| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This test suite uses SSLClientSocket to test the implementation of | 5 // This test suite uses SSLClientSocket to test the implementation of |
| 6 // SSLServerSocket. In order to establish connections between the sockets | 6 // SSLServerSocket. In order to establish connections between the sockets |
| 7 // we need two additional classes: | 7 // we need two additional classes: |
| 8 // 1. FakeSocket | 8 // 1. FakeSocket |
| 9 // Connects SSL socket to FakeDataChannel. This class is just a stub. | 9 // Connects SSL socket to FakeDataChannel. This class is just a stub. |
| 10 // | 10 // |
| (...skipping 12 matching lines...) Expand all Loading... |
| 23 #include "base/compiler_specific.h" | 23 #include "base/compiler_specific.h" |
| 24 #include "base/files/file_path.h" | 24 #include "base/files/file_path.h" |
| 25 #include "base/files/file_util.h" | 25 #include "base/files/file_util.h" |
| 26 #include "base/location.h" | 26 #include "base/location.h" |
| 27 #include "base/logging.h" | 27 #include "base/logging.h" |
| 28 #include "base/message_loop/message_loop.h" | 28 #include "base/message_loop/message_loop.h" |
| 29 #include "base/single_thread_task_runner.h" | 29 #include "base/single_thread_task_runner.h" |
| 30 #include "base/thread_task_runner_handle.h" | 30 #include "base/thread_task_runner_handle.h" |
| 31 #include "crypto/nss_util.h" | 31 #include "crypto/nss_util.h" |
| 32 #include "crypto/rsa_private_key.h" | 32 #include "crypto/rsa_private_key.h" |
| 33 #include "crypto/signature_creator.h" |
| 33 #include "net/base/address_list.h" | 34 #include "net/base/address_list.h" |
| 34 #include "net/base/completion_callback.h" | 35 #include "net/base/completion_callback.h" |
| 35 #include "net/base/host_port_pair.h" | 36 #include "net/base/host_port_pair.h" |
| 36 #include "net/base/io_buffer.h" | 37 #include "net/base/io_buffer.h" |
| 37 #include "net/base/ip_endpoint.h" | 38 #include "net/base/ip_endpoint.h" |
| 38 #include "net/base/net_errors.h" | 39 #include "net/base/net_errors.h" |
| 39 #include "net/base/test_data_directory.h" | 40 #include "net/base/test_data_directory.h" |
| 40 #include "net/cert/cert_status_flags.h" | 41 #include "net/cert/cert_status_flags.h" |
| 41 #include "net/cert/mock_cert_verifier.h" | 42 #include "net/cert/mock_cert_verifier.h" |
| 43 #include "net/cert/mock_client_cert_verifier.h" |
| 42 #include "net/cert/x509_certificate.h" | 44 #include "net/cert/x509_certificate.h" |
| 43 #include "net/http/transport_security_state.h" | 45 #include "net/http/transport_security_state.h" |
| 44 #include "net/log/net_log.h" | 46 #include "net/log/net_log.h" |
| 45 #include "net/socket/client_socket_factory.h" | 47 #include "net/socket/client_socket_factory.h" |
| 46 #include "net/socket/socket_test_util.h" | 48 #include "net/socket/socket_test_util.h" |
| 47 #include "net/socket/ssl_client_socket.h" | 49 #include "net/socket/ssl_client_socket.h" |
| 48 #include "net/socket/stream_socket.h" | 50 #include "net/socket/stream_socket.h" |
| 51 #include "net/ssl/ssl_cert_request_info.h" |
| 49 #include "net/ssl/ssl_cipher_suite_names.h" | 52 #include "net/ssl/ssl_cipher_suite_names.h" |
| 50 #include "net/ssl/ssl_connection_status_flags.h" | 53 #include "net/ssl/ssl_connection_status_flags.h" |
| 51 #include "net/ssl/ssl_info.h" | 54 #include "net/ssl/ssl_info.h" |
| 55 #include "net/ssl/ssl_private_key.h" |
| 52 #include "net/ssl/ssl_server_config.h" | 56 #include "net/ssl/ssl_server_config.h" |
