Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/gcm_driver/crypto/gcm_encryption_provider.h" | 5 #include "components/gcm_driver/crypto/gcm_encryption_provider.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 | 8 |
| 9 #include <sstream> | 9 #include <sstream> |
| 10 #include <string> | 10 #include <string> |
| 11 | 11 |
| 12 #include "base/base64url.h" | 12 #include "base/base64url.h" |
| 13 #include "base/bind.h" | 13 #include "base/bind.h" |
| 14 #include "base/bind_helpers.h" | |
| 14 #include "base/files/scoped_temp_dir.h" | 15 #include "base/files/scoped_temp_dir.h" |
| 15 #include "base/message_loop/message_loop.h" | 16 #include "base/message_loop/message_loop.h" |
| 16 #include "base/run_loop.h" | 17 #include "base/run_loop.h" |
| 17 #include "base/strings/string_number_conversions.h" | 18 #include "base/strings/string_number_conversions.h" |
| 18 #include "base/strings/string_piece.h" | 19 #include "base/strings/string_piece.h" |
| 19 #include "base/strings/string_util.h" | 20 #include "base/strings/string_util.h" |
| 20 #include "base/test/histogram_tester.h" | 21 #include "base/test/histogram_tester.h" |
| 21 #include "components/gcm_driver/common/gcm_messages.h" | 22 #include "components/gcm_driver/common/gcm_messages.h" |
| 22 #include "components/gcm_driver/crypto/gcm_key_store.h" | 23 #include "components/gcm_driver/crypto/gcm_key_store.h" |
| 23 #include "components/gcm_driver/crypto/gcm_message_cryptographer.h" | 24 #include "components/gcm_driver/crypto/gcm_message_cryptographer.h" |
| 24 #include "components/gcm_driver/crypto/p256_key_util.h" | 25 #include "components/gcm_driver/crypto/p256_key_util.h" |
| 25 #include "crypto/random.h" | 26 #include "crypto/random.h" |
| 26 #include "testing/gtest/include/gtest/gtest.h" | 27 #include "testing/gtest/include/gtest/gtest.h" |
| 27 | 28 |
| 28 namespace gcm { | 29 namespace gcm { |
| 29 namespace { | 30 namespace { |
| 30 | 31 |
| 31 const char kExampleAppId[] = "my-app-id"; | 32 const char kExampleAppId[] = "my-app-id"; |
| 33 const char kExampleAuthorizedEntity[] = "my-sender-id"; | |
| 32 const char kExampleMessage[] = "Hello, world, this is the GCM Driver!"; | 34 const char kExampleMessage[] = "Hello, world, this is the GCM Driver!"; |
| 33 | 35 |
| 34 const char kValidEncryptionHeader[] = | 36 const char kValidEncryptionHeader[] = |
| 35 "keyid=foo;salt=MTIzNDU2Nzg5MDEyMzQ1Ng;rs=1024"; | 37 "keyid=foo;salt=MTIzNDU2Nzg5MDEyMzQ1Ng;rs=1024"; |
| 36 const char kInvalidEncryptionHeader[] = "keyid"; | 38 const char kInvalidEncryptionHeader[] = "keyid"; |
| 37 | 39 |
| 38 const char kValidCryptoKeyHeader[] = | 40 const char kValidCryptoKeyHeader[] = |
| 39 "keyid=foo;dh=BL_UGhfudEkXMUd4U4-D4nP5KHxKjQHsW6j88ybbehXM7fqi1OMFefDUEi0eJ" | 41 "keyid=foo;dh=BL_UGhfudEkXMUd4U4-D4nP5KHxKjQHsW6j88ybbehXM7fqi1OMFefDUEi0eJ" |
| 40 "vsKfyVBWYkQjH-lSPJKxjAyslg"; | 42 "vsKfyVBWYkQjH-lSPJKxjAyslg"; |
| 41 const char kInvalidCryptoKeyHeader[] = "keyid"; | 43 const char kInvalidCryptoKeyHeader[] = "keyid"; |
| (...skipping 16 matching lines...) Expand all Loading... | |
| 58 // |encryption_provider_| owns a ProtoDatabaseImpl whose destructor deletes | 60 // |encryption_provider_| owns a ProtoDatabaseImpl whose destructor deletes |
