| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <string.h> | 8 #include <string.h> |
| 9 | 9 |
| 10 #include <openssl/bio.h> | 10 #include <openssl/bio.h> |
| 26 #include "net/base/test_data_directory.h" | 26 #include "net/base/test_data_directory.h" |
| 27 #include "net/cert/mock_cert_verifier.h" | 27 #include "net/cert/mock_cert_verifier.h" |
| 28 #include "net/cert/test_root_certs.h" | 28 #include "net/cert/test_root_certs.h" |
| 29 #include "net/dns/host_resolver.h" | 29 #include "net/dns/host_resolver.h" |
| 30 #include "net/http/transport_security_state.h" | 30 #include "net/http/transport_security_state.h" |
| 31 #include "net/log/net_log.h" | 31 #include "net/log/net_log.h" |
| 32 #include "net/socket/client_socket_factory.h" | 32 #include "net/socket/client_socket_factory.h" |
| 33 #include "net/socket/client_socket_handle.h" | 33 #include "net/socket/client_socket_handle.h" |
| 34 #include "net/socket/socket_test_util.h" | 34 #include "net/socket/socket_test_util.h" |
| 35 #include "net/socket/tcp_client_socket.h" | 35 #include "net/socket/tcp_client_socket.h" |
| 36 #include "net/ssl/openssl_client_key_store.h" | |
| 37 #include "net/ssl/ssl_cert_request_info.h" | 36 #include "net/ssl/ssl_cert_request_info.h" |
| 38 #include "net/ssl/ssl_config_service.h" | 37 #include "net/ssl/ssl_config_service.h" |
| 38 #include "net/ssl/ssl_platform_key.h" | |
| 39 #include "net/test/cert_test_util.h" | 39 #include "net/test/cert_test_util.h" |
| 40 #include "net/test/spawned_test_server/spawned_test_server.h" | 40 #include "net/test/spawned_test_server/spawned_test_server.h" |
| 41 #include "testing/gtest/include/gtest/gtest.h" | 41 #include "testing/gtest/include/gtest/gtest.h" |
| 42 #include "testing/platform_test.h" | 42 #include "testing/platform_test.h" |
| 43 | 43 |
| 44 namespace net { | 44 namespace net { |
| 45 | 45 |
| 46 namespace { | 46 namespace { |
| 47 | 47 |
| 48 // These client auth tests are currently dependent on OpenSSL's struct X509. | 48 // These client auth tests are currently dependent on OpenSSL's struct X509. |
| 80 | 80 |
| 81 class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest { | 81 class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest { |
| 82 public: | 82 public: |
| 83 SSLClientSocketOpenSSLClientAuthTest() | 83 SSLClientSocketOpenSSLClientAuthTest() |
| 84 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), | 84 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), |
| 85 cert_verifier_(new MockCertVerifier), | 85 cert_verifier_(new MockCertVerifier), |
| 86 transport_security_state_(new TransportSecurityState) { | 86 transport_security_state_(new TransportSecurityState) { |
| 87 cert_verifier_->set_default_result(OK); | 87 cert_verifier_->set_default_result(OK); |
| 88 context_.cert_verifier = cert_verifier_.get(); | 88 context_.cert_verifier = cert_verifier_.get(); |
| 89 context_.transport_security_state = transport_security_state_.get(); | 89 context_.transport_security_state = transport_security_state_.get(); |
| 90 key_store_ = OpenSSLClientKeyStore::GetInstance(); | |
| 91 } | 90 } |
| 92 | 91 |
| 93 ~SSLClientSocketOpenSSLClientAuthTest() override { key_store_->Flush(); } | 92 ~SSLClientSocketOpenSSLClientAuthTest() override {} |
| 94 | 93 |
| 95 protected: | 94 protected: |
| 96 scoped_ptr<SSLClientSocket> CreateSSLClientSocket( | 95 scoped_ptr<SSLClientSocket> CreateSSLClientSocket( |
| 97 scoped_ptr<StreamSocket> transport_socket, | 96 scoped_ptr<StreamSocket> transport_socket, |
| 98 const HostPortPair& host_and_port, | 97 const HostPortPair& host_and_port, |
| 99 const SSLConfig& ssl_config) { | 98 const SSLConfig& ssl_config) { |
| 100 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle); | 99 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle); |
| 101 connection->SetSocket(transport_socket.Pass()); | 100 connection->SetSocket(transport_socket.Pass()); |
| 102 return socket_factory_->CreateSSLClientSocket(connection.Pass(), | 101 return socket_factory_->CreateSSLClientSocket(connection.Pass(), |
| 103 host_and_port, | 102 host_and_port, |
| 124 addr_, &log_, NetLog::Source())); | 123 addr_, &log_, NetLog::Source())); |
| 125 int rv = callback_.GetResult( | 124 int rv = callback_.GetResult( |
| 126 transport_->Connect(callback_.callback())); | 125 transport_->Connect(callback_.callback())); |
| 127 if (rv != OK) { | 126 if (rv != OK) { |
| 128 LOG(ERROR) << "Could not connect to SpawnedTestServer"; | 127 LOG(ERROR) << "Could not connect to SpawnedTestServer"; |
| 129 return false; | 128 return false; |
| 130 } | 129 } |
| 131 return true; | 130 return true; |
| 132 } | 131 } |
| 133 | 132 |
| 134 // Record a certificate's private key to ensure it can be used | |
| 135 // by the OpenSSL-based SSLClientSocket implementation. | |
| 136 // |ssl_config| provides a client certificate. | |
| 137 // |private_key| must be an EVP_PKEY for the corresponding private key. | |
| 138 // Returns true on success, false on failure. | |
| 139 bool RecordPrivateKey(SSLConfig& ssl_config, | |
| 140 EVP_PKEY* private_key) { | |
| 141 return key_store_->RecordClientCertPrivateKey( | |
| 142 ssl_config.client_cert.get(), private_key); | |
| 143 } | |
| 144 | |
| 145 // Create an SSLClientSocket object and use it to connect to a test | 133 // Create an SSLClientSocket object and use it to connect to a test |
| 146 // server, then wait for connection results. This must be called after | 134 // server, then wait for connection results. This must be called after |
| 147 // a succesful ConnectToTestServer() call. | 135 // a succesful ConnectToTestServer() call. |
| 148 // |ssl_config| the SSL configuration to use. | 136 // |ssl_config| the SSL configuration to use. |
| 149 // |result| will retrieve the ::Connect() result value. | 137 // |result| will retrieve the ::Connect() result value. |
| 150 // Returns true on succes, false otherwise. Success means that the socket | 138 // Returns true on succes, false otherwise. Success means that the socket |
| 151 // could be created and its Connect() was called, not that the connection | 139 // could be created and its Connect() was called, not that the connection |
| 152 // itself was a success. | 140 // itself was a success. |
| 153 bool CreateAndConnectSSLClientSocket(const SSLConfig& ssl_config, | 141 bool CreateAndConnectSSLClientSocket(const SSLConfig& ssl_config, |
| 154 int* result) { | 142 int* result) { |
| 171 bool CheckSSLClientSocketSentCert() { | 159 bool CheckSSLClientSocketSentCert() { |
| 172 SSLInfo ssl_info; | 160 SSLInfo ssl_info; |
| 173 sock_->GetSSLInfo(&ssl_info); | 161 sock_->GetSSLInfo(&ssl_info); |
| 174 return ssl_info.client_cert_sent; | 162 return ssl_info.client_cert_sent; |
| 175 } | 163 } |
| 176 | 164 |
| 177 ClientSocketFactory* socket_factory_; | 165 ClientSocketFactory* socket_factory_; |
| 178 scoped_ptr<MockCertVerifier> cert_verifier_; | 166 scoped_ptr<MockCertVerifier> cert_verifier_; |
| 179 scoped_ptr<TransportSecurityState> transport_security_state_; | 167 scoped_ptr<TransportSecurityState> transport_security_state_; |
| 180 SSLClientSocketContext context_; | 168 SSLClientSocketContext context_; |
| 181 OpenSSLClientKeyStore* key_store_; | |
| 182 scoped_ptr<SpawnedTestServer> test_server_; | 169 scoped_ptr<SpawnedTestServer> test_server_; |
| 183 AddressList addr_; | 170 AddressList addr_; |
| 184 TestCompletionCallback callback_; | 171 TestCompletionCallback callback_; |
| 185 NetLog log_; | 172 NetLog log_; |
| 186 scoped_ptr<StreamSocket> transport_; | 173 scoped_ptr<StreamSocket> transport_; |
| 187 scoped_ptr<SSLClientSocket> sock_; | 174 scoped_ptr<SSLClientSocket> sock_; |
| 188 }; | 175 }; |
| 189 | 176 |
| 190 // Connect to a server requesting client authentication, do not send | 177 // Connect to a server requesting client authentication, do not send |
| 191 // any client certificates. It should refuse the connection. | 178 // any client certificates. It should refuse the connection. |
| 211 ssl_options.request_client_certificate = true; | 198 ssl_options.request_client_certificate = true; |
| 212 ssl_options.client_authorities.push_back( | 199 ssl_options.client_authorities.push_back( |
| 213 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem")); | 200 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem")); |
| 214 | 201 |
| 215 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | 202 ASSERT_TRUE(ConnectToTestServer(ssl_options)); |
| 216 | 203 |
| 217 base::FilePath certs_dir = GetTestCertsDirectory(); | 204 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 218 SSLConfig ssl_config; | 205 SSLConfig ssl_config; |
| 219 ssl_config.send_client_cert = true; | 206 ssl_config.send_client_cert = true; |
| 220 ssl_config.client_cert = NULL; | 207 ssl_config.client_cert = NULL; |
| 208 ssl_config.client_private_key = NULL; | |
| 221 | 209 |
| 222 int rv; | 210 int rv; |
| 223 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 211 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 224 | 212 |
| 225 EXPECT_EQ(OK, rv); | 213 EXPECT_EQ(OK, rv); |
| 226 EXPECT_TRUE(sock_->IsConnected()); | 214 EXPECT_TRUE(sock_->IsConnected()); |
| 227 } | 215 } |
| 228 | 216 |
| 229 // Connect to a server requesting client authentication. Send it a | 217 // Connect to a server requesting client authentication. Send it a |
| 230 // matching certificate. It should allow the connection. | 218 // matching certificate. It should allow the connection. |
| 231 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendGoodCert) { | 219 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendGoodCert) { |
| 232 SpawnedTestServer::SSLOptions ssl_options; | 220 SpawnedTestServer::SSLOptions ssl_options; |
| 233 ssl_options.request_client_certificate = true; | 221 ssl_options.request_client_certificate = true; |
| 234 ssl_options.client_authorities.push_back( | 222 ssl_options.client_authorities.push_back( |
| 235 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem")); | 223 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem")); |
| 236 | 224 |
| 237 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | 225 ASSERT_TRUE(ConnectToTestServer(ssl_options)); |
| 238 | 226 |
| 239 base::FilePath certs_dir = GetTestCertsDirectory(); | 227 base::FilePath certs_dir = GetTestCertsDirectory(); |
| 240 SSLConfig ssl_config; | 228 SSLConfig ssl_config; |
| 241 ssl_config.send_client_cert = true; | 229 ssl_config.send_client_cert = true; |
| 242 ssl_config.client_cert = ImportCertFromFile(certs_dir, "client_1.pem"); | 230 ssl_config.client_cert = ImportCertFromFile(certs_dir, "client_1.pem"); |
| 243 | 231 |
| 244 // This is required to ensure that signing works with the client | 232 // This is required to ensure that signing works with the client |
| 245 // certificate's private key. | 233 // certificate's private key. |
| 246 crypto::ScopedEVP_PKEY client_private_key; | 234 crypto::ScopedEVP_PKEY client_private_key; |
| 247 ASSERT_TRUE(LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key"), | 235 ASSERT_TRUE(LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key"), |
| 248 &client_private_key)); | 236 &client_private_key)); |
| 249 EXPECT_TRUE(RecordPrivateKey(ssl_config, client_private_key.get())); | 237 ssl_config.client_private_key = |
| 250 | 238 net::WrapOpenSSLPrivateKey(client_private_key.Pass()); |
|
davidben
2015/10/13 20:32:16
Ooh. We could basically promote these tests to run
svaldez
2015/10/14 15:06:18
Acknowledged.
| |
| 251 int rv; | 239 int rv; |
| 252 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 240 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 253 | 241 |
| 254 EXPECT_EQ(OK, rv); | 242 EXPECT_EQ(OK, rv); |
| 255 EXPECT_TRUE(sock_->IsConnected()); | 243 EXPECT_TRUE(sock_->IsConnected()); |
| 256 | 244 |
| 257 EXPECT_TRUE(CheckSSLClientSocketSentCert()); | 245 EXPECT_TRUE(CheckSSLClientSocketSentCert()); |
| 258 | 246 |
| 259 sock_->Disconnect(); | 247 sock_->Disconnect(); |
| 260 EXPECT_FALSE(sock_->IsConnected()); | 248 EXPECT_FALSE(sock_->IsConnected()); |
| 261 } | 249 } |
| 262 #endif // defined(USE_OPENSSL_CERTS) | 250 #endif // defined(USE_OPENSSL_CERTS) |
| 263 | 251 |
| 264 } // namespace | 252 } // namespace |
| 265 } // namespace net | 253 } // namespace net |
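Review bot: With the key now carried directly in `ssl_config.client_private_key`, the configuration "client_cert set, client_private_key null" becomes reachable from a caller and nothing in this file exercises it; the only tests are the all-null case (lines 206-208 of the new side) and the fully matched SendGoodCert case. Under the old OpenSSLClientKeyStore path a missing key surfaced as a failed store lookup, so this fixture lost coverage of the failure branch in the same change that moved the key. I would add a test that imports `client_1.pem`, leaves `client_private_key` at NULL, and asserts that Connect() does not return OK and the socket is not connected; the exact error code comes from SSLClientSocketOpenSSL, which is outside this file, so I have left it as EXPECT_NE(OK, rv) rather than guessing a net error. A key that does not match the certificate (e.g. a key from a different test cert) would be a second useful case, asserting the same outcome, but that depends on which test keys are available in `GetTestCertsDirectory()`.
```cpp
// Connect with a client certificate but no private key attached to the
// SSLConfig. The handshake must fail cleanly rather than succeed or crash.
TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendCertWithoutKey) {
  SpawnedTestServer::SSLOptions ssl_options;
  ssl_options.request_client_certificate = true;
  ssl_options.client_authorities.push_back(
      GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem"));

  ASSERT_TRUE(ConnectToTestServer(ssl_options));

  SSLConfig ssl_config;
  ssl_config.send_client_cert = true;
  ssl_config.client_cert =
      ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem");
  ssl_config.client_private_key = NULL;

  int rv;
  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));

  // Exact error code is decided by the socket implementation; only the
  // negative outcome is pinned here.
  EXPECT_NE(OK, rv);
  EXPECT_FALSE(sock_->IsConnected());
}
```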