Chromium Code Reviews Chromium Code Reviews
Issue 994743003:
Support for client certs in ssl_server_socket.
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: net/socket/ssl_server_socket_unittest.cc |
| diff --git a/net/socket/ssl_server_socket_unittest.cc b/net/socket/ssl_server_socket_unittest.cc |
| index d13dba869585a229ca4affcb23912071bc672337..3f0c81d13c0bd1979ec856eadd5f127149d6b429 100644 |
| --- a/net/socket/ssl_server_socket_unittest.cc |
| +++ b/net/socket/ssl_server_socket_unittest.cc |
| @@ -41,6 +41,7 @@ |
| #include "net/socket/socket_test_util.h" |
| #include "net/socket/ssl_client_socket.h" |
| #include "net/socket/stream_socket.h" |
| +#include "net/ssl/ssl_cert_request_info.h" |
| #include "net/ssl/ssl_config_service.h" |
| #include "net/ssl/ssl_info.h" |
| #include "net/test/cert_test_util.h" |
| @@ -71,7 +72,7 @@ class FakeDataChannel { |
| read_buf_len_ = buf_len; |
| return ERR_IO_PENDING; |
| } |
| - return PropogateData(buf, buf_len); |
| + return PropagateData(buf, buf_len); |
| } |
| int Write(IOBuffer* buf, int buf_len, const CompletionCallback& callback) { |
| @@ -102,14 +103,20 @@ class FakeDataChannel { |
| // asynchronously, which is necessary to reproduce bug 127822. |
| void Close() { |
| closed_ = true; |
| + if (!read_callback_.is_null()) { |
| + base::MessageLoop::current()->PostTask( |
| + FROM_HERE, base::Bind(&FakeDataChannel::DoReadCallback, |
| + weak_factory_.GetWeakPtr())); |
| + } |
| } |
| private: |
| void DoReadCallback() { |
| - if (read_callback_.is_null() || data_.empty()) |
| + if (read_callback_.is_null()) |
| + return; |
| + int copied = PropagateData(read_buf_, read_buf_len_); |
| + if (!copied && !closed_) |
| return; |
| - |
| - int copied = PropogateData(read_buf_, read_buf_len_); |
| CompletionCallback callback = read_callback_; |
| read_callback_.Reset(); |
| read_buf_ = NULL; |
| @@ -126,7 +133,9 @@ class FakeDataChannel { |
| callback.Run(ERR_CONNECTION_RESET); |
| } |
| - int PropogateData(scoped_refptr<IOBuffer> read_buf, int read_buf_len) { |
| + int PropagateData(scoped_refptr<IOBuffer> read_buf, int read_buf_len) { |
| + if (data_.empty()) |
| + return 0; |
| scoped_refptr<DrainableIOBuffer> buf = data_.front(); |
| int copied = std::min(buf->BytesRemaining(), read_buf_len); |
| memcpy(read_buf->data(), buf->data(), copied); |
| @@ -278,11 +287,25 @@ TEST(FakeSocketTest, DataTransfer) { |
| class SSLServerSocketTest : public PlatformTest { |
| public: |
| + enum ClientCertSupply { |
| + kNoneSupplied = 0, |
| + kCorrectCertSupplied = 1, |
| + kWrongCertSupplied = 2 |
| + }; |
| + |
| + enum ClientCertExpect { |
| + kNoneExpected = 0, |
| + kCertAllowed = 1, |
| + kCertRequired = 2 |
| + }; |
| + |
| SSLServerSocketTest() |
| : socket_factory_(ClientSocketFactory::GetDefaultFactory()), |
| cert_verifier_(new MockCertVerifier()), |
| + client_cert_verifier_(new MockCertVerifier()), |
| transport_security_state_(new TransportSecurityState) { |
| cert_verifier_->set_default_result(CERT_STATUS_AUTHORITY_INVALID); |
| + client_cert_verifier_->set_default_result(CERT_STATUS_AUTHORITY_INVALID); |
| } |
| protected: |
| @@ -293,46 +316,99 @@ class SSLServerSocketTest : public PlatformTest { |
| scoped_ptr<StreamSocket> server_socket( |
| new FakeSocket(&channel_2_, &channel_1_)); |
| - base::FilePath certs_dir(GetTestCertsDirectory()); |
| - |
| - base::FilePath cert_path = certs_dir.AppendASCII("unittest.selfsigned.der"); |
| - std::string cert_der; |
| - ASSERT_TRUE(base::ReadFileToString(cert_path, &cert_der)); |
| - |
| - scoped_refptr<X509Certificate> cert = |
| - X509Certificate::CreateFromBytes(cert_der.data(), cert_der.size()); |
| - |
| - base::FilePath key_path = certs_dir.AppendASCII("unittest.key.bin"); |
| - std::string key_string; |
| - ASSERT_TRUE(base::ReadFileToString(key_path, &key_string)); |
| - std::vector<uint8> key_vector( |
| - reinterpret_cast<const uint8*>(key_string.data()), |
| - reinterpret_cast<const uint8*>(key_string.data() + |
