1// Copyright (c) 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/ssl/openssl_client_key_store.h" 6 7#include "base/memory/ref_counted.h" 8#include "crypto/scoped_openssl_types.h" 9#include "net/base/test_data_directory.h" 10#include "net/test/cert_test_util.h" 11#include "testing/gtest/include/gtest/gtest.h" 12 13namespace net { 14 15namespace { 16 17// Return the internal reference count of a given EVP_PKEY. 18int EVP_PKEY_get_refcount(EVP_PKEY* pkey) { 19 return pkey->references; 20} 21 22// A common test class to ensure that the store is flushed after 23// each test. 24class OpenSSLClientKeyStoreTest : public ::testing::Test { 25 public: 26 OpenSSLClientKeyStoreTest() 27 : store_(OpenSSLClientKeyStore::GetInstance()) { 28 } 29 30 virtual ~OpenSSLClientKeyStoreTest() { 31 if (store_) 32 store_->Flush(); 33 } 34 35 protected: 36 OpenSSLClientKeyStore* store_; 37}; 38 39// Check that GetInstance() returns non-null 40TEST_F(OpenSSLClientKeyStoreTest, GetInstance) { 41 ASSERT_TRUE(store_); 42} 43 44// Check that Flush() works correctly. 45TEST_F(OpenSSLClientKeyStoreTest, Flush) { 46 ASSERT_TRUE(store_); 47 48 scoped_refptr<X509Certificate> cert_1( 49 ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem")); 50 ASSERT_TRUE(cert_1.get()); 51 52 crypto::ScopedEVP_PKEY priv_key(EVP_PKEY_new()); 53 ASSERT_TRUE(priv_key.get()); 54 55 ASSERT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(), 56 priv_key.get())); 57 58 store_->Flush(); 59 60 // Retrieve the private key. This should fail because the store 61 // was flushed. 62 crypto::ScopedEVP_PKEY pkey = store_->FetchClientCertPrivateKey(cert_1.get()); 63 ASSERT_FALSE(pkey.get()); 64} 65 66// Check that trying to retrieve the private key of an unknown certificate 67// simply fails by returning null. 68TEST_F(OpenSSLClientKeyStoreTest, FetchEmptyPrivateKey) { 69 ASSERT_TRUE(store_); 70 71 scoped_refptr<X509Certificate> cert_1( 72 ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem")); 73 ASSERT_TRUE(cert_1.get()); 74 75 // Retrieve the private key now. This should fail because it was 76 // never recorded in the store. 77 crypto::ScopedEVP_PKEY pkey = store_->FetchClientCertPrivateKey(cert_1.get()); 78 ASSERT_FALSE(pkey.get()); 79} 80 81// Check that any private key recorded through RecordClientCertPrivateKey 82// can be retrieved with FetchClientCertPrivateKey. 83TEST_F(OpenSSLClientKeyStoreTest, RecordAndFetchPrivateKey) { 84 ASSERT_TRUE(store_); 85 86 // Any certificate / key pair will do, the store is not supposed to 87 // check that the private and certificate public keys match. This is 88 // by design since the private EVP_PKEY could be a wrapper around a 89 // JNI reference, with no way to access the real private key bits. 90 scoped_refptr<X509Certificate> cert_1( 91 ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem")); 92 ASSERT_TRUE(cert_1.get()); 93 94 crypto::ScopedEVP_PKEY priv_key(EVP_PKEY_new()); 95 ASSERT_TRUE(priv_key.get()); 96 ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key.get())); 97 98 // Add the key a first time, this should increment its reference count. 99 ASSERT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(), 100 priv_key.get())); 101 ASSERT_EQ(2, EVP_PKEY_get_refcount(priv_key.get())); 102 103 // Two successive calls with the same certificate / private key shall 104 // also succeed, but the key's reference count should not be incremented. 105 ASSERT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(), 106 priv_key.get())); 107 ASSERT_EQ(2, EVP_PKEY_get_refcount(priv_key.get())); 108 109 // Retrieve the private key. This should increment the private key's 110 // reference count. 111 crypto::ScopedEVP_PKEY pkey2 = 112 store_->FetchClientCertPrivateKey(cert_1.get()); 113 ASSERT_EQ(pkey2.get(), priv_key.get()); 114 ASSERT_EQ(3, EVP_PKEY_get_refcount(priv_key.get())); 115 116 // Flush the store explicitely, this should decrement the private 117 // key's reference count. 118 store_->Flush(); 119 ASSERT_EQ(2, EVP_PKEY_get_refcount(priv_key.get())); 120} 121 122// Same test, but with two certificates / private keys. 123TEST_F(OpenSSLClientKeyStoreTest, RecordAndFetchTwoPrivateKeys) { 124 scoped_refptr<X509Certificate> cert_1( 125 ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem")); 126 ASSERT_TRUE(cert_1.get()); 127 128 scoped_refptr<X509Certificate> cert_2( 129 ImportCertFromFile(GetTestCertsDirectory(), "client_2.pem")); 130 ASSERT_TRUE(cert_2.get()); 131 132 crypto::ScopedEVP_PKEY priv_key1(EVP_PKEY_new()); 133 ASSERT_TRUE(priv_key1.get()); 134 ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key1.get())); 135 136 crypto::ScopedEVP_PKEY priv_key2(EVP_PKEY_new()); 137 ASSERT_TRUE(priv_key2.get()); 138 ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key2.get())); 139 140 ASSERT_NE(priv_key1.get(), priv_key2.get()); 141 142 // Add the key a first time, this shall succeed, and increment the 143 // reference count. 144 EXPECT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(), 145 priv_key1.get())); 146 EXPECT_TRUE(store_->RecordClientCertPrivateKey(cert_2.get(), 147 priv_key2.get())); 148 EXPECT_EQ(2, EVP_PKEY_get_refcount(priv_key1.get())); 149 EXPECT_EQ(2, EVP_PKEY_get_refcount(priv_key2.get())); 150 151 // Retrieve the private key now. This shall succeed and increment 152 // the private key's reference count. 153 crypto::ScopedEVP_PKEY fetch_key1 = 154 store_->FetchClientCertPrivateKey(cert_1.get()); 155 crypto::ScopedEVP_PKEY fetch_key2 = 156 store_->FetchClientCertPrivateKey(cert_2.get()); 157 158 EXPECT_TRUE(fetch_key1.get()); 159 EXPECT_TRUE(fetch_key2.get()); 160 161 EXPECT_EQ(fetch_key1.get(), priv_key1.get()); 162 EXPECT_EQ(fetch_key2.get(), priv_key2.get()); 163 164 EXPECT_EQ(3, EVP_PKEY_get_refcount(priv_key1.get())); 165 EXPECT_EQ(3, EVP_PKEY_get_refcount(priv_key2.get())); 166} 167 168} // namespace 169} // namespace net 170