Support generation of EC keys using P256 curve and support ECDSA certs.

webrtc/p2p/base/dtlstransportchannel_unittest.cc

 /*
  *  Copyright 2011 The WebRTC Project Authors. All rights reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 44 matching lines @@
       packet_size_(0),
       use_dtls_srtp_(false),
       ssl_max_version_(rtc::SSL_PROTOCOL_DTLS_10),
       negotiated_dtls_(false),
       received_dtls_client_hello_(false),
       received_dtls_server_hello_(false) {
   }
   void SetIceProtocol(cricket::TransportProtocol proto) {
     protocol_ = proto;
   }
-  void CreateIdentity() {
-    identity_.reset(rtc::SSLIdentity::Generate(name_));
+  void CreateIdentity(rtc::KeyType key_type) {
+    identity_.reset(rtc::SSLIdentity::Generate(name_, key_type));
   }
   rtc::SSLIdentity* identity() { return identity_.get(); }
   void SetupSrtp() {
     ASSERT(identity_.get() != NULL);
     use_dtls_srtp_ = true;
   }
   void SetupMaxProtocolVersion(rtc::SSLProtocolVersion version) {
     ASSERT(transport_.get() == NULL);
     ssl_max_version_ = version;
   }
@@ skipping 328 matching lines @@
 
   void SetChannelCount(size_t channel_ct) {
     channel_ct_ = static_cast<int>(channel_ct);
   }
   void SetMaxProtocolVersions(rtc::SSLProtocolVersion c1,
                               rtc::SSLProtocolVersion c2) {
     client1_.SetupMaxProtocolVersion(c1);
     client2_.SetupMaxProtocolVersion(c2);
     ssl_expected_version_ = std::min(c1, c2);
   }
-  void PrepareDtls(bool c1, bool c2) {
+  void PrepareDtls(bool c1, bool c2, rtc::KeyType key_type) {
     if (c1) {
-      client1_.CreateIdentity();
+      client1_.CreateIdentity(key_type);
     }
     if (c2) {
-      client2_.CreateIdentity();
+      client2_.CreateIdentity(key_type);
     }
     if (c1 && c2)
       use_dtls_ = true;
   }
   void PrepareDtlsSrtp(bool c1, bool c2) {
     if (!use_dtls_)
       return;
 
     if (c1)
       client1_.SetupSrtp();
@@ skipping 176 matching lines @@
 
 // Create two channels without DTLS, and transfer SRTP data.
 TEST_F(DtlsTransportChannelTest, TestTransferSrtpTwoChannels) {
   SetChannelCount(2);
   ASSERT_TRUE(Connect());
   TestTransfer(0, 1000, 100, true);
   TestTransfer(1, 1000, 100, true);
 }
 
 // Connect with DTLS, and transfer some data.
-TEST_F(DtlsTransportChannelTest, TestTransferDtls) {
+TEST_F(DtlsTransportChannelTest, TestTransferDtlsRSA) {

[juberti1, 2015/06/26 19:16:02]

These all seem like they should be KT_DEFAULT (and no change to the test name).
The actual testing of ECDSA/RSA operation is done by the lower-level tests in
sslidentity/adapter_unittest.

[torbjorng (webrtc), 2015/07/02 12:35:08]

Done.

   MAYBE_SKIP_TEST(HaveDtls);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   ASSERT_TRUE(Connect());
   TestTransfer(0, 1000, 100, false);
 }
 
 // Create two channels with DTLS, and transfer some data.
 TEST_F(DtlsTransportChannelTest, TestTransferDtlsTwoChannels) {
   MAYBE_SKIP_TEST(HaveDtls);
   SetChannelCount(2);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   ASSERT_TRUE(Connect());
   TestTransfer(0, 1000, 100, false);
   TestTransfer(1, 1000, 100, false);
 }
 
 // Connect with A doing DTLS and B not, and transfer some data.
 TEST_F(DtlsTransportChannelTest, TestTransferDtlsRejected) {
-  PrepareDtls(true, false);
+  PrepareDtls(true, false, rtc::KT_RSA);
   ASSERT_TRUE(Connect());
   TestTransfer(0, 1000, 100, false);
 }
 
