OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include <openssl/evp.h> | |
6 #include <openssl/rsa.h> | |
7 | |
8 #include "base/files/file_path.h" | |
9 #include "base/macros.h" | |
bartfab (slow)
2015/09/03 17:30:53
Nit: Not used.
pneubeck (no reviews)
2015/09/07 17:21:33
Done.
| |
10 #include "base/memory/scoped_ptr.h" | |
11 #include "base/strings/string_number_conversions.h" | |
12 #include "base/strings/utf_string_conversions.h" | |
13 #include "chrome/browser/extensions/extension_apitest.h" | |
14 #include "chrome/browser/ui/tabs/tab_strip_model.h" | |
15 #include "chrome/test/base/ui_test_utils.h" | |
16 #include "chromeos/chromeos_switches.h" | |
bartfab (slow)
2015/09/03 17:30:53
Nit: Not used.
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
pneubeck (no reviews)
2015/09/07 17:21:33
Done.
| |
17 #include "components/policy/core/browser/browser_policy_connector.h" | |
18 #include "components/policy/core/common/mock_configuration_policy_provider.h" | |
19 #include "components/policy/core/common/policy_map.h" | |
20 #include "components/policy/core/common/policy_types.h" | |
21 #include "content/public/browser/render_frame_host.h" | |
22 #include "content/public/browser/web_contents.h" | |
23 #include "content/public/test/test_navigation_observer.h" | |
24 #include "content/public/test/test_utils.h" | |
25 #include "crypto/rsa_private_key.h" | |
26 #include "crypto/scoped_openssl_types.h" | |
27 #include "extensions/test/result_catcher.h" | |
28 #include "net/base/escape.h" | |
bartfab (slow)
2015/09/03 17:30:53
Nit: Not used.
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
29 #include "net/base/test_data_directory.h" | |
bartfab (slow)
2015/09/03 17:30:53
Nit: Not used.
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
30 #include "net/cert/test_root_certs.h" | |
bartfab (slow)
2015/09/03 17:30:52
Nit: Not used.
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
31 #include "net/test/spawned_test_server/spawned_test_server.h" | |
32 #include "policy/policy_constants.h" | |
33 #include "testing/gmock/include/gmock/gmock.h" | |
34 | |
35 using testing::Return; | |
36 using testing::_; | |
37 | |
38 namespace { | |
39 | |
40 void IgnoreResult(base::Closure callback, const base::Value* value) { | |
bartfab (slow)
2015/09/03 17:30:53
Nit 1: Pass |callback| by const reference.
Nit 2:
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
41 callback.Run(); | |
42 } | |
43 | |
44 void StoreBool(bool* result, base::Closure callback, const base::Value* value) { | |
bartfab (slow)
2015/09/03 17:30:53
Nit: Pass |callback| by const reference.
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
45 value->GetAsBoolean(result); | |
46 callback.Run(); | |
47 } | |
48 | |
49 void StoreString(std::string* result, | |
bartfab (slow)
2015/09/03 17:30:52
Nit: #include <string>
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
50 base::Closure callback, | |
bartfab (slow)
2015/09/03 17:30:53
Nit: Pass |callback| by const reference.
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
51 const base::Value* value) { | |
52 value->GetAsString(result); | |
53 callback.Run(); | |
54 } | |
55 | |
56 void StoreDigest(base::Closure callback, | |
bartfab (slow)
2015/09/03 17:30:53
Nit 1: Pass |callback| by const reference.
