| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/ssl/ssl_platform_key_mac.h" |
| 6 |
| 7 #include <CoreFoundation/CoreFoundation.h> |
| 8 #include <Security/SecCertificate.h> |
| 9 #include <Security/SecImportExport.h> |
| 10 #include <Security/SecKeychain.h> |
| 11 |
| 12 #include <string> |
| 13 |
| 14 #include "base/files/file_path.h" |
| 15 #include "base/files/file_util.h" |
| 16 #include "base/files/scoped_temp_dir.h" |
| 17 #include "base/mac/scoped_cftyperef.h" |
| 18 #include "base/memory/ref_counted.h" |
| 19 #include "net/ssl/ssl_private_key.h" |
| 20 #include "net/ssl/ssl_private_key_test_util.h" |
| 21 #include "net/test/cert_test_util.h" |
| 22 #include "net/test/test_data_directory.h" |
| 23 #include "testing/gtest/include/gtest/gtest.h" |
| 24 #include "third_party/boringssl/src/include/openssl/bytestring.h" |
| 25 #include "third_party/boringssl/src/include/openssl/ec_key.h" |
| 26 #include "third_party/boringssl/src/include/openssl/evp.h" |
| 27 #include "third_party/boringssl/src/include/openssl/mem.h" |
| 28 #include "third_party/boringssl/src/include/openssl/rsa.h" |
| 29 |
| 30 namespace net { |
| 31 |
| 32 namespace { |
| 33 |
| 34 struct TestKey { |
| 35 const char* cert_file; |
| 36 const char* key_file; |
| 37 SSLPrivateKey::Type key_type; |
| 38 }; |
| 39 |
| 40 const TestKey kTestKeys[] = { |
| 41 {"client_1.pem", "client_1.pk8", SSLPrivateKey::Type::RSA}, |
| 42 {"client_4.pem", "client_4.pk8", SSLPrivateKey::Type::ECDSA_P256}, |
| 43 {"client_5.pem", "client_5.pk8", SSLPrivateKey::Type::ECDSA_P384}, |
| 44 {"client_6.pem", "client_6.pk8", SSLPrivateKey::Type::ECDSA_P521}, |
| 45 }; |
| 46 |
| 47 std::string TestKeyToString(const testing::TestParamInfo<TestKey>& params) { |
| 48 return SSLPrivateKeyTypeToString(params.param.key_type); |
| 49 } |
| 50 |
| 51 } // namespace |
| 52 |
| 53 class SSLPlatformKeyMacTest : public testing::TestWithParam<TestKey> {}; |
| 54 |
| 55 TEST_P(SSLPlatformKeyMacTest, KeyMatches) { |
| 56 const TestKey& test_key = GetParam(); |
| 57 |
| 58 // Load test data. |
| 59 scoped_refptr<X509Certificate> cert = |
| 60 ImportCertFromFile(GetTestCertsDirectory(), test_key.cert_file); |
| 61 ASSERT_TRUE(cert); |
| 62 |
| 63 std::string pkcs8; |
| 64 base::FilePath pkcs8_path = |
| 65 GetTestCertsDirectory().AppendASCII(test_key.key_file); |
| 66 ASSERT_TRUE(base::ReadFileToString(pkcs8_path, &pkcs8)); |
| 67 |
| 68 // Create a temporary keychain. |
| 69 base::ScopedTempDir keychain_dir; |
| 70 ASSERT_TRUE(keychain_dir.CreateUniqueTempDir()); |
| 71 base::FilePath keychain_path = |
| 72 keychain_dir.GetPath().AppendASCII("test_keychain.keychain"); |
| 73 base::ScopedCFTypeRef<SecKeychainRef> keychain; |
| 74 ASSERT_EQ(noErr, |
| 75 SecKeychainCreate(keychain_path.value().c_str(), 0, "", FALSE, |
| 76 nullptr, keychain.InitializeInto())); |
| 77 |
| 78 // Insert the certificate into the keychain. |
| 79 ASSERT_EQ(noErr, |
| 80 SecCertificateAddToKeychain(cert->os_cert_handle(), keychain)); |
| 81 |
| 82 // Import the key into the keychain. Apple doesn't accept unencrypted PKCS#8, |
| 83 // but it accepts the low-level RSAPrivateKey and ECPrivateKey types as |
| 84 // "kSecFormatOpenSSL", so produce those. There doesn't appear to be a way to |
| 85 // tell it which key type we have, so leave this unspecified and have it |
| 86 // guess. |
| 87 CBS cbs; |
| 88 CBS_init(&cbs, reinterpret_cast<const uint8_t*>(pkcs8.data()), pkcs8.size()); |
| 89 bssl::UniquePtr<EVP_PKEY> openssl_key(EVP_parse_private_key(&cbs)); |
| 90 ASSERT_TRUE(openssl_key); |
| 91 EXPECT_EQ(0u, CBS_len(&cbs)); |
| 92 |
| 93 bssl::ScopedCBB cbb; |
| 94 ASSERT_TRUE(CBB_init(cbb.get(), 0)); |
| 95 if (EVP_PKEY_id(openssl_key.get()) == EVP_PKEY_RSA) { |
| 96 ASSERT_TRUE(RSA_marshal_private_key(cbb.get(), |
| 97 EVP_PKEY_get0_RSA(openssl_key.get()))); |
| 98 } else if (EVP_PKEY_id(openssl_key.get()) == EVP_PKEY_EC) { |
| 99 ASSERT_TRUE(EC_KEY_marshal_private_key( |
| 100 cbb.get(), EVP_PKEY_get0_EC_KEY(openssl_key.get()), 0)); |
| 101 } else { |
| 102 ASSERT_TRUE(false); |
| 103 } |
| 104 |
| 105 uint8_t* encoded; |
| 106 size_t encoded_len; |
| 107 ASSERT_TRUE(CBB_finish(cbb.get(), &encoded, &encoded_len)); |
| 108 bssl::UniquePtr<uint8_t> scoped_encoded(encoded); |
| 109 |
| 110 base::ScopedCFTypeRef<CFDataRef> encoded_ref(CFDataCreateWithBytesNoCopy( |
| 111 kCFAllocatorDefault, encoded, encoded_len, kCFAllocatorNull)); |
| 112 SecExternalFormat format = kSecFormatOpenSSL; |
| 113 SecExternalItemType item_type = kSecItemTypePrivateKey; |
| 114 ASSERT_EQ(noErr, SecItemImport(encoded_ref, nullptr, &format, &item_type, 0, |
| 115 nullptr, keychain, nullptr)); |
| 116 |
| 117 // Finally, test the code to look up the key. |
| 118 scoped_refptr<SSLPrivateKey> key = |
| 119 FetchClientCertPrivateKeyFromKeychain(cert.get(), keychain); |
| 120 ASSERT_TRUE(key); |
| 121 |
| 122 // All Mac keys are expected to have the same hash preferences. |
| 123 std::vector<SSLPrivateKey::Hash> expected_hashes = { |
| 124 SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384, |
| 125 SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1, |
| 126 }; |
| 127 EXPECT_EQ(expected_hashes, key->GetDigestPreferences()); |
| 128 |
| 129 TestSSLPrivateKeyMatches(key.get(), pkcs8); |
| 130 } |
| 131 |
| 132 INSTANTIATE_TEST_CASE_P(, |
| 133 SSLPlatformKeyMacTest, |
| 134 testing::ValuesIn(kTestKeys), |
| 135 TestKeyToString); |
| 136 |
| 137 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2566273008:
Use SecKeyCreateSignature on macOS 10.12 and later. (Closed)