| 53 #include "net/test/cert_test_util.h" | 57 #include "net/test/cert_test_util.h" |
| 54 #include "testing/gtest/include/gtest/gtest.h" | 58 #include "testing/gtest/include/gtest/gtest.h" |
| 55 #include "testing/platform_test.h" | 59 #include "testing/platform_test.h" |
| 56 | 60 |
| 57 namespace net { | 61 namespace net { |
| 58 | 62 |
| 59 namespace { | 63 namespace { |
| 60 | 64 |
| 65 const char kClientCertFileName[] = "client_1.pem"; |
| 66 const char kClientPrivateKeyFileName[] = "client_1.pk8"; |
| 67 const char kWrongClientCertFileName[] = "client_2.pem"; |
| 68 const char kWrongClientPrivateKeyFileName[] = "client_2.pk8"; |
| 69 const char kClientCertCAFileName[] = "client_1_ca.pem"; |
| 70 |
| 61 class FakeDataChannel { | 71 class FakeDataChannel { |
| 62 public: | 72 public: |
| 63 FakeDataChannel() | 73 FakeDataChannel() |
| 64 : read_buf_len_(0), | 74 : read_buf_len_(0), |
| 65 closed_(false), | 75 closed_(false), |
| 66 write_called_after_close_(false), | 76 write_called_after_close_(false), |
| 67 weak_factory_(this) { | 77 weak_factory_(this) { |
| 68 } | 78 } |
| 69 | 79 |
| 70 int Read(IOBuffer* buf, int buf_len, const CompletionCallback& callback) { | 80 int Read(IOBuffer* buf, int buf_len, const CompletionCallback& callback) { |
| (...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 102 weak_factory_.GetWeakPtr())); | 112 weak_factory_.GetWeakPtr())); |
| 103 return buf_len; | 113 return buf_len; |
| 104 } | 114 } |
| 105 | 115 |
| 106 // Closes the FakeDataChannel. After Close() is called, Read() returns 0, | 116 // Closes the FakeDataChannel. After Close() is called, Read() returns 0, |
| 107 // indicating EOF, and Write() fails with ERR_CONNECTION_RESET. Note that | 117 // indicating EOF, and Write() fails with ERR_CONNECTION_RESET. Note that |
| 108 // after the FakeDataChannel is closed, the first Write() call completes | 118 // after the FakeDataChannel is closed, the first Write() call completes |
| 109 // asynchronously, which is necessary to reproduce bug 127822. | 119 // asynchronously, which is necessary to reproduce bug 127822. |
| 110 void Close() { | 120 void Close() { |
| 111 closed_ = true; | 121 closed_ = true; |
| 122 data_.push( |
| 123 new DrainableIOBuffer(new StringIOBuffer(std::string("0", 1)), 1)); |
| 124 if (!read_callback_.is_null()) { |
| 125 base::MessageLoop::current()->PostTask( |
| 126 FROM_HERE, base::Bind(&FakeDataChannel::DoReadCallback, |
| 127 weak_factory_.GetWeakPtr())); |
| 128 } |
| 112 } | 129 } |
| 113 | 130 |
| 114 private: | 131 private: |
| 115 void DoReadCallback() { | 132 void DoReadCallback() { |
| 116 if (read_callback_.is_null() || data_.empty()) | 133 if (read_callback_.is_null() || data_.empty()) |
| 117 return; | 134 return; |
| 118 | |
| 119 int copied = PropagateData(read_buf_, read_buf_len_); | 135 int copied = PropagateData(read_buf_, read_buf_len_); |
| 120 CompletionCallback callback = read_callback_; | 136 CompletionCallback callback = read_callback_; |
| 121 read_callback_.Reset(); | 137 read_callback_.Reset(); |
| 122 read_buf_ = NULL; | 138 read_buf_ = NULL; |
| 123 read_buf_len_ = 0; | 139 read_buf_len_ = 0; |
| 124 callback.Run(copied); | 140 callback.Run(copied); |
| 125 } | 141 } |
| 126 | 142 |
| 127 void DoWriteCallback() { | 143 void DoWriteCallback() { |
| 128 if (write_callback_.is_null()) | 144 if (write_callback_.is_null()) |
| (...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 247 } | 263 } |
| 248 | 264 |
| 249 private: | 265 private: |
| 250 BoundNetLog net_log_; | 266 BoundNetLog net_log_; |