Nit 2:
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
57 std::vector<uint8>* digest, | |
bartfab (slow)
2015/09/03 17:30:53
Nit 1: Here and throughout the file: s/uint8/uint8
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
58 const base::Value* value) { | |
59 const base::BinaryValue* binary = nullptr; | |
60 value->GetAsBinary(&binary); | |
61 const uint8* const binary_begin = | |
bartfab (slow)
2015/09/03 17:30:53
Nit: const pointer to const.
pneubeck (no reviews)
2015/09/07 17:21:32
It is already. Isn't it?
bartfab (slow)
2015/09/08 14:55:16
Sorry :).
| |
62 reinterpret_cast<const uint8*>(binary->GetBuffer()); | |
63 digest->assign(binary_begin, binary_begin + binary->GetSize()); | |
64 | |
65 callback.Run(); | |
66 } | |
67 | |
68 // See net::SSLPrivateKey::SignDigest for the expected padding and DigestInfo | |
69 // prefixing. | |
70 bool RsaSign(const std::vector<uint8>& digest, | |
71 crypto::RSAPrivateKey* key, | |
72 std::vector<uint8>* signature) { | |
73 crypto::ScopedRSA rsa_key(EVP_PKEY_get1_RSA(key->key())); | |
74 if (!rsa_key) | |
75 return false; | |
76 | |
77 uint8_t* prefixed_digest = nullptr; | |
78 size_t prefixed_digest_len = 0; | |
bartfab (slow)
2015/09/03 17:30:53
Nit: #include <stddef.h>
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
79 int is_alloced = 0; | |
80 if (!RSA_add_pkcs1_prefix(&prefixed_digest, &prefixed_digest_len, &is_alloced, | |
81 NID_sha1, vector_as_array(&digest), | |
bartfab (slow)
2015/09/03 17:30:52
Nit: #include "base/stl_util.h"
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
82 digest.size())) { | |
83 return false; | |
84 } | |
85 size_t len = 0; | |
86 signature->resize(RSA_size(rsa_key.get())); | |
87 const int rv = RSA_sign_raw(rsa_key.get(), &len, vector_as_array(signature), | |
88 signature->size(), prefixed_digest, | |
89 prefixed_digest_len, RSA_PKCS1_PADDING); | |
90 if (is_alloced) | |
91 free(prefixed_digest); | |
bartfab (slow)
2015/09/03 17:30:52
Nit: #include <stdlib.h>
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
92 | |
93 if (rv) { | |
94 signature->resize(len); | |
95 return true; | |
96 } else { | |
97 signature->clear(); | |
98 return false; | |
99 } | |
100 } | |
101 | |
102 // Create a string that if evaluated in Javascript returns a Uint8Array with | |
bartfab (slow)
2015/09/03 17:30:53
Nit: s/Javascript/JavaScript/
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
103 // |bytes| as content. | |
104 std::string JsUint8Array(const std::vector<uint8>& bytes) { | |
105 std::string res = "new Uint8Array(["; | |
106 for (size_t i = 0; i < bytes.size(); i++) { | |
bartfab (slow)
2015/09/03 17:30:53
Nit: Why not use an iterator?
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
107 res += base::UintToString(bytes[i]); | |
108 if (i < bytes.size() - 1) { | |
bartfab (slow)
2015/09/03 17:30:53
JavaScript actually allows trailing commas, so you
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
109 res += ", "; | |
110 } | |
111 } | |
112 res += "])"; | |
113 return res; | |
114 } | |
115 | |
116 class CertificateProviderApiTest : public ExtensionApiTest { | |
117 public: | |
118 CertificateProviderApiTest() {} | |
119 | |
120 void SetUpInProcessBrowserTestFixture() override { | |
121 EXPECT_CALL(provider_, IsInitializationComplete(_)) | |
122 .WillRepeatedly(Return(true)); | |
123 policy::BrowserPolicyConnector::SetPolicyProviderForTesting(&provider_); | |
124 | |
125 ExtensionApiTest::SetUpInProcessBrowserTestFixture(); | |
126 } | |
127 | |
128 void SetUpOnMainThread() override { | |
129 // Setup the AutoSelectCertificateForUrls policy to avoid the client | |
bartfab (slow)
2015/09/03 17:30:52
Nit: s/Setup/Set up/
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
130 // certificate selection dialog. | |
131 const std::string autoselect_pattern = | |
132 "{\"pattern\": \"*\", \"filter\": {\"ISSUER\": {\"CN\": \"root\"}}}"; | |
133 | |
134 scoped_ptr<base::ListValue> autoselect_policy(new base::ListValue); | |
135 autoselect_policy->AppendString(autoselect_pattern); | |
136 | |
137 policy::PolicyMap policy; | |
138 policy.Set(policy::key::kAutoSelectCertificateForUrls, | |
139 policy::POLICY_LEVEL_MANDATORY, policy::POLICY_SCOPE_USER, | |
140 autoselect_policy.release(), nullptr); | |
141 provider_.UpdateChromePolicy(policy); | |
142 | |
143 content::RunAllPendingInMessageLoop(); | |
144 } | |
145 | |
146 protected: | |
147 policy::MockConfigurationPolicyProvider provider_; | |
148 }; | |
149 | |
150 } // namespace | |
151 | |
152 IN_PROC_BROWSER_TEST_F(CertificateProviderApiTest, Basic) { | |
153 // Start an HTTPS test server that requests a client certificates. | |
bartfab (slow)
2015/09/03 17:30:52
Nit: s/certificates/certificate/
pneubeck (no reviews)
2015/09/07 17:21:33
Done.
