blob: 4d7b96c4112e1d31997215a35155e1db9dde4a33 [file] [log] [blame]
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chromeos/cert_loader.h"
#include <stddef.h>
#include <memory>
#include <utility>
#include "base/bind.h"
#include "base/files/file_util.h"
#include "base/message_loop/message_loop.h"
#include "base/run_loop.h"
#include "base/test/scoped_task_scheduler.h"
#include "crypto/scoped_nss_types.h"
#include "crypto/scoped_test_nss_db.h"
#include "net/cert/nss_cert_database_chromeos.h"
#include "net/cert/x509_certificate.h"
#include "net/test/cert_test_util.h"
#include "net/test/test_data_directory.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace chromeos {
namespace {
bool IsCertInCertificateList(const net::X509Certificate* cert,
const net::CertificateList& cert_list) {
for (net::CertificateList::const_iterator it = cert_list.begin();
it != cert_list.end();
++it) {
if (net::X509Certificate::IsSameOSCert((*it)->os_cert_handle(),
cert->os_cert_handle())) {
return true;
}
}
return false;
}
size_t CountCertOccurencesInCertificateList(
const net::X509Certificate* cert,
const net::CertificateList& cert_list) {
size_t count = 0;
for (net::CertificateList::const_iterator it = cert_list.begin();
it != cert_list.end(); ++it) {
if (net::X509Certificate::IsSameOSCert((*it)->os_cert_handle(),
cert->os_cert_handle())) {
++count;
}
}
return count;
}
class TestNSSCertDatabase : public net::NSSCertDatabaseChromeOS {
public:
TestNSSCertDatabase(crypto::ScopedPK11Slot public_slot,
crypto::ScopedPK11Slot private_slot)
: NSSCertDatabaseChromeOS(std::move(public_slot),
std::move(private_slot)) {}
~TestNSSCertDatabase() override {}
// Make this method visible in the public interface.
void NotifyObserversCertDBChanged() {
NSSCertDatabaseChromeOS::NotifyObserversCertDBChanged();
}
};
// Describes a client certificate along with a key, stored in
// net::GetTestCertsDirectory().
struct TestClientCertWithKey {
const char* cert_pem_filename;
const char* key_pk8_filename;
};
const TestClientCertWithKey TEST_CLIENT_CERT_1 = {"client_1.pem",
"client_1.pk8"};
const TestClientCertWithKey TEST_CLIENT_CERT_2 = {"client_2.pem",
"client_2.pk8"};
class CertLoaderTest : public testing::Test,
public CertLoader::Observer {
public:
CertLoaderTest()
: cert_loader_(nullptr),
scoped_task_scheduler_(&message_loop_),
certificates_loaded_events_count_(0U) {}
~CertLoaderTest() override {}
void SetUp() override {
ASSERT_TRUE(primary_db_.is_open());
CertLoader::Initialize();
cert_loader_ = CertLoader::Get();
cert_loader_->AddObserver(this);
}
void TearDown() override {
cert_loader_->RemoveObserver(this);
CertLoader::Shutdown();
}
protected:
void StartCertLoaderWithPrimaryDB() {
CreateCertDatabase(&primary_db_, &primary_certdb_);
cert_loader_->SetUserNSSDB(primary_certdb_.get());
base::RunLoop().RunUntilIdle();
GetAndResetCertificatesLoadedEventsCount();
}
// Starts the cert loader with a primary cert database which has access to the
// system token.
void StartCertLoaderWithPrimaryDBAndSystemToken() {
CreateCertDatabase(&primary_db_, &primary_certdb_);
AddSystemToken(primary_certdb_.get());
cert_loader_->SetUserNSSDB(primary_certdb_.get());
base::RunLoop().RunUntilIdle();
GetAndResetCertificatesLoadedEventsCount();
}
// CertLoader::Observer:
// The test keeps count of times the observer method was called.
void OnCertificatesLoaded(const net::CertificateList& cert_list,
bool initial_load) override {
EXPECT_TRUE(certificates_loaded_events_count_ == 0 || !initial_load);
certificates_loaded_events_count_++;
}
// Returns the number of |OnCertificatesLoaded| calls observed since the
// last call to this method equals |value|.
