net/base/openssl_private_key_store_unittest.cc - Issue 12220104: Wire up SSL client authentication for OpenSSL/Android through the net/ stack

Side by Side Diff: net/base/openssl_private_key_store_unittest.cc

Issue 12220104: Wire up SSL client authentication for OpenSSL/Android through the net/ stack (Closed) Base URL: http://git.chromium.org/chromium/src.git@master

Patch Set: remove chrome/browser changes + fix linux_redux build Created 7 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "net/base/openssl_private_key_store.h"

	6

	7 #include "base/memory/ref_counted.h"

	8 #include "net/base/cert_test_util.h"

	9 #include "net/base/test_data_directory.h"

	10 #include "testing/gtest/include/gtest/gtest.h"

	11

	12 namespace net {

	13

	14 namespace {

	15

	16 typedef OpenSSLPrivateKeyStore::ScopedEVP_PKEY ScopedEVP_PKEY;

	17

	18 // Return the internal reference count of a given EVP_PKEY.

	19 int EVP_PKEY_get_refcount(EVP_PKEY* pkey) {

	20 return pkey->references;

	21 }

	22

	23 }

	24

	25 // A common test class to ensure that the store is flushed after

	26 // each test case.

	27 class OpenSSLPrivateKeyStoreTest : public ::testing::Test {

	28 protected:

	29 virtual void SetUp() OVERRIDE {

	30 store_ = net::OpenSSLPrivateKeyStore::GetInstance();

	31 }

	32

	33 virtual void TearDown() OVERRIDE {

	34 if (store_)

	35 store_->Flush();

	36 }

	37

	38 OpenSSLPrivateKeyStore* store_;

	39 };

	40

	41 // Check that GetInstance() returns non-null

	42 TEST_F(OpenSSLPrivateKeyStoreTest, GetInstance) {

	43 ASSERT_TRUE(store_);

	44 }

	45

	46 // Check that Flush() works correctly.

	47 TEST_F(OpenSSLPrivateKeyStoreTest, Flush) {

	48 ASSERT_TRUE(store_);

	49

	50 scoped_refptr<X509Certificate> cert_1(

	51 ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));

	52 ASSERT_TRUE(cert_1);

	53

	54 ScopedEVP_PKEY priv_key(EVP_PKEY_new());

	55 ASSERT_TRUE(priv_key.get());

	56

	57 ASSERT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(),

	58 priv_key.get()));

	59

	60 store_->Flush();

	61

	62 // Retrieve the private key now. This shall fail.

	63 ScopedEVP_PKEY pkey;

	64 ASSERT_FALSE(store_->FetchClientCertPrivateKey(cert_1.get(), &pkey));

	65 ASSERT_FALSE(pkey.get());

	66 }

	67

	68 // Check that trying to retrieve the private key of an unknown certificate

	69 // simply fails by returning null.

	70 TEST_F(OpenSSLPrivateKeyStoreTest, FetchEmptyPrivateKey) {

	71 ASSERT_TRUE(store_);

	72

	73 scoped_refptr<X509Certificate> cert_1(

	74 ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));

	75 ASSERT_TRUE(cert_1);

	76

	77 // Retrieve the private key now. This shall fail.

	78 ScopedEVP_PKEY pkey;

	79 ASSERT_FALSE(store_->FetchClientCertPrivateKey(cert_1.get(), &pkey));

	80 ASSERT_FALSE(pkey.get());

	81 }

	82

	83 // Check that any private key recorded through RecordClientCertPrivateKey

	84 // can be retrieved with FetchClientCertPrivateKey.

	85 TEST_F(OpenSSLPrivateKeyStoreTest, RecordAndFetchPrivateKey) {

	86 ASSERT_TRUE(store_);

	87

	88 // Any certificate / key pair will do, the store is not supposed to

	89 // check that the private and certificate public keys match. This is

	90 // by design since the private EVP_PKEY could be a wrapper around a

	91 // JNI reference, with no way to access the real private key bits.

	92 scoped_refptr<X509Certificate> cert_1(

	93 ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));

	94 ASSERT_TRUE(cert_1);

	95

	96 ScopedEVP_PKEY priv_key(EVP_PKEY_new());

	97 ASSERT_TRUE(priv_key.get());

	98 ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key.get()));

	99

	100 // Add the key a first time, this shall succeed, and increment the

	101 // reference count.

	102 ASSERT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(),

	103 priv_key.get()));

	104 ASSERT_EQ(2, EVP_PKEY_get_refcount(priv_key.get()));

	105

	106 // Two successive calls with the same certificate / private key shall

	107 // also succeed, but the key's reference count won't be incremented.

	108 ASSERT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(),

	109 priv_key.get()));

	110 ASSERT_EQ(2, EVP_PKEY_get_refcount(priv_key.get()));

	111

	112 // Retrieve the private key now. This shall succeed and increment

	113 // the private key's reference count.

