Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / webrtc / 34cdd2d402b08aee4e17a6fd38c87e0e5cd7aa30 / . / rtc_base / sslidentity_unittest.cc
blob: 7d9f82c2c60940a22c5403970186cb9cc505aa7f [file] [log] [blame]
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]1/*
2 * Copyright 2011 The WebRTC Project Authors. All rights reserved.
3 *
4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree.
9 */
10
jbauch555604a2016-04-26 03:13:22 -0700[diff] [blame]11#include <memory>
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]12#include <string>
13
Mirko Bonadei92ea95e2017-09-15 06:47:31 +0200[diff] [blame]14#include "rtc_base/fakesslidentity.h"
15#include "rtc_base/gunit.h"
16#include "rtc_base/helpers.h"
17#include "rtc_base/ssladapter.h"
18#include "rtc_base/sslfingerprint.h"
19#include "rtc_base/sslidentity.h"
20#include "rtc_base/stringutils.h"
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]21
22using rtc::SSLIdentity;
23
24const char kTestCertificate[] = "-----BEGIN CERTIFICATE-----\n"
25 "MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV\n"
26 "BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD\n"
27 "VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0\n"
28 "MjIzMTAzWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG\n"
29 "A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl\n"
30 "cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP\n"
31 "Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2//\n"
32 "Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCT0grFQeZaqYb5EYfk20XixZV4\n"
33 "GmyAbXMftG1Eo7qGiMhYzRwGNWxEYojf5PZkYZXvSqZ/ZXHXa4g59jK/rJNnaVGM\n"
34 "k+xIX8mxQvlV0n5O9PIha5BX5teZnkHKgL8aKKLKW1BK7YTngsfSzzaeame5iKfz\n"
35 "itAE+OjGF+PFKbwX8Q==\n"
36 "-----END CERTIFICATE-----\n";
37
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]38const unsigned char kTestCertSha1[] = {
39 0xA6, 0xC8, 0x59, 0xEA, 0xC3, 0x7E, 0x6D, 0x33,
40 0xCF, 0xE2, 0x69, 0x9D, 0x74, 0xE6, 0xF6, 0x8A,
41 0x9E, 0x47, 0xA7, 0xCA};
42const unsigned char kTestCertSha224[] = {
43 0xd4, 0xce, 0xc6, 0xcf, 0x28, 0xcb, 0xe9, 0x77,
44 0x38, 0x36, 0xcf, 0xb1, 0x3b, 0x4a, 0xd7, 0xbd,
45 0xae, 0x24, 0x21, 0x08, 0xcf, 0x6a, 0x44, 0x0d,
46 0x3f, 0x94, 0x2a, 0x5b};
47const unsigned char kTestCertSha256[] = {
48 0x41, 0x6b, 0xb4, 0x93, 0x47, 0x79, 0x77, 0x24,
49 0x77, 0x0b, 0x8b, 0x2e, 0xa6, 0x2b, 0xe0, 0xf9,
50 0x0a, 0xed, 0x1f, 0x31, 0xa6, 0xf7, 0x5c, 0xa1,
51 0x5a, 0xc4, 0xb0, 0xa2, 0xa4, 0x78, 0xb9, 0x76};
52const unsigned char kTestCertSha384[] = {
53 0x42, 0x31, 0x9a, 0x79, 0x1d, 0xd6, 0x08, 0xbf,
54 0x3b, 0xba, 0x36, 0xd8, 0x37, 0x4a, 0x9a, 0x75,
55 0xd3, 0x25, 0x6e, 0x28, 0x92, 0xbe, 0x06, 0xb7,
56 0xc5, 0xa0, 0x83, 0xe3, 0x86, 0xb1, 0x03, 0xfc,
57 0x64, 0x47, 0xd6, 0xd8, 0xaa, 0xd9, 0x36, 0x60,
58 0x04, 0xcc, 0xbe, 0x7d, 0x6a, 0xe8, 0x34, 0x49};
59const unsigned char kTestCertSha512[] = {
60 0x51, 0x1d, 0xec, 0x02, 0x3d, 0x51, 0x45, 0xd3,
61 0xd8, 0x1d, 0xa4, 0x9d, 0x43, 0xc9, 0xee, 0x32,
62 0x6f, 0x4f, 0x37, 0xee, 0xab, 0x3f, 0x25, 0xdf,
63 0x72, 0xfc, 0x61, 0x1a, 0xd5, 0x92, 0xff, 0x6b,
64 0x28, 0x71, 0x58, 0xb3, 0xe1, 0x8a, 0x18, 0xcf,
65 0x61, 0x33, 0x0e, 0x14, 0xc3, 0x04, 0xaa, 0x07,
66 0xf6, 0xa5, 0xda, 0xdc, 0x42, 0x42, 0x22, 0x35,
67 0xce, 0x26, 0x58, 0x4a, 0x33, 0x6d, 0xbc, 0xb6};
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]68
hbose29352b2016-08-25 03:52:38 -0700[diff] [blame]69// These PEM strings were created by generating an identity with
70// |SSLIdentity::Generate| and invoking |identity->PrivateKeyToPEMString()|,
71// |identity->PublicKeyToPEMString()| and
72// |identity->certificate().ToPEMString()|. If the crypto library is updated,
73// and the update changes the string form of the keys, these will have to be
74// updated too. The fingerprint, fingerprint algorithm and base64 certificate
75// were created by calling |identity->certificate().GetStats()|.