size_t GetAndResetCertificatesLoadedEventsCount() {
size_t result = certificates_loaded_events_count_;
certificates_loaded_events_count_ = 0;
return result;
}
void CreateCertDatabase(crypto::ScopedTestNSSDB* db,
std::unique_ptr<TestNSSCertDatabase>* certdb) {
ASSERT_TRUE(db->is_open());
certdb->reset(new TestNSSCertDatabase(
crypto::ScopedPK11Slot(PK11_ReferenceSlot(db->slot())),
crypto::ScopedPK11Slot(PK11_ReferenceSlot(db->slot()))));
(*certdb)->SetSlowTaskRunnerForTest(message_loop_.task_runner());
}
void ImportCACert(const std::string& cert_file,
net::NSSCertDatabase* database,
net::CertificateList* imported_certs) {
ASSERT_TRUE(database);
ASSERT_TRUE(imported_certs);
*imported_certs = net::CreateCertificateListFromFile(
net::GetTestCertsDirectory(),
cert_file,
net::X509Certificate::FORMAT_AUTO);
ASSERT_EQ(1U, imported_certs->size());
net::NSSCertDatabase::ImportCertFailureList failed;
ASSERT_TRUE(database->ImportCACerts(*imported_certs,
net::NSSCertDatabase::TRUST_DEFAULT,
&failed));
ASSERT_TRUE(failed.empty());
}
// Import a client cert described by |test_cert| and key into a PKCS11 slot.
// Then notify |database_to_notify| (which is presumably using that slot) that
// new certificates are available.
scoped_refptr<net::X509Certificate> ImportClientCertAndKey(
TestNSSCertDatabase* database_to_notify,
PK11SlotInfo* slot_to_use,
const TestClientCertWithKey& test_cert) {
// Import a client cert signed by that CA.
scoped_refptr<net::X509Certificate> client_cert(
net::ImportClientCertAndKeyFromFile(
net::GetTestCertsDirectory(), test_cert.cert_pem_filename,
test_cert.key_pk8_filename, slot_to_use));
database_to_notify->NotifyObserversCertDBChanged();
return client_cert;
}
// Import |TEST_CLIENT_CERT_1| into a PKCS11 slot. Then notify
// |database_to_notify| (which is presumably using that slot) that new
// certificates are avialable.
scoped_refptr<net::X509Certificate> ImportClientCertAndKey(
TestNSSCertDatabase* database_to_notify,
PK11SlotInfo* slot_to_use) {
return ImportClientCertAndKey(database_to_notify, slot_to_use,
TEST_CLIENT_CERT_1);
}
// Import a client cert into |database|'s private slot.
scoped_refptr<net::X509Certificate> ImportClientCertAndKey(
TestNSSCertDatabase* database) {
return ImportClientCertAndKey(database, database->GetPrivateSlot().get());
}
// Adds the PKCS11 slot from |system_db_| to |certdb| as system slot.
void AddSystemToken(TestNSSCertDatabase* certdb) {
ASSERT_TRUE(system_db_.is_open());
certdb->SetSystemSlot(
crypto::ScopedPK11Slot(PK11_ReferenceSlot(system_db_.slot())));
}
CertLoader* cert_loader_;
// The user is primary as the one whose certificates CertLoader handles, it
// has nothing to do with crypto::InitializeNSSForChromeOSUser is_primary_user
// parameter (which is irrelevant for these tests).
crypto::ScopedTestNSSDB primary_db_;
std::unique_ptr<TestNSSCertDatabase> primary_certdb_;
// Additional NSS DB simulating the system token.
crypto::ScopedTestNSSDB system_db_;
// A NSSCertDatabase which only uses the system token (simulated by
// system_db_).
std::unique_ptr<TestNSSCertDatabase> system_certdb_;
base::MessageLoop message_loop_;
private:
base::test::ScopedTaskScheduler scoped_task_scheduler_;
size_t certificates_loaded_events_count_;
};
} // namespace
TEST_F(CertLoaderTest, BasicOnlyUserDB) {
EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running());
EXPECT_FALSE(cert_loader_->initial_load_finished());
CreateCertDatabase(&primary_db_, &primary_certdb_);
cert_loader_->SetUserNSSDB(primary_certdb_.get());
EXPECT_FALSE(cert_loader_->initial_load_finished());
EXPECT_TRUE(cert_loader_->initial_load_of_any_database_running());
EXPECT_TRUE(cert_loader_->all_certs().empty());
EXPECT_TRUE(cert_loader_->system_certs().empty());
ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
base::RunLoop().RunUntilIdle();
EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
EXPECT_TRUE(cert_loader_->initial_load_finished());
EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running());
// Default CA cert roots should get loaded.
EXPECT_FALSE(cert_loader_->all_certs().empty());
EXPECT_TRUE(cert_loader_->system_certs().empty());
}
TEST_F(CertLoaderTest, BasicOnlySystemDB) {
EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running());
EXPECT_FALSE(cert_loader_->initial_load_finished());
CreateCertDatabase(&system_db_, &system_certdb_);
cert_loader_->SetSystemNSSDB(system_certdb_.get());
EXPECT_FALSE(cert_loader_->initial_load_finished());
EXPECT_TRUE(cert_loader_->initial_load_of_any_database_running());
EXPECT_TRUE(cert_loader_->all_certs().empty());
ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
base::RunLoop().RunUntilIdle();
EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
EXPECT_TRUE(cert_loader_->initial_load_finished());
EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running());
// Default CA cert roots should get loaded.
