• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "net/ssl/openssl_client_key_store.h"
6 
7 #include "base/memory/ref_counted.h"
8 #include "crypto/scoped_openssl_types.h"
9 #include "net/base/test_data_directory.h"
10 #include "net/test/cert_test_util.h"
11 #include "testing/gtest/include/gtest/gtest.h"
12 
13 namespace net {
14 
15 namespace {
16 
17 // Return the internal reference count of a given EVP_PKEY.
EVP_PKEY_get_refcount(EVP_PKEY * pkey)18 int EVP_PKEY_get_refcount(EVP_PKEY* pkey) {
19   return pkey->references;
20 }
21 
22 // A common test class to ensure that the store is flushed after
23 // each test.
24 class OpenSSLClientKeyStoreTest : public ::testing::Test {
25  public:
OpenSSLClientKeyStoreTest()26   OpenSSLClientKeyStoreTest()
27     : store_(OpenSSLClientKeyStore::GetInstance()) {
28   }
29 
~OpenSSLClientKeyStoreTest()30   virtual ~OpenSSLClientKeyStoreTest() {
31     if (store_)
32       store_->Flush();
33   }
34 
35  protected:
36   OpenSSLClientKeyStore* store_;
37 };
38 
39 // Check that GetInstance() returns non-null
TEST_F(OpenSSLClientKeyStoreTest,GetInstance)40 TEST_F(OpenSSLClientKeyStoreTest, GetInstance) {
41   ASSERT_TRUE(store_);
42 }
43 
44 // Check that Flush() works correctly.
TEST_F(OpenSSLClientKeyStoreTest,Flush)45 TEST_F(OpenSSLClientKeyStoreTest, Flush) {
46   ASSERT_TRUE(store_);
47 
48   scoped_refptr<X509Certificate> cert_1(
49       ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));
50   ASSERT_TRUE(cert_1.get());
51 
52   crypto::ScopedEVP_PKEY priv_key(EVP_PKEY_new());
53   ASSERT_TRUE(priv_key.get());
54 
55   ASSERT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(),
56                                                  priv_key.get()));
57 
58   store_->Flush();
59 
60   // Retrieve the private key. This should fail because the store
61   // was flushed.
62   crypto::ScopedEVP_PKEY pkey = store_->FetchClientCertPrivateKey(cert_1.get());
63   ASSERT_FALSE(pkey.get());
64 }
65 
66 // Check that trying to retrieve the private key of an unknown certificate
67 // simply fails by returning null.
TEST_F(OpenSSLClientKeyStoreTest,FetchEmptyPrivateKey)68 TEST_F(OpenSSLClientKeyStoreTest, FetchEmptyPrivateKey) {
69   ASSERT_TRUE(store_);
70 
71   scoped_refptr<X509Certificate> cert_1(
72       ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));
73   ASSERT_TRUE(cert_1.get());
74 
75   // Retrieve the private key now. This should fail because it was
76   // never recorded in the store.
77   crypto::ScopedEVP_PKEY pkey = store_->FetchClientCertPrivateKey(cert_1.get());
78   ASSERT_FALSE(pkey.get());
79 }
80 
81 // Check that any private key recorded through RecordClientCertPrivateKey
82 // can be retrieved with FetchClientCertPrivateKey.
TEST_F(OpenSSLClientKeyStoreTest,RecordAndFetchPrivateKey)83 TEST_F(OpenSSLClientKeyStoreTest, RecordAndFetchPrivateKey) {
84   ASSERT_TRUE(store_);
85 
86   // Any certificate / key pair will do, the store is not supposed to
87   // check that the private and certificate public keys match. This is
88   // by design since the private EVP_PKEY could be a wrapper around a
89   // JNI reference, with no way to access the real private key bits.
90   scoped_refptr<X509Certificate> cert_1(
91       ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));
92   ASSERT_TRUE(cert_1.get());
93 
94   crypto::ScopedEVP_PKEY priv_key(EVP_PKEY_new());
95   ASSERT_TRUE(priv_key.get());
96   ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key.get()));
97 
98   // Add the key a first time, this should increment its reference count.
99   ASSERT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(),
100                                                  priv_key.get()));
101   ASSERT_EQ(2, EVP_PKEY_get_refcount(priv_key.get()));
102 
103   // Two successive calls with the same certificate / private key shall
104   // also succeed, but the key's reference count should not be incremented.
105   ASSERT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(),
106                                                  priv_key.get()));
107   ASSERT_EQ(2, EVP_PKEY_get_refcount(priv_key.get()));
108 
109   // Retrieve the private key. This should increment the private key's
110   // reference count.
111   crypto::ScopedEVP_PKEY pkey2 =
112       store_->FetchClientCertPrivateKey(cert_1.get());
113   ASSERT_EQ(pkey2.get(), priv_key.get());
114   ASSERT_EQ(3, EVP_PKEY_get_refcount(priv_key.get()));
115 
116   // Flush the store explicitely, this should decrement the private
117   // key's reference count.
118   store_->Flush();
119   ASSERT_EQ(2, EVP_PKEY_get_refcount(priv_key.get()));
120 }
121 
122 // Same test, but with two certificates / private keys.
TEST_F(OpenSSLClientKeyStoreTest,RecordAndFetchTwoPrivateKeys)123 TEST_F(OpenSSLClientKeyStoreTest, RecordAndFetchTwoPrivateKeys) {
124   scoped_refptr<X509Certificate> cert_1(
125       ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem"));
126   ASSERT_TRUE(cert_1.get());
127 
128   scoped_refptr<X509Certificate> cert_2(
129       ImportCertFromFile(GetTestCertsDirectory(), "client_2.pem"));
130   ASSERT_TRUE(cert_2.get());
131 
132   crypto::ScopedEVP_PKEY priv_key1(EVP_PKEY_new());
133   ASSERT_TRUE(priv_key1.get());
134   ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key1.get()));
135 
136   crypto::ScopedEVP_PKEY priv_key2(EVP_PKEY_new());
137   ASSERT_TRUE(priv_key2.get());
138   ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key2.get()));
139 
140   ASSERT_NE(priv_key1.get(), priv_key2.get());
141 
142   // Add the key a first time, this shall succeed, and increment the
143   // reference count.
144   EXPECT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(),
145                                                  priv_key1.get()));
146   EXPECT_TRUE(store_->RecordClientCertPrivateKey(cert_2.get(),
147                                                  priv_key2.get()));
148   EXPECT_EQ(2, EVP_PKEY_get_refcount(priv_key1.get()));
149   EXPECT_EQ(2, EVP_PKEY_get_refcount(priv_key2.get()));
150 
151   // Retrieve the private key now. This shall succeed and increment
152   // the private key's reference count.
153   crypto::ScopedEVP_PKEY fetch_key1 =
154       store_->FetchClientCertPrivateKey(cert_1.get());
155   crypto::ScopedEVP_PKEY fetch_key2 =
156       store_->FetchClientCertPrivateKey(cert_2.get());
157 
158   EXPECT_TRUE(fetch_key1.get());
159   EXPECT_TRUE(fetch_key2.get());
160 
161   EXPECT_EQ(fetch_key1.get(), priv_key1.get());
162   EXPECT_EQ(fetch_key2.get(), priv_key2.get());
163 
164   EXPECT_EQ(3, EVP_PKEY_get_refcount(priv_key1.get()));
165   EXPECT_EQ(3, EVP_PKEY_get_refcount(priv_key2.get()));
166 }
167 
168 }  // namespace
169 }  // namespace net
170