OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/socket/ssl_client_socket.h" | |
6 | |
7 #include <errno.h> | |
8 #include <string.h> | |
9 | |
10 #include <openssl/bio.h> | |
11 #include <openssl/bn.h> | |
12 #include <openssl/evp.h> | |
13 #include <openssl/pem.h> | |
14 #include <openssl/rsa.h> | |
15 | |
16 #include "base/files/file_path.h" | |
17 #include "base/files/file_util.h" | |
18 #include "base/memory/ref_counted.h" | |
19 #include "base/message_loop/message_loop_proxy.h" | |
20 #include "base/values.h" | |
21 #include "crypto/openssl_util.h" | |
22 #include "crypto/scoped_openssl_types.h" | |
23 #include "net/base/address_list.h" | |
24 #include "net/base/io_buffer.h" | |
25 #include "net/base/net_errors.h" | |
26 #include "net/base/net_log.h" | |
27 #include "net/base/net_log_unittest.h" | |
28 #include "net/base/test_completion_callback.h" | |
29 #include "net/base/test_data_directory.h" | |
30 #include "net/cert/mock_cert_verifier.h" | |
31 #include "net/cert/test_root_certs.h" | |
32 #include "net/dns/host_resolver.h" | |
33 #include "net/http/transport_security_state.h" | |
34 #include "net/socket/client_socket_factory.h" | |
35 #include "net/socket/client_socket_handle.h" | |
36 #include "net/socket/socket_test_util.h" | |
37 #include "net/socket/tcp_client_socket.h" | |
38 #include "net/ssl/openssl_client_key_store.h" | |
39 #include "net/ssl/ssl_cert_request_info.h" | |
40 #include "net/ssl/ssl_config_service.h" | |
41 #include "net/test/cert_test_util.h" | |
42 #include "net/test/spawned_test_server/spawned_test_server.h" | |
43 #include "testing/gtest/include/gtest/gtest.h" | |
44 #include "testing/platform_test.h" | |
45 | |
46 namespace net { | |
47 | |
48 namespace { | |
49 | |
50 // These client auth tests are currently dependent on OpenSSL's struct X509. | |
51 #if defined(USE_OPENSSL_CERTS) | |
52 | |
53 // Loads a PEM-encoded private key file into a scoped EVP_PKEY object. | |
54 // |filepath| is the private key file path. | |
55 // |*pkey| is reset to the new EVP_PKEY on success, untouched otherwise. | |
56 // Returns true on success, false on failure. | |
57 bool LoadPrivateKeyOpenSSL( | |
58 const base::FilePath& filepath, | |
59 crypto::ScopedEVP_PKEY* pkey) { | |
60 std::string data; | |
61 if (!base::ReadFileToString(filepath, &data)) { | |
62 LOG(ERROR) << "Could not read private key file: " | |
63 << filepath.value() << ": " << strerror(errno); | |
64 return false; | |
65 } | |
66 crypto::ScopedBIO bio(BIO_new_mem_buf( | |
67 const_cast<char*>(reinterpret_cast<const char*>(data.data())), | |
68 static_cast<int>(data.size()))); | |
69 if (!bio.get()) { | |
70 LOG(ERROR) << "Could not allocate BIO for buffer?"; | |
71 return false; | |
72 } | |
73 EVP_PKEY* result = PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL); | |
74 if (result == NULL) { | |
75 LOG(ERROR) << "Could not decode private key file: " | |
76 << filepath.value(); | |
77 return false; | |
78 } | |
79 pkey->reset(result); | |
80 return true; | |
81 } | |
82 | |
83 class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest { | |
84 public: | |
85 SSLClientSocketOpenSSLClientAuthTest() | |
86 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), | |
87 cert_verifier_(new MockCertVerifier), | |
88 transport_security_state_(new TransportSecurityState) { | |
89 cert_verifier_->set_default_result(OK); | |
90 context_.cert_verifier = cert_verifier_.get(); | |
91 context_.transport_security_state = transport_security_state_.get(); | |
92 key_store_ = OpenSSLClientKeyStore::GetInstance(); | |
93 } | |
94 | |
95 ~SSLClientSocketOpenSSLClientAuthTest() override { key_store_->Flush(); } | |
96 | |
97 protected: | |
98 scoped_ptr<SSLClientSocket> CreateSSLClientSocket( | |
99 scoped_ptr<StreamSocket> transport_socket, | |
100 const HostPortPair& host_and_port, | |
101 const SSLConfig& ssl_config) { | |
102 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle); | |
103 connection->SetSocket(transport_socket.Pass()); | |
104 return socket_factory_->CreateSSLClientSocket(connection.Pass(), | |
105 host_and_port, | |
106 ssl_config, | |
107 context_); | |
108 } | |
109 | |
110 // Connect to a HTTPS test server. | |
111 bool ConnectToTestServer(SpawnedTestServer::SSLOptions& ssl_options) { | |
112 test_server_.reset(new SpawnedTestServer(SpawnedTestServer::TYPE_HTTPS, | |
113 ssl_options, | |
114 base::FilePath())); | |
115 if (!test_server_->Start()) { | |
116 LOG(ERROR) << "Could not start SpawnedTestServer"; | |
117 return false; | |
118 } | |
119 | |
120 if (!test_server_->GetAddressList(&addr_)) { | |
121 LOG(ERROR) << "Could not get SpawnedTestServer address list"; | |
122 return false; | |
123 } | |
124 | |
125 transport_.reset(new TCPClientSocket( | |
126 addr_, &log_, NetLog::Source())); | |
127 int rv = callback_.GetResult( | |
128 transport_->Connect(callback_.callback())); | |
129 if (rv != OK) { | |
130 LOG(ERROR) << "Could not connect to SpawnedTestServer"; | |
131 return false; | |
132 } | |
133 return true; | |
134 } | |
135 | |
136 // Record a certificate's private key to ensure it can be used | |
137 // by the OpenSSL-based SSLClientSocket implementation. | |
138 // |ssl_config| provides a client certificate. | |