| |
154 net::SpawnedTestServer::SSLOptions ssl_options; | |
155 ssl_options.request_client_certificate = true; | |
156 net::SpawnedTestServer https_server( | |
157 net::SpawnedTestServer::TYPE_HTTPS, ssl_options, | |
158 base::FilePath(FILE_PATH_LITERAL("chrome/test/data"))); | |
bartfab (slow)
2015/09/03 17:30:53
Nit: Use |PathService::Get(chrome::DIR_TEST_DATA,
| |
159 ASSERT_TRUE(https_server.Start()); | |
160 | |
161 extensions::ResultCatcher catcher; | |
162 | |
163 const base::FilePath extension_path = | |
164 test_data_dir_.AppendASCII("certificate_provider"); | |
165 const extensions::Extension* extension = LoadExtension(extension_path); | |
bartfab (slow)
2015/09/03 17:30:52
Nit 1: const pointer to const.
Nit 2: #include "ex
pneubeck (no reviews)
2015/09/07 17:21:33
Done.
| |
166 ui_test_utils::NavigateToURL(browser(), | |
167 extension->GetResourceURL("basic.html")); | |
168 | |
169 ASSERT_TRUE(catcher.GetNextResult()) << catcher.message(); | |
170 VLOG(1) << "Extension registered. Navigate to the test https page."; | |
171 | |
172 content::WebContents* const extension_contents = | |
173 browser()->tab_strip_model()->GetActiveWebContents(); | |
174 | |
175 content::TestNavigationObserver navigation_observer( | |
176 nullptr /* no WebContents */); | |
177 navigation_observer.StartWatchingNewWebContents(); | |
178 ui_test_utils::NavigateToURLWithDisposition( | |
179 browser(), https_server.GetURL("client-cert"), NEW_FOREGROUND_TAB, | |
180 ui_test_utils::BROWSER_TEST_NONE); | |
181 | |
182 content::WebContents* const https_contents = | |
183 browser()->tab_strip_model()->GetActiveWebContents(); | |
184 | |
185 VLOG(1) << "Wait for the extension to receive the sign request."; | |
186 ASSERT_TRUE(catcher.GetNextResult()) << catcher.message(); | |
187 | |
188 VLOG(1) << "Fetch the digest from the sign request."; | |
189 std::vector<uint8> request_digest; | |
190 { | |
191 base::RunLoop run_loop; | |
bartfab (slow)
2015/09/03 17:30:52
Nit: #include "base/run_loop.h"
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
192 extension_contents->GetMainFrame()->ExecuteJavaScriptForTests( | |
193 base::ASCIIToUTF16( | |
194 "(function() {return signDigestRequest.digest;})();"), | |
bartfab (slow)
2015/09/03 17:30:53
Nit: Does this really need to be wrapped into a fu
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
195 base::Bind(&StoreDigest, run_loop.QuitClosure(), &request_digest)); | |
bartfab (slow)
2015/09/03 17:30:53
Nit: #include "base/bind.h"
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
196 run_loop.Run(); | |
197 } | |
198 | |
199 VLOG(1) << "Sign the digest using the private key."; | |
200 std::string key_pk8; | |
201 base::ReadFileToString(extension_path.AppendASCII("l1_leaf.pk8"), &key_pk8); | |
bartfab (slow)
2015/09/03 17:30:53
Nit: #include "base/files/file_util.h"