76static const char kRSA_PRIVATE_KEY_PEM[] =
77 "-----BEGIN PRIVATE KEY-----\n"
78 "MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMQPqDStRlYeDpkX\n"
79 "erRmv+a1naM8vSVSY0gG2plnrnofViWRW3MRqWC+020MsIj3hPZeSAnt/y/FL/nr\n"
80 "4Ea7NXcwdRo1/1xEK7U/f/cjSg1aunyvHCHwcFcMr31HLFvHr0ZgcFwbgIuFLNEl\n"
81 "7kK5HMO9APz1ntUjek8BmBj8yMl9AgMBAAECgYA8FWBC5GcNtSBcIinkZyigF0A7\n"
82 "6j081sa+J/uNz4xUuI257ZXM6biygUhhvuXK06/XoIULJfhyN0fAm1yb0HtNhiUs\n"
83 "kMOYeon6b8FqFaPjrQf7Gr9FMiIHXNK19uegTMKztXyPZoUWlX84X0iawY95x0Y3\n"
84 "73f6P2rN2UOjlVVjAQJBAOKy3l2w3Zj2w0oAJox0eMwl+RxBNt1C42SHrob2mFUT\n"
85 "rytpVVYOasr8CoDI0kjacjI94sLum+buJoXXX6YTGO0CQQDdZwlYIEkoS3ftfxPa\n"
86 "Ai0YTBzAWvHJg0r8Gk/TkHo6IM+LSsZ9ZYUv/vBe4BKLw1I4hZ+bQvBiq+f8ROtk\n"
87 "+TDRAkAPL3ghwoU1h+IRBO2QHwUwd6K2N9AbBi4BP+168O3HVSg4ujeTKigRLMzv\n"
88 "T4R2iNt5bhfQgvdCgtVlxcWMdF8JAkBwDCg3eEdt5BuyjwBt8XH+/O4ED0KUWCTH\n"
89 "x00k5dZlupsuhE5Fwe4QpzXg3gekwdnHjyCCQ/NCDHvgOMTkmhQxAkA9V03KRX9b\n"
90 "bhvEzY/fu8gEp+EzsER96/D79az5z1BaMGL5OPM2xHBPJATKlswnAa7Lp3QKGZGk\n"
91 "TxslfL18J71s\n"
92 "-----END PRIVATE KEY-----\n";
93static const char kRSA_PUBLIC_KEY_PEM[] =
94 "-----BEGIN PUBLIC KEY-----\n"
95 "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDED6g0rUZWHg6ZF3q0Zr/mtZ2j\n"
96 "PL0lUmNIBtqZZ656H1YlkVtzEalgvtNtDLCI94T2XkgJ7f8vxS/56+BGuzV3MHUa\n"
97 "Nf9cRCu1P3/3I0oNWrp8rxwh8HBXDK99Ryxbx69GYHBcG4CLhSzRJe5CuRzDvQD8\n"
98 "9Z7VI3pPAZgY/MjJfQIDAQAB\n"
99 "-----END PUBLIC KEY-----\n";
100static const char kRSA_CERT_PEM[] =
101 "-----BEGIN CERTIFICATE-----\n"
102 "MIIBnDCCAQWgAwIBAgIJAOEHLgeWYwrpMA0GCSqGSIb3DQEBCwUAMBAxDjAMBgNV\n"
103 "BAMMBXRlc3QxMB4XDTE2MDQyNDE4MTAyMloXDTE2MDUyNTE4MTAyMlowEDEOMAwG\n"
104 "A1UEAwwFdGVzdDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMQPqDStRlYe\n"
105 "DpkXerRmv+a1naM8vSVSY0gG2plnrnofViWRW3MRqWC+020MsIj3hPZeSAnt/y/F\n"
106 "L/nr4Ea7NXcwdRo1/1xEK7U/f/cjSg1aunyvHCHwcFcMr31HLFvHr0ZgcFwbgIuF\n"
107 "LNEl7kK5HMO9APz1ntUjek8BmBj8yMl9AgMBAAEwDQYJKoZIhvcNAQELBQADgYEA\n"
108 "C3ehaZFl+oEYN069C2ht/gMzuC77L854RF/x7xRtNZzkcg9TVgXXdM3auUvJi8dx\n"
109 "yTpU3ixErjQvoZew5ngXTEvTY8BSQUijJEaLWh8n6NDKRbEGTdAk8nPAmq9hdCFq\n"
110 "e3UkexqNHm3g/VxG4NUC1Y+w29ai0/Rgh+VvgbDwK+Q=\n"
111 "-----END CERTIFICATE-----\n";
112static const char kRSA_FINGERPRINT[] =
113 "3C:E8:B2:70:09:CF:A9:09:5A:F4:EF:8F:8D:8A:32:FF:EA:04:91:BA:6E:D4:17:78:16"
114 ":2A:EE:F9:9A:DD:E2:2B";
115static const char kRSA_FINGERPRINT_ALGORITHM[] =
116 "sha-256";
117static const char kRSA_BASE64_CERTIFICATE[] =
118 "MIIBnDCCAQWgAwIBAgIJAOEHLgeWYwrpMA0GCSqGSIb3DQEBCwUAMBAxDjAMBgNVBAMMBXRlc3"
119 "QxMB4XDTE2MDQyNDE4MTAyMloXDTE2MDUyNTE4MTAyMlowEDEOMAwGA1UEAwwFdGVzdDEwgZ8w"
120 "DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMQPqDStRlYeDpkXerRmv+a1naM8vSVSY0gG2plnrn"
121 "ofViWRW3MRqWC+020MsIj3hPZeSAnt/y/FL/nr4Ea7NXcwdRo1/1xEK7U/f/cjSg1aunyvHCHw"
