net/socket/ssl_client_socket_openssl_unittest.cc - Issue 12220104: Wire up SSL client authentication for OpenSSL/Android through the net/ stack

Side by Side Diff: net/socket/ssl_client_socket_openssl_unittest.cc

Issue 12220104: Wire up SSL client authentication for OpenSSL/Android through the net/ stack (Closed) Base URL: http://git.chromium.org/chromium/src.git@master

Patch Set: Created 7 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "net/socket/ssl_client_socket.h"

	6

	7 #include <errno.h>

	8 #include <string.h>

	9

	10 #include <openssl/bio.h>

	11 #include <openssl/bn.h>

	12 #include <openssl/evp.h>

	13 #include <openssl/pem.h>

	14 #include <openssl/rsa.h>

	15

	16 #include "base/file_util.h"

	17 #include "base/files/file_path.h"

	18 #include "base/memory/ref_counted.h"

	19 #include "base/memory/scoped_handle.h"

	20 #include "base/values.h"

	21 #include "crypto/openssl_util.h"

	22 #include "net/base/address_list.h"

	23 #include "net/base/cert_test_util.h"

	24 #include "net/base/host_resolver.h"

	25 #include "net/base/io_buffer.h"

	26 #include "net/base/mock_cert_verifier.h"

	27 #include "net/base/net_errors.h"

	28 #include "net/base/net_log.h"

	29 #include "net/base/net_log_unittest.h"

	30 #include "net/base/openssl_private_key_store.h"

	31 #include "net/base/ssl_cert_request_info.h"

	32 #include "net/base/ssl_config_service.h"

	33 #include "net/base/test_completion_callback.h"

	34 #include "net/base/test_data_directory.h"

	35 #include "net/base/test_root_certs.h"

	36 #include "net/socket/client_socket_factory.h"

	37 #include "net/socket/client_socket_handle.h"

	38 #include "net/socket/socket_test_util.h"

	39 #include "net/socket/tcp_client_socket.h"

	40 #include "net/test/test_server.h"

	41 #include "testing/gtest/include/gtest/gtest.h"

	42 #include "testing/platform_test.h"

	43

	44 namespace net {

	45

	46 namespace {

	47

	48 typedef OpenSSLPrivateKeyStore::ScopedEVP_PKEY ScopedEVP_PKEY;

	49

	50 // BIO_free is a macro, it can't be used as a template parameter.

	51 void BIO_free_func(BIO* bio) {

	52 BIO_free(bio);

	53 }

	54

	55 typedef crypto::ScopedOpenSSL<BIO, BIO_free_func> ScopedBIO;

	56 typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA;

	57 typedef crypto::ScopedOpenSSL<BIGNUM, BN_free> ScopedBIGNUM;

	58

	59
	Ryan Sleevi 2013/02/25 19:51:07 style: unnecessary vertical whitespace style: unnecessary vertical whitespace digit1 2013/02/26 11:03:13 Removed. Removed.
	60 // Loads a PEM-encoded private key file into a scoped EVP_PKEY object.

	61 // \|filepath\| is the private key file path.

	62 // \|*pkey\| is reset to the new EVP_PKEY on success, untouched otherwise.

	63 // Returns true on success, false on failure.

	64 bool LoadPrivateKeyOpenSSL(

	65 const base::FilePath& filepath,

	66 OpenSSLPrivateKeyStore::ScopedEVP_PKEY* pkey) {

	67 std::string data;

	68 if (!file_util::ReadFileToString(filepath, &data)) {

	69 LOG(ERROR) << "Could not read private key file: "

	70 << filepath.value() << ": " << strerror(errno);

	71 return false;

	72 }

	73 ScopedBIO bio(

	74 BIO_new_mem_buf(

	75 const_cast<char>(reinterpret_cast<const char>(data.data())),

	76 static_cast<int>(data.size())));

	77 if (!bio.get()) {

	78 LOG(ERROR) << "Could not allocate BIO for buffer?";

	79 return false;

	80 }

	81 EVP_PKEY* result = PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL);

	82 if (result == NULL) {

	83 LOG(ERROR) << "Could not decode private key file: "

	84 << filepath.value();

	85 return false;

	86 }

	87 pkey->reset(result);

	88 return true;

