search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add details (where missing) for histograms and remove a few that are not worth provid...
[chromium-blink-merge.git] / net / socket / ssl_client_socket_openssl_unittest.cc
blob91c9a93aa7eb3c1af8b230436d79c002dd5df4b2
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/socket/ssl_client_socket.h"
6
7 #include <errno.h>
8 #include <string.h>
9
10 #include <openssl/bio.h>
11 #include <openssl/bn.h>
12 #include <openssl/evp.h>
13 #include <openssl/pem.h>
14 #include <openssl/rsa.h>
15
16 #include "base/file_util.h"
17 #include "base/files/file_path.h"
18 #include "base/memory/ref_counted.h"
19 #include "base/memory/scoped_handle.h"
20 #include "base/message_loop/message_loop_proxy.h"
21 #include "base/values.h"
22 #include "crypto/openssl_util.h"
23 #include "net/base/address_list.h"
24 #include "net/base/io_buffer.h"
25 #include "net/base/net_errors.h"
26 #include "net/base/net_log.h"
27 #include "net/base/net_log_unittest.h"
28 #include "net/base/test_completion_callback.h"
29 #include "net/base/test_data_directory.h"
30 #include "net/cert/mock_cert_verifier.h"
31 #include "net/cert/test_root_certs.h"
32 #include "net/dns/host_resolver.h"
33 #include "net/http/transport_security_state.h"
34 #include "net/socket/client_socket_factory.h"
35 #include "net/socket/client_socket_handle.h"
36 #include "net/socket/socket_test_util.h"
37 #include "net/socket/tcp_client_socket.h"
38 #include "net/ssl/default_server_bound_cert_store.h"
39 #include "net/ssl/openssl_client_key_store.h"
40 #include "net/ssl/server_bound_cert_service.h"
41 #include "net/ssl/ssl_cert_request_info.h"
42 #include "net/ssl/ssl_config_service.h"
43 #include "net/test/cert_test_util.h"
44 #include "net/test/spawned_test_server/spawned_test_server.h"
45 #include "testing/gtest/include/gtest/gtest.h"
46 #include "testing/platform_test.h"
47
48 namespace net {
49
50 namespace {
51
52 // These client auth tests are currently dependent on OpenSSL's struct X509.
53 #if defined(USE_OPENSSL_CERTS)
54 typedef OpenSSLClientKeyStore::ScopedEVP_PKEY ScopedEVP_PKEY;
55
56 // BIO_free is a macro, it can't be used as a template parameter.
57 void BIO_free_func(BIO* bio) {
58 BIO_free(bio);
59 }
60
61 typedef crypto::ScopedOpenSSL<BIO, BIO_free_func> ScopedBIO;
62 typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA;
63 typedef crypto::ScopedOpenSSL<BIGNUM, BN_free> ScopedBIGNUM;
64
65 const SSLConfig kDefaultSSLConfig;
66
67 // A ServerBoundCertStore that always returns an error when asked for a
68 // certificate.
69 class FailingServerBoundCertStore : public ServerBoundCertStore {
70 virtual int GetServerBoundCert(const std::string& server_identifier,
71 base::Time* expiration_time,
72 std::string* private_key_result,
73 std::string* cert_result,
74 const GetCertCallback& callback) OVERRIDE {
75 return ERR_UNEXPECTED;
76 }
77 virtual void SetServerBoundCert(const std::string& server_identifier,
78 base::Time creation_time,
79 base::Time expiration_time,
80 const std::string& private_key,
81 const std::string& cert) OVERRIDE {}
82 virtual void DeleteServerBoundCert(const std::string& server_identifier,
83 const base::Closure& completion_callback)
84 OVERRIDE {}
85 virtual void DeleteAllCreatedBetween(base::Time delete_begin,
86 base::Time delete_end,
87 const base::Closure& completion_callback)
88 OVERRIDE {}
89 virtual void DeleteAll(const base::Closure& completion_callback) OVERRIDE {}
90 virtual void GetAllServerBoundCerts(const GetCertListCallback& callback)
91 OVERRIDE {}
92 virtual int GetCertCount() OVERRIDE { return 0; }
93 virtual void SetForceKeepSessionState() OVERRIDE {}
94 };
95
96 // Loads a PEM-encoded private key file into a scoped EVP_PKEY object.
97 // |filepath| is the private key file path.
98 // |*pkey| is reset to the new EVP_PKEY on success, untouched otherwise.
99 // Returns true on success, false on failure.
