search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Lots of random cleanups, mostly for native_theme_win.cc:
[chromium-blink-merge.git] / net / android / keystore_unittest.cc
blob076693f850f97fccdad41630ea508d42cef11072
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <openssl/bn.h>
6 #include <openssl/dsa.h>
7 #include <openssl/ecdsa.h>
8 #include <openssl/err.h>
9 #include <openssl/evp.h>
10 #include <openssl/pem.h>
11 #include <openssl/rsa.h>
12 #include <openssl/x509.h>
13
14 #include "base/android/build_info.h"
15 #include "base/android/jni_android.h"
16 #include "base/android/jni_array.h"
17 #include "base/android/scoped_java_ref.h"
18 #include "base/basictypes.h"
19 #include "base/bind.h"
20 #include "base/callback.h"
21 #include "base/compiler_specific.h"
22 #include "base/file_util.h"
23 #include "base/files/file_path.h"
24 #include "base/files/scoped_file.h"
25 #include "base/strings/string_number_conversions.h"
26 #include "base/strings/string_util.h"
27 #include "crypto/openssl_util.h"
28 #include "crypto/scoped_openssl_types.h"
29 #include "jni/AndroidKeyStoreTestUtil_jni.h"
30 #include "net/android/keystore.h"
31 #include "net/android/keystore_openssl.h"
32 #include "net/base/test_data_directory.h"
33 #include "testing/gtest/include/gtest/gtest.h"
34
35 // Technical note:
36 //
37 // This source file not only checks that signing with
38 // RawSignDigestWithPrivateKey() works correctly, it also verifies that
39 // the generated signature matches 100% of what OpenSSL generates when
40 // calling RSA_sign(NID_md5_sha1,...), DSA_sign(0, ...) or
41 // ECDSA_sign(0, ...).
42 //
43 // That's crucial to ensure that this function can later be used to
44 // implement client certificate support. More specifically, that it is
45 // possible to create a custom EVP_PKEY that uses
46 // RawSignDigestWithPrivateKey() internally to perform RSA/DSA/ECDSA
47 // signing, as invoked by the OpenSSL code at
48 // openssl/ssl/s3_clnt.c:ssl3_send_client_verify().
49 //
50 // For more details, read the comments in AndroidKeyStore.java.
51 //
52 // Finally, it also checks that using the EVP_PKEY generated with
53 // GetOpenSSLPrivateKeyWrapper() works correctly.
54
55 namespace net {
56 namespace android {
57
58 namespace {
59
60 typedef crypto::ScopedOpenSSL<PKCS8_PRIV_KEY_INFO,
61 PKCS8_PRIV_KEY_INFO_free>::Type
62 ScopedPKCS8_PRIV_KEY_INFO;
63
64 typedef base::android::ScopedJavaLocalRef<jobject> ScopedJava;
65
66 JNIEnv* InitEnv() {
67 JNIEnv* env = base::android::AttachCurrentThread();
68 static bool inited = false;
69 if (!inited) {
70 RegisterNativesImpl(env);
71 inited = true;
72 }
73 return env;
74 }
75
76 // Returns true if running on an Android version older than 4.2
77 bool IsOnAndroidOlderThan_4_2(void) {
78 const int kAndroid42ApiLevel = 17;
79 int level = base::android::BuildInfo::GetInstance()->sdk_int();
80 return level < kAndroid42ApiLevel;
81 }
82
83 // Implements the callback expected by ERR_print_errors_cb().
84 // used by GetOpenSSLErrorString below.
85 int openssl_print_error_callback(const char* msg, size_t msglen, void* u) {
86 std::string* result = reinterpret_cast<std::string*>(u);
87 result->append(msg, msglen);
88 return 1;
89 }
90
91 // Retrieves the OpenSSL error as a string
92 std::string GetOpenSSLErrorString(void) {
93 std::string result;
94 ERR_print_errors_cb(openssl_print_error_callback, &result);
95 return result;
96 }
97
98 // Resize a string to |size| bytes of data, then return its data buffer
99 // address cast as an 'unsigned char*', as expected by OpenSSL functions.
