| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/socket/ssl_client_socket.h" | |
| 6 | |
| 7 #include <errno.h> | |
| 8 #include <openssl/bio.h> | |
| 9 #include <openssl/bn.h> | |
| 10 #include <openssl/evp.h> | |
| 11 #include <openssl/pem.h> | |
| 12 #include <openssl/rsa.h> | |
| 13 #include <string.h> | |
| 14 #include <utility> | |
| 15 | |
| 16 #include "base/files/file_path.h" | |
| 17 #include "base/files/file_util.h" | |
| 18 #include "base/memory/ref_counted.h" | |
| 19 #include "base/values.h" | |
| 20 #include "crypto/openssl_util.h" | |
| 21 #include "crypto/scoped_openssl_types.h" | |
| 22 #include "net/base/address_list.h" | |
| 23 #include "net/base/io_buffer.h" | |
| 24 #include "net/base/net_errors.h" | |
| 25 #include "net/base/test_completion_callback.h" | |
| 26 #include "net/base/test_data_directory.h" | |
| 27 #include "net/cert/mock_cert_verifier.h" | |
| 28 #include "net/cert/test_root_certs.h" | |
| 29 #include "net/dns/host_resolver.h" | |
| 30 #include "net/http/transport_security_state.h" | |
| 31 #include "net/log/net_log.h" | |
| 32 #include "net/socket/client_socket_factory.h" | |
| 33 #include "net/socket/client_socket_handle.h" | |
| 34 #include "net/socket/socket_test_util.h" | |
| 35 #include "net/socket/tcp_client_socket.h" | |
| 36 #include "net/ssl/openssl_client_key_store.h" | |
| 37 #include "net/ssl/ssl_cert_request_info.h" | |
| 38 #include "net/ssl/ssl_config_service.h" | |
| 39 #include "net/ssl/ssl_platform_key.h" | |
| 40 #include "net/test/cert_test_util.h" | |
| 41 #include "net/test/spawned_test_server/spawned_test_server.h" | |
| 42 #include "testing/gtest/include/gtest/gtest.h" | |
| 43 #include "testing/platform_test.h" | |
| 44 | |
| 45 namespace net { | |
| 46 | |
| 47 namespace { | |
| 48 | |
| 49 // These client auth tests are currently dependent on OpenSSL's struct X509. | |
| 50 #if defined(USE_OPENSSL_CERTS) | |
| 51 | |
| 52 // Loads a PEM-encoded private key file into a scoped EVP_PKEY object. | |
| 53 // |filepath| is the private key file path. | |
| 54 // |*pkey| is reset to the new EVP_PKEY on success, untouched otherwise. | |
| 55 // Returns true on success, false on failure. | |
| 56 bool LoadPrivateKeyOpenSSL( | |
| 57 const base::FilePath& filepath, | |
| 58 crypto::ScopedEVP_PKEY* pkey) { | |
| 59 std::string data; | |
| 60 if (!base::ReadFileToString(filepath, &data)) { | |
| 61 LOG(ERROR) << "Could not read private key file: " | |
| 62 << filepath.value() << ": " << strerror(errno); | |
| 63 return false; | |
| 64 } | |
| 65 crypto::ScopedBIO bio(BIO_new_mem_buf( | |
| 66 const_cast<char*>(reinterpret_cast<const char*>(data.data())), | |
| 67 static_cast<int>(data.size()))); | |
| 68 if (!bio.get()) { | |
| 69 LOG(ERROR) << "Could not allocate BIO for buffer?"; | |
| 70 return false; | |
| 71 } | |
| 72 EVP_PKEY* result = PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL); | |
| 73 if (result == NULL) { | |
| 74 LOG(ERROR) << "Could not decode private key file: " | |
| 75 << filepath.value(); | |
| 76 return false; | |
| 77 } | |
| 78 pkey->reset(result); | |
| 79 return true; | |
| 80 } | |
| 81 | |
| 82 class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest { | |
| 83 public: | |
| 84 SSLClientSocketOpenSSLClientAuthTest() | |
| 85 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), | |
| 86 cert_verifier_(new MockCertVerifier), | |
| 87 transport_security_state_(new TransportSecurityState) { | |
| 88 cert_verifier_->set_default_result(OK); | |
| 89 context_.cert_verifier = cert_verifier_.get(); | |
| 90 context_.transport_security_state = transport_security_state_.get(); | |
| 91 key_store_ = OpenSSLClientKeyStore::GetInstance(); | |
| 92 } | |
| 93 | |