| 59 // the underlying LevelDB database on the task runner. | 61 // the underlying LevelDB database on the task runner. |
| 60 base::RunLoop().RunUntilIdle(); | 62 base::RunLoop().RunUntilIdle(); |
| 61 } | 63 } |
| 62 | 64 |
| 63 // To be used as a callback for GCMEncryptionProvider::GetEncryptionInfo(). | 65 // To be used as a callback for GCMEncryptionProvider::GetEncryptionInfo(). |
| 64 void DidGetEncryptionInfo(std::string* p256dh_out, | 66 void DidGetEncryptionInfo(std::string* p256dh_out, |
| 65 std::string* auth_secret_out, | 67 std::string* auth_secret_out, |
| 66 const std::string& p256dh, | 68 const std::string& p256dh, |
| 67 const std::string& auth_secret) { | 69 const std::string& auth_secret) { |
| 68 *p256dh_out = p256dh; | 70 if (p256dh_out) |
| 69 *auth_secret_out = auth_secret; | 71 *p256dh_out = p256dh; |
| 72 if (auth_secret_out) | |
| 73 *auth_secret_out = auth_secret; | |
| 70 } | 74 } |
| 71 | 75 |
| 72 // To be used as a callback for GCMKeyStore::CreateKeys(). | 76 // To be used as a callback for GCMKeyStore::{GetKeys,CreateKeys}. |
| 73 void DidCreateKeys(KeyPair* pair_out, std::string* auth_secret_out, | 77 void HandleKeysCallback(KeyPair* pair_out, |
| 74 const KeyPair& pair, const std::string& auth_secret) { | 78 std::string* auth_secret_out, |
| 75 *pair_out = pair; | 79 const KeyPair& pair, |
| 76 *auth_secret_out = auth_secret; | 80 const std::string& auth_secret) { |
| 81 if (pair_out) | |
| 82 *pair_out = pair; | |
| 83 if (auth_secret_out) | |
| 84 *auth_secret_out = auth_secret; | |
| 77 } | 85 } |
| 78 | 86 |
| 79 protected: | 87 protected: |
| 80 // Decrypts the |message| and then synchronously waits until either the | 88 // Decrypts the |message| and then synchronously waits until either the |
| 81 // success or failure callbacks has been invoked. | 89 // success or failure callbacks has been invoked. |
| 82 void Decrypt(const IncomingMessage& message) { | 90 void Decrypt(const IncomingMessage& message) { |
| 83 encryption_provider_->DecryptMessage( | 91 encryption_provider_->DecryptMessage( |
| 84 kExampleAppId, message, | 92 kExampleAppId, message, |
| 85 base::Bind(&GCMEncryptionProviderTest::DidDecryptMessage, | 93 base::Bind(&GCMEncryptionProviderTest::DidDecryptMessage, |
| 86 base::Unretained(this))); | 94 base::Unretained(this))); |
| 87 | 95 |
| 88 // The encryption keys will be read asynchronously. | 96 // The encryption keys will be read asynchronously. |
| 89 base::RunLoop().RunUntilIdle(); | 97 base::RunLoop().RunUntilIdle(); |
| 90 } | 98 } |
| 91 | 99 |
| 100 // Checks that the underlying key store has a key for the |kExampleAppId| + | |
| 101 // authorized entity pair if and only if |should_have_key| is true. Must wrap | |
| 102 // with ASSERT/EXPECT_NO_FATAL_FAILURE. | |
| 103 void CheckHasKey(const std::string& instance_id_authorized_entity, | |
| 104 bool should_have_key) { | |
| 105 KeyPair pair; | |
| 106 std::string auth_secret; | |
| 107 encryption_provider()->key_store_->GetKeys( | |
| 108 kExampleAppId, instance_id_authorized_entity, | |
| 109 false /* fallback_to_empty_authorized_entity */, | |
