| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/base/keygen_handler.h" | |
| 6 | |
| 7 #include <stdint.h> | |
| 8 | |
| 9 #include <string> | |
| 10 #include <utility> | |
| 11 | |
| 12 #include "base/base64.h" | |
| 13 #include "base/bind.h" | |
| 14 #include "base/location.h" | |
| 15 #include "base/logging.h" | |
| 16 #include "base/strings/string_piece.h" | |
| 17 #include "base/synchronization/waitable_event.h" | |
| 18 #include "base/threading/thread_restrictions.h" | |
| 19 #include "base/threading/worker_pool.h" | |
| 20 #include "build/build_config.h" | |
| 21 #include "testing/gtest/include/gtest/gtest.h" | |
| 22 #include "third_party/boringssl/src/include/openssl/bytestring.h" | |
| 23 #include "third_party/boringssl/src/include/openssl/evp.h" | |
| 24 | |
| 25 #if defined(USE_NSS_CERTS) | |
| 26 #include <private/pprthred.h> // PR_DetachThread | |
| 27 #include "crypto/nss_crypto_module_delegate.h" | |
| 28 #include "crypto/scoped_test_nss_db.h" | |
| 29 #endif | |
| 30 | |
| 31 namespace net { | |
| 32 | |
| 33 namespace { | |
| 34 | |
| 35 #if defined(USE_NSS_CERTS) | |
| 36 class StubCryptoModuleDelegate : public crypto::NSSCryptoModuleDelegate { | |
| 37 public: | |
| 38 explicit StubCryptoModuleDelegate(crypto::ScopedPK11Slot slot) | |
| 39 : slot_(std::move(slot)) {} | |
| 40 | |
| 41 std::string RequestPassword(const std::string& slot_name, | |
| 42 bool retry, | |
| 43 bool* cancelled) override { | |
| 44 return std::string(); | |
| 45 } | |
| 46 | |
| 47 crypto::ScopedPK11Slot RequestSlot() override { | |
| 48 return crypto::ScopedPK11Slot(PK11_ReferenceSlot(slot_.get())); | |
| 49 } | |
| 50 | |
| 51 private: | |
| 52 crypto::ScopedPK11Slot slot_; | |
| 53 }; | |
| 54 #endif | |
| 55 | |
| 56 const char kChallenge[] = "some challenge"; | |
| 57 | |
| 58 class KeygenHandlerTest : public ::testing::Test { | |
| 59 public: | |
| 60 KeygenHandlerTest() {} | |
| 61 ~KeygenHandlerTest() override {} | |
| 62 | |
| 63 std::unique_ptr<KeygenHandler> CreateKeygenHandler() { | |
| 64 std::unique_ptr<KeygenHandler> handler( | |
| 65 new KeygenHandler(768, kChallenge, GURL("http://www.example.com"))); | |
| 66 #if defined(USE_NSS_CERTS) | |
| 67 handler->set_crypto_module_delegate( | |
| 68 std::unique_ptr<crypto::NSSCryptoModuleDelegate>( | |
| 69 new StubCryptoModuleDelegate(crypto::ScopedPK11Slot( | |
| 70 PK11_ReferenceSlot(test_nss_db_.slot()))))); | |
| 71 #endif | |
| 72 return handler; | |
| 73 } | |
| 74 | |
| 75 private: | |
| 76 #if defined(USE_NSS_CERTS) | |
| 77 crypto::ScopedTestNSSDB test_nss_db_; | |
| 78 #endif | |
| 79 }; | |
| 80 | |
| 81 base::StringPiece StringPieceFromCBS(const CBS& cbs) { | |
| 82 return base::StringPiece(reinterpret_cast<const char*>(CBS_data(&cbs)), | |
| 83 CBS_len(&cbs)); | |
| 84 } | |
| 85 | |
| 86 // Assert that |result| is a valid output for KeygenHandler given challenge | |
| 87 // string of |challenge|. | |
| 88 void AssertValidSignedPublicKeyAndChallenge(const std::string& result, | |
| 89 const std::string& challenge) { | |