 // Connect with B doing DTLS and A not, and transfer some data.
 TEST_F(DtlsTransportChannelTest, TestTransferDtlsNotOffered) {
-  PrepareDtls(false, true);
+  PrepareDtls(false, true, rtc::KT_RSA);
   ASSERT_TRUE(Connect());
   TestTransfer(0, 1000, 100, false);
 }
 
 // Create two channels with DTLS 1.0 and check ciphers.
 TEST_F(DtlsTransportChannelTest, TestDtls12None) {
   MAYBE_SKIP_TEST(HaveDtls);
   SetChannelCount(2);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_10);
   ASSERT_TRUE(Connect());
 }
 
 // Create two channels with DTLS 1.2 and check ciphers.
 TEST_F(DtlsTransportChannelTest, TestDtls12Both) {
   MAYBE_SKIP_TEST(HaveDtls);
   SetChannelCount(2);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_12);
   ASSERT_TRUE(Connect());
 }
 
 // Create two channels with DTLS 1.0 / DTLS 1.2 and check ciphers.
 TEST_F(DtlsTransportChannelTest, TestDtls12Client1) {
   MAYBE_SKIP_TEST(HaveDtls);
   SetChannelCount(2);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_12, rtc::SSL_PROTOCOL_DTLS_10);
   ASSERT_TRUE(Connect());
 }
 
 // Create two channels with DTLS 1.2 / DTLS 1.0 and check ciphers.
 TEST_F(DtlsTransportChannelTest, TestDtls12Client2) {
   MAYBE_SKIP_TEST(HaveDtls);
   SetChannelCount(2);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   SetMaxProtocolVersions(rtc::SSL_PROTOCOL_DTLS_10, rtc::SSL_PROTOCOL_DTLS_12);
   ASSERT_TRUE(Connect());
 }
 
 // Connect with DTLS, negotiate DTLS-SRTP, and transfer SRTP using bypass.
 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtp) {
   MAYBE_SKIP_TEST(HaveDtlsSrtp);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   PrepareDtlsSrtp(true, true);
   ASSERT_TRUE(Connect());
   TestTransfer(0, 1000, 100, true);
 }
 
 // Connect with DTLS-SRTP, transfer an invalid SRTP packet, and expects -1
 // returned.
 TEST_F(DtlsTransportChannelTest, TestTransferDtlsInvalidSrtpPacket) {
   MAYBE_SKIP_TEST(HaveDtls);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   PrepareDtlsSrtp(true, true);
   ASSERT_TRUE(Connect());
   int result = client1_.SendInvalidSrtpPacket(0, 100);
   ASSERT_EQ(-1, result);
 }
 
 // Connect with DTLS. A does DTLS-SRTP but B does not.
 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpRejected) {
   MAYBE_SKIP_TEST(HaveDtlsSrtp);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   PrepareDtlsSrtp(true, false);
   ASSERT_TRUE(Connect());
 }
 
 // Connect with DTLS. B does DTLS-SRTP but A does not.
 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpNotOffered) {
   MAYBE_SKIP_TEST(HaveDtlsSrtp);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   PrepareDtlsSrtp(false, true);
   ASSERT_TRUE(Connect());
 }
 
 // Create two channels with DTLS, negotiate DTLS-SRTP, and transfer bypass SRTP.
 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpTwoChannels) {
   MAYBE_SKIP_TEST(HaveDtlsSrtp);
   SetChannelCount(2);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   PrepareDtlsSrtp(true, true);
   ASSERT_TRUE(Connect());
   TestTransfer(0, 1000, 100, true);
   TestTransfer(1, 1000, 100, true);
 }
 
 // Create a single channel with DTLS, and send normal data and SRTP data on it.
 TEST_F(DtlsTransportChannelTest, TestTransferDtlsSrtpDemux) {
   MAYBE_SKIP_TEST(HaveDtlsSrtp);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   PrepareDtlsSrtp(true, true);
   ASSERT_TRUE(Connect());
   TestTransfer(0, 1000, 100, false);
   TestTransfer(0, 1000, 100, true);
 }
 
