| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/ssl/ssl_platform_key.h" |
| 6 |
| 7 #include <keyhi.h> |
| 8 #include <pk11pub.h> |
| 9 #include <stdint.h> |
| 10 #include <string.h> |
| 11 |
| 12 #include <memory> |
| 13 #include <string> |
| 14 #include <vector> |
| 15 |
| 16 #include "base/files/file_path.h" |
| 17 #include "base/files/file_util.h" |
| 18 #include "base/memory/ref_counted.h" |
| 19 #include "crypto/ec_private_key.h" |
| 20 #include "crypto/scoped_nss_types.h" |
| 21 #include "crypto/scoped_test_nss_db.h" |
| 22 #include "net/ssl/ssl_private_key.h" |
| 23 #include "net/ssl/ssl_private_key_test_util.h" |
| 24 #include "net/test/cert_test_util.h" |
| 25 #include "net/test/test_data_directory.h" |
| 26 #include "testing/gtest/include/gtest/gtest.h" |
| 27 #include "third_party/boringssl/src/include/openssl/bytestring.h" |
| 28 #include "third_party/boringssl/src/include/openssl/ec.h" |
| 29 #include "third_party/boringssl/src/include/openssl/ec_key.h" |
| 30 #include "third_party/boringssl/src/include/openssl/evp.h" |
| 31 #include "third_party/boringssl/src/include/openssl/mem.h" |
| 32 |
| 33 namespace net { |
| 34 |
| 35 namespace { |
| 36 |
| 37 struct TestKey { |
| 38 const char* cert_file; |
| 39 const char* key_file; |
| 40 SSLPrivateKey::Type key_type; |
| 41 }; |
| 42 |
| 43 const TestKey kTestKeys[] = { |
| 44 {"client_1.pem", "client_1.pk8", SSLPrivateKey::Type::RSA}, |
| 45 {"client_4.pem", "client_4.pk8", SSLPrivateKey::Type::ECDSA_P256}, |
| 46 {"client_5.pem", "client_5.pk8", SSLPrivateKey::Type::ECDSA_P384}, |
| 47 {"client_6.pem", "client_6.pk8", SSLPrivateKey::Type::ECDSA_P521}, |
| 48 }; |
| 49 |
| 50 std::string TestKeyToString(const testing::TestParamInfo<TestKey>& params) { |
| 51 return SSLPrivateKeyTypeToString(params.param.key_type); |
| 52 } |
| 53 |
| 54 } // namespace |
| 55 |
| 56 class SSLPlatformKeyNSSTest : public testing::TestWithParam<TestKey> {}; |
| 57 |
| 58 TEST_P(SSLPlatformKeyNSSTest, KeyMatches) { |
| 59 const TestKey& test_key = GetParam(); |
| 60 |
| 61 std::string pkcs8; |
| 62 base::FilePath pkcs8_path = |
| 63 GetTestCertsDirectory().AppendASCII(test_key.key_file); |
| 64 ASSERT_TRUE(base::ReadFileToString(pkcs8_path, &pkcs8)); |
| 65 |
| 66 // Import the key into a test NSS database. |
| 67 crypto::ScopedTestNSSDB test_db; |
| 68 scoped_refptr<X509Certificate> cert; |
| 69 if (SSLPrivateKey::IsECDSAType(test_key.key_type)) { |
| 70 // NSS cannot import unencrypted ECDSA keys, so we encrypt it with an empty |
| 71 // password and import manually. |
| 72 std::vector<uint8_t> pkcs8_vector(pkcs8.begin(), pkcs8.end()); |
| 73 std::unique_ptr<crypto::ECPrivateKey> ec_private_key = |
| 74 crypto::ECPrivateKey::CreateFromPrivateKeyInfo(pkcs8_vector); |
| 75 ASSERT_TRUE(ec_private_key); |
| 76 std::vector<uint8_t> encrypted; |
| 77 ASSERT_TRUE(ec_private_key->ExportEncryptedPrivateKey("", 1, &encrypted)); |
| 78 |
| 79 SECItem encrypted_item = {siBuffer, encrypted.data(), |
| 80 static_cast<unsigned>(encrypted.size())}; |
| 81 SECKEYEncryptedPrivateKeyInfo epki; |
| 82 memset(&epki, 0, sizeof(epki)); |
| 83 crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); |
| 84 ASSERT_EQ(SECSuccess, |
| 85 SEC_QuickDERDecodeItem( |
| 86 arena.get(), &epki, |
| 87 SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate), |
| 88 &encrypted_item)); |
| 89 |
| 90 // NSS uses the serialized public key in X9.62 form as the "public value" |
| 91 // for key ID purposes. |
| 92 bssl::ScopedCBB cbb; |
| 93 ASSERT_TRUE(CBB_init(cbb.get(), 0)); |
| 94 EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(ec_private_key->key()); |
| 95 ASSERT_TRUE(EC_POINT_point2cbb(cbb.get(), EC_KEY_get0_group(ec_key), |
| 96 EC_KEY_get0_public_key(ec_key), |
| 97 POINT_CONVERSION_UNCOMPRESSED, nullptr)); |
| 98 uint8_t* public_value; |
| 99 size_t public_value_len; |
| 100 ASSERT_TRUE(CBB_finish(cbb.get(), &public_value, &public_value_len)); |
| 101 bssl::UniquePtr<uint8_t> scoped_public_value(public_value); |
| 102 SECItem public_item = {siBuffer, public_value, |
| 103 static_cast<unsigned>(public_value_len)}; |
| 104 |
| 105 SECItem password_item = {siBuffer, nullptr, 0}; |
| 106 ASSERT_EQ(SECSuccess, |
| 107 PK11_ImportEncryptedPrivateKeyInfo( |
| 108 test_db.slot(), &epki, &password_item, nullptr /* nickname */, |
| 109 &public_item, PR_TRUE /* permanent */, PR_TRUE /* private */, |
| 110 ecKey, KU_DIGITAL_SIGNATURE, nullptr /* wincx */)); |
| 111 |
| 112 cert = ImportCertFromFile(GetTestCertsDirectory(), test_key.cert_file); |
| 113 ASSERT_TRUE(cert); |
| 114 ASSERT_TRUE(ImportClientCertToSlot(cert, test_db.slot())); |
| 115 } else { |
| 116 cert = ImportClientCertAndKeyFromFile(GetTestCertsDirectory(), |
| 117 test_key.cert_file, test_key.key_file, |
| 118 test_db.slot()); |
| 119 ASSERT_TRUE(cert); |
| 120 } |
| 121 |
| 122 // Look up the key. |
| 123 scoped_refptr<SSLPrivateKey> key = FetchClientCertPrivateKey(cert.get()); |
| 124 ASSERT_TRUE(key); |
| 125 |
| 126 // All NSS keys are expected to have the same hash preferences. |
| 127 std::vector<SSLPrivateKey::Hash> expected_hashes = { |
| 128 SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384, |
| 129 SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1, |
| 130 }; |
| 131 EXPECT_EQ(expected_hashes, key->GetDigestPreferences()); |
| 132 |
| 133 TestSSLPrivateKeyMatches(key.get(), pkcs8); |
| 134 } |
| 135 |
| 136 INSTANTIATE_TEST_CASE_P(, |
| 137 SSLPlatformKeyNSSTest, |
| 138 testing::ValuesIn(kTestKeys), |
| 139 TestKeyToString); |
| 140 |
| 141 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2577683002:
Add unit tests for NSS-backed SSLPrivateKeys. (Closed)
