Regenerate the root certificate and end-entity certificates used for …

…various tests in net_unittests, now that Windows can temporarily trust certificates for the duration of tests. In addition, add unittests for net::TestRootCerts, which depend on the certs being tested not being trusted by the system beforehand. BUG=8470, 5552 TEST=TestRootCertsTest.* TBR=zelidrag Review URL: https://chromiumcodereview.appspot.com/5535006 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@207443 0039d316-1c4b-4281-b951-d872f2087c98
AryanGitHub · Jun 20, 2013 · d321e74 · d321e74
1 parent 3f76834
commit d321e74
Show file tree

Hide file tree

Showing 23 changed files with 790 additions and 216 deletions.
diff --git a/chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc b/chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc
@@ -152,7 +152,7 @@ TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) {
 TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) {
   // |ca_cert| is the issuer of |cert|.
   scoped_refptr<net::X509Certificate> ca_cert =
-      LoadCertificate("root_ca_cert.crt", net::CA_CERT);
+      LoadCertificate("root_ca_cert.pem", net::CA_CERT);
   ASSERT_TRUE(ca_cert.get());
   scoped_refptr<net::X509Certificate> cert =
       LoadCertificate("ok_cert.pem", net::SERVER_CERT);
@@ -206,7 +206,7 @@ TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) {
 
   // |ca_cert| is the issuer of |cert|.
   scoped_refptr<net::X509Certificate> ca_cert =
-      LoadCertificate("root_ca_cert.crt", net::CA_CERT);
+      LoadCertificate("root_ca_cert.pem", net::CA_CERT);
   ASSERT_TRUE(ca_cert.get());
   scoped_refptr<net::X509Certificate> cert =
       LoadCertificate("ok_cert.pem", net::SERVER_CERT);
@@ -251,7 +251,7 @@ TEST_F(PolicyCertVerifierTest, ProfileRemainsTainted) {
 
   // |ca_cert| is the issuer of |cert|.
   scoped_refptr<net::X509Certificate> ca_cert =
-      LoadCertificate("root_ca_cert.crt", net::CA_CERT);
+      LoadCertificate("root_ca_cert.pem", net::CA_CERT);
   ASSERT_TRUE(ca_cert.get());
   scoped_refptr<net::X509Certificate> cert =
       LoadCertificate("ok_cert.pem", net::SERVER_CERT);

diff --git a/chrome/common/net/x509_certificate_model_unittest.cc b/chrome/common/net/x509_certificate_model_unittest.cc
@@ -14,7 +14,7 @@
 TEST(X509CertificateModelTest, GetTypeCA) {
   scoped_refptr<net::X509Certificate> cert(
       net::ImportCertFromFile(net::GetTestCertsDirectory(),
-                              "root_ca_cert.crt"));
+                              "root_ca_cert.pem"));
   ASSERT_TRUE(cert.get());
 
 #if defined(USE_OPENSSL)

diff --git a/chrome/interactive_ui_tests.isolate b/chrome/interactive_ui_tests.isolate
@@ -26,7 +26,7 @@
       'variables': {
         'isolate_dependency_tracked': [
           '../net/data/ssl/certificates/ok_cert.pem',
-          '../net/data/ssl/certificates/root_ca_cert.crt',
+          '../net/data/ssl/certificates/root_ca_cert.pem',
           '../net/tools/testserver/asn1.py',
           '../net/tools/testserver/echo_message.py',
           '../net/tools/testserver/minica.py',

diff --git a/net/android/javatests/src/org/chromium/net/X509UtilTest.java b/net/android/javatests/src/org/chromium/net/X509UtilTest.java
@@ -36,7 +36,7 @@ public class X509UtilTest extends InstrumentationTestCase {
     private static final String NON_CRITICAL_CODE_SIGNING_EE = "non-crit-codeSigning-chain.pem";
     private static final String WEB_CLIENT_AUTH_EE = "invalid_key_usage_cert.der";
     private static final String OK_CERT = "ok_cert.pem";
-    private static final String GOOD_ROOT_CA = "root_ca_cert.crt";
+    private static final String GOOD_ROOT_CA = "root_ca_cert.pem";
 
     private static final String BEGIN_MARKER = "-----BEGIN CERTIFICATE-----";
     private static final String END_MARKER = "-----END CERTIFICATE-----";

diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
@@ -820,7 +820,7 @@ TEST_F(CertVerifyProcTest, AdditionalTrustAnchors) {
 
   // |ca_cert| is the issuer of |cert|.
   CertificateList ca_cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "root_ca_cert.crt",
+      GetTestCertsDirectory(), "root_ca_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_cert_list.size());
   scoped_refptr<X509Certificate> ca_cert(ca_cert_list[0]);

diff --git a/net/cert/nss_cert_database_unittest.cc b/net/cert/nss_cert_database_unittest.cc
@@ -267,7 +267,7 @@ TEST_F(CertDatabaseNSSTest, ImportFromPKCS12InvalidFile) {
 
 TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
   CertificateList certs = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "root_ca_cert.crt",
+      GetTestCertsDirectory(), "root_ca_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs.size());
   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
@@ -282,7 +282,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
-  EXPECT_EQ("Test CA", cert->subject().common_name);
+  EXPECT_EQ("Test Root CA", cert->subject().common_name);
 
   EXPECT_EQ(NSSCertDatabase::TRUSTED_SSL,
             cert_db_->GetCertTrust(cert.get(), CA_CERT));
@@ -298,7 +298,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
 
 TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
   CertificateList certs = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "root_ca_cert.crt",
+      GetTestCertsDirectory(), "root_ca_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs.size());
   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
@@ -313,7 +313,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
-  EXPECT_EQ("Test CA", cert->subject().common_name);
+  EXPECT_EQ("Test Root CA", cert->subject().common_name);
 
   EXPECT_EQ(NSSCertDatabase::TRUSTED_EMAIL,
             cert_db_->GetCertTrust(cert.get(), CA_CERT));
@@ -329,7 +329,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
 
 TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
   CertificateList certs = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "root_ca_cert.crt",
+      GetTestCertsDirectory(), "root_ca_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs.size());
   EXPECT_FALSE(certs[0]->os_cert_handle()->isperm);
@@ -344,7 +344,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
   ASSERT_EQ(1U, cert_list.size());
   scoped_refptr<X509Certificate> cert(cert_list[0]);
-  EXPECT_EQ("Test CA", cert->subject().common_name);
+  EXPECT_EQ("Test Root CA", cert->subject().common_name);
 
   EXPECT_EQ(NSSCertDatabase::TRUSTED_OBJ_SIGN,
             cert_db_->GetCertTrust(cert.get(), CA_CERT));
@@ -490,7 +490,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertHierarchyTree) {
 
 TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
   CertificateList certs = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "root_ca_cert.crt",
+      GetTestCertsDirectory(), "root_ca_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs.size());
   ASSERT_TRUE(ReadCertIntoList("dod_ca_13_cert.der", &certs));
@@ -512,7 +512,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACertNotHierarchy) {
 
   CertificateList cert_list = ListCertsInSlot(slot_->os_module_handle());
   ASSERT_EQ(1U, cert_list.size());
-  EXPECT_EQ("Test CA", cert_list[0]->subject().common_name);
+  EXPECT_EQ("Test Root CA", cert_list[0]->subject().common_name);
 }
 
 // http://crbug.com/108009 - Disabled, as google.chain.pem is an expired
@@ -629,7 +629,7 @@ TEST_F(CertDatabaseNSSTest, ImportServerCert_SelfSigned_Trusted) {
 
 TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert) {
   CertificateList ca_certs = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "root_ca_cert.crt",
+      GetTestCertsDirectory(), "root_ca_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_certs.size());
 
@@ -671,7 +671,7 @@ TEST_F(CertDatabaseNSSTest, ImportCaAndServerCert_DistrustServer) {
   }
 
   CertificateList ca_certs = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "root_ca_cert.crt",
+      GetTestCertsDirectory(), "root_ca_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, ca_certs.size());
 

diff --git a/net/cert/test_root_certs_android.cc b/net/cert/test_root_certs_android.cc
@@ -18,6 +18,7 @@ bool TestRootCerts::Add(X509Certificate* certificate) {
       return false;
   android::AddTestRootCertificate(
       reinterpret_cast<const uint8*>(cert_bytes.data()), cert_bytes.size());
+  empty_ = false;
   return true;
 }
 