	114 {

	115 ScopedEVP_PKEY pkey2;

	116 ASSERT_TRUE(store_->FetchClientCertPrivateKey(cert_1.get(), &pkey2));

	117 ASSERT_EQ(pkey2.get(), priv_key.get());

	118 ASSERT_EQ(3, EVP_PKEY_get_refcount(priv_key.get()));

	119 // Release pkey2 here.

	120 }
	Ryan Sleevi 2013/02/13 23:25:55 As mentioned on previous reviews, such scope block As mentioned on previous reviews, such scope blocks are unnecessary and generally discouraged. digit1 2013/02/14 06:23:50 In this case it is intentionally used to release p Show quoted text On 2013/02/13 23:25:55, Ryan Sleevi wrote: > As mentioned on previous reviews, such scope blocks are unnecessary and > generally discouraged. In this case it is intentionally used to release pkey2 and decrease the reference count on the priv_key, which is later tested after the call to Flush(). That's why I added a comment on line 119 to make this explicit. The point is to check that store->Flush() actually releases the reference it holds on the key. It is possible to keep pkey2 alive until the end of the function and check that the final reference count is 2, instead of 1, but I think this version of the code is less ambiguous / more expressive about its intent. Do you still prefer that I remove the scope block? Ryan Sleevi 2013/02/14 07:15:00 I actually find that preferable, in that when read Show quoted text On 2013/02/14 06:23:50, digit1 wrote: > On 2013/02/13 23:25:55, Ryan Sleevi wrote: > > As mentioned on previous reviews, such scope blocks are unnecessary and > > generally discouraged. > > In this case it is intentionally used to release pkey2 and decrease the > reference count on the priv_key, which is later tested after the call to > Flush(). That's why I added a comment on line 119 to make this explicit. > > The point is to check that store->Flush() actually releases the reference it > holds on the key. It is possible to keep pkey2 alive until the end of the > function and check that the final reference count is 2, instead of 1, but I > think this version of the code is less ambiguous / more expressive about its > intent. Do you still prefer that I remove the scope block? I actually find that preferable, in that when reading this, I missed the significance of line 119 as it relates to the test. Alternatively, rather than using the scope block, using .release() would also be at least internally consistent with how such unit tests have historically been used, as part of the general preference to minimize unnecessary indentation (such as how error handling is structured). Something like: ASSERT_EQ(3, EVP_PKEY_get_refcount(priv_key.get())); pkey2.release(); ASSERT_EQ(2, EVP_PKEY_get_refcount(priv_key.get())); // Flush the store ... store_->Flush(); ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key.get())); Making clear the sequences.
	121

	122 // Flush the store explicitely now, and check that this decrements

	123 // the private key's reference count.

	124 store_->Flush();

	125 ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key.get()));

	126 }

	127

	128 // Same test, but with two certificates / private keys.

	129 TEST_F(OpenSSLPrivateKeyStoreTest, RecordAndFetchTwoPrivateKeys) {

	130 scoped_refptr<X509Certificate> cert_1(

	131 ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));

	132 ASSERT_TRUE(cert_1);

	133

	134 scoped_refptr<X509Certificate> cert_2(

	135 ImportCertFromFile(GetTestCertsDirectory(), "client_2.pem"));

	136 ASSERT_TRUE(cert_2);

	137

	138 ScopedEVP_PKEY priv_key1(EVP_PKEY_new());

	139 ASSERT_TRUE(priv_key1.get());

	140 ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key1.get()));

	141

	142 ScopedEVP_PKEY priv_key2(EVP_PKEY_new());

	143 ASSERT_TRUE(priv_key2.get());

	144 ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key2.get()));

	145

	146 ASSERT_NE(priv_key1.get(), priv_key2.get());

	147

	148 // Add the key a first time, this shall succeed, and increment the

	149 // reference count.

	150 EXPECT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(),

	151 priv_key1.get()));

	152 EXPECT_TRUE(store_->RecordClientCertPrivateKey(cert_2.get(),

	153 priv_key2.get()));

	154 EXPECT_EQ(2, EVP_PKEY_get_refcount(priv_key1.get()));

	155 EXPECT_EQ(2, EVP_PKEY_get_refcount(priv_key2.get()));

	156

	157 // Retrieve the private key now. This shall succeed and increment

	158 // the private key's reference count.

	159 ScopedEVP_PKEY fetch_key1;

	160 ASSERT_TRUE(store_->FetchClientCertPrivateKey(cert_1.get(),

	161 &fetch_key1));

	162 ScopedEVP_PKEY fetch_key2;

	163 ASSERT_TRUE(store_->FetchClientCertPrivateKey(cert_2.get(),

	164 &fetch_key2));

	165 EXPECT_TRUE(fetch_key1.get());

	166 EXPECT_TRUE(fetch_key2.get());

	167

	168 EXPECT_EQ(fetch_key1.get(), priv_key1.get());

	169 EXPECT_EQ(fetch_key2.get(), priv_key2.get());

	170

	171 EXPECT_EQ(3, EVP_PKEY_get_refcount(priv_key1.get()));

	172 EXPECT_EQ(3, EVP_PKEY_get_refcount(priv_key2.get()));

	173 }

	174

	175 } // namespace net

OLD	NEW