| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/socket/ssl_client_socket.h" | |
| 6 | |
| 7 #include <errno.h> | |
| 8 #include <string.h> | |
| 9 | |
| 10 #include <openssl/bio.h> | |
| 11 #include <openssl/bn.h> | |
| 12 #include <openssl/evp.h> | |
| 13 #include <openssl/pem.h> | |
| 14 #include <openssl/rsa.h> | |
| 15 | |
| 16 #include "base/files/file_path.h" | |
| 17 #include "base/files/file_util.h" | |
| 18 #include "base/memory/ref_counted.h" | |
| 19 #include "base/message_loop/message_loop_proxy.h" | |
| 20 #include "base/values.h" | |
| 21 #include "crypto/openssl_util.h" | |
| 22 #include "crypto/scoped_openssl_types.h" | |
| 23 #include "net/base/address_list.h" | |
| 24 #include "net/base/io_buffer.h" | |
| 25 #include "net/base/net_errors.h" | |
| 26 #include "net/base/net_log.h" | |
| 27 #include "net/base/net_log_unittest.h" | |
| 28 #include "net/base/test_completion_callback.h" | |
| 29 #include "net/base/test_data_directory.h" | |
| 30 #include "net/cert/mock_cert_verifier.h" | |
| 31 #include "net/cert/test_root_certs.h" | |
| 32 #include "net/dns/host_resolver.h" | |
| 33 #include "net/http/transport_security_state.h" | |
| 34 #include "net/socket/client_socket_factory.h" | |
| 35 #include "net/socket/client_socket_handle.h" | |
| 36 #include "net/socket/socket_test_util.h" | |
| 37 #include "net/socket/tcp_client_socket.h" | |
| 38 #include "net/ssl/openssl_client_key_store.h" | |
| 39 #include "net/ssl/ssl_cert_request_info.h" | |
| 40 #include "net/ssl/ssl_config_service.h" | |
| 41 #include "net/test/cert_test_util.h" | |
| 42 #include "net/test/spawned_test_server/spawned_test_server.h" | |
| 43 #include "testing/gtest/include/gtest/gtest.h" | |
| 44 #include "testing/platform_test.h" | |
| 45 | |
| 46 namespace net { | |
| 47 | |
| 48 namespace { | |
| 49 | |
| 50 // These client auth tests are currently dependent on OpenSSL's struct X509. | |
| 51 #if defined(USE_OPENSSL_CERTS) | |
| 52 | |
| 53 // Loads a PEM-encoded private key file into a scoped EVP_PKEY object. | |
| 54 // |filepath| is the private key file path. | |
| 55 // |*pkey| is reset to the new EVP_PKEY on success, untouched otherwise. | |
| 56 // Returns true on success, false on failure. | |
| 57 bool LoadPrivateKeyOpenSSL( | |
| 58 const base::FilePath& filepath, | |
| 59 crypto::ScopedEVP_PKEY* pkey) { | |
| 60 std::string data; | |
| 61 if (!base::ReadFileToString(filepath, &data)) { | |
| 62 LOG(ERROR) << "Could not read private key file: " | |
| 63 << filepath.value() << ": " << strerror(errno); | |
| 64 return false; | |
| 65 } | |
| 66 crypto::ScopedBIO bio(BIO_new_mem_buf( | |
| 67 const_cast<char*>(reinterpret_cast<const char*>(data.data())), | |
| 68 static_cast<int>(data.size()))); | |
| 69 if (!bio.get()) { | |
| 70 LOG(ERROR) << "Could not allocate BIO for buffer?"; | |
| 71 return false; | |
| 72 } | |
| 73 EVP_PKEY* result = PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL); | |
| 74 if (result == NULL) { | |
| 75 LOG(ERROR) << "Could not decode private key file: " | |
| 76 << filepath.value(); | |
| 77 return false; | |
| 78 } | |
| 79 pkey->reset(result); | |
| 80 return true; | |
| 81 } | |
| 82 | |
| 83 class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest { | |
| 84 public: | |
| 85 SSLClientSocketOpenSSLClientAuthTest() | |
| 86 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), | |
| 87 cert_verifier_(new MockCertVerifier), | |
| 88 transport_security_state_(new TransportSecurityState) { | |
| 89 cert_verifier_->set_default_result(OK); | |
| 90 context_.cert_verifier = cert_verifier_.get(); | |
| 91 context_.transport_security_state = transport_security_state_.get(); | |