diff --git a/net/cert/test_root_certs_unittest.cc b/net/cert/test_root_certs_unittest.cc
@@ -0,0 +1,142 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/files/file_path.h"
+#include "build/build_config.h"
+#include "net/base/net_errors.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/cert_status_flags.h"
+#include "net/cert/cert_verify_proc.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/test_root_certs.h"
+#include "net/cert/x509_certificate.h"
+#include "net/test/cert_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+#if defined(USE_NSS) || defined(OS_IOS)
+#include <nss.h>
+#endif
+
+namespace net {
+
+namespace {
+
+// The local test root certificate.
+const char kRootCertificateFile[] = "root_ca_cert.pem";
+// A certificate issued by the local test root for 127.0.0.1.
+const char kGoodCertificateFile[] = "ok_cert.pem";
+
+}  // namespace
+
+// Test basic functionality when adding from an existing X509Certificate.
+TEST(TestRootCertsTest, AddFromPointer) {
+  scoped_refptr<X509Certificate> root_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), kRootCertificateFile);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
+
+  TestRootCerts* test_roots = TestRootCerts::GetInstance();
+  ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
+  EXPECT_TRUE(test_roots->IsEmpty());
+
+  EXPECT_TRUE(test_roots->Add(root_cert));
+  EXPECT_FALSE(test_roots->IsEmpty());
+
+  test_roots->Clear();
+  EXPECT_TRUE(test_roots->IsEmpty());
+}
+
+// Test basic functionality when adding directly from a file, which should
+// behave the same as when adding from an existing certificate.
+TEST(TestRootCertsTest, AddFromFile) {
+  TestRootCerts* test_roots = TestRootCerts::GetInstance();
+  ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
+  EXPECT_TRUE(test_roots->IsEmpty());
+
+  base::FilePath cert_path =
+      GetTestCertsDirectory().AppendASCII(kRootCertificateFile);
+  EXPECT_TRUE(test_roots->AddFromFile(cert_path));
+  EXPECT_FALSE(test_roots->IsEmpty());
+
+  test_roots->Clear();
+  EXPECT_TRUE(test_roots->IsEmpty());
+}
+
+// Test that TestRootCerts actually adds the appropriate trust status flags
+// when requested, and that the trusted status is cleared once the root is
+// removed the TestRootCerts. This test acts as a canary/sanity check for
+// the results of the rest of net_unittests, ensuring that the trust status
+// is properly being set and cleared.
+TEST(TestRootCertsTest, OverrideTrust) {
+#if defined(USE_NSS) || defined(OS_IOS)
+  if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) {
+    // See http://bugzil.la/863947 for details
+    LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15";
+    return;
+  }
+#endif
+
+  TestRootCerts* test_roots = TestRootCerts::GetInstance();
+  ASSERT_NE(static_cast<TestRootCerts*>(NULL), test_roots);
+  EXPECT_TRUE(test_roots->IsEmpty());
+
+  scoped_refptr<X509Certificate> test_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), kGoodCertificateFile);
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), test_cert);
+
+  // Test that the good certificate fails verification, because the root
+  // certificate should not yet be trusted.
+  int flags = 0;
+  CertVerifyResult bad_verify_result;
+  scoped_refptr<CertVerifyProc> verify_proc(CertVerifyProc::CreateDefault());
+  int bad_status = verify_proc->Verify(test_cert,
+                                       "127.0.0.1",
+                                       flags,
+                                       NULL,
+                                       CertificateList(),
+                                       &bad_verify_result);
+  EXPECT_NE(OK, bad_status);
+  EXPECT_NE(0u, bad_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
+
+  // Add the root certificate and mark it as trusted.
+  EXPECT_TRUE(test_roots->AddFromFile(
+      GetTestCertsDirectory().AppendASCII(kRootCertificateFile)));
+  EXPECT_FALSE(test_roots->IsEmpty());
+
+  // Test that the certificate verification now succeeds, because the
+  // TestRootCerts is successfully imbuing trust.
+  CertVerifyResult good_verify_result;
+  int good_status = verify_proc->Verify(test_cert,
+                                        "127.0.0.1",
+                                        flags,
+                                        NULL,
+                                        CertificateList(),
+                                        &good_verify_result);
+  EXPECT_EQ(OK, good_status);
+  EXPECT_EQ(0u, good_verify_result.cert_status);
+
+  test_roots->Clear();
+  EXPECT_TRUE(test_roots->IsEmpty());
+
+  // Ensure that when the TestRootCerts is cleared, the trust settings
+  // revert to their original state, and don't linger. If trust status
+  // lingers, it will likely break other tests in net_unittests.
+  CertVerifyResult restored_verify_result;
+  int restored_status = verify_proc->Verify(test_cert,
+                                            "127.0.0.1",
+                                            flags,
+                                            NULL,
+                                            CertificateList(),
+                                            &restored_verify_result);
+  EXPECT_NE(OK, restored_status);
+  EXPECT_NE(0u,
+            restored_verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
+  EXPECT_EQ(bad_status, restored_status);
+  EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status);
+}
+
+// TODO(rsleevi): Add tests for revocation checking via CRLs, ensuring that
+// TestRootCerts properly injects itself into the validation process. See
+// http://crbug.com/63958
+
+}  // namespace net
diff --git a/net/data/ssl/certificates/README b/net/data/ssl/certificates/README
@@ -23,13 +23,6 @@ unit tests.
 - dod_root_ca_2_cert.der : A certificate chain for regression tests of
      http://crbug.com/31497.
 
-- expired_cert.pem : An expired certificate, used by test_server.cc.
-
-- ok_cert.pem : A valid certificate, used by test_server.cc
-
-- root_ca_cert.crt : The testing root CA used to sign the test_server.cc's
-     certificates.
-
 - unosoft_hu_cert : Certificate used by X509CertificateTest.UnoSoftCertParsing.
 
 - client.p12 : A PKCS #12 file containing a client certificate and a private
@@ -212,3 +205,11 @@ unit tests.
 - no_subject_common_name_cert.pem: Used to test the function that generates a
   NSS certificate nickname for a user certificate. This certificate's Subject
   field doesn't have a common name.
+
+- expired_cert.pem
+- ok_cert.pem
+- root_ca_cert.pem
+     These certificates are the common certificates used by the Python test
+     server for simulating HTTPS connections. They are generated by running
+     the script net/data/ssl/scripts/generate-test-certs.sh.
+