1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/socket/ssl_client_socket.h"
6
7 #include <errno.h>
8 #include <string.h>
9
10 #include <openssl/bio.h>
11 #include <openssl/bn.h>
12 #include <openssl/evp.h>
13 #include <openssl/pem.h>
14 #include <openssl/rsa.h>
15
16 #include "base/files/file_path.h"
17 #include "base/files/file_util.h"
18 #include "base/memory/ref_counted.h"
19 #include "base/message_loop/message_loop_proxy.h"
20 #include "base/values.h"
21 #include "crypto/openssl_util.h"
22 #include "crypto/scoped_openssl_types.h"
23 #include "net/base/address_list.h"
24 #include "net/base/io_buffer.h"
25 #include "net/base/net_errors.h"
26 #include "net/base/net_log.h"
27 #include "net/base/net_log_unittest.h"
28 #include "net/base/test_completion_callback.h"
29 #include "net/base/test_data_directory.h"
30 #include "net/cert/mock_cert_verifier.h"
31 #include "net/cert/test_root_certs.h"
32 #include "net/dns/host_resolver.h"
33 #include "net/http/transport_security_state.h"
34 #include "net/socket/client_socket_factory.h"
35 #include "net/socket/client_socket_handle.h"
36 #include "net/socket/socket_test_util.h"
37 #include "net/socket/tcp_client_socket.h"
38 #include "net/ssl/openssl_client_key_store.h"
39 #include "net/ssl/ssl_cert_request_info.h"
40 #include "net/ssl/ssl_config_service.h"
41 #include "net/test/cert_test_util.h"
42 #include "net/test/spawned_test_server/spawned_test_server.h"
43 #include "testing/gtest/include/gtest/gtest.h"
44 #include "testing/platform_test.h"
45
46 namespace net {
47
48 namespace {
49
50 // These client auth tests are currently dependent on OpenSSL's struct X509.
51 #if defined(USE_OPENSSL_CERTS)
52
53 const SSLConfig kDefaultSSLConfig;
54
55 // Loads a PEM-encoded private key file into a scoped EVP_PKEY object.
56 // |filepath| is the private key file path.
57 // |*pkey| is reset to the new EVP_PKEY on success, untouched otherwise.
58 // Returns true on success, false on failure.
LoadPrivateKeyOpenSSL(const base::FilePath & filepath,crypto::ScopedEVP_PKEY * pkey)59 bool LoadPrivateKeyOpenSSL(
60 const base::FilePath& filepath,
61 crypto::ScopedEVP_PKEY* pkey) {
62 std::string data;
63 if (!base::ReadFileToString(filepath, &data)) {
64 LOG(ERROR) << "Could not read private key file: "
65 << filepath.value() << ": " << strerror(errno);
66 return false;
67 }
68 crypto::ScopedBIO bio(BIO_new_mem_buf(
69 const_cast<char*>(reinterpret_cast<const char*>(data.data())),
70 static_cast<int>(data.size())));
71 if (!bio.get()) {
72 LOG(ERROR) << "Could not allocate BIO for buffer?";
73 return false;
74 }
75 EVP_PKEY* result = PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL);
76 if (result == NULL) {
77 LOG(ERROR) << "Could not decode private key file: "
78 << filepath.value();
79 return false;
80 }
81 pkey->reset(result);
82 return true;
83 }
84
85 class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest {
86 public:
SSLClientSocketOpenSSLClientAuthTest()87 SSLClientSocketOpenSSLClientAuthTest()
88 : socket_factory_(ClientSocketFactory::GetDefaultFactory()),
89 cert_verifier_(new MockCertVerifier),
90 transport_security_state_(new TransportSecurityState) {
91 cert_verifier_->set_default_result(OK);
92 context_.cert_verifier = cert_verifier_.get();
93 context_.transport_security_state = transport_security_state_.get();
94 key_store_ = OpenSSLClientKeyStore::GetInstance();
95 }
96
~SSLClientSocketOpenSSLClientAuthTest()97 virtual ~SSLClientSocketOpenSSLClientAuthTest() {
98 key_store_->Flush();
99 }
100
101 protected:
CreateSSLClientSocket(scoped_ptr<StreamSocket> transport_socket,const HostPortPair & host_and_port,const SSLConfig & ssl_config)102 scoped_ptr<SSLClientSocket> CreateSSLClientSocket(
103 scoped_ptr<StreamSocket> transport_socket,
104 const HostPortPair& host_and_port,
105 const SSLConfig& ssl_config) {
106 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle);
107 connection->SetSocket(transport_socket.Pass());
108 return socket_factory_->CreateSSLClientSocket(connection.Pass(),
109 host_and_port,
110 ssl_config,
111 context_);
112 }
113
114 // Connect to a HTTPS test server.
ConnectToTestServer(SpawnedTestServer::SSLOptions & ssl_options)115 bool ConnectToTestServer(SpawnedTestServer::SSLOptions& ssl_options) {
116 test_server_.reset(new SpawnedTestServer(SpawnedTestServer::TYPE_HTTPS,
117 ssl_options,
118 base::FilePath()));
119 if (!test_server_->Start()) {
120 LOG(ERROR) << "Could not start SpawnedTestServer";
121 return false;
122 }
123
124 if (!test_server_->GetAddressList(&addr_)) {
125 LOG(ERROR) << "Could not get SpawnedTestServer address list";
126 return false;
127 }
128
129 transport_.reset(new TCPClientSocket(
130 addr_, &log_, NetLog::Source()));
131 int rv = callback_.GetResult(
132 transport_->Connect(callback_.callback()));
133 if (rv != OK) {
134 LOG(ERROR) << "Could not connect to SpawnedTestServer";
135 return false;
136 }
137 return true;
138 }
139
140 // Record a certificate's private key to ensure it can be used
141 // by the OpenSSL-based SSLClientSocket implementation.
