Chromium Code Reviews Chromium Code Reviews
Issue 1189583002:
Support generation of EC keys using P256 curve and support ECDSA certs. (Closed)
Base URL: https://chromium.googlesource.com/external/webrtc.git@master| Index: webrtc/base/sslidentity_unittest.cc |
| diff --git a/webrtc/base/sslidentity_unittest.cc b/webrtc/base/sslidentity_unittest.cc |
| index fd754114288c1cd7a9b97bc429973df42a5ec474..7e30d62c12f06a89e3a9d0300da322e073e05b1a 100644 |
| --- a/webrtc/base/sslidentity_unittest.cc |
| +++ b/webrtc/base/sslidentity_unittest.cc |
| @@ -38,33 +38,46 @@ const unsigned char kTestCertSha1[] = {0xA6, 0xC8, 0x59, 0xEA, |
| class SSLIdentityTest : public testing::Test { |
| public: |
| - SSLIdentityTest() : |
| - identity1_(), identity2_() { |
| - } |
| + SSLIdentityTest() |
| + : identity_rsa1_(), |
|
juberti1
2015/07/21 22:54:13
These don't need to be initialized.
torbjorng (webrtc)
2015/08/17 12:12:45
Done.
|
| + identity_rsa2_(), |
| + identity_ecdsa1_(), |
| + identity_ecdsa2_() {} |
| ~SSLIdentityTest() { |
| } |
| virtual void SetUp() { |
| - identity1_.reset(SSLIdentity::Generate("test1")); |
| - identity2_.reset(SSLIdentity::Generate("test2")); |
| + identity_rsa1_.reset(SSLIdentity::Generate("test1", rtc::KT_RSA)); |
| + identity_rsa2_.reset(SSLIdentity::Generate("test2", rtc::KT_RSA)); |
| + identity_ecdsa1_.reset(SSLIdentity::Generate("test3", rtc::KT_ECDSA)); |
| + identity_ecdsa2_.reset(SSLIdentity::Generate("test4", rtc::KT_ECDSA)); |
| - ASSERT_TRUE(identity1_); |
| - ASSERT_TRUE(identity2_); |
| + ASSERT_TRUE(identity_rsa1_); |
| + ASSERT_TRUE(identity_rsa2_); |
| + ASSERT_TRUE(identity_ecdsa1_); |
| + ASSERT_TRUE(identity_ecdsa2_); |
| - test_cert_.reset( |
| - rtc::SSLCertificate::FromPEMString(kTestCertificate)); |
| + test_cert_.reset(rtc::SSLCertificate::FromPEMString(kTestCertificate)); |
| ASSERT_TRUE(test_cert_); |
| } |
| void TestGetSignatureDigestAlgorithm() { |
| std::string digest_algorithm; |
| - // Both NSSIdentity::Generate and OpenSSLIdentity::Generate are |
| - // hard-coded to generate RSA-SHA256 certificates. |
| - ASSERT_TRUE(identity1_->certificate().GetSignatureDigestAlgorithm( |
| + |
| + ASSERT_TRUE(identity_rsa1_->certificate().GetSignatureDigestAlgorithm( |
| + &digest_algorithm)); |
| + ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm); |
| + |
| + ASSERT_TRUE(identity_rsa2_->certificate().GetSignatureDigestAlgorithm( |
| &digest_algorithm)); |
| ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm); |
| - ASSERT_TRUE(identity2_->certificate().GetSignatureDigestAlgorithm( |
| + |
| + ASSERT_TRUE(identity_ecdsa1_->certificate().GetSignatureDigestAlgorithm( |
| + &digest_algorithm)); |
| + ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm); |
| + |
| + ASSERT_TRUE(identity_ecdsa2_->certificate().GetSignatureDigestAlgorithm( |
| &digest_algorithm)); |
| ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm); |
| @@ -73,58 +86,80 @@ class SSLIdentityTest : public testing::Test { |
| ASSERT_EQ(rtc::DIGEST_MD5, digest_algorithm); |
| } |
| - void TestDigest(const std::string &algorithm, size_t expected_len, |
| - const unsigned char *expected_digest = NULL) { |
| - unsigned char digest1[64]; |
| - unsigned char digest1b[64]; |
| - unsigned char digest2[64]; |
| - size_t digest1_len; |
| - size_t digest1b_len; |
| - size_t digest2_len; |
| + typedef unsigned char DigestType[64]; // 64 is the largest hash used here. |
|
juberti1
2015/07/21 22:54:13
You can use MessageDigest::kMaxSize instead of 64
torbjorng (webrtc)
2015/08/17 12:12:45
Done.
