1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
|
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/base/keygen_handler.h"
#include <string>
#include <utility>
#include "base/base64.h"
#include "base/bind.h"
#include "base/location.h"
#include "base/logging.h"
#include "base/synchronization/waitable_event.h"
#include "base/threading/thread_restrictions.h"
#include "base/threading/worker_pool.h"
#include "build/build_config.h"
#include "testing/gtest/include/gtest/gtest.h"
#if defined(USE_NSS_CERTS)
#include <private/pprthred.h> // PR_DetachThread
#include "crypto/nss_crypto_module_delegate.h"
#include "crypto/scoped_test_nss_db.h"
#endif
namespace net {
namespace {
#if defined(USE_NSS_CERTS)
class StubCryptoModuleDelegate : public crypto::NSSCryptoModuleDelegate {
public:
explicit StubCryptoModuleDelegate(crypto::ScopedPK11Slot slot)
: slot_(std::move(slot)) {}
std::string RequestPassword(const std::string& slot_name,
bool retry,
bool* cancelled) override {
return std::string();
}
crypto::ScopedPK11Slot RequestSlot() override {
return crypto::ScopedPK11Slot(PK11_ReferenceSlot(slot_.get()));
}
private:
crypto::ScopedPK11Slot slot_;
};
#endif
class KeygenHandlerTest : public ::testing::Test {
public:
KeygenHandlerTest() {}
~KeygenHandlerTest() override {}
scoped_ptr<KeygenHandler> CreateKeygenHandler() {
scoped_ptr<KeygenHandler> handler(new KeygenHandler(
768, "some challenge", GURL("http://www.example.com")));
#if defined(USE_NSS_CERTS)
handler->set_crypto_module_delegate(
scoped_ptr<crypto::NSSCryptoModuleDelegate>(
new StubCryptoModuleDelegate(crypto::ScopedPK11Slot(
PK11_ReferenceSlot(test_nss_db_.slot())))));
#endif
return handler;
}
private:
#if defined(USE_NSS_CERTS)
crypto::ScopedTestNSSDB test_nss_db_;
#endif
};
// Assert that |result| is a valid output for KeygenHandler given challenge
// string of |challenge|.
void AssertValidSignedPublicKeyAndChallenge(const std::string& result,
const std::string& challenge) {
ASSERT_GT(result.length(), 0U);
// Verify it's valid base64:
std::string spkac;
ASSERT_TRUE(base::Base64Decode(result, &spkac));
// In lieu of actually parsing and validating the DER data,
// just check that it exists and has a reasonable length.
// (It's almost always 590 bytes, but the DER encoding of the random key
// and signature could sometimes be a few bytes different.)
ASSERT_GE(spkac.length(), 200U);
ASSERT_LE(spkac.length(), 300U);
// NOTE:
// The value of |result| can be validated by prefixing 'SPKAC=' to it
// and piping it through
// openssl spkac -verify
// whose output should look like:
// Netscape SPKI:
// Public Key Algorithm: rsaEncryption
// RSA Public Key: (2048 bit)
// Modulus (2048 bit):
// 00:b6:cc:14:c9:43:b5:2d:51:65:7e:11:8b:80:9e: .....
// Exponent: 65537 (0x10001)
// Challenge String: some challenge
// Signature Algorithm: md5WithRSAEncryption
// 92:f3:cc:ff:0b:d3:d0:4a:3a:4c:ba:ff:d6:38:7f:a5:4b:b5: .....
// Signature OK
//
// The value of |spkac| can be ASN.1-parsed with:
// openssl asn1parse -inform DER
}
TEST_F(KeygenHandlerTest, SmokeTest) {
scoped_ptr<KeygenHandler> handler(CreateKeygenHandler());
handler->set_stores_key(false); // Don't leave the key-pair behind
std::string result = handler->GenKeyAndSignChallenge();
VLOG(1) << "KeygenHandler produced: " << result;
AssertValidSignedPublicKeyAndChallenge(result, "some challenge");
}
void ConcurrencyTestCallback(const std::string& challenge,
base::WaitableEvent* event,
scoped_ptr<KeygenHandler> handler,
std::string* result) {
// We allow Singleton use on the worker thread here since we use a
// WaitableEvent to synchronize, so it's safe.
base::ThreadRestrictions::ScopedAllowSingleton scoped_allow_singleton;
handler->set_stores_key(false); // Don't leave the key-pair behind.
*result = handler->GenKeyAndSignChallenge();
event->Signal();
#if defined(USE_NSS_CERTS)
// Detach the thread from NSPR.
// Calling NSS functions attaches the thread to NSPR, which stores
// the NSPR thread ID in thread-specific data.
// The threads in our thread pool terminate after we have called
// PR_Cleanup. Unless we detach them from NSPR, net_unittests gets
// segfaults on shutdown when the threads' thread-specific data
// destructors run.
PR_DetachThread();
#endif
}
// We asynchronously generate the keys so as not to hang up the IO thread. This
// test tries to catch concurrency problems in the keygen implementation.
TEST_F(KeygenHandlerTest, ConcurrencyTest) {
const int NUM_HANDLERS = 5;
base::WaitableEvent* events[NUM_HANDLERS] = { NULL };
std::string results[NUM_HANDLERS];
for (int i = 0; i < NUM_HANDLERS; i++) {
scoped_ptr<KeygenHandler> handler(CreateKeygenHandler());
events[i] = new base::WaitableEvent(false, false);
base::WorkerPool::PostTask(FROM_HERE,
base::Bind(ConcurrencyTestCallback,
"some challenge",
events[i],
base::Passed(&handler),
&results[i]),
true);
}
for (int i = 0; i < NUM_HANDLERS; i++) {
// Make sure the job completed
events[i]->Wait();
delete events[i];
events[i] = NULL;
VLOG(1) << "KeygenHandler " << i << " produced: " << results[i];
AssertValidSignedPublicKeyAndChallenge(results[i], "some challenge");
}
}
} // namespace
} // namespace net
|
