|  | // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 
|  | // Use of this source code is governed by a BSD-style license that can be | 
|  | // found in the LICENSE file. | 
|  |  | 
|  | #include "net/ssl/openssl_client_key_store.h" | 
|  |  | 
|  | #include "base/memory/ref_counted.h" | 
|  | #include "crypto/scoped_openssl_types.h" | 
|  | #include "net/base/test_data_directory.h" | 
|  | #include "net/test/cert_test_util.h" | 
|  | #include "testing/gtest/include/gtest/gtest.h" | 
|  |  | 
|  | namespace net { | 
|  |  | 
|  | namespace { | 
|  |  | 
|  | // Return the internal reference count of a given EVP_PKEY. | 
|  | int EVP_PKEY_get_refcount(EVP_PKEY* pkey) { | 
|  | return pkey->references; | 
|  | } | 
|  |  | 
|  | // A common test class to ensure that the store is flushed after | 
|  | // each test. | 
|  | class OpenSSLClientKeyStoreTest : public ::testing::Test { | 
|  | public: | 
|  | OpenSSLClientKeyStoreTest() | 
|  | : store_(OpenSSLClientKeyStore::GetInstance()) { | 
|  | } | 
|  |  | 
|  | ~OpenSSLClientKeyStoreTest() override { | 
|  | if (store_) | 
|  | store_->Flush(); | 
|  | } | 
|  |  | 
|  | protected: | 
|  | OpenSSLClientKeyStore* store_; | 
|  | }; | 
|  |  | 
|  | // Check that GetInstance() returns non-null | 
|  | TEST_F(OpenSSLClientKeyStoreTest, GetInstance) { | 
|  | ASSERT_TRUE(store_); | 
|  | } | 
|  |  | 
|  | // Check that Flush() works correctly. | 
|  | TEST_F(OpenSSLClientKeyStoreTest, Flush) { | 
|  | ASSERT_TRUE(store_); | 
|  |  | 
|  | scoped_refptr<X509Certificate> cert_1( | 
|  | ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem")); | 
|  | ASSERT_TRUE(cert_1.get()); | 
|  |  | 
|  | crypto::ScopedEVP_PKEY priv_key(EVP_PKEY_new()); | 
|  | ASSERT_TRUE(priv_key.get()); | 
|  |  | 
|  | ASSERT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(), | 
|  | priv_key.get())); | 
|  |  | 
|  | store_->Flush(); | 
|  |  | 
|  | // Retrieve the private key. This should fail because the store | 
|  | // was flushed. | 
|  | crypto::ScopedEVP_PKEY pkey = store_->FetchClientCertPrivateKey(cert_1.get()); | 
|  | ASSERT_FALSE(pkey.get()); | 
|  | } | 
|  |  | 
|  | // Check that trying to retrieve the private key of an unknown certificate | 
|  | // simply fails by returning null. | 
|  | TEST_F(OpenSSLClientKeyStoreTest, FetchEmptyPrivateKey) { | 
|  | ASSERT_TRUE(store_); | 
|  |  | 
|  | scoped_refptr<X509Certificate> cert_1( | 
|  | ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem")); | 
|  | ASSERT_TRUE(cert_1.get()); | 
|  |  | 
|  | // Retrieve the private key now. This should fail because it was | 
|  | // never recorded in the store. | 
|  | crypto::ScopedEVP_PKEY pkey = store_->FetchClientCertPrivateKey(cert_1.get()); | 
|  | ASSERT_FALSE(pkey.get()); | 
|  | } | 
|  |  | 
|  | // Check that any private key recorded through RecordClientCertPrivateKey | 
|  | // can be retrieved with FetchClientCertPrivateKey. | 
|  | TEST_F(OpenSSLClientKeyStoreTest, RecordAndFetchPrivateKey) { | 
|  | ASSERT_TRUE(store_); | 
|  |  | 
|  | // Any certificate / key pair will do, the store is not supposed to | 
|  | // check that the private and certificate public keys match. This is | 
|  | // by design since the private EVP_PKEY could be a wrapper around a | 
|  | // JNI reference, with no way to access the real private key bits. | 
|  | scoped_refptr<X509Certificate> cert_1( | 
