OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/ssl/client_cert_store_nss.h" | 5 #include "net/ssl/client_cert_store_nss.h" |
6 | 6 |
7 #include <cert.h> | 7 #include <cert.h> |
8 #include <certt.h> | 8 #include <certt.h> |
9 #include <pk11pub.h> | 9 #include <pk11pub.h> |
10 | 10 |
11 #include <memory> | 11 #include <memory> |
12 #include <string> | 12 #include <string> |
13 | 13 |
14 #include "base/bind.h" | 14 #include "base/bind.h" |
| 15 #include "base/files/file_util.h" |
| 16 #include "base/memory/ptr_util.h" |
15 #include "base/memory/ref_counted.h" | 17 #include "base/memory/ref_counted.h" |
16 #include "base/run_loop.h" | 18 #include "base/run_loop.h" |
17 #include "crypto/scoped_test_nss_db.h" | 19 #include "crypto/scoped_test_nss_db.h" |
18 #include "net/cert/x509_certificate.h" | 20 #include "net/cert/x509_certificate.h" |
| 21 #include "net/ssl/client_cert_identity_test_util.h" |
19 #include "net/ssl/client_cert_store_unittest-inl.h" | 22 #include "net/ssl/client_cert_store_unittest-inl.h" |
20 #include "net/ssl/ssl_cert_request_info.h" | 23 #include "net/ssl/ssl_cert_request_info.h" |
| 24 #include "net/ssl/ssl_private_key.h" |
| 25 #include "net/ssl/ssl_private_key_test_util.h" |
21 #include "net/test/cert_test_util.h" | 26 #include "net/test/cert_test_util.h" |
22 #include "testing/gtest/include/gtest/gtest.h" | 27 #include "testing/gtest/include/gtest/gtest.h" |
23 | 28 |
24 namespace net { | 29 namespace net { |
25 | 30 |
26 namespace { | 31 namespace { |
27 | 32 |
28 void SaveCertsAndQuitCallback(CertificateList* out_certs, | 33 void SaveIdentitiesAndQuitCallback(ClientCertIdentityList* out_identities, |
29 base::Closure quit_closure, | 34 base::Closure quit_closure, |
30 CertificateList in_certs) { | 35 ClientCertIdentityList in_identities) { |
31 *out_certs = std::move(in_certs); | 36 *out_identities = std::move(in_identities); |
32 quit_closure.Run(); | 37 quit_closure.Run(); |
33 } | 38 } |
34 | 39 |
| 40 void SavePrivateKeyAndQuitCallback(scoped_refptr<net::SSLPrivateKey>* out_key, |
| 41 base::Closure quit_closure, |
| 42 scoped_refptr<net::SSLPrivateKey> in_key) { |
| 43 *out_key = std::move(in_key); |
| 44 quit_closure.Run(); |
| 45 } |
| 46 |
35 } // namespace | 47 } // namespace |
36 | 48 |
37 class ClientCertStoreNSSTestDelegate { | 49 class ClientCertStoreNSSTestDelegate { |
38 public: | 50 public: |
39 ClientCertStoreNSSTestDelegate() {} | 51 ClientCertStoreNSSTestDelegate() {} |
40 | 52 |
41 bool SelectClientCerts(const CertificateList& input_certs, | 53 bool SelectClientCerts(const CertificateList& input_certs, |
42 const SSLCertRequestInfo& cert_request_info, | 54 const SSLCertRequestInfo& cert_request_info, |
43 CertificateList* selected_certs) { | 55 ClientCertIdentityList* selected_identities) { |
44 // Filters |input_certs| using the logic being used to filter the system | 56 *selected_identities = |
45 // store when GetClientCerts() is called. | 57 FakeClientCertIdentityListFromCertificateList(input_certs); |
46 ClientCertStoreNSS::FilterCertsOnWorkerThread( | 58 |
47 input_certs, cert_request_info, selected_certs); | 59 // Filters |selected_identities| using the logic being used to filter the |
| 60 // system store when GetClientCerts() is called. |
| 61 ClientCertStoreNSS::FilterCertsOnWorkerThread(selected_identities, |
| 62 cert_request_info); |
48 return true; | 63 return true; |
49 } | 64 } |
50 }; | 65 }; |
51 | 66 |
52 INSTANTIATE_TYPED_TEST_CASE_P(NSS, | 67 INSTANTIATE_TYPED_TEST_CASE_P(NSS, |
53 ClientCertStoreTest, | 68 ClientCertStoreTest, |
54 ClientCertStoreNSSTestDelegate); | 69 ClientCertStoreNSSTestDelegate); |
55 | 70 |