|
| + |
| + void TestDigestHelper(DigestType digest, |
| + const SSLIdentity* identity, |
| + const std::string& algorithm, |
| + size_t expected_len) { |
| + DigestType digest1; |
| + size_t digest_len; |
| bool rv; |
| - rv = identity1_->certificate().ComputeDigest(algorithm, |
| - digest1, sizeof(digest1), |
| - &digest1_len); |
| + memset(digest, 0, expected_len); |
| + rv = identity->certificate().ComputeDigest(algorithm, digest, |
| + sizeof(DigestType), &digest_len); |
| EXPECT_TRUE(rv); |
| - EXPECT_EQ(expected_len, digest1_len); |
| + EXPECT_EQ(expected_len, digest_len); |
| - rv = identity1_->certificate().ComputeDigest(algorithm, |
| - digest1b, sizeof(digest1b), |
| - &digest1b_len); |
| + // Repeat digest computation for the identity as a sanity check. |
| + memset(digest1, 0xff, expected_len); |
| + rv = identity->certificate().ComputeDigest(algorithm, digest1, |
| + sizeof(DigestType), &digest_len); |
| EXPECT_TRUE(rv); |
| - EXPECT_EQ(expected_len, digest1b_len); |
| - EXPECT_EQ(0, memcmp(digest1, digest1b, expected_len)); |
| + EXPECT_EQ(expected_len, digest_len); |
| + |
| + EXPECT_EQ(0, memcmp(digest, digest1, expected_len)); |
| + } |
| + void TestDigest(const std::string& algorithm, size_t expected_len) { |
|
juberti1
2015/07/21 22:54:13
I would call this TestDigestForGeneratedCerts, or
torbjorng (webrtc)
2015/08/17 12:12:45
Done.
|
| + DigestType digest[4]; |
| - rv = identity2_->certificate().ComputeDigest(algorithm, |
| - digest2, sizeof(digest2), |
| - &digest2_len); |
| - EXPECT_TRUE(rv); |
| - EXPECT_EQ(expected_len, digest2_len); |
| - EXPECT_NE(0, memcmp(digest1, digest2, expected_len)); |
| - |
| - // If we have an expected hash for the test cert, check it. |
| - if (expected_digest) { |
| - unsigned char digest3[64]; |
| - size_t digest3_len; |
| - |
| - rv = test_cert_->ComputeDigest(algorithm, digest3, sizeof(digest3), |
| - &digest3_len); |
| - EXPECT_TRUE(rv); |
| - EXPECT_EQ(expected_len, digest3_len); |
| - EXPECT_EQ(0, memcmp(digest3, expected_digest, expected_len)); |
| + ASSERT_TRUE(expected_len <= 64); |
|
juberti1
2015/07/21 22:54:13
Suggest using <= sizeof(digest[0]), to avoid accid
torbjorng (webrtc)
2015/08/17 12:12:45
Done, except using sizeof(DigestType).
|
| + |
| + TestDigestHelper(digest[0], identity_rsa1_.get(), algorithm, expected_len); |
| + TestDigestHelper(digest[1], identity_rsa2_.get(), algorithm, expected_len); |
| + TestDigestHelper(digest[2], identity_ecdsa1_.get(), algorithm, |
| + expected_len); |
| + TestDigestHelper(digest[3], identity_ecdsa2_.get(), algorithm, |
| + expected_len); |
| + |
| + // Sanity check that all four digests are unique. This could theoretically |
| + // fail, since SHA256 collisions have a non-zero probability. |
| + for (int i = 0; i < 4; i++) { |
| + for (int j = 0; j < 4; j++) { |
| + if (i != j) |
| + EXPECT_NE(0, memcmp(digest[i], digest[j], expected_len)); |
| + } |
| } |
| } |
| + void TestDigestExample(const std::string& algorithm, |
|
juberti1
2015/07/21 22:54:13
I would call this TestDigestForFixedCert
torbjorng (webrtc)
2015/08/17 12:12:45
Done.
|
| + size_t expected_len, |
| + const unsigned char* expected_digest) { |
| + bool rv; |
| + DigestType digest; |
| + size_t digest_len; |
| + |
| + ASSERT_TRUE(expected_len <= 64); |
|
juberti1
2015/07/21 22:54:13
<= sizeof(digest)
torbjorng (webrtc)
2015/08/17 12:12:45
Done.
