1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/base/keygen_handler.h" 6 7 #include <string> 8 9 #include "base/base64.h" 10 #include "base/bind.h" 11 #include "base/location.h" 12 #include "base/logging.h" 13 #include "base/threading/worker_pool.h" 14 #include "base/threading/thread_restrictions.h" 15 #include "base/synchronization/waitable_event.h" 16 #include "build/build_config.h" 17 #include "testing/gtest/include/gtest/gtest.h" 18 19 #if defined(USE_NSS) 20 #include <private/pprthred.h> // PR_DetachThread 21 #include "crypto/nss_crypto_module_delegate.h" 22 #include "crypto/scoped_test_nss_db.h" 23 #endif 24 25 namespace net { 26 27 namespace { 28 29 #if defined(USE_NSS) 30 class StubCryptoModuleDelegate : public crypto::NSSCryptoModuleDelegate { 31 public: 32 explicit StubCryptoModuleDelegate(crypto::ScopedPK11Slot slot) 33 : slot_(slot.Pass()) {} 34 35 virtual std::string RequestPassword(const std::string& slot_name, 36 bool retry, 37 bool* cancelled) OVERRIDE{ 38 return std::string(); 39 } 40 41 virtual crypto::ScopedPK11Slot RequestSlot() OVERRIDE { 42 return crypto::ScopedPK11Slot(PK11_ReferenceSlot(slot_.get())); 43 } 44 45 private: 46 crypto::ScopedPK11Slot slot_; 47 }; 48 #endif 49 50 class KeygenHandlerTest : public ::testing::Test { 51 public: 52 KeygenHandlerTest() {} 53 virtual ~KeygenHandlerTest() {} 54 55 scoped_ptr<KeygenHandler> CreateKeygenHandler() { 56 scoped_ptr<KeygenHandler> handler(new KeygenHandler( 57 768, "some challenge", GURL("http://www.example.com"))); 58 #if defined(USE_NSS) 59 handler->set_crypto_module_delegate( 60 scoped_ptr<crypto::NSSCryptoModuleDelegate>( 61 new StubCryptoModuleDelegate(crypto::ScopedPK11Slot( 62 PK11_ReferenceSlot(test_nss_db_.slot()))))); 63 #endif 64 return handler.Pass(); 65 } 66 67 private: 68 #if defined(USE_NSS) 69 crypto::ScopedTestNSSDB test_nss_db_; 70 #endif 71 }; 72 73 // Assert that |result| is a valid output for KeygenHandler given challenge 74 // string of |challenge|. 75 void AssertValidSignedPublicKeyAndChallenge(const std::string& result, 76 const std::string& challenge) { 77 ASSERT_GT(result.length(), 0U); 78 79 // Verify it's valid base64: 80 std::string spkac; 81 ASSERT_TRUE(base::Base64Decode(result, &spkac)); 82 // In lieu of actually parsing and validating the DER data, 83 // just check that it exists and has a reasonable length. 84 // (It's almost always 590 bytes, but the DER encoding of the random key 85 // and signature could sometimes be a few bytes different.) 86 ASSERT_GE(spkac.length(), 200U); 87 ASSERT_LE(spkac.length(), 300U); 88 89 // NOTE: 90 // The value of |result| can be validated by prefixing 'SPKAC=' to it 91 // and piping it through 92 // openssl spkac -verify 93 // whose output should look like: 94 // Netscape SPKI: 95 // Public Key Algorithm: rsaEncryption 96 // RSA Public Key: (2048 bit) 97 // Modulus (2048 bit): 98 // 00:b6:cc:14:c9:43:b5:2d:51:65:7e:11:8b:80:9e: ..... 99 // Exponent: 65537 (0x10001) 100 // Challenge String: some challenge 101 // Signature Algorithm: md5WithRSAEncryption 102 // 92:f3:cc:ff:0b:d3:d0:4a:3a:4c:ba:ff:d6:38:7f:a5:4b:b5: ..... 103 // Signature OK 104 // 105 // The value of |spkac| can be ASN.1-parsed with: 106 // openssl asn1parse -inform DER 107 } 108 109 TEST_F(KeygenHandlerTest, SmokeTest) { 110 scoped_ptr<KeygenHandler> handler(CreateKeygenHandler()); 111 handler->set_stores_key(false); // Don't leave the key-pair behind 112 std::string result = handler->GenKeyAndSignChallenge(); 113 VLOG(1) << "KeygenHandler produced: " << result; 114 AssertValidSignedPublicKeyAndChallenge(result, "some challenge"); 115 } 116 117 void ConcurrencyTestCallback(const std::string& challenge, 118 base::WaitableEvent* event, 119 scoped_ptr<KeygenHandler> handler, 120 std::string* result) { 121 // We allow Singleton use on the worker thread here since we use a 122 // WaitableEvent to synchronize, so it's safe. 123 base::ThreadRestrictions::ScopedAllowSingleton scoped_allow_singleton; 124 handler->set_stores_key(false); // Don't leave the key-pair behind. 125 *result = handler->GenKeyAndSignChallenge(); 126 event->Signal(); 127 #if defined(USE_NSS) 128 // Detach the thread from NSPR. 129 // Calling NSS functions attaches the thread to NSPR, which stores 130 // the NSPR thread ID in thread-specific data. 131 // The threads in our thread pool terminate after we have called 132 // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets 133 // segfaults on shutdown when the threads' thread-specific data 134 // destructors run. 135 PR_DetachThread(); 136 #endif 137 } 138 139 // We asynchronously generate the keys so as not to hang up the IO thread. This 140 // test tries to catch concurrency problems in the keygen implementation. 141 TEST_F(KeygenHandlerTest, ConcurrencyTest) { 142 const int NUM_HANDLERS = 5; 143 base::WaitableEvent* events[NUM_HANDLERS] = { NULL }; 144 std::string results[NUM_HANDLERS]; 145 for (int i = 0; i < NUM_HANDLERS; i++) { 146 scoped_ptr<KeygenHandler> handler(CreateKeygenHandler()); 147 events[i] = new base::WaitableEvent(false, false); 148 base::WorkerPool::PostTask(FROM_HERE, 149 base::Bind(ConcurrencyTestCallback, 150 "some challenge", 151 events[i], 152 base::Passed(&handler), 153 &results[i]), 154 true); 155 } 156 157 for (int i = 0; i < NUM_HANDLERS; i++) { 158 // Make sure the job completed 159 events[i]->Wait(); 160 delete events[i]; 161 events[i] = NULL; 162 163 VLOG(1) << "KeygenHandler " << i << " produced: " << results[i]; 164 AssertValidSignedPublicKeyAndChallenge(results[i], "some challenge"); 165 } 166 } 167 168 } // namespace 169 170 } // namespace net 171