| - key_string.length())); |
| - |
| - scoped_ptr<crypto::RSAPrivateKey> private_key( |
| - crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_vector)); |
| + std::string server_cert_der; |
| + scoped_refptr<X509Certificate> server_cert( |
| + ReadTestCert("unittest.selfsigned.der", &server_cert_der)); |
| + scoped_ptr<crypto::RSAPrivateKey> server_private_key( |
| + ReadTestKey("unittest.key.bin")); |
| - SSLConfig ssl_config; |
| - ssl_config.false_start_enabled = false; |
| - ssl_config.channel_id_enabled = false; |
| + SSLConfig ssl_client_config; |
| + ssl_client_config.false_start_enabled = false; |
| + ssl_client_config.channel_id_enabled = false; |
| // Certificate provided by the host doesn't need authority. |
| SSLConfig::CertAndStatus cert_and_status; |
| cert_and_status.cert_status = CERT_STATUS_AUTHORITY_INVALID; |
| - cert_and_status.der_cert = cert_der; |
| - ssl_config.allowed_bad_certs.push_back(cert_and_status); |
| + cert_and_status.der_cert = server_cert_der; |
| + ssl_client_config.allowed_bad_certs.push_back(cert_and_status); |
| + SSLConfig ssl_server_config; |
| HostPortPair host_and_pair("unittest", 0); |
| SSLClientSocketContext context; |
| context.cert_verifier = cert_verifier_.get(); |
| context.transport_security_state = transport_security_state_.get(); |
| - client_socket_ = |
| - socket_factory_->CreateSSLClientSocket( |
| - client_connection.Pass(), host_and_pair, ssl_config, context); |
| - server_socket_ = CreateSSLServerSocket( |
| - server_socket.Pass(), |
| - cert.get(), private_key.get(), SSLConfig()); |
| + socket_factory_->ClearSSLSessionCache(); |
| + client_socket_ = socket_factory_->CreateSSLClientSocket( |
| + client_connection.Pass(), host_and_pair, ssl_client_config, context); |
| + |
| + server_socket_ = |
| + CreateSSLServerSocket(server_socket.Pass(), server_cert.get(), |
| + server_private_key.get(), ssl_server_config); |
| + } |
| + |
| + void InitializeClientCertsForClient(ClientCertSupply supply) { |
| + scoped_refptr<X509Certificate> cert; |
| + scoped_ptr<crypto::RSAPrivateKey> key; |
| + if (supply != kNoneSupplied) { |
| + const char* cert_file_name = supply == kCorrectCertSupplied |
| + ? kClientCertFileName |
| + : kWrongClientCertFileName; |
| + const char* private_key_file_name = supply == kCorrectCertSupplied |
| + ? kClientPrivateKeyFileName |
| + : kWrongClientPrivateKeyFileName; |
| + cert = ImportCertFromFile(GetTestCertsDirectory(), cert_file_name); |
| + key.reset(ReadTestKey(private_key_file_name)); |
| + } |
| + client_socket_->ForceClientCertificateAndKeyForTest(cert, key.Pass()); |
| + } |
| + |
| + void InitializeClientCertsForServer(ClientCertExpect expect) { |
| + if (expect == kNoneExpected) |
| + return; |
| + |
| + server_socket_->SetAllowClientCert(true); |
| + |
| + if (expect == kCertRequired) { |
| + scoped_refptr<X509Certificate> expected_client_ca_cert( |
| + ImportCertFromFile(GetTestCertsDirectory(), kClientCertCAFileName)); |
| + CertificateList ca_list; |
| + ca_list.push_back(expected_client_ca_cert); |
| + server_socket_->SetClientCertCAList(ca_list); |
| + scoped_refptr<X509Certificate> expected_client_cert( |
| + ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName)); |
| + CertVerifyResult ignored; |
| + ignored.verified_cert = expected_client_cert; |
| + ignored.cert_status = 0; |
| + client_cert_verifier_->AddResultForCert(expected_client_cert.get(), |
| + ignored, OK); |
| + server_socket_->SetClientCertVerifier(client_cert_verifier_.get()); |
| + } |
| + } |
| + |
| + X509Certificate* ReadTestCert(const base::StringPiece& name, |
| + std::string* cert_der) { |
| + base::FilePath certs_dir(GetTestCertsDirectory()); |
| + base::FilePath cert_path = certs_dir.AppendASCII(name); |
| + std::string unneeded; |
| + if (!cert_der) { |
| + cert_der = &unneeded; |
| + } |
|
Ryan Sleevi
2015/03/19 04:38:25
no braces
|
| + if (!base::ReadFileToString(cert_path, cert_der)) |
| + return NULL; |
| + return X509Certificate::CreateFromBytes(cert_der->data(), cert_der->size()); |
