Commit bba56ef1 authored by David Benjamin, committed by Commit Bot

Switch a bunch of SSLClientSocket tests to EmbeddedTestServer

The tests which require configuring fine-grained test server behavior
or, worse, bugs will be harder to resolve (maybe it's time to implement
a barebones MockSSLServer in BoringSSL), but a lot of them can use
EmbeddedTestServer easily.

Since EmbeddedTestServer now pulls in TLS 1.3 which is vastly different
from TLS 1.2, I've made most tests parameterized by version just to be a
bit more thorough in testing.

Bug: 492672
Change-Id: I87232d82d1c3a6f70099976fe4629457856b9f37
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1874247
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Commit-Queue: David Benjamin <davidben@chromium.org>
Cr-Commit-Position: refs/heads/master@{#710405}
parent 47a61042
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15821419482712091348 (0xdb90f931ad7faad4)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=C CA
Serial Number:
7d:19:e5:55:d1:85:7c:54:62:f6:56:00:7a:cf:78:a9:38:29:81:ff
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = C CA
Validity
Not Before: Aug 14 02:47:11 2014 GMT
Not After : Aug 11 02:47:11 2024 GMT
Subject: CN=C CA
Not Before: Oct 18 22:24:10 2019 GMT
Not After : Oct 15 22:24:10 2029 GMT
Subject: CN = C CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
08:C0:24:F4:0D:BB:C2:01:35:30:BA:2C:41:96:6B:16:DB:F8:22:F5
63:B1:47:26:FC:DB:79:3F:76:96:69:4D:EA:7E:D0:B7:6A:D2:3F:A8
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption
......@@ -135,12 +135,15 @@ CA_COMMON_NAME="B CA" \
-out out/A.pem \
-config redundant-ca.cnf
# EmbeddedTestServer only supports PKCS#8 format.
try openssl pkcs8 -topk8 -nocrypt -in out/A.key -out out/A-pkcs8.key
echo Create redundant-server-chain.pem
try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
try /bin/sh -c "cat out/A-pkcs8.key out/A.pem out/B.pem out/C.pem out/D.pem \
> ../certificates/redundant-server-chain.pem"
echo Create redundant-validated-chain.pem
try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C2.pem \
try /bin/sh -c "cat out/A-pkcs8.key out/A.pem out/B.pem out/C2.pem \
> ../certificates/redundant-validated-chain.pem"
echo Create redundant-validated-chain-root.pem
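Review bot: The switch from out/A.key to out/A-pkcs8.key in the two cat commands changes the key encoding inside redundant-server-chain.pem and redundant-validated-chain.pem for every reader of those files, but the comment above the openssl pkcs8 step only explains the EmbeddedTestServer requirement. Extend the comment to say that the remaining users of these chain files also accept an unencrypted PKCS#8 key, or keep a separate output for them, so the next person to regenerate the certificates does not have to rediscover that.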
......
This diff is collapsed.
......@@ -955,9 +955,9 @@ void SSLServerContextImpl::Init() {
if (ssl_server_config_.client_cert_type !=
SSLServerConfig::ClientCertType::NO_CLIENT_CERT &&
!ssl_server_config_.cert_authorities_.empty()) {
!ssl_server_config_.cert_authorities.empty()) {
bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> stack(sk_CRYPTO_BUFFER_new_null());
for (const auto& authority : ssl_server_config_.cert_authorities_) {
for (const auto& authority : ssl_server_config_.cert_authorities) {
sk_CRYPTO_BUFFER_push(stack.get(),
x509_util::CreateCryptoBuffer(authority).release());
}
......
......@@ -453,7 +453,7 @@ class SSLServerSocketTest : public PlatformTest, public WithTaskEnvironment {
static const uint8_t kClientCertCAName[] = {
0x30, 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55,
0x04, 0x03, 0x0c, 0x04, 0x42, 0x20, 0x43, 0x41};
server_ssl_config_.cert_authorities_.push_back(std::string(
server_ssl_config_.cert_authorities.push_back(std::string(
std::begin(kClientCertCAName), std::end(kClientCertCAName)));
scoped_refptr<X509Certificate> expected_client_cert(
......
......@@ -73,7 +73,7 @@ struct NET_EXPORT SSLServerConfig {
// List of DER-encoded X.509 DistinguishedName of certificate authorities
// to be included in the CertificateRequest handshake message,
// if client certificates are required.
std::vector<std::string> cert_authorities_;
std::vector<std::string> cert_authorities;
// Provides the ClientCertVerifier that is to be used to verify
// client certificates during the handshake.
......
......@@ -166,6 +166,7 @@ void EmbeddedTestServer::InitializeSSLServerContext() {
std::unique_ptr<crypto::RSAPrivateKey> server_key(
crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_vector));
CHECK(server_key);
context_ =
CreateSSLServerContext(GetCertificate().get(), *server_key, ssl_config_);
}
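Review bot: CHECK(server_key) fails without saying which file was being loaded, and since the key is parsed with CreateFromPrivateKeyInfo, a certificate file that still carries a key in another encoding will stop here with no hint. Stream the file name into the check, for example CHECK(server_key) << "no PKCS#8 key in " << GetCertificateName();, so a badly generated test certificate is diagnosable from the crash line.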
......@@ -310,12 +311,18 @@ std::string EmbeddedTestServer::GetCertificateName() const {
return "localhost_cert.pem";
case CERT_EXPIRED:
return "expired_cert.pem";
case CERT_CHAIN_WRONG_ROOT:
// This chain uses its own dedicated test root certificate to avoid
// side-effects that may affect testing.
return "redundant-server-chain.pem";
case CERT_COMMON_NAME_ONLY:
return "common_name_only.pem";
case CERT_SHA1_LEAF:
return "sha1_leaf.pem";
case CERT_OK_BY_INTERMEDIATE:
return "ok_cert_by_intermediate.pem";
case CERT_BAD_VALIDITY:
return "bad_validity.pem";
}
return "ok_cert.pem";
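Review bot: The new CERT_CHAIN_WRONG_ROOT and CERT_BAD_VALIDITY cases sit in a switch that is followed by an unconditional return "ok_cert.pem";, so an enumerator that is later added without a case would silently serve the valid certificate. Please confirm the switch has no default: label so the compiler reports a missing case, and consider an explicit case for the default certificate with NOTREACHED() after the switch. CERT_BAD_VALIDITY could also carry a one-line comment here, as CERT_CHAIN_WRONG_ROOT does.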
......
......@@ -100,6 +100,12 @@ class EmbeddedTestServer {
CERT_MISMATCHED_NAME,
CERT_EXPIRED,
// Cross-signed certificate to test PKIX path building. Contains an
// intermediate cross-signed by an unknown root, while the client (via
// TestRootStore) is expected to have a self-signed version of the
// intermediate.
CERT_CHAIN_WRONG_ROOT,
// Causes the testserver to use a hostname that is a domain
// instead of an IP.
CERT_COMMON_NAME_IS_DOMAIN,
......@@ -113,6 +119,10 @@ class EmbeddedTestServer {
// A certificate that is signed by an intermediate certificate.
CERT_OK_BY_INTERMEDIATE,
// A certificate with invalid notBefore and notAfter times. Windows'
// certificate library will not parse this certificate.
CERT_BAD_VALIDITY,
};
typedef base::RepeatingCallback<std::unique_ptr<HttpResponse>(
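Review bot: The CERT_BAD_VALIDITY comment records that Windows' certificate library will not parse this certificate, but not what a test using it should do there. State whether such tests are expected to be skipped on Windows or to assert a different error, so the platform difference is handled in one documented way rather than per test.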
......