1 // Copyright 2020 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "quiche/quic/core/crypto/proof_source_x509.h"
6
7 #include <memory>
8
9 #include "absl/strings/string_view.h"
10 #include "openssl/ssl.h"
11 #include "quiche/quic/core/crypto/certificate_view.h"
12 #include "quiche/quic/core/crypto/proof_source.h"
13 #include "quiche/quic/platform/api/quic_expect_bug.h"
14 #include "quiche/quic/platform/api/quic_ip_address.h"
15 #include "quiche/quic/platform/api/quic_socket_address.h"
16 #include "quiche/quic/platform/api/quic_test.h"
17 #include "quiche/quic/test_tools/test_certificates.h"
18 #include "quiche/common/platform/api/quiche_reference_counted.h"
19
20 namespace quic {
21 namespace test {
22 namespace {
23
// Builds a reference-counted ProofSource::Chain holding exactly one DER
// certificate. The chain stores its own copy of |cert|, so the string_view
// passed in does not need to outlive the returned pointer.
quiche::QuicheReferenceCountedPointer<ProofSource::Chain> MakeChain(
    absl::string_view cert) {
  std::vector<std::string> certs;
  certs.push_back(std::string(cert));
  // QuicheReferenceCountedPointer takes ownership of the raw allocation.
  auto* chain = new ProofSource::Chain(std::move(certs));
  return quiche::QuicheReferenceCountedPointer<ProofSource::Chain>(chain);
}
29
// Shared fixture for the ProofSourceX509 tests: one plain certificate chain
// and one wildcard chain, each paired with the private key that matches it.
// Every test gets freshly loaded keys, because the tests move the keys into
// the proof source under test.
class ProofSourceX509Test : public QuicTest {
 public:
  ProofSourceX509Test()
      : test_chain_(MakeChain(kTestCertificate)),
        wildcard_chain_(MakeChain(kWildcardCertificate)),
        test_key_(
            CertificatePrivateKey::LoadFromDer(kTestCertificatePrivateKey)),
        wildcard_key_(CertificatePrivateKey::LoadFromDer(
            kWildcardCertificatePrivateKey)) {
    // A key that fails to parse would otherwise surface later as a null
    // dereference inside a test body, so fail loudly here instead.
    QUICHE_CHECK(test_key_ != nullptr);
    QUICHE_CHECK(wildcard_key_ != nullptr);
  }

 protected:
  // Chain whose leaf is kTestCertificate (the proof source's default chain).
  quiche::QuicheReferenceCountedPointer<ProofSource::Chain> test_chain_;
  // Chain whose leaf is kWildcardCertificate.
  quiche::QuicheReferenceCountedPointer<ProofSource::Chain> wildcard_chain_;
  // Private key matching kTestCertificate.
  std::unique_ptr<CertificatePrivateKey> test_key_;
  // Private key matching kWildcardCertificate.
  std::unique_ptr<CertificatePrivateKey> wildcard_key_;
};
48
// A proof source created with one chain accepts a second chain whose key
// matches its leaf certificate.
TEST_F(ProofSourceX509Test, AddCertificates) {
  auto proof_source =
      ProofSourceX509::Create(test_chain_, std::move(*test_key_));
  ASSERT_NE(proof_source, nullptr);

  const bool added =
      proof_source->AddCertificateChain(wildcard_chain_,
                                        std::move(*wildcard_key_));
  EXPECT_TRUE(added);
}
56
// Adding a chain together with a private key that does not belong to its leaf
// certificate must be rejected: serving such a pair would leave the server
// unable to produce a signature the client can verify against that chain.
TEST_F(ProofSourceX509Test, AddCertificateKeyMismatch) {
  auto proof_source =
      ProofSourceX509::Create(test_chain_, std::move(*test_key_));
  ASSERT_NE(proof_source, nullptr);

  // test_key_ was moved into Create(); reload the same (non-wildcard) key so
  // it can be offered alongside the wildcard chain.
  test_key_ = CertificatePrivateKey::LoadFromDer(kTestCertificatePrivateKey);
  EXPECT_QUIC_BUG((void)proof_source->AddCertificateChain(
                      wildcard_chain_, std::move(*test_key_)),
                  "Private key does not match");
}
66
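// Checks which chain the proof source selects for a given SNI hostname, and
// whether it reports the selection as an SNI match or as a fallback to the
// default chain. The repeated lookup is factored into a helper so each case
// is one line and a failure is attributed to its hostname via SCOPED_TRACE.
TEST_F(ProofSourceX509Test, CertificateSelection) {
  std::unique_ptr<ProofSourceX509> proof_source =
      ProofSourceX509::Create(test_chain_, std::move(*test_key_));
  ASSERT_TRUE(proof_source != nullptr);
  ASSERT_TRUE(proof_source->AddCertificateChain(wildcard_chain_,
                                                std::move(*wildcard_key_)));

  // Looks up |hostname| and verifies the leaf certificate of the returned
  // chain and the SNI-match flag. Asserting on a null/empty chain up front
  // turns a would-be crash into a reported test failure.
  auto expect_selection = [&proof_source](const std::string& hostname,
                                          absl::string_view expected_cert,
                                          bool expected_sni_match) {
    SCOPED_TRACE(hostname);
    bool cert_matched_sni = false;
    quiche::QuicheReferenceCountedPointer<ProofSource::Chain> chain =
        proof_source->GetCertChain(QuicSocketAddress(), QuicSocketAddress(),
                                   hostname, &cert_matched_sni);
    ASSERT_TRUE(chain != nullptr);
    ASSERT_FALSE(chain->certs.empty());
    EXPECT_EQ(chain->certs[0], expected_cert);
    EXPECT_EQ(cert_matched_sni, expected_sni_match);
  };

  // Unknown name: default chain, and the caller is told it was not an SNI
  // match.
  expect_selection("unknown.test", kTestCertificate, false);
  // mail.example.org is explicitly a SubjectAltName in kTestCertificate.
  expect_selection("mail.example.org", kTestCertificate, true);
  // www.foo.test is in kWildcardCertificate.
  expect_selection("www.foo.test", kWildcardCertificate, true);
  // *.wildcard.test is in kWildcardCertificate and covers one label.
  expect_selection("www.wildcard.test", kWildcardCertificate, true);
  expect_selection("etc.wildcard.test", kWildcardCertificate, true);
  // wildcard.test itself is not covered by *.wildcard.test, so the default
  // chain is served and the lookup is reported as a non-match.
  expect_selection("wildcard.test", kTestCertificate, false);
}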
117
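// ComputeTlsSignature() must produce a signature that verifies under the
// default chain's leaf certificate with the requested signature scheme. The
// callback also records that it ran, so a proof source that never invokes
// its callback cannot make this test pass vacuously.
TEST_F(ProofSourceX509Test, TlsSignature) {
  class Callback : public ProofSource::SignatureCallback {
   public:
    // |called| must outlive the callback; it is set to true from Run().
    explicit Callback(bool* called) : called_(called) {}

    void Run(bool ok, std::string signature,
             std::unique_ptr<ProofSource::Details> /*details*/) override {
      *called_ = true;
      ASSERT_TRUE(ok);
      std::unique_ptr<CertificateView> view =
          CertificateView::ParseSingleCertificate(kTestCertificate);
      ASSERT_TRUE(view != nullptr);
      // Verify with the certificate's own public key and the scheme that was
      // requested; a signature that only verifies some other way is one the
      // peer would reject.
      EXPECT_TRUE(view->VerifySignature("Test data", signature,
                                        SSL_SIGN_RSA_PSS_RSAE_SHA256));
    }

   private:
    bool* called_;
  };

  std::unique_ptr<ProofSourceX509> proof_source =
      ProofSourceX509::Create(test_chain_, std::move(*test_key_));
  ASSERT_TRUE(proof_source != nullptr);

  bool callback_called = false;
  proof_source->ComputeTlsSignature(
      QuicSocketAddress(), QuicSocketAddress(), "example.com",
      SSL_SIGN_RSA_PSS_RSAE_SHA256, "Test data",
      std::make_unique<Callback>(&callback_called));
  // This test expects the callback to have run by the time
  // ComputeTlsSignature() returns; if signing is ever made asynchronous, this
  // check needs to wait for completion rather than be removed.
  EXPECT_TRUE(callback_called);
}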
139
140 } // namespace
141 } // namespace test
142 } // namespace quic
143