OLD | NEW |
| (Empty) |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/base/keygen_handler.h" | |
6 | |
7 #include <stdint.h> | |
8 | |
9 #include <string> | |
10 #include <utility> | |
11 | |
12 #include "base/base64.h" | |
13 #include "base/bind.h" | |
14 #include "base/location.h" | |
15 #include "base/logging.h" | |
16 #include "base/strings/string_piece.h" | |
17 #include "base/synchronization/waitable_event.h" | |
18 #include "base/threading/worker_pool.h" | |
19 #include "build/build_config.h" | |
20 #include "testing/gtest/include/gtest/gtest.h" | |
21 #include "third_party/boringssl/src/include/openssl/bytestring.h" | |
22 #include "third_party/boringssl/src/include/openssl/evp.h" | |
23 | |
24 #if defined(USE_NSS_CERTS) | |
25 #include <private/pprthred.h> // PR_DetachThread | |
26 #include "crypto/nss_crypto_module_delegate.h" | |
27 #include "crypto/scoped_test_nss_db.h" | |
28 #endif | |
29 | |
30 namespace net { | |
31 | |
32 namespace { | |
33 | |
34 #if defined(USE_NSS_CERTS) | |
35 class StubCryptoModuleDelegate : public crypto::NSSCryptoModuleDelegate { | |
36 public: | |
37 explicit StubCryptoModuleDelegate(crypto::ScopedPK11Slot slot) | |
38 : slot_(std::move(slot)) {} | |
39 | |
40 std::string RequestPassword(const std::string& slot_name, | |
41 bool retry, | |
42 bool* cancelled) override { | |
43 return std::string(); | |
44 } | |
45 | |
46 crypto::ScopedPK11Slot RequestSlot() override { | |
47 return crypto::ScopedPK11Slot(PK11_ReferenceSlot(slot_.get())); | |
48 } | |
49 | |
50 private: | |
51 crypto::ScopedPK11Slot slot_; | |
52 }; | |
53 #endif | |
54 | |
55 const char kChallenge[] = "some challenge"; | |
56 | |
57 class KeygenHandlerTest : public ::testing::Test { | |
58 public: | |
59 KeygenHandlerTest() {} | |
60 ~KeygenHandlerTest() override {} | |
61 | |
62 std::unique_ptr<KeygenHandler> CreateKeygenHandler() { | |
63 std::unique_ptr<KeygenHandler> handler( | |
64 new KeygenHandler(768, kChallenge, GURL("http://www.example.com"))); | |
65 #if defined(USE_NSS_CERTS) | |
66 handler->set_crypto_module_delegate( | |
67 std::unique_ptr<crypto::NSSCryptoModuleDelegate>( | |
68 new StubCryptoModuleDelegate(crypto::ScopedPK11Slot( | |
69 PK11_ReferenceSlot(test_nss_db_.slot()))))); | |
70 #endif | |
71 return handler; | |
72 } | |
73 | |
74 private: | |
75 #if defined(USE_NSS_CERTS) | |
76 crypto::ScopedTestNSSDB test_nss_db_; | |
77 #endif | |
78 }; | |
79 | |
80 base::StringPiece StringPieceFromCBS(const CBS& cbs) { | |
81 return base::StringPiece(reinterpret_cast<const char*>(CBS_data(&cbs)), | |
82 CBS_len(&cbs)); | |
83 } | |
84 | |
85 // Assert that |result| is a valid output for KeygenHandler given challenge | |
86 // string of |challenge|. | |
87 void AssertValidSignedPublicKeyAndChallenge(const std::string& result, | |
88 const std::string& challenge) { | |
89 // Verify it's valid base64: | |
90 std::string spkac; | |
91 ASSERT_TRUE(base::Base64Decode(result, &spkac)); | |
92 | |
93 // Parse the following structure: | |
94 // | |
95 // PublicKeyAndChallenge ::= SEQUENCE { | |
96 // spki SubjectPublicKeyInfo, | |
97 // challenge IA5STRING | |
98 // } | |
99 // SignedPublicKeyAndChallenge ::= SEQUENCE { | |
100 // publicKeyAndChallenge PublicKeyAndChallenge, | |
101 // signatureAlgorithm AlgorithmIdentifier, | |
102 // signature BIT STRING | |
103 // } | |
104 | |
105 CBS cbs; | |
106 CBS_init(&cbs, reinterpret_cast<const uint8_t*>(spkac.data()), spkac.size()); | |
107 | |
108 // The input should consist of a SEQUENCE. | |
109 CBS child; | |
110 ASSERT_TRUE(CBS_get_asn1(&cbs, &child, CBS_ASN1_SEQUENCE)); | |
111 ASSERT_EQ(0u, CBS_len(&cbs)); | |
112 | |
113 // Extract the raw PublicKeyAndChallenge. | |
114 CBS public_key_and_challenge_raw; | |
115 ASSERT_TRUE(CBS_get_asn1_element(&child, &public_key_and_challenge_raw, | |
116 CBS_ASN1_SEQUENCE)); | |
117 | |
118 // Parse out the PublicKeyAndChallenge. | |
119 CBS copy = public_key_and_challenge_raw; | |
120 CBS public_key_and_challenge; | |
121 ASSERT_TRUE( | |
122 CBS_get_asn1(©, &public_key_and_challenge, CBS_ASN1_SEQUENCE)); | |
123 ASSERT_EQ(0u, CBS_len(©)); | |
124 bssl::UniquePtr<EVP_PKEY> key( | |
125 EVP_parse_public_key(&public_key_and_challenge)); | |
