File: ssl_private_key_kcer_unittest.cc

// Copyright 2024 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "chromeos/ash/components/kcer/ssl_private_key_kcer.h"

#include "base/test/test_future.h"
#include "chromeos/ash/components/kcer/kcer.h"
#include "chromeos/ash/components/kcer/kcer_nss/test_utils.h"
#include "content/public/test/browser_task_environment.h"
#include "crypto/scoped_test_nss_db.h"
#include "net/test/test_data_directory.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace kcer {

// Fixture shared by the SSLPrivateKeyKcer tests in this file. It owns the task
// environment, a test NSS database and a Kcer holder backed by that database,
// plus a fixed payload that each test asks the key to sign.
class SSLPrivateKeyKcerTest : public testing::Test {
 protected:
  // Configured with mock time, a UI main thread and a real IO thread.
  content::BrowserTaskEnvironment task_environment_{
      base::test::TaskEnvironment::TimeSource::MOCK_TIME,
      base::test::TaskEnvironment::MainThreadType::UI,
      content::BrowserTaskEnvironment::REAL_IO_THREAD};

  // Test-scoped NSS database; presumably discarded with the fixture, so no
  // test key material outlives a test - confirm against ScopedTestNSSDB.
  // Must be declared before |kcer_holder_|, whose initializer reads
  // nss_db_.slot() (members are initialized in declaration order).
  crypto::ScopedTestNSSDB nss_db_;
  // Kcer holder given the test database's slot as the user slot and no
  // device slot.
  TestKcerHolder kcer_holder_{/*user_slot=*/nss_db_.slot(),
                              /*device_slot=*/nullptr};
  // Fixed 8-byte payload passed to Sign() by every test.
  std::vector<uint8_t> data_to_sign_{1, 2, 3, 4, 5, 6, 7, 8};
};

// Test that SSLPrivateKeyKcer can successfully sign data.
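TEST_F(SSLPrivateKeyKcerTest, SignSuccess) {
  // Import a real client key and certificate into the user token so that Kcer
  // can locate the private key for the cert handed to SSLPrivateKeyKcer.
  base::expected<KeyAndCert, Error> cert_and_key = ImportTestKeyAndCert(
      kcer_holder_.GetKcer(), Token::kUser, "client_1.key", "client_1.pem");
  ASSERT_TRUE(cert_and_key.has_value());

  // The key object is limited to a single signing scheme
  // (RSA PKCS#1 with SHA-256), matching the algorithm requested below.
  auto key = base::MakeRefCounted<SSLPrivateKeyKcer>(
      kcer_holder_.GetKcer(), cert_and_key->cert, KeyType::kRsa,
      /*supported_schemes=*/
      base::flat_set<SigningScheme>({SigningScheme::kRsaPkcs1Sha256}));

  base::test::TestFuture<net::Error, const std::vector<uint8_t>&> sign_waiter;
  key->Sign(SSL_SIGN_RSA_PKCS1_SHA256, data_to_sign_,
            sign_waiter.GetCallback());
  // Stop here if signing failed: verifying whatever bytes accompany an error
  // result would only add a second, misleading failure to the report.
  ASSERT_EQ(sign_waiter.Get<net::Error>(), net::OK);

  // A successful status alone does not prove the signature is valid, so check
  // it against the imported key's SPKI over the exact payload that was signed.
  // |data_to_sign_| is moved from here; it is not used again in this test.
  EXPECT_TRUE(VerifySignature(
      SigningScheme::kRsaPkcs1Sha256, cert_and_key->key.GetSpki(),
      DataToSign(std::move(data_to_sign_)), Signature(sign_waiter.Get<1>()),
      /*strict=*/true));
}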

// Test that SSLPrivateKeyKcer correctly fails to sign data when Kcer
// fails to find the cert.
TEST_F(SSLPrivateKeyKcerTest, SignFailure) {
  // Hand-built cert handle: PKCS#11 id {1, 2, 3}, no X.509 data. This test
  // imports nothing into the NSS database before signing.
  scoped_refptr<const Cert> unknown_cert = base::MakeRefCounted<Cert>(
      Token::kUser, Pkcs11Id({1, 2, 3}), "nickname", /*x509_cert=*/nullptr);

  auto ssl_key = base::MakeRefCounted<SSLPrivateKeyKcer>(
      kcer_holder_.GetKcer(), unknown_cert, KeyType::kRsa,
      /*supported_schemes=*/
      base::flat_set<SigningScheme>({SigningScheme::kRsaPkcs1Sha256}));

  base::test::TestFuture<net::Error, const std::vector<uint8_t>&> sign_result;
  ssl_key->Sign(SSL_SIGN_RSA_PKCS1_SHA256, data_to_sign_,
                sign_result.GetCallback());

  // The failure must surface as a client-auth signature error, not as
  // success.
  EXPECT_EQ(sign_result.Get<0>(),
            net::Error::ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
}

// Test that SSLPrivateKeyKcer correctly fails to sign data when the
// cert is null.
TEST_F(SSLPrivateKeyKcerTest, CertIsNullFailure) {
  // Build the key object around a null cert; Kcer itself is valid.
  auto ssl_key = base::MakeRefCounted<SSLPrivateKeyKcer>(
      kcer_holder_.GetKcer(), /*cert=*/nullptr, KeyType::kRsa,
      /*supported_schemes=*/
      base::flat_set<SigningScheme>({SigningScheme::kRsaPkcs1Sha256}));

  base::test::TestFuture<net::Error, const std::vector<uint8_t>&> sign_result;
  ssl_key->Sign(SSL_SIGN_RSA_PKCS1_SHA256, data_to_sign_,
                sign_result.GetCallback());

  // Signing with no cert must complete with an error rather than crash or
  // report success.
  EXPECT_EQ(sign_result.Get<0>(), net::Error::ERR_UNEXPECTED);
}

// Test that SSLPrivateKeyKcer correctly fails to sign data when the
// Kcer is null.
TEST_F(SSLPrivateKeyKcerTest, KcerIsNullFailure) {
  // Import a real key and cert so that the only missing piece is Kcer itself.
  base::expected<KeyAndCert, Error> imported = ImportTestKeyAndCert(
      kcer_holder_.GetKcer(), Token::kUser, "client_1.key", "client_1.pem");
  ASSERT_TRUE(imported.has_value());

  // The key object gets a valid cert but a null Kcer.
  auto ssl_key = base::MakeRefCounted<SSLPrivateKeyKcer>(
      /*kcer=*/nullptr, imported->cert, KeyType::kRsa,
      /*supported_schemes=*/
      base::flat_set<SigningScheme>({SigningScheme::kRsaPkcs1Sha256}));

  base::test::TestFuture<net::Error, const std::vector<uint8_t>&> sign_result;
  ssl_key->Sign(SSL_SIGN_RSA_PKCS1_SHA256, data_to_sign_,
                sign_result.GetCallback());

  // With no Kcer available the request must fail with a shutdown error.
  EXPECT_EQ(sign_result.Get<0>(), net::Error::ERR_CONTEXT_SHUT_DOWN);
}

}  // namespace kcer