142 // |ssl_config| provides a client certificate.
143 // |private_key| must be an EVP_PKEY for the corresponding private key.
144 // Returns true on success, false on failure.
RecordPrivateKey(SSLConfig & ssl_config,EVP_PKEY * private_key)145 bool RecordPrivateKey(SSLConfig& ssl_config,
146 EVP_PKEY* private_key) {
147 return key_store_->RecordClientCertPrivateKey(
148 ssl_config.client_cert.get(), private_key);
149 }
150
151 // Create an SSLClientSocket object and use it to connect to a test
152 // server, then wait for connection results. This must be called after
153 // a succesful ConnectToTestServer() call.
154 // |ssl_config| the SSL configuration to use.
155 // |result| will retrieve the ::Connect() result value.
156 // Returns true on succes, false otherwise. Success means that the socket
157 // could be created and its Connect() was called, not that the connection
158 // itself was a success.
CreateAndConnectSSLClientSocket(SSLConfig & ssl_config,int * result)159 bool CreateAndConnectSSLClientSocket(SSLConfig& ssl_config,
160 int* result) {
161 sock_ = CreateSSLClientSocket(transport_.Pass(),
162 test_server_->host_port_pair(),
163 ssl_config);
164
165 if (sock_->IsConnected()) {
166 LOG(ERROR) << "SSL Socket prematurely connected";
167 return false;
168 }
169
170 *result = callback_.GetResult(sock_->Connect(callback_.callback()));
171 return true;
172 }
173
174
175 // Check that the client certificate was sent.
176 // Returns true on success.
CheckSSLClientSocketSentCert()177 bool CheckSSLClientSocketSentCert() {
178 SSLInfo ssl_info;
179 sock_->GetSSLInfo(&ssl_info);
180 return ssl_info.client_cert_sent;
181 }
182
183 ClientSocketFactory* socket_factory_;
184 scoped_ptr<MockCertVerifier> cert_verifier_;
185 scoped_ptr<TransportSecurityState> transport_security_state_;
186 SSLClientSocketContext context_;
187 OpenSSLClientKeyStore* key_store_;
188 scoped_ptr<SpawnedTestServer> test_server_;
189 AddressList addr_;
190 TestCompletionCallback callback_;
191 CapturingNetLog log_;
192 scoped_ptr<StreamSocket> transport_;
193 scoped_ptr<SSLClientSocket> sock_;
194 };
195
196 // Connect to a server requesting client authentication, do not send
197 // any client certificates. It should refuse the connection.
TEST_F(SSLClientSocketOpenSSLClientAuthTest,NoCert)198 TEST_F(SSLClientSocketOpenSSLClientAuthTest, NoCert) {
199 SpawnedTestServer::SSLOptions ssl_options;
200 ssl_options.request_client_certificate = true;
201
202 ASSERT_TRUE(ConnectToTestServer(ssl_options));
203
204 base::FilePath certs_dir = GetTestCertsDirectory();
205 SSLConfig ssl_config = kDefaultSSLConfig;
206
207 int rv;
208 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
209
210 EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED, rv);
211 EXPECT_FALSE(sock_->IsConnected());
212 }
213
214 // Connect to a server requesting client authentication, and send it
215 // an empty certificate. It should refuse the connection.
TEST_F(SSLClientSocketOpenSSLClientAuthTest,SendEmptyCert)216 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendEmptyCert) {
217 SpawnedTestServer::SSLOptions ssl_options;
218 ssl_options.request_client_certificate = true;
219 ssl_options.client_authorities.push_back(
220 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem"));
221
222 ASSERT_TRUE(ConnectToTestServer(ssl_options));
223
224 base::FilePath certs_dir = GetTestCertsDirectory();
225 SSLConfig ssl_config = kDefaultSSLConfig;
226 ssl_config.send_client_cert = true;
227 ssl_config.client_cert = NULL;
228
229 int rv;
230 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
231
232 EXPECT_EQ(OK, rv);
233 EXPECT_TRUE(sock_->IsConnected());
234 }
235
236 // Connect to a server requesting client authentication. Send it a
237 // matching certificate. It should allow the connection.
TEST_F(SSLClientSocketOpenSSLClientAuthTest,SendGoodCert)238 TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendGoodCert) {
239 SpawnedTestServer::SSLOptions ssl_options;
240 ssl_options.request_client_certificate = true;
241 ssl_options.client_authorities.push_back(
242 GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem"));
243
244 ASSERT_TRUE(ConnectToTestServer(ssl_options));
245
246 base::FilePath certs_dir = GetTestCertsDirectory();
247 SSLConfig ssl_config = kDefaultSSLConfig;
248 ssl_config.send_client_cert = true;
249 ssl_config.client_cert = ImportCertFromFile(certs_dir, "client_1.pem");
250
251 // This is required to ensure that signing works with the client
252 // certificate's private key.
253 crypto::ScopedEVP_PKEY client_private_key;
254 ASSERT_TRUE(LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key"),
255 &client_private_key));
256 EXPECT_TRUE(RecordPrivateKey(ssl_config, client_private_key.get()));
257
258 int rv;
259 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
260
261 EXPECT_EQ(OK, rv);
262 EXPECT_TRUE(sock_->IsConnected());
263
264 EXPECT_TRUE(CheckSSLClientSocketSentCert());
265
266 sock_->Disconnect();
267 EXPECT_FALSE(sock_->IsConnected());
268 }
269 #endif // defined(USE_OPENSSL_CERTS)
270
271 } // namespace
272 } // namespace net
273