122 "cFcMr31HLFvHr0ZgcFwbgIuFLNEl7kK5HMO9APz1ntUjek8BmBj8yMl9AgMBAAEwDQYJKoZIhv"
123 "cNAQELBQADgYEAC3ehaZFl+oEYN069C2ht/gMzuC77L854RF/x7xRtNZzkcg9TVgXXdM3auUvJ"
124 "i8dxyTpU3ixErjQvoZew5ngXTEvTY8BSQUijJEaLWh8n6NDKRbEGTdAk8nPAmq9hdCFqe3Ukex"
125 "qNHm3g/VxG4NUC1Y+w29ai0/Rgh+VvgbDwK+Q=";
126
127static const char kECDSA_PRIVATE_KEY_PEM[] =
128 "-----BEGIN PRIVATE KEY-----\n"
129 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg/AkEA2hklq7dQ2rN\n"
130 "ZxYL6hOUACL4pn7P4FYlA3ZQhIChRANCAAR7YgdO3utP/8IqVRq8G4VZKreMAxeN\n"
131 "rUa12twthv4uFjuHAHa9D9oyAjncmn+xvZZRyVmKrA56jRzENcEEHoAg\n"
132 "-----END PRIVATE KEY-----\n";
133static const char kECDSA_PUBLIC_KEY_PEM[] =
134 "-----BEGIN PUBLIC KEY-----\n"
135 "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEe2IHTt7rT//CKlUavBuFWSq3jAMX\n"
136 "ja1GtdrcLYb+LhY7hwB2vQ/aMgI53Jp/sb2WUclZiqwOeo0cxDXBBB6AIA==\n"
137 "-----END PUBLIC KEY-----\n";
138static const char kECDSA_CERT_PEM[] =
139 "-----BEGIN CERTIFICATE-----\n"
140 "MIIBFDCBu6ADAgECAgkArpkxjw62sW4wCgYIKoZIzj0EAwIwEDEOMAwGA1UEAwwF\n"
141 "dGVzdDMwHhcNMTYwNDI0MTgxNDM4WhcNMTYwNTI1MTgxNDM4WjAQMQ4wDAYDVQQD\n"
142 "DAV0ZXN0MzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHtiB07e60//wipVGrwb\n"
143 "hVkqt4wDF42tRrXa3C2G/i4WO4cAdr0P2jICOdyaf7G9llHJWYqsDnqNHMQ1wQQe\n"
144 "gCAwCgYIKoZIzj0EAwIDSAAwRQIhANyreQ/K5yuPPpirsd0e/4WGLHou6bIOSQks\n"
145 "DYzo56NmAiAKOr3u8ol3LmygbUCwEvtWrS8QcJDygxHPACo99hkekw==\n"
146 "-----END CERTIFICATE-----\n";
147static const char kECDSA_FINGERPRINT[] =
148 "9F:47:FA:88:76:3D:18:B8:00:A0:59:9D:C3:5D:34:0B:1F:B8:99:9E:68:DA:F3:A5:DA"
149 ":50:33:A9:FF:4D:31:89";
150static const char kECDSA_FINGERPRINT_ALGORITHM[] =
151 "sha-256";
152static const char kECDSA_BASE64_CERTIFICATE[] =
153 "MIIBFDCBu6ADAgECAgkArpkxjw62sW4wCgYIKoZIzj0EAwIwEDEOMAwGA1UEAwwFdGVzdDMwHh"
154 "cNMTYwNDI0MTgxNDM4WhcNMTYwNTI1MTgxNDM4WjAQMQ4wDAYDVQQDDAV0ZXN0MzBZMBMGByqG"
155 "SM49AgEGCCqGSM49AwEHA0IABHtiB07e60//wipVGrwbhVkqt4wDF42tRrXa3C2G/i4WO4cAdr"
156 "0P2jICOdyaf7G9llHJWYqsDnqNHMQ1wQQegCAwCgYIKoZIzj0EAwIDSAAwRQIhANyreQ/K5yuP"
157 "Ppirsd0e/4WGLHou6bIOSQksDYzo56NmAiAKOr3u8ol3LmygbUCwEvtWrS8QcJDygxHPACo99h"
158 "kekw==";
159
160struct IdentityAndInfo {
161 std::unique_ptr<rtc::SSLIdentity> identity;
162 std::vector<std::string> ders;
163 std::vector<std::string> pems;
164 std::vector<std::string> fingerprints;
165};
166
167IdentityAndInfo CreateFakeIdentityAndInfoFromDers(
168 const std::vector<std::string>& ders) {
169 RTC_CHECK(!ders.empty());
170 IdentityAndInfo info;
171 info.ders = ders;
172 for (const std::string& der : ders) {
173 info.pems.push_back(rtc::SSLIdentity::DerToPem(
174 "CERTIFICATE",
175 reinterpret_cast<const unsigned char*>(der.c_str()),
176 der.length()));
177 }
178 info.identity.reset(
179 new rtc::FakeSSLIdentity(rtc::FakeSSLCertificate(info.pems)));
180 // Strip header/footer and newline characters of PEM strings.