| 251 FakeDataChannel* incoming_; | 267 FakeDataChannel* incoming_; |
| 252 FakeDataChannel* outgoing_; | 268 FakeDataChannel* outgoing_; |
| 253 | 269 |
| 254 DISALLOW_COPY_AND_ASSIGN(FakeSocket); | 270 DISALLOW_COPY_AND_ASSIGN(FakeSocket); |
| 255 }; | 271 }; |
| 256 | 272 |
| 273 class TestSSLPrivateKey : public SSLPrivateKey { |
| 274 public: |
| 275 TestSSLPrivateKey(crypto::RSAPrivateKey* rsa_private_key) |
| 276 : rsa_private_key_(rsa_private_key) {} |
| 277 |
| 278 ~TestSSLPrivateKey() override {} |
| 279 |
| 280 Type GetType() override { return SSLPrivateKey::Type::RSA; } |
| 281 |
| 282 std::vector<SSLPrivateKey::Hash> GetDigestPreferences() override { |
| 283 static const SSLPrivateKey::Hash kHashes[] = {SSLPrivateKey::Hash::SHA256, |
| 284 SSLPrivateKey::Hash::SHA1}; |
| 285 return std::vector<SSLPrivateKey::Hash>(kHashes, |
| 286 kHashes + arraysize(kHashes)); |
| 287 } |
| 288 |
| 289 // NOTE: The following algorithm assumes the answer is a power of 2, which is |
| 290 // true for the test keys in use. |
| 291 size_t GetMaxSignatureLengthInBytes() override { |
| 292 std::vector<uint8> public_key_info; |
| 293 rsa_private_key_->ExportPublicKey(&public_key_info); |
| 294 uint result = 1; |
| 295 while ((result << 1) < public_key_info.size()) |
| 296 result <<= 1; |
| 297 return result; |
| 298 } |
| 299 |
| 300 void SignDigest(Hash hash, |
| 301 const base::StringPiece& input, |
| 302 const SignCallback& callback) override { |
| 303 std::vector<uint8> signature; |
| 304 crypto::SignatureCreator::HashAlgorithm hash_alg; |
| 305 switch (hash) { |
| 306 case Hash::SHA1: |
| 307 hash_alg = crypto::SignatureCreator::SHA1; |
| 308 break; |
| 309 |
| 310 case Hash::SHA256: |
| 311 hash_alg = crypto::SignatureCreator::SHA256; |
| 312 break; |
| 313 |
| 314 default: |
| 315 FAIL() << "Unsupported hash function"; |
| 316 } |
| 317 crypto::SignatureCreator::Sign(rsa_private_key_.get(), hash_alg, |
| 318 reinterpret_cast<const uint8*>(input.data()), |
| 319 input.size(), &signature); |
| 320 base::ThreadTaskRunnerHandle::Get()->PostTask( |
| 321 FROM_HERE, base::Bind(callback, OK, signature)); |
| 322 } |
| 323 |
| 324 private: |
| 325 void CompleteSignDigest(Error err, const std::vector<uint8_t>& signature) {} |
| 326 scoped_ptr<crypto::RSAPrivateKey> rsa_private_key_; |
| 327 |
| 328 DISALLOW_COPY_AND_ASSIGN(TestSSLPrivateKey); |
| 329 }; |
| 330 |
| 257 } // namespace | 331 } // namespace |
| 258 | 332 |
| 259 // Verify the correctness of the test helper classes first. | 333 // Verify the correctness of the test helper classes first. |
| 260 TEST(FakeSocketTest, DataTransfer) { | 334 TEST(FakeSocketTest, DataTransfer) { |
| 261 // Establish channels between two sockets. | 335 // Establish channels between two sockets. |
| 262 FakeDataChannel channel_1; | 336 FakeDataChannel channel_1; |
| 263 FakeDataChannel channel_2; | 337 FakeDataChannel channel_2; |
| 264 FakeSocket client(&channel_1, &channel_2); | 338 FakeSocket client(&channel_1, &channel_2); |
| 265 FakeSocket server(&channel_2, &channel_1); | 339 FakeSocket server(&channel_2, &channel_1); |
| 266 | 340 |
| (...skipping 24 matching lines...) Expand all Loading... |
| 291 EXPECT_LE(written, kTestDataSize); | 365 EXPECT_LE(written, kTestDataSize); |
| 292 | 366 |
| 293 read = callback.WaitForResult(); | 367 read = callback.WaitForResult(); |
| 294 EXPECT_GT(read, 0); | 368 EXPECT_GT(read, 0); |
| 295 EXPECT_LE(read, written); | 369 EXPECT_LE(read, written); |
| 296 EXPECT_EQ(0, memcmp(kTestData, read_buf->data(), read)); | 370 EXPECT_EQ(0, memcmp(kTestData, read_buf->data(), read)); |
