summaryrefslogtreecommitdiffstats
path: root/security/nss/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc
blob: e7d6bc28b510f886f20531d49d251d3534dc5e1f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
#include "cert.h"
#include "certdb.h"
#include "nspr.h"
#include "nss.h"
#include "pk11pub.h"
#include "secerr.h"

#include "nss_scoped_ptrs.h"
#include "util.h"

#define GTEST_HAS_RTTI 0
#include "gtest/gtest.h"

namespace nss_test {

class SoftokenBuiltinsTest : public ::testing::Test {
 protected:
  SoftokenBuiltinsTest() : nss_db_dir_("SoftokenBuiltinsTest.d-") {}
  SoftokenBuiltinsTest(const std::string &prefix) : nss_db_dir_(prefix) {}

  virtual void SetUp() {
    std::string nss_init_arg("sql:");
    nss_init_arg.append(nss_db_dir_.GetUTF8Path());
    ASSERT_EQ(SECSuccess, NSS_Initialize(nss_init_arg.c_str(), "", "",
                                         SECMOD_DB, NSS_INIT_NOROOTINIT));
  }

  virtual void TearDown() {
    ASSERT_EQ(SECSuccess, NSS_Shutdown());
    const std::string &nss_db_dir_path = nss_db_dir_.GetPath();
    ASSERT_EQ(0, unlink((nss_db_dir_path + "/cert9.db").c_str()));
    ASSERT_EQ(0, unlink((nss_db_dir_path + "/key4.db").c_str()));
    ASSERT_EQ(0, unlink((nss_db_dir_path + "/pkcs11.txt").c_str()));
  }

  virtual void LoadModule() {
    ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
    ASSERT_TRUE(slot);
    EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
    SECStatus result = SECMOD_AddNewModule(
        "Builtins-testlib", DLL_PREFIX "nssckbi-testlib." DLL_SUFFIX, 0, 0);
    ASSERT_EQ(result, SECSuccess);
  }

  ScopedUniqueDirectory nss_db_dir_;
};

// The next tests in this class are used to test the Distrust Fields.
// More details about these fields in lib/ckfw/builtins/README.
TEST_F(SoftokenBuiltinsTest, CheckNoDistrustFields) {
  const char *kCertNickname =
      "Builtin Object Token:Distrust Fields Test - no_distrust";
  LoadModule();

  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
  ASSERT_TRUE(cert_handle);
  ScopedCERTCertificate cert(
      CERT_FindCertByNickname(cert_handle, kCertNickname));
  ASSERT_TRUE(cert);

  EXPECT_EQ(PR_FALSE,
            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
                                 CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE));
  EXPECT_EQ(PR_FALSE,
            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
                                 CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE));
  ASSERT_FALSE(cert->distrust);
}

TEST_F(SoftokenBuiltinsTest, CheckOkDistrustFields) {
  const char *kCertNickname =
      "Builtin Object Token:Distrust Fields Test - ok_distrust";
  LoadModule();

  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
  ASSERT_TRUE(cert_handle);
  ScopedCERTCertificate cert(
      CERT_FindCertByNickname(cert_handle, kCertNickname));
  ASSERT_TRUE(cert);

  const char *kExpectedDERValueServer = "200617000000Z";
  const char *kExpectedDERValueEmail = "071014085320Z";
  // When a valid timestamp is encoded, the result length is exactly 13.
  const unsigned int kDistrustFieldSize = 13;

  ASSERT_TRUE(cert->distrust);
  ASSERT_EQ(kDistrustFieldSize, cert->distrust->serverDistrustAfter.len);
  ASSERT_NE(nullptr, cert->distrust->serverDistrustAfter.data);
  EXPECT_TRUE(!memcmp(kExpectedDERValueServer,
                      cert->distrust->serverDistrustAfter.data,
                      kDistrustFieldSize));

  ASSERT_EQ(kDistrustFieldSize, cert->distrust->emailDistrustAfter.len);
  ASSERT_NE(nullptr, cert->distrust->emailDistrustAfter.data);
  EXPECT_TRUE(!memcmp(kExpectedDERValueEmail,
                      cert->distrust->emailDistrustAfter.data,
                      kDistrustFieldSize));
}

TEST_F(SoftokenBuiltinsTest, CheckInvalidDistrustFields) {
  const char *kCertNickname =
      "Builtin Object Token:Distrust Fields Test - err_distrust";
  LoadModule();

  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
  ASSERT_TRUE(cert_handle);
  ScopedCERTCertificate cert(
      CERT_FindCertByNickname(cert_handle, kCertNickname));
  ASSERT_TRUE(cert);

  // The field should never be set to TRUE in production, we are just
  // testing if this field is readable, even if set to TRUE.
  EXPECT_EQ(PR_TRUE,
            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
                                 CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE));
  // If something other than CK_BBOOL CK_TRUE, it will be considered FALSE
  // Here, there is an OCTAL value, but with unexpected content (1 digit less).
  EXPECT_EQ(PR_FALSE,
            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
                                 CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE));
  ASSERT_FALSE(cert->distrust);
}

}  // namespace nss_test