 // Testing when the remote is passive.
 TEST_F(DtlsTransportChannelTest, TestTransferDtlsAnswererIsPassive) {
   MAYBE_SKIP_TEST(HaveDtlsSrtp);
   SetChannelCount(2);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   PrepareDtlsSrtp(true, true);
   ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
                       cricket::CONNECTIONROLE_PASSIVE));
   TestTransfer(0, 1000, 100, true);
   TestTransfer(1, 1000, 100, true);
 }
 
 // Testing with the legacy DTLS client which doesn't use setup attribute.
 // In this case legacy is the answerer.
 TEST_F(DtlsTransportChannelTest, TestDtlsSetupWithLegacyAsAnswerer) {
   MAYBE_SKIP_TEST(HaveDtlsSrtp);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   NegotiateWithLegacy();
   rtc::SSLRole channel1_role;
   rtc::SSLRole channel2_role;
   EXPECT_TRUE(client1_.transport()->GetSslRole(&channel1_role));
   EXPECT_TRUE(client2_.transport()->GetSslRole(&channel2_role));
   EXPECT_EQ(rtc::SSL_SERVER, channel1_role);
   EXPECT_EQ(rtc::SSL_CLIENT, channel2_role);
 }
 
 // Testing re offer/answer after the session is estbalished. Roles will be
 // kept same as of the previous negotiation.
 TEST_F(DtlsTransportChannelTest, TestDtlsReOfferFromOfferer) {
   MAYBE_SKIP_TEST(HaveDtlsSrtp);
   SetChannelCount(2);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   PrepareDtlsSrtp(true, true);
   // Initial role for client1 is ACTPASS and client2 is ACTIVE.
   ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
                       cricket::CONNECTIONROLE_ACTIVE));
   TestTransfer(0, 1000, 100, true);
   TestTransfer(1, 1000, 100, true);
   // Using input roles for the re-offer.
   Renegotiate(&client1_, cricket::CONNECTIONROLE_ACTPASS,
               cricket::CONNECTIONROLE_ACTIVE, NF_REOFFER);
   TestTransfer(0, 1000, 100, true);
   TestTransfer(1, 1000, 100, true);
 }
 
 TEST_F(DtlsTransportChannelTest, TestDtlsReOfferFromAnswerer) {
   MAYBE_SKIP_TEST(HaveDtlsSrtp);
   SetChannelCount(2);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   PrepareDtlsSrtp(true, true);
   // Initial role for client1 is ACTPASS and client2 is ACTIVE.
   ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
                       cricket::CONNECTIONROLE_ACTIVE));
   TestTransfer(0, 1000, 100, true);
   TestTransfer(1, 1000, 100, true);
   // Using input roles for the re-offer.
   Renegotiate(&client2_, cricket::CONNECTIONROLE_PASSIVE,
               cricket::CONNECTIONROLE_ACTPASS, NF_REOFFER);
   TestTransfer(0, 1000, 100, true);
   TestTransfer(1, 1000, 100, true);
 }
 
 // Test that any change in role after the intial setup will result in failure.
 TEST_F(DtlsTransportChannelTest, TestDtlsRoleReversal) {
   MAYBE_SKIP_TEST(HaveDtlsSrtp);
   SetChannelCount(2);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   PrepareDtlsSrtp(true, true);
   ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
                       cricket::CONNECTIONROLE_PASSIVE));
 
   // Renegotiate from client2 with actpass and client1 as active.
   Renegotiate(&client2_, cricket::CONNECTIONROLE_ACTPASS,
               cricket::CONNECTIONROLE_ACTIVE,
               NF_REOFFER | NF_EXPECT_FAILURE);
 }
 