EXPECT_FALSE(cert_loader_->all_certs().empty());
}
// Tests the CertLoader with a system DB and then with an additional user DB
// which does not have access to the system token.
TEST_F(CertLoaderTest, SystemAndUnaffiliatedUserDB) {
CreateCertDatabase(&system_db_, &system_certdb_);
scoped_refptr<net::X509Certificate> system_token_cert(ImportClientCertAndKey(
system_certdb_.get(), system_db_.slot(), TEST_CLIENT_CERT_1));
CreateCertDatabase(&primary_db_, &primary_certdb_);
scoped_refptr<net::X509Certificate> user_token_cert(ImportClientCertAndKey(
primary_certdb_.get(), primary_db_.slot(), TEST_CLIENT_CERT_2));
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running());
EXPECT_FALSE(cert_loader_->initial_load_finished());
cert_loader_->SetSystemNSSDB(system_certdb_.get());
EXPECT_FALSE(cert_loader_->initial_load_finished());
EXPECT_TRUE(cert_loader_->initial_load_of_any_database_running());
EXPECT_TRUE(cert_loader_->all_certs().empty());
EXPECT_TRUE(cert_loader_->system_certs().empty());
ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
base::RunLoop().RunUntilIdle();
EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
EXPECT_TRUE(cert_loader_->initial_load_finished());
EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running());
EXPECT_TRUE(IsCertInCertificateList(system_token_cert.get(),
cert_loader_->system_certs()));
EXPECT_TRUE(IsCertInCertificateList(system_token_cert.get(),
cert_loader_->all_certs()));
cert_loader_->SetUserNSSDB(primary_certdb_.get());
EXPECT_TRUE(cert_loader_->initial_load_finished());
EXPECT_TRUE(cert_loader_->initial_load_of_any_database_running());
EXPECT_FALSE(cert_loader_->all_certs().empty());
EXPECT_FALSE(cert_loader_->system_certs().empty());
ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
base::RunLoop().RunUntilIdle();
EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
EXPECT_TRUE(cert_loader_->initial_load_finished());
EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running());
EXPECT_FALSE(IsCertInCertificateList(user_token_cert.get(),
cert_loader_->system_certs()));
EXPECT_TRUE(IsCertInCertificateList(user_token_cert.get(),
cert_loader_->all_certs()));
}
// Tests the CertLoader with a system DB and then with an additional user DB
// which has access to the system token.
TEST_F(CertLoaderTest, SystemAndAffiliatedUserDB) {
CreateCertDatabase(&system_db_, &system_certdb_);
scoped_refptr<net::X509Certificate> system_token_cert(ImportClientCertAndKey(
system_certdb_.get(), system_db_.slot(), TEST_CLIENT_CERT_1));
CreateCertDatabase(&primary_db_, &primary_certdb_);
scoped_refptr<net::X509Certificate> user_token_cert(ImportClientCertAndKey(
primary_certdb_.get(), primary_db_.slot(), TEST_CLIENT_CERT_2));
AddSystemToken(primary_certdb_.get());
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running());
EXPECT_FALSE(cert_loader_->initial_load_finished());
cert_loader_->SetSystemNSSDB(system_certdb_.get());
EXPECT_FALSE(cert_loader_->initial_load_finished());
EXPECT_TRUE(cert_loader_->initial_load_of_any_database_running());
EXPECT_TRUE(cert_loader_->all_certs().empty());
EXPECT_TRUE(cert_loader_->system_certs().empty());
ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
base::RunLoop().RunUntilIdle();
EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
EXPECT_TRUE(cert_loader_->initial_load_finished());
EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running());
EXPECT_TRUE(IsCertInCertificateList(system_token_cert.get(),
cert_loader_->system_certs()));
EXPECT_TRUE(IsCertInCertificateList(system_token_cert.get(),
cert_loader_->all_certs()));
cert_loader_->SetUserNSSDB(primary_certdb_.get());
EXPECT_TRUE(cert_loader_->initial_load_finished());
EXPECT_TRUE(cert_loader_->initial_load_of_any_database_running());
EXPECT_FALSE(cert_loader_->all_certs().empty());
EXPECT_FALSE(cert_loader_->system_certs().empty());
ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
base::RunLoop().RunUntilIdle();
EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
EXPECT_TRUE(cert_loader_->initial_load_finished());
EXPECT_FALSE(cert_loader_->initial_load_of_any_database_running());
EXPECT_FALSE(IsCertInCertificateList(user_token_cert.get(),
cert_loader_->system_certs()));
EXPECT_EQ(1U, CountCertOccurencesInCertificateList(
user_token_cert.get(), cert_loader_->all_certs()));
}
TEST_F(CertLoaderTest, CertLoaderUpdatesCertListOnNewCert) {
StartCertLoaderWithPrimaryDB();
net::CertificateList certs;
ImportCACert("root_ca_cert.pem", primary_certdb_.get(), &certs);
// Certs are loaded asynchronously, so the new cert should not yet be in the
// cert list.
