Adding upstream version 124.0.1.upstream/124.0.1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 124 insertions, 0 deletions

diff --git a/security/nss/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc b/security/nss/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc
new file mode 100644
index 0000000000..e7d6bc28b5
--- /dev/null
+++ b/security/nss/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc
@@ -0,0 +1,124 @@
+#include "cert.h"
+#include "certdb.h"
+#include "nspr.h"
+#include "nss.h"
+#include "pk11pub.h"
+#include "secerr.h"
+
+#include "nss_scoped_ptrs.h"
+#include "util.h"
+
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+class SoftokenBuiltinsTest : public ::testing::Test {
+ protected:
+  SoftokenBuiltinsTest() : nss_db_dir_("SoftokenBuiltinsTest.d-") {}
+  SoftokenBuiltinsTest(const std::string &prefix) : nss_db_dir_(prefix) {}
+
+  virtual void SetUp() {
+    std::string nss_init_arg("sql:");
+    nss_init_arg.append(nss_db_dir_.GetUTF8Path());
+    ASSERT_EQ(SECSuccess, NSS_Initialize(nss_init_arg.c_str(), "", "",
+                                         SECMOD_DB, NSS_INIT_NOROOTINIT));
+  }
+
+  virtual void TearDown() {
+    ASSERT_EQ(SECSuccess, NSS_Shutdown());
+    const std::string &nss_db_dir_path = nss_db_dir_.GetPath();
+    ASSERT_EQ(0, unlink((nss_db_dir_path + "/cert9.db").c_str()));
+    ASSERT_EQ(0, unlink((nss_db_dir_path + "/key4.db").c_str()));
+    ASSERT_EQ(0, unlink((nss_db_dir_path + "/pkcs11.txt").c_str()));
+  }
+
+  virtual void LoadModule() {
+    ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+    ASSERT_TRUE(slot);
+    EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
+    SECStatus result = SECMOD_AddNewModule(
+        "Builtins-testlib", DLL_PREFIX "nssckbi-testlib." DLL_SUFFIX, 0, 0);
+    ASSERT_EQ(result, SECSuccess);
+  }
+
+  ScopedUniqueDirectory nss_db_dir_;
+};
+
+// The next tests in this class are used to test the Distrust Fields.
+// More details about these fields in lib/ckfw/builtins/README.
+TEST_F(SoftokenBuiltinsTest, CheckNoDistrustFields) {
+  const char *kCertNickname =
+      "Builtin Object Token:Distrust Fields Test - no_distrust";
+  LoadModule();
+
+  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
+  ASSERT_TRUE(cert_handle);
+  ScopedCERTCertificate cert(
+      CERT_FindCertByNickname(cert_handle, kCertNickname));
+  ASSERT_TRUE(cert);
+
+  EXPECT_EQ(PR_FALSE,
+            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
+                                 CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE));
+  EXPECT_EQ(PR_FALSE,
+            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
+                                 CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE));
+  ASSERT_FALSE(cert->distrust);
+}
+
+TEST_F(SoftokenBuiltinsTest, CheckOkDistrustFields) {
+  const char *kCertNickname =
+      "Builtin Object Token:Distrust Fields Test - ok_distrust";
+  LoadModule();
+
+  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
+  ASSERT_TRUE(cert_handle);
+  ScopedCERTCertificate cert(
+      CERT_FindCertByNickname(cert_handle, kCertNickname));
+  ASSERT_TRUE(cert);
+
+  const char *kExpectedDERValueServer = "200617000000Z";
+  const char *kExpectedDERValueEmail = "071014085320Z";
+  // When a valid timestamp is encoded, the result length is exactly 13.
+  const unsigned int kDistrustFieldSize = 13;
+
+  ASSERT_TRUE(cert->distrust);
+  ASSERT_EQ(kDistrustFieldSize, cert->distrust->serverDistrustAfter.len);
+  ASSERT_NE(nullptr, cert->distrust->serverDistrustAfter.data);
+  EXPECT_TRUE(!memcmp(kExpectedDERValueServer,
+                      cert->distrust->serverDistrustAfter.data,
+                      kDistrustFieldSize));
+
+  ASSERT_EQ(kDistrustFieldSize, cert->distrust->emailDistrustAfter.len);
+  ASSERT_NE(nullptr, cert->distrust->emailDistrustAfter.data);
+  EXPECT_TRUE(!memcmp(kExpectedDERValueEmail,
+                      cert->distrust->emailDistrustAfter.data,
+                      kDistrustFieldSize));
+}
+
+TEST_F(SoftokenBuiltinsTest, CheckInvalidDistrustFields) {
+  const char *kCertNickname =
+      "Builtin Object Token:Distrust Fields Test - err_distrust";
+  LoadModule();
+
+  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
+  ASSERT_TRUE(cert_handle);
+  ScopedCERTCertificate cert(
+      CERT_FindCertByNickname(cert_handle, kCertNickname));
+  ASSERT_TRUE(cert);
+
+  // The field should never be set to TRUE in production, we are just
+  // testing if this field is readable, even if set to TRUE.
+  EXPECT_EQ(PR_TRUE,
+            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
+                                 CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE));
+  // If something other than CK_BBOOL CK_TRUE, it will be considered FALSE
+  // Here, there is an OCTAL value, but with unexpected content (1 digit less).
+  EXPECT_EQ(PR_FALSE,
+            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
+                                 CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE));
+  ASSERT_FALSE(cert->distrust);
+}
+
+}  // namespace nss_test