tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

softoken_nssckbi_testlib_gtest.cc (6389B)

      1 #include "cert.h"
      2 #include "certdb.h"
      3 #include "nspr.h"
      4 #include "nss.h"
      5 #include "pk11pub.h"
      6 #include "secerr.h"
      7 
      8 #include "nss_scoped_ptrs.h"
      9 #include "util.h"
     10 
     11 #define GTEST_HAS_RTTI 0
     12 #include "gtest/gtest.h"
     13 
     14 namespace nss_test {
     15 
     16 class SoftokenBuiltinsTest : public ::testing::Test {
     17 protected:
     18  SoftokenBuiltinsTest() : nss_db_dir_("SoftokenBuiltinsTest.d-") {}
     19  SoftokenBuiltinsTest(const std::string &prefix) : nss_db_dir_(prefix) {}
     20 
     21  virtual void SetUp() {
     22    std::string nss_init_arg("sql:");
     23    nss_init_arg.append(nss_db_dir_.GetUTF8Path());
     24    ASSERT_EQ(SECSuccess, NSS_Initialize(nss_init_arg.c_str(), "", "",
     25                                         SECMOD_DB, NSS_INIT_NOROOTINIT));
     26  }
     27 
     28  virtual void TearDown() {
     29    ASSERT_EQ(SECSuccess, NSS_Shutdown());
     30    const std::string &nss_db_dir_path = nss_db_dir_.GetPath();
     31    ASSERT_EQ(0, unlink((nss_db_dir_path + "/cert9.db").c_str()));
     32    ASSERT_EQ(0, unlink((nss_db_dir_path + "/key4.db").c_str()));
     33    ASSERT_EQ(0, unlink((nss_db_dir_path + "/pkcs11.txt").c_str()));
     34  }
     35 
     36  virtual void LoadModule() {
     37    ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
     38    ASSERT_TRUE(slot);
     39    EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
     40    SECStatus result = SECMOD_AddNewModule(
     41        "Builtins-testlib", DLL_PREFIX "nssckbi-testlib." DLL_SUFFIX, 0, 0);
     42    ASSERT_EQ(result, SECSuccess);
     43  }
     44 
     45  ScopedUniqueDirectory nss_db_dir_;
     46 };
     47 
     48 // The next tests in this class are used to test the Distrust Fields.
     49 // More details about these fields in lib/ckfw/builtins/README.
     50 TEST_F(SoftokenBuiltinsTest, CheckNoDistrustFields) {
     51  const char *kCertNickname =
     52      "Builtin Object Token:Distrust Fields Test - no_distrust";
     53  LoadModule();
     54 
     55  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
     56  ASSERT_TRUE(cert_handle);
     57  ScopedCERTCertificate cert(
     58      CERT_FindCertByNickname(cert_handle, kCertNickname));
     59  ASSERT_TRUE(cert);
     60 
     61  EXPECT_EQ(PR_FALSE,
     62            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
     63                                 CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE));
     64  EXPECT_EQ(PR_FALSE,
     65            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
     66                                 CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE));
     67 
     68  SECStatus rv;
     69  PRBool isDistrusted;
     70  PRTime distrustAfter;
     71  rv = PK11_ReadDistrustAfterAttribute(cert->slot, cert->pkcs11ID,
     72                                       CKA_NSS_SERVER_DISTRUST_AFTER,
     73                                       &isDistrusted, &distrustAfter);
     74  EXPECT_EQ(SECSuccess, rv);
     75  EXPECT_EQ(PR_FALSE, isDistrusted);
     76 
     77  rv = PK11_ReadDistrustAfterAttribute(cert->slot, cert->pkcs11ID,
     78                                       CKA_NSS_EMAIL_DISTRUST_AFTER,
     79                                       &isDistrusted, &distrustAfter);
     80  EXPECT_EQ(SECSuccess, rv);
     81  EXPECT_EQ(PR_FALSE, isDistrusted);
     82 
     83  ASSERT_FALSE(cert->distrust);
     84 }
     85 
     86 TEST_F(SoftokenBuiltinsTest, CheckOkDistrustFields) {
     87  const char *kCertNickname =
     88      "Builtin Object Token:Distrust Fields Test - ok_distrust";
     89  LoadModule();
     90 
     91  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
     92  ASSERT_TRUE(cert_handle);
     93  ScopedCERTCertificate cert(
     94      CERT_FindCertByNickname(cert_handle, kCertNickname));
     95  ASSERT_TRUE(cert);
     96 
     97  const char *kExpectedDERValueServer = "200617000000Z";
     98  const char *kExpectedDERValueEmail = "071014085320Z";
     99  // When a valid timestamp is encoded, the result length is exactly 13.