| 297 } | 371 } |
| 298 | 372 |
| 299 class SSLServerSocketTest : public PlatformTest { | 373 class SSLServerSocketTest : public PlatformTest { |
| 300 public: | 374 public: |
| 375 enum ClientCertSupply { |
| 376 kNoneSupplied = 0, |
| 377 kCorrectCertSupplied = 1, |
| 378 kWrongCertSupplied = 2 |
| 379 }; |
| 380 |
| 381 enum ClientCertExpect { kNoneExpected = 0, kCertRequired = 2 }; |
| 382 |
| 301 SSLServerSocketTest() | 383 SSLServerSocketTest() |
| 302 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), | 384 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), |
| 303 cert_verifier_(new MockCertVerifier()), | 385 cert_verifier_(new MockCertVerifier()), |
| 386 client_cert_verifier_(new MockClientCertVerifier()), |
| 304 transport_security_state_(new TransportSecurityState) { | 387 transport_security_state_(new TransportSecurityState) { |
| 305 cert_verifier_->set_default_result(CERT_STATUS_AUTHORITY_INVALID); | 388 cert_verifier_->set_default_result(CERT_STATUS_AUTHORITY_INVALID); |
| 389 client_cert_verifier_->set_default_result(CERT_STATUS_AUTHORITY_INVALID); |
| 306 } | 390 } |
| 307 | 391 |
| 308 protected: | 392 protected: |
| 309 void Initialize() { | 393 void Initialize() { |
| 310 scoped_ptr<ClientSocketHandle> client_connection(new ClientSocketHandle); | 394 scoped_ptr<ClientSocketHandle> client_connection(new ClientSocketHandle); |
| 311 client_connection->SetSocket( | 395 client_connection->SetSocket( |
| 312 scoped_ptr<StreamSocket>(new FakeSocket(&channel_1_, &channel_2_))); | 396 scoped_ptr<StreamSocket>(new FakeSocket(&channel_1_, &channel_2_))); |
| 313 scoped_ptr<StreamSocket> server_socket( | 397 scoped_ptr<StreamSocket> server_socket( |
| 314 new FakeSocket(&channel_2_, &channel_1_)); | 398 new FakeSocket(&channel_2_, &channel_1_)); |
| 315 | 399 |
| 316 base::FilePath certs_dir(GetTestCertsDirectory()); | 400 std::string server_cert_der; |
| 317 | 401 scoped_refptr<X509Certificate> server_cert( |
| 318 base::FilePath cert_path = certs_dir.AppendASCII("unittest.selfsigned.der"); | 402 ReadTestCert("unittest.selfsigned.der", &server_cert_der)); |
| 319 std::string cert_der; | 403 scoped_ptr<crypto::RSAPrivateKey> server_private_key( |
| 320 ASSERT_TRUE(base::ReadFileToString(cert_path, &cert_der)); | 404 ReadTestKey("unittest.key.bin")); |
| 321 | |
| 322 scoped_refptr<X509Certificate> cert = | |
| 323 X509Certificate::CreateFromBytes(cert_der.data(), cert_der.size()); | |
| 324 | |
| 325 base::FilePath key_path = certs_dir.AppendASCII("unittest.key.bin"); | |
| 326 std::string key_string; | |
| 327 ASSERT_TRUE(base::ReadFileToString(key_path, &key_string)); | |
| 328 std::vector<uint8> key_vector( | |
| 329 reinterpret_cast<const uint8*>(key_string.data()), | |
| 330 reinterpret_cast<const uint8*>(key_string.data() + | |
| 331 key_string.length())); | |
| 332 | |
| 333 scoped_ptr<crypto::RSAPrivateKey> private_key( | |
| 334 crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_vector)); | |
| 335 | 405 |
| 336 client_ssl_config_.false_start_enabled = false; | 406 client_ssl_config_.false_start_enabled = false; |
| 337 client_ssl_config_.channel_id_enabled = false; | 407 client_ssl_config_.channel_id_enabled = false; |
| 338 | 408 |
| 339 // Certificate provided by the host doesn't need authority. | 409 // Certificate provided by the host doesn't need authority. |
| 340 SSLConfig::CertAndStatus cert_and_status; | 410 SSLConfig::CertAndStatus cert_and_status; |
