OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <memory> | 5 #include <memory> |
6 #include <utility> | 6 #include <utility> |
7 | 7 |
8 #include "base/callback_helpers.h" | 8 #include "base/callback_helpers.h" |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "base/macros.h" | 10 #include "base/macros.h" |
(...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
68 | 68 |
69 CertVerifier* cert_verifier() { return cert_verifier_.get(); } | 69 CertVerifier* cert_verifier() { return cert_verifier_.get(); } |
70 | 70 |
71 private: | 71 private: |
72 ScopedTestRoot scoped_root_; | 72 ScopedTestRoot scoped_root_; |
73 std::unique_ptr<CertVerifier> cert_verifier_; | 73 std::unique_ptr<CertVerifier> cert_verifier_; |
74 std::unique_ptr<TransportSecurityState> transport_security_state_; | 74 std::unique_ptr<TransportSecurityState> transport_security_state_; |
75 std::unique_ptr<CTVerifier> cert_transparency_verifier_; | 75 std::unique_ptr<CTVerifier> cert_transparency_verifier_; |
76 }; | 76 }; |
77 | 77 |
78 const char kSignature[] = "signature"; | |
79 const char kSCT[] = "CryptoServerTests"; | |
80 | |
81 class FakeProofSource : public ProofSource { | |
82 public: | |
83 FakeProofSource() {} | |
84 ~FakeProofSource() override {} | |
85 | |
86 // ProofSource interface | |
87 bool Initialize(const base::FilePath& cert_path, | |
88 const base::FilePath& key_path, | |
89 const base::FilePath& sct_path) { | |
90 std::string cert_data; | |
91 if (!base::ReadFileToString(cert_path, &cert_data)) { | |
92 DLOG(FATAL) << "Unable to read certificates."; | |
93 return false; | |
94 } | |
95 | |
96 CertificateList certs_in_file = | |
97 X509Certificate::CreateCertificateListFromBytes( | |
98 cert_data.data(), cert_data.size(), X509Certificate::FORMAT_AUTO); | |
99 | |
100 if (certs_in_file.empty()) { | |
101 DLOG(FATAL) << "No certificates."; | |
102 return false; | |
103 } | |
104 | |
105 vector<string> certs; | |
106 for (const scoped_refptr<X509Certificate>& cert : certs_in_file) { | |
107 std::string der_encoded_cert; | |
108 if (!X509Certificate::GetDEREncoded(cert->os_cert_handle(), | |
109 &der_encoded_cert)) { | |
110 return false; | |
111 } | |
112 certs.push_back(der_encoded_cert); | |
113 } | |
114 chain_ = new ProofSource::Chain(certs); | |
115 return true; | |
116 } | |
117 | |
118 bool GetProof(const IPAddress& server_ip, | |
119 const std::string& hostname, | |
120 const std::string& server_config, | |
121 QuicVersion quic_version, | |
122 StringPiece chlo_hash, | |
123 bool ecdsa_ok, | |
124 scoped_refptr<ProofSource::Chain>* out_chain, | |
125 std::string* out_signature, | |
126 std::string* out_leaf_cert_sct) override { | |
127 out_signature->assign(kSignature); | |
128 *out_chain = chain_; | |
129 *out_leaf_cert_sct = kSCT; | |
130 return true; | |
131 } | |
132 | |
133 private: | |
134 scoped_refptr<ProofSource::Chain> chain_; | |
135 | |
136 DISALLOW_COPY_AND_ASSIGN(FakeProofSource); | |
137 }; | |
138 | |
139 class FakeProofVerifier : public TestProofVerifierChromium { | |
140 public: | |
141 FakeProofVerifier( | |
142 std::unique_ptr<CertVerifier> cert_verifier, | |
143 std::unique_ptr<TransportSecurityState> transport_security_state, | |
144 std::unique_ptr<CTVerifier> cert_transparency_verifier, | |
145 const std::string& cert_file) | |
146 : TestProofVerifierChromium(std::move(cert_verifier), | |
147 std::move(transport_security_state), | |
148 std::move(cert_transparency_verifier), | |
149 cert_file) {} | |
150 ~FakeProofVerifier() override {} | |
151 | |
152 // ProofVerifier interface | |
153 QuicAsyncStatus VerifyProof( | |
154 const std::string& hostname, | |
155 const uint16_t port, | |
156 const std::string& server_config, | |
157 QuicVersion quic_version, | |