100 bool LoadPrivateKeyOpenSSL(
101 const base::FilePath& filepath,
102 OpenSSLClientKeyStore::ScopedEVP_PKEY* pkey) {
103 std::string data;
104 if (!base::ReadFileToString(filepath, &data)) {
105 LOG(ERROR) << "Could not read private key file: "
106 << filepath.value() << ": " << strerror(errno);
107 return false;
108 }
109 ScopedBIO bio(
110 BIO_new_mem_buf(
111 const_cast<char*>(reinterpret_cast<const char*>(data.data())),
112 static_cast<int>(data.size())));
113 if (!bio.get()) {
114 LOG(ERROR) << "Could not allocate BIO for buffer?";
115 return false;
116 }
117 EVP_PKEY* result = PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL);
118 if (result == NULL) {
119 LOG(ERROR) << "Could not decode private key file: "
120 << filepath.value();
121 return false;
122 }
123 pkey->reset(result);
124 return true;
125 }
126
127 class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest {
128 public:
129 SSLClientSocketOpenSSLClientAuthTest()
130 : socket_factory_(net::ClientSocketFactory::GetDefaultFactory()),
131 cert_verifier_(new net::MockCertVerifier),
132 transport_security_state_(new net::TransportSecurityState) {
133 cert_verifier_->set_default_result(net::OK);
134 context_.cert_verifier = cert_verifier_.get();
135 context_.transport_security_state = transport_security_state_.get();
136 key_store_ = net::OpenSSLClientKeyStore::GetInstance();
137 }
138
139 virtual ~SSLClientSocketOpenSSLClientAuthTest() {
140 key_store_->Flush();
141 }
142
143 protected:
144 void EnabledChannelID() {
145 cert_service_.reset(
146 new ServerBoundCertService(new DefaultServerBoundCertStore(NULL),
147 base::MessageLoopProxy::current()));
148 context_.server_bound_cert_service = cert_service_.get();
149 }
150
151 void EnabledFailingChannelID() {
152 cert_service_.reset(
153 new ServerBoundCertService(new FailingServerBoundCertStore(),
154 base::MessageLoopProxy::current()));
155 context_.server_bound_cert_service = cert_service_.get();
156 }
157
158 scoped_ptr<SSLClientSocket> CreateSSLClientSocket(
159 scoped_ptr<StreamSocket> transport_socket,
160 const HostPortPair& host_and_port,
161 const SSLConfig& ssl_config) {
162 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle);
163 connection->SetSocket(transport_socket.Pass());
164 return socket_factory_->CreateSSLClientSocket(connection.Pass(),
165 host_and_port,
166 ssl_config,
167 context_);
168 }
169
170 // Connect to a HTTPS test server.
171 bool ConnectToTestServer(SpawnedTestServer::SSLOptions& ssl_options) {
172 test_server_.reset(new SpawnedTestServer(SpawnedTestServer::TYPE_HTTPS,
173 ssl_options,
174 base::FilePath()));
175 if (!test_server_->Start()) {
176 LOG(ERROR) << "Could not start SpawnedTestServer";
177 return false;
178 }
179
180 if (!test_server_->GetAddressList(&addr_)) {
181 LOG(ERROR) << "Could not get SpawnedTestServer address list";
182 return false;
183 }
184
185 transport_.reset(new TCPClientSocket(
186 addr_, &log_, NetLog::Source()));
187 int rv = callback_.GetResult(
188 transport_->Connect(callback_.callback()));
189 if (rv != OK) {
190 LOG(ERROR) << "Could not connect to SpawnedTestServer";
191 return false;
192 }
193 return true;
194 }
195
196 // Record a certificate's private key to ensure it can be used
197 // by the OpenSSL-based SSLClientSocket implementation.
198 // |ssl_config| provides a client certificate.
199 // |private_key| must be an EVP_PKEY for the corresponding private key.
200 // Returns true on success, false on failure.
201 bool RecordPrivateKey(SSLConfig& ssl_config,
202 EVP_PKEY* private_key) {
203 return key_store_->RecordClientCertPrivateKey(
204 ssl_config.client_cert.get(), private_key);
205 }
206
207 // Create an SSLClientSocket object and use it to connect to a test
208 // server, then wait for connection results. This must be called after
209 // a succesful ConnectToTestServer() call.
210 // |ssl_config| the SSL configuration to use.
211 // |result| will retrieve the ::Connect() result value.
212 // Returns true on succes, false otherwise. Success means that the socket
213 // could be created and its Connect() was called, not that the connection
214 // itself was a success.
215 bool CreateAndConnectSSLClientSocket(SSLConfig& ssl_config,
216 int* result) {
217 sock_ = CreateSSLClientSocket(transport_.Pass(),
218 test_server_->host_port_pair(),
219 ssl_config);
220
221 if (sock_->IsConnected()) {
222 LOG(ERROR) << "SSL Socket prematurely connected";
223 return false;
224 }
225
226 *result = callback_.GetResult(sock_->Connect(callback_.callback()));
227 return true;
228 }
229
230
231 // Check that the client certificate was sent.
232 // Returns true on success.