| 110 base::Bind(&GCMEncryptionProviderTest::HandleKeysCallback, | |
| 111 base::Unretained(this), &pair, &auth_secret)); | |
| 112 | |
| 113 base::RunLoop().RunUntilIdle(); | |
| 114 | |
| 115 if (should_have_key) { | |
| 116 ASSERT_GT(pair.public_key().size(), 0u); | |
| 117 ASSERT_GT(pair.private_key().size(), 0u); | |
| 118 ASSERT_GT(auth_secret.size(), 0u); | |
| 119 } else { | |
| 120 ASSERT_EQ(0u, pair.public_key().size()); | |
| 121 ASSERT_EQ(0u, pair.private_key().size()); | |
| 122 ASSERT_EQ(0u, auth_secret.size()); | |
| 123 } | |
| 124 } | |
| 125 | |
| 92 // Returns the result of the previous decryption operation. | 126 // Returns the result of the previous decryption operation. |
| 93 GCMEncryptionProvider::DecryptionResult decryption_result() { | 127 GCMEncryptionProvider::DecryptionResult decryption_result() { |
| 94 return decryption_result_; | 128 return decryption_result_; |
| 95 } | 129 } |
| 96 | 130 |
| 97 // Returns the message resulting from the previous decryption operation. | 131 // Returns the message resulting from the previous decryption operation. |
| 98 const IncomingMessage& decrypted_message() { return decrypted_message_; } | 132 const IncomingMessage& decrypted_message() { return decrypted_message_; } |
| 99 | 133 |
| 100 GCMEncryptionProvider* encryption_provider() { | 134 GCMEncryptionProvider* encryption_provider() { |
| 101 return encryption_provider_.get(); | 135 return encryption_provider_.get(); |
| 102 } | 136 } |
| 103 | 137 |
| 138 // Performs a full round-trip test of the encryption feature. Must wrap this | |
| 139 // in ASSERT_NO_FATAL_FAILURE. | |
| 140 void TestEncryptionRoundTrip( | |
| 141 const std::string& app_id, | |
| 142 const std::string& instance_id_authorized_entity); | |
| 143 | |
| 104 private: | 144 private: |
| 105 void DidDecryptMessage(GCMEncryptionProvider::DecryptionResult result, | 145 void DidDecryptMessage(GCMEncryptionProvider::DecryptionResult result, |
| 106 const IncomingMessage& message) { | 146 const IncomingMessage& message) { |
| 107 decryption_result_ = result; | 147 decryption_result_ = result; |
| 108 decrypted_message_ = message; | 148 decrypted_message_ = message; |
| 109 } | 149 } |
| 110 | 150 |
| 111 base::MessageLoop message_loop_; | 151 base::MessageLoop message_loop_; |
| 112 base::ScopedTempDir scoped_temp_dir_; | 152 base::ScopedTempDir scoped_temp_dir_; |
| 113 base::HistogramTester histogram_tester_; | 153 base::HistogramTester histogram_tester_; |
| (...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 200 message.data["encryption"] = kValidEncryptionHeader; | 240 message.data["encryption"] = kValidEncryptionHeader; |
| 201 message.data["crypto-key"] = kValidCryptoKeyHeader; | 241 message.data["crypto-key"] = kValidCryptoKeyHeader; |
| 202 message.raw_data = "foo"; | 242 message.raw_data = "foo"; |
| 203 | 243 |
| 204 ASSERT_NO_FATAL_FAILURE(Decrypt(message)); | 244 ASSERT_NO_FATAL_FAILURE(Decrypt(message)); |
| 205 EXPECT_EQ(GCMEncryptionProvider::DECRYPTION_RESULT_NO_KEYS, | 245 EXPECT_EQ(GCMEncryptionProvider::DECRYPTION_RESULT_NO_KEYS, |
| 206 decryption_result()); | 246 decryption_result()); |
