1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/socket/ssl_client_socket.h"
10 #include <openssl/bio.h>
11 #include <openssl/bn.h>
12 #include <openssl/evp.h>
13 #include <openssl/pem.h>
14 #include <openssl/rsa.h>
16 #include "base/file_util.h"
17 #include "base/files/file_path.h"
18 #include "base/memory/ref_counted.h"
19 #include "base/message_loop/message_loop_proxy.h"
20 #include "base/values.h"
21 #include "crypto/openssl_util.h"
22 #include "net/base/address_list.h"
23 #include "net/base/io_buffer.h"
24 #include "net/base/net_errors.h"
25 #include "net/base/net_log.h"
26 #include "net/base/net_log_unittest.h"
27 #include "net/base/test_completion_callback.h"
28 #include "net/base/test_data_directory.h"
29 #include "net/cert/mock_cert_verifier.h"
30 #include "net/cert/test_root_certs.h"
31 #include "net/dns/host_resolver.h"
32 #include "net/http/transport_security_state.h"
33 #include "net/socket/client_socket_factory.h"
34 #include "net/socket/client_socket_handle.h"
35 #include "net/socket/socket_test_util.h"
36 #include "net/socket/tcp_client_socket.h"
37 #include "net/ssl/openssl_client_key_store.h"
38 #include "net/ssl/ssl_cert_request_info.h"
39 #include "net/ssl/ssl_config_service.h"
40 #include "net/test/cert_test_util.h"
41 #include "net/test/spawned_test_server/spawned_test_server.h"
42 #include "testing/gtest/include/gtest/gtest.h"
43 #include "testing/platform_test.h"
49 // These client auth tests are currently dependent on OpenSSL's struct X509.
50 #if defined(USE_OPENSSL_CERTS)
51 typedef OpenSSLClientKeyStore::ScopedEVP_PKEY ScopedEVP_PKEY;
53 // BIO_free is a macro, it can't be used as a template parameter.
54 void BIO_free_func(BIO* bio) {
58 typedef crypto::ScopedOpenSSL<BIO, BIO_free_func> ScopedBIO;
59 typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA;
60 typedef crypto::ScopedOpenSSL<BIGNUM, BN_free> ScopedBIGNUM;
62 const SSLConfig kDefaultSSLConfig;
64 // Loads a PEM-encoded private key file into a scoped EVP_PKEY object.
65 // |filepath| is the private key file path.
66 // |*pkey| is reset to the new EVP_PKEY on success, untouched otherwise.
67 // Returns true on success, false on failure.
68 bool LoadPrivateKeyOpenSSL(
69 const base::FilePath& filepath,
70 OpenSSLClientKeyStore::ScopedEVP_PKEY* pkey) {
72 if (!base::ReadFileToString(filepath, &data)) {
73 LOG(ERROR) << "Could not read private key file: "
74 << filepath.value() << ": " << strerror(errno);
79 const_cast<char*>(reinterpret_cast<const char*>(data.data())),
80 static_cast<int>(data.size())));
82 LOG(ERROR) << "Could not allocate BIO for buffer?";
85 EVP_PKEY* result = PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL);
87 LOG(ERROR) << "Could not decode private key file: "
95 class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest {
97 SSLClientSocketOpenSSLClientAuthTest()
98 : socket_factory_(net::ClientSocketFactory::GetDefaultFactory()),
99 cert_verifier_(new net::MockCertVerifier),
100 transport_security_state_(new net::TransportSecurityState) {
101 cert_verifier_->set_default_result(net::OK);
102 context_.cert_verifier = cert_verifier_.get();
103 context_.transport_security_state = transport_security_state_.get();
104 key_store_ = net::OpenSSLClientKeyStore::GetInstance();
107 virtual ~SSLClientSocketOpenSSLClientAuthTest() {
112 scoped_ptr<SSLClientSocket> CreateSSLClientSocket(
113 scoped_ptr<StreamSocket> transport_socket,
114 const HostPortPair& host_and_port,
115 const SSLConfig& ssl_config) {
116 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle);
117 connection->SetSocket(transport_socket.Pass());
118 return socket_factory_->CreateSSLClientSocket(connection.Pass(),
124 // Connect to a HTTPS test server.
125 bool ConnectToTestServer(SpawnedTestServer::SSLOptions& ssl_options) {
126 test_server_.reset(new SpawnedTestServer(SpawnedTestServer::TYPE_HTTPS,
129 if (!test_server_->Start()) {
130 LOG(ERROR) << "Could not start SpawnedTestServer";
134 if (!test_server_->GetAddressList(&addr_)) {
135 LOG(ERROR) << "Could not get SpawnedTestServer address list";
139 transport_.reset(new TCPClientSocket(
140 addr_, &log_, NetLog::Source()));
141 int rv = callback_.GetResult(
142 transport_->Connect(callback_.callback()));
144 LOG(ERROR) << "Could not connect to SpawnedTestServer";
150 // Record a certificate's private key to ensure it can be used
151 // by the OpenSSL-based SSLClientSocket implementation.