    100  const unsigned int kDistrustFieldSize = 13;
    101 
    102  ASSERT_TRUE(cert->distrust);
    103  ASSERT_EQ(kDistrustFieldSize, cert->distrust->serverDistrustAfter.len);
    104  ASSERT_NE(nullptr, cert->distrust->serverDistrustAfter.data);
    105  EXPECT_TRUE(!memcmp(kExpectedDERValueServer,
    106                      cert->distrust->serverDistrustAfter.data,
    107                      kDistrustFieldSize));
    108 
    109  ASSERT_EQ(kDistrustFieldSize, cert->distrust->emailDistrustAfter.len);
    110  ASSERT_NE(nullptr, cert->distrust->emailDistrustAfter.data);
    111  EXPECT_TRUE(!memcmp(kExpectedDERValueEmail,
    112                      cert->distrust->emailDistrustAfter.data,
    113                      kDistrustFieldSize));
    114 
    115  SECStatus rv;
    116  PRBool isDistrusted;
    117  PRTime distrustAfter;
    118  rv = PK11_ReadDistrustAfterAttribute(cert->slot, cert->pkcs11ID,
    119                                       CKA_NSS_SERVER_DISTRUST_AFTER,
    120                                       &isDistrusted, &distrustAfter);
    121  EXPECT_EQ(SECSuccess, rv);
    122  EXPECT_EQ(PR_TRUE, isDistrusted);
    123  EXPECT_EQ(1592352000000000, distrustAfter);
    124 
    125  rv = PK11_ReadDistrustAfterAttribute(cert->slot, cert->pkcs11ID,
    126                                       CKA_NSS_EMAIL_DISTRUST_AFTER,
    127                                       &isDistrusted, &distrustAfter);
    128  EXPECT_EQ(SECSuccess, rv);
    129  EXPECT_EQ(PR_TRUE, isDistrusted);
    130  EXPECT_EQ(1192352000000000, distrustAfter);
    131 }
    132 
    133 TEST_F(SoftokenBuiltinsTest, CheckInvalidDistrustFields) {
    134  const char *kCertNickname =
    135      "Builtin Object Token:Distrust Fields Test - err_distrust";
    136  LoadModule();
    137 
    138  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
    139  ASSERT_TRUE(cert_handle);
    140  ScopedCERTCertificate cert(
    141      CERT_FindCertByNickname(cert_handle, kCertNickname));
    142  ASSERT_TRUE(cert);
    143 
    144  // The field should never be set to TRUE in production, we are just
    145  // testing if this field is readable, even if set to TRUE.
    146  EXPECT_EQ(PR_TRUE,
    147            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
    148                                 CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE));
    149  // If something other than CK_BBOOL CK_TRUE, it will be considered FALSE
    150  // Here, there is an OCTAL value, but with unexpected content (1 digit less).
    151  EXPECT_EQ(PR_FALSE,
    152            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
    153                                 CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE));
    154  ASSERT_FALSE(cert->distrust);
    155 
    156  SECStatus rv;
    157  PRBool isDistrusted;
    158  PRTime distrustAfter;
    159  rv = PK11_ReadDistrustAfterAttribute(cert->slot, cert->pkcs11ID,
    160                                       CKA_NSS_SERVER_DISTRUST_AFTER,
    161                                       &isDistrusted, &distrustAfter);
    162  EXPECT_EQ(SECFailure, rv);
    163 
    164  rv = PK11_ReadDistrustAfterAttribute(cert->slot, cert->pkcs11ID,
    165                                       CKA_NSS_EMAIL_DISTRUST_AFTER,
    166                                       &isDistrusted, &distrustAfter);
    167  EXPECT_EQ(SECFailure, rv);
    168 }
    169 
    170 }  // namespace nss_test