search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Adding the orphaned options pages to the navigation
[chromium-blink-merge.git] / net / socket / ssl_client_socket_openssl_unittest.cc
blobba45a0cbfcedaed698d178d51da41d69c6685e07
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/socket/ssl_client_socket.h"
6
7 #include <errno.h>
8 #include <string.h>
9
10 #include <openssl/bio.h>
11 #include <openssl/bn.h>
12 #include <openssl/evp.h>
13 #include <openssl/pem.h>
14 #include <openssl/rsa.h>
15
16 #include "base/files/file_path.h"
17 #include "base/files/file_util.h"
18 #include "base/memory/ref_counted.h"
19 #include "base/message_loop/message_loop_proxy.h"
20 #include "base/values.h"
21 #include "crypto/openssl_util.h"
22 #include "crypto/scoped_openssl_types.h"
23 #include "net/base/address_list.h"
24 #include "net/base/io_buffer.h"
25 #include "net/base/net_errors.h"
26 #include "net/base/net_log.h"
27 #include "net/base/net_log_unittest.h"
28 #include "net/base/test_completion_callback.h"
29 #include "net/base/test_data_directory.h"
30 #include "net/cert/mock_cert_verifier.h"
31 #include "net/cert/test_root_certs.h"
32 #include "net/dns/host_resolver.h"
33 #include "net/http/transport_security_state.h"
34 #include "net/socket/client_socket_factory.h"
35 #include "net/socket/client_socket_handle.h"
36 #include "net/socket/socket_test_util.h"
37 #include "net/socket/tcp_client_socket.h"
38 #include "net/ssl/openssl_client_key_store.h"
39 #include "net/ssl/ssl_cert_request_info.h"
40 #include "net/ssl/ssl_config_service.h"
41 #include "net/test/cert_test_util.h"
42 #include "net/test/spawned_test_server/spawned_test_server.h"
43 #include "testing/gtest/include/gtest/gtest.h"
44 #include "testing/platform_test.h"
45
46 namespace net {
47
48 namespace {
49
50 // These client auth tests are currently dependent on OpenSSL's struct X509.
51 #if defined(USE_OPENSSL_CERTS)
52
53 // Loads a PEM-encoded private key file into a scoped EVP_PKEY object.
54 // |filepath| is the private key file path.
55 // |*pkey| is reset to the new EVP_PKEY on success, untouched otherwise.
56 // Returns true on success, false on failure.
57 bool LoadPrivateKeyOpenSSL(
58 const base::FilePath& filepath,
59 crypto::ScopedEVP_PKEY* pkey) {
60 std::string data;
61 if (!base::ReadFileToString(filepath, &data)) {
62 LOG(ERROR) << "Could not read private key file: "
63 << filepath.value() << ": " << strerror(errno);
64 return false;
65 }
66 crypto::ScopedBIO bio(BIO_new_mem_buf(
67 const_cast<char*>(reinterpret_cast<const char*>(data.data())),
68 static_cast<int>(data.size())));
69 if (!bio.get()) {
70 LOG(ERROR) << "Could not allocate BIO for buffer?";
71 return false;
72 }
73 EVP_PKEY* result = PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL);
74 if (result == NULL) {
75 LOG(ERROR) << "Could not decode private key file: "
76 << filepath.value();
77 return false;
78 }
79 pkey->reset(result);
80 return true;
81 }
82
83 class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest {
84 public:
85 SSLClientSocketOpenSSLClientAuthTest()
86 : socket_factory_(ClientSocketFactory::GetDefaultFactory()),
87 cert_verifier_(new MockCertVerifier),
88 transport_security_state_(new TransportSecurityState) {
89 cert_verifier_->set_default_result(OK);
90 context_.cert_verifier = cert_verifier_.get();
91 context_.transport_security_state = transport_security_state_.get();
92 key_store_ = OpenSSLClientKeyStore::GetInstance();
93 }
94
95 ~SSLClientSocketOpenSSLClientAuthTest() override { key_store_->Flush(); }
96
97 protected:
98 scoped_ptr<SSLClientSocket> CreateSSLClientSocket(
99 scoped_ptr<StreamSocket> transport_socket,
100 const HostPortPair& host_and_port,
101 const SSLConfig& ssl_config) {
102 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle);
103 connection->SetSocket(transport_socket.Pass());
104 return socket_factory_->CreateSSLClientSocket(connection.Pass(),
105 host_and_port,
106 ssl_config,
107 context_);
108 }
109
110 // Connect to a HTTPS test server.
111 bool ConnectToTestServer(SpawnedTestServer::SSLOptions& ssl_options) {
112 test_server_.reset(new SpawnedTestServer(SpawnedTestServer::TYPE_HTTPS,
113 ssl_options,
114 base::FilePath()));
115 if (!test_server_->Start()) {
116 LOG(ERROR) << "Could not start SpawnedTestServer";
117 return false;
118 }
119
120 if (!test_server_->GetAddressList(&addr_)) {
121 LOG(ERROR) << "Could not get SpawnedTestServer address list";
122 return false;
123 }
124
125 transport_.reset(new TCPClientSocket(
126 addr_, &log_, NetLog::Source()));
127 int rv = callback_.GetResult(
128 transport_->Connect(callback_.callback()));
129 if (rv != OK) {
130 LOG(ERROR) << "Could not connect to SpawnedTestServer";
131 return false;
132 }
133 return true;
134 }
135
136 // Record a certificate's private key to ensure it can be used
137 // by the OpenSSL-based SSLClientSocket implementation.
