Tidy up ssl_platform_key_android_unittest.cc.

net/ssl/ssl_platform_key_android_unittest.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include <openssl/bytestring.h>
 #include <openssl/digest.h>
 #include <openssl/ecdsa.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
+#include <openssl/x509.h>
 
-#include "base/android/build_info.h"
 #include "base/android/jni_android.h"
 #include "base/android/jni_array.h"
 #include "base/android/scoped_java_ref.h"
 #include "base/bind.h"
-#include "base/callback.h"
-#include "base/compiler_specific.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
-#include "base/files/scoped_file.h"
 #include "base/run_loop.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
-#include "crypto/auto_cbb.h"
 #include "crypto/openssl_util.h"
-#include "crypto/scoped_openssl_types.h"
 #include "net/android/keystore.h"
-#include "net/ssl/scoped_openssl_types.h"
+#include "net/cert/x509_certificate.h"
 #include "net/ssl/ssl_platform_key_android.h"
 #include "net/ssl/ssl_private_key.h"
+#include "net/test/cert_test_util.h"
 #include "net/test/jni/AndroidKeyStoreTestUtil_jni.h"
 #include "net/test/test_data_directory.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 
 namespace {
 
 typedef base::android::ScopedJavaLocalRef<jobject> ScopedJava;
 
 // Resize a string to |size| bytes of data, then return its data buffer
 // address cast as an 'unsigned char*', as expected by OpenSSL functions.
 // |str| the target string.
 // |size| the number of bytes to write into the string.
 // Return the string's new buffer in memory, as an 'unsigned char*'
 // pointer.
 unsigned char* OpenSSLWriteInto(std::string* str, size_t size) {
   return reinterpret_cast<unsigned char*>(base::WriteInto(str, size + 1));
 }
 
+bool ReadTestFile(const char* filename, std::string* pkcs8) {
+  base::FilePath certs_dir = GetTestCertsDirectory();
+  base::FilePath file_path = certs_dir.AppendASCII(filename);
+  return base::ReadFileToString(file_path, pkcs8);
+}
+
 // Load a given private key file into an EVP_PKEY.
 // |filename| is the key file path.
 // Returns a new EVP_PKEY on success, NULL on failure.
-EVP_PKEY* ImportPrivateKeyFile(const char* filename) {
+bssl::UniquePtr<EVP_PKEY> ImportPrivateKeyFile(const char* filename) {
+  std::string pkcs8;
+  if (!ReadTestFile(filename, &pkcs8))
+    return nullptr;
+
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  CBS cbs;
+  CBS_init(&cbs, reinterpret_cast<const uint8_t*>(pkcs8.data()), pkcs8.size());
+  bssl::UniquePtr<EVP_PKEY> pkey(EVP_parse_private_key(&cbs));
+  if (!pkey) {
+    LOG(ERROR) << "Could not load private key file: " << filename;
+    return nullptr;
+  }
 
-  // Load file in memory.
-  base::FilePath certs_dir = GetTestCertsDirectory();
-  base::FilePath file_path = certs_dir.AppendASCII(filename);
-  base::ScopedFILE handle(base::OpenFile(file_path, "rb"));
-  if (!handle) {
-    LOG(ERROR) << "Could not open private key file: " << filename;
-    return NULL;
-  }
-  // Assume it is PEM_encoded. Load it as an EVP_PKEY.
-  EVP_PKEY* pkey = PEM_read_PrivateKey(handle.get(), NULL, NULL, NULL);
-  if (!pkey) {
-    LOG(ERROR) << "Could not load public key file: " << filename;
-    return NULL;
-  }
   return pkey;
 }
 
-// Convert a private key into its PKCS#8 encoded representation.
-// |pkey| is the EVP_PKEY handle for the private key.
-// |pkcs8| will receive the PKCS#8 bytes.
-// Returns true on success, false otherwise.
-bool GetPrivateKeyPkcs8Bytes(const crypto::ScopedEVP_PKEY& pkey,
-                             std::string* pkcs8) {
-  uint8_t* der;
-  size_t der_len;
-  crypto::AutoCBB cbb;
-  if (!CBB_init(cbb.get(), 0) ||
-      !EVP_marshal_private_key(cbb.get(), pkey.get()) ||
-      !CBB_finish(cbb.get(), &der, &der_len)) {
-    return false;
-  }
-  pkcs8->assign(reinterpret_cast<const char*>(der), der_len);
-  OPENSSL_free(der);
-  return true;
-}
-
-bool ImportPrivateKeyFileAsPkcs8(const char* filename, std::string* pkcs8) {
-  crypto::ScopedEVP_PKEY pkey(ImportPrivateKeyFile(filename));
-  if (!pkey)
-    return false;
-  return GetPrivateKeyPkcs8Bytes(pkey, pkcs8);
-}
-
-// Same as ImportPrivateKey, but for public ones.
-EVP_PKEY* ImportPublicKeyFile(const char* filename) {
+// Imports the public key from the specified test certificate.
+bssl::UniquePtr<EVP_PKEY> ImportPublicKeyFromCertificateFile(
+    const char* filename) {
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
-  // Load file as PEM data.
-  base::FilePath certs_dir = GetTestCertsDirectory();
-  base::FilePath file_path = certs_dir.AppendASCII(filename);
-  base::ScopedFILE handle(base::OpenFile(file_path, "rb"));
-  if (!handle) {
-    LOG(ERROR) << "Could not open public key file: " << filename;
-    return NULL;
+  scoped_refptr<X509Certificate> cert =
+      ImportCertFromFile(GetTestCertsDirectory(), filename);
+  if (!cert) {
+    LOG(ERROR) << "Could not open certificate file: " << filename;
+    return nullptr;
   }
-  EVP_PKEY* pkey = PEM_read_PUBKEY(handle.get(), NULL, NULL, NULL);
+
+  bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(cert->os_cert_handle()));
   if (!pkey) {
-    LOG(ERROR) << "Could not load public key file: " << filename;
-    return NULL;
+    LOG(ERROR) << "Could not load public key from certificate: " << filename;
+    return nullptr;
   }
+
   return pkey;
 }
 