|
| + |
| + rv = test_cert_->ComputeDigest(algorithm, digest, sizeof(digest), |
| + &digest_len); |
| + EXPECT_TRUE(rv); |
| + EXPECT_EQ(expected_len, digest_len); |
| + EXPECT_EQ(0, memcmp(digest, expected_digest, expected_len)); |
| + } |
| + |
| private: |
| - rtc::scoped_ptr<SSLIdentity> identity1_; |
| - rtc::scoped_ptr<SSLIdentity> identity2_; |
| + rtc::scoped_ptr<SSLIdentity> identity_rsa1_; |
| + rtc::scoped_ptr<SSLIdentity> identity_rsa2_; |
| + rtc::scoped_ptr<SSLIdentity> identity_ecdsa1_; |
| + rtc::scoped_ptr<SSLIdentity> identity_ecdsa2_; |
| rtc::scoped_ptr<rtc::SSLCertificate> test_cert_; |
| }; |
| TEST_F(SSLIdentityTest, DigestSHA1) { |
| - TestDigest(rtc::DIGEST_SHA_1, 20, kTestCertSha1); |
| + TestDigestExample(rtc::DIGEST_SHA_1, 20, kTestCertSha1); |
|
juberti1
2015/07/21 22:54:13
I would have a call to both TestDigestForGenerated
torbjorng (webrtc)
2015/08/17 12:12:45
Using more hashes checking fixed data makes sense.
|
| } |
| // HASH_AlgSHA224 is not supported in the chromium linux build. |
| @@ -148,7 +183,7 @@ TEST_F(SSLIdentityTest, DigestSHA512) { |
| TestDigest(rtc::DIGEST_SHA_512, 64); |
| } |
| -TEST_F(SSLIdentityTest, FromPEMStrings) { |
| +TEST_F(SSLIdentityTest, FromPEMStringsRSA) { |
| static const char kRSA_PRIVATE_KEY_PEM[] = |
| "-----BEGIN RSA PRIVATE KEY-----\n" |
| "MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMYRkbhmI7kVA/rM\n" |
| @@ -186,6 +221,39 @@ TEST_F(SSLIdentityTest, FromPEMStrings) { |
| EXPECT_EQ(kCERT_PEM, identity->certificate().ToPEMString()); |
| } |
| +#if SSL_USE_OPENSSL |
| +// This will not work on NSS as PK11_ImportDERPrivateKeyInfoAndReturnKey is not |
| +// ready for EC keys. Furthermore, NSSIdentity::FromPEMStrings is currently |
| +// hardwired for RSA (the header matching via kPemTypeRsaPrivateKey needs |
| +// trivial generalization). |
| +TEST_F(SSLIdentityTest, FromPEMStringsEC) { |
| + static const char kRSA_PRIVATE_KEY_PEM[] = |
| + "-----BEGIN EC PRIVATE KEY-----\n" |
| + "MHcCAQEEIKkIztWLPbs4Y2zWv7VW2Ov4is2ifleCuPgRB8fRv3IkoAoGCCqGSM49\n" |
| + "AwEHoUQDQgAEDPV33NrhSdhg9cBRkUWUXnVMXc3h17i9ARbSmNgminKcBXb8/y8L\n" |
| + "A76cMWQPPM0ybHO8OS7ZVg2U/m+TwE1M2g==\n" |
| + "-----END EC PRIVATE KEY-----\n"; |
| + static const char kCERT_PEM[] = |
| + "-----BEGIN CERTIFICATE-----\n" |
| + "MIIB0jCCAXmgAwIBAgIJAMCjpFt9t6LMMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT\n" |
| + "AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn\n" |
| + "aXRzIFB0eSBMdGQwIBcNMTUwNjMwMTMwMTIyWhgPMjI4OTA0MTMxMzAxMjJaMEUx\n" |
| + "CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl\n" |
| + "cm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQM\n" |
| + "9Xfc2uFJ2GD1wFGRRZRedUxdzeHXuL0BFtKY2CaKcpwFdvz/LwsDvpwxZA88zTJs\n" |
| + "c7w5LtlWDZT+b5PATUzao1AwTjAdBgNVHQ4EFgQUYHq6nxNNIE832ZmaHc/noODO\n" |
| + "rtAwHwYDVR0jBBgwFoAUYHq6nxNNIE832ZmaHc/noODOrtAwDAYDVR0TBAUwAwEB\n" |
| + "/zAKBggqhkjOPQQDAgNHADBEAiAQRojsTyZG0BlKoU7gOt5h+yAMLl2cxmDtOIQr\n" |
| + "GWP/PwIgJynB4AUDsPT0DWmethOXYijB5sY5UPd9DvgmiS/Mr6s=\n" |
| + "-----END CERTIFICATE-----\n"; |
| + |
| + rtc::scoped_ptr<SSLIdentity> identity( |
| + SSLIdentity::FromPEMStrings(kRSA_PRIVATE_KEY_PEM, kCERT_PEM)); |
| + EXPECT_TRUE(identity); |
| + EXPECT_EQ(kCERT_PEM, identity->certificate().ToPEMString()); |
| +} |
| +#endif |
| + |
| TEST_F(SSLIdentityTest, PemDerConversion) { |
| std::string der; |
| EXPECT_TRUE(SSLIdentity::PemToDer("CERTIFICATE", kTestCertificate, &der)); |
