1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <string.h> | 8 #include <string.h> |
9 | 9 |
10 #include <openssl/bio.h> | 10 #include <openssl/bio.h> |
30 #include "net/cert/mock_cert_verifier.h" | 30 #include "net/cert/mock_cert_verifier.h" |
31 #include "net/cert/test_root_certs.h" | 31 #include "net/cert/test_root_certs.h" |
32 #include "net/dns/host_resolver.h" | 32 #include "net/dns/host_resolver.h" |
33 #include "net/http/transport_security_state.h" | 33 #include "net/http/transport_security_state.h" |
34 #include "net/socket/client_socket_factory.h" | 34 #include "net/socket/client_socket_factory.h" |
35 #include "net/socket/client_socket_handle.h" | 35 #include "net/socket/client_socket_handle.h" |
36 #include "net/socket/socket_test_util.h" | 36 #include "net/socket/socket_test_util.h" |
37 #include "net/socket/tcp_client_socket.h" | 37 #include "net/socket/tcp_client_socket.h" |
38 #include "net/ssl/default_server_bound_cert_store.h" | 38 #include "net/ssl/default_server_bound_cert_store.h" |
39 #include "net/ssl/openssl_client_key_store.h" | 39 #include "net/ssl/openssl_client_key_store.h" |
40 #include "net/ssl/server_bound_cert_service.h" | 40 #include "net/ssl/server_bound_cert_service.h" |
wtc
2014/05/06 17:56:24
Some of the headers should be removed, for example
haavardm
2014/05/07 13:53:43
Done.
41 #include "net/ssl/ssl_cert_request_info.h" | 41 #include "net/ssl/ssl_cert_request_info.h" |
42 #include "net/ssl/ssl_config_service.h" | 42 #include "net/ssl/ssl_config_service.h" |
43 #include "net/test/cert_test_util.h" | 43 #include "net/test/cert_test_util.h" |
44 #include "net/test/spawned_test_server/spawned_test_server.h" | 44 #include "net/test/spawned_test_server/spawned_test_server.h" |
45 #include "testing/gtest/include/gtest/gtest.h" | 45 #include "testing/gtest/include/gtest/gtest.h" |
46 #include "testing/platform_test.h" | 46 #include "testing/platform_test.h" |
47 | 47 |
48 namespace net { | 48 namespace net { |
49 | 49 |
50 namespace { | 50 namespace { |
51 | 51 |
52 // These client auth tests are currently dependent on OpenSSL's struct X509. | 52 // These client auth tests are currently dependent on OpenSSL's struct X509. |
53 #if defined(USE_OPENSSL_CERTS) | 53 #if defined(USE_OPENSSL_CERTS) |
54 typedef OpenSSLClientKeyStore::ScopedEVP_PKEY ScopedEVP_PKEY; | 54 typedef OpenSSLClientKeyStore::ScopedEVP_PKEY ScopedEVP_PKEY; |
55 | 55 |
56 // BIO_free is a macro, it can't be used as a template parameter. | 56 // BIO_free is a macro, it can't be used as a template parameter. |
57 void BIO_free_func(BIO* bio) { | 57 void BIO_free_func(BIO* bio) { |
58 BIO_free(bio); | 58 BIO_free(bio); |
59 } | 59 } |
60 | 60 |
61 typedef crypto::ScopedOpenSSL<BIO, BIO_free_func> ScopedBIO; | 61 typedef crypto::ScopedOpenSSL<BIO, BIO_free_func> ScopedBIO; |
62 typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA; | 62 typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA; |
63 typedef crypto::ScopedOpenSSL<BIGNUM, BN_free> ScopedBIGNUM; | 63 typedef crypto::ScopedOpenSSL<BIGNUM, BN_free> ScopedBIGNUM; |
64 | 64 |
65 const SSLConfig kDefaultSSLConfig; | 65 const SSLConfig kDefaultSSLConfig; |
66 | 66 |
67 // A ServerBoundCertStore that always returns an error when asked for a | |
68 // certificate. | |
69 class FailingServerBoundCertStore : public ServerBoundCertStore { | |
70 virtual int GetServerBoundCert(const std::string& server_identifier, | |
71 base::Time* expiration_time, | |
72 std::string* private_key_result, | |
73 std::string* cert_result, | |
74 const GetCertCallback& callback) OVERRIDE { | |
75 return ERR_UNEXPECTED; | |
76 } | |
77 virtual void SetServerBoundCert(const std::string& server_identifier, | |
78 base::Time creation_time, | |
79 base::Time expiration_time, | |
80 const std::string& private_key, | |
81 const std::string& cert) OVERRIDE {} | |
82 virtual void DeleteServerBoundCert(const std::string& server_identifier, | |
83 const base::Closure& completion_callback) | |
84 OVERRIDE {} | |
85 virtual void DeleteAllCreatedBetween(base::Time delete_begin, | |
86 base::Time delete_end, | |
