1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/quic/test_tools/crypto_test_utils.h" 6 7 #include <openssl/bn.h> 8 #include <openssl/ec.h> 9 #include <openssl/ecdsa.h> 10 #include <openssl/evp.h> 11 #include <openssl/obj_mac.h> 12 #include <openssl/sha.h> 13 14 #include "crypto/openssl_util.h" 15 #include "crypto/secure_hash.h" 16 #include "net/quic/crypto/channel_id.h" 17 18 using base::StringPiece; 19 using std::string; 20 21 namespace { 22 23 void EvpMdCtxCleanUp(EVP_MD_CTX* ctx) { 24 (void)EVP_MD_CTX_cleanup(ctx); 25 } 26 27 } // namespace anonymous 28 29 namespace net { 30 31 namespace test { 32 33 class TestChannelIDKey : public ChannelIDKey { 34 public: 35 explicit TestChannelIDKey(EVP_PKEY* ecdsa_key) : ecdsa_key_(ecdsa_key) {} 36 virtual ~TestChannelIDKey() OVERRIDE {} 37 38 // ChannelIDKey implementation. 39 40 virtual bool Sign(StringPiece signed_data, 41 string* out_signature) const OVERRIDE { 42 EVP_MD_CTX md_ctx; 43 EVP_MD_CTX_init(&md_ctx); 44 crypto::ScopedOpenSSL<EVP_MD_CTX, EvpMdCtxCleanUp> 45 md_ctx_cleanup(&md_ctx); 46 47 if (EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, 48 ecdsa_key_.get()) != 1) { 49 return false; 50 } 51 52 EVP_DigestUpdate(&md_ctx, ChannelIDVerifier::kContextStr, 53 strlen(ChannelIDVerifier::kContextStr) + 1); 54 EVP_DigestUpdate(&md_ctx, ChannelIDVerifier::kClientToServerStr, 55 strlen(ChannelIDVerifier::kClientToServerStr) + 1); 56 EVP_DigestUpdate(&md_ctx, signed_data.data(), signed_data.size()); 57 58 size_t sig_len; 59 if (!EVP_DigestSignFinal(&md_ctx, NULL, &sig_len)) { 60 return false; 61 } 62 63 scoped_ptr<uint8[]> der_sig(new uint8[sig_len]); 64 if (!EVP_DigestSignFinal(&md_ctx, der_sig.get(), &sig_len)) { 65 return false; 66 } 67 68 uint8* derp = der_sig.get(); 69 crypto::ScopedOpenSSL<ECDSA_SIG, ECDSA_SIG_free> sig( 70 d2i_ECDSA_SIG(NULL, const_cast<const uint8**>(&derp), sig_len)); 71 if (sig.get() == NULL) { 72 return false; 73 } 74 75 // The signature consists of a pair of 32-byte numbers. 76 static const size_t kSignatureLength = 32 * 2; 77 scoped_ptr<uint8[]> signature(new uint8[kSignatureLength]); 78 memset(signature.get(), 0, kSignatureLength); 79 BN_bn2bin(sig.get()->r, signature.get() + 32 - BN_num_bytes(sig.get()->r)); 80 BN_bn2bin(sig.get()->s, signature.get() + 64 - BN_num_bytes(sig.get()->s)); 81 82 *out_signature = string(reinterpret_cast<char*>(signature.get()), 83 kSignatureLength); 84 85 return true; 86 } 87 88 virtual string SerializeKey() const OVERRIDE { 89 // i2d_PublicKey will produce an ANSI X9.62 public key which, for a P-256 90 // key, is 0x04 (meaning uncompressed) followed by the x and y field 91 // elements as 32-byte, big-endian numbers. 92 static const int kExpectedKeyLength = 65; 93 94 int len = i2d_PublicKey(ecdsa_key_.get(), NULL); 95 if (len != kExpectedKeyLength) { 96 return ""; 97 } 98 99 uint8 buf[kExpectedKeyLength]; 100 uint8* derp = buf; 101 i2d_PublicKey(ecdsa_key_.get(), &derp); 102 103 return string(reinterpret_cast<char*>(buf + 1), kExpectedKeyLength - 1); 104 } 105 106 private: 107 crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> ecdsa_key_; 108 }; 109 110 class TestChannelIDSource : public ChannelIDSource { 111 public: 112 virtual ~TestChannelIDSource() {} 113 114 // ChannelIDSource implementation. 115 116 virtual QuicAsyncStatus GetChannelIDKey( 117 const string& hostname, 118 scoped_ptr<ChannelIDKey>* channel_id_key, 119 ChannelIDSourceCallback* /*callback*/) OVERRIDE { 120 channel_id_key->reset(new TestChannelIDKey(HostnameToKey(hostname))); 121 return QUIC_SUCCESS; 122 } 123 124 private: 125 static EVP_PKEY* HostnameToKey(const string& hostname) { 126 // In order to generate a deterministic key for a given hostname the 127 // hostname is hashed with SHA-256 and the resulting digest is treated as a 128 // big-endian number. The most-significant bit is cleared to ensure that 129 // the resulting value is less than the order of the group and then it's 130 // taken as a private key. Given the private key, the public key is 131 // calculated with a group multiplication. 132 SHA256_CTX sha256; 133 SHA256_Init(&sha256); 134 SHA256_Update(&sha256, hostname.data(), hostname.size()); 135 136 unsigned char digest[SHA256_DIGEST_LENGTH]; 137 SHA256_Final(digest, &sha256); 138 139 // Ensure that the digest is less than the order of the P-256 group by 140 // clearing the most-significant bit. 141 digest[0] &= 0x7f; 142 143 crypto::ScopedOpenSSL<BIGNUM, BN_free> k(BN_new()); 144 CHECK(BN_bin2bn(digest, sizeof(digest), k.get()) != NULL); 145 146 crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free> p256( 147 EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)); 148 CHECK(p256.get()); 149 150 crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> ecdsa_key(EC_KEY_new()); 151 CHECK(ecdsa_key.get() != NULL && 152 EC_KEY_set_group(ecdsa_key.get(), p256.get())); 153 154 crypto::ScopedOpenSSL<EC_POINT, EC_POINT_free> point( 155 EC_POINT_new(p256.get())); 156 CHECK(EC_POINT_mul(p256.get(), point.get(), k.get(), NULL, NULL, NULL)); 157 158 EC_KEY_set_private_key(ecdsa_key.get(), k.get()); 159 EC_KEY_set_public_key(ecdsa_key.get(), point.get()); 160 161 crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> pkey(EVP_PKEY_new()); 162 // EVP_PKEY_set1_EC_KEY takes a reference so no |release| here. 163 EVP_PKEY_set1_EC_KEY(pkey.get(), ecdsa_key.get()); 164 165 return pkey.release(); 166 } 167 }; 168 169 // static 170 ChannelIDSource* CryptoTestUtils::ChannelIDSourceForTesting() { 171 return new TestChannelIDSource(); 172 } 173 174 } // namespace test 175 176 } // namespace net 177