| 92 key_store_ = OpenSSLClientKeyStore::GetInstance(); | |
| 93 } | |
| 94 | |
| 95 ~SSLClientSocketOpenSSLClientAuthTest() override { key_store_->Flush(); } | |
| 96 | |
| 97 protected: | |
| 98 scoped_ptr<SSLClientSocket> CreateSSLClientSocket( | |
| 99 scoped_ptr<StreamSocket> transport_socket, | |
| 100 const HostPortPair& host_and_port, | |
| 101 const SSLConfig& ssl_config) { | |
| 102 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle); | |
| 103 connection->SetSocket(transport_socket.Pass()); | |
| 104 return socket_factory_->CreateSSLClientSocket(connection.Pass(), | |
| 105 host_and_port, | |
| 106 ssl_config, | |
| 107 context_); | |
| 108 } | |
| 109 | |
| 110 // Connect to a HTTPS test server. | |
| 111 bool ConnectToTestServer(SpawnedTestServer::SSLOptions& ssl_options) { | |
| 112 test_server_.reset(new SpawnedTestServer(SpawnedTestServer::TYPE_HTTPS, | |
| 113 ssl_options, | |
| 114 base::FilePath())); | |
| 115 if (!test_server_->Start()) { | |
| 116 LOG(ERROR) << "Could not start SpawnedTestServer"; | |
| 117 return false; | |
| 118 } | |
| 119 | |
| 120 if (!test_server_->GetAddressList(&addr_)) { | |
| 121 LOG(ERROR) << "Could not get SpawnedTestServer address list"; | |
| 122 return false; | |
| 123 } | |
| 124 | |
| 125 transport_.reset(new TCPClientSocket( | |
| 126 addr_, &log_, NetLog::Source())); | |
| 127 int rv = callback_.GetResult( | |
| 128 transport_->Connect(callback_.callback())); | |
| 129 if (rv != OK) { | |
| 130 LOG(ERROR) << "Could not connect to SpawnedTestServer"; | |
| 131 return false; | |
| 132 } | |
| 133 return true; | |
| 134 } | |
| 135 | |
| 136 // Record a certificate's private key to ensure it can be used | |
| 137 // by the OpenSSL-based SSLClientSocket implementation. | |
| 138 // |ssl_config| provides a client certificate. | |
| 139 // |private_key| must be an EVP_PKEY for the corresponding private key. | |
| 140 // Returns true on success, false on failure. | |
| 141 bool RecordPrivateKey(SSLConfig& ssl_config, | |
| 142 EVP_PKEY* private_key) { | |
| 143 return key_store_->RecordClientCertPrivateKey( | |
| 144 ssl_config.client_cert.get(), private_key); | |
| 145 } | |
| 146 | |
| 147 // Create an SSLClientSocket object and use it to connect to a test | |
| 148 // server, then wait for connection results. This must be called after | |
| 149 // a succesful ConnectToTestServer() call. | |
| 150 // |ssl_config| the SSL configuration to use. | |
| 151 // |result| will retrieve the ::Connect() result value. | |
| 152 // Returns true on succes, false otherwise. Success means that the socket | |
| 153 // could be created and its Connect() was called, not that the connection | |
| 154 // itself was a success. | |
| 155 bool CreateAndConnectSSLClientSocket(const SSLConfig& ssl_config, | |
| 156 int* result) { | |
| 157 sock_ = CreateSSLClientSocket(transport_.Pass(), | |
| 158 test_server_->host_port_pair(), | |
| 159 ssl_config); | |
| 160 | |
| 161 if (sock_->IsConnected()) { | |
| 162 LOG(ERROR) << "SSL Socket prematurely connected"; | |
| 163 return false; | |
| 164 } | |
| 165 | |
| 166 *result = callback_.GetResult(sock_->Connect(callback_.callback())); | |
| 167 return true; | |
| 168 } | |
| 169 | |
| 170 | |
| 171 // Check that the client certificate was sent. | |
| 172 // Returns true on success. | |
| 173 bool CheckSSLClientSocketSentCert() { | |
| 174 SSLInfo ssl_info; | |
| 175 sock_->GetSSLInfo(&ssl_info); | |
| 176 return ssl_info.client_cert_sent; | |
| 177 } | |
| 178 | |
| 179 ClientSocketFactory* socket_factory_; | |
| 180 scoped_ptr<MockCertVerifier> cert_verifier_; | |
| 181 scoped_ptr<TransportSecurityState> transport_security_state_; | |
| 182 SSLClientSocketContext context_; | |
