Google Git
Sign in
chromium / chromium / src / b48a96bc4bda4d9526245fb33ea66f6f8700466d / . / net / ssl / client_cert_store_impl_unittest.cc
blob: 500e156169dbf8e2b77d87e5e77b61c677b1607f [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/ssl/client_cert_store_impl.h"
#include <string>
#include <vector>
#include "base/files/file_path.h"
#include "base/memory/ref_counted.h"
#include "base/memory/scoped_ptr.h"
#include "net/base/test_data_directory.h"
#include "net/test/cert_test_util.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace net {
namespace {
// "CN=B CA" - DER encoded DN of the issuer of client_1.pem
const unsigned char kAuthority1DN[] = {
0x30, 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
0x04, 0x42, 0x20, 0x43, 0x41
};
// "CN=E CA" - DER encoded DN of the issuer of client_2.pem
unsigned char kAuthority2DN[] = {
0x30, 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
0x04, 0x45, 0x20, 0x43, 0x41
};
} // namespace
class ClientCertStoreImplTest : public ::testing::Test {
protected:
bool SelectClientCerts(const CertificateList& input_certs,
const SSLCertRequestInfo& cert_request_info,
CertificateList* selected_certs) {
return store_.SelectClientCertsForTesting(
input_certs, cert_request_info, selected_certs);
}
#if defined(OS_MACOSX) && !defined(OS_IOS)
bool SelectClientCertsGivenPreferred(
const scoped_refptr<X509Certificate>& preferred_cert,
const CertificateList& regular_certs,
const SSLCertRequestInfo& request,
CertificateList* selected_certs) {
return store_.SelectClientCertsGivenPreferredForTesting(
preferred_cert, regular_certs, request, selected_certs);
}
#endif
private:
ClientCertStoreImpl store_;
};
TEST_F(ClientCertStoreImplTest, EmptyQuery) {
std::vector<scoped_refptr<X509Certificate> > certs;
scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo());
std::vector<scoped_refptr<X509Certificate> > selected_certs;
bool rv = SelectClientCerts(certs, *request.get(), &selected_certs);
EXPECT_TRUE(rv);
EXPECT_EQ(0u, selected_certs.size());
}
// Verify that CertRequestInfo with empty |cert_authorities| matches all
// issuers, rather than no issuers.
TEST_F(ClientCertStoreImplTest, AllIssuersAllowed) {
scoped_refptr<X509Certificate> cert(
ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));
ASSERT_TRUE(cert.get());
std::vector<scoped_refptr<X509Certificate> > certs;
certs.push_back(cert);
scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo());
std::vector<scoped_refptr<X509Certificate> > selected_certs;
bool rv = SelectClientCerts(certs, *request.get(), &selected_certs);
EXPECT_TRUE(rv);
ASSERT_EQ(1u, selected_certs.size());
EXPECT_TRUE(selected_certs[0]->Equals(cert.get()));
}
// Verify that certificates are correctly filtered against CertRequestInfo with
// |cert_authorities| containing only |authority_1_DN|.
TEST_F(ClientCertStoreImplTest, CertAuthorityFiltering) {
scoped_refptr<X509Certificate> cert_1(
ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));
ASSERT_TRUE(cert_1.get());
scoped_refptr<X509Certificate> cert_2(
ImportCertFromFile(GetTestCertsDirectory(), "client_2.pem"));
ASSERT_TRUE(cert_2.get());
std::vector<std::string> authority_1(
1, std::string(reinterpret_cast<const char*>(kAuthority1DN),
sizeof(kAuthority1DN)));
std::vector<std::string> authority_2(
1, std::string(reinterpret_cast<const char*>(kAuthority2DN),
sizeof(kAuthority2DN)));
EXPECT_TRUE(cert_1->IsIssuedByEncoded(authority_1));
EXPECT_FALSE(cert_1->IsIssuedByEncoded(authority_2));
EXPECT_TRUE(cert_2->IsIssuedByEncoded(authority_2));
EXPECT_FALSE(cert_2->IsIssuedByEncoded(authority_1));
std::vector<scoped_refptr<X509Certificate> > certs;
certs.push_back(cert_1);
certs.push_back(cert_2);
scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo());
request->cert_authorities = authority_1;
std::vector<scoped_refptr<X509Certificate> > selected_certs;
bool rv = SelectClientCerts(certs, *request.get(), &selected_certs);
EXPECT_TRUE(rv);
ASSERT_EQ(1u, selected_certs.size());
EXPECT_TRUE(selected_certs[0]->Equals(cert_1.get()));
}
#if defined(OS_MACOSX) && !defined(OS_IOS)
// Verify that the preferred cert gets filtered out when it doesn't match the
// server criteria.
TEST_F(ClientCertStoreImplTest, FilterOutThePreferredCert) {
scoped_refptr<X509Certificate> cert_1(
ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));
ASSERT_TRUE(cert_1.get());
std::vector<std::string> authority_2(
1, std::string(reinterpret_cast<const char*>(kAuthority2DN),
sizeof(kAuthority2DN)));
EXPECT_FALSE(cert_1->IsIssuedByEncoded(authority_2));
std::vector<scoped_refptr<X509Certificate> > certs;
scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo());
request->cert_authorities = authority_2;
std::vector<scoped_refptr<X509Certificate> > selected_certs;
bool rv = SelectClientCertsGivenPreferred(
cert_1, certs, *request.get(), &selected_certs);
EXPECT_TRUE(rv);
EXPECT_EQ(0u, selected_certs.size());
}
// Verify that the preferred cert takes the first position in the output list,
// when it does not get filtered out.
TEST_F(ClientCertStoreImplTest, PreferredCertGoesFirst) {
scoped_refptr<X509Certificate> cert_1(
ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));
ASSERT_TRUE(cert_1.get());
scoped_refptr<X509Certificate> cert_2(
ImportCertFromFile(GetTestCertsDirectory(), "client_2.pem"));
ASSERT_TRUE(cert_2.get());
std::vector<scoped_refptr<X509Certificate> > certs;
certs.push_back(cert_2);
scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo());
std::vector<scoped_refptr<X509Certificate> > selected_certs;
bool rv = SelectClientCertsGivenPreferred(
cert_1, certs, *request.get(), &selected_certs);
EXPECT_TRUE(rv);
ASSERT_EQ(2u, selected_certs.size());
EXPECT_TRUE(selected_certs[0]->Equals(cert_1.get()));
EXPECT_TRUE(selected_certs[1]->Equals(cert_2.get()));
}
#endif
} // namespace net