| 341 cert_and_status.cert_status = CERT_STATUS_AUTHORITY_INVALID; | 411 cert_and_status.cert_status = CERT_STATUS_AUTHORITY_INVALID; |
| 342 cert_and_status.der_cert = cert_der; | 412 cert_and_status.der_cert = server_cert_der; |
| 343 client_ssl_config_.allowed_bad_certs.push_back(cert_and_status); | 413 client_ssl_config_.allowed_bad_certs.push_back(cert_and_status); |
| 344 | 414 |
| 345 HostPortPair host_and_pair("unittest", 0); | 415 HostPortPair host_and_pair("unittest", 0); |
| 346 SSLClientSocketContext context; | 416 SSLClientSocketContext context; |
| 347 context.cert_verifier = cert_verifier_.get(); | 417 context.cert_verifier = cert_verifier_.get(); |
| 348 context.transport_security_state = transport_security_state_.get(); | 418 context.transport_security_state = transport_security_state_.get(); |
| 419 socket_factory_->ClearSSLSessionCache(); |
| 349 client_socket_ = socket_factory_->CreateSSLClientSocket( | 420 client_socket_ = socket_factory_->CreateSSLClientSocket( |
| 350 client_connection.Pass(), host_and_pair, client_ssl_config_, context); | 421 client_connection.Pass(), host_and_pair, client_ssl_config_, context); |
| 351 server_socket_ = | 422 server_socket_ = CreateSSLServerSocket( |
| 352 CreateSSLServerSocket(server_socket.Pass(), cert.get(), | 423 server_socket.Pass(), server_cert.get(), server_private_key.get(), |
| 353 private_key.get(), server_ssl_config_); | 424 server_ssl_config_, server_context_); |
| 425 } |
| 426 |
| 427 void InitializeClientCertsForClient(ClientCertSupply supply) { |
| 428 scoped_refptr<X509Certificate> cert; |
| 429 scoped_ptr<net::SSLPrivateKey> key; |
| 430 if (supply != kNoneSupplied) { |
| 431 const char* cert_file_name = supply == kCorrectCertSupplied |
| 432 ? kClientCertFileName |
| 433 : kWrongClientCertFileName; |
| 434 const char* private_key_file_name = supply == kCorrectCertSupplied |
| 435 ? kClientPrivateKeyFileName |
| 436 : kWrongClientPrivateKeyFileName; |
| 437 cert = ImportCertFromFile(GetTestCertsDirectory(), cert_file_name); |
| 438 key.reset(new TestSSLPrivateKey(ReadTestKey(private_key_file_name))); |
| 439 } |
| 440 client_socket_->ForceClientCertificateAndKeyForTesting(cert, key.Pass()); |
| 441 } |
| 442 |
| 443 void InitializeClientCertsForServer(ClientCertExpect expect) { |
| 444 if (expect == kNoneExpected) |
| 445 return; |
| 446 |
| 447 server_ssl_config_.require_client_cert = true; |
| 448 |
| 449 if (expect == kCertRequired) { |
| 450 scoped_refptr<X509Certificate> expected_client_ca_cert( |
| 451 ImportCertFromFile(GetTestCertsDirectory(), kClientCertCAFileName)); |
| 452 CertificateList ca_list; |
| 453 ca_list.push_back(expected_client_ca_cert); |
| 454 server_ssl_config_.client_cert_ca_list = ca_list; |
| 455 scoped_refptr<X509Certificate> expected_client_cert( |
| 456 ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName)); |
| 457 CertVerifyResult ignored; |
| 458 ignored.verified_cert = expected_client_cert; |
| 459 ignored.cert_status = 0; |
| 460 client_cert_verifier_->AddResultForCert(expected_client_cert.get(), OK); |
| 461 |
| 462 server_context_.client_cert_verifier = client_cert_verifier_.get(); |
| 463 } |
| 464 } |
| 465 |
| 466 X509Certificate* ReadTestCert(const base::StringPiece& name, |
| 467 std::string* cert_der) { |
| 468 base::FilePath certs_dir(GetTestCertsDirectory()); |
| 469 base::FilePath cert_path = certs_dir.AppendASCII(name); |
| 470 std::string unneeded; |
| 471 if (!cert_der) |
| 472 cert_der = &unneeded; |
| 473 if (!base::ReadFileToString(cert_path, cert_der)) |
| 474 return NULL; |
