Add end to end client cert auth test for wss

chrome/test/base/ui_test_utils.cc

Index: chrome/test/base/ui_test_utils.cc
diff --git a/chrome/test/base/ui_test_utils.cc b/chrome/test/base/ui_test_utils.cc
index 031ea05f0e2b70cb7029183db94d376eb4402b1f..569728f6fa61bb4b7969c9ede8d38459af48812a 100644
--- a/chrome/test/base/ui_test_utils.cc
+++ b/chrome/test/base/ui_test_utils.cc
@@ -877,7 +877,8 @@ void MessageLoopRunner::Quit() {
 TestWebSocketServer::TestWebSocketServer()
     : started_(false),
       port_(kDefaultWsPort),
-      secure_(false) {
+      secure_(false),
+      client_authentication_(false) {
 #if defined(OS_POSIX)
   process_group_id_ = base::kNullProcessHandle;
 #endif
@@ -892,6 +893,11 @@ void TestWebSocketServer::UseTLS() {
   secure_ = true;
 }
 
+void TestWebSocketServer::UseClientAuthentication() {
+  secure_ = true;

[wtc, 2012/07/11 21:35:57]

Nit: this method probably should not set secure_ to true.

client_authentication_ does require secure_, but it seems
better to require them to be set separately.

[Takashi Toyoshima, 2012/07/12 05:20:13]

Done.

+  client_authentication_ = true;
+}
+
 bool TestWebSocketServer::Start(const FilePath& root_directory) {
   if (started_)
     return true;
@@ -909,6 +915,13 @@ bool TestWebSocketServer::Start(const FilePath& root_directory) {
     LOG(ERROR) << "Unable to create a temporary directory.";
     return false;
   }
+  FilePath cacert_path(root_directory);

[wtc, 2012/07/11 21:35:57]

The declaration of the cacert_path variable can be moved
inside the "if (client_authentication_)" block.

[Takashi Toyoshima, 2012/07/12 05:20:13]

Done.

+  if (client_authentication_) {
+    cmd_line->AppendArg("--ca-certificate");

[wtc, 2012/07/11 21:35:57]

It is strange that the --ca-certificate option alone causes
the test server to request client authentication.

[Takashi Toyoshima, 2012/07/12 05:20:13]

Currently, just adding '--ca-certificate <filename>' enables client cert
authentication in pywebsocket.
If you feel this is strange, I will fix this argument style in pywebsocket and
here.
So, how about adding '--request-client-cert-authentication' in addition to
'--ca-certificate'?

FYI, pywebsocket options for TLS follow,
Usage: standalone.py [options]

Options:
(snip)
  -t, --tls             use TLS (wss://)
  -k PRIVATE_KEY, --private-key=PRIVATE_KEY, --private_key=PRIVATE_KEY
                        TLS private key file.
  -c CERTIFICATE, --certificate=CERTIFICATE
                        TLS certificate file.
  --ca-certificate=CA_CERTIFICATE
                        TLS CA certificate file for client authentication.
(snip)

[wtc, 2012/07/12 23:10:48]

Thank you for the info.  I suggest that you use two separate
options for requesting client auth and for specifying the
CA certificate for client auth.

--ca-certificate should be renamed to indicate that it is
for client certificates.  I suggest you imitate the option
names of net/tools/testserver/testserver.py:

  option_parser.add_option('', '--ssl-client-auth', action='store_true',
                           help='Require SSL client auth on every connection.')
  option_parser.add_option('', '--ssl-client-ca', action='append', default=[],
                           help='Specify that the client certificate request '
                           'should include the CA named in the subject of '
                           'the DER-encoded certificate contained in the '
                           'specified file. This option may appear multiple '
                           'times, indicating multiple CA names should be '
                           'sent in the request.')

+    cacert_path = cacert_path.Append(FILE_PATH_LITERAL("ssl"));
+    cacert_path = cacert_path.Append(FILE_PATH_LITERAL("cacert.pem"));
+    cmd_line->AppendArgNative(cacert_path.value());
+  }
   cmd_line->AppendArgNative(FILE_PATH_LITERAL("--output-dir=") +
                             temp_dir_.path().value());
   websocket_pid_file_ = temp_dir_.path().AppendASCII("websocket.pid");