87 const base::Closure& completion_callback) | |
88 OVERRIDE {} | |
89 virtual void DeleteAll(const base::Closure& completion_callback) OVERRIDE {} | |
90 virtual void GetAllServerBoundCerts(const GetCertListCallback& callback) | |
91 OVERRIDE {} | |
92 virtual int GetCertCount() OVERRIDE { return 0; } | |
93 virtual void SetForceKeepSessionState() OVERRIDE {} | |
94 }; | |
95 | |
96 // Loads a PEM-encoded private key file into a scoped EVP_PKEY object. | 67 // Loads a PEM-encoded private key file into a scoped EVP_PKEY object. |
97 // |filepath| is the private key file path. | 68 // |filepath| is the private key file path. |
98 // |*pkey| is reset to the new EVP_PKEY on success, untouched otherwise. | 69 // |*pkey| is reset to the new EVP_PKEY on success, untouched otherwise. |
99 // Returns true on success, false on failure. | 70 // Returns true on success, false on failure. |
100 bool LoadPrivateKeyOpenSSL( | 71 bool LoadPrivateKeyOpenSSL( |
101 const base::FilePath& filepath, | 72 const base::FilePath& filepath, |
102 OpenSSLClientKeyStore::ScopedEVP_PKEY* pkey) { | 73 OpenSSLClientKeyStore::ScopedEVP_PKEY* pkey) { |
103 std::string data; | 74 std::string data; |
104 if (!base::ReadFileToString(filepath, &data)) { | 75 if (!base::ReadFileToString(filepath, &data)) { |
105 LOG(ERROR) << "Could not read private key file: " | 76 LOG(ERROR) << "Could not read private key file: " |
134 context_.cert_verifier = cert_verifier_.get(); | 105 context_.cert_verifier = cert_verifier_.get(); |
135 context_.transport_security_state = transport_security_state_.get(); | 106 context_.transport_security_state = transport_security_state_.get(); |
136 key_store_ = net::OpenSSLClientKeyStore::GetInstance(); | 107 key_store_ = net::OpenSSLClientKeyStore::GetInstance(); |
137 } | 108 } |
138 | 109 |
139 virtual ~SSLClientSocketOpenSSLClientAuthTest() { | 110 virtual ~SSLClientSocketOpenSSLClientAuthTest() { |
140 key_store_->Flush(); | 111 key_store_->Flush(); |
141 } | 112 } |
142 | 113 |
143 protected: | 114 protected: |
144 void EnabledChannelID() { | |
145 cert_service_.reset( | |
146 new ServerBoundCertService(new DefaultServerBoundCertStore(NULL), | |
147 base::MessageLoopProxy::current())); | |
148 context_.server_bound_cert_service = cert_service_.get(); | |
149 } | |
150 | |
151 void EnabledFailingChannelID() { | |
152 cert_service_.reset( | |
153 new ServerBoundCertService(new FailingServerBoundCertStore(), | |
154 base::MessageLoopProxy::current())); | |
155 context_.server_bound_cert_service = cert_service_.get(); | |
156 } | |
157 | |
158 scoped_ptr<SSLClientSocket> CreateSSLClientSocket( | 115 scoped_ptr<SSLClientSocket> CreateSSLClientSocket( |
159 scoped_ptr<StreamSocket> transport_socket, | 116 scoped_ptr<StreamSocket> transport_socket, |
160 const HostPortPair& host_and_port, | 117 const HostPortPair& host_and_port, |
161 const SSLConfig& ssl_config) { | 118 const SSLConfig& ssl_config) { |
162 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle); | 119 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle); |
163 connection->SetSocket(transport_socket.Pass()); | 120 connection->SetSocket(transport_socket.Pass()); |
164 return socket_factory_->CreateSSLClientSocket(connection.Pass(), | 121 return socket_factory_->CreateSSLClientSocket(connection.Pass(), |
165 host_and_port, | 122 host_and_port, |
166 ssl_config, | 123 ssl_config, |
167 context_); | 124 context_); |
229 | 186 |
230 | 187 |
231 // Check that the client certificate was sent. | 188 // Check that the client certificate was sent. |
232 // Returns true on success. | 189 // Returns true on success. |
233 bool CheckSSLClientSocketSentCert() { | 190 bool CheckSSLClientSocketSentCert() { |
234 SSLInfo ssl_info; | 191 SSLInfo ssl_info; |
235 sock_->GetSSLInfo(&ssl_info); | 192 sock_->GetSSLInfo(&ssl_info); |
236 return ssl_info.client_cert_sent; | 193 return ssl_info.client_cert_sent; |
237 } | 194 } |
238 | 195 |
239 scoped_ptr<ServerBoundCertService> cert_service_; | 196 scoped_ptr<ServerBoundCertService> cert_service_; |
wtc
2014/05/06 17:56:24
Delete the cert_service_ member.