| 475 return X509Certificate::CreateFromBytes(cert_der->data(), cert_der->size()); |
| 476 } |
| 477 |
| 478 crypto::RSAPrivateKey* ReadTestKey(const base::StringPiece& name) { |
| 479 base::FilePath certs_dir(GetTestCertsDirectory()); |
| 480 base::FilePath key_path = certs_dir.AppendASCII(name); |
| 481 std::string key_string; |
| 482 if (!base::ReadFileToString(key_path, &key_string)) |
| 483 return NULL; |
| 484 std::vector<uint8> key_vector( |
| 485 reinterpret_cast<const uint8*>(key_string.data()), |
| 486 reinterpret_cast<const uint8*>(key_string.data() + |
| 487 key_string.length())); |
| 488 return crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_vector); |
| 354 } | 489 } |
| 355 | 490 |
| 356 FakeDataChannel channel_1_; | 491 FakeDataChannel channel_1_; |
| 357 FakeDataChannel channel_2_; | 492 FakeDataChannel channel_2_; |
| 358 SSLConfig client_ssl_config_; | 493 SSLConfig client_ssl_config_; |
| 359 SSLServerConfig server_ssl_config_; | 494 SSLServerConfig server_ssl_config_; |
| 495 SSLServerSocketContext server_context_; |
| 360 scoped_ptr<SSLClientSocket> client_socket_; | 496 scoped_ptr<SSLClientSocket> client_socket_; |
| 361 scoped_ptr<SSLServerSocket> server_socket_; | 497 scoped_ptr<SSLServerSocket> server_socket_; |
| 362 ClientSocketFactory* socket_factory_; | 498 ClientSocketFactory* socket_factory_; |
| 363 scoped_ptr<MockCertVerifier> cert_verifier_; | 499 scoped_ptr<MockCertVerifier> cert_verifier_; |
| 500 scoped_ptr<MockClientCertVerifier> client_cert_verifier_; |
| 364 scoped_ptr<TransportSecurityState> transport_security_state_; | 501 scoped_ptr<TransportSecurityState> transport_security_state_; |
| 502 CertificateList trusted_certs_; |
| 365 }; | 503 }; |
| 366 | 504 |
| 367 // This test only executes creation of client and server sockets. This is to | 505 // This test only executes creation of client and server sockets. This is to |
| 368 // test that creation of sockets doesn't crash and have minimal code to run | 506 // test that creation of sockets doesn't crash and have minimal code to run |
| 369 // under valgrind in order to help debugging memory problems. | 507 // under valgrind in order to help debugging memory problems. |
| 370 TEST_F(SSLServerSocketTest, Initialize) { | 508 TEST_F(SSLServerSocketTest, Initialize) { |
| 371 Initialize(); | 509 Initialize(); |
| 372 } | 510 } |
| 373 | 511 |
| 374 // This test executes Connect() on SSLClientSocket and Handshake() on | 512 // This test executes Connect() on SSLClientSocket and Handshake() on |
| (...skipping 29 matching lines...) Expand all Loading... |
| 404 SSLConnectionStatusToCipherSuite(ssl_info.connection_status); | 542 SSLConnectionStatusToCipherSuite(ssl_info.connection_status); |
| 405 const char* key_exchange; | 543 const char* key_exchange; |
| 406 const char* cipher; | 544 const char* cipher; |
| 407 const char* mac; | 545 const char* mac; |
| 408 bool is_aead; | 546 bool is_aead; |
| 409 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, cipher_suite); | 547 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, cipher_suite); |
| 410 EXPECT_STREQ("ECDHE_RSA", key_exchange); | 548 EXPECT_STREQ("ECDHE_RSA", key_exchange); |
| 411 EXPECT_TRUE(is_aead); | 549 EXPECT_TRUE(is_aead); |
| 412 } | 550 } |
| 413 | 551 |
| 552 // TODO(dougsteed) The following tests using client certificates cannot |
| 553 // be performed if NSS with platform-based client auth is in use. That's because |
| 554 // the tests use SSLClientSocket to make requests against the server, and on |