158 StringPiece chlo_hash, | |
159 const std::vector<std::string>& certs, | |
160 const std::string& cert_sct, | |
161 const std::string& signature, | |
162 const ProofVerifyContext* verify_context, | |
163 std::string* error_details, | |
164 std::unique_ptr<ProofVerifyDetails>* verify_details, | |
165 ProofVerifierCallback* callback) override { | |
166 error_details->clear(); | |
167 std::unique_ptr<ProofVerifyDetailsChromium> verify_details_chromium( | |
168 new ProofVerifyDetailsChromium); | |
169 DCHECK(!certs.empty()); | |
170 // Convert certs to X509Certificate. | |
171 vector<StringPiece> cert_pieces(certs.size()); | |
172 for (unsigned i = 0; i < certs.size(); i++) { | |
173 cert_pieces[i] = base::StringPiece(certs[i]); | |
174 } | |
175 scoped_refptr<X509Certificate> x509_cert = | |
176 X509Certificate::CreateFromDERCertChain(cert_pieces); | |
177 | |
178 if (!x509_cert.get()) { | |
179 *error_details = "Failed to create certificate chain"; | |
180 verify_details_chromium->cert_verify_result.cert_status = | |
181 CERT_STATUS_INVALID; | |
182 *verify_details = std::move(verify_details_chromium); | |
183 return QUIC_FAILURE; | |
184 } | |
185 | |
186 const ProofVerifyContextChromium* chromium_context = | |
187 reinterpret_cast<const ProofVerifyContextChromium*>(verify_context); | |
188 std::unique_ptr<CertVerifier::Request> cert_verifier_request_; | |
189 TestCompletionCallback test_callback; | |
190 int result = cert_verifier()->Verify( | |
191 x509_cert.get(), hostname, std::string(), | |
192 chromium_context->cert_verify_flags, | |
193 SSLConfigService::GetCRLSet().get(), | |
194 &verify_details_chromium->cert_verify_result, test_callback.callback(), | |
195 &cert_verifier_request_, chromium_context->net_log); | |
196 if (result != OK) { | |
197 std::string error_string = ErrorToString(result); | |
198 *error_details = StringPrintf("Failed to verify certificate chain: %s", | |
199 error_string.c_str()); | |
200 verify_details_chromium->cert_verify_result.cert_status = | |
201 CERT_STATUS_INVALID; | |
202 *verify_details = std::move(verify_details_chromium); | |
203 return QUIC_FAILURE; | |
204 } | |
205 if (signature != kSignature) { | |
206 *error_details = "Invalid proof"; | |
207 verify_details_chromium->cert_verify_result.cert_status = | |
208 CERT_STATUS_INVALID; | |
209 *verify_details = std::move(verify_details_chromium); | |
210 return QUIC_FAILURE; | |
211 } | |
212 *verify_details = std::move(verify_details_chromium); | |
213 return QUIC_SUCCESS; | |
214 } | |
215 | |
216 private: | |
217 DISALLOW_COPY_AND_ASSIGN(FakeProofVerifier); | |
218 }; | |
219 | |
220 } // namespace | 78 } // namespace |
221 | 79 |
222 // static | 80 // static |
223 ProofSource* CryptoTestUtils::ProofSourceForTesting() { | 81 ProofSource* CryptoTestUtils::ProofSourceForTesting() { |
224 #if defined(USE_OPENSSL) | |
225 ProofSourceChromium* source = new ProofSourceChromium(); | 82 ProofSourceChromium* source = new ProofSourceChromium(); |
226 #else | |
227 FakeProofSource* source = new FakeProofSource(); | |
228 #endif | |
229 base::FilePath certs_dir = GetTestCertsDirectory(); | 83 base::FilePath certs_dir = GetTestCertsDirectory(); |
230 CHECK(source->Initialize( | 84 CHECK(source->Initialize( |
231 certs_dir.AppendASCII("quic_chain.crt"), | 85 certs_dir.AppendASCII("quic_chain.crt"), |
232 certs_dir.AppendASCII("quic_test.example.com.key.pkcs8"), | 86 certs_dir.AppendASCII("quic_test.example.com.key.pkcs8"), |
233 certs_dir.AppendASCII("quic_test.example.com.key.sct"))); | 87 certs_dir.AppendASCII("quic_test.example.com.key.sct"))); |
234 return source; | 88 return source; |
235 } | 89 } |
236 | 90 |
237 // static | 91 // static |