100 // |str| the target string.
101 // |size| the number of bytes to write into the string.
102 // Return the string's new buffer in memory, as an 'unsigned char*'
103 // pointer.
104 unsigned char* OpenSSLWriteInto(std::string* str, size_t size) {
105 return reinterpret_cast<unsigned char*>(WriteInto(str, size + 1));
106 }
107
108 // Load a given private key file into an EVP_PKEY.
109 // |filename| is the key file path.
110 // Returns a new EVP_PKEY on success, NULL on failure.
111 EVP_PKEY* ImportPrivateKeyFile(const char* filename) {
112 // Load file in memory.
113 base::FilePath certs_dir = GetTestCertsDirectory();
114 base::FilePath file_path = certs_dir.AppendASCII(filename);
115 base::ScopedFILE handle(base::OpenFile(file_path, "rb"));
116 if (!handle.get()) {
117 LOG(ERROR) << "Could not open private key file: " << filename;
118 return NULL;
119 }
120 // Assume it is PEM_encoded. Load it as an EVP_PKEY.
121 EVP_PKEY* pkey = PEM_read_PrivateKey(handle.get(), NULL, NULL, NULL);
122 if (!pkey) {
123 LOG(ERROR) << "Could not load public key file: " << filename
124 << ", " << GetOpenSSLErrorString();
125 return NULL;
126 }
127 return pkey;
128 }
129
130 // Convert a private key into its PKCS#8 encoded representation.
131 // |pkey| is the EVP_PKEY handle for the private key.
132 // |pkcs8| will receive the PKCS#8 bytes.
133 // Returns true on success, false otherwise.
134 bool GetPrivateKeyPkcs8Bytes(const crypto::ScopedEVP_PKEY& pkey,
135 std::string* pkcs8) {
136 // Convert to PKCS#8 object.
137 ScopedPKCS8_PRIV_KEY_INFO p8_info(EVP_PKEY2PKCS8(pkey.get()));
138 if (!p8_info.get()) {
139 LOG(ERROR) << "Can't get PKCS#8 private key from EVP_PKEY: "
140 << GetOpenSSLErrorString();
141 return false;
142 }
143
144 // Then convert it
145 int len = i2d_PKCS8_PRIV_KEY_INFO(p8_info.get(), NULL);
146 unsigned char* p = OpenSSLWriteInto(pkcs8, static_cast<size_t>(len));
147 i2d_PKCS8_PRIV_KEY_INFO(p8_info.get(), &p);
148 return true;
149 }
150
151 bool ImportPrivateKeyFileAsPkcs8(const char* filename,
152 std::string* pkcs8) {
153 crypto::ScopedEVP_PKEY pkey(ImportPrivateKeyFile(filename));
154 if (!pkey.get())
155 return false;
156 return GetPrivateKeyPkcs8Bytes(pkey, pkcs8);
157 }
158
159 // Same as ImportPrivateKey, but for public ones.
160 EVP_PKEY* ImportPublicKeyFile(const char* filename) {
161 // Load file as PEM data.
162 base::FilePath certs_dir = GetTestCertsDirectory();
163 base::FilePath file_path = certs_dir.AppendASCII(filename);
164 base::ScopedFILE handle(base::OpenFile(file_path, "rb"));
165 if (!handle.get()) {
166 LOG(ERROR) << "Could not open public key file: " << filename;
167 return NULL;
168 }
169 EVP_PKEY* pkey = PEM_read_PUBKEY(handle.get(), NULL, NULL, NULL);
170 if (!pkey) {
171 LOG(ERROR) << "Could not load public key file: " << filename
172 << ", " << GetOpenSSLErrorString();
173 return NULL;
174 }
175 return pkey;
176 }
177
178 // Retrieve a JNI local ref from encoded PKCS#8 data.