181 for (size_t i = 0; i < info.pems.size(); ++i) {
182 rtc::replace_substrs("-----BEGIN CERTIFICATE-----", 27,
183 "", 0, &info.pems[i]);
184 rtc::replace_substrs("-----END CERTIFICATE-----", 25,
185 "", 0, &info.pems[i]);
186 rtc::replace_substrs("\n", 1,
187 "", 0, &info.pems[i]);
188 }
189 // Fingerprint of leaf certificate.
190 std::unique_ptr<rtc::SSLFingerprint> fp(
191 rtc::SSLFingerprint::Create("sha-1", &info.identity->certificate()));
192 EXPECT_TRUE(fp);
193 info.fingerprints.push_back(fp->GetRfc4572Fingerprint());
194 // Fingerprints of the rest of the chain.
195 std::unique_ptr<rtc::SSLCertChain> chain =
196 info.identity->certificate().GetChain();
197 if (chain) {
198 for (size_t i = 0; i < chain->GetSize(); i++) {
199 fp.reset(rtc::SSLFingerprint::Create("sha-1", &chain->Get(i)));
200 EXPECT_TRUE(fp);
201 info.fingerprints.push_back(fp->GetRfc4572Fingerprint());
202 }
203 }
204 EXPECT_EQ(info.ders.size(), info.fingerprints.size());
205 return info;
206}
207
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]208class SSLIdentityTest : public testing::Test {
209 public:
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]210 SSLIdentityTest() {}
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]211
212 ~SSLIdentityTest() {
213 }
214
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]215 virtual void SetUp() {
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]216 identity_rsa1_.reset(SSLIdentity::Generate("test1", rtc::KT_RSA));
217 identity_rsa2_.reset(SSLIdentity::Generate("test2", rtc::KT_RSA));
218 identity_ecdsa1_.reset(SSLIdentity::Generate("test3", rtc::KT_ECDSA));
219 identity_ecdsa2_.reset(SSLIdentity::Generate("test4", rtc::KT_ECDSA));
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]220
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]221 ASSERT_TRUE(identity_rsa1_);
222 ASSERT_TRUE(identity_rsa2_);
223 ASSERT_TRUE(identity_ecdsa1_);
224 ASSERT_TRUE(identity_ecdsa2_);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]225
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]226 test_cert_.reset(rtc::SSLCertificate::FromPEMString(kTestCertificate));
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]227 ASSERT_TRUE(test_cert_);
228 }
229
230 void TestGetSignatureDigestAlgorithm() {
231 std::string digest_algorithm;
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]232
233 ASSERT_TRUE(identity_rsa1_->certificate().GetSignatureDigestAlgorithm(
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]234 &digest_algorithm));
Joachim Bauch1b794d52015-05-12 03:32:11 +0200[diff] [blame]235 ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]236
237 ASSERT_TRUE(identity_rsa2_->certificate().GetSignatureDigestAlgorithm(
238 &digest_algorithm));
239 ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);
240
241 ASSERT_TRUE(identity_ecdsa1_->certificate().GetSignatureDigestAlgorithm(
242 &digest_algorithm));
243 ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);
244
245 ASSERT_TRUE(identity_ecdsa2_->certificate().GetSignatureDigestAlgorithm(
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]246 &digest_algorithm));
Joachim Bauch1b794d52015-05-12 03:32:11 +0200[diff] [blame]247 ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]248
249 // The test certificate has an MD5-based signature.
250 ASSERT_TRUE(test_cert_->GetSignatureDigestAlgorithm(&digest_algorithm));
251 ASSERT_EQ(rtc::DIGEST_MD5, digest_algorithm);
252 }
253
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]254 typedef unsigned char DigestType[rtc::MessageDigest::kMaxSize];
255
256 void TestDigestHelper(DigestType digest,
257 const SSLIdentity* identity,
258 const std::string& algorithm,
259 size_t expected_len) {
260 DigestType digest1;
261 size_t digest_len;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]262 bool rv;
263
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]264 memset(digest, 0, expected_len);
265 rv = identity->certificate().ComputeDigest(algorithm, digest,
266 sizeof(DigestType), &digest_len);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]267 EXPECT_TRUE(rv);
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]268 EXPECT_EQ(expected_len, digest_len);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]269
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]270 // Repeat digest computation for the identity as a sanity check.
