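--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,158 +1,198 @@
 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "remoting/host/token_validator_base.h"
 
 #include <vector>
 
 #include "base/atomic_sequence_num.h"
+#include "base/memory/ptr_util.h"
 #include "crypto/rsa_private_key.h"
 #include "net/cert/x509_util.h"
+#include "net/ssl/client_cert_identity_test_util.h"
+#include "net/ssl/test_ssl_private_key.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace {
 
 const char kTokenUrl[] = "https://example.com/token";
 const char kTokenValidationUrl[] = "https://example.com/validate";
 const char kTokenValidationCertIssuer[] = "*";
 
 base::StaticAtomicSequenceNumber g_serial_number;
 
-scoped_refptr<net::X509Certificate> CreateFakeCert(base::Time valid_start,
-base::Time valid_expiry) {
-std::unique_ptr<crypto::RSAPrivateKey> unused_key;
+std::unique_ptr<net::FakeClientCertIdentity> CreateFakeCert(
+base::Time valid_start,
+base::Time valid_expiry) {
+std::unique_ptr<crypto::RSAPrivateKey> rsa_private_key;
 std::string cert_der;
 net::x509_util::CreateKeyAndSelfSignedCert(
 "CN=subject", g_serial_number.GetNext(), valid_start, valid_expiry,
-&unused_key, &cert_der);
+&rsa_private_key, &cert_der);
-return net::X509Certificate::CreateFromBytes(cert_der.data(),
-cert_der.size());
+
+scoped_refptr<net::X509Certificate> cert =
+net::X509Certificate::CreateFromBytes(cert_der.data(), cert_der.size());
+if (!cert)
+return nullptr;
+
+scoped_refptr<net::SSLPrivateKey> ssl_private_key =
+net::WrapRSAPrivateKey(rsa_private_key.get());
+if (!ssl_private_key)
+return nullptr;
+
+return base::MakeUnique<net::FakeClientCertIdentity>(cert, ssl_private_key);
 }
 
 } // namespace
 
 namespace remoting {
 
 class TestTokenValidator : TokenValidatorBase {
 public:
 explicit TestTokenValidator(const ThirdPartyAuthConfig& config);
 ~TestTokenValidator() override;
 
-void SelectCertificates(net::CertificateList selected_certs);
+void SelectCertificates(net::ClientCertIdentityList selected_certs);
 
-void ExpectContinueWithCertificate(net::X509Certificate* client_cert);
+void ExpectContinueWithCertificate(
+const net::FakeClientCertIdentity* identity);
 
 protected:
-void ContinueWithCertificate(net::X509Certificate* client_cert,
-net::SSLPrivateKey* client_private_key) override;
+void ContinueWithCertificate(
+scoped_refptr<net::X509Certificate> client_cert,
+scoped_refptr<net::SSLPrivateKey> client_private_key) override;
 
 private:
 void StartValidateRequest(const std::string& token) override {}
 
 net::X509Certificate* expected_client_cert_ = nullptr;
+net::SSLPrivateKey* expected_private_key_ = nullptr;
 };
 
 TestTokenValidator::TestTokenValidator(const ThirdPartyAuthConfig& config) :
 TokenValidatorBase(config, "", nullptr) {
 }
 
 TestTokenValidator::~TestTokenValidator() {}
 
 void TestTokenValidator::SelectCertificates(
-net::CertificateList selected_certs) {
+net::ClientCertIdentityList selected_certs) {
 OnCertificatesSelected(nullptr, std::move(selected_certs));
 }
 
 void TestTokenValidator::ExpectContinueWithCertificate(
-net::X509Certificate* client_cert) {
-expected_client_cert_ = client_cert;
+const net::FakeClientCertIdentity* identity) {
+if (identity) {
+expected_client_cert_ = identity->certificate();
+expected_private_key_ = identity->ssl_private_key();
+} else {
+expected_client_cert_ = nullptr;
+expected_private_key_ = nullptr;
+}
 }
 
 void TestTokenValidator::ContinueWithCertificate(
-net::X509Certificate* client_cert,
-net::SSLPrivateKey* client_private_key) {
-EXPECT_EQ(expected_client_cert_, client_cert);
+scoped_refptr<net::X509Certificate> client_cert,
+scoped_refptr<net::SSLPrivateKey> client_private_key) {
+EXPECT_EQ(expected_client_cert_, client_cert.get());
+EXPECT_EQ(expected_private_key_, client_private_key.get());
 }
 
 class TokenValidatorBaseTest : public testing::Test {
 public:
 void SetUp() override;
 protected:
 std::unique_ptr<TestTokenValidator> token_validator_;
 };
 
 void TokenValidatorBaseTest::SetUp() {
 ThirdPartyAuthConfig config;
 config.token_url = GURL(kTokenUrl);
 config.token_validation_url = GURL(kTokenValidationUrl);
 config.token_validation_cert_issuer = kTokenValidationCertIssuer;
 token_validator_.reset(new TestTokenValidator(config));
 }
 
 TEST_F(TokenValidatorBaseTest, TestSelectCertificate) {
 base::Time now = base::Time::Now();
 
-scoped_refptr<net::X509Certificate> cert_expired_5_minutes_ago =
+std::unique_ptr<net::FakeClientCertIdentity> cert_expired_5_minutes_ago =
 CreateFakeCert(now - base::TimeDelta::FromMinutes(10),
 now - base::TimeDelta::FromMinutes(5));
 ASSERT_TRUE(cert_expired_5_minutes_ago);
 
-scoped_refptr<net::X509Certificate> cert_start_5min_expire_5min =
+std::unique_ptr<net::FakeClientCertIdentity> cert_start_5min_expire_5min =
 CreateFakeCert(now - base::TimeDelta::FromMinutes(5),
 now + base::TimeDelta::FromMinutes(5));
 ASSERT_TRUE(cert_start_5min_expire_5min);
 
-scoped_refptr<net::X509Certificate> cert_start_10min_expire_5min =
+std::unique_ptr<net::FakeClientCertIdentity> cert_start_10min_expire_5min =
 CreateFakeCert(now - base::TimeDelta::FromMinutes(10),
 now + base::TimeDelta::FromMinutes(5));
 ASSERT_TRUE(cert_start_10min_expire_5min);
 
-scoped_refptr<net::X509Certificate> cert_start_5min_expire_10min =
+std::unique_ptr<net::FakeClientCertIdentity> cert_start_5min_expire_10min =
 CreateFakeCert(now - base::TimeDelta::FromMinutes(5),
 now + base::TimeDelta::FromMinutes(10));
 ASSERT_TRUE(cert_start_5min_expire_10min);
 
 // No certificate.
-net::CertificateList certificates {};
 token_validator_->ExpectContinueWithCertificate(nullptr);
-token_validator_->SelectCertificates(std::move(certificates));
-
+token_validator_->SelectCertificates(net::ClientCertIdentityList());
+{
 // One invalid certificate.
-certificates = { cert_expired_5_minutes_ago };
-token_validator_->ExpectContinueWithCertificate(nullptr);
-token_validator_->SelectCertificates(std::move(certificates));
-
-// One valid certificate.
-certificates = { cert_start_5min_expire_5min };
-token_validator_->ExpectContinueWithCertificate(
-cert_start_5min_expire_5min.get());
-token_validator_->SelectCertificates(std::move(certificates));
-
-// One valid one invalid.
-certificates = { cert_expired_5_minutes_ago, cert_start_5min_expire_5min };
-token_validator_->ExpectContinueWithCertificate(
-cert_start_5min_expire_5min.get());
-token_validator_->SelectCertificates(std::move(certificates));
-
-// Two valid certs. Choose latest created.
-certificates = { cert_start_10min_expire_5min, cert_start_5min_expire_5min };
+net::ClientCertIdentityList client_certs;
+client_certs.push_back(cert_expired_5_minutes_ago->Copy());
+token_validator_->ExpectContinueWithCertificate(nullptr);
+token_validator_->SelectCertificates(std::move(client_certs));
+}
+{
+// One valid certificate.
+net::ClientCertIdentityList client_certs;
+client_certs.push_back(cert_start_5min_expire_5min->Copy());
+token_validator_->ExpectContinueWithCertificate(
+cert_start_5min_expire_5min.get());
+token_validator_->SelectCertificates(std::move(client_certs));
+}
+{
+// One valid one invalid.
+net::ClientCertIdentityList client_certs;
+client_certs.push_back(cert_expired_5_minutes_ago->Copy());
+client_certs.push_back(cert_start_5min_expire_5min->Copy());
 token_validator_->ExpectContinueWithCertificate(
 cert_start_5min_expire_5min.get());
-token_validator_->SelectCertificates(std::move(certificates));
-
-// Two valid certs. Choose latest expires.
-certificates = { cert_start_5min_expire_5min, cert_start_5min_expire_10min };
-token_validator_->ExpectContinueWithCertificate(
-cert_start_5min_expire_10min.get());
-token_validator_->SelectCertificates(std::move(certificates));
-
-// Pick the best given all certificates.
-certificates = { cert_expired_5_minutes_ago, cert_start_5min_expire_5min,
-cert_start_5min_expire_10min, cert_start_10min_expire_5min };
+token_validator_->SelectCertificates(std::move(client_certs));
+}
+{
+// Two valid certs. Choose latest created.
+net::ClientCertIdentityList client_certs;
+client_certs.push_back(cert_start_10min_expire_5min->Copy());
+client_certs.push_back(cert_start_5min_expire_5min->Copy());
+token_validator_->ExpectContinueWithCertificate(
+cert_start_5min_expire_5min.get());
+token_validator_->SelectCertificates(std::move(client_certs));
+}
+{
+// Two valid certs. Choose latest expires.
+net::ClientCertIdentityList client_certs;
+client_certs.push_back(cert_start_5min_expire_5min->Copy());
+client_certs.push_back(cert_start_5min_expire_10min->Copy());
 token_validator_->ExpectContinueWithCertificate(
 cert_start_5min_expire_10min.get());
-token_validator_->SelectCertificates(std::move(certificates));
+token_validator_->SelectCertificates(std::move(client_certs));
+}
+{
+// Pick the best given all certificates.
+net::ClientCertIdentityList client_certs;
+client_certs.push_back(cert_expired_5_minutes_ago->Copy());
+client_certs.push_back(cert_start_5min_expire_5min->Copy());
+client_certs.push_back(cert_start_5min_expire_10min->Copy());
+client_certs.push_back(cert_start_10min_expire_5min->Copy());
+token_validator_->ExpectContinueWithCertificate(
+cert_start_5min_expire_10min.get());
+token_validator_->SelectCertificates(std::move(client_certs));
+}
 }
 
 } // namespace remoting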
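Review bot: The new `ContinueWithCertificate` (new lines 95-100) only checks the cert/key pointers when it is called, so every case in `TestSelectCertificate` — the "No certificate" case in particular — passes silently if the base class never reaches it; the test should also assert that the callback fired. Assuming `OnCertificatesSelected` reaches `ContinueWithCertificate` synchronously (the test's sequencing suggests it, but the hunk does not show the base class), a `continue_called_` flag reset in `SelectCertificates` before the call and checked with `EXPECT_TRUE` after it closes that gap. The expectations also rely on `Copy()` handing out the same underlying `X509Certificate`/`SSLPrivateKey` objects as the original identity, since `EXPECT_EQ` compares raw pointers; a one-line comment on `ExpectContinueWithCertificate` stating that `Copy()` must share those objects would save the next reader from guessing. Minor style point: the "No certificate" case (new lines 140-142) is the only one not wrapped in its own brace scope like the others.
```cpp
// … unchanged: TestTokenValidator declaration up to expected_private_key_ …
  net::SSLPrivateKey* expected_private_key_ = nullptr;
  bool continue_called_ = false;  // set when ContinueWithCertificate runs

void TestTokenValidator::SelectCertificates(
    net::ClientCertIdentityList selected_certs) {
  continue_called_ = false;
  OnCertificatesSelected(nullptr, std::move(selected_certs));
  EXPECT_TRUE(continue_called_);
}

// … unchanged: ExpectContinueWithCertificate …

void TestTokenValidator::ContinueWithCertificate(
    scoped_refptr<net::X509Certificate> client_cert,
    scoped_refptr<net::SSLPrivateKey> client_private_key) {
  continue_called_ = true;
  EXPECT_EQ(expected_client_cert_, client_cert.get());
  EXPECT_EQ(expected_private_key_, client_private_key.get());
}
```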