| 90 // Verify it's valid base64: | |
| 91 std::string spkac; | |
| 92 ASSERT_TRUE(base::Base64Decode(result, &spkac)); | |
| 93 | |
| 94 // Parse the following structure: | |
| 95 // | |
| 96 // PublicKeyAndChallenge ::= SEQUENCE { | |
| 97 // spki SubjectPublicKeyInfo, | |
| 98 // challenge IA5STRING | |
| 99 // } | |
| 100 // SignedPublicKeyAndChallenge ::= SEQUENCE { | |
| 101 // publicKeyAndChallenge PublicKeyAndChallenge, | |
| 102 // signatureAlgorithm AlgorithmIdentifier, | |
| 103 // signature BIT STRING | |
| 104 // } | |
| 105 | |
| 106 CBS cbs; | |
| 107 CBS_init(&cbs, reinterpret_cast<const uint8_t*>(spkac.data()), spkac.size()); | |
| 108 | |
| 109 // The input should consist of a SEQUENCE. | |
| 110 CBS child; | |
| 111 ASSERT_TRUE(CBS_get_asn1(&cbs, &child, CBS_ASN1_SEQUENCE)); | |
| 112 ASSERT_EQ(0u, CBS_len(&cbs)); | |
| 113 | |
| 114 // Extract the raw PublicKeyAndChallenge. | |
| 115 CBS public_key_and_challenge_raw; | |
| 116 ASSERT_TRUE(CBS_get_asn1_element(&child, &public_key_and_challenge_raw, | |
| 117 CBS_ASN1_SEQUENCE)); | |
| 118 | |
| 119 // Parse out the PublicKeyAndChallenge. | |
| 120 CBS copy = public_key_and_challenge_raw; | |
| 121 CBS public_key_and_challenge; | |
| 122 ASSERT_TRUE( | |
| 123 CBS_get_asn1(©, &public_key_and_challenge, CBS_ASN1_SEQUENCE)); | |
| 124 ASSERT_EQ(0u, CBS_len(©)); | |
| 125 bssl::UniquePtr<EVP_PKEY> key( | |
| 126 EVP_parse_public_key(&public_key_and_challenge)); | |
| 127 ASSERT_TRUE(key); | |
| 128 CBS challenge_spkac; | |
| 129 ASSERT_TRUE(CBS_get_asn1(&public_key_and_challenge, &challenge_spkac, | |
| 130 CBS_ASN1_IA5STRING)); | |
| 131 ASSERT_EQ(0u, CBS_len(&public_key_and_challenge)); | |
| 132 | |
| 133 // The challenge must match. | |
| 134 ASSERT_EQ(challenge, StringPieceFromCBS(challenge_spkac)); | |
| 135 | |
| 136 // The next element must be the AlgorithmIdentifier for MD5 with RSA. | |
| 137 static const uint8_t kMd5WithRsaEncryption[] = { | |
| 138 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, | |
| 139 0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, | |
| 140 }; | |
| 141 CBS algorithm; | |
| 142 ASSERT_TRUE(CBS_get_bytes(&child, &algorithm, sizeof(kMd5WithRsaEncryption))); | |
| 143 ASSERT_EQ( | |
| 144 base::StringPiece(reinterpret_cast<const char*>(kMd5WithRsaEncryption), | |
| 145 sizeof(kMd5WithRsaEncryption)), | |
| 146 StringPieceFromCBS(algorithm)); | |
| 147 | |
| 148 // Finally, parse the signature. | |
| 149 CBS signature; | |
| 150 ASSERT_TRUE(CBS_get_asn1(&child, &signature, CBS_ASN1_BITSTRING)); | |
| 151 ASSERT_EQ(0u, CBS_len(&child)); | |
| 152 uint8_t pad; | |
| 153 ASSERT_TRUE(CBS_get_u8(&signature, &pad)); | |
| 154 ASSERT_EQ(0u, pad); | |
| 155 | |
| 156 // Check the signature. | |
| 157 bssl::ScopedEVP_MD_CTX ctx; | |
| 158 ASSERT_TRUE( | |
| 159 EVP_DigestVerifyInit(ctx.get(), nullptr, EVP_md5(), nullptr, key.get())); | |
| 160 ASSERT_TRUE(EVP_DigestVerifyUpdate(ctx.get(), | |
| 161 CBS_data(&public_key_and_challenge_raw), | |
| 162 CBS_len(&public_key_and_challenge_raw))); | |