 // Retrieve a JNI local ref from encoded PKCS#8 data.
 ScopedJava GetPKCS8PrivateKeyJava(android::PrivateKeyType key_type,
                                   const std::string& pkcs8_key) {
   JNIEnv* env = base::android::AttachCurrentThread();
   base::android::ScopedJavaLocalRef<jbyteArray> bytes(
       base::android::ToJavaByteArray(
           env, reinterpret_cast<const uint8_t*>(pkcs8_key.data()),
           pkcs8_key.size()));
 
   ScopedJava key(Java_AndroidKeyStoreTestUtil_createPrivateKeyFromPKCS8(
       env, key_type, bytes));
 
   return key;
 }
 
-const char kTestRsaKeyFile[] = "android-test-key-rsa.pem";
+const char kTestRsaKeyFile[] = "client_1.pk8";
 
 // Retrieve a JNI local ref for our test RSA key.
 ScopedJava GetRSATestKeyJava() {
   std::string key;
-  if (!ImportPrivateKeyFileAsPkcs8(kTestRsaKeyFile, &key))
+  if (!ReadTestFile(kTestRsaKeyFile, &key))
     return ScopedJava();
   return GetPKCS8PrivateKeyJava(android::PRIVATE_KEY_TYPE_RSA, key);
 }
 
-const char kTestEcdsaKeyFile[] = "android-test-key-ecdsa.pem";
-const char kTestEcdsaPublicKeyFile[] = "android-test-key-ecdsa-public.pem";
+const char kTestEcdsaKeyFile[] = "client_4.pk8";
+const char kTestEcdsaCertificateFile[] = "client_4.pem";
 
 // Retrieve a JNI local ref for our test ECDSA key.
 ScopedJava GetECDSATestKeyJava() {
   std::string key;
-  if (!ImportPrivateKeyFileAsPkcs8(kTestEcdsaKeyFile, &key))
+  if (!ReadTestFile(kTestEcdsaKeyFile, &key))
     return ScopedJava();
   return GetPKCS8PrivateKeyJava(android::PRIVATE_KEY_TYPE_ECDSA, key);
 }
 
 // Call this function to verify that one message signed with our
 // test ECDSA private key is correct. Since ECDSA signing introduces
 // random elements in the signature, it is not possible to compare
 // signature bits directly. However, one can use the public key
 // to do the check.
 bool VerifyTestECDSASignature(const base::StringPiece& message,
                               const base::StringPiece& signature) {
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
-  crypto::ScopedEVP_PKEY pkey(ImportPublicKeyFile(kTestEcdsaPublicKeyFile));
+  bssl::UniquePtr<EVP_PKEY> pkey =
+      ImportPublicKeyFromCertificateFile(kTestEcdsaCertificateFile);
   if (!pkey)
     return false;
-  crypto::ScopedEC_KEY pub_key(EVP_PKEY_get1_EC_KEY(pkey.get()));
+
+  EC_KEY* pub_key = EVP_PKEY_get0_EC_KEY(pkey.get());
   if (!pub_key) {
     LOG(ERROR) << "Could not get ECDSA public key";
     return false;
   }
 
   const unsigned char* digest =
       reinterpret_cast<const unsigned char*>(message.data());
   int digest_len = static_cast<int>(message.size());
   const unsigned char* sigbuf =
       reinterpret_cast<const unsigned char*>(signature.data());
   int siglen = static_cast<int>(signature.size());
 
-  int ret = ECDSA_verify(0, digest, digest_len, sigbuf, siglen, pub_key.get());
-  if (ret != 1) {
+  if (!ECDSA_verify(0, digest, digest_len, sigbuf, siglen, pub_key)) {
     LOG(ERROR) << "ECDSA_verify() failed";
     return false;
   }
   return true;
 }
 
