST_F(CertLoaderTest,UpdatedOnCertRemoval)269 TEST_F(CertLoaderTest, UpdatedOnCertRemoval) {
270 StartCertLoaderWithPrimaryUser();
271
272 net::CertificateList certs;
273 ImportClientCertAndKey("websocket_client_cert.p12",
274 primary_db_.get(),
275 &certs);
276
277 base::RunLoop().RunUntilIdle();
278
279 ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
280 ASSERT_TRUE(
281 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
282
283 primary_db_->DeleteCertAndKey(certs[0].get());
284
285 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
286 base::RunLoop().RunUntilIdle();
287 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
288
289 ASSERT_FALSE(
290 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
291 }
292
TEST_F(CertLoaderTest,UpdatedOnCACertTrustChange)293 TEST_F(CertLoaderTest, UpdatedOnCACertTrustChange) {
294 StartCertLoaderWithPrimaryUser();
295
296 net::CertificateList certs;
297 ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs);
298
299 base::RunLoop().RunUntilIdle();
300 ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
301 ASSERT_TRUE(
302 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
303
304 // The value that should have been set by |ImportCACert|.
305 ASSERT_EQ(net::NSSCertDatabase::TRUST_DEFAULT,
306 primary_db_->GetCertTrust(certs[0].get(), net::CA_CERT));
307 ASSERT_TRUE(primary_db_->SetCertTrust(
308 certs[0].get(), net::CA_CERT, net::NSSCertDatabase::TRUSTED_SSL));
309
310 // Cert trust change should trigger certificate reload in cert_loader_.
311 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
312 base::RunLoop().RunUntilIdle();
313 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
314 }
315
316 } // namespace
317 } // namespace chromeos
318