139 // |private_key| must be an EVP_PKEY for the corresponding private key. | |
140 // Returns true on success, false on failure. | |
141 bool RecordPrivateKey(SSLConfig& ssl_config, | |
142 EVP_PKEY* private_key) { | |
143 return key_store_->RecordClientCertPrivateKey( | |
144 ssl_config.client_cert.get(), private_key); | |
145 } | |
146 | |
147 // Create an SSLClientSocket object and use it to connect to a test | |
148 // server, then wait for connection results. This must be called after | |
149 // a succesful ConnectToTestServer() call. | |
150 // |ssl_config| the SSL configuration to use. | |
151 // |result| will retrieve the ::Connect() result value. | |
152 // Returns true on succes, false otherwise. Success means that the socket | |
153 // could be created and its Connect() was called, not that the connection | |
154 // itself was a success. | |
155 bool CreateAndConnectSSLClientSocket(const SSLConfig& ssl_config, | |
156 int* result) { | |
157 sock_ = CreateSSLClientSocket(transport_.Pass(), | |
158 test_server_->host_port_pair(), | |
159 ssl_config); | |
160 | |
161 if (sock_->IsConnected()) { | |
162 LOG(ERROR) << "SSL Socket prematurely connected"; | |
163 return false; | |
164 } | |
165 | |
166 *result = callback_.GetResult(sock_->Connect(callback_.callback())); | |
167 return true; | |
168 } | |
169 | |
170 | |
171 // Check that the client certificate was sent. | |
172 // Returns true on success. | |
173 bool CheckSSLClientSocketSentCert() { | |
174 SSLInfo ssl_info; | |
175 sock_->GetSSLInfo(&ssl_info); | |
176 return ssl_info.client_cert_sent; | |
177 } | |
178 | |
179 ClientSocketFactory* socket_factory_; | |
180 scoped_ptr<MockCertVerifier> cert_verifier_; | |
181 scoped_ptr<TransportSecurityState> transport_security_state_; | |
182 SSLClientSocketContext context_; | |
183 OpenSSLClientKeyStore* key_store_; | |
184 scoped_ptr<SpawnedTestServer> test_server_; | |
185 AddressList addr_; | |
186 TestCompletionCallback callback_; | |
187 CapturingNetLog log_; | |
188 scoped_ptr<StreamSocket> transport_; | |
189 scoped_ptr<SSLClientSocket> sock_; | |
190 }; | |
191 | |
192 // Connect to a server requesting client authentication, do not send | |
193 // any client certificates. It should refuse the connection. | |
194 TEST_F(SSLClientSocketOpenSSLClientAuthTest, NoCert) { | |
195 SpawnedTestServer::SSLOptions ssl_options; | |
196 ssl_options.request_client_certificate = true; | |
197 | |
198 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | |
199 | |
200 base::FilePath certs_dir = GetTestCertsDirectory(); | |
201 | |
202 int rv; | |
203 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv)); | |
204 | |
205 EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED, rv); | |
206 EXPECT_FALSE(sock_->IsConnected()); | |
207 } | |
208 | |
209 // Connect to a server requesting client authentication, and send it | |
210 // an empty certificate. It should refuse the connection. | |
211 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendEmptyCert) { | |
212 SpawnedTestServer::SSLOptions ssl_options; | |
213 ssl_options.request_client_certificate = true; | |
214 ssl_options.client_authorities.push_back( | |
215 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem")); | |
216 | |
217 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | |
218 | |
219 base::FilePath certs_dir = GetTestCertsDirectory(); | |
220 SSLConfig ssl_config; | |
221 ssl_config.send_client_cert = true; | |
222 ssl_config.client_cert = NULL; | |
223 | |
224 int rv; | |
225 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | |
226 | |
227 EXPECT_EQ(OK, rv); | |
228 EXPECT_TRUE(sock_->IsConnected()); | |
229 } | |
230 | |
231 // Connect to a server requesting client authentication. Send it a | |
232 // matching certificate. It should allow the connection. | |
233 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendGoodCert) { | |
234 SpawnedTestServer::SSLOptions ssl_options; | |
235 ssl_options.request_client_certificate = true; | |
236 ssl_options.client_authorities.push_back( | |
237 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem")); | |
238 | |
239 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | |
240 | |
241 base::FilePath certs_dir = GetTestCertsDirectory(); | |
242 SSLConfig ssl_config; | |
243 ssl_config.send_client_cert = true; | |
244 ssl_config.client_cert = ImportCertFromFile(certs_dir, "client_1.pem"); | |
245 | |
246 // This is required to ensure that signing works with the client | |
247 // certificate's private key. | |
248 crypto::ScopedEVP_PKEY client_private_key; | |
249 ASSERT_TRUE(LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key"), | |
250 &client_private_key)); | |
251 EXPECT_TRUE(RecordPrivateKey(ssl_config, client_private_key.get())); | |
252 | |
253 int rv; | |
254 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | |
255 | |
256 EXPECT_EQ(OK, rv); | |
257 EXPECT_TRUE(sock_->IsConnected()); | |
258 | |
259 EXPECT_TRUE(CheckSSLClientSocketSentCert()); | |
260 | |
261 sock_->Disconnect(); | |
262 EXPECT_FALSE(sock_->IsConnected()); | |
263 } | |
264 #endif // defined(USE_OPENSSL_CERTS) | |
265 | |
266 } // namespace | |
267 } // namespace net | |
OLD | NEW |