179 ScopedJava GetPKCS8PrivateKeyJava(PrivateKeyType key_type,
180 const std::string& pkcs8_key) {
181 JNIEnv* env = InitEnv();
182 base::android::ScopedJavaLocalRef<jbyteArray> bytes(
183 base::android::ToJavaByteArray(
184 env,
185 reinterpret_cast<const uint8*>(pkcs8_key.data()),
186 pkcs8_key.size()));
187
188 ScopedJava key(
189 Java_AndroidKeyStoreTestUtil_createPrivateKeyFromPKCS8(
190 env, key_type, bytes.obj()));
191
192 return key;
193 }
194
195 const char kTestRsaKeyFile[] = "android-test-key-rsa.pem";
196
197 // The RSA test hash must be 36 bytes exactly.
198 const char kTestRsaHash[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
199
200 // Retrieve a JNI local ref for our test RSA key.
201 ScopedJava GetRSATestKeyJava() {
202 std::string key;
203 if (!ImportPrivateKeyFileAsPkcs8(kTestRsaKeyFile, &key))
204 return ScopedJava();
205 return GetPKCS8PrivateKeyJava(PRIVATE_KEY_TYPE_RSA, key);
206 }
207
208 const char kTestDsaKeyFile[] = "android-test-key-dsa.pem";
209 const char kTestDsaPublicKeyFile[] = "android-test-key-dsa-public.pem";
210
211 // The DSA test hash must be 20 bytes exactly.
212 const char kTestDsaHash[] = "0123456789ABCDEFGHIJ";
213
214 // Retrieve a JNI local ref for our test DSA key.
215 ScopedJava GetDSATestKeyJava() {
216 std::string key;
217 if (!ImportPrivateKeyFileAsPkcs8(kTestDsaKeyFile, &key))
218 return ScopedJava();
219 return GetPKCS8PrivateKeyJava(PRIVATE_KEY_TYPE_DSA, key);
220 }
221
222 // Call this function to verify that one message signed with our
223 // test DSA private key is correct. Since DSA signing introduces
224 // random elements in the signature, it is not possible to compare
225 // signature bits directly. However, one can use the public key
226 // to do the check.
227 bool VerifyTestDSASignature(const base::StringPiece& message,
228 const base::StringPiece& signature) {
229 crypto::ScopedEVP_PKEY pkey(ImportPublicKeyFile(kTestDsaPublicKeyFile));
230 if (!pkey.get())
231 return false;
232
233 crypto::ScopedDSA pub_key(EVP_PKEY_get1_DSA(pkey.get()));
234 if (!pub_key.get()) {
235 LOG(ERROR) << "Could not get DSA public key: "
236 << GetOpenSSLErrorString();
237 return false;
238 }
239
240 const unsigned char* digest =
241 reinterpret_cast<const unsigned char*>(message.data());
242 int digest_len = static_cast<int>(message.size());
243 const unsigned char* sigbuf =
244 reinterpret_cast<const unsigned char*>(signature.data());
245 int siglen = static_cast<int>(signature.size());
246
247 int ret = DSA_verify(
248 0, digest, digest_len, sigbuf, siglen, pub_key.get());
249 if (ret != 1) {
250 LOG(ERROR) << "DSA_verify() failed: " << GetOpenSSLErrorString();
251 return false;
252 }
253 return true;
254 }
255
256 const char kTestEcdsaKeyFile[] = "android-test-key-ecdsa.pem";
257 const char kTestEcdsaPublicKeyFile[] = "android-test-key-ecdsa-public.pem";
258
259 // The test hash for ECDSA keys must be 20 bytes exactly.
260 const char kTestEcdsaHash[] = "0123456789ABCDEFGHIJ";
261
262 // Retrieve a JNI local ref for our test ECDSA key.