| 183 OpenSSLClientKeyStore* key_store_; | |
| 184 scoped_ptr<SpawnedTestServer> test_server_; | |
| 185 AddressList addr_; | |
| 186 TestCompletionCallback callback_; | |
| 187 CapturingNetLog log_; | |
| 188 scoped_ptr<StreamSocket> transport_; | |
| 189 scoped_ptr<SSLClientSocket> sock_; | |
| 190 }; | |
| 191 | |
| 192 // Connect to a server requesting client authentication, do not send | |
| 193 // any client certificates. It should refuse the connection. | |
| 194 TEST_F(SSLClientSocketOpenSSLClientAuthTest, NoCert) { | |
| 195 SpawnedTestServer::SSLOptions ssl_options; | |
| 196 ssl_options.request_client_certificate = true; | |
| 197 | |
| 198 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | |
| 199 | |
| 200 base::FilePath certs_dir = GetTestCertsDirectory(); | |
| 201 | |
| 202 int rv; | |
| 203 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv)); | |
| 204 | |
| 205 EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED, rv); | |
| 206 EXPECT_FALSE(sock_->IsConnected()); | |
| 207 } | |
| 208 | |
| 209 // Connect to a server requesting client authentication, and send it | |
| 210 // an empty certificate. It should refuse the connection. | |
| 211 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendEmptyCert) { | |
| 212 SpawnedTestServer::SSLOptions ssl_options; | |
| 213 ssl_options.request_client_certificate = true; | |
| 214 ssl_options.client_authorities.push_back( | |
| 215 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem")); | |
| 216 | |
| 217 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | |
| 218 | |
| 219 base::FilePath certs_dir = GetTestCertsDirectory(); | |
| 220 SSLConfig ssl_config; | |
| 221 ssl_config.send_client_cert = true; | |
| 222 ssl_config.client_cert = NULL; | |
| 223 | |
| 224 int rv; | |
| 225 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | |
| 226 | |
| 227 EXPECT_EQ(OK, rv); | |
| 228 EXPECT_TRUE(sock_->IsConnected()); | |
| 229 } | |
| 230 | |
| 231 // Connect to a server requesting client authentication. Send it a | |
| 232 // matching certificate. It should allow the connection. | |
| 233 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendGoodCert) { | |
| 234 SpawnedTestServer::SSLOptions ssl_options; | |
| 235 ssl_options.request_client_certificate = true; | |
| 236 ssl_options.client_authorities.push_back( | |
| 237 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem")); | |
| 238 | |
| 239 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | |
| 240 | |
| 241 base::FilePath certs_dir = GetTestCertsDirectory(); | |
| 242 SSLConfig ssl_config; | |
| 243 ssl_config.send_client_cert = true; | |
| 244 ssl_config.client_cert = ImportCertFromFile(certs_dir, "client_1.pem"); | |
| 245 | |
| 246 // This is required to ensure that signing works with the client | |
| 247 // certificate's private key. | |
| 248 crypto::ScopedEVP_PKEY client_private_key; | |
| 249 ASSERT_TRUE(LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key"), | |
| 250 &client_private_key)); | |
| 251 EXPECT_TRUE(RecordPrivateKey(ssl_config, client_private_key.get())); | |
| 252 | |
| 253 int rv; | |
| 254 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | |
| 255 | |
| 256 EXPECT_EQ(OK, rv); | |
| 257 EXPECT_TRUE(sock_->IsConnected()); | |
| 258 | |
| 259 EXPECT_TRUE(CheckSSLClientSocketSentCert()); | |
| 260 | |
| 261 sock_->Disconnect(); | |
| 262 EXPECT_FALSE(sock_->IsConnected()); | |
| 263 } | |
| 264 #endif // defined(USE_OPENSSL_CERTS) | |
| 265 | |
| 266 } // namespace | |
| 267 } // namespace net | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 992733002:
Remove //net (except for Android test stuff) and sdch (Closed)
Base URL: git@github.com:domokit/mojo.git@master