haavardm
2014/05/07 13:53:43
Done.
240 ClientSocketFactory* socket_factory_; | 197 ClientSocketFactory* socket_factory_; |
241 scoped_ptr<MockCertVerifier> cert_verifier_; | 198 scoped_ptr<MockCertVerifier> cert_verifier_; |
242 scoped_ptr<TransportSecurityState> transport_security_state_; | 199 scoped_ptr<TransportSecurityState> transport_security_state_; |
243 SSLClientSocketContext context_; | 200 SSLClientSocketContext context_; |
244 OpenSSLClientKeyStore* key_store_; | 201 OpenSSLClientKeyStore* key_store_; |
245 scoped_ptr<SpawnedTestServer> test_server_; | 202 scoped_ptr<SpawnedTestServer> test_server_; |
246 AddressList addr_; | 203 AddressList addr_; |
247 TestCompletionCallback callback_; | 204 TestCompletionCallback callback_; |
248 CapturingNetLog log_; | 205 CapturingNetLog log_; |
249 scoped_ptr<StreamSocket> transport_; | 206 scoped_ptr<StreamSocket> transport_; |
316 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 273 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
317 | 274 |
318 EXPECT_EQ(OK, rv); | 275 EXPECT_EQ(OK, rv); |
319 EXPECT_TRUE(sock_->IsConnected()); | 276 EXPECT_TRUE(sock_->IsConnected()); |
320 | 277 |
321 EXPECT_TRUE(CheckSSLClientSocketSentCert()); | 278 EXPECT_TRUE(CheckSSLClientSocketSentCert()); |
322 | 279 |
323 sock_->Disconnect(); | 280 sock_->Disconnect(); |
324 EXPECT_FALSE(sock_->IsConnected()); | 281 EXPECT_FALSE(sock_->IsConnected()); |
325 } | 282 } |
326 | |
327 // Connect to a server using channel id. It should allow the connection. | |
328 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendChannelID) { | |
329 SpawnedTestServer::SSLOptions ssl_options; | |
330 | |
331 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | |
332 | |
333 EnabledChannelID(); | |
334 SSLConfig ssl_config = kDefaultSSLConfig; | |
335 ssl_config.channel_id_enabled = true; | |
336 | |
337 int rv; | |
338 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | |
339 | |
340 EXPECT_EQ(OK, rv); | |
341 EXPECT_TRUE(sock_->IsConnected()); | |
342 EXPECT_TRUE(sock_->WasChannelIDSent()); | |
343 | |
344 sock_->Disconnect(); | |
345 EXPECT_FALSE(sock_->IsConnected()); | |
346 } | |
347 | |
348 // Connect to a server using channel id but without sending a key. It should | |
349 // fail. | |
350 TEST_F(SSLClientSocketOpenSSLClientAuthTest, FailingChannelID) { | |
351 SpawnedTestServer::SSLOptions ssl_options; | |
352 | |
353 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | |
354 | |
355 EnabledFailingChannelID(); | |
356 SSLConfig ssl_config = kDefaultSSLConfig; | |
357 ssl_config.channel_id_enabled = true; | |
358 | |
359 int rv; | |
360 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | |
361 | |
362 EXPECT_EQ(ERR_UNEXPECTED, rv); | |
363 EXPECT_FALSE(sock_->IsConnected()); | |
364 } | |
365 #endif // defined(USE_OPENSSL_CERTS) | 283 #endif // defined(USE_OPENSSL_CERTS) |
366 | 284 |
367 } // namespace | 285 } // namespace |
368 } // namespace net | 286 } // namespace net |