263 ScopedJava GetECDSATestKeyJava() {
264 std::string key;
265 if (!ImportPrivateKeyFileAsPkcs8(kTestEcdsaKeyFile, &key))
266 return ScopedJava();
267 return GetPKCS8PrivateKeyJava(PRIVATE_KEY_TYPE_ECDSA, key);
268 }
269
270 // Call this function to verify that one message signed with our
271 // test DSA private key is correct. Since DSA signing introduces
272 // random elements in the signature, it is not possible to compare
273 // signature bits directly. However, one can use the public key
274 // to do the check.
275 bool VerifyTestECDSASignature(const base::StringPiece& message,
276 const base::StringPiece& signature) {
277 crypto::ScopedEVP_PKEY pkey(ImportPublicKeyFile(kTestEcdsaPublicKeyFile));
278 if (!pkey.get())
279 return false;
280 crypto::ScopedEC_KEY pub_key(EVP_PKEY_get1_EC_KEY(pkey.get()));
281 if (!pub_key.get()) {
282 LOG(ERROR) << "Could not get ECDSA public key: "
283 << GetOpenSSLErrorString();
284 return false;
285 }
286
287 const unsigned char* digest =
288 reinterpret_cast<const unsigned char*>(message.data());
289 int digest_len = static_cast<int>(message.size());
290 const unsigned char* sigbuf =
291 reinterpret_cast<const unsigned char*>(signature.data());
292 int siglen = static_cast<int>(signature.size());
293
294 int ret = ECDSA_verify(
295 0, digest, digest_len, sigbuf, siglen, pub_key.get());
296 if (ret != 1) {
297 LOG(ERROR) << "ECDSA_verify() failed: " << GetOpenSSLErrorString();
298 return false;
299 }
300 return true;
301 }
302
303 // Sign a message with OpenSSL, return the result as a string.
304 // |message| is the message to be signed.
305 // |openssl_key| is an OpenSSL EVP_PKEY to use.
306 // |result| receives the result.
307 // Returns true on success, false otherwise.
308 bool SignWithOpenSSL(const base::StringPiece& message,
309 EVP_PKEY* openssl_key,
310 std::string* result) {
311 const unsigned char* digest =
312 reinterpret_cast<const unsigned char*>(message.data());
313 unsigned int digest_len = static_cast<unsigned int>(message.size());
314 std::string signature;
315 size_t signature_size;
316 size_t max_signature_size;
317 int key_type = EVP_PKEY_id(openssl_key);
318 switch (key_type) {
319 case EVP_PKEY_RSA:
320 {
321 crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(openssl_key));
322 if (!rsa.get()) {
323 LOG(ERROR) << "Could not get RSA from EVP_PKEY: "
324 << GetOpenSSLErrorString();
325 return false;
326 }
327 // With RSA, the signature will always be RSA_size() bytes.
328 max_signature_size = static_cast<size_t>(RSA_size(rsa.get()));
329 unsigned char* p = OpenSSLWriteInto(&signature,
330 max_signature_size);
331 unsigned int p_len = 0;
332 int ret = RSA_sign(
333 NID_md5_sha1, digest, digest_len, p, &p_len, rsa.get());
334 if (ret != 1) {
335 LOG(ERROR) << "RSA_sign() failed: " << GetOpenSSLErrorString();
336 return false;
337 }
338 signature_size = static_cast<size_t>(p_len);
339 break;
340 }
341 case EVP_PKEY_DSA:
342 {
343 crypto::ScopedDSA dsa(EVP_PKEY_get1_DSA(openssl_key));
344 if (!dsa.get()) {
345 LOG(ERROR) << "Could not get DSA from EVP_PKEY: "
346 << GetOpenSSLErrorString();
347 return false;
348 }
349 // Note, the actual signature can be smaller than DSA_size()
350 max_signature_size = static_cast<size_t>(DSA_size(dsa.get()));
351 unsigned char* p = OpenSSLWriteInto(&signature,
352 max_signature_size);
353 unsigned int p_len = 0;
354 // Note: first parameter is ignored by function.