271 memset(digest1, 0xff, expected_len);
272 rv = identity->certificate().ComputeDigest(algorithm, digest1,
273 sizeof(DigestType), &digest_len);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]274 EXPECT_TRUE(rv);
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]275 EXPECT_EQ(expected_len, digest_len);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]276
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]277 EXPECT_EQ(0, memcmp(digest, digest1, expected_len));
278 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]279
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]280 void TestDigestForGeneratedCert(const std::string& algorithm,
281 size_t expected_len) {
282 DigestType digest[4];
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]283
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]284 ASSERT_TRUE(expected_len <= sizeof(DigestType));
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]285
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]286 TestDigestHelper(digest[0], identity_rsa1_.get(), algorithm, expected_len);
287 TestDigestHelper(digest[1], identity_rsa2_.get(), algorithm, expected_len);
288 TestDigestHelper(digest[2], identity_ecdsa1_.get(), algorithm,
289 expected_len);
290 TestDigestHelper(digest[3], identity_ecdsa2_.get(), algorithm,
291 expected_len);
292
293 // Sanity check that all four digests are unique. This could theoretically
294 // fail, since cryptographic hash collisions have a non-zero probability.
295 for (int i = 0; i < 4; i++) {
296 for (int j = 0; j < 4; j++) {
297 if (i != j)
298 EXPECT_NE(0, memcmp(digest[i], digest[j], expected_len));
299 }
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]300 }
301 }
302
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]303 void TestDigestForFixedCert(const std::string& algorithm,
304 size_t expected_len,
305 const unsigned char* expected_digest) {
306 bool rv;
307 DigestType digest;
308 size_t digest_len;
309
310 ASSERT_TRUE(expected_len <= sizeof(DigestType));
311
312 rv = test_cert_->ComputeDigest(algorithm, digest, sizeof(digest),
313 &digest_len);
314 EXPECT_TRUE(rv);
315 EXPECT_EQ(expected_len, digest_len);
316 EXPECT_EQ(0, memcmp(digest, expected_digest, expected_len));
317 }
318
hbos6b470a92016-04-28 05:14:21 -0700[diff] [blame]319 void TestCloningIdentity(const SSLIdentity& identity) {
320 // Convert |identity| to PEM strings and create a new identity by converting
321 // back from the string format.
322 std::string priv_pem = identity.PrivateKeyToPEMString();
323 std::string publ_pem = identity.PublicKeyToPEMString();
324 std::string cert_pem = identity.certificate().ToPEMString();
325 std::unique_ptr<SSLIdentity> clone(
326 SSLIdentity::FromPEMStrings(priv_pem, cert_pem));
327 EXPECT_TRUE(clone);
328
329 // Make sure the clone is identical to the original.
330 EXPECT_TRUE(identity == *clone);
331 ASSERT_EQ(identity.certificate().CertificateExpirationTime(),
332 clone->certificate().CertificateExpirationTime());
333
334 // At this point we are confident that the identities are identical. To be
335 // extra sure, we compare PEM strings of the clone with the original. Note
336 // that the PEM strings of two identities are not strictly guaranteed to be
337 // equal (they describe structs whose members could be listed in a different
338 // order, for example). But because the same function is used to produce
339 // both PEMs, its a good enough bet that this comparison will work. If the
340 // assumption stops holding in the future we can always remove this from the
341 // unittest.
342 std::string clone_priv_pem = clone->PrivateKeyToPEMString();
343 std::string clone_publ_pem = clone->PublicKeyToPEMString();
344 std::string clone_cert_pem = clone->certificate().ToPEMString();
345 ASSERT_EQ(priv_pem, clone_priv_pem);
346 ASSERT_EQ(publ_pem, clone_publ_pem);
347 ASSERT_EQ(cert_pem, clone_cert_pem);
348 }
349
350 protected:
jbauch555604a2016-04-26 03:13:22 -0700[diff] [blame]351 std::unique_ptr<SSLIdentity> identity_rsa1_;
352 std::unique_ptr<SSLIdentity> identity_rsa2_;
353 std::unique_ptr<SSLIdentity> identity_ecdsa1_;
354 std::unique_ptr<SSLIdentity> identity_ecdsa2_;
355 std::unique_ptr<rtc::SSLCertificate> test_cert_;
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]356};
357
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]358TEST_F(SSLIdentityTest, FixedDigestSHA1) {
359 TestDigestForFixedCert(rtc::DIGEST_SHA_1, 20, kTestCertSha1);
360}
361
362// HASH_AlgSHA224 is not supported in the chromium linux build.
