Google Git
Sign in
chromium / chromium / src.git / 41c4a4142135f3710054556a7081ba018c26fd9f / . / net / ssl / ssl_client_auth_cache_unittest.cc
blob: 367d69a45fa89edf42df9b24833c1783d71ee919 [file] [log] [blame]
Avi Drissman64595482022-09-14 20:52:29[diff] [blame]1// Copyright 2009 The Chromium Authors
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
[email protected]536fd0b2013-03-14 17:41:57[diff] [blame]5#include "net/ssl/ssl_client_auth_cache.h"
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]6
David Benjaminb65b0732018-11-09 20:33:53[diff] [blame]7#include <utility>
8
Avi Drissman41c4a412023-01-11 22:45:37[diff] [blame^]9#include "base/functional/callback.h"
[email protected]f002abb2013-06-28 02:30:21[diff] [blame]10#include "base/time/time.h"
[email protected]6e7845ae2013-03-29 21:48:11[diff] [blame]11#include "net/cert/x509_certificate.h"
svaldez7872fd02015-11-19 21:10:54[diff] [blame]12#include "net/ssl/ssl_private_key.h"
David Benjaminb65b0732018-11-09 20:33:53[diff] [blame]13#include "net/ssl/test_ssl_private_key.h"
rsleevif300d6832016-06-22 22:10:39[diff] [blame]14#include "net/test/cert_test_util.h"
15#include "net/test/test_data_directory.h"
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]16#include "testing/gtest/include/gtest/gtest.h"
David Benjaminb65b0732018-11-09 20:33:53[diff] [blame]17#include "third_party/boringssl/src/include/openssl/evp.h"
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]18
19namespace net {
20
David Benjaminb65b0732018-11-09 20:33:53[diff] [blame]21namespace {
22scoped_refptr<SSLPrivateKey> MakeMockKey() {
23 bssl::UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());
24 return WrapOpenSSLPrivateKey(std::move(pkey));
25}
26} // namespace
svaldez7872fd02015-11-19 21:10:54[diff] [blame]27
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]28TEST(SSLClientAuthCacheTest, LookupAddRemove) {
29 SSLClientAuthCache cache;
30
[email protected]791879c2013-12-17 07:22:41[diff] [blame]31 HostPortPair server1("foo1", 443);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]32 scoped_refptr<X509Certificate> cert1(
rsleevif300d6832016-06-22 22:10:39[diff] [blame]33 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
34 ASSERT_TRUE(cert1);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]35
[email protected]791879c2013-12-17 07:22:41[diff] [blame]36 HostPortPair server2("foo2", 443);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]37 scoped_refptr<X509Certificate> cert2(
rsleevif300d6832016-06-22 22:10:39[diff] [blame]38 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"));
39 ASSERT_TRUE(cert2);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]40
[email protected]791879c2013-12-17 07:22:41[diff] [blame]41 HostPortPair server3("foo3", 443);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]42 scoped_refptr<X509Certificate> cert3(
rsleevif300d6832016-06-22 22:10:39[diff] [blame]43 ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem"));
44 ASSERT_TRUE(cert3);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]45
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]46 scoped_refptr<X509Certificate> cached_cert;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]47 scoped_refptr<SSLPrivateKey> cached_pkey;
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]48 // Lookup non-existent client certificate.
rsleevif300d6832016-06-22 22:10:39[diff] [blame]49 cached_cert = nullptr;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]50 EXPECT_FALSE(cache.Lookup(server1, &cached_cert, &cached_pkey));
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]51
52 // Add client certificate for server1.
David Benjaminb65b0732018-11-09 20:33:53[diff] [blame]53 cache.Add(server1, cert1.get(), MakeMockKey());
rsleevif300d6832016-06-22 22:10:39[diff] [blame]54 cached_cert = nullptr;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]55 EXPECT_TRUE(cache.Lookup(server1, &cached_cert, &cached_pkey));
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]56 EXPECT_EQ(cert1, cached_cert);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]57
58 // Add client certificate for server2.
David Benjaminb65b0732018-11-09 20:33:53[diff] [blame]59 cache.Add(server2, cert2.get(), MakeMockKey());
rsleevif300d6832016-06-22 22:10:39[diff] [blame]60 cached_cert = nullptr;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]61 EXPECT_TRUE(cache.Lookup(server1, &cached_cert, &cached_pkey));
dchengc80fed2a2014-08-27 21:47:36[diff] [blame]62 EXPECT_EQ(cert1.get(), cached_cert.get());
rsleevif300d6832016-06-22 22:10:39[diff] [blame]63 cached_cert = nullptr;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]64 EXPECT_TRUE(cache.Lookup(server2, &cached_cert, &cached_pkey));
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]65 EXPECT_EQ(cert2, cached_cert);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]66
67 // Overwrite the client certificate for server1.