355 int ret = DSA_sign(0, digest, digest_len, p, &p_len, dsa.get());
356 if (ret != 1) {
357 LOG(ERROR) << "DSA_sign() failed: " << GetOpenSSLErrorString();
358 return false;
359 }
360 signature_size = static_cast<size_t>(p_len);
361 break;
362 }
363 case EVP_PKEY_EC:
364 {
365 crypto::ScopedEC_KEY ecdsa(EVP_PKEY_get1_EC_KEY(openssl_key));
366 if (!ecdsa.get()) {
367 LOG(ERROR) << "Could not get EC_KEY from EVP_PKEY: "
368 << GetOpenSSLErrorString();
369 return false;
370 }
371 // Note, the actual signature can be smaller than ECDSA_size()
372 max_signature_size = ECDSA_size(ecdsa.get());
373 unsigned char* p = OpenSSLWriteInto(&signature,
374 max_signature_size);
375 unsigned int p_len = 0;
376 // Note: first parameter is ignored by function.
377 int ret = ECDSA_sign(
378 0, digest, digest_len, p, &p_len, ecdsa.get());
379 if (ret != 1) {
380 LOG(ERROR) << "ECDSA_sign() fialed: " << GetOpenSSLErrorString();
381 return false;
382 }
383 signature_size = static_cast<size_t>(p_len);
384 break;
385 }
386 default:
387 LOG(WARNING) << "Invalid OpenSSL key type: " << key_type;
388 return false;
389 }
390
391 if (signature_size == 0) {
392 LOG(ERROR) << "Signature is empty!";
393 return false;
394 }
395 if (signature_size > max_signature_size) {
396 LOG(ERROR) << "Signature size mismatch, actual " << signature_size
397 << ", expected <= " << max_signature_size;
398 return false;
399 }
400 signature.resize(signature_size);
401 result->swap(signature);
402 return true;
403 }
404
405 // Check that a generated signature for a given message matches
406 // OpenSSL output byte-by-byte.
407 // |message| is the input message.
408 // |signature| is the generated signature for the message.
409 // |openssl_key| is a raw EVP_PKEY for the same private key than the
410 // one which was used to generate the signature.
411 // Returns true on success, false otherwise.
412 bool CompareSignatureWithOpenSSL(const base::StringPiece& message,
413 const base::StringPiece& signature,
414 EVP_PKEY* openssl_key) {
415 std::string openssl_signature;
416 SignWithOpenSSL(message, openssl_key, &openssl_signature);
417
418 if (signature.size() != openssl_signature.size()) {
419 LOG(ERROR) << "Signature size mismatch, actual "
420 << signature.size() << ", expected "
421 << openssl_signature.size();
422 return false;
423 }
424 for (size_t n = 0; n < signature.size(); ++n) {
425 if (openssl_signature[n] != signature[n]) {
426 LOG(ERROR) << "Signature byte mismatch at index " << n
427 << "actual " << signature[n] << ", expected "
428 << openssl_signature[n];
429 LOG(ERROR) << "Actual signature : "
430 << base::HexEncode(signature.data(), signature.size());
431 LOG(ERROR) << "Expected signature: "
432 << base::HexEncode(openssl_signature.data(),
433 openssl_signature.size());
434 return false;
435 }
436 }
437 return true;
438 }
439
440 // Sign a message with our platform API.
441 //
442 // |android_key| is a JNI reference to the platform PrivateKey object.
443 // |openssl_key| is a pointer to an OpenSSL key object for the exact
444 // same key content.
445 // |message| is a message.
446 // |result| will receive the result.
447 void DoKeySigning(jobject android_key,
448 EVP_PKEY* openssl_key,
449 const base::StringPiece& message,
450 std::string* result) {
451 // First, get the platform signature.
452 std::vector<uint8> android_signature;
453 ASSERT_TRUE(
454 RawSignDigestWithPrivateKey(android_key,
455 message,
456 &android_signature));
457
458 result->assign(
459 reinterpret_cast<const char*>(&android_signature[0]),
460 android_signature.size());
461 }
462
463 // Sign a message with our OpenSSL EVP_PKEY wrapper around platform
464 // APIS.
465 //
466 // |android_key| is a JNI reference to the platform PrivateKey object.
467 // |openssl_key| is a pointer to an OpenSSL key object for the exact
468 // same key content.
469 // |message| is a message.
470 // |result| will receive the result.
471 void DoKeySigningWithWrapper(EVP_PKEY* wrapper_key,
472 EVP_PKEY* openssl_key,
473 const base::StringPiece& message,
474 std::string* result) {
475 // First, get the platform signature.
476 std::string wrapper_signature;
477 SignWithOpenSSL(message, wrapper_key, &wrapper_signature);
478 ASSERT_NE(0U, wrapper_signature.size());
479
480 result->assign(
481 reinterpret_cast<const char*>(&wrapper_signature[0]),
482 wrapper_signature.size());
483 }
484
485 } // namespace
486
487 TEST(AndroidKeyStore,GetRSAKeyModulus) {
488 crypto::OpenSSLErrStackTracer err_trace(FROM_HERE);
489 InitEnv();
490
491 // Load the test RSA key.
492 crypto::ScopedEVP_PKEY pkey(ImportPrivateKeyFile(kTestRsaKeyFile));
493 ASSERT_TRUE(pkey.get());
494
495 // Convert it to encoded PKCS#8 bytes.
496 std::string pkcs8_data;
497 ASSERT_TRUE(GetPrivateKeyPkcs8Bytes(pkey, &pkcs8_data));
498
499 // Create platform PrivateKey object from it.
500 ScopedJava key_java = GetPKCS8PrivateKeyJava(PRIVATE_KEY_TYPE_RSA,
501 pkcs8_data);
502 ASSERT_FALSE(key_java.is_null());
503
504 // Retrieve the corresponding modulus through JNI
505 std::vector<uint8> modulus_java;
506 ASSERT_TRUE(GetRSAKeyModulus(key_java.obj(), &modulus_java));
507
508 // Create an OpenSSL BIGNUM from it.
509 crypto::ScopedBIGNUM bn(
510 BN_bin2bn(reinterpret_cast<const unsigned char*>(&modulus_java[0]),
511 static_cast<int>(modulus_java.size()),
512 NULL));
513 ASSERT_TRUE(bn.get());
514
515 // Compare it to the one in the RSA key, they must be identical.
516 crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey.get()));
517 ASSERT_TRUE(rsa.get()) << GetOpenSSLErrorString();
518
519 ASSERT_EQ(0, BN_cmp(bn.get(), rsa.get()->n));
520 }
521
522 TEST(AndroidKeyStore,GetDSAKeyParamQ) {
523 crypto::OpenSSLErrStackTracer err_trace(FROM_HERE);
524 InitEnv();
525
526 // Load the test DSA key.
527 crypto::ScopedEVP_PKEY pkey(ImportPrivateKeyFile(kTestDsaKeyFile));
528 ASSERT_TRUE(pkey.get());
529
530 // Convert it to encoded PKCS#8 bytes.
531 std::string pkcs8_data;
532 ASSERT_TRUE(GetPrivateKeyPkcs8Bytes(pkey, &pkcs8_data));
533
534 // Create platform PrivateKey object from it.
535 ScopedJava key_java = GetPKCS8PrivateKeyJava(PRIVATE_KEY_TYPE_DSA,
536 pkcs8_data);
537 ASSERT_FALSE(key_java.is_null());
538
539 // Retrieve the corresponding Q parameter through JNI
540 std::vector<uint8> q_java;
541 ASSERT_TRUE(GetDSAKeyParamQ(key_java.obj(), &q_java));
542
543 // Create an OpenSSL BIGNUM from it.
