#include "cert.h" #include "certdb.h" #include "nspr.h" #include "nss.h" #include "pk11pub.h" #include "secerr.h" #include "nss_scoped_ptrs.h" #include "util.h" #define GTEST_HAS_RTTI 0 #include "gtest/gtest.h" namespace nss_test { class SoftokenBuiltinsTest : public ::testing::Test { protected: SoftokenBuiltinsTest() : nss_db_dir_("SoftokenBuiltinsTest.d-") {} SoftokenBuiltinsTest(const std::string &prefix) : nss_db_dir_(prefix) {} virtual void SetUp() { std::string nss_init_arg("sql:"); nss_init_arg.append(nss_db_dir_.GetUTF8Path()); ASSERT_EQ(SECSuccess, NSS_Initialize(nss_init_arg.c_str(), "", "", SECMOD_DB, NSS_INIT_NOROOTINIT)); } virtual void TearDown() { ASSERT_EQ(SECSuccess, NSS_Shutdown()); const std::string &nss_db_dir_path = nss_db_dir_.GetPath(); ASSERT_EQ(0, unlink((nss_db_dir_path + "/cert9.db").c_str())); ASSERT_EQ(0, unlink((nss_db_dir_path + "/key4.db").c_str())); ASSERT_EQ(0, unlink((nss_db_dir_path + "/pkcs11.txt").c_str())); } virtual void LoadModule() { ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); ASSERT_TRUE(slot); EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr)); SECStatus result = SECMOD_AddNewModule( "Builtins-testlib", DLL_PREFIX "nssckbi-testlib." DLL_SUFFIX, 0, 0); ASSERT_EQ(result, SECSuccess); } ScopedUniqueDirectory nss_db_dir_; }; // The next tests in this class are used to test the Distrust Fields. // More details about these fields in lib/ckfw/builtins/README. TEST_F(SoftokenBuiltinsTest, CheckNoDistrustFields) { const char *kCertNickname = "Builtin Object Token:Distrust Fields Test - no_distrust"; LoadModule(); CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB(); ASSERT_TRUE(cert_handle); ScopedCERTCertificate cert( CERT_FindCertByNickname(cert_handle, kCertNickname)); ASSERT_TRUE(cert); EXPECT_EQ(PR_FALSE, PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE)); EXPECT_EQ(PR_FALSE, PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE)); ASSERT_FALSE(cert->distrust); } TEST_F(SoftokenBuiltinsTest, CheckOkDistrustFields) { const char *kCertNickname = "Builtin Object Token:Distrust Fields Test - ok_distrust"; LoadModule(); CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB(); ASSERT_TRUE(cert_handle); ScopedCERTCertificate cert( CERT_FindCertByNickname(cert_handle, kCertNickname)); ASSERT_TRUE(cert); const char *kExpectedDERValueServer = "200617000000Z"; const char *kExpectedDERValueEmail = "071014085320Z"; // When a valid timestamp is encoded, the result length is exactly 13. const unsigned int kDistrustFieldSize = 13; ASSERT_TRUE(cert->distrust); ASSERT_EQ(kDistrustFieldSize, cert->distrust->serverDistrustAfter.len); ASSERT_NE(nullptr, cert->distrust->serverDistrustAfter.data); EXPECT_TRUE(!memcmp(kExpectedDERValueServer, cert->distrust->serverDistrustAfter.data, kDistrustFieldSize)); ASSERT_EQ(kDistrustFieldSize, cert->distrust->emailDistrustAfter.len); ASSERT_NE(nullptr, cert->distrust->emailDistrustAfter.data); EXPECT_TRUE(!memcmp(kExpectedDERValueEmail, cert->distrust->emailDistrustAfter.data, kDistrustFieldSize)); } TEST_F(SoftokenBuiltinsTest, CheckInvalidDistrustFields) { const char *kCertNickname = "Builtin Object Token:Distrust Fields Test - err_distrust"; LoadModule(); CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB(); ASSERT_TRUE(cert_handle); ScopedCERTCertificate cert( CERT_FindCertByNickname(cert_handle, kCertNickname)); ASSERT_TRUE(cert); // The field should never be set to TRUE in production, we are just // testing if this field is readable, even if set to TRUE. EXPECT_EQ(PR_TRUE, PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE)); // If something other than CK_BBOOL CK_TRUE, it will be considered FALSE // Here, there is an OCTAL value, but with unexpected content (1 digit less). EXPECT_EQ(PR_FALSE, PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE)); ASSERT_FALSE(cert->distrust); } } // namespace nss_test