| 94 ~SSLClientSocketOpenSSLClientAuthTest() override { key_store_->Flush(); } | |
| 95 | |
| 96 protected: | |
| 97 scoped_ptr<SSLClientSocket> CreateSSLClientSocket( | |
| 98 scoped_ptr<StreamSocket> transport_socket, | |
| 99 const HostPortPair& host_and_port, | |
| 100 const SSLConfig& ssl_config) { | |
| 101 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle); | |
| 102 connection->SetSocket(std::move(transport_socket)); | |
| 103 return socket_factory_->CreateSSLClientSocket( | |
| 104 std::move(connection), host_and_port, ssl_config, context_); | |
| 105 } | |
| 106 | |
| 107 // Connect to a HTTPS test server. | |
| 108 bool ConnectToTestServer(SpawnedTestServer::SSLOptions& ssl_options) { | |
| 109 test_server_.reset(new SpawnedTestServer(SpawnedTestServer::TYPE_HTTPS, | |
| 110 ssl_options, | |
| 111 base::FilePath())); | |
| 112 if (!test_server_->Start()) { | |
| 113 LOG(ERROR) << "Could not start SpawnedTestServer"; | |
| 114 return false; | |
| 115 } | |
| 116 | |
| 117 if (!test_server_->GetAddressList(&addr_)) { | |
| 118 LOG(ERROR) << "Could not get SpawnedTestServer address list"; | |
| 119 return false; | |
| 120 } | |
| 121 | |
| 122 transport_.reset(new TCPClientSocket( | |
| 123 addr_, &log_, NetLog::Source())); | |
| 124 int rv = callback_.GetResult( | |
| 125 transport_->Connect(callback_.callback())); | |
| 126 if (rv != OK) { | |
| 127 LOG(ERROR) << "Could not connect to SpawnedTestServer"; | |
| 128 return false; | |
| 129 } | |
| 130 return true; | |
| 131 } | |
| 132 | |
| 133 // Record a certificate's private key to ensure it can be used | |
| 134 // by the OpenSSL-based SSLClientSocket implementation. | |
| 135 // |ssl_config| provides a client certificate. | |
| 136 // |private_key| must be an EVP_PKEY for the corresponding private key. | |
| 137 // Returns true on success, false on failure. | |
| 138 bool RecordPrivateKey(SSLConfig& ssl_config, | |
| 139 EVP_PKEY* private_key) { | |
| 140 return key_store_->RecordClientCertPrivateKey( | |
| 141 ssl_config.client_cert.get(), private_key); | |
| 142 } | |
| 143 | |
| 144 // Create an SSLClientSocket object and use it to connect to a test | |
| 145 // server, then wait for connection results. This must be called after | |
| 146 // a succesful ConnectToTestServer() call. | |
| 147 // |ssl_config| the SSL configuration to use. | |
| 148 // |result| will retrieve the ::Connect() result value. | |
| 149 // Returns true on succes, false otherwise. Success means that the socket | |
| 150 // could be created and its Connect() was called, not that the connection | |
| 151 // itself was a success. | |
| 152 bool CreateAndConnectSSLClientSocket(const SSLConfig& ssl_config, | |
| 153 int* result) { | |
| 154 sock_ = CreateSSLClientSocket(std::move(transport_), | |
| 155 test_server_->host_port_pair(), ssl_config); | |
| 156 | |
| 157 if (sock_->IsConnected()) { | |
| 158 LOG(ERROR) << "SSL Socket prematurely connected"; | |
| 159 return false; | |
| 160 } | |
| 161 | |
| 162 *result = callback_.GetResult(sock_->Connect(callback_.callback())); | |
| 163 return true; | |
| 164 } | |
| 165 | |
| 166 | |
| 167 // Check that the client certificate was sent. | |
| 168 // Returns true on success. | |
| 169 bool CheckSSLClientSocketSentCert() { | |
| 170 SSLInfo ssl_info; | |
| 171 sock_->GetSSLInfo(&ssl_info); | |
| 172 return ssl_info.client_cert_sent; | |
| 173 } | |
| 174 | |
| 175 ClientSocketFactory* socket_factory_; | |
| 176 scoped_ptr<MockCertVerifier> cert_verifier_; | |
| 177 scoped_ptr<TransportSecurityState> transport_security_state_; | |
| 178 SSLClientSocketContext context_; | |
| 179 OpenSSLClientKeyStore* key_store_; | |
| 180 scoped_ptr<SpawnedTestServer> test_server_; | |
| 181 AddressList addr_; | |