EXPECT_FALSE(
IsCertInCertificateList(certs[0].get(), cert_loader_->all_certs()));
ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
base::RunLoop().RunUntilIdle();
EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
// The certificate list should be updated now, as the message loop's been run.
EXPECT_TRUE(
IsCertInCertificateList(certs[0].get(), cert_loader_->all_certs()));
EXPECT_FALSE(cert_loader_->IsCertificateHardwareBacked(certs[0].get()));
}
TEST_F(CertLoaderTest, CertLoaderNoUpdateOnSecondaryDbChanges) {
crypto::ScopedTestNSSDB secondary_db;
std::unique_ptr<TestNSSCertDatabase> secondary_certdb;
StartCertLoaderWithPrimaryDB();
CreateCertDatabase(&secondary_db, &secondary_certdb);
net::CertificateList certs;
ImportCACert("root_ca_cert.pem", secondary_certdb.get(), &certs);
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(
IsCertInCertificateList(certs[0].get(), cert_loader_->all_certs()));
}
TEST_F(CertLoaderTest, ClientLoaderUpdateOnNewClientCert) {
StartCertLoaderWithPrimaryDB();
scoped_refptr<net::X509Certificate> cert(
ImportClientCertAndKey(primary_certdb_.get()));
ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
base::RunLoop().RunUntilIdle();
EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
EXPECT_TRUE(IsCertInCertificateList(cert.get(), cert_loader_->all_certs()));
}
TEST_F(CertLoaderTest, ClientLoaderUpdateOnNewClientCertInSystemToken) {
StartCertLoaderWithPrimaryDBAndSystemToken();
EXPECT_TRUE(cert_loader_->system_certs().empty());
scoped_refptr<net::X509Certificate> cert(ImportClientCertAndKey(
primary_certdb_.get(), primary_certdb_->GetSystemSlot().get()));
ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
base::RunLoop().RunUntilIdle();
EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
EXPECT_TRUE(IsCertInCertificateList(cert.get(), cert_loader_->all_certs()));
EXPECT_EQ(1U, cert_loader_->system_certs().size());
EXPECT_TRUE(
IsCertInCertificateList(cert.get(), cert_loader_->system_certs()));
}
TEST_F(CertLoaderTest, CertLoaderNoUpdateOnNewClientCertInSecondaryDb) {
crypto::ScopedTestNSSDB secondary_db;
std::unique_ptr<TestNSSCertDatabase> secondary_certdb;
StartCertLoaderWithPrimaryDB();
CreateCertDatabase(&secondary_db, &secondary_certdb);
scoped_refptr<net::X509Certificate> cert(
ImportClientCertAndKey(secondary_certdb.get()));
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(IsCertInCertificateList(cert.get(), cert_loader_->all_certs()));
}
TEST_F(CertLoaderTest, UpdatedOnCertRemoval) {
StartCertLoaderWithPrimaryDB();
scoped_refptr<net::X509Certificate> cert(
ImportClientCertAndKey(primary_certdb_.get()));
base::RunLoop().RunUntilIdle();
ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
ASSERT_TRUE(IsCertInCertificateList(cert.get(), cert_loader_->all_certs()));
primary_certdb_->DeleteCertAndKey(cert.get());
ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
base::RunLoop().RunUntilIdle();
EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
ASSERT_FALSE(IsCertInCertificateList(cert.get(), cert_loader_->all_certs()));
}
TEST_F(CertLoaderTest, UpdatedOnCACertTrustChange) {
StartCertLoaderWithPrimaryDB();
net::CertificateList certs;
ImportCACert("root_ca_cert.pem", primary_certdb_.get(), &certs);
base::RunLoop().RunUntilIdle();
ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
ASSERT_TRUE(
IsCertInCertificateList(certs[0].get(), cert_loader_->all_certs()));
// The value that should have been set by |ImportCACert|.
ASSERT_EQ(net::NSSCertDatabase::TRUST_DEFAULT,
primary_certdb_->GetCertTrust(certs[0].get(), net::CA_CERT));
ASSERT_TRUE(primary_certdb_->SetCertTrust(certs[0].get(), net::CA_CERT,
net::NSSCertDatabase::TRUSTED_SSL));
// Cert trust change should trigger certificate reload in cert_loader_.
ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
base::RunLoop().RunUntilIdle();
EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
}
} // namespace chromeos