152 // |ssl_config| provides a client certificate.
153 // |private_key| must be an EVP_PKEY for the corresponding private key.
154 // Returns true on success, false on failure.
155 bool RecordPrivateKey(SSLConfig& ssl_config,
156 EVP_PKEY* private_key) {
157 return key_store_->RecordClientCertPrivateKey(
158 ssl_config.client_cert.get(), private_key);
161 // Create an SSLClientSocket object and use it to connect to a test
162 // server, then wait for connection results. This must be called after
163 // a succesful ConnectToTestServer() call.
164 // |ssl_config| the SSL configuration to use.
165 // |result| will retrieve the ::Connect() result value.
166 // Returns true on succes, false otherwise. Success means that the socket
167 // could be created and its Connect() was called, not that the connection
168 // itself was a success.
169 bool CreateAndConnectSSLClientSocket(SSLConfig& ssl_config,
171 sock_ = CreateSSLClientSocket(transport_.Pass(),
172 test_server_->host_port_pair(),
175 if (sock_->IsConnected()) {
176 LOG(ERROR) << "SSL Socket prematurely connected";
180 *result = callback_.GetResult(sock_->Connect(callback_.callback()));
185 // Check that the client certificate was sent.
186 // Returns true on success.
187 bool CheckSSLClientSocketSentCert() {
189 sock_->GetSSLInfo(&ssl_info);
190 return ssl_info.client_cert_sent;
193 ClientSocketFactory* socket_factory_;
194 scoped_ptr<MockCertVerifier> cert_verifier_;
195 scoped_ptr<TransportSecurityState> transport_security_state_;
196 SSLClientSocketContext context_;
197 OpenSSLClientKeyStore* key_store_;
198 scoped_ptr<SpawnedTestServer> test_server_;
200 TestCompletionCallback callback_;
201 CapturingNetLog log_;
202 scoped_ptr<StreamSocket> transport_;
203 scoped_ptr<SSLClientSocket> sock_;
206 // Connect to a server requesting client authentication, do not send
207 // any client certificates. It should refuse the connection.
208 TEST_F(SSLClientSocketOpenSSLClientAuthTest, NoCert) {
209 SpawnedTestServer::SSLOptions ssl_options;
210 ssl_options.request_client_certificate = true;
212 ASSERT_TRUE(ConnectToTestServer(ssl_options));
214 base::FilePath certs_dir = GetTestCertsDirectory();
215 SSLConfig ssl_config = kDefaultSSLConfig;
218 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
220 EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED, rv);
221 EXPECT_FALSE(sock_->IsConnected());
224 // Connect to a server requesting client authentication, and send it
225 // an empty certificate. It should refuse the connection.
226 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendEmptyCert) {
227 SpawnedTestServer::SSLOptions ssl_options;
228 ssl_options.request_client_certificate = true;
229 ssl_options.client_authorities.push_back(
230 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem"));
232 ASSERT_TRUE(ConnectToTestServer(ssl_options));
234 base::FilePath certs_dir = GetTestCertsDirectory();
235 SSLConfig ssl_config = kDefaultSSLConfig;
236 ssl_config.send_client_cert = true;
237 ssl_config.client_cert = NULL;
240 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
243 EXPECT_TRUE(sock_->IsConnected());
246 // Connect to a server requesting client authentication. Send it a
247 // matching certificate. It should allow the connection.
248 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendGoodCert) {
249 SpawnedTestServer::SSLOptions ssl_options;
250 ssl_options.request_client_certificate = true;
251 ssl_options.client_authorities.push_back(
252 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem"));
254 ASSERT_TRUE(ConnectToTestServer(ssl_options));
256 base::FilePath certs_dir = GetTestCertsDirectory();
257 SSLConfig ssl_config = kDefaultSSLConfig;
258 ssl_config.send_client_cert = true;
259 ssl_config.client_cert = ImportCertFromFile(certs_dir, "client_1.pem");
261 // This is required to ensure that signing works with the client
262 // certificate's private key.
263 OpenSSLClientKeyStore::ScopedEVP_PKEY client_private_key;
264 ASSERT_TRUE(LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key"),
265 &client_private_key));
266 EXPECT_TRUE(RecordPrivateKey(ssl_config, client_private_key.get()));
269 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
272 EXPECT_TRUE(sock_->IsConnected());
274 EXPECT_TRUE(CheckSSLClientSocketSentCert());
277 EXPECT_FALSE(sock_->IsConnected());
279 #endif // defined(USE_OPENSSL_CERTS)