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]363TEST_F(SSLIdentityTest, FixedDigestSHA224) {
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]364 TestDigestForFixedCert(rtc::DIGEST_SHA_224, 28, kTestCertSha224);
365}
366
367TEST_F(SSLIdentityTest, FixedDigestSHA256) {
368 TestDigestForFixedCert(rtc::DIGEST_SHA_256, 32, kTestCertSha256);
369}
370
371TEST_F(SSLIdentityTest, FixedDigestSHA384) {
372 TestDigestForFixedCert(rtc::DIGEST_SHA_384, 48, kTestCertSha384);
373}
374
375TEST_F(SSLIdentityTest, FixedDigestSHA512) {
376 TestDigestForFixedCert(rtc::DIGEST_SHA_512, 64, kTestCertSha512);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]377}
378
379// HASH_AlgSHA224 is not supported in the chromium linux build.
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]380TEST_F(SSLIdentityTest, DigestSHA224) {
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]381 TestDigestForGeneratedCert(rtc::DIGEST_SHA_224, 28);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]382}
383
384TEST_F(SSLIdentityTest, DigestSHA256) {
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]385 TestDigestForGeneratedCert(rtc::DIGEST_SHA_256, 32);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]386}
387
388TEST_F(SSLIdentityTest, DigestSHA384) {
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]389 TestDigestForGeneratedCert(rtc::DIGEST_SHA_384, 48);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]390}
391
392TEST_F(SSLIdentityTest, DigestSHA512) {
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]393 TestDigestForGeneratedCert(rtc::DIGEST_SHA_512, 64);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]394}
395
hbos6b470a92016-04-28 05:14:21 -0700[diff] [blame]396TEST_F(SSLIdentityTest, IdentityComparison) {
397 EXPECT_TRUE(*identity_rsa1_ == *identity_rsa1_);
398 EXPECT_FALSE(*identity_rsa1_ == *identity_rsa2_);
399 EXPECT_FALSE(*identity_rsa1_ == *identity_ecdsa1_);
400 EXPECT_FALSE(*identity_rsa1_ == *identity_ecdsa2_);
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]401
hbos6b470a92016-04-28 05:14:21 -0700[diff] [blame]402 EXPECT_TRUE(*identity_rsa2_ == *identity_rsa2_);
403 EXPECT_FALSE(*identity_rsa2_ == *identity_ecdsa1_);
404 EXPECT_FALSE(*identity_rsa2_ == *identity_ecdsa2_);
405
406 EXPECT_TRUE(*identity_ecdsa1_ == *identity_ecdsa1_);
407 EXPECT_FALSE(*identity_ecdsa1_ == *identity_ecdsa2_);
408}
409
410TEST_F(SSLIdentityTest, FromPEMStringsRSA) {
jbauch555604a2016-04-26 03:13:22 -0700[diff] [blame]411 std::unique_ptr<SSLIdentity> identity(
hbose29352b2016-08-25 03:52:38 -0700[diff] [blame]412 SSLIdentity::FromPEMStrings(kRSA_PRIVATE_KEY_PEM, kRSA_CERT_PEM));
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]413 EXPECT_TRUE(identity);
hbos6b470a92016-04-28 05:14:21 -0700[diff] [blame]414 EXPECT_EQ(kRSA_PRIVATE_KEY_PEM, identity->PrivateKeyToPEMString());
415 EXPECT_EQ(kRSA_PUBLIC_KEY_PEM, identity->PublicKeyToPEMString());
hbose29352b2016-08-25 03:52:38 -0700[diff] [blame]416 EXPECT_EQ(kRSA_CERT_PEM, identity->certificate().ToPEMString());
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]417}
418
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]419TEST_F(SSLIdentityTest, FromPEMStringsEC) {
jbauch555604a2016-04-26 03:13:22 -0700[diff] [blame]420 std::unique_ptr<SSLIdentity> identity(
hbose29352b2016-08-25 03:52:38 -0700[diff] [blame]421 SSLIdentity::FromPEMStrings(kECDSA_PRIVATE_KEY_PEM, kECDSA_CERT_PEM));
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]422 EXPECT_TRUE(identity);
hbos6b470a92016-04-28 05:14:21 -0700[diff] [blame]423 EXPECT_EQ(kECDSA_PRIVATE_KEY_PEM, identity->PrivateKeyToPEMString());
424 EXPECT_EQ(kECDSA_PUBLIC_KEY_PEM, identity->PublicKeyToPEMString());
hbose29352b2016-08-25 03:52:38 -0700[diff] [blame]425 EXPECT_EQ(kECDSA_CERT_PEM, identity->certificate().ToPEMString());
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]426}
Torbjorn Granlundb6d4ec42015-08-17 14:08:59 +0200[diff] [blame]427
hbos6b470a92016-04-28 05:14:21 -0700[diff] [blame]428TEST_F(SSLIdentityTest, CloneIdentityRSA) {
429 TestCloningIdentity(*identity_rsa1_);
430 TestCloningIdentity(*identity_rsa2_);
431}
432
433TEST_F(SSLIdentityTest, CloneIdentityECDSA) {