126 ASSERT_TRUE(key); | |
127 CBS challenge_spkac; | |
128 ASSERT_TRUE(CBS_get_asn1(&public_key_and_challenge, &challenge_spkac, | |
129 CBS_ASN1_IA5STRING)); | |
130 ASSERT_EQ(0u, CBS_len(&public_key_and_challenge)); | |
131 | |
132 // The challenge must match. | |
133 ASSERT_EQ(challenge, StringPieceFromCBS(challenge_spkac)); | |
134 | |
135 // The next element must be the AlgorithmIdentifier for MD5 with RSA. | |
136 static const uint8_t kMd5WithRsaEncryption[] = { | |
137 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, | |
138 0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, | |
139 }; | |
140 CBS algorithm; | |
141 ASSERT_TRUE(CBS_get_bytes(&child, &algorithm, sizeof(kMd5WithRsaEncryption))); | |
142 ASSERT_EQ( | |
143 base::StringPiece(reinterpret_cast<const char*>(kMd5WithRsaEncryption), | |
144 sizeof(kMd5WithRsaEncryption)), | |
145 StringPieceFromCBS(algorithm)); | |
146 | |
147 // Finally, parse the signature. | |
148 CBS signature; | |
149 ASSERT_TRUE(CBS_get_asn1(&child, &signature, CBS_ASN1_BITSTRING)); | |
150 ASSERT_EQ(0u, CBS_len(&child)); | |
151 uint8_t pad; | |
152 ASSERT_TRUE(CBS_get_u8(&signature, &pad)); | |
153 ASSERT_EQ(0u, pad); | |
154 | |
155 // Check the signature. | |
156 bssl::ScopedEVP_MD_CTX ctx; | |
157 ASSERT_TRUE( | |
158 EVP_DigestVerifyInit(ctx.get(), nullptr, EVP_md5(), nullptr, key.get())); | |
159 ASSERT_TRUE(EVP_DigestVerifyUpdate(ctx.get(), | |
160 CBS_data(&public_key_and_challenge_raw), | |
161 CBS_len(&public_key_and_challenge_raw))); | |
162 ASSERT_TRUE(EVP_DigestVerifyFinal(ctx.get(), CBS_data(&signature), | |
163 CBS_len(&signature))); | |
164 } | |
165 | |
166 TEST_F(KeygenHandlerTest, SmokeTest) { | |
167 std::unique_ptr<KeygenHandler> handler(CreateKeygenHandler()); | |
168 handler->set_stores_key(false); // Don't leave the key-pair behind | |
169 std::string result = handler->GenKeyAndSignChallenge(); | |
170 VLOG(1) << "KeygenHandler produced: " << result; | |
171 AssertValidSignedPublicKeyAndChallenge(result, kChallenge); | |
172 } | |
173 | |
174 void ConcurrencyTestCallback(const std::string& challenge, | |
175 base::WaitableEvent* event, | |
176 std::unique_ptr<KeygenHandler> handler, | |
177 std::string* result) { | |
178 handler->set_stores_key(false); // Don't leave the key-pair behind. | |
179 *result = handler->GenKeyAndSignChallenge(); | |
180 event->Signal(); | |
181 #if defined(USE_NSS_CERTS) | |
182 // Detach the thread from NSPR. | |
183 // Calling NSS functions attaches the thread to NSPR, which stores | |
184 // the NSPR thread ID in thread-specific data. | |
185 // The threads in our thread pool terminate after we have called | |
186 // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets | |
187 // segfaults on shutdown when the threads' thread-specific data | |
188 // destructors run. | |
189 PR_DetachThread(); | |
190 #endif | |
191 } | |
192 | |
193 // We asynchronously generate the keys so as not to hang up the IO thread. This | |
194 // test tries to catch concurrency problems in the keygen implementation. | |
195 TEST_F(KeygenHandlerTest, ConcurrencyTest) { | |
196 const int NUM_HANDLERS = 5; | |
197 base::WaitableEvent* events[NUM_HANDLERS] = { NULL }; | |
198 std::string results[NUM_HANDLERS]; | |
199 for (int i = 0; i < NUM_HANDLERS; i++) { | |
200 std::unique_ptr<KeygenHandler> handler(CreateKeygenHandler()); | |
201 events[i] = new base::WaitableEvent( | |
202 base::WaitableEvent::ResetPolicy::AUTOMATIC, | |
203 base::WaitableEvent::InitialState::NOT_SIGNALED); | |
204 base::WorkerPool::PostTask(FROM_HERE, | |
205 base::Bind(ConcurrencyTestCallback, | |
206 "some challenge", | |
207 events[i], | |
208 base::Passed(&handler), | |
209 &results[i]), | |
210 true); | |
211 } | |
212 | |
213 for (int i = 0; i < NUM_HANDLERS; i++) { | |
214 // Make sure the job completed | |
215 events[i]->Wait(); | |
216 delete events[i]; | |
217 events[i] = NULL; | |
218 | |
219 VLOG(1) << "KeygenHandler " << i << " produced: " << results[i]; | |
220 AssertValidSignedPublicKeyAndChallenge(results[i], "some challenge"); | |
221 } | |
222 } | |
223 | |
224 } // namespace | |
225 | |
226 } // namespace net | |
OLD | NEW |