David Benjaminb65b0732018-11-09 20:33:53[diff] [blame]68 cache.Add(server1, cert3.get(), MakeMockKey());
rsleevif300d6832016-06-22 22:10:39[diff] [blame]69 cached_cert = nullptr;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]70 EXPECT_TRUE(cache.Lookup(server1, &cached_cert, &cached_pkey));
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]71 EXPECT_EQ(cert3, cached_cert);
rsleevif300d6832016-06-22 22:10:39[diff] [blame]72 cached_cert = nullptr;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]73 EXPECT_TRUE(cache.Lookup(server2, &cached_cert, &cached_pkey));
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]74 EXPECT_EQ(cert2, cached_cert);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]75
76 // Remove client certificate of server1.
77 cache.Remove(server1);
rsleevif300d6832016-06-22 22:10:39[diff] [blame]78 cached_cert = nullptr;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]79 EXPECT_FALSE(cache.Lookup(server1, &cached_cert, &cached_pkey));
rsleevif300d6832016-06-22 22:10:39[diff] [blame]80 cached_cert = nullptr;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]81 EXPECT_TRUE(cache.Lookup(server2, &cached_cert, &cached_pkey));
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]82 EXPECT_EQ(cert2, cached_cert);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]83
84 // Remove non-existent client certificate.
85 cache.Remove(server1);
rsleevif300d6832016-06-22 22:10:39[diff] [blame]86 cached_cert = nullptr;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]87 EXPECT_FALSE(cache.Lookup(server1, &cached_cert, &cached_pkey));
rsleevif300d6832016-06-22 22:10:39[diff] [blame]88 cached_cert = nullptr;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]89 EXPECT_TRUE(cache.Lookup(server2, &cached_cert, &cached_pkey));
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]90 EXPECT_EQ(cert2, cached_cert);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]91}
92
93// Check that if the server differs only by port number, it is considered
94// a separate server.
95TEST(SSLClientAuthCacheTest, LookupWithPort) {
96 SSLClientAuthCache cache;
97
[email protected]791879c2013-12-17 07:22:41[diff] [blame]98 HostPortPair server1("foo", 443);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]99 scoped_refptr<X509Certificate> cert1(
rsleevif300d6832016-06-22 22:10:39[diff] [blame]100 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
101 ASSERT_TRUE(cert1);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]102
[email protected]791879c2013-12-17 07:22:41[diff] [blame]103 HostPortPair server2("foo", 8443);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]104 scoped_refptr<X509Certificate> cert2(
rsleevif300d6832016-06-22 22:10:39[diff] [blame]105 ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem"));
106 ASSERT_TRUE(cert2);
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]107
David Benjaminb65b0732018-11-09 20:33:53[diff] [blame]108 cache.Add(server1, cert1.get(), MakeMockKey());
109 cache.Add(server2, cert2.get(), MakeMockKey());
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]110
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]111 scoped_refptr<X509Certificate> cached_cert;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]112 scoped_refptr<SSLPrivateKey> cached_pkey;
113 EXPECT_TRUE(cache.Lookup(server1, &cached_cert, &cached_pkey));
dchengc80fed2a2014-08-27 21:47:36[diff] [blame]114 EXPECT_EQ(cert1.get(), cached_cert.get());
svaldez7872fd02015-11-19 21:10:54[diff] [blame]115 EXPECT_TRUE(cache.Lookup(server2, &cached_cert, &cached_pkey));
dchengc80fed2a2014-08-27 21:47:36[diff] [blame]116 EXPECT_EQ(cert2.get(), cached_cert.get());
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]117}
118
rsleevif300d6832016-06-22 22:10:39[diff] [blame]119// Check that the a nullptr certificate, indicating the user has declined to
120// send a certificate, is properly cached.
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]121TEST(SSLClientAuthCacheTest, LookupNullPreference) {
122 SSLClientAuthCache cache;
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]123
[email protected]791879c2013-12-17 07:22:41[diff] [blame]124 HostPortPair server1("foo", 443);
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]125 scoped_refptr<X509Certificate> cert1(
rsleevif300d6832016-06-22 22:10:39[diff] [blame]126 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
127 ASSERT_TRUE(cert1);
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]128
David Benjaminb65b0732018-11-09 20:33:53[diff] [blame]129 cache.Add(server1, nullptr, MakeMockKey());
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]130
131 scoped_refptr<X509Certificate> cached_cert(cert1);
svaldez7872fd02015-11-19 21:10:54[diff] [blame]132 scoped_refptr<SSLPrivateKey> cached_pkey;
rsleevif300d6832016-06-22 22:10:39[diff] [blame]133 // Make sure that |cached_cert| is updated to nullptr, indicating the user
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]134 // declined to send a certificate to |server1|.
svaldez7872fd02015-11-19 21:10:54[diff] [blame]135 EXPECT_TRUE(cache.Lookup(server1, &cached_cert, &cached_pkey));
rsleevif300d6832016-06-22 22:10:39[diff] [blame]136 EXPECT_EQ(nullptr, cached_cert.get());
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]137
138 // Remove the existing cached certificate.