| 555 // those builds, that class does not support supplying of a test key and cert. |
| 556 // An alternative approach that would broaden the applicability of these tests |
| 557 // would be to build and use the openssl flavor of SSLClientSocket, even |
| 558 // on NSS platforms. |
| 559 #if defined(USE_OPENSSL) || !defined(NSS_PLATFORM_CLIENT_AUTH) |
| 560 |
| 561 // This test executes Connect() on SSLClientSocket and Handshake() on |
| 562 // SSLServerSocket to make sure handshaking between the two sockets is |
| 563 // completed successfully, using client certificate. |
| 564 TEST_F(SSLServerSocketTest, HandshakeWithClientCert) { |
| 565 scoped_refptr<X509Certificate> client_cert = |
| 566 ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName); |
| 567 InitializeClientCertsForServer(kCertRequired); |
| 568 Initialize(); |
| 569 InitializeClientCertsForClient(kCorrectCertSupplied); |
| 570 |
| 571 TestCompletionCallback connect_callback; |
| 572 TestCompletionCallback handshake_callback; |
| 573 |
| 574 int server_ret = server_socket_->Handshake(handshake_callback.callback()); |
| 575 EXPECT_TRUE(server_ret == OK || server_ret == ERR_IO_PENDING); |
| 576 |
| 577 int client_ret = client_socket_->Connect(connect_callback.callback()); |
| 578 EXPECT_TRUE(client_ret == OK || client_ret == ERR_IO_PENDING); |
| 579 |
| 580 if (client_ret == ERR_IO_PENDING) { |
| 581 EXPECT_EQ(OK, connect_callback.WaitForResult()); |
| 582 } |
| 583 if (server_ret == ERR_IO_PENDING) { |
| 584 EXPECT_EQ(OK, handshake_callback.WaitForResult()); |
| 585 } |
| 586 |
| 587 // Make sure the cert status is expected. |
| 588 SSLInfo ssl_info; |
| 589 client_socket_->GetSSLInfo(&ssl_info); |
| 590 EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info.cert_status); |
| 591 server_socket_->GetSSLInfo(&ssl_info); |
| 592 EXPECT_TRUE(ssl_info.client_cert_sent); |
| 593 EXPECT_TRUE(ssl_info.client_cert_sent); |
| 594 EXPECT_TRUE(ssl_info.cert.get()); |
| 595 EXPECT_TRUE(client_cert->Equals(ssl_info.cert.get())); |
| 596 } |
| 597 |
| 598 TEST_F(SSLServerSocketTest, HandshakeWithClientCertRequiredNotSupplied) { |
| 599 InitializeClientCertsForServer(kCertRequired); |
| 600 Initialize(); |
| 601 // We use the default setting for the client socket. This causes the client to |
| 602 // get SSL_CLIENT_AUTH_CERT_NEEDED. This code path allows us to access the |
| 603 // cert_authorities from the CertificateRequest. |
| 604 |
| 605 TestCompletionCallback connect_callback; |
| 606 TestCompletionCallback handshake_callback; |
| 607 int server_ret = server_socket_->Handshake(handshake_callback.callback()); |
| 608 EXPECT_TRUE(server_ret == ERR_IO_PENDING); |
| 609 |
| 610 int client_ret = client_socket_->Connect(connect_callback.callback()); |
| 611 EXPECT_TRUE(client_ret == ERR_SSL_CLIENT_AUTH_CERT_NEEDED || |
| 612 client_ret == ERR_IO_PENDING); |
| 613 |
| 614 if (client_ret == ERR_IO_PENDING) { |
| 615 EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED, |
| 616 connect_callback.WaitForResult()); |
| 617 } |
| 618 |
| 619 scoped_refptr<SSLCertRequestInfo> request_info = new SSLCertRequestInfo(); |
| 620 client_socket_->GetSSLCertRequestInfo(request_info.get()); |
| 621 |
| 622 // Check that the authority name that arrived in the CertificateRequest |
| 623 // handshake message is as expected. |
| 624 scoped_refptr<X509Certificate> client_cert = |
| 625 ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName); |
| 626 EXPECT_TRUE(client_cert->IsIssuedByEncoded(request_info->cert_authorities)); |
| 627 |
| 628 client_socket_->Disconnect(); |