434 TestCloningIdentity(*identity_ecdsa1_);
435 TestCloningIdentity(*identity_ecdsa2_);
436}
437
henrike@webrtc.orgf0488722014-05-13 18:00:26 +0000[diff] [blame]438TEST_F(SSLIdentityTest, PemDerConversion) {
439 std::string der;
440 EXPECT_TRUE(SSLIdentity::PemToDer("CERTIFICATE", kTestCertificate, &der));
441
442 EXPECT_EQ(kTestCertificate, SSLIdentity::DerToPem(
443 "CERTIFICATE",
444 reinterpret_cast<const unsigned char*>(der.data()), der.length()));
445}
446
447TEST_F(SSLIdentityTest, GetSignatureDigestAlgorithm) {
448 TestGetSignatureDigestAlgorithm();
449}
Torbjorn Granlund46c9cc02015-12-01 13:06:34 +0100[diff] [blame]450
hbose29352b2016-08-25 03:52:38 -0700[diff] [blame]451TEST_F(SSLIdentityTest, SSLCertificateGetStatsRSA) {
452 std::unique_ptr<SSLIdentity> identity(
453 SSLIdentity::FromPEMStrings(kRSA_PRIVATE_KEY_PEM, kRSA_CERT_PEM));
454 std::unique_ptr<rtc::SSLCertificateStats> stats =
455 identity->certificate().GetStats();
456 EXPECT_EQ(stats->fingerprint, kRSA_FINGERPRINT);
457 EXPECT_EQ(stats->fingerprint_algorithm, kRSA_FINGERPRINT_ALGORITHM);
458 EXPECT_EQ(stats->base64_certificate, kRSA_BASE64_CERTIFICATE);
459 EXPECT_FALSE(stats->issuer);
460}
461
462TEST_F(SSLIdentityTest, SSLCertificateGetStatsECDSA) {
463 std::unique_ptr<SSLIdentity> identity(
464 SSLIdentity::FromPEMStrings(kECDSA_PRIVATE_KEY_PEM, kECDSA_CERT_PEM));
465 std::unique_ptr<rtc::SSLCertificateStats> stats =
466 identity->certificate().GetStats();
467 EXPECT_EQ(stats->fingerprint, kECDSA_FINGERPRINT);
468 EXPECT_EQ(stats->fingerprint_algorithm, kECDSA_FINGERPRINT_ALGORITHM);
469 EXPECT_EQ(stats->base64_certificate, kECDSA_BASE64_CERTIFICATE);
470 EXPECT_FALSE(stats->issuer);
471}
472
473TEST_F(SSLIdentityTest, SSLCertificateGetStatsWithChain) {
474 std::vector<std::string> ders;
475 ders.push_back("every der results in");
476 ders.push_back("an identity + certificate");
477 ders.push_back("in a certificate chain");
478 IdentityAndInfo info = CreateFakeIdentityAndInfoFromDers(ders);
479 EXPECT_TRUE(info.identity);
480 EXPECT_EQ(info.ders, ders);
481 EXPECT_EQ(info.pems.size(), info.ders.size());
482 EXPECT_EQ(info.fingerprints.size(), info.ders.size());
483
484 std::unique_ptr<rtc::SSLCertificateStats> first_stats =
485 info.identity->certificate().GetStats();
486 rtc::SSLCertificateStats* cert_stats = first_stats.get();
487 for (size_t i = 0; i < info.ders.size(); ++i) {
488 EXPECT_EQ(cert_stats->fingerprint, info.fingerprints[i]);
489 EXPECT_EQ(cert_stats->fingerprint_algorithm, "sha-1");
490 EXPECT_EQ(cert_stats->base64_certificate, info.pems[i]);
491 cert_stats = cert_stats->issuer.get();
492 EXPECT_EQ(static_cast<bool>(cert_stats), i + 1 < info.ders.size());
493 }
494}
495
Torbjorn Granlund46c9cc02015-12-01 13:06:34 +0100[diff] [blame]496class SSLIdentityExpirationTest : public testing::Test {
497 public:
498 SSLIdentityExpirationTest() {
499 // Set use of the test RNG to get deterministic expiration timestamp.
500 rtc::SetRandomTestMode(true);
501 }
502 ~SSLIdentityExpirationTest() {
503 // Put it back for the next test.
504 rtc::SetRandomTestMode(false);
505 }
506
507 void TestASN1TimeToSec() {
508 struct asn_example {
509 const char* string;
510 bool long_format;
511 int64_t want;
512 } static const data[] = {
513 // Valid examples.
514 {"19700101000000Z", true, 0},
515 {"700101000000Z", false, 0},
516 {"19700101000001Z", true, 1},
517 {"700101000001Z", false, 1},
518 {"19700101000100Z", true, 60},
519 {"19700101000101Z", true, 61},
520 {"19700101010000Z", true, 3600},
521 {"19700101010001Z", true, 3601},
522 {"19700101010100Z", true, 3660},
523 {"19700101010101Z", true, 3661},
524 {"710911012345Z", false, 53400225},
525 {"20000101000000Z", true, 946684800},
526 {"20000101000000Z", true, 946684800},
527 {"20151130140156Z", true, 1448892116},
528 {"151130140156Z", false, 1448892116},
529 {"20491231235959Z", true, 2524607999},
530 {"491231235959Z", false, 2524607999},
531 {"20500101000000Z", true, 2524607999+1},
532 {"20700101000000Z", true, 3155760000},
533 {"21000101000000Z", true, 4102444800},
534 {"24000101000000Z", true, 13569465600},
535
536 // Invalid examples.