| + } |
| + |
| + crypto::RSAPrivateKey* ReadTestKey(const base::StringPiece& name) { |
| + base::FilePath certs_dir(GetTestCertsDirectory()); |
| + base::FilePath key_path = certs_dir.AppendASCII(name); |
| + std::string key_string; |
| + if (!base::ReadFileToString(key_path, &key_string)) |
| + return NULL; |
| + std::vector<uint8> key_vector( |
| + reinterpret_cast<const uint8*>(key_string.data()), |
| + reinterpret_cast<const uint8*>(key_string.data() + |
| + key_string.length())); |
| + return crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_vector); |
| } |
| FakeDataChannel channel_1_; |
| @@ -341,7 +417,15 @@ class SSLServerSocketTest : public PlatformTest { |
| scoped_ptr<SSLServerSocket> server_socket_; |
| ClientSocketFactory* socket_factory_; |
| scoped_ptr<MockCertVerifier> cert_verifier_; |
| + scoped_ptr<MockCertVerifier> client_cert_verifier_; |
| scoped_ptr<TransportSecurityState> transport_security_state_; |
| + CertificateList trusted_certs_; |
| + |
| + const char* kClientCertFileName = "client_1.pem"; |
|
Ryan Sleevi
2015/03/19 04:38:25
STYLE:
const char kClientCertFilename[] =
But r
|
| + const char* kClientPrivateKeyFileName = "client_1.pk8"; |
| + const char* kWrongClientCertFileName = "client_2.pem"; |
| + const char* kWrongClientPrivateKeyFileName = "client_2.pk8"; |
| + const char* kClientCertCAFileName = "client_1_ca.pem"; |
| }; |
| // This test only executes creation of client and server sockets. This is to |
| @@ -379,6 +463,147 @@ TEST_F(SSLServerSocketTest, Handshake) { |
| EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info.cert_status); |
| } |
| +// TODO(dougsteed). The following tests using client certificates cannot |
| +// be performed if NSS with platform-based client auth is in use. That's because |
| +// the tests use SSLClientSocket to make requests against the server, and on |
| +// those builds, that class does not support supplying of a test key and cert. |
| +// An alternative approach that would broaden the applicability of these tests |
| +// would be to build and use the openssl flavor of SSLClientSocket, even |
| +// on NSS platforms. |
| +#if !defined(USE_NSS) || !defined(NSS_PLATFORM_CLIENT_AUTH) |
| + |
| +// This test executes Connect() on SSLClientSocket and Handshake() on |
| +// SSLServerSocket to make sure handshaking between the two sockets is |
| +// completed successfully, using client certificate. |
| +TEST_F(SSLServerSocketTest, HandshakeWithClientCert) { |
| + scoped_refptr<X509Certificate> client_cert = |
| + ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName); |
| + Initialize(); |
| + InitializeClientCertsForServer(kCertAllowed); |
| + InitializeClientCertsForClient(kCorrectCertSupplied); |
| + |
| + TestCompletionCallback connect_callback; |
| + TestCompletionCallback handshake_callback; |
| + |
| + int server_ret = server_socket_->Handshake(handshake_callback.callback()); |
| + EXPECT_TRUE(server_ret == OK || server_ret == ERR_IO_PENDING); |
| + |
| + int client_ret = client_socket_->Connect(connect_callback.callback()); |
| + EXPECT_TRUE(client_ret == OK || client_ret == ERR_IO_PENDING); |
| + |
| + if (client_ret == ERR_IO_PENDING) { |
| + EXPECT_EQ(OK, connect_callback.WaitForResult()); |
| + } |
| + if (server_ret == ERR_IO_PENDING) { |
| + EXPECT_EQ(OK, handshake_callback.WaitForResult()); |
| + } |
| + |
| + // Make sure the cert status is expected. |
| + SSLInfo ssl_info; |
| + client_socket_->GetSSLInfo(&ssl_info); |
| + EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info.cert_status); |
| + server_socket_->GetSSLInfo(&ssl_info); |
| + EXPECT_TRUE(ssl_info.client_cert_sent); |
| + EXPECT_TRUE(ssl_info.client_cert_sent); |
| + EXPECT_TRUE(ssl_info.cert.get()); |
| + EXPECT_TRUE(client_cert->Equals(ssl_info.cert.get())); |
| +} |
| + |
| +TEST_F(SSLServerSocketTest, HandshakeWithClientCertAllowedNotSupplied) { |
| + scoped_refptr<X509Certificate> client_cert = |
| + ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName); |
| + Initialize(); |
| + InitializeClientCertsForServer(kCertAllowed); |
| + InitializeClientCertsForClient(kNoneSupplied); |
| + |
| + TestCompletionCallback connect_callback; |
| + TestCompletionCallback handshake_callback; |
| + |
| + int server_ret = server_socket_->Handshake(handshake_callback.callback()); |
| + EXPECT_TRUE(server_ret == OK || server_ret == ERR_IO_PENDING); |
| + |
| + int client_ret = client_socket_->Connect(connect_callback.callback()); |
| + EXPECT_TRUE(client_ret == OK || client_ret == ERR_IO_PENDING); |
| + |
| + if (client_ret == ERR_IO_PENDING) { |
| + EXPECT_EQ(OK, connect_callback.WaitForResult()); |
| + } |
| + if (server_ret == ERR_IO_PENDING) { |
| + EXPECT_EQ(OK, handshake_callback.WaitForResult()); |
| + } |
| +} |
| + |
| +TEST_F(SSLServerSocketTest, HandshakeWithClientCertRequiredNotSupplied) { |
| + Initialize(); |
| + InitializeClientCertsForServer(kCertRequired); |
| + // We use the default setting for the client socket. This causes the client to |
| + // get SSL_CLIENT_AUTH_CERT_NEEDED. This code path allows us to access the |
| + // cert_authorities from the CertificateRequest. |
| + |
| + TestCompletionCallback connect_callback; |
| + TestCompletionCallback handshake_callback; |
| + |
| + int server_ret = server_socket_->Handshake(handshake_callback.callback()); |
| + EXPECT_TRUE(server_ret == ERR_IO_PENDING); |
| + |
| + int client_ret = client_socket_->Connect(connect_callback.callback()); |
| + EXPECT_TRUE(client_ret == ERR_SSL_CLIENT_AUTH_CERT_NEEDED || |
| + client_ret == ERR_IO_PENDING); |
| + |
| + if (client_ret == ERR_IO_PENDING) { |
| + EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED, |
| + connect_callback.WaitForResult()); |
| + } |
| + |
| + scoped_refptr<SSLCertRequestInfo> request_info = new SSLCertRequestInfo(); |
| + client_socket_->GetSSLCertRequestInfo(request_info.get()); |
| + |
| + // Check that the authority name that arrived in the CertificateRequest |
| + // handshake message is as expected. |
| + scoped_refptr<X509Certificate> client_cert = |
| + ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName); |
| + EXPECT_TRUE(client_cert->IsIssuedByEncoded(request_info->cert_authorities)); |
| + |
| + client_socket_->Disconnect(); |
| + |
| + if (server_ret == ERR_IO_PENDING) { |
| + server_ret = handshake_callback.WaitForResult(); |
| + EXPECT_TRUE(server_ret == ERR_CONNECTION_CLOSED || |
| + server_ret == ERR_FAILED); |
| + } |
| +} |
| + |
| +TEST_F(SSLServerSocketTest, HandshakeWithWrongClientCertSupplied) { |
| + scoped_refptr<X509Certificate> client_cert = |
| + ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName); |
| + Initialize(); |
| + InitializeClientCertsForServer(kCertRequired); |
| + InitializeClientCertsForClient(kWrongCertSupplied); |
| + |
| + TestCompletionCallback connect_callback; |
| + TestCompletionCallback handshake_callback; |
| + |
| + int server_ret = server_socket_->Handshake(handshake_callback.callback()); |
| + EXPECT_TRUE(server_ret == ERR_IO_PENDING); |
| + |
| + int client_ret = client_socket_->Connect(connect_callback.callback()); |
| + EXPECT_TRUE(client_ret == ERR_BAD_SSL_CLIENT_AUTH_CERT || |
| + client_ret == ERR_IO_PENDING); |
| + |
| + if (client_ret == ERR_IO_PENDING) { |
| + EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT, connect_callback.WaitForResult()); |
| + } |
| + |
| + server_ret = handshake_callback.WaitForResult(); |
| + // We get a different result on NSS and OpenSSL. That's because an error |
| + // mapping with OpenSSL makes an assumption that is true for SSLClientSocket |
| + // but not SSLServerSocket (namely that peer cert rejection only occurs due to |
| + // a cert change during renego). |
| + EXPECT_TRUE(server_ret == ERR_BAD_SSL_CLIENT_AUTH_CERT || |
| + server_ret == ERR_SSL_SERVER_CERT_CHANGED); |
| +} |
| +#endif //!defined(USE_NSS) || !defined(NSS_PLATFORM_CLIENT_AUTH) |
| + |
| TEST_F(SSLServerSocketTest, DataTransfer) { |
| Initialize(); |