138 // |ssl_config| provides a client certificate.
139 // |private_key| must be an EVP_PKEY for the corresponding private key.
140 // Returns true on success, false on failure.
141 bool RecordPrivateKey(SSLConfig& ssl_config,
142 EVP_PKEY* private_key) {
143 return key_store_->RecordClientCertPrivateKey(
144 ssl_config.client_cert.get(), private_key);
145 }
146
147 // Create an SSLClientSocket object and use it to connect to a test
148 // server, then wait for connection results. This must be called after
149 // a succesful ConnectToTestServer() call.
150 // |ssl_config| the SSL configuration to use.
151 // |result| will retrieve the ::Connect() result value.
152 // Returns true on succes, false otherwise. Success means that the socket
153 // could be created and its Connect() was called, not that the connection
154 // itself was a success.
155 bool CreateAndConnectSSLClientSocket(const SSLConfig& ssl_config,
156 int* result) {
157 sock_ = CreateSSLClientSocket(transport_.Pass(),
158 test_server_->host_port_pair(),
159 ssl_config);
160
161 if (sock_->IsConnected()) {
162 LOG(ERROR) << "SSL Socket prematurely connected";
163 return false;
164 }
165
166 *result = callback_.GetResult(sock_->Connect(callback_.callback()));
167 return true;
168 }
169
170
171 // Check that the client certificate was sent.
172 // Returns true on success.
173 bool CheckSSLClientSocketSentCert() {
174 SSLInfo ssl_info;
175 sock_->GetSSLInfo(&ssl_info);
176 return ssl_info.client_cert_sent;
177 }
178
179 ClientSocketFactory* socket_factory_;
180 scoped_ptr<MockCertVerifier> cert_verifier_;
181 scoped_ptr<TransportSecurityState> transport_security_state_;
182 SSLClientSocketContext context_;
183 OpenSSLClientKeyStore* key_store_;
184 scoped_ptr<SpawnedTestServer> test_server_;
185 AddressList addr_;
186 TestCompletionCallback callback_;
187 CapturingNetLog log_;
188 scoped_ptr<StreamSocket> transport_;
189 scoped_ptr<SSLClientSocket> sock_;
190 };
191
192 // Connect to a server requesting client authentication, do not send
193 // any client certificates. It should refuse the connection.
194 TEST_F(SSLClientSocketOpenSSLClientAuthTest, NoCert) {
195 SpawnedTestServer::SSLOptions ssl_options;
196 ssl_options.request_client_certificate = true;
197
198 ASSERT_TRUE(ConnectToTestServer(ssl_options));
199
200 base::FilePath certs_dir = GetTestCertsDirectory();
201
202 int rv;
203 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
204
205 EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED, rv);
206 EXPECT_FALSE(sock_->IsConnected());
207 }
208
209 // Connect to a server requesting client authentication, and send it
210 // an empty certificate. It should refuse the connection.
211 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendEmptyCert) {
212 SpawnedTestServer::SSLOptions ssl_options;
213 ssl_options.request_client_certificate = true;
214 ssl_options.client_authorities.push_back(
215 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem"));
216
217 ASSERT_TRUE(ConnectToTestServer(ssl_options));
218
219 base::FilePath certs_dir = GetTestCertsDirectory();
220 SSLConfig ssl_config;
221 ssl_config.send_client_cert = true;
222 ssl_config.client_cert = NULL;
223
224 int rv;
225 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
226
227 EXPECT_EQ(OK, rv);
228 EXPECT_TRUE(sock_->IsConnected());
229 }
230
231 // Connect to a server requesting client authentication. Send it a
232 // matching certificate. It should allow the connection.
233 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendGoodCert) {
234 SpawnedTestServer::SSLOptions ssl_options;
235 ssl_options.request_client_certificate = true;
236 ssl_options.client_authorities.push_back(
237 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem"));
238
239 ASSERT_TRUE(ConnectToTestServer(ssl_options));
240
241 base::FilePath certs_dir = GetTestCertsDirectory();
242 SSLConfig ssl_config;
243 ssl_config.send_client_cert = true;
244 ssl_config.client_cert = ImportCertFromFile(certs_dir, "client_1.pem");
245
246 // This is required to ensure that signing works with the client
247 // certificate's private key.
248 crypto::ScopedEVP_PKEY client_private_key;
249 ASSERT_TRUE(LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key"),
250 &client_private_key));
251 EXPECT_TRUE(RecordPrivateKey(ssl_config, client_private_key.get()));
252
253 int rv;
254 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
255
256 EXPECT_EQ(OK, rv);
257 EXPECT_TRUE(sock_->IsConnected());
258
259 EXPECT_TRUE(CheckSSLClientSocketSentCert());
260
261 sock_->Disconnect();
262 EXPECT_FALSE(sock_->IsConnected());
263 }
264 #endif // defined(USE_OPENSSL_CERTS)
265
266 } // namespace
267 } // namespace net