 // Test that using different setup attributes which results in similar ssl
 // role as the initial negotiation will result in success.
 TEST_F(DtlsTransportChannelTest, TestDtlsReOfferWithDifferentSetupAttr) {
   MAYBE_SKIP_TEST(HaveDtlsSrtp);
   SetChannelCount(2);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   PrepareDtlsSrtp(true, true);
   ASSERT_TRUE(Connect(cricket::CONNECTIONROLE_ACTPASS,
                       cricket::CONNECTIONROLE_PASSIVE));
   // Renegotiate from client2 with actpass and client1 as active.
   Renegotiate(&client2_, cricket::CONNECTIONROLE_ACTIVE,
               cricket::CONNECTIONROLE_ACTPASS, NF_REOFFER);
   TestTransfer(0, 1000, 100, true);
   TestTransfer(1, 1000, 100, true);
 }
 
 // Test that re-negotiation can be started before the clients become connected
 // in the first negotiation.
 TEST_F(DtlsTransportChannelTest, TestRenegotiateBeforeConnect) {
   MAYBE_SKIP_TEST(HaveDtlsSrtp);
   SetChannelCount(2);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   PrepareDtlsSrtp(true, true);
   Negotiate();
 
   Renegotiate(&client1_, cricket::CONNECTIONROLE_ACTPASS,
               cricket::CONNECTIONROLE_ACTIVE, NF_REOFFER);
   bool rv = client1_.Connect(&client2_);
   EXPECT_TRUE(rv);
   EXPECT_TRUE_WAIT(client1_.writable() && client2_.writable(), 10000);
 
   TestTransfer(0, 1000, 100, true);
   TestTransfer(1, 1000, 100, true);
 }
 
 // Test Certificates state after negotiation but before connection.
 TEST_F(DtlsTransportChannelTest, TestCertificatesBeforeConnect) {
   MAYBE_SKIP_TEST(HaveDtls);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   Negotiate();
 
   rtc::scoped_ptr<rtc::SSLIdentity> identity1;
   rtc::scoped_ptr<rtc::SSLIdentity> identity2;
   rtc::scoped_ptr<rtc::SSLCertificate> remote_cert1;
   rtc::scoped_ptr<rtc::SSLCertificate> remote_cert2;
 
   // After negotiation, each side has a distinct local certificate, but still no
   // remote certificate, because connection has not yet occurred.
   ASSERT_TRUE(client1_.transport()->GetIdentity(identity1.accept()));
   ASSERT_TRUE(client2_.transport()->GetIdentity(identity2.accept()));
   ASSERT_NE(identity1->certificate().ToPEMString(),
             identity2->certificate().ToPEMString());
   ASSERT_FALSE(
       client1_.transport()->GetRemoteCertificate(remote_cert1.accept()));
   ASSERT_FALSE(remote_cert1 != NULL);
   ASSERT_FALSE(
       client2_.transport()->GetRemoteCertificate(remote_cert2.accept()));
   ASSERT_FALSE(remote_cert2 != NULL);
 }
 
 // Test Certificates state after connection.
 TEST_F(DtlsTransportChannelTest, TestCertificatesAfterConnect) {
   MAYBE_SKIP_TEST(HaveDtls);
-  PrepareDtls(true, true);
+  PrepareDtls(true, true, rtc::KT_RSA);
   ASSERT_TRUE(Connect());
 
   rtc::scoped_ptr<rtc::SSLIdentity> identity1;
   rtc::scoped_ptr<rtc::SSLIdentity> identity2;
   rtc::scoped_ptr<rtc::SSLCertificate> remote_cert1;
   rtc::scoped_ptr<rtc::SSLCertificate> remote_cert2;
 
   // After connection, each side has a distinct local certificate.
   ASSERT_TRUE(client1_.transport()->GetIdentity(identity1.accept()));
   ASSERT_TRUE(client2_.transport()->GetIdentity(identity2.accept()));
   ASSERT_NE(identity1->certificate().ToPEMString(),
             identity2->certificate().ToPEMString());
 
   // Each side's remote certificate is the other side's local certificate.
   ASSERT_TRUE(
       client1_.transport()->GetRemoteCertificate(remote_cert1.accept()));
   ASSERT_EQ(remote_cert1->ToPEMString(),
             identity2->certificate().ToPEMString());
   ASSERT_TRUE(
       client2_.transport()->GetRemoteCertificate(remote_cert2.accept()));
   ASSERT_EQ(remote_cert2->ToPEMString(),
             identity1->certificate().ToPEMString());
 }