|  | ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem")); | 
|  | ASSERT_TRUE(cert_1.get()); | 
|  |  | 
|  | crypto::ScopedEVP_PKEY priv_key(EVP_PKEY_new()); | 
|  | ASSERT_TRUE(priv_key.get()); | 
|  | ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key.get())); | 
|  |  | 
|  | // Add the key a first time, this should increment its reference count. | 
|  | ASSERT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(), | 
|  | priv_key.get())); | 
|  | ASSERT_EQ(2, EVP_PKEY_get_refcount(priv_key.get())); | 
|  |  | 
|  | // Two successive calls with the same certificate / private key shall | 
|  | // also succeed, but the key's reference count should not be incremented. | 
|  | ASSERT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(), | 
|  | priv_key.get())); | 
|  | ASSERT_EQ(2, EVP_PKEY_get_refcount(priv_key.get())); | 
|  |  | 
|  | // Retrieve the private key. This should increment the private key's | 
|  | // reference count. | 
|  | crypto::ScopedEVP_PKEY pkey2 = | 
|  | store_->FetchClientCertPrivateKey(cert_1.get()); | 
|  | ASSERT_EQ(pkey2.get(), priv_key.get()); | 
|  | ASSERT_EQ(3, EVP_PKEY_get_refcount(priv_key.get())); | 
|  |  | 
|  | // Flush the store explicitely, this should decrement the private | 
|  | // key's reference count. | 
|  | store_->Flush(); | 
|  | ASSERT_EQ(2, EVP_PKEY_get_refcount(priv_key.get())); | 
|  | } | 
|  |  | 
|  | // Same test, but with two certificates / private keys. | 
|  | TEST_F(OpenSSLClientKeyStoreTest, RecordAndFetchTwoPrivateKeys) { | 
|  | scoped_refptr<X509Certificate> cert_1( | 
|  | ImportCertFromFile(GetTestCertsDirectory(), "client_1.pem")); | 
|  | ASSERT_TRUE(cert_1.get()); | 
|  |  | 
|  | scoped_refptr<X509Certificate> cert_2( | 
|  | ImportCertFromFile(GetTestCertsDirectory(), "client_2.pem")); | 
|  | ASSERT_TRUE(cert_2.get()); | 
|  |  | 
|  | crypto::ScopedEVP_PKEY priv_key1(EVP_PKEY_new()); | 
|  | ASSERT_TRUE(priv_key1.get()); | 
|  | ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key1.get())); | 
|  |  | 
|  | crypto::ScopedEVP_PKEY priv_key2(EVP_PKEY_new()); | 
|  | ASSERT_TRUE(priv_key2.get()); | 
|  | ASSERT_EQ(1, EVP_PKEY_get_refcount(priv_key2.get())); | 
|  |  | 
|  | ASSERT_NE(priv_key1.get(), priv_key2.get()); | 
|  |  | 
|  | // Add the key a first time, this shall succeed, and increment the | 
|  | // reference count. | 
|  | EXPECT_TRUE(store_->RecordClientCertPrivateKey(cert_1.get(), | 
|  | priv_key1.get())); | 
|  | EXPECT_TRUE(store_->RecordClientCertPrivateKey(cert_2.get(), | 
|  | priv_key2.get())); | 
|  | EXPECT_EQ(2, EVP_PKEY_get_refcount(priv_key1.get())); | 
|  | EXPECT_EQ(2, EVP_PKEY_get_refcount(priv_key2.get())); | 
|  |  | 
|  | // Retrieve the private key now. This shall succeed and increment | 
|  | // the private key's reference count. | 
|  | crypto::ScopedEVP_PKEY fetch_key1 = | 
|  | store_->FetchClientCertPrivateKey(cert_1.get()); | 
|  | crypto::ScopedEVP_PKEY fetch_key2 = | 
|  | store_->FetchClientCertPrivateKey(cert_2.get()); | 
|  |  | 
|  | EXPECT_TRUE(fetch_key1.get()); | 
|  | EXPECT_TRUE(fetch_key2.get()); | 
|  |  | 
|  | EXPECT_EQ(fetch_key1.get(), priv_key1.get()); | 
|  | EXPECT_EQ(fetch_key2.get(), priv_key2.get()); | 
|  |  | 
|  | EXPECT_EQ(3, EVP_PKEY_get_refcount(priv_key1.get())); | 
|  | EXPECT_EQ(3, EVP_PKEY_get_refcount(priv_key2.get())); | 
|  | } | 
|  |  | 
|  | }  // namespace | 
|  | }  // namespace net |