1// Copyright 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "net/quic/test_tools/crypto_test_utils.h"
6
7#include <openssl/bn.h>
8#include <openssl/ec.h>
9#include <openssl/ecdsa.h>
10#include <openssl/evp.h>
11#include <openssl/obj_mac.h>
12#include <openssl/sha.h>
13
14#include "crypto/openssl_util.h"
15#include "crypto/scoped_openssl_types.h"
16#include "crypto/secure_hash.h"
17#include "net/quic/crypto/channel_id.h"
18
19using base::StringPiece;
20using std::string;
21
22namespace net {
23
24namespace test {
25
26class TestChannelIDKey : public ChannelIDKey {
27 public:
28  explicit TestChannelIDKey(EVP_PKEY* ecdsa_key) : ecdsa_key_(ecdsa_key) {}
29  virtual ~TestChannelIDKey() OVERRIDE {}
30
31  // ChannelIDKey implementation.
32
33  virtual bool Sign(StringPiece signed_data,
34                    string* out_signature) const OVERRIDE {
35    crypto::ScopedEVP_MD_CTX md_ctx(EVP_MD_CTX_create());
36    if (!md_ctx ||
37        EVP_DigestSignInit(md_ctx.get(), NULL, EVP_sha256(), NULL,
38                           ecdsa_key_.get()) != 1) {
39      return false;
40    }
41
42    EVP_DigestUpdate(md_ctx.get(), ChannelIDVerifier::kContextStr,
43                     strlen(ChannelIDVerifier::kContextStr) + 1);
44    EVP_DigestUpdate(md_ctx.get(), ChannelIDVerifier::kClientToServerStr,
45                     strlen(ChannelIDVerifier::kClientToServerStr) + 1);
46    EVP_DigestUpdate(md_ctx.get(), signed_data.data(), signed_data.size());
47
48    size_t sig_len;
49    if (!EVP_DigestSignFinal(md_ctx.get(), NULL, &sig_len)) {
50      return false;
51    }
52
53    scoped_ptr<uint8[]> der_sig(new uint8[sig_len]);
54    if (!EVP_DigestSignFinal(md_ctx.get(), der_sig.get(), &sig_len)) {
55      return false;
56    }
57
58    uint8* derp = der_sig.get();
59    crypto::ScopedECDSA_SIG sig(
60        d2i_ECDSA_SIG(NULL, const_cast<const uint8**>(&derp), sig_len));
61    if (sig.get() == NULL) {
62      return false;
63    }
64
65    // The signature consists of a pair of 32-byte numbers.
66    static const size_t kSignatureLength = 32 * 2;
67    scoped_ptr<uint8[]> signature(new uint8[kSignatureLength]);
68    memset(signature.get(), 0, kSignatureLength);
69    BN_bn2bin(sig.get()->r, signature.get() + 32 - BN_num_bytes(sig.get()->r));
70    BN_bn2bin(sig.get()->s, signature.get() + 64 - BN_num_bytes(sig.get()->s));
71
72    *out_signature = string(reinterpret_cast<char*>(signature.get()),
73                            kSignatureLength);
74
75    return true;
76  }
77
78  virtual string SerializeKey() const OVERRIDE {
79    // i2d_PublicKey will produce an ANSI X9.62 public key which, for a P-256
80    // key, is 0x04 (meaning uncompressed) followed by the x and y field
81    // elements as 32-byte, big-endian numbers.
82    static const int kExpectedKeyLength = 65;
83
84    int len = i2d_PublicKey(ecdsa_key_.get(), NULL);
85    if (len != kExpectedKeyLength) {
86      return "";
87    }
88
89    uint8 buf[kExpectedKeyLength];
90    uint8* derp = buf;
91    i2d_PublicKey(ecdsa_key_.get(), &derp);
92
93    return string(reinterpret_cast<char*>(buf + 1), kExpectedKeyLength - 1);
94  }
95
96 private:
97  crypto::ScopedEVP_PKEY ecdsa_key_;
98};
99
100class TestChannelIDSource : public ChannelIDSource {
101 public:
102  virtual ~TestChannelIDSource() {}
103
104  // ChannelIDSource implementation.
105
106  virtual QuicAsyncStatus GetChannelIDKey(
107      const string& hostname,
108      scoped_ptr<ChannelIDKey>* channel_id_key,
109      ChannelIDSourceCallback* /*callback*/) OVERRIDE {
110    channel_id_key->reset(new TestChannelIDKey(HostnameToKey(hostname)));
111    return QUIC_SUCCESS;
112  }
113
114 private:
115  static EVP_PKEY* HostnameToKey(const string& hostname) {
116    // In order to generate a deterministic key for a given hostname the
117    // hostname is hashed with SHA-256 and the resulting digest is treated as a
118    // big-endian number. The most-significant bit is cleared to ensure that
119    // the resulting value is less than the order of the group and then it's
120    // taken as a private key. Given the private key, the public key is
121    // calculated with a group multiplication.
122    SHA256_CTX sha256;
123    SHA256_Init(&sha256);
124    SHA256_Update(&sha256, hostname.data(), hostname.size());
125
126    unsigned char digest[SHA256_DIGEST_LENGTH];
127    SHA256_Final(digest, &sha256);
128
129    // Ensure that the digest is less than the order of the P-256 group by
130    // clearing the most-significant bit.
131    digest[0] &= 0x7f;
132
133    crypto::ScopedBIGNUM k(BN_new());
134    CHECK(BN_bin2bn(digest, sizeof(digest), k.get()) != NULL);
135
136    crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free>::Type p256(
137        EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
138    CHECK(p256.get());
139
140    crypto::ScopedEC_KEY ecdsa_key(EC_KEY_new());
141    CHECK(ecdsa_key.get() != NULL &&
142          EC_KEY_set_group(ecdsa_key.get(), p256.get()));
143
144    crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free>::Type point(
145        EC_POINT_new(p256.get()));
146    CHECK(EC_POINT_mul(p256.get(), point.get(), k.get(), NULL, NULL, NULL));
147
148    EC_KEY_set_private_key(ecdsa_key.get(), k.get());
149    EC_KEY_set_public_key(ecdsa_key.get(), point.get());
150
151    crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new());
152    // EVP_PKEY_set1_EC_KEY takes a reference so no |release| here.
153    EVP_PKEY_set1_EC_KEY(pkey.get(), ecdsa_key.get());
154
155    return pkey.release();
156  }
157};
158
159// static
160ChannelIDSource* CryptoTestUtils::ChannelIDSourceForTesting() {
161  return new TestChannelIDSource();
162}
163
164}  // namespace test
165
166}  // namespace net
167