537 {"19700101000000", true, -1}, // missing Z long format
538 {"19700101000000X", true, -1}, // X instead of Z long format
539 {"197001010000000", true, -1}, // 0 instead of Z long format
540 {"1970010100000000Z", true, -1}, // excess digits long format
541 {"700101000000", false, -1}, // missing Z short format
542 {"700101000000X", false, -1}, // X instead of Z short format
543 {"7001010000000", false, -1}, // 0 instead of Z short format
544 {"70010100000000Z", false, -1}, // excess digits short format
545 {":9700101000000Z", true, -1}, // invalid character
546 {"1:700101000001Z", true, -1}, // invalid character
547 {"19:00101000100Z", true, -1}, // invalid character
548 {"197:0101000101Z", true, -1}, // invalid character
549 {"1970:101010000Z", true, -1}, // invalid character
550 {"19700:01010001Z", true, -1}, // invalid character
551 {"197001:1010100Z", true, -1}, // invalid character
552 {"1970010:010101Z", true, -1}, // invalid character
553 {"70010100:000Z", false, -1}, // invalid character
554 {"700101000:01Z", false, -1}, // invalid character
555 {"2000010100:000Z", true, -1}, // invalid character
556 {"21000101000:00Z", true, -1}, // invalid character
557 {"240001010000:0Z", true, -1}, // invalid character
558 {"500101000000Z", false, -1}, // but too old for epoch
559 {"691231235959Z", false, -1}, // too old for epoch
560 {"19611118043000Z", false, -1}, // way too old for epoch
561 };
562
563 unsigned char buf[20];
564
565 // Run all examples and check for the expected result.
566 for (const auto& entry : data) {
567 size_t length = strlen(entry.string);
568 memcpy(buf, entry.string, length); // Copy the ASN1 string...
569 buf[length] = rtc::CreateRandomId(); // ...and terminate it with junk.
570 int64_t res = rtc::ASN1TimeToSec(buf, length, entry.long_format);
571 LOG(LS_VERBOSE) << entry.string;
572 ASSERT_EQ(entry.want, res);
573 }
574 // Run all examples again, but with an invalid length.
575 for (const auto& entry : data) {
576 size_t length = strlen(entry.string);
577 memcpy(buf, entry.string, length); // Copy the ASN1 string...
578 buf[length] = rtc::CreateRandomId(); // ...and terminate it with junk.
579 int64_t res = rtc::ASN1TimeToSec(buf, length - 1, entry.long_format);
580 LOG(LS_VERBOSE) << entry.string;
581 ASSERT_EQ(-1, res);
582 }
583 }
584
585 void TestExpireTime(int times) {
torbjornge8dc0812016-02-15 09:35:54 -0800[diff] [blame]586 // We test just ECDSA here since what we're out to exercise is the
587 // interfaces for expiration setting and reading.
Torbjorn Granlund46c9cc02015-12-01 13:06:34 +0100[diff] [blame]588 for (int i = 0; i < times; i++) {
Torbjorn Granlund46c9cc02015-12-01 13:06:34 +0100[diff] [blame]589 // We limit the time to < 2^31 here, i.e., we stay before 2038, since else
590 // we hit time offset limitations in OpenSSL on some 32-bit systems.
Taylor Brandstetter88dec832016-03-15 09:57:55 -0700[diff] [blame]591 time_t time_before_generation = time(nullptr);
592 time_t lifetime =
593 rtc::CreateRandomId() % (0x80000000 - time_before_generation);
torbjornge8dc0812016-02-15 09:35:54 -0800[diff] [blame]594 rtc::KeyParams key_params = rtc::KeyParams::ECDSA(rtc::EC_NIST_P256);
595 SSLIdentity* identity =
Torbjorn Granlund1d846b22016-03-31 16:21:04 +0200[diff] [blame]596 rtc::SSLIdentity::GenerateWithExpiration("", key_params, lifetime);
Taylor Brandstetter88dec832016-03-15 09:57:55 -0700[diff] [blame]597 time_t time_after_generation = time(nullptr);
598 EXPECT_LE(time_before_generation + lifetime,
599 identity->certificate().CertificateExpirationTime());
600 EXPECT_GE(time_after_generation + lifetime,
Torbjorn Granlund46c9cc02015-12-01 13:06:34 +0100[diff] [blame]601 identity->certificate().CertificateExpirationTime());
602 delete identity;
603 }
604 }
605};
606
607TEST_F(SSLIdentityExpirationTest, TestASN1TimeToSec) {
608 TestASN1TimeToSec();
609}
610
611TEST_F(SSLIdentityExpirationTest, TestExpireTime) {
612 TestExpireTime(500);
613}