	89 }

	90

	91 const SSLConfig kDefaultSSLConfig;
	Ryan Sleevi 2013/02/25 19:51:07 Move this to line 58/59 Move this to line 58/59 digit1 2013/02/26 11:03:13 Done. Show quoted text On 2013/02/25 19:51:07, Ryan Sleevi wrote: > Move this to line 58/59 Done.
	92

	93 class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest {

	94 protected:

	95 virtual void SetUp() {

	96 socket_factory_ = ClientSocketFactory::GetDefaultFactory();

	97 scoped_ptr<MockCertVerifier> verifier(new MockCertVerifier);

	98 cert_verifier_.swap(verifier);

	99 cert_verifier_->set_default_result(OK);
	Ryan Sleevi 2013/02/25 19:51:07 ?? Why not cert_verifier_.reset(new MockCertVerif ?? Why not cert_verifier_.reset(new MockCertVerifier); cert_verifier_->set_default_result(OK); (eg: why the swap?) digit1 2013/02/26 11:03:13 That's what I did first, but the compiler complain That's what I did first, but the compiler complained that scoped_ptr<> didn't have a reset() method, so I had to use the swap. Must have been a typo though with a slightly too subtle template error message, but the point is moot since the latest patch uses constructor/destructor instead.
	100 context_.cert_verifier = cert_verifier_.get();

	101 key_store_ = OpenSSLPrivateKeyStore::GetInstance();

	102 }

	103

	104 virtual void TearDown() {

	105 key_store_->Flush();

	106 }
	Ryan Sleevi 2013/02/25 19:51:07 test style: SetUp/TearDown seem entirely unnecessa test style: SetUp/TearDown seem entirely unnecessary here, versus using the test ctor and dtor. I raised this in the previous patchset as well. See https://groups.google.com/a/chromium.org/d/topic/chromium-dev/x-D34rZAkc4/dis... digit1 2013/02/26 11:03:13 Done. Sorry, I misread your latest comment on this Done. Sorry, I misread your latest comment on this topic.
	107

	108 SSLClientSocket* CreateSSLClientSocket(

	109 StreamSocket* transport_socket,

	110 const HostPortPair& host_and_port,

	111 const SSLConfig& ssl_config) {

	112 return socket_factory_->CreateSSLClientSocket(transport_socket,

	113 host_and_port,

	114 ssl_config,

	115 context_);

	116 }

	117

	118 // Connect to a HTTPS test server.

	119 bool ConnectToTestServer(TestServer::SSLOptions& ssl_options) {

	120 test_server_.reset(new TestServer(TestServer::TYPE_HTTPS,

	121 ssl_options,

	122 base::FilePath()));

	123 if (!test_server_->Start()) {

	124 LOG(ERROR) << "Could not start TestServer";

	125 return false;

	126 }

	127

	128 if (!test_server_->GetAddressList(&addr_)) {

	129 LOG(ERROR) << "Could not get TestServer address list";

	130 return false;

	131 }

	132

	133 transport_.reset(new TCPClientSocket(

	134 addr_, &log_, NetLog::Source()));

	135 int rv = callback_.GetResult(

	136 transport_->Connect(callback_.callback()));

	137 if (rv != OK) {

	138 LOG(ERROR) << "Could not connect to TestServer";

	139 return false;

	140 }

	141 return true;

	142 }

	143

	144 // Record a certificate's private key to ensure it can be used

	145 // by the OpenSSL-based SSLClientSocket implementation.

	146 // \|ssl_config\| provides a client certificate.

	147 // \|private_key\| must be an EVP_PKEY for the corresponding private key.

	148 // Returns true on success, false on failure.

	149 bool RecordPrivateKey(SSLConfig& ssl_config,

	150 EVP_PKEY* private_key) {

	151 return key_store_->RecordClientCertPrivateKey(

	152 ssl_config.client_cert.get(), private_key);

	153 }

	154

	155 // Create an SSLClientSocket object and use it to connect to a test

	156 // server, then wait for connection results. This must be called after

	157 // a succesful ConnectToTestServer() call.

	158 // \|ssl_config\| the SSL configuration to use.

	159 // \|result\| will retrieve the ::Connect() result value.

	160 // Returns true on succes, false otherwise. Success means that the socket

	161 // could be created and its Connect() was called, not that the connection

	162 // itself was a success.