56 // Tests that ClientCertStoreNSS attempts to build a certificate chain by | 71 // Tests that ClientCertStoreNSS attempts to build a certificate chain by |
57 // querying NSS before return a certificate. | 72 // querying NSS before return a certificate. |
58 TEST(ClientCertStoreNSSTest, BuildsCertificateChain) { | 73 TEST(ClientCertStoreNSSTest, BuildsCertificateChain) { |
59 // Set up a test DB and import client_1.pem and client_1_ca.pem. | 74 // Set up a test DB and import client_1.pem and client_1_ca.pem. |
60 crypto::ScopedTestNSSDB test_db; | 75 crypto::ScopedTestNSSDB test_db; |
61 scoped_refptr<X509Certificate> client_1(ImportClientCertAndKeyFromFile( | 76 scoped_refptr<X509Certificate> client_1(ImportClientCertAndKeyFromFile( |
62 GetTestCertsDirectory(), "client_1.pem", "client_1.pk8", test_db.slot())); | 77 GetTestCertsDirectory(), "client_1.pem", "client_1.pk8", test_db.slot())); |
63 ASSERT_TRUE(client_1.get()); | 78 ASSERT_TRUE(client_1.get()); |
64 scoped_refptr<X509Certificate> client_1_ca( | 79 scoped_refptr<X509Certificate> client_1_ca( |
65 ImportCertFromFile(GetTestCertsDirectory(), "client_1_ca.pem")); | 80 ImportCertFromFile(GetTestCertsDirectory(), "client_1_ca.pem")); |
66 ASSERT_TRUE(client_1_ca.get()); | 81 ASSERT_TRUE(client_1_ca.get()); |
67 ASSERT_EQ(SECSuccess, | 82 ASSERT_EQ(SECSuccess, |
68 PK11_ImportCert(test_db.slot(), client_1_ca->os_cert_handle(), | 83 PK11_ImportCert(test_db.slot(), client_1_ca->os_cert_handle(), |
69 CK_INVALID_HANDLE, "client_1_ca", | 84 CK_INVALID_HANDLE, "client_1_ca", |
70 PR_FALSE /* includeTrust (unused) */)); | 85 PR_FALSE /* includeTrust (unused) */)); |
| 86 std::string pkcs8_key; |
| 87 ASSERT_TRUE(base::ReadFileToString( |
| 88 GetTestCertsDirectory().AppendASCII("client_1.pk8"), &pkcs8_key)); |
71 | 89 |
72 std::unique_ptr<ClientCertStoreNSS> store( | 90 std::unique_ptr<ClientCertStoreNSS> store( |
73 new ClientCertStoreNSS(ClientCertStoreNSS::PasswordDelegateFactory())); | 91 new ClientCertStoreNSS(ClientCertStoreNSS::PasswordDelegateFactory())); |
74 | 92 |
| 93 // All NSS keys are expected to have the same hash preferences. |
| 94 const std::vector<SSLPrivateKey::Hash> expected_hashes = { |
| 95 SSLPrivateKey::Hash::SHA512, SSLPrivateKey::Hash::SHA384, |
| 96 SSLPrivateKey::Hash::SHA256, SSLPrivateKey::Hash::SHA1, |
| 97 }; |
| 98 |
75 { | 99 { |
76 // Request certificates matching B CA, |client_1|'s issuer. | 100 // Request certificates matching B CA, |client_1|'s issuer. |
77 scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo); | 101 scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo); |
78 request->cert_authorities.push_back(std::string( | 102 request->cert_authorities.push_back(std::string( |
79 reinterpret_cast<const char*>(kAuthority1DN), sizeof(kAuthority1DN))); | 103 reinterpret_cast<const char*>(kAuthority1DN), sizeof(kAuthority1DN))); |
80 | 104 |
81 CertificateList selected_certs; | 105 ClientCertIdentityList selected_identities; |
82 base::RunLoop loop; | 106 base::RunLoop loop; |
83 store->GetClientCerts(*request.get(), | 107 store->GetClientCerts(*request.get(), |
84 base::Bind(SaveCertsAndQuitCallback, &selected_certs, | 108 base::Bind(SaveIdentitiesAndQuitCallback, |
85 loop.QuitClosure())); | 109 &selected_identities, loop.QuitClosure())); |
86 loop.Run(); | 110 loop.Run(); |
87 | 111 |
88 // The result be |client_1| with no intermediates. | 112 // The result be |client_1| with no intermediates. |
89 ASSERT_EQ(1u, selected_certs.size()); | 113 ASSERT_EQ(1u, selected_identities.size()); |
90 scoped_refptr<X509Certificate> selected_cert = selected_certs[0]; | 114 scoped_refptr<X509Certificate> selected_cert = |
