1 // Copyright 2022 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "net/cert/internal/system_trust_store.h"
6 
7 #include "net/cert/x509_certificate.h"
8 #include "net/cert/x509_util.h"
9 #include "net/net_buildflags.h"
10 #include "net/test/cert_test_util.h"
11 #include "net/test/test_data_directory.h"
12 #include "testing/gtest/include/gtest/gtest.h"
13 #include "third_party/boringssl/src/pki/parsed_certificate.h"
14 #include "third_party/boringssl/src/pki/trust_store.h"
15 
16 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
17 #include "net/cert/internal/trust_store_chrome.h"
18 #endif  // CHROME_ROOT_STORE_SUPPORTED
19 
20 namespace net {
21 
22 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
23 #include "net/data/ssl/chrome_root_store/chrome-root-store-test-data-inc.cc"  // nogncheck
24 
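namespace {

// Loads the first certificate of the Chrome Root Store test data
// (net/data/ssl/chrome_root_store/test_store.certs). Returns nullptr when the
// file yields no certificates or the first one fails to parse, so callers
// ASSERT on the result instead of indexing into an empty list.
std::shared_ptr<const bssl::ParsedCertificate> LoadFirstTestStoreRoot() {
  CertificateList certs = CreateCertificateListFromFile(
      GetTestNetDataDirectory().AppendASCII("ssl/chrome_root_store"),
      "test_store.certs", X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
  if (certs.empty()) {
    return nullptr;
  }
  return bssl::ParsedCertificate::Create(
      bssl::UpRef(certs[0]->cert_buffer()),
      x509_util::DefaultParseCertificateOptions(), nullptr);
}

// The store under test plus a handle to the fake "system" store layered
// underneath it, so a test can add system-level trust/distrust entries after
// construction and observe how they combine with Chrome Root Store trust.
struct TestStores {
  // Non-owning: the in-memory store is owned by |store| (it is moved into
  // CreateSystemTrustStoreChromeForTesting), so |store| must outlive every
  // use of this pointer.
  bssl::TrustStoreInMemory* system_store = nullptr;
  std::unique_ptr<SystemTrustStore> store;
};

// Builds a SystemTrustStoreChrome from the test Chrome Root Store data
// (version 1) and an initially empty in-memory store that stands in for the
// platform trust store. Only the precedence logic between the two stores is
// exercised by these tests; importing real platform trust settings is not.
TestStores MakeTestStores() {
  auto system_store = std::make_unique<bssl::TrustStoreInMemory>();
  TestStores stores;
  stores.system_store = system_store.get();
  stores.store = CreateSystemTrustStoreChromeForTesting(
      TrustStoreChrome::CreateTrustStoreForTesting(
          base::span<const ChromeRootCertInfo>(kChromeRootCertList),
          /*version=*/1),
      std::move(system_store));
  return stores;
}

// Resolves the combined trust for |cert| through the store under test.
bssl::CertificateTrust GetTrust(const TestStores& stores,
                                const bssl::ParsedCertificate* cert) {
  return stores.store->GetTrustStore()->GetTrust(cert);
}

}  // namespace

// A distrust entry in the system store must take precedence over trust in the
// Chrome Root Store: a locally configured distrust of a CRS root is honored.
TEST(SystemTrustStoreChrome, SystemDistrustOverridesChromeTrust) {
  std::shared_ptr<const bssl::ParsedCertificate> root =
      LoadFirstTestStoreRoot();
  ASSERT_TRUE(root);

  TestStores stores = MakeTestStores();

  // Baseline: with no entries in the fake system store, the cert is trusted
  // solely because the test Chrome Root Store contains it.
  EXPECT_TRUE(GetTrust(stores, root.get()).IsTrustAnchor());
  EXPECT_FALSE(GetTrust(stores, root.get()).IsDistrusted());

  // A system-level distrust entry overrides the Chrome Root Store trust. Check
  // both directions so a result that is somehow "both" would be caught.
  stores.system_store->AddDistrustedCertificateForTest(root);
  EXPECT_TRUE(GetTrust(stores, root.get()).IsDistrusted());
  EXPECT_FALSE(GetTrust(stores, root.get()).IsTrustAnchor());
}

// A trusted-leaf entry in the system store must not demote a Chrome Root Store
// root: the anchor trust from the CRS is still preferred over the weaker
// system-level leaf trust.
TEST(SystemTrustStoreChrome, SystemLeafTrustDoesNotOverrideChromeTrust) {
  std::shared_ptr<const bssl::ParsedCertificate> root =
      LoadFirstTestStoreRoot();
  ASSERT_TRUE(root);

  TestStores stores = MakeTestStores();

  // Baseline: with no entries in the fake system store, the cert is trusted
  // solely because the test Chrome Root Store contains it.
  EXPECT_TRUE(GetTrust(stores, root.get()).IsTrustAnchor());

  // Adding the same certificate to the fake system store as a trusted leaf
  // does not change the outcome: it is still reported as a trust anchor, not
  // as a leaf.
  stores.system_store->AddCertificate(
      root, bssl::CertificateTrust::ForTrustedLeaf());
  EXPECT_TRUE(GetTrust(stores, root.get()).IsTrustAnchor());
  EXPECT_FALSE(GetTrust(stores, root.get()).IsTrustLeaf());
}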
106 #endif  // CHROME_ROOT_STORE_SUPPORTED
107         //
108 }  // namespace net
109