 // Sign a message with OpenSSL, return the result as a string.
 // |message| is the message to be signed.
 // |openssl_key| is an OpenSSL EVP_PKEY to use.
 // |result| receives the result.
 // Returns true on success, false otherwise.
 bool SignWithOpenSSL(int hash_nid,
                      const base::StringPiece& message,
                      EVP_PKEY* openssl_key,
                      std::string* result) {
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+  RSA* rsa = EVP_PKEY_get0_RSA(openssl_key);
+  if (!rsa) {
+    LOG(ERROR) << "Could not get RSA from EVP_PKEY";
+    return false;
+  }
+
   const unsigned char* digest =
       reinterpret_cast<const unsigned char*>(message.data());
   unsigned int digest_len = static_cast<unsigned int>(message.size());
+
+  // With RSA, the signature will always be RSA_size() bytes.
+  size_t max_signature_size = static_cast<size_t>(RSA_size(rsa));
   std::string signature;
-  size_t signature_size;
-  size_t max_signature_size;
-  int key_type = EVP_PKEY_id(openssl_key);
-  switch (key_type) {
-    case EVP_PKEY_RSA: {
-      crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(openssl_key));
-      if (!rsa) {
-        LOG(ERROR) << "Could not get RSA from EVP_PKEY";
-        return false;
-      }
-      // With RSA, the signature will always be RSA_size() bytes.
-      max_signature_size = static_cast<size_t>(RSA_size(rsa.get()));
-      unsigned char* p = OpenSSLWriteInto(&signature, max_signature_size);
-      unsigned int p_len = 0;
-      int ret = RSA_sign(hash_nid, digest, digest_len, p, &p_len, rsa.get());
-      if (ret != 1) {
-        LOG(ERROR) << "RSA_sign() failed";
-        return false;
-      }
-      signature_size = static_cast<size_t>(p_len);
-      break;
-    }
-    default:
-      LOG(WARNING) << "Invalid OpenSSL key type: " << key_type;
-      return false;
+  unsigned char* p = OpenSSLWriteInto(&signature, max_signature_size);
+  unsigned int p_len = 0;
+  if (!RSA_sign(hash_nid, digest, digest_len, p, &p_len, rsa)) {
+    LOG(ERROR) << "RSA_sign() failed";
+    return false;
   }
 
+  size_t signature_size = static_cast<size_t>(p_len);
   if (signature_size == 0) {
     LOG(ERROR) << "Signature is empty!";
     return false;
   }
   if (signature_size > max_signature_size) {
     LOG(ERROR) << "Signature size mismatch, actual " << signature_size
                << ", expected <= " << max_signature_size;
     return false;
   }
   signature.resize(signature_size);
@@ skipping 78 matching lines @@
 
 TEST(SSLPlatformKeyAndroid, RSA) {
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
   ScopedJava rsa_key = GetRSATestKeyJava();
   ASSERT_FALSE(rsa_key.is_null());
 
   scoped_refptr<SSLPrivateKey> wrapper_key = WrapJavaPrivateKey(rsa_key);
   ASSERT_TRUE(wrapper_key);
 
-  crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestRsaKeyFile));
+  bssl::UniquePtr<EVP_PKEY> openssl_key = ImportPrivateKeyFile(kTestRsaKeyFile);
   ASSERT_TRUE(openssl_key);
 
   // Check that the wrapper key returns the correct length and type.
   EXPECT_EQ(SSLPrivateKey::Type::RSA, wrapper_key->GetType());
   EXPECT_EQ(static_cast<size_t>(EVP_PKEY_size(openssl_key.get())),
             wrapper_key->GetMaxSignatureLengthInBytes());
 
   // Test signing against each hash.
   for (const auto& hash : kHashes) {
     SCOPED_TRACE(hash.name);
@@ skipping 11 matching lines @@
 
 TEST(SSLPlatformKeyAndroid, ECDSA) {
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
   ScopedJava ecdsa_key = GetECDSATestKeyJava();
   ASSERT_FALSE(ecdsa_key.is_null());
 
   scoped_refptr<SSLPrivateKey> wrapper_key = WrapJavaPrivateKey(ecdsa_key);
   ASSERT_TRUE(wrapper_key);
 
-  crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestEcdsaKeyFile));
+  bssl::UniquePtr<EVP_PKEY> openssl_key =
+      ImportPrivateKeyFile(kTestEcdsaKeyFile);
   ASSERT_TRUE(openssl_key);
 
   // Check that the wrapper key returns the correct length and type.
   EXPECT_EQ(SSLPrivateKey::Type::ECDSA, wrapper_key->GetType());
   EXPECT_EQ(static_cast<size_t>(EVP_PKEY_size(openssl_key.get())),
             wrapper_key->GetMaxSignatureLengthInBytes());
 
   // Test signing against each hash.
   for (const auto& hash : kHashes) {
     // ECDSA does not sign MD5-SHA1.
     if (hash.nid == NID_md5_sha1)
       continue;
 
     SCOPED_TRACE(hash.name);
     const EVP_MD* md = EVP_get_digestbynid(hash.nid);
     ASSERT_TRUE(md);
     std::string digest(EVP_MD_size(md), 'a');
 
     std::string signature;
     DoKeySigningWithWrapper(wrapper_key.get(), hash.hash, digest, &signature);
     ASSERT_TRUE(VerifyTestECDSASignature(digest, signature));
   }
 }
 
 }  // namespace net