	163 bool CreateAndConnectSSLClientSocket(SSLConfig& ssl_config,

	164 int* result) {

	165 sock_.reset(CreateSSLClientSocket(transport_.release(),

	166 test_server_->host_port_pair(),

	167 ssl_config));

	168

	169 if (sock_->IsConnected()) {

	170 LOG(ERROR) << "SSL Socket prematurely connected";

	171 return false;

	172 }

	173

	174 *result = callback_.GetResult(sock_->Connect(callback_.callback()));

	175 return true;

	176 }

	177

	178

	179 // Check that the client certificate was sent.

	180 // Returns true on success.

	181 bool CheckSSLClientSocketSentCert() {

	182 SSLInfo ssl_info;

	183 sock_->GetSSLInfo(&ssl_info);

	184 return ssl_info.client_cert_sent;

	185 }

	186

	187 ClientSocketFactory* socket_factory_;

	188 scoped_ptr<MockCertVerifier> cert_verifier_;

	189 SSLClientSocketContext context_;

	190 OpenSSLPrivateKeyStore* key_store_;

	191 scoped_ptr<TestServer> test_server_;

	192 AddressList addr_;

	193 TestCompletionCallback callback_;

	194 CapturingNetLog log_;

	195 scoped_ptr<StreamSocket> transport_;

	196 scoped_ptr<SSLClientSocket> sock_;

	197 };

	198

	199 // Connect to a server requesting client authentication, do not send

	200 // any client certificates. It should refuse the connection.

	201 TEST_F(SSLClientSocketOpenSSLClientAuthTest, NoCert) {

	202 TestServer::SSLOptions ssl_options;

	203 ssl_options.request_client_certificate = true;

	204

	205 ASSERT_TRUE(ConnectToTestServer(ssl_options));

	206

	207 base::FilePath certs_dir = GetTestCertsDirectory();

	208 SSLConfig ssl_config = kDefaultSSLConfig;

	209

	210 int rv;

	211 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));

	212

	213 EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED, rv);

	214 EXPECT_FALSE(sock_->IsConnected());

	215 }

	216

	217 // Connect to a server requesting client authentication, and send it

	218 // an empty certificate. It should refuse the connection.

	219 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendEmptyCert) {

	220 TestServer::SSLOptions ssl_options;

	221 ssl_options.request_client_certificate = true;

	222 ssl_options.client_authorities.push_back(

	223 GetTestClientCertsDirectory().AppendASCII("client_1_root.pem"));

	224

	225 ASSERT_TRUE(ConnectToTestServer(ssl_options));

	226

	227 base::FilePath certs_dir = GetTestCertsDirectory();

	228 SSLConfig ssl_config = kDefaultSSLConfig;

	229 ssl_config.send_client_cert = true;

	230 ssl_config.client_cert = NULL;

	231

	232 int rv;

	233 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));

	234

	235 EXPECT_EQ(OK, rv);

	236 EXPECT_TRUE(sock_->IsConnected());

	237 }

	238

	239 // Connect to a server requesting client authentication. Send it a

	240 // matching certificate. It should allow the connection.

	241 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendGoodCert) {

	242 TestServer::SSLOptions ssl_options;

	243 ssl_options.request_client_certificate = true;

	244 ssl_options.client_authorities.push_back(

	245 GetTestClientCertsDirectory().AppendASCII("client_1_root.pem"));

	246

	247 ASSERT_TRUE(ConnectToTestServer(ssl_options));

	248

	249 base::FilePath certs_dir = GetTestCertsDirectory();

	250 SSLConfig ssl_config = kDefaultSSLConfig;

	251 ssl_config.send_client_cert = true;

	252 ssl_config.client_cert = ImportCertFromFile(certs_dir, "client_1.pem");

	253

	254 // This is required to ensure that signing works with the client

	255 // certificate's private key.

	256 OpenSSLPrivateKeyStore::ScopedEVP_PKEY client_private_key;

	257 ASSERT_TRUE(LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key"),

	258 &client_private_key));

	259 EXPECT_TRUE(RecordPrivateKey(ssl_config, client_private_key.get()));

	260

	261 int rv;

	262 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));

	263

	264 EXPECT_EQ(OK, rv);

	265 EXPECT_TRUE(sock_->IsConnected());

	266

	267 EXPECT_TRUE(CheckSSLClientSocketSentCert());

	268

	269 sock_->Disconnect();

	270 EXPECT_FALSE(sock_->IsConnected());

	271 }

	272

	273 } // namespace

	274 } // namespace net

OLD	NEW

« net/socket/ssl_client_socket_openssl.cc ('K') | « net/socket/ssl_client_socket_openssl.cc ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »