Add net/android/keystore.h

net/android/keystore_unittest.cc

+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <openssl/dsa.h>
+#include <openssl/ecdsa.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+
+#include "base/android/jni_android.h"
+#include "base/android/jni_array.h"
+#include "base/android/scoped_java_ref.h"
+#include "base/basictypes.h"
+#include "base/bind.h"
+#include "base/callback.h"
+#include "base/compiler_specific.h"
+#include "crypto/openssl_util.h"
+#include "jni/AndroidKeyStoreTestUtil_jni.h"
+#include "net/android/keystore.h"
+#include "net/android/keystore_openssl.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+using base::android::AttachCurrentThread;
+using base::android::ScopedJavaLocalRef;
+using base::android::ToJavaByteArray;
+
+// Technical note:
+//
+// This source file not only checks that signing with SignWithPrivateKey()
+// works correctly, it also verifies that the generated signature matches
+// 100% of what OpenSSL generates when calling RSA_sign(NID_md5_sha1,...),
+// DSA_sign(0, ...) or ECDSA_sign(0, ...).
+//
+// That's crucial to ensure that this function can later be used to
+// implement client certificate support. More specifically, that it is
+// possible to create a custom EVP_PKEY that uses SignWithPrivateKey()
+// internally to perform RSA/DSA/ECDSA signing, as invoked by the
+// OpenSSL code at ssl/s3_clnt.c:ssl3_send_client_verify().
+//
+// Finally, it also checks that using the EVP_PKEY generated with
+// GetOpenSSLPrivateKeyWrapper() works too as well.
+//
+
+namespace net {
+namespace android {
+
+namespace {
+
+JNIEnv* InitEnv() {
+  JNIEnv* env = AttachCurrentThread();
+  static bool inited = false;
+  if (!inited) {
+    RegisterNativesImpl(env);
+    inited = true;
+  }
+  return env;
+}
+
+// Returns true if running on an Android version older than 4.2
+bool IsOnAndroidOlderThan_4_2(void) {
+  JNIEnv* env = InitEnv();
+  const int kAndroid42ApiLevel = 16;
+  int level = Java_AndroidKeyStoreTestUtil_GetSdkApiLevel(env);
+  return level < kAndroid42ApiLevel;
+}
+
+// Implements the callback expected by ERR_print_errors_cb().
+// used by GetOpenSSLErrorString.
+int openssl_print_error_callback(const char* msg, size_t msglen, void* u) {
+  std::string* result = reinterpret_cast<std::string*>(u);
+  result->append(msg, msglen);
+  return 1;
+}
+
+// Retrieve OpenSSL error as a string
+std::string GetOpenSSLErrorString(void) {
+  std::string result;
+  ERR_print_errors_cb(openssl_print_error_callback, &result);
+  return result;
+}
+
+// Retrieve a JNI local ref from encoded PKCS#8 data.
+ScopedJavaLocalRef<jobject> GetPKCS8PrivateKey(
+    SSLClientCertType key_type,
+    const unsigned char* pkcs8_bytes,
+    size_t pkcs8_size) {
+  JNIEnv* env = InitEnv();
+  ScopedJavaLocalRef<jbyteArray> bytes(
+      ToJavaByteArray(env,
+                      reinterpret_cast<const uint8*>(pkcs8_bytes),
+                      pkcs8_size));
+
+    ScopedJavaLocalRef<jobject> key(
+        Java_AndroidKeyStoreTestUtil_CreatePrivateKeyFromPKCS8(
+            env, key_type, bytes.obj()));
+
+    return key;
+}
+
+// Create an OpenSSL EVP_PKEY object from a PKCS#8 in-memory content.
+EVP_PKEY* GetOpenSSLPKCS8PrivateKey(int type,
+                                    const unsigned char* key_bytes,
+                                    size_t key_size) {
+  const unsigned char* p = key_bytes;
+  long p_length = static_cast<long>(key_size);
+  return d2i_PrivateKey(type, NULL, &p, p_length);
+}
+
+// A simple test RSA 2048-bits key, in PKCS#8 format, the following was
+// generated with:
+//
+// openssl genrsa -out key.pem 2048
+// openssl pkcs8 -topk8 -inform PEM -outform DER -in key.pem
+//     -out key.pkcs8 -nocrypt
+// xxd -i key.pkcs8
+//
+const unsigned char test_rsa_key_pkcs8[] = {

[Ryan Sleevi, 2013/01/26 01:51:57]

Why can you not just keep these as separate files, out of line from the source,
like we do with certificates? Makes it much easier to maintain and debug.

[digit1, 2013/01/28 10:16:30]

Yes, I'll move the data to files.

+  0x30, 0x82, 0x04, 0xbd, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
+  0x04, 0xa7, 0x30, 0x82, 0x04, 0xa3, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01,
+  0x01, 0x00, 0xc0, 0x41, 0x18, 0x86, 0x1c, 0xe3, 0x60, 0xd7, 0xec, 0x38,
+  0x70, 0xd0, 0x35, 0x64, 0x6e, 0x0e, 0x4f, 0xaf, 0x3f, 0x05, 0x57, 0x05,
+  0xc3, 0xe9, 0x8d, 0xc3, 0x92, 0x14, 0xa1, 0xea, 0xab, 0xe3, 0x5f, 0x61,
+  0x70, 0x9a, 0xd7, 0x43, 0x2f, 0xc2, 0x31, 0xd7, 0x8c, 0x65, 0x89, 0xea,
+  0x8b, 0xdb, 0xa7, 0x9f, 0x9e, 0xba, 0xea, 0x48, 0x7d, 0x71, 0x10, 0x11,
+  0x86, 0x9d, 0x55, 0x68, 0xd4, 0x31, 0xa0, 0x33, 0x06, 0x5f, 0x0f, 0x43,
+  0xe5, 0x52, 0x46, 0x8d, 0xc1, 0x26, 0xb2, 0x08, 0xd6, 0xa5, 0x9f, 0x85,
+  0x24, 0xb0, 0x4d, 0x7e, 0x2a, 0x7b, 0x4e, 0xcd, 0x54, 0xe5, 0x11, 0xf8,
+  0x39, 0xf5, 0x13, 0x5c, 0xb4, 0xff, 0x07, 0x82, 0xaf, 0xdc, 0x05, 0x27,
+  0x35, 0x5a, 0x48, 0xc9, 0xa0, 0x3b, 0xe5, 0x03, 0x33, 0x32, 0x9a, 0x60,
+  0xe7, 0x0d, 0xce, 0x23, 0xb7, 0xbf, 0x6e, 0x9e, 0x14, 0x6f, 0xe0, 0x5f,
+  0x36, 0x98, 0xdd, 0x1e, 0xde, 0x29, 0x51, 0x2c, 0x10, 0xc1, 0x4b, 0x07,
+  0x98, 0x60, 0x51, 0x88, 0x75, 0x76, 0x4b, 0xcb, 0x19, 0x22, 0x0c, 0x4e,
+  0xc5, 0x5f, 0xb0, 0x40, 0xb7, 0x6b, 0x5b, 0x45, 0xd7, 0x5d, 0xaa, 0x09,
+  0xe2, 0xdc, 0x8f, 0x6c, 0x07, 0xa7, 0x75, 0x4f, 0x2c, 0x5d, 0xd8, 0xa4,
+  0x2f, 0xdd, 0x8c, 0xc8, 0xa6, 0x3a, 0xaf, 0x5c, 0xf5, 0x2d, 0xbb, 0x4d,
+  0x8c, 0xf4, 0xc7, 0x01, 0x9b, 0x95, 0x1b, 0x51, 0x3d, 0x44, 0x87, 0xa0,
+  0x48, 0x79, 0xc0, 0x79, 0x23, 0x98, 0x86, 0xae, 0x20, 0xa1, 0x67, 0xf0,
+  0x20, 0x03, 0x46, 0x8c, 0xc2, 0x96, 0xdf, 0x22, 0x70, 0xa8, 0xed, 0xef,
+  0x8e, 0xa9, 0x09, 0x32, 0x9d, 0xe5, 0x95, 0x53, 0x36, 0x67, 0x69, 0xfe,
+  0x11, 0x38, 0x74, 0xda, 0x9f, 0x7f, 0xba, 0x17, 0xd3, 0x31, 0x94, 0xd3,
+  0xe3, 0x66, 0xb6, 0x84, 0x79, 0x01, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02,
+  0x82, 0x01, 0x00, 0x55, 0xc5, 0x34, 0xe1, 0xb0, 0x45, 0xa8, 0xd0, 0xeb,
+  0xec, 0x0a, 0x38, 0x79, 0x79, 0x82, 0xb8, 0x13, 0xc8, 0xc5, 0x3e, 0xe6,
+  0xa2, 0x05, 0xd3, 0x4e, 0x91, 0xaf, 0xbc, 0x50, 0xb8, 0x57, 0x53, 0x2b,
+  0x1c, 0x57, 0x96, 0x5c, 0xee, 0xf6, 0x81, 0x96, 0xa6, 0xe9, 0x55, 0xeb,
+  0x7f, 0x9e, 0x41, 0xb2, 0xb8, 0xbd, 0xa1, 0xfa, 0x1f, 0xb9, 0x07, 0x15,
+  0xfa, 0x1b, 0xaa, 0x59, 0x8e, 0x59, 0x0c, 0x82, 0xc2, 0x00, 0xd7, 0xac,
+  0x01, 0xc8, 0x6f, 0x3a, 0x56, 0xc7, 0x93, 0x31, 0xde, 0x4b, 0x94, 0xbc,
+  0x64, 0x34, 0x08, 0x0b, 0xaa, 0x7b, 0xdd, 0x63, 0x3c, 0xab, 0xe1, 0x3e,
+  0x71, 0x15, 0xba, 0x46, 0x97, 0x17, 0x90, 0xa7, 0x93, 0x20, 0x4d, 0xf2,
+  0x66, 0x99, 0xa0, 0xdb, 0xd4, 0x48, 0x0e, 0x30, 0x8f, 0x8a, 0xe9, 0xca,
+  0x81, 0xec, 0xd2, 0xf5, 0xe2, 0x6d, 0x79, 0x94, 0x2a, 0x26, 0x47, 0x34,
+  0xa4, 0x2a, 0xf6, 0x31, 0x78, 0x4e, 0xcc, 0xea, 0x1c, 0xf1, 0xa5, 0x64,
+  0x29, 0x32, 0x0d, 0xab, 0xe0, 0x34, 0x5a, 0xec, 0xb7, 0x38, 0xca, 0x96,
+  0x3b, 0x04, 0x42, 0xfc, 0xbc, 0xd0, 0x7b, 0x44, 0xc7, 0x10, 0xa4, 0xac,
+  0x02, 0x12, 0x60, 0xbd, 0x2a, 0xf5, 0x1a, 0x1f, 0xa4, 0x21, 0xc5, 0x83,
+  0x42, 0x25, 0xcb, 0x1a, 0x51, 0xe7, 0x38, 0xe7, 0xa8, 0x21, 0xeb, 0x33,
+  0xf7, 0x0a, 0x78, 0x4d, 0xf9, 0x7c, 0x39, 0x79, 0xa3, 0x36, 0x45, 0x6b,
+  0x68, 0x73, 0x39, 0x15, 0x4b, 0x01, 0x39, 0x45, 0xae, 0xb4, 0xd5, 0x18,
+  0xce, 0xab, 0x7d, 0x0b, 0x94, 0xd2, 0x45, 0x0c, 0xec, 0x88, 0x43, 0x84,
+  0x36, 0x3d, 0x5f, 0x4f, 0x23, 0x90, 0x86, 0x40, 0x2c, 0xd5, 0xdd, 0x93,
+  0x3a, 0x08, 0x16, 0xb1, 0x92, 0x9d, 0x23, 0xe2, 0xc1, 0x56, 0xd8, 0x17,
+  0x2b, 0x72, 0xd1, 0xa0, 0xa8, 0xfc, 0x21, 0x02, 0x81, 0x81, 0x00, 0xf0,
+  0x7f, 0x17, 0x65, 0x8e, 0xd1, 0x5e, 0x30, 0x14, 0xa7, 0x93, 0x37, 0x11,
+  0xde, 0xbe, 0x25, 0xc5, 0x5b, 0x40, 0x60, 0x94, 0x28, 0x9b, 0x88, 0x74,
+  0x47, 0xe2, 0x04, 0x65, 0xc6, 0x30, 0xc3, 0x3c, 0xa1, 0xa6, 0x76, 0x3a,
+  0xb2, 0x8e, 0x5f, 0xec, 0xb6, 0xe4, 0x06, 0x2c, 0x19, 0x24, 0x09, 0x5b,
+  0xc5, 0xa7, 0xf4, 0x06, 0xdb, 0xa3, 0x2b, 0x35, 0xbc, 0x28, 0x91, 0xc4,
+  0xff, 0x61, 0x72, 0x3f, 0xb3, 0x7e, 0x22, 0x4c, 0x52, 0xa7, 0xe3, 0x12,
+  0x29, 0xc4, 0xdd, 0x7f, 0x8c, 0xa6, 0x76, 0x82, 0x82, 0x91, 0x6d, 0xd7,
+  0xec, 0x2d, 0x2f, 0xaa, 0x6a, 0x44, 0x11, 0xdc, 0x5b, 0xa5, 0xb6, 0xfe,
+  0x3d, 0x2c, 0x36, 0x06, 0x84, 0x8a, 0x82, 0xbd, 0x24, 0xe5, 0x0c, 0xd6,
+  0x1a, 0x5f, 0x10, 0x1c, 0x92, 0x9c, 0xdb, 0xce, 0x8f, 0x9e, 0x2f, 0x3d,
+  0x01, 0xd2, 0x75, 0x58, 0xdd, 0x0b, 0x4d, 0x02, 0x81, 0x81, 0x00, 0xcc,
+  0xa5, 0xdd, 0x5f, 0x26, 0x99, 0x91, 0x3a, 0xab, 0x30, 0xf2, 0x01, 0x75,
+  0xe2, 0x59, 0x75, 0x98, 0xc9, 0x32, 0x89, 0x29, 0x36, 0x77, 0x7d, 0x7a,
+  0xa0, 0xee, 0x9d, 0xce, 0xe6, 0xe9, 0x47, 0xd0, 0x2b, 0x6b, 0x69, 0x81,
+  0x1b, 0xd7, 0x19, 0x04, 0x51, 0xb0, 0x72, 0x9c, 0x87, 0x41, 0x7d, 0x94,
+  0x01, 0x3f, 0x36, 0x10, 0x92, 0x9f, 0x2f, 0x7e, 0xf1, 0x49, 0x1f, 0x1b,
+  0x40, 0x9c, 0xbe, 0xa4, 0x37, 0xe8, 0xa4, 0x9c, 0xc3, 0xfd, 0xb0, 0xe0,
+  0x48, 0xb2, 0xd7, 0xc5, 0x41, 0xd1, 0x4e, 0xda, 0xee, 0x4c, 0xbf, 0x45,
+  0xa9, 0xef, 0xe3, 0x1d, 0x9d, 0x99, 0xdf, 0xa3, 0xc3, 0x55, 0x25, 0x22,
+  0xba, 0x32, 0xc4, 0xfe, 0xa0, 0x8f, 0x50, 0xfa, 0x05, 0x64, 0xa5, 0xd9,
+  0x92, 0x2b, 0x27, 0xc9, 0x96, 0x23, 0xe3, 0xe3, 0xeb, 0xde, 0x47, 0xa7,
+  0x3d, 0x33, 0x8d, 0xb6, 0x73, 0x02, 0x85, 0x02, 0x81, 0x80, 0x58, 0xe8,
+  0x63, 0x19, 0xe4, 0x66, 0x7a, 0x4f, 0x84, 0x13, 0x3f, 0x55, 0x48, 0x81,
+  0xf4, 0x01, 0xba, 0xa8, 0x35, 0x70, 0x7e, 0xd5, 0x54, 0x4a, 0x69, 0xd2,
+  0x79, 0x37, 0xee, 0xf8, 0x09, 0xe6, 0xe3, 0x6f, 0x4f, 0x3e, 0xbe, 0x0c,
+  0x6c, 0x9e, 0x01, 0xc0, 0xcb, 0x23, 0x8d, 0x01, 0xee, 0x54, 0x97, 0x5c,
+  0xc6, 0xee, 0x6b, 0xea, 0x9e, 0xb3, 0xc6, 0xb5, 0xbc, 0xb9, 0xc6, 0xfe,
+  0x32, 0x64, 0x2e, 0x30, 0x89, 0x1c, 0xdc, 0xe2, 0x61, 0xb6, 0x8c, 0x6c,
+  0x6c, 0x9f, 0x06, 0x1c, 0x55, 0x1d, 0xd2, 0xb9, 0xba, 0x51, 0xc5, 0x55,
+  0x46, 0x8f, 0x2c, 0x8d, 0x04, 0x85, 0x25, 0xd5, 0xab, 0xb9, 0xae, 0xdb,
+  0xa6, 0x90, 0x82, 0x70, 0x55, 0x54, 0x67, 0xe0, 0x4f, 0xdd, 0x22, 0xf9,
+  0xb4, 0xd3, 0x1b, 0xfd, 0x07, 0x88, 0x2b, 0x20, 0xe4, 0xf5, 0xc9, 0xb3,
+  0xf6, 0xbd, 0xf3, 0x10, 0x24, 0xb1, 0x02, 0x81, 0x80, 0x7b, 0x67, 0x3d,
+  0x51, 0x26, 0x36, 0x8e, 0x23, 0xa1, 0x9d, 0x57, 0x21, 0x58, 0x53, 0x90,
+  0x7c, 0x60, 0x10, 0x5a, 0xff, 0xe8, 0xb1, 0x26, 0x66, 0xac, 0xee, 0xa4,
+  0x54, 0xd6, 0xb1, 0xd9, 0x53, 0xeb, 0x8c, 0x73, 0x2d, 0xe0, 0xa3, 0xc8,
+  0x16, 0x16, 0xcb, 0xa7, 0xa9, 0xc5, 0x07, 0xae, 0x8f, 0x2a, 0x13, 0x82,
+  0x69, 0x78, 0x9e, 0xe1, 0x8c, 0xc3, 0x70, 0x7e, 0x16, 0x5a, 0xd9, 0xa0,
+  0x6b, 0x39, 0x1d, 0x59, 0x95, 0x01, 0xcf, 0x11, 0x88, 0x7a, 0x06, 0x7c,
+  0x89, 0xae, 0x32, 0x1d, 0x23, 0xfe, 0xd2, 0x99, 0xc6, 0xf1, 0x1c, 0x23,
+  0x42, 0x81, 0xd6, 0x4a, 0x36, 0x58, 0x4a, 0xee, 0x6a, 0x01, 0x41, 0xe4,
+  0x61, 0x73, 0xe5, 0x9f, 0xe6, 0x45, 0x8d, 0xc0, 0xfe, 0x5d, 0x6f, 0x4d,
+  0xc4, 0xa5, 0x43, 0x7b, 0x0a, 0xed, 0xa2, 0x8a, 0x9c, 0x0c, 0x95, 0xd4,
+  0x23, 0x8d, 0x34, 0x56, 0xfd, 0x02, 0x81, 0x81, 0x00, 0xe2, 0x05, 0xb1,
+  0xe7, 0x6b, 0xf1, 0xa9, 0xa5, 0xe1, 0x48, 0xb5, 0xe0, 0x76, 0x95, 0xa0,
+  0x7e, 0xb0, 0xa6, 0x32, 0x2d, 0x16, 0x07, 0xe9, 0x30, 0x90, 0xf4, 0xfe,
+  0x54, 0x98, 0x7c, 0xdc, 0xf5, 0x67, 0x87, 0xa1, 0x1c, 0x18, 0x49, 0x06,
+  0x4a, 0xaf, 0xbb, 0xbb, 0xb1, 0x0b, 0xcc, 0x3d, 0x89, 0x2a, 0x70, 0x18,
+  0x39, 0x92, 0x6f, 0xc4, 0xcb, 0x76, 0xe6, 0x1e, 0xd5, 0x72, 0xc1, 0x98,
+  0x75, 0x5c, 0xdb, 0x15, 0x01, 0x1f, 0xb7, 0xcd, 0xc2, 0x88, 0xc5, 0x2c,
+  0x5d, 0x1d, 0x76, 0x1c, 0xd5, 0xcd, 0xb5, 0xa0, 0x18, 0xd7, 0x0d, 0x53,
+  0x43, 0xb7, 0x31, 0x51, 0x30, 0x27, 0xf5, 0x60, 0x8c, 0x8e, 0x17, 0x44,
+  0xac, 0xeb, 0xac, 0xde, 0x39, 0x28, 0x78, 0x02, 0x95, 0xeb, 0x2f, 0xaa,
+  0xd8, 0x26, 0x76, 0xbd, 0xeb, 0x0e, 0x3f, 0x99, 0xe6, 0xb6, 0xf5, 0xcf,
+  0xd3, 0xe2, 0xf4, 0xa2, 0xab
+};
+
+// Retrieve a JNI local ref for our test RSA key.
+ScopedJavaLocalRef<jobject> GetRSATestKey() {
+  return GetPKCS8PrivateKey(CLIENT_CERT_RSA_SIGN,
+                            test_rsa_key_pkcs8,
+                            sizeof(test_rsa_key_pkcs8));
+}
+
+// Retrieve the OpenSSL object for our test RSA key.
+EVP_PKEY* GetRSATestKeyOpenSSL() {
+  return GetOpenSSLPKCS8PrivateKey(EVP_PKEY_RSA,
+                                   test_rsa_key_pkcs8,
+                                   sizeof(test_rsa_key_pkcs8));
+}
+
+// A simple 2048-bits DSA test key.
+//
+// openssl dsaparam -out dsaparam.pem 2048
+// openssl gendsa -out key.pem dsaparam.pem
+// openssl pkcs8 -topk8 -inform PEM -outform DER -in key.pem key.pkcs8
+//     -out key.pkcs8 -nocrypt
+// xxd -i key.pkcs8
+const unsigned char test_dsa_key_pkcs8[] = {
+  0x30, 0x82, 0x02, 0x64, 0x02, 0x01, 0x00, 0x30, 0x82, 0x02, 0x39, 0x06,
+  0x07, 0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x01, 0x30, 0x82, 0x02, 0x2c,
+  0x02, 0x82, 0x01, 0x01, 0x00, 0xef, 0xea, 0xa5, 0x9b, 0xd7, 0x39, 0xd4,
+  0x47, 0x6e, 0x69, 0xd5, 0xb2, 0x6c, 0xce, 0xa4, 0xdd, 0x87, 0xd9, 0xc5,
+  0x6a, 0x6f, 0x9c, 0x00, 0x68, 0x6d, 0xa3, 0x7a, 0x5c, 0x6b, 0x88, 0xcb,
+  0x88, 0xc1, 0x2b, 0x3c, 0x2d, 0x2d, 0x37, 0xaf, 0x10, 0x3f, 0xba, 0x62,
+  0xf2, 0x4f, 0x85, 0xc2, 0xb9, 0xe4, 0xaf, 0xbe, 0x3c, 0x7c, 0xcd, 0x44,
+  0xdf, 0x92, 0xa7, 0x73, 0xd7, 0x9d, 0xed, 0x06, 0x1c, 0x42, 0x98, 0xab,
+  0xc6, 0x0a, 0x4b, 0x05, 0x50, 0x44, 0xd1, 0xec, 0xbb, 0xd3, 0x0b, 0x26,
+  0x45, 0xce, 0xf0, 0x71, 0xda, 0xd6, 0xe6, 0x83, 0xa3, 0x7a, 0x8d, 0x76,
+  0xf5, 0x21, 0xe4, 0x5e, 0x0f, 0x32, 0x44, 0x31, 0xc5, 0x2c, 0x50, 0x88,
+  0xe5, 0x2c, 0xec, 0x94, 0x85, 0xa3, 0xdc, 0x69, 0x2a, 0xcd, 0xa1, 0x14,
+  0xea, 0x9e, 0xac, 0x11, 0xd5, 0xda, 0x2c, 0x47, 0x34, 0xdf, 0xd6, 0x0f,
+  0x30, 0xd5, 0xa6, 0x2f, 0xc0, 0x82, 0x31, 0x38, 0xa8, 0x16, 0x68, 0x3d,
+  0x22, 0x11, 0x11, 0x2c, 0x03, 0x3c, 0x4e, 0x01, 0x0a, 0x8a, 0x37, 0x1c,
+  0x91, 0x2f, 0x11, 0x2a, 0x1c, 0x9e, 0xec, 0x25, 0x4b, 0xb7, 0xa5, 0xb5,
+  0x14, 0x4e, 0xcb, 0xa6, 0xfc, 0x10, 0xa0, 0x6c, 0x00, 0x0e, 0x2d, 0x8e,
+  0xe6, 0x69, 0x8d, 0x4e, 0x8e, 0x04, 0x84, 0xbc, 0x83, 0x83, 0xd4, 0x46,
+  0x07, 0x6c, 0x04, 0x96, 0x04, 0xc0, 0x72, 0xfc, 0xee, 0xaf, 0xbe, 0x6c,
+  0x73, 0x34, 0xd4, 0x57, 0xcf, 0xc6, 0xed, 0x01, 0xd1, 0x9f, 0xe7, 0x69,
+  0x7f, 0x92, 0x80, 0xf3, 0xdf, 0x96, 0xda, 0x78, 0x2c, 0x16, 0xb9, 0x4c,
+  0x62, 0x79, 0x37, 0x1d, 0x97, 0xb4, 0xaa, 0x77, 0xa6, 0x56, 0x6f, 0xb1,
+  0x36, 0xab, 0xb1, 0xd4, 0x56, 0x16, 0xc6, 0x86, 0x51, 0xe0, 0xe4, 0x22,
+  0x9b, 0xae, 0x99, 0xbd, 0x60, 0x0d, 0xbd, 0x9e, 0x13, 0x02, 0x21, 0x00,
+  0x89, 0xe8, 0x1a, 0xac, 0xbf, 0x62, 0xc5, 0x57, 0x24, 0x90, 0x83, 0xfc,
+  0x2f, 0xf1, 0x57, 0x2e, 0x16, 0xa5, 0x99, 0xea, 0x13, 0xc7, 0xb4, 0xe5,
+  0xc0, 0xf2, 0x3a, 0x38, 0x07, 0x88, 0xcc, 0x8f, 0x02, 0x82, 0x01, 0x00,
+  0x3c, 0x97, 0xd5, 0x97, 0xd9, 0xa5, 0xf9, 0xac, 0xa6, 0x8d, 0xf0, 0xf4,
+  0xd3, 0x41, 0x3a, 0x37, 0x67, 0x9d, 0xf8, 0x97, 0xa6, 0x2f, 0xe8, 0x44,
+  0xa3, 0x9e, 0x9c, 0xca, 0xed, 0x56, 0x2c, 0x25, 0x6e, 0x7f, 0xbb, 0x7a,
+  0x30, 0x52, 0x5e, 0x8b, 0xb2, 0x10, 0x22, 0xd6, 0x29, 0x88, 0xc8, 0x3b,
+  0x27, 0xa6, 0xfb, 0x30, 0xdf, 0xa9, 0xd8, 0x02, 0x4e, 0x51, 0xcb, 0xfd,
+  0x38, 0x97, 0x6d, 0x1c, 0x96, 0x4e, 0x4e, 0xd2, 0x0b, 0xba, 0x6b, 0x86,
+  0xfb, 0x58, 0xb9, 0xd0, 0xdd, 0xb7, 0x44, 0xc1, 0x5a, 0xec, 0xd9, 0x8f,
+  0x77, 0x0b, 0xc9, 0xe4, 0xef, 0xed, 0xd6, 0x62, 0x75, 0xc8, 0x99, 0xfd,
+  0x09, 0x20, 0xac, 0x2c, 0xc1, 0xfc, 0xd3, 0x54, 0x13, 0x99, 0x27, 0x6e,
+  0x6c, 0x6d, 0x0c, 0x28, 0x25, 0xe2, 0xa1, 0x4e, 0x6c, 0x47, 0x19, 0x22,
+  0xcf, 0x2a, 0xf9, 0x6b, 0x99, 0x03, 0x88, 0xb5, 0x7f, 0x15, 0x6e, 0x0f,
+  0xe3, 0x86, 0x0a, 0x02, 0x85, 0x29, 0x09, 0xcc, 0xcb, 0xa3, 0xd7, 0x95,
+  0x9b, 0xeb, 0x80, 0x5d, 0x4c, 0x19, 0xa8, 0x3b, 0x2e, 0x3f, 0x0a, 0x04,
+  0x27, 0x5b, 0x04, 0x5c, 0xa1, 0x75, 0xcb, 0x54, 0xcf, 0x3c, 0x0d, 0x42,
+  0x19, 0x62, 0x33, 0x08, 0x70, 0x7b, 0x78, 0x11, 0xcf, 0x6d, 0xb5, 0x8d,
+  0x77, 0x2b, 0xac, 0xbe, 0xde, 0x9e, 0x4a, 0x0b, 0x36, 0xa0, 0x4a, 0x34,
+  0x2c, 0x95, 0x92, 0x49, 0x10, 0x82, 0x4b, 0x9f, 0xe0, 0xf8, 0xb5, 0xd9,
+  0x32, 0x61, 0x47, 0x0f, 0xc4, 0x87, 0xc3, 0x06, 0x33, 0x9f, 0x6b, 0x28,
+  0xee, 0xac, 0x24, 0xbc, 0xfe, 0xba, 0xa3, 0xeb, 0x20, 0x7f, 0x67, 0x42,
+  0x73, 0xb3, 0xe5, 0xf9, 0xc3, 0x2f, 0x6e, 0xef, 0xb3, 0xc5, 0x52, 0x1a,
+  0xfb, 0x96, 0x70, 0x96, 0x47, 0x54, 0x31, 0xd4, 0x25, 0xbd, 0x29, 0x7b,
+  0x19, 0xa5, 0xdc, 0xb9, 0x04, 0x22, 0x02, 0x20, 0x03, 0x82, 0xb9, 0xc8,
+  0x3e, 0xee, 0x73, 0x81, 0x4e, 0x7c, 0xfa, 0x3d, 0xad, 0x10, 0xc4, 0x3a,
+  0xfc, 0x76, 0x7a, 0x1f, 0x8c, 0xf3, 0x6d, 0x40, 0xda, 0x2d, 0x1b, 0x41,
+  0x95, 0xcb, 0x74, 0x1d
+};
+
+// Retrieve a JNI local ref for our test DSA key.
+ScopedJavaLocalRef<jobject> GetDSATestKey() {
+  return GetPKCS8PrivateKey(CLIENT_CERT_DSS_SIGN,
+                            test_dsa_key_pkcs8,
+                            sizeof(test_dsa_key_pkcs8));
+}
+
+// Retrieve the OpenSSL object for our test DSA key.
+EVP_PKEY* GetDSATestKeyOpenSSL() {
+  return GetOpenSSLPKCS8PrivateKey(EVP_PKEY_DSA,
+                                   test_dsa_key_pkcs8,
+                                   sizeof(test_dsa_key_pkcs8));
+}
+
+// The DSA public key generated from the previous DSA private one, with:
+// openssl dsa -in key.pem -outform DER -out key_public.der
+// xxd -i key_public.der
+const unsigned char test_dsa_public_der[] = {
+  0x30, 0x82, 0x03, 0x46, 0x30, 0x82, 0x02, 0x39, 0x06, 0x07, 0x2a, 0x86,
+  0x48, 0xce, 0x38, 0x04, 0x01, 0x30, 0x82, 0x02, 0x2c, 0x02, 0x82, 0x01,
+  0x01, 0x00, 0xef, 0xea, 0xa5, 0x9b, 0xd7, 0x39, 0xd4, 0x47, 0x6e, 0x69,
+  0xd5, 0xb2, 0x6c, 0xce, 0xa4, 0xdd, 0x87, 0xd9, 0xc5, 0x6a, 0x6f, 0x9c,
+  0x00, 0x68, 0x6d, 0xa3, 0x7a, 0x5c, 0x6b, 0x88, 0xcb, 0x88, 0xc1, 0x2b,
+  0x3c, 0x2d, 0x2d, 0x37, 0xaf, 0x10, 0x3f, 0xba, 0x62, 0xf2, 0x4f, 0x85,
+  0xc2, 0xb9, 0xe4, 0xaf, 0xbe, 0x3c, 0x7c, 0xcd, 0x44, 0xdf, 0x92, 0xa7,
+  0x73, 0xd7, 0x9d, 0xed, 0x06, 0x1c, 0x42, 0x98, 0xab, 0xc6, 0x0a, 0x4b,
+  0x05, 0x50, 0x44, 0xd1, 0xec, 0xbb, 0xd3, 0x0b, 0x26, 0x45, 0xce, 0xf0,
+  0x71, 0xda, 0xd6, 0xe6, 0x83, 0xa3, 0x7a, 0x8d, 0x76, 0xf5, 0x21, 0xe4,
+  0x5e, 0x0f, 0x32, 0x44, 0x31, 0xc5, 0x2c, 0x50, 0x88, 0xe5, 0x2c, 0xec,
+  0x94, 0x85, 0xa3, 0xdc, 0x69, 0x2a, 0xcd, 0xa1, 0x14, 0xea, 0x9e, 0xac,
+  0x11, 0xd5, 0xda, 0x2c, 0x47, 0x34, 0xdf, 0xd6, 0x0f, 0x30, 0xd5, 0xa6,
+  0x2f, 0xc0, 0x82, 0x31, 0x38, 0xa8, 0x16, 0x68, 0x3d, 0x22, 0x11, 0x11,
+  0x2c, 0x03, 0x3c, 0x4e, 0x01, 0x0a, 0x8a, 0x37, 0x1c, 0x91, 0x2f, 0x11,
+  0x2a, 0x1c, 0x9e, 0xec, 0x25, 0x4b, 0xb7, 0xa5, 0xb5, 0x14, 0x4e, 0xcb,
+  0xa6, 0xfc, 0x10, 0xa0, 0x6c, 0x00, 0x0e, 0x2d, 0x8e, 0xe6, 0x69, 0x8d,
+  0x4e, 0x8e, 0x04, 0x84, 0xbc, 0x83, 0x83, 0xd4, 0x46, 0x07, 0x6c, 0x04,
+  0x96, 0x04, 0xc0, 0x72, 0xfc, 0xee, 0xaf, 0xbe, 0x6c, 0x73, 0x34, 0xd4,
+  0x57, 0xcf, 0xc6, 0xed, 0x01, 0xd1, 0x9f, 0xe7, 0x69, 0x7f, 0x92, 0x80,
+  0xf3, 0xdf, 0x96, 0xda, 0x78, 0x2c, 0x16, 0xb9, 0x4c, 0x62, 0x79, 0x37,
+  0x1d, 0x97, 0xb4, 0xaa, 0x77, 0xa6, 0x56, 0x6f, 0xb1, 0x36, 0xab, 0xb1,
+  0xd4, 0x56, 0x16, 0xc6, 0x86, 0x51, 0xe0, 0xe4, 0x22, 0x9b, 0xae, 0x99,
+  0xbd, 0x60, 0x0d, 0xbd, 0x9e, 0x13, 0x02, 0x21, 0x00, 0x89, 0xe8, 0x1a,
+  0xac, 0xbf, 0x62, 0xc5, 0x57, 0x24, 0x90, 0x83, 0xfc, 0x2f, 0xf1, 0x57,
+  0x2e, 0x16, 0xa5, 0x99, 0xea, 0x13, 0xc7, 0xb4, 0xe5, 0xc0, 0xf2, 0x3a,
+  0x38, 0x07, 0x88, 0xcc, 0x8f, 0x02, 0x82, 0x01, 0x00, 0x3c, 0x97, 0xd5,
+  0x97, 0xd9, 0xa5, 0xf9, 0xac, 0xa6, 0x8d, 0xf0, 0xf4, 0xd3, 0x41, 0x3a,
+  0x37, 0x67, 0x9d, 0xf8, 0x97, 0xa6, 0x2f, 0xe8, 0x44, 0xa3, 0x9e, 0x9c,
+  0xca, 0xed, 0x56, 0x2c, 0x25, 0x6e, 0x7f, 0xbb, 0x7a, 0x30, 0x52, 0x5e,
+  0x8b, 0xb2, 0x10, 0x22, 0xd6, 0x29, 0x88, 0xc8, 0x3b, 0x27, 0xa6, 0xfb,
+  0x30, 0xdf, 0xa9, 0xd8, 0x02, 0x4e, 0x51, 0xcb, 0xfd, 0x38, 0x97, 0x6d,
+  0x1c, 0x96, 0x4e, 0x4e, 0xd2, 0x0b, 0xba, 0x6b, 0x86, 0xfb, 0x58, 0xb9,
+  0xd0, 0xdd, 0xb7, 0x44, 0xc1, 0x5a, 0xec, 0xd9, 0x8f, 0x77, 0x0b, 0xc9,
+  0xe4, 0xef, 0xed, 0xd6, 0x62, 0x75, 0xc8, 0x99, 0xfd, 0x09, 0x20, 0xac,
+  0x2c, 0xc1, 0xfc, 0xd3, 0x54, 0x13, 0x99, 0x27, 0x6e, 0x6c, 0x6d, 0x0c,
+  0x28, 0x25, 0xe2, 0xa1, 0x4e, 0x6c, 0x47, 0x19, 0x22, 0xcf, 0x2a, 0xf9,
+  0x6b, 0x99, 0x03, 0x88, 0xb5, 0x7f, 0x15, 0x6e, 0x0f, 0xe3, 0x86, 0x0a,
+  0x02, 0x85, 0x29, 0x09, 0xcc, 0xcb, 0xa3, 0xd7, 0x95, 0x9b, 0xeb, 0x80,
+  0x5d, 0x4c, 0x19, 0xa8, 0x3b, 0x2e, 0x3f, 0x0a, 0x04, 0x27, 0x5b, 0x04,
+  0x5c, 0xa1, 0x75, 0xcb, 0x54, 0xcf, 0x3c, 0x0d, 0x42, 0x19, 0x62, 0x33,
+  0x08, 0x70, 0x7b, 0x78, 0x11, 0xcf, 0x6d, 0xb5, 0x8d, 0x77, 0x2b, 0xac,
+  0xbe, 0xde, 0x9e, 0x4a, 0x0b, 0x36, 0xa0, 0x4a, 0x34, 0x2c, 0x95, 0x92,
+  0x49, 0x10, 0x82, 0x4b, 0x9f, 0xe0, 0xf8, 0xb5, 0xd9, 0x32, 0x61, 0x47,
+  0x0f, 0xc4, 0x87, 0xc3, 0x06, 0x33, 0x9f, 0x6b, 0x28, 0xee, 0xac, 0x24,
+  0xbc, 0xfe, 0xba, 0xa3, 0xeb, 0x20, 0x7f, 0x67, 0x42, 0x73, 0xb3, 0xe5,
+  0xf9, 0xc3, 0x2f, 0x6e, 0xef, 0xb3, 0xc5, 0x52, 0x1a, 0xfb, 0x96, 0x70,
+  0x96, 0x47, 0x54, 0x31, 0xd4, 0x25, 0xbd, 0x29, 0x7b, 0x19, 0xa5, 0xdc,
+  0xb9, 0x03, 0x82, 0x01, 0x05, 0x00, 0x02, 0x82, 0x01, 0x00, 0x7e, 0x8c,
+  0x72, 0x95, 0xc6, 0x27, 0xef, 0x1a, 0xd1, 0x5c, 0xfd, 0xe1, 0xc7, 0xdf,
+  0x92, 0xdd, 0xaf, 0x59, 0x1b, 0x9a, 0xec, 0x9f, 0x87, 0x09, 0xe8, 0x9f,
+  0x4e, 0x89, 0x42, 0xcc, 0x40, 0x80, 0x1d, 0x73, 0x4b, 0x05, 0xfe, 0x68,
+  0x41, 0xdb, 0xda, 0x7a, 0x37, 0xd1, 0xdc, 0x99, 0xc1, 0xdb, 0x95, 0x63,
+  0x37, 0x3d, 0xef, 0x7a, 0x21, 0x20, 0x06, 0x69, 0xa2, 0xfa, 0x36, 0xf5,
+  0xbd, 0xee, 0x3f, 0x13, 0xc1, 0x49, 0xb8, 0xbb, 0x85, 0x3e, 0x80, 0x63,
+  0xe3, 0xf1, 0xba, 0x5f, 0xad, 0x9a, 0xf6, 0x22, 0xb0, 0xd2, 0x4c, 0x7e,
+  0xc0, 0x8a, 0x81, 0x8f, 0xa5, 0x71, 0x03, 0xde, 0xf4, 0x73, 0x7e, 0xf9,
+  0x05, 0x91, 0x36, 0x5f, 0x3c, 0x79, 0x7f, 0x3f, 0xeb, 0xb9, 0x36, 0xca,
+  0xb8, 0x40, 0x9b, 0x1d, 0xce, 0xce, 0x04, 0x89, 0xc8, 0xc4, 0xa0, 0xc9,
+  0x63, 0x42, 0x81, 0xdc, 0x80, 0xe1, 0xa5, 0x58, 0xd4, 0x10, 0xd4, 0x2c,
+  0x6c, 0xae, 0xdd, 0xb8, 0x17, 0xdc, 0xcb, 0x7f, 0x62, 0x4f, 0x51, 0xcf,
+  0x0a, 0x10, 0x44, 0x0b, 0xe9, 0xf4, 0x5d, 0x3d, 0x78, 0xd0, 0xe3, 0xf9,
+  0xc5, 0x0f, 0xde, 0x09, 0x72, 0xa1, 0xaf, 0xaf, 0xd7, 0x30, 0x57, 0xca,
+  0xb7, 0xb1, 0xa6, 0x8a, 0x04, 0x71, 0x63, 0x30, 0xf8, 0xa9, 0x44, 0x2f,
+  0x8f, 0xc4, 0x37, 0x0c, 0xc9, 0x9d, 0x72, 0x12, 0x7c, 0x7b, 0xd9, 0x2a,
+  0x52, 0x34, 0x47, 0xf1, 0x98, 0xc4, 0xbc, 0xa7, 0x74, 0x1c, 0x0a, 0xd3,
+  0x6d, 0x7f, 0x8c, 0xce, 0x28, 0x78, 0x59, 0xc9, 0x50, 0x38, 0xc6, 0xf7,
+  0x4c, 0x74, 0x83, 0x04, 0x60, 0x34, 0x64, 0x4f, 0xc1, 0x99, 0x8e, 0x6a,
+  0x7e, 0x30, 0x59, 0x3b, 0xd5, 0x65, 0xb3, 0x56, 0x68, 0x7d, 0xa4, 0xec,
+  0xf0, 0x3c, 0xb2, 0x5a, 0x09, 0xf3, 0xc7, 0xeb, 0x8d, 0x09, 0xab, 0x1d,
+  0x6f, 0x5c
+};
+
+// Call this function to verify that one message signed with our
+// test DSA private key is correct. Since DSA signing introduces
+// random elements in the signature, it is not possible to compare
+// signature bits directly. However, one can use the public key
+// to do the check.
+void VerifyTestDSASignature(const base::StringPiece& message,
+                            const base::StringPiece& signature) {
+  const unsigned char* p = test_dsa_public_der;
+  long length = static_cast<long>(sizeof(test_dsa_public_der));
+  DSA* pub_key = d2i_DSA_PUBKEY(NULL, &p, length);
+  ASSERT_TRUE(pub_key != NULL);
+
+  const unsigned char* digest =
+      reinterpret_cast<const unsigned char*>(message.data());
+  int digest_len = static_cast<int>(message.size());
+  const unsigned char* sigbuf =
+      reinterpret_cast<const unsigned char*>(signature.data());
+  int siglen = static_cast<int>(signature.size());
+
+  ASSERT_EQ(1, DSA_verify(0, digest, digest_len, sigbuf, siglen, pub_key));
+  DSA_free(pub_key);
+}
+
+// A simple ECDSA test key.
+//
+// openssl ecparam -genkey -name prime256v1 -out key.pem
+// openssl pkcs8 -topk8 -inform PEM -outform DER -in key.pem
+//     -out key.pkcs8 -nocrypt
+// xxd -i key.pkcs8
+const unsigned char test_ecdsa_key_pkcs8[] = {
+  0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
+  0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
+  0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20,
+  0xd8, 0x57, 0x0f, 0xee, 0x4c, 0x93, 0xbe, 0x42, 0x2e, 0x2b, 0x2e, 0xf2,
+  0x7d, 0x56, 0xd9, 0x7b, 0x41, 0xc2, 0xc5, 0xd8, 0xbc, 0x77, 0x90, 0x0c,
+  0x38, 0xf4, 0xc2, 0x01, 0xc3, 0xd1, 0x6c, 0x24, 0xa1, 0x44, 0x03, 0x42,
+  0x00, 0x04, 0x97, 0x7a, 0x0e, 0x39, 0x93, 0xc7, 0x21, 0xc9, 0x3f, 0x68,
+  0xf5, 0x77, 0x56, 0xc5, 0xbb, 0xb2, 0x28, 0x64, 0x73, 0x90, 0x73, 0xbd,
+  0xaa, 0x4d, 0x98, 0x27, 0x47, 0xa1, 0x30, 0x55, 0x2e, 0x36, 0x91, 0x4e,
+  0x25, 0xea, 0x83, 0x13, 0x97, 0xc8, 0x0a, 0xc8, 0xcf, 0xaa, 0xb4, 0x55,
+  0x34, 0x6b, 0x11, 0x4b, 0xbd, 0x7e, 0x94, 0xe4, 0x77, 0x98, 0xa8, 0x10,
+  0x7b, 0x63, 0x21, 0x7f, 0xa9, 0xcf
+};
+
+// Retrieve a JNI local ref for our test ECDSA key.
+ScopedJavaLocalRef<jobject> GetECDSATestKey() {
+  return GetPKCS8PrivateKey(CLIENT_CERT_ECDSA_SIGN,
+                            test_ecdsa_key_pkcs8,
+                            sizeof(test_ecdsa_key_pkcs8));
+}
+
+// Retrieve the OpenSSL object for our test ECDSA key.
+EVP_PKEY* GetECDSATestKeyOpenSSL() {
+  return GetOpenSSLPKCS8PrivateKey(EVP_PKEY_EC,
+                                   test_ecdsa_key_pkcs8,
+                                   sizeof(test_ecdsa_key_pkcs8));
+}
+
+// The DSA public key generated from the previous ECDSA private one, with:
+// openssl ec -in key.pem -outform DER -out key_public.der -pubout
+// xxd -i key_public.der
+const unsigned char test_ecdsa_public_der[] = {
+  0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
+  0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
+  0x42, 0x00, 0x04, 0x97, 0x7a, 0x0e, 0x39, 0x93, 0xc7, 0x21, 0xc9, 0x3f,
+  0x68, 0xf5, 0x77, 0x56, 0xc5, 0xbb, 0xb2, 0x28, 0x64, 0x73, 0x90, 0x73,
+  0xbd, 0xaa, 0x4d, 0x98, 0x27, 0x47, 0xa1, 0x30, 0x55, 0x2e, 0x36, 0x91,
+  0x4e, 0x25, 0xea, 0x83, 0x13, 0x97, 0xc8, 0x0a, 0xc8, 0xcf, 0xaa, 0xb4,
+  0x55, 0x34, 0x6b, 0x11, 0x4b, 0xbd, 0x7e, 0x94, 0xe4, 0x77, 0x98, 0xa8,
+  0x10, 0x7b, 0x63, 0x21, 0x7f, 0xa9, 0xcf
+};
+
+// Call this function to verify that one message signed with our
+// test DSA private key is correct. Since DSA signing introduces
+// random elements in the signature, it is not possible to compare
+// signature bits directly. However, one can use the public key
+// to do the check.
+void VerifyTestECDSASignature(const base::StringPiece& message,
+                              const base::StringPiece& signature) {
+  const unsigned char* p = test_ecdsa_public_der;
+  long length = static_cast<long>(sizeof(test_ecdsa_public_der));
+  EC_KEY* pub_key = d2i_EC_PUBKEY(NULL, &p, length);
+  ASSERT_TRUE(pub_key != NULL);
+
+  const unsigned char* digest =
+      reinterpret_cast<const unsigned char*>(message.data());
+  int digest_len = static_cast<int>(message.size());
+  const unsigned char* sigbuf =
+      reinterpret_cast<const unsigned char*>(signature.data());
+  int siglen = static_cast<int>(signature.size());
+
+  ASSERT_EQ(
+    1, ECDSA_verify(0, digest, digest_len, sigbuf, siglen, pub_key));
+  EC_KEY_free(pub_key);
+}
+
+// Sign a message with OpenSSL, return the result as a string.
+// |message| is the message to be signed.
+// |openssl_key| is an OpenSSL EVP_PKEY to use.
+// |result| receives the result.
+void SignWithOpenSSL(const base::StringPiece& message,
+                     EVP_PKEY* openssl_key,
+                     std::string* result) {
+  const unsigned char* digest =
+      reinterpret_cast<const unsigned char*>(message.data());
+  unsigned int digest_len = static_cast<unsigned int>(message.size());
+  // Calling size functions like "RSA_size()" doesn't work at all
+  // with custom RSA_METHOD implementations. That's probably a bug
+  // in OpenSSL, so instead just use a very large buffer.
+  // Note that the code in ssl/s3_clnt.c does something similar.
+  unsigned char openssl_signature[8192];
+  unsigned int openssl_signature_len = 0;
+  int key_type = EVP_PKEY_id(openssl_key);
+  switch (key_type) {
+    case EVP_PKEY_RSA:
+      {
+        RSA* rsa = EVP_PKEY_get1_RSA(openssl_key);
+        ASSERT_TRUE(rsa != NULL);
+        int ret = RSA_sign(NID_md5_sha1,
+                           digest,
+                           digest_len,
+                           openssl_signature,
+                           &openssl_signature_len,
+                           rsa);
+        ASSERT_EQ(1, ret) << GetOpenSSLErrorString();
+        RSA_free(rsa);
+      }
+      break;
+    case EVP_PKEY_DSA:
+      {
+        DSA* dsa = EVP_PKEY_get1_DSA(openssl_key);
+        ASSERT_TRUE(dsa != NULL);
+        int ret = DSA_sign(0,  // ignored by the function
+                           digest,
+                           digest_len,
+                           openssl_signature,
+                           &openssl_signature_len,
+                           dsa);
+        ASSERT_EQ(1, ret) << GetOpenSSLErrorString();
+        DSA_free(dsa);
+      }
+      break;
+    case EVP_PKEY_EC:
+      {
+        EC_KEY* ecdsa = EVP_PKEY_get1_EC_KEY(openssl_key);
+        ASSERT_TRUE(ecdsa != NULL);
+        LOG(INFO) << "Calling ECDSA_sign";
+        int ret = ECDSA_sign(0,  // ignored by the function
+                             digest,
+                             digest_len,
+                             openssl_signature,
+                             &openssl_signature_len,
+                             ecdsa);
+        ASSERT_EQ(1, ret) << GetOpenSSLErrorString();
+        EC_KEY_free(ecdsa);
+      }
+      break;
+    default:
+      LOG(WARNING) << "Invalid OpenSSL key type: " + key_type;
+      return;
+  }
+  result->assign(reinterpret_cast<const char*>(openssl_signature),
+                 static_cast<size_t>(openssl_signature_len));
+}
+
+// Check that a generated signature for a given message matches
+// OpenSSL output byte-by-byte.
+// |message| is the input message.
+// |signature| is the generated signature for the message.
+// |openssl_key| is a raw EVP_PKEY for the same private key than the
+// one which was used to generate the signature.
+void CompareSignatureWithOpenSSL(const base::StringPiece& message,
+                                 const base::StringPiece& signature,
+                                 EVP_PKEY* openssl_key) {
+  std::string openssl_signature;
+  SignWithOpenSSL(message, openssl_key, &openssl_signature);
+
+  ASSERT_EQ(signature.size(), openssl_signature.size());
+  for (size_t n = 0; n < signature.size(); ++n)
+    ASSERT_EQ(openssl_signature[n], signature[n]);
+
+  // All good, just exit.
+}
+
+// Sign a message with our platform API.
+//
+// |android_key| is a JNI reference to the platform PrivateKey object.
+// |openssl_key| is a pointer to an OpenSSL key object for the exact
+// same key content.
+// |message| is a message.
+// |result| will receive the result.
+void DoKeySigning(jobject android_key,
+                  EVP_PKEY* openssl_key,
+                  const base::StringPiece& message,
+                  std::string* result) {
+  // First, get the platform signature.
+  std::vector<uint8> android_signature;
+  ASSERT_TRUE(
+      SignWithPrivateKey(android_key,
+                         message,
+                         &android_signature));
+
+  result->assign(
+      reinterpret_cast<const char*>(&android_signature[0]),
+      android_signature.size());
+}
+
+// Sign a message with our OpenSSL EVP_PKEY wrapper around platform
+// APIS.
+//
+// |android_key| is a JNI reference to the platform PrivateKey object.
+// |openssl_key| is a pointer to an OpenSSL key object for the exact
+// same key content.
+// |message| is a message.
+// |result| will receive the result.
+void DoKeySigningWithWrapper(EVP_PKEY* wrapper_key,
+                             EVP_PKEY* openssl_key,
+                             const base::StringPiece& message,
+                             std::string* result) {
+  // First, get the signature platform signature.

[ppi, 2013/01/29 17:57:10]

nit: double "signature".

+  std::string wrapper_signature;
+  SignWithOpenSSL(message, wrapper_key, &wrapper_signature);
+  ASSERT_NE(0U, wrapper_signature.size());
+
+  result->assign(
+      reinterpret_cast<const char*>(&wrapper_signature[0]),
+      wrapper_signature.size());
+}
+
+}  // namespace
+
+TEST(AndroidKeyStore,GetPrivateKeySigningTypeRSA) {
+    crypto::OpenSSLErrStackTracer err_trace(FROM_HERE);
+
+    ScopedJavaLocalRef<jobject> rsa_key = GetRSATestKey();
+    ASSERT_FALSE(rsa_key.is_null());
+    EXPECT_EQ(CLIENT_CERT_RSA_SIGN,
+              GetPrivateKeySigningType(rsa_key.obj()));
+}
+
+TEST(AndroidKeyStore,SignWithPrivateKeyRSA) {
+
+    ScopedJavaLocalRef<jobject> rsa_key = GetRSATestKey();
+    ASSERT_FALSE(rsa_key.is_null());
+
+    if (IsOnAndroidOlderThan_4_2()) {
+        LOG(INFO) << "This test can't run on Android < 4.2";

[ppi, 2013/01/29 17:57:10]