| 182 TestCompletionCallback callback_; | |
| 183 NetLog log_; | |
| 184 scoped_ptr<StreamSocket> transport_; | |
| 185 scoped_ptr<SSLClientSocket> sock_; | |
| 186 }; | |
| 187 | |
| 188 // Connect to a server requesting client authentication, do not send | |
| 189 // any client certificates. It should refuse the connection. | |
| 190 TEST_F(SSLClientSocketOpenSSLClientAuthTest, NoCert) { | |
| 191 SpawnedTestServer::SSLOptions ssl_options; | |
| 192 ssl_options.request_client_certificate = true; | |
| 193 | |
| 194 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | |
| 195 | |
| 196 base::FilePath certs_dir = GetTestCertsDirectory(); | |
| 197 | |
| 198 int rv; | |
| 199 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv)); | |
| 200 | |
| 201 EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED, rv); | |
| 202 EXPECT_FALSE(sock_->IsConnected()); | |
| 203 } | |
| 204 | |
| 205 // Connect to a server requesting client authentication, and send it | |
| 206 // an empty certificate. It should refuse the connection. | |
| 207 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendEmptyCert) { | |
| 208 SpawnedTestServer::SSLOptions ssl_options; | |
| 209 ssl_options.request_client_certificate = true; | |
| 210 ssl_options.client_authorities.push_back( | |
| 211 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem")); | |
| 212 | |
| 213 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | |
| 214 | |
| 215 base::FilePath certs_dir = GetTestCertsDirectory(); | |
| 216 SSLConfig ssl_config; | |
| 217 ssl_config.send_client_cert = true; | |
| 218 ssl_config.client_cert = NULL; | |
| 219 ssl_config.client_private_key = NULL; | |
| 220 | |
| 221 int rv; | |
| 222 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | |
| 223 | |
| 224 EXPECT_EQ(OK, rv); | |
| 225 EXPECT_TRUE(sock_->IsConnected()); | |
| 226 } | |
| 227 | |
| 228 // Connect to a server requesting client authentication. Send it a | |
| 229 // matching certificate. It should allow the connection. | |
| 230 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendGoodCert) { | |
| 231 SpawnedTestServer::SSLOptions ssl_options; | |
| 232 ssl_options.request_client_certificate = true; | |
| 233 ssl_options.client_authorities.push_back( | |
| 234 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem")); | |
| 235 | |
| 236 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | |
| 237 | |
| 238 base::FilePath certs_dir = GetTestCertsDirectory(); | |
| 239 SSLConfig ssl_config; | |
| 240 ssl_config.send_client_cert = true; | |
| 241 ssl_config.client_cert = ImportCertFromFile(certs_dir, "client_1.pem"); | |
| 242 | |
| 243 // This is required to ensure that signing works with the client | |
| 244 // certificate's private key. | |
| 245 crypto::ScopedEVP_PKEY client_private_key; | |
| 246 ASSERT_TRUE(LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key"), | |
| 247 &client_private_key)); | |
| 248 EXPECT_TRUE(RecordPrivateKey(ssl_config, client_private_key.get())); | |
| 249 | |
| 250 ssl_config.client_private_key = | |
| 251 FetchClientCertPrivateKey(ssl_config.client_cert.get()); | |
| 252 | |
| 253 int rv; | |
| 254 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | |
| 255 | |
| 256 EXPECT_EQ(OK, rv); | |
| 257 EXPECT_TRUE(sock_->IsConnected()); | |
| 258 | |
| 259 EXPECT_TRUE(CheckSSLClientSocketSentCert()); | |
| 260 | |
| 261 sock_->Disconnect(); | |
| 262 EXPECT_FALSE(sock_->IsConnected()); | |
| 263 } | |
| 264 #endif // defined(USE_OPENSSL_CERTS) | |
| 265 | |
| 266 } // namespace | |
| 267 } // namespace net | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1639463003:
Use SSLPrivateKey for testing client authentication (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master