| 629 |
| 630 if (server_ret == ERR_IO_PENDING) { |
| 631 server_ret = handshake_callback.WaitForResult(); |
| 632 EXPECT_TRUE(server_ret == ERR_CONNECTION_CLOSED || |
| 633 server_ret == ERR_FAILED); |
| 634 } |
| 635 } |
| 636 |
| 637 TEST_F(SSLServerSocketTest, HandshakeWithWrongClientCertSupplied) { |
| 638 scoped_refptr<X509Certificate> client_cert = |
| 639 ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName); |
| 640 InitializeClientCertsForServer(kCertRequired); |
| 641 Initialize(); |
| 642 InitializeClientCertsForClient(kWrongCertSupplied); |
| 643 |
| 644 TestCompletionCallback connect_callback; |
| 645 TestCompletionCallback handshake_callback; |
| 646 |
| 647 int server_ret = server_socket_->Handshake(handshake_callback.callback()); |
| 648 EXPECT_TRUE(server_ret == ERR_IO_PENDING); |
| 649 |
| 650 int client_ret = client_socket_->Connect(connect_callback.callback()); |
| 651 EXPECT_TRUE(client_ret == ERR_BAD_SSL_CLIENT_AUTH_CERT || |
| 652 client_ret == ERR_IO_PENDING); |
| 653 |
| 654 if (client_ret == ERR_IO_PENDING) { |
| 655 EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT, connect_callback.WaitForResult()); |
| 656 } |
| 657 |
| 658 server_ret = handshake_callback.WaitForResult(); |
| 659 // We get a different result on NSS and OpenSSL. That's because an error |
| 660 // mapping with OpenSSL makes an assumption that is true for SSLClientSocket |
| 661 // but not SSLServerSocket (namely that peer cert rejection only occurs due to |
| 662 // a cert change during renego). |
| 663 EXPECT_TRUE(server_ret == ERR_BAD_SSL_CLIENT_AUTH_CERT || |
| 664 server_ret == ERR_SSL_SERVER_CERT_CHANGED); |
| 665 } |
| 666 #endif // defined(USE_OPENSSL) || !defined(NSS_PLATFORM_CLIENT_AUTH) |
| 667 |
| 414 TEST_F(SSLServerSocketTest, DataTransfer) { | 668 TEST_F(SSLServerSocketTest, DataTransfer) { |
| 415 Initialize(); | 669 Initialize(); |
| 416 | 670 |
| 417 TestCompletionCallback connect_callback; | 671 TestCompletionCallback connect_callback; |
| 418 TestCompletionCallback handshake_callback; | 672 TestCompletionCallback handshake_callback; |
| 419 | 673 |
| 420 // Establish connection. | 674 // Establish connection. |
| 421 int client_ret = client_socket_->Connect(connect_callback.callback()); | 675 int client_ret = client_socket_->Connect(connect_callback.callback()); |
| 422 ASSERT_TRUE(client_ret == OK || client_ret == ERR_IO_PENDING); | 676 ASSERT_TRUE(client_ret == OK || client_ret == ERR_IO_PENDING); |
| 423 | 677 |
| (...skipping 197 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 621 int server_ret = server_socket_->Handshake(handshake_callback.callback()); | 875 int server_ret = server_socket_->Handshake(handshake_callback.callback()); |
| 622 | 876 |
| 623 client_ret = connect_callback.GetResult(client_ret); | 877 client_ret = connect_callback.GetResult(client_ret); |
| 624 server_ret = handshake_callback.GetResult(server_ret); | 878 server_ret = handshake_callback.GetResult(server_ret); |
| 625 | 879 |
| 626 ASSERT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH, client_ret); | 880 ASSERT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH, client_ret); |
| 627 ASSERT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH, server_ret); | 881 ASSERT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH, server_ret); |
| 628 } | 882 } |
| 629 | 883 |
| 630 } // namespace net | 884 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1474983003:
Support for client certs in ssl_server_socket. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master