| 207 | 247 |
| 208 std::string public_key, auth_secret; | 248 std::string public_key, auth_secret; |
| 209 encryption_provider()->GetEncryptionInfo( | 249 encryption_provider()->GetEncryptionInfo( |
| 210 kExampleAppId, | 250 kExampleAppId, "" /* empty authorized entity for GCM registration */, |
| 211 base::Bind(&GCMEncryptionProviderTest::DidGetEncryptionInfo, | 251 base::Bind(&GCMEncryptionProviderTest::DidGetEncryptionInfo, |
| 212 base::Unretained(this), &public_key, &auth_secret)); | 252 base::Unretained(this), &public_key, &auth_secret)); |
| 213 | 253 |
| 214 // Getting (or creating) the public key will be done asynchronously. | 254 // Getting (or creating) the public key will be done asynchronously. |
| 215 base::RunLoop().RunUntilIdle(); | 255 base::RunLoop().RunUntilIdle(); |
| 216 | 256 |
| 217 ASSERT_GT(public_key.size(), 0u); | 257 ASSERT_GT(public_key.size(), 0u); |
| 218 ASSERT_GT(auth_secret.size(), 0u); | 258 ASSERT_GT(auth_secret.size(), 0u); |
| 219 | 259 |
| 220 ASSERT_NO_FATAL_FAILURE(Decrypt(message)); | 260 ASSERT_NO_FATAL_FAILURE(Decrypt(message)); |
| 221 EXPECT_NE(GCMEncryptionProvider::DECRYPTION_RESULT_NO_KEYS, | 261 EXPECT_NE(GCMEncryptionProvider::DECRYPTION_RESULT_NO_KEYS, |
| 222 decryption_result()); | 262 decryption_result()); |
| 223 } | 263 } |
| 224 | 264 |
| 225 TEST_F(GCMEncryptionProviderTest, EncryptionRoundTrip) { | 265 TEST_F(GCMEncryptionProviderTest, VerifiesKeyRemovalGCMRegistration) { |
|
Peter Beverloo
2016/05/09 14:10:10
While I'm all for tests, this doesn't actually tes
johnme
2016/05/09 18:15:54
This (and its twin, VerifiesKeyRemovalInstanceIDTo
| |
| 266 // Removing encryption info for an InstanceID token shouldn't affect a legacy | |
| 267 // GCM registration. | |
| 268 | |
| 269 // Legacy GCM callers pass an empty string for instance_id_authorized_entity. | |
| 270 std::string instance_id_authorized_entity_gcm = ""; | |
| 271 std::string instance_id_authorized_entity_1 = | |
| 272 kExampleAuthorizedEntity + std::string("1"); | |
| 273 std::string instance_id_authorized_entity_2 = | |
| 274 kExampleAuthorizedEntity + std::string("2"); | |
| 275 | |
| 276 // Should create encryption info. | |
| 277 std::string public_key, auth_secret; | |
| 278 encryption_provider()->GetEncryptionInfo( | |
| 279 kExampleAppId, instance_id_authorized_entity_gcm, | |
| 280 base::Bind(&GCMEncryptionProviderTest::DidGetEncryptionInfo, | |
| 281 base::Unretained(this), &public_key, &auth_secret)); | |
| 282 | |
| 283 // Should get encryption info created above (although these calls are async | |
|
Peter Beverloo
2016/05/09 14:10:09
Instead of the comment in parenthesis, can we just
johnme
2016/05/09 18:15:54
Sure; instead I expanded GCMKeyStoreTest.CreateGet
| |
| 284 // with no RunUntilIdle between, they should get handled in order of posting). | |
| 285 std::string read_public_key, read_auth_secret; | |
| 286 encryption_provider()->GetEncryptionInfo( | |
| 287 kExampleAppId, instance_id_authorized_entity_gcm, | |
| 288 base::Bind(&GCMEncryptionProviderTest::DidGetEncryptionInfo, | |
| 289 base::Unretained(this), &read_public_key, &read_auth_secret)); | |
| 290 | |