| 163 ASSERT_TRUE(EVP_DigestVerifyFinal(ctx.get(), CBS_data(&signature), | |
| 164 CBS_len(&signature))); | |
| 165 } | |
| 166 | |
| 167 TEST_F(KeygenHandlerTest, SmokeTest) { | |
| 168 std::unique_ptr<KeygenHandler> handler(CreateKeygenHandler()); | |
| 169 handler->set_stores_key(false); // Don't leave the key-pair behind | |
| 170 std::string result = handler->GenKeyAndSignChallenge(); | |
| 171 VLOG(1) << "KeygenHandler produced: " << result; | |
| 172 AssertValidSignedPublicKeyAndChallenge(result, kChallenge); | |
| 173 } | |
| 174 | |
| 175 void ConcurrencyTestCallback(const std::string& challenge, | |
| 176 base::WaitableEvent* event, | |
| 177 std::unique_ptr<KeygenHandler> handler, | |
| 178 std::string* result) { | |
| 179 // We allow Singleton use on the worker thread here since we use a | |
| 180 // WaitableEvent to synchronize, so it's safe. | |
| 181 base::ThreadRestrictions::ScopedAllowSingleton scoped_allow_singleton; | |
| 182 handler->set_stores_key(false); // Don't leave the key-pair behind. | |
| 183 *result = handler->GenKeyAndSignChallenge(); | |
| 184 event->Signal(); | |
| 185 #if defined(USE_NSS_CERTS) | |
| 186 // Detach the thread from NSPR. | |
| 187 // Calling NSS functions attaches the thread to NSPR, which stores | |
| 188 // the NSPR thread ID in thread-specific data. | |
| 189 // The threads in our thread pool terminate after we have called | |
| 190 // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets | |
| 191 // segfaults on shutdown when the threads' thread-specific data | |
| 192 // destructors run. | |
| 193 PR_DetachThread(); | |
| 194 #endif | |
| 195 } | |
| 196 | |
| 197 // We asynchronously generate the keys so as not to hang up the IO thread. This | |
| 198 // test tries to catch concurrency problems in the keygen implementation. | |
| 199 TEST_F(KeygenHandlerTest, ConcurrencyTest) { | |
| 200 const int NUM_HANDLERS = 5; | |
| 201 base::WaitableEvent* events[NUM_HANDLERS] = { NULL }; | |
| 202 std::string results[NUM_HANDLERS]; | |
| 203 for (int i = 0; i < NUM_HANDLERS; i++) { | |
| 204 std::unique_ptr<KeygenHandler> handler(CreateKeygenHandler()); | |
| 205 events[i] = new base::WaitableEvent( | |
| 206 base::WaitableEvent::ResetPolicy::AUTOMATIC, | |
| 207 base::WaitableEvent::InitialState::NOT_SIGNALED); | |
| 208 base::WorkerPool::PostTask(FROM_HERE, | |
| 209 base::Bind(ConcurrencyTestCallback, | |
| 210 "some challenge", | |
| 211 events[i], | |
| 212 base::Passed(&handler), | |
| 213 &results[i]), | |
| 214 true); | |
| 215 } | |
| 216 | |
| 217 for (int i = 0; i < NUM_HANDLERS; i++) { | |
| 218 // Make sure the job completed | |
| 219 events[i]->Wait(); | |
| 220 delete events[i]; | |
| 221 events[i] = NULL; | |
| 222 | |
| 223 VLOG(1) << "KeygenHandler " << i << " produced: " << results[i]; | |
| 224 AssertValidSignedPublicKeyAndChallenge(results[i], "some challenge"); | |
| 225 } | |
| 226 } | |
| 227 | |
| 228 } // namespace | |
| 229 | |
| 230 } // namespace net | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2536993002:
Remove support for the keygen tag (Closed)
