1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/base/keygen_handler.h"
9 #include "base/base64.h"
10 #include "base/bind.h"
11 #include "base/location.h"
12 #include "base/logging.h"
13 #include "base/threading/worker_pool.h"
14 #include "base/threading/thread_restrictions.h"
15 #include "base/synchronization/waitable_event.h"
16 #include "build/build_config.h"
17 #include "testing/gtest/include/gtest/gtest.h"
20 #include <private/pprthred.h> // PR_DetachThread
21 #include "crypto/nss_crypto_module_delegate.h"
22 #include "crypto/scoped_test_nss_db.h"
30 class StubCryptoModuleDelegate
: public crypto::NSSCryptoModuleDelegate
{
32 explicit StubCryptoModuleDelegate(crypto::ScopedPK11Slot slot
)
33 : slot_(slot
.Pass()) {}
35 std::string
RequestPassword(const std::string
& slot_name
,
37 bool* cancelled
) override
{
41 crypto::ScopedPK11Slot
RequestSlot() override
{
42 return crypto::ScopedPK11Slot(PK11_ReferenceSlot(slot_
.get()));
46 crypto::ScopedPK11Slot slot_
;
50 class KeygenHandlerTest
: public ::testing::Test
{
52 KeygenHandlerTest() {}
53 ~KeygenHandlerTest() override
{}
55 scoped_ptr
<KeygenHandler
> CreateKeygenHandler() {
56 scoped_ptr
<KeygenHandler
> handler(new KeygenHandler(
57 768, "some challenge", GURL("http://www.example.com")));
59 handler
->set_crypto_module_delegate(
60 scoped_ptr
<crypto::NSSCryptoModuleDelegate
>(
61 new StubCryptoModuleDelegate(crypto::ScopedPK11Slot(
62 PK11_ReferenceSlot(test_nss_db_
.slot())))));
64 return handler
.Pass();
69 crypto::ScopedTestNSSDB test_nss_db_
;
73 // Assert that |result| is a valid output for KeygenHandler given challenge
74 // string of |challenge|.
75 void AssertValidSignedPublicKeyAndChallenge(const std::string
& result
,
76 const std::string
& challenge
) {
77 ASSERT_GT(result
.length(), 0U);
79 // Verify it's valid base64:
81 ASSERT_TRUE(base::Base64Decode(result
, &spkac
));
82 // In lieu of actually parsing and validating the DER data,
83 // just check that it exists and has a reasonable length.
84 // (It's almost always 590 bytes, but the DER encoding of the random key
85 // and signature could sometimes be a few bytes different.)
86 ASSERT_GE(spkac
.length(), 200U);
87 ASSERT_LE(spkac
.length(), 300U);
90 // The value of |result| can be validated by prefixing 'SPKAC=' to it
91 // and piping it through
92 // openssl spkac -verify
93 // whose output should look like:
95 // Public Key Algorithm: rsaEncryption
96 // RSA Public Key: (2048 bit)
97 // Modulus (2048 bit):
98 // 00:b6:cc:14:c9:43:b5:2d:51:65:7e:11:8b:80:9e: .....
99 // Exponent: 65537 (0x10001)
100 // Challenge String: some challenge
101 // Signature Algorithm: md5WithRSAEncryption
102 // 92:f3:cc:ff:0b:d3:d0:4a:3a:4c:ba:ff:d6:38:7f:a5:4b:b5: .....
105 // The value of |spkac| can be ASN.1-parsed with:
106 // openssl asn1parse -inform DER
109 TEST_F(KeygenHandlerTest
, SmokeTest
) {
110 scoped_ptr
<KeygenHandler
> handler(CreateKeygenHandler());
111 handler
->set_stores_key(false); // Don't leave the key-pair behind
112 std::string result
= handler
->GenKeyAndSignChallenge();
113 VLOG(1) << "KeygenHandler produced: " << result
;
114 AssertValidSignedPublicKeyAndChallenge(result
, "some challenge");
117 void ConcurrencyTestCallback(const std::string
& challenge
,
118 base::WaitableEvent
* event
,
119 scoped_ptr
<KeygenHandler
> handler
,
120 std::string
* result
) {
121 // We allow Singleton use on the worker thread here since we use a
122 // WaitableEvent to synchronize, so it's safe.
123 base::ThreadRestrictions::ScopedAllowSingleton scoped_allow_singleton
;
124 handler
->set_stores_key(false); // Don't leave the key-pair behind.
125 *result
= handler
->GenKeyAndSignChallenge();
128 // Detach the thread from NSPR.
129 // Calling NSS functions attaches the thread to NSPR, which stores
130 // the NSPR thread ID in thread-specific data.
131 // The threads in our thread pool terminate after we have called
132 // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets
133 // segfaults on shutdown when the threads' thread-specific data
139 // We asynchronously generate the keys so as not to hang up the IO thread. This
140 // test tries to catch concurrency problems in the keygen implementation.
141 TEST_F(KeygenHandlerTest
, ConcurrencyTest
) {
142 const int NUM_HANDLERS
= 5;
143 base::WaitableEvent
* events
[NUM_HANDLERS
] = { NULL
};
144 std::string results
[NUM_HANDLERS
];
145 for (int i
= 0; i
< NUM_HANDLERS
; i
++) {
146 scoped_ptr
<KeygenHandler
> handler(CreateKeygenHandler());
147 events
[i
] = new base::WaitableEvent(false, false);
148 base::WorkerPool::PostTask(FROM_HERE
,
149 base::Bind(ConcurrencyTestCallback
,
152 base::Passed(&handler
),
157 for (int i
= 0; i
< NUM_HANDLERS
; i
++) {
158 // Make sure the job completed
163 VLOG(1) << "KeygenHandler " << i
<< " produced: " << results
[i
];
164 AssertValidSignedPublicKeyAndChallenge(results
[i
], "some challenge");