| 291 base::RunLoop().RunUntilIdle(); | |
| 292 | |
| 293 EXPECT_GT(public_key.size(), 0u); | |
| 294 EXPECT_GT(auth_secret.size(), 0u); | |
| 295 EXPECT_EQ(public_key, read_public_key); | |
| 296 EXPECT_EQ(auth_secret, read_auth_secret); | |
| 297 | |
| 298 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_gcm, true)); | |
|
Peter Beverloo
2016/05/09 14:10:10
This should be an ASSERT_NO_FATAL_FAILURE. There i
johnme
2016/05/09 18:15:54
Done (ditto below, since it's always the first fai
| |
| 299 | |
| 300 encryption_provider()->RemoveEncryptionInfo(kExampleAppId, | |
| 301 instance_id_authorized_entity_1, | |
| 302 base::Bind(&base::DoNothing)); | |
| 303 | |
| 304 base::RunLoop().RunUntilIdle(); | |
| 305 | |
| 306 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_gcm, true)); | |
| 307 | |
| 308 encryption_provider()->RemoveEncryptionInfo(kExampleAppId, "*", | |
| 309 base::Bind(&base::DoNothing)); | |
| 310 | |
| 311 base::RunLoop().RunUntilIdle(); | |
| 312 | |
| 313 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_gcm, true)); | |
| 314 | |
| 315 encryption_provider()->RemoveEncryptionInfo(kExampleAppId, | |
| 316 instance_id_authorized_entity_gcm, | |
| 317 base::Bind(&base::DoNothing)); | |
| 318 | |
| 319 base::RunLoop().RunUntilIdle(); | |
| 320 | |
| 321 EXPECT_NO_FATAL_FAILURE( | |
| 322 CheckHasKey(instance_id_authorized_entity_gcm, false)); | |
| 323 } | |
| 324 | |
| 325 TEST_F(GCMEncryptionProviderTest, VerifiesKeyRemovalInstanceIDToken) { | |
| 326 // Removing encryption info for a legacy GCM registration shouldn't affect an | |
| 327 // InstanceID token. | |
| 328 | |
| 329 // Legacy GCM callers pass an empty string for instance_id_authorized_entity. | |
| 330 std::string instance_id_authorized_entity_gcm = ""; | |
| 331 std::string instance_id_authorized_entity_1 = | |
| 332 kExampleAuthorizedEntity + std::string("1"); | |
| 333 std::string instance_id_authorized_entity_2 = | |
| 334 kExampleAuthorizedEntity + std::string("2"); | |
| 335 | |
| 336 std::string public_key_1, auth_secret_1; | |
| 337 encryption_provider()->GetEncryptionInfo( | |
| 338 kExampleAppId, instance_id_authorized_entity_1, | |
| 339 base::Bind(&GCMEncryptionProviderTest::DidGetEncryptionInfo, | |
| 340 base::Unretained(this), &public_key_1, &auth_secret_1)); | |
| 341 | |
| 342 base::RunLoop().RunUntilIdle(); | |
| 343 | |
| 344 EXPECT_GT(public_key_1.size(), 0u); | |
| 345 EXPECT_GT(auth_secret_1.size(), 0u); | |
| 346 | |
| 347 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_1, true)); | |
| 348 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_2, false)); | |
| 349 | |
| 350 std::string public_key_2, auth_secret_2; | |
| 351 encryption_provider()->GetEncryptionInfo( | |
| 352 kExampleAppId, instance_id_authorized_entity_2, | |
| 353 base::Bind(&GCMEncryptionProviderTest::DidGetEncryptionInfo, | |
| 354 base::Unretained(this), &public_key_2, &auth_secret_2)); | |
| 355 | |
| 356 base::RunLoop().RunUntilIdle(); | |
| 357 | |
| 358 EXPECT_GT(public_key_2.size(), 0u); | |
| 359 EXPECT_GT(auth_secret_2.size(), 0u); | |
| 360 EXPECT_NE(public_key_1, public_key_2); | |
| 361 EXPECT_NE(auth_secret_1, auth_secret_2); | |
| 362 | |