233 bool CheckSSLClientSocketSentCert() {
234 SSLInfo ssl_info;
235 sock_->GetSSLInfo(&ssl_info);
236 return ssl_info.client_cert_sent;
237 }
238
239 scoped_ptr<ServerBoundCertService> cert_service_;
240 ClientSocketFactory* socket_factory_;
241 scoped_ptr<MockCertVerifier> cert_verifier_;
242 scoped_ptr<TransportSecurityState> transport_security_state_;
243 SSLClientSocketContext context_;
244 OpenSSLClientKeyStore* key_store_;
245 scoped_ptr<SpawnedTestServer> test_server_;
246 AddressList addr_;
247 TestCompletionCallback callback_;
248 CapturingNetLog log_;
249 scoped_ptr<StreamSocket> transport_;
250 scoped_ptr<SSLClientSocket> sock_;
251 };
252
253 // Connect to a server requesting client authentication, do not send
254 // any client certificates. It should refuse the connection.
255 TEST_F(SSLClientSocketOpenSSLClientAuthTest, NoCert) {
256 SpawnedTestServer::SSLOptions ssl_options;
257 ssl_options.request_client_certificate = true;
258
259 ASSERT_TRUE(ConnectToTestServer(ssl_options));
260
261 base::FilePath certs_dir = GetTestCertsDirectory();
262 SSLConfig ssl_config = kDefaultSSLConfig;
263
264 int rv;
265 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
266
267 EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED, rv);
268 EXPECT_FALSE(sock_->IsConnected());
269 }
270
271 // Connect to a server requesting client authentication, and send it
272 // an empty certificate. It should refuse the connection.
273 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendEmptyCert) {
274 SpawnedTestServer::SSLOptions ssl_options;
275 ssl_options.request_client_certificate = true;
276 ssl_options.client_authorities.push_back(
277 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem"));
278
279 ASSERT_TRUE(ConnectToTestServer(ssl_options));
280
281 base::FilePath certs_dir = GetTestCertsDirectory();
282 SSLConfig ssl_config = kDefaultSSLConfig;
283 ssl_config.send_client_cert = true;
284 ssl_config.client_cert = NULL;
285
286 int rv;
287 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
288
289 EXPECT_EQ(OK, rv);
290 EXPECT_TRUE(sock_->IsConnected());
291 }
292
293 // Connect to a server requesting client authentication. Send it a
294 // matching certificate. It should allow the connection.
295 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendGoodCert) {
296 SpawnedTestServer::SSLOptions ssl_options;
297 ssl_options.request_client_certificate = true;
298 ssl_options.client_authorities.push_back(
299 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem"));
300
301 ASSERT_TRUE(ConnectToTestServer(ssl_options));
302
303 base::FilePath certs_dir = GetTestCertsDirectory();
304 SSLConfig ssl_config = kDefaultSSLConfig;
305 ssl_config.send_client_cert = true;
306 ssl_config.client_cert = ImportCertFromFile(certs_dir, "client_1.pem");
307
308 // This is required to ensure that signing works with the client
309 // certificate's private key.
310 OpenSSLClientKeyStore::ScopedEVP_PKEY client_private_key;
311 ASSERT_TRUE(LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key"),
312 &client_private_key));
313 EXPECT_TRUE(RecordPrivateKey(ssl_config, client_private_key.get()));
314
315 int rv;
316 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
317
318 EXPECT_EQ(OK, rv);
319 EXPECT_TRUE(sock_->IsConnected());
320
321 EXPECT_TRUE(CheckSSLClientSocketSentCert());
322
323 sock_->Disconnect();
324 EXPECT_FALSE(sock_->IsConnected());
325 }
326
327 // Connect to a server using channel id. It should allow the connection.
328 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendChannelID) {
329 SpawnedTestServer::SSLOptions ssl_options;
330
331 ASSERT_TRUE(ConnectToTestServer(ssl_options));
332
333 EnabledChannelID();
334 SSLConfig ssl_config = kDefaultSSLConfig;
335 ssl_config.channel_id_enabled = true;
336
337 int rv;
338 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
339
340 EXPECT_EQ(OK, rv);
341 EXPECT_TRUE(sock_->IsConnected());
342 EXPECT_TRUE(sock_->WasChannelIDSent());
343
344 sock_->Disconnect();
345 EXPECT_FALSE(sock_->IsConnected());
346 }
347
348 // Connect to a server using channel id but without sending a key. It should
349 // fail.
350 TEST_F(SSLClientSocketOpenSSLClientAuthTest, FailingChannelID) {
351 SpawnedTestServer::SSLOptions ssl_options;
352
353 ASSERT_TRUE(ConnectToTestServer(ssl_options));
354
355 EnabledFailingChannelID();
356 SSLConfig ssl_config = kDefaultSSLConfig;
357 ssl_config.channel_id_enabled = true;
358
359 int rv;
360 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
361
362 EXPECT_EQ(ERR_UNEXPECTED, rv);
363 EXPECT_FALSE(sock_->IsConnected());
364 }
365 #endif // defined(USE_OPENSSL_CERTS)
366
367 } // namespace
368 } // namespace net