544 crypto::ScopedBIGNUM bn(
545 BN_bin2bn(reinterpret_cast<const unsigned char*>(&q_java[0]),
546 static_cast<int>(q_java.size()),
547 NULL));
548 ASSERT_TRUE(bn.get());
549
550 // Compare it to the one in the RSA key, they must be identical.
551 crypto::ScopedDSA dsa(EVP_PKEY_get1_DSA(pkey.get()));
552 ASSERT_TRUE(dsa.get()) << GetOpenSSLErrorString();
553
554 ASSERT_EQ(0, BN_cmp(bn.get(), dsa.get()->q));
555 }
556
557 TEST(AndroidKeyStore,GetPrivateKeyTypeRSA) {
558 crypto::OpenSSLErrStackTracer err_trace(FROM_HERE);
559
560 ScopedJava rsa_key = GetRSATestKeyJava();
561 ASSERT_FALSE(rsa_key.is_null());
562 EXPECT_EQ(PRIVATE_KEY_TYPE_RSA,
563 GetPrivateKeyType(rsa_key.obj()));
564 }
565
566 TEST(AndroidKeyStore,SignWithPrivateKeyRSA) {
567 ScopedJava rsa_key = GetRSATestKeyJava();
568 ASSERT_FALSE(rsa_key.is_null());
569
570 if (IsOnAndroidOlderThan_4_2()) {
571 LOG(INFO) << "This test can't run on Android < 4.2";
572 return;
573 }
574
575 crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestRsaKeyFile));
576 ASSERT_TRUE(openssl_key.get());
577
578 std::string message = kTestRsaHash;
579 ASSERT_EQ(36U, message.size());
580
581 std::string signature;
582 DoKeySigning(rsa_key.obj(), openssl_key.get(), message, &signature);
583 ASSERT_TRUE(
584 CompareSignatureWithOpenSSL(message, signature, openssl_key.get()));
585 // All good.
586 }
587
588 TEST(AndroidKeyStore,SignWithWrapperKeyRSA) {
589 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
590
591 ScopedJava rsa_key = GetRSATestKeyJava();
592 ASSERT_FALSE(rsa_key.is_null());
593
594 crypto::ScopedEVP_PKEY wrapper_key(
595 GetOpenSSLPrivateKeyWrapper(rsa_key.obj()));
596 ASSERT_TRUE(wrapper_key.get() != NULL);
597
598 crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestRsaKeyFile));
599 ASSERT_TRUE(openssl_key.get());
600
601 // Check that RSA_size() works properly on the wrapper key.
602 EXPECT_EQ(EVP_PKEY_size(openssl_key.get()),
603 EVP_PKEY_size(wrapper_key.get()));
604
605 // Message size must be 36 for RSA_sign(NID_md5_sha1,...) to return
606 // without an error.