| 363 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_1, true)); | |
| 364 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_2, true)); | |
| 365 | |
| 366 std::string read_public_key_1, read_auth_secret_1; | |
| 367 encryption_provider()->GetEncryptionInfo( | |
| 368 kExampleAppId, instance_id_authorized_entity_1, | |
| 369 base::Bind(&GCMEncryptionProviderTest::DidGetEncryptionInfo, | |
| 370 base::Unretained(this), &read_public_key_1, | |
| 371 &read_auth_secret_1)); | |
| 372 | |
| 373 base::RunLoop().RunUntilIdle(); | |
| 374 | |
| 375 // Should have returned existing info for instance_id_authorized_entity_1. | |
| 376 EXPECT_EQ(public_key_1, read_public_key_1); | |
| 377 EXPECT_EQ(auth_secret_1, read_auth_secret_1); | |
| 378 | |
| 379 encryption_provider()->RemoveEncryptionInfo(kExampleAppId, | |
| 380 instance_id_authorized_entity_gcm, | |
| 381 base::Bind(&base::DoNothing)); | |
| 382 | |
| 383 base::RunLoop().RunUntilIdle(); | |
| 384 | |
| 385 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_1, true)); | |
| 386 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_2, true)); | |
| 387 | |
| 388 encryption_provider()->RemoveEncryptionInfo(kExampleAppId, | |
| 389 instance_id_authorized_entity_1, | |
| 390 base::Bind(&base::DoNothing)); | |
| 391 | |
| 392 base::RunLoop().RunUntilIdle(); | |
| 393 | |
| 394 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_1, false)); | |
| 395 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_2, true)); | |
| 396 | |
| 397 std::string public_key_1_refreshed, auth_secret_1_refreshed; | |
| 398 encryption_provider()->GetEncryptionInfo( | |
| 399 kExampleAppId, instance_id_authorized_entity_1, | |
| 400 base::Bind(&GCMEncryptionProviderTest::DidGetEncryptionInfo, | |
| 401 base::Unretained(this), &public_key_1_refreshed, | |
| 402 &auth_secret_1_refreshed)); | |
| 403 | |
| 404 base::RunLoop().RunUntilIdle(); | |
| 405 | |
| 406 // Since the info was removed, GetEncryptionInfo should have created new info. | |
| 407 EXPECT_GT(public_key_1_refreshed.size(), 0u); | |
| 408 EXPECT_GT(auth_secret_1_refreshed.size(), 0u); | |
| 409 EXPECT_NE(public_key_1, public_key_1_refreshed); | |
| 410 EXPECT_NE(auth_secret_1, auth_secret_1_refreshed); | |
| 411 EXPECT_NE(public_key_2, public_key_1_refreshed); | |
| 412 EXPECT_NE(auth_secret_2, auth_secret_1_refreshed); | |
| 413 | |
| 414 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_1, true)); | |
| 415 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_2, true)); | |
| 416 | |
| 417 encryption_provider()->RemoveEncryptionInfo(kExampleAppId, "*", | |
| 418 base::Bind(&base::DoNothing)); | |
| 419 | |
| 420 base::RunLoop().RunUntilIdle(); | |
| 421 | |
| 422 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_1, false)); | |
| 423 EXPECT_NO_FATAL_FAILURE(CheckHasKey(instance_id_authorized_entity_2, false)); | |
| 424 } | |
| 425 | |
| 426 void GCMEncryptionProviderTest::TestEncryptionRoundTrip( | |
| 427 const std::string& app_id, | |
| 428 const std::string& instance_id_authorized_entity) { | |
| 226 // Performs a full round-trip of the encryption feature, including getting a | 429 // Performs a full round-trip of the encryption feature, including getting a |