139 cache.Remove(server1);
rsleevif300d6832016-06-22 22:10:39[diff] [blame]140 cached_cert = nullptr;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]141 EXPECT_FALSE(cache.Lookup(server1, &cached_cert, &cached_pkey));
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]142
143 // Add a new preference for a specific certificate.
David Benjaminb65b0732018-11-09 20:33:53[diff] [blame]144 cache.Add(server1, cert1.get(), MakeMockKey());
rsleevif300d6832016-06-22 22:10:39[diff] [blame]145 cached_cert = nullptr;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]146 EXPECT_TRUE(cache.Lookup(server1, &cached_cert, &cached_pkey));
[email protected]ec229bc92010-11-22 09:51:45[diff] [blame]147 EXPECT_EQ(cert1, cached_cert);
148
rsleevif300d6832016-06-22 22:10:39[diff] [blame]149 // Replace the specific preference with a nullptr certificate.
David Benjaminb65b0732018-11-09 20:33:53[diff] [blame]150 cache.Add(server1, nullptr, MakeMockKey());
rsleevif300d6832016-06-22 22:10:39[diff] [blame]151 cached_cert = nullptr;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]152 EXPECT_TRUE(cache.Lookup(server1, &cached_cert, &cached_pkey));
rsleevif300d6832016-06-22 22:10:39[diff] [blame]153 EXPECT_EQ(nullptr, cached_cert.get());
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]154}
155
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]156// Check that the Clear() method removes all cache entries.
157TEST(SSLClientAuthCacheTest, Clear) {
[email protected]916f7182011-02-23 16:45:23[diff] [blame]158 SSLClientAuthCache cache;
[email protected]916f7182011-02-23 16:45:23[diff] [blame]159
[email protected]791879c2013-12-17 07:22:41[diff] [blame]160 HostPortPair server1("foo", 443);
[email protected]916f7182011-02-23 16:45:23[diff] [blame]161 scoped_refptr<X509Certificate> cert1(
rsleevif300d6832016-06-22 22:10:39[diff] [blame]162 ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem"));
163 ASSERT_TRUE(cert1);
[email protected]916f7182011-02-23 16:45:23[diff] [blame]164
David Benjaminb65b0732018-11-09 20:33:53[diff] [blame]165 cache.Add(server1, cert1.get(), MakeMockKey());
[email protected]916f7182011-02-23 16:45:23[diff] [blame]166
[email protected]791879c2013-12-17 07:22:41[diff] [blame]167 HostPortPair server2("foo2", 443);
David Benjaminb65b0732018-11-09 20:33:53[diff] [blame]168 cache.Add(server2, nullptr, MakeMockKey());
[email protected]916f7182011-02-23 16:45:23[diff] [blame]169
170 scoped_refptr<X509Certificate> cached_cert;
svaldez7872fd02015-11-19 21:10:54[diff] [blame]171 scoped_refptr<SSLPrivateKey> cached_pkey;
[email protected]916f7182011-02-23 16:45:23[diff] [blame]172
173 // Demonstrate the set up is correct.
svaldez7872fd02015-11-19 21:10:54[diff] [blame]174 EXPECT_TRUE(cache.Lookup(server1, &cached_cert, &cached_pkey));
[email protected]916f7182011-02-23 16:45:23[diff] [blame]175 EXPECT_EQ(cert1, cached_cert);
176
svaldez7872fd02015-11-19 21:10:54[diff] [blame]177 EXPECT_TRUE(cache.Lookup(server2, &cached_cert, &cached_pkey));
rsleevif300d6832016-06-22 22:10:39[diff] [blame]178 EXPECT_EQ(nullptr, cached_cert.get());
[email protected]916f7182011-02-23 16:45:23[diff] [blame]179
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]180 cache.Clear();
[email protected]916f7182011-02-23 16:45:23[diff] [blame]181
182 // Check that we no longer have entries for either server.
svaldez7872fd02015-11-19 21:10:54[diff] [blame]183 EXPECT_FALSE(cache.Lookup(server1, &cached_cert, &cached_pkey));
184 EXPECT_FALSE(cache.Lookup(server2, &cached_cert, &cached_pkey));
[email protected]916f7182011-02-23 16:45:23[diff] [blame]185}
186
[email protected]56c866a22009-06-18 19:38:58[diff] [blame]187} // namespace net