| 115 selected_identities[0]->certificate(); |
91 EXPECT_TRUE(X509Certificate::IsSameOSCert(client_1->os_cert_handle(), | 116 EXPECT_TRUE(X509Certificate::IsSameOSCert(client_1->os_cert_handle(), |
92 selected_cert->os_cert_handle())); | 117 selected_cert->os_cert_handle())); |
93 ASSERT_EQ(0u, selected_cert->GetIntermediateCertificates().size()); | 118 ASSERT_EQ(0u, selected_cert->GetIntermediateCertificates().size()); |
| 119 |
| 120 scoped_refptr<SSLPrivateKey> ssl_private_key; |
| 121 base::RunLoop key_loop; |
| 122 selected_identities[0]->AcquirePrivateKey( |
| 123 base::Bind(SavePrivateKeyAndQuitCallback, &ssl_private_key, |
| 124 key_loop.QuitClosure())); |
| 125 key_loop.Run(); |
| 126 |
| 127 ASSERT_TRUE(ssl_private_key); |
| 128 EXPECT_EQ(expected_hashes, ssl_private_key->GetDigestPreferences()); |
| 129 TestSSLPrivateKeyMatches(ssl_private_key.get(), pkcs8_key); |
94 } | 130 } |
95 | 131 |
96 { | 132 { |
97 // Request certificates matching C Root CA, |client_1_ca|'s issuer. | 133 // Request certificates matching C Root CA, |client_1_ca|'s issuer. |
98 scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo); | 134 scoped_refptr<SSLCertRequestInfo> request(new SSLCertRequestInfo); |
99 request->cert_authorities.push_back( | 135 request->cert_authorities.push_back( |
100 std::string(reinterpret_cast<const char*>(kAuthorityRootDN), | 136 std::string(reinterpret_cast<const char*>(kAuthorityRootDN), |
101 sizeof(kAuthorityRootDN))); | 137 sizeof(kAuthorityRootDN))); |
102 | 138 |
103 CertificateList selected_certs; | 139 ClientCertIdentityList selected_identities; |
104 base::RunLoop loop; | 140 base::RunLoop loop; |
105 store->GetClientCerts(*request.get(), | 141 store->GetClientCerts(*request.get(), |
106 base::Bind(SaveCertsAndQuitCallback, &selected_certs, | 142 base::Bind(SaveIdentitiesAndQuitCallback, |
107 loop.QuitClosure())); | 143 &selected_identities, loop.QuitClosure())); |
108 loop.Run(); | 144 loop.Run(); |
109 | 145 |
110 // The result be |client_1| with |client_1_ca| as an intermediate. | 146 // The result be |client_1| with |client_1_ca| as an intermediate. |
111 ASSERT_EQ(1u, selected_certs.size()); | 147 ASSERT_EQ(1u, selected_identities.size()); |
112 scoped_refptr<X509Certificate> selected_cert = selected_certs[0]; | 148 scoped_refptr<X509Certificate> selected_cert = |
| 149 selected_identities[0]->certificate(); |
113 EXPECT_TRUE(X509Certificate::IsSameOSCert(client_1->os_cert_handle(), | 150 EXPECT_TRUE(X509Certificate::IsSameOSCert(client_1->os_cert_handle(), |
114 selected_cert->os_cert_handle())); | 151 selected_cert->os_cert_handle())); |
115 ASSERT_EQ(1u, selected_cert->GetIntermediateCertificates().size()); | 152 ASSERT_EQ(1u, selected_cert->GetIntermediateCertificates().size()); |
116 EXPECT_TRUE(X509Certificate::IsSameOSCert( | 153 EXPECT_TRUE(X509Certificate::IsSameOSCert( |
117 client_1_ca->os_cert_handle(), | 154 client_1_ca->os_cert_handle(), |
118 selected_cert->GetIntermediateCertificates()[0])); | 155 selected_cert->GetIntermediateCertificates()[0])); |
| 156 |
| 157 scoped_refptr<SSLPrivateKey> ssl_private_key; |
| 158 base::RunLoop key_loop; |
| 159 selected_identities[0]->AcquirePrivateKey( |
| 160 base::Bind(SavePrivateKeyAndQuitCallback, &ssl_private_key, |
| 161 key_loop.QuitClosure())); |
| 162 key_loop.Run(); |
| 163 ASSERT_TRUE(ssl_private_key); |
| 164 EXPECT_EQ(expected_hashes, ssl_private_key->GetDigestPreferences()); |
| 165 TestSSLPrivateKeyMatches(ssl_private_key.get(), pkcs8_key); |
119 } | 166 } |
120 } | 167 } |
121 | 168 |
| 169 // TODO(mattm): is it possible to unittest slot unlocking? |
| 170 |
122 } // namespace net | 171 } // namespace net |
OLD | NEW |