| 227 // public/private key-pair and performing the cryptographic operations. This | 430 // public/private key-pair and performing the cryptographic operations. This |
| 228 // is more of an integration test than a unit test. | 431 // is more of an integration test than a unit test. |
| 229 | 432 |
| 230 KeyPair pair, server_pair; | 433 KeyPair pair, server_pair; |
| 231 std::string auth_secret, server_authentication; | 434 std::string auth_secret, server_authentication; |
| 232 | 435 |
| 233 // Retrieve the public/private key-pair immediately from the key store, given | 436 // Retrieve the public/private key-pair immediately from the key store, given |
| 234 // that the GCMEncryptionProvider will only share the public key with users. | 437 // that the GCMEncryptionProvider will only share the public key with users. |
| 235 // Also create a second pair, which will act as the server's keys. | 438 // Also create a second pair, which will act as the server's keys. |
| 236 encryption_provider()->key_store_->CreateKeys( | 439 encryption_provider()->key_store_->CreateKeys( |
| 237 kExampleAppId, | 440 app_id, instance_id_authorized_entity, |
| 238 base::Bind(&GCMEncryptionProviderTest::DidCreateKeys, | 441 base::Bind(&GCMEncryptionProviderTest::HandleKeysCallback, |
| 239 base::Unretained(this), &pair, &auth_secret)); | 442 base::Unretained(this), &pair, &auth_secret)); |
| 240 | 443 |
| 241 encryption_provider()->key_store_->CreateKeys( | 444 encryption_provider()->key_store_->CreateKeys( |
| 242 std::string(kExampleAppId) + "-server", | 445 "server-" + app_id, instance_id_authorized_entity, |
| 243 base::Bind(&GCMEncryptionProviderTest::DidCreateKeys, | 446 base::Bind(&GCMEncryptionProviderTest::HandleKeysCallback, |
| 244 base::Unretained(this), &server_pair, &server_authentication)); | 447 base::Unretained(this), &server_pair, &server_authentication)); |
| 245 | 448 |
| 246 // Creating the public keys will be done asynchronously. | 449 // Creating the public keys will be done asynchronously. |
| 247 base::RunLoop().RunUntilIdle(); | 450 base::RunLoop().RunUntilIdle(); |
| 248 | 451 |
| 249 ASSERT_GT(pair.public_key().size(), 0u); | 452 ASSERT_GT(pair.public_key().size(), 0u); |
| 250 ASSERT_GT(server_pair.public_key().size(), 0u); | 453 ASSERT_GT(server_pair.public_key().size(), 0u); |
| 251 | 454 |
| 252 ASSERT_GT(pair.private_key().size(), 0u); | 455 ASSERT_GT(pair.private_key().size(), 0u); |
| 253 ASSERT_GT(server_pair.private_key().size(), 0u); | 456 ASSERT_GT(server_pair.private_key().size(), 0u); |
| 254 | 457 |
| 255 std::string salt; | 458 std::string salt; |
| 256 | 459 |
| 257 // Creates a cryptographically secure salt of |salt_size| octets in size, and | 460 // Creates a cryptographically secure salt of |salt_size| octets in size, and |
| 258 // calculate the shared secret for the message. | 461 // calculate the shared secret for the message. |
| 259 crypto::RandBytes(base::WriteInto(&salt, 16 + 1), 16); | 462 crypto::RandBytes(base::WriteInto(&salt, 16 + 1), 16); |
| 260 | 463 |
| 261 std::string shared_secret; | 464 std::string shared_secret; |