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
202 | |
203 const uint8* const key_pk8_begin = | |
204 reinterpret_cast<const uint8*>(key_pk8.data()); | |
205 scoped_ptr<crypto::RSAPrivateKey> key( | |
206 crypto::RSAPrivateKey::CreateFromPrivateKeyInfo( | |
207 std::vector<uint8>(key_pk8_begin, key_pk8_begin + key_pk8.size()))); | |
208 ASSERT_TRUE(key); | |
209 | |
210 std::vector<uint8> signature; | |
211 ASSERT_TRUE(RsaSign(request_digest, key.get(), &signature)); | |
bartfab (slow)
2015/09/03 17:30:53
Nit: EXPECT_TRUE() should be sufficient here.
pneubeck (no reviews)
2015/09/07 17:21:33
Done.
| |
212 | |
213 VLOG(1) << "Inject the signature back to the extension and let it reply."; | |
214 { | |
215 base::RunLoop run_loop; | |
216 const std::string code = "(function() {replyWithSignature(" + | |
bartfab (slow)
2015/09/03 17:30:53
Nit: As above, does this really need to be wrapped
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
217 JsUint8Array(signature) + ");})();"; | |
218 extension_contents->GetMainFrame()->ExecuteJavaScriptForTests( | |
219 base::ASCIIToUTF16(code), | |
220 base::Bind(&IgnoreResult, run_loop.QuitClosure())); | |
221 run_loop.Run(); | |
222 } | |
223 | |
224 VLOG(1) << "Wait for the https navigation to finish."; | |
225 navigation_observer.Wait(); | |
226 | |
227 VLOG(1) << "Check whether the server acknowledged that a client certificate " | |
228 "was presented."; | |
229 { | |
230 base::RunLoop run_loop; | |
231 std::string https_reply; | |
232 https_contents->GetMainFrame()->ExecuteJavaScriptForTests( | |
233 base::ASCIIToUTF16( | |
234 "(function() {return document.body.textContent;})();"), | |
bartfab (slow)
2015/09/03 17:30:53
Nit: As above, does this really need to be wrapped
pneubeck (no reviews)
2015/09/07 17:21:32
Done.
| |
235 base::Bind(&StoreString, &https_reply, run_loop.QuitClosure())); | |
236 run_loop.Run(); | |
237 // Expect the server to return the fingerprint of the client cert that we | |
238 // presented, which should be the fingerprint of 'l1_leaf.der'. | |
239 // The fingerprint can be calculated independently using: | |
240 // openssl x509 -inform DER -noout -fingerprint -in \ | |
241 // chrome/test/data/extensions/api_test/certificate_provider/l1_leaf.der | |
242 ASSERT_EQ( | |
243 "got client cert with fingerprint: " | |
244 "2ab3f55e06eb8b36a741fe285a769da45edb2695", | |
245 https_reply); | |
246 } | |
247 | |
248 // Replying to the same signature request a second time must fail. | |
249 { | |
250 base::RunLoop run_loop; | |
251 const std::string code = "replyWithSignatureSecondTime();"; | |
252 bool result = false; | |
253 extension_contents->GetMainFrame()->ExecuteJavaScriptForTests( | |
254 base::ASCIIToUTF16(code), | |
255 base::Bind(&StoreBool, &result, run_loop.QuitClosure())); | |
256 run_loop.Run(); | |
257 EXPECT_TRUE(result); | |
258 } | |
259 } | |
OLD | NEW |