238 ProofVerifier* ProofVerifierForTestingInternal(bool use_real_proof_verifier) { | 92 ProofVerifier* ProofVerifierForTestingInternal(bool use_real_proof_verifier) { |
239 // TODO(rch): use a real cert verifier? | 93 // TODO(rch): use a real cert verifier? |
240 std::unique_ptr<MockCertVerifier> cert_verifier(new MockCertVerifier()); | 94 std::unique_ptr<MockCertVerifier> cert_verifier(new MockCertVerifier()); |
241 net::CertVerifyResult verify_result; | 95 net::CertVerifyResult verify_result; |
242 verify_result.verified_cert = | 96 verify_result.verified_cert = |
243 ImportCertFromFile(GetTestCertsDirectory(), "quic_test.example.com.crt"); | 97 ImportCertFromFile(GetTestCertsDirectory(), "quic_test.example.com.crt"); |
244 cert_verifier->AddResultForCertAndHost(verify_result.verified_cert.get(), | 98 cert_verifier->AddResultForCertAndHost(verify_result.verified_cert.get(), |
245 "test.example.com", verify_result, OK); | 99 "test.example.com", verify_result, OK); |
246 verify_result.verified_cert = ImportCertFromFile( | 100 verify_result.verified_cert = ImportCertFromFile( |
247 GetTestCertsDirectory(), "quic_test_ecc.example.com.crt"); | 101 GetTestCertsDirectory(), "quic_test_ecc.example.com.crt"); |
248 cert_verifier->AddResultForCertAndHost(verify_result.verified_cert.get(), | 102 cert_verifier->AddResultForCertAndHost(verify_result.verified_cert.get(), |
249 "test.example.com", verify_result, OK); | 103 "test.example.com", verify_result, OK); |
250 if (use_real_proof_verifier) { | 104 if (use_real_proof_verifier) { |
251 return new TestProofVerifierChromium( | 105 return new TestProofVerifierChromium( |
252 std::move(cert_verifier), base::WrapUnique(new TransportSecurityState), | 106 std::move(cert_verifier), base::WrapUnique(new TransportSecurityState), |
253 base::WrapUnique(new MultiLogCTVerifier), "quic_root.crt"); | 107 base::WrapUnique(new MultiLogCTVerifier), "quic_root.crt"); |
254 } | 108 } |
255 #if defined(USE_OPENSSL) | |
256 return new TestProofVerifierChromium( | 109 return new TestProofVerifierChromium( |
257 std::move(cert_verifier), base::WrapUnique(new TransportSecurityState), | 110 std::move(cert_verifier), base::WrapUnique(new TransportSecurityState), |
258 base::WrapUnique(new MultiLogCTVerifier), "quic_root.crt"); | 111 base::WrapUnique(new MultiLogCTVerifier), "quic_root.crt"); |
259 #else | |
260 return new FakeProofVerifier( | |
261 std::move(cert_verifier), base::WrapUnique(new TransportSecurityState), | |
262 base::WrapUnique(new MultiLogCTVerifier), "quic_root.crt"); | |
263 #endif | |
264 } | 112 } |
265 | 113 |
266 // static | 114 // static |
267 ProofVerifier* CryptoTestUtils::ProofVerifierForTesting() { | 115 ProofVerifier* CryptoTestUtils::ProofVerifierForTesting() { |
268 return ProofVerifierForTestingInternal(/*use_real_proof_verifier=*/false); | 116 return ProofVerifierForTestingInternal(/*use_real_proof_verifier=*/false); |
269 } | 117 } |
270 | 118 |
271 // static | 119 // static |
272 ProofVerifier* CryptoTestUtils::RealProofVerifierForTesting() { | 120 ProofVerifier* CryptoTestUtils::RealProofVerifierForTesting() { |
273 return ProofVerifierForTestingInternal(/*use_real_proof_verifier=*/true); | 121 return ProofVerifierForTestingInternal(/*use_real_proof_verifier=*/true); |
274 } | 122 } |
275 | 123 |
276 // static | 124 // static |
277 ProofVerifyContext* CryptoTestUtils::ProofVerifyContextForTesting() { | 125 ProofVerifyContext* CryptoTestUtils::ProofVerifyContextForTesting() { |
278 return new ProofVerifyContextChromium(/*cert_verify_flags=*/0, BoundNetLog()); | 126 return new ProofVerifyContextChromium(/*cert_verify_flags=*/0, BoundNetLog()); |
279 } | 127 } |
280 | 128 |
281 } // namespace test | 129 } // namespace test |
282 | 130 |
283 } // namespace net | 131 } // namespace net |
OLD | NEW |