607 std::string message = kTestRsaHash;
608 ASSERT_EQ(36U, message.size());
609
610 std::string signature;
611 DoKeySigningWithWrapper(wrapper_key.get(),
612 openssl_key.get(),
613 message,
614 &signature);
615 ASSERT_TRUE(
616 CompareSignatureWithOpenSSL(message, signature, openssl_key.get()));
617 }
618
619 TEST(AndroidKeyStore,GetPrivateKeyTypeDSA) {
620 crypto::OpenSSLErrStackTracer err_trace(FROM_HERE);
621
622 ScopedJava dsa_key = GetDSATestKeyJava();
623 ASSERT_FALSE(dsa_key.is_null());
624 EXPECT_EQ(PRIVATE_KEY_TYPE_DSA,
625 GetPrivateKeyType(dsa_key.obj()));
626 }
627
628 TEST(AndroidKeyStore,SignWithPrivateKeyDSA) {
629 ScopedJava dsa_key = GetDSATestKeyJava();
630 ASSERT_FALSE(dsa_key.is_null());
631
632 crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestDsaKeyFile));
633 ASSERT_TRUE(openssl_key.get());
634
635 std::string message = kTestDsaHash;
636 ASSERT_EQ(20U, message.size());
637
638 std::string signature;
639 DoKeySigning(dsa_key.obj(), openssl_key.get(), message, &signature);
640 ASSERT_TRUE(VerifyTestDSASignature(message, signature));
641 }
642
643 TEST(AndroidKeyStore,SignWithWrapperKeyDSA) {
644 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
645
646 ScopedJava dsa_key = GetDSATestKeyJava();
647 ASSERT_FALSE(dsa_key.is_null());
648
649 crypto::ScopedEVP_PKEY wrapper_key(
650 GetOpenSSLPrivateKeyWrapper(dsa_key.obj()));
651 ASSERT_TRUE(wrapper_key.get());
652
653 crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestDsaKeyFile));
654 ASSERT_TRUE(openssl_key.get());
655
656 // Check that DSA_size() works correctly on the wrapper.
657 EXPECT_EQ(EVP_PKEY_size(openssl_key.get()),
658 EVP_PKEY_size(wrapper_key.get()));
659
660 std::string message = kTestDsaHash;
661 std::string signature;
662 DoKeySigningWithWrapper(wrapper_key.get(),
663 openssl_key.get(),
664 message,
665 &signature);
666 ASSERT_TRUE(VerifyTestDSASignature(message, signature));
667 }
668
669 TEST(AndroidKeyStore,GetPrivateKeyTypeECDSA) {
670 crypto::OpenSSLErrStackTracer err_trace(FROM_HERE);
671
672 ScopedJava ecdsa_key = GetECDSATestKeyJava();
673 ASSERT_FALSE(ecdsa_key.is_null());
674 EXPECT_EQ(PRIVATE_KEY_TYPE_ECDSA,
675 GetPrivateKeyType(ecdsa_key.obj()));
676 }
677
678 TEST(AndroidKeyStore,SignWithPrivateKeyECDSA) {
679 ScopedJava ecdsa_key = GetECDSATestKeyJava();
680 ASSERT_FALSE(ecdsa_key.is_null());
681
682 crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestEcdsaKeyFile));
683 ASSERT_TRUE(openssl_key.get());
684
685 std::string message = kTestEcdsaHash;
686 std::string signature;
687 DoKeySigning(ecdsa_key.obj(), openssl_key.get(), message, &signature);
688 ASSERT_TRUE(VerifyTestECDSASignature(message, signature));
689 }
690
691 TEST(AndroidKeyStore, SignWithWrapperKeyECDSA) {
692 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
693
694 ScopedJava ecdsa_key = GetECDSATestKeyJava();
695 ASSERT_FALSE(ecdsa_key.is_null());
696
697 crypto::ScopedEVP_PKEY wrapper_key(
698 GetOpenSSLPrivateKeyWrapper(ecdsa_key.obj()));
699 ASSERT_TRUE(wrapper_key.get());
700
701 crypto::ScopedEVP_PKEY openssl_key(ImportPrivateKeyFile(kTestEcdsaKeyFile));
702 ASSERT_TRUE(openssl_key.get());
703
704 // Check that ECDSA size works correctly on the wrapper.
705 EXPECT_EQ(EVP_PKEY_size(openssl_key.get()),
706 EVP_PKEY_size(wrapper_key.get()));
707
708 std::string message = kTestEcdsaHash;
709 std::string signature;
710 DoKeySigningWithWrapper(wrapper_key.get(),
711 openssl_key.get(),
712 message,
713 &signature);
714 ASSERT_TRUE(VerifyTestECDSASignature(message, signature));
715 }
716
717 } // namespace android
718 } // namespace net