| 262 ASSERT_TRUE(ComputeSharedP256Secret( | 465 ASSERT_TRUE(ComputeSharedP256Secret( |
| 263 pair.private_key(), pair.public_key_x509(), server_pair.public_key(), | 466 pair.private_key(), pair.public_key_x509(), server_pair.public_key(), |
| 264 &shared_secret)); | 467 &shared_secret)); |
| 265 | 468 |
| 266 IncomingMessage message; | 469 IncomingMessage message; |
| 267 size_t record_size; | 470 size_t record_size; |
| 268 | 471 |
| 472 message.sender_id = kExampleAuthorizedEntity; | |
| 473 | |
| 269 // Encrypts the |kExampleMessage| using the generated shared key and the | 474 // Encrypts the |kExampleMessage| using the generated shared key and the |
| 270 // random |salt|, storing the result in |record_size| and the message. | 475 // random |salt|, storing the result in |record_size| and the message. |
| 271 GCMMessageCryptographer cryptographer( | 476 GCMMessageCryptographer cryptographer( |
| 272 GCMMessageCryptographer::Label::P256, pair.public_key(), | 477 GCMMessageCryptographer::Label::P256, pair.public_key(), |
| 273 server_pair.public_key(), auth_secret); | 478 server_pair.public_key(), auth_secret); |
| 274 | 479 |
| 275 ASSERT_TRUE(cryptographer.Encrypt(kExampleMessage, shared_secret, salt, | 480 ASSERT_TRUE(cryptographer.Encrypt(kExampleMessage, shared_secret, salt, |
| 276 &record_size, &message.raw_data)); | 481 &record_size, &message.raw_data)); |
| 277 | 482 |
| 278 std::string encoded_salt, encoded_key; | 483 std::string encoded_salt, encoded_key; |
| (...skipping 16 matching lines...) Expand all Loading... | |
| 295 | 500 |
| 296 // Decrypt the message, and expect everything to go wonderfully well. | 501 // Decrypt the message, and expect everything to go wonderfully well. |
| 297 ASSERT_NO_FATAL_FAILURE(Decrypt(message)); | 502 ASSERT_NO_FATAL_FAILURE(Decrypt(message)); |
| 298 ASSERT_EQ(GCMEncryptionProvider::DECRYPTION_RESULT_DECRYPTED, | 503 ASSERT_EQ(GCMEncryptionProvider::DECRYPTION_RESULT_DECRYPTED, |
| 299 decryption_result()); | 504 decryption_result()); |
| 300 | 505 |
| 301 EXPECT_TRUE(decrypted_message().decrypted); | 506 EXPECT_TRUE(decrypted_message().decrypted); |
| 302 EXPECT_EQ(kExampleMessage, decrypted_message().raw_data); | 507 EXPECT_EQ(kExampleMessage, decrypted_message().raw_data); |
| 303 } | 508 } |
| 304 | 509 |
| 510 TEST_F(GCMEncryptionProviderTest, EncryptionRoundTripGCMRegistration) { | |
| 511 // GCMEncryptionProvider::DecryptMessage should succeed when the message was | |
| 512 // sent to a legacy GCM registration (empty instance_id_authorized_entity). | |
| 513 ASSERT_NO_FATAL_FAILURE(TestEncryptionRoundTrip( | |
| 514 kExampleAppId, "" /* empty authorized entity for GCM registration */)); | |
| 515 } | |
| 516 | |
| 517 TEST_F(GCMEncryptionProviderTest, EncryptionRoundTripInstanceIDToken) { | |
| 518 // GCMEncryptionProvider::DecryptMessage should succeed when the message was | |
| 519 // sent to an InstanceID token (non-empty instance_id_authorized_entity). | |
| 520 ASSERT_NO_FATAL_FAILURE( | |
| 521 TestEncryptionRoundTrip(kExampleAppId, kExampleAuthorizedEntity)); | |
| 522 } | |
| 523 | |
| 305 } // namespace gcm | 524 } // namespace gcm |
| OLD | NEW |