nit: should this be indented with two spaces?

[digit1, 2013/01/29 23:17:39]

Done.

+        return;
+    }
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> openssl_key(
+        GetRSATestKeyOpenSSL());
+    ASSERT_TRUE(openssl_key.get() != NULL);
+
+    // Message size must be 36 for RSA_sign(NID_md5_sha1,...) to return
+    // without an error.
+    // See third_party/openssl/openssl/crypto/rsa/rsa_sign.c
+    std::string message = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    ASSERT_EQ(36U, message.size());
+
+    std::string signature;
+    DoKeySigning(rsa_key.obj(), openssl_key.get(), message, &signature);
+    CompareSignatureWithOpenSSL(message, signature, openssl_key.get());
+    // All good.
+}
+
+TEST(AndroidKeyStore,SignWithWrapperKeyRSA) {
+    crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+    ScopedJavaLocalRef<jobject> rsa_key = GetRSATestKey();
+    ASSERT_FALSE(rsa_key.is_null());
+
+    if (IsOnAndroidOlderThan_4_2()) {
+        LOG(INFO) << "This test can't run on Android < 4.2";

[ppi, 2013/01/29 17:57:11]

nit: should this be indented with two spaces?

[digit1, 2013/01/29 23:17:39]

Yes, I probably forgot to change my editor's setting while switching between
Java and C++ sources :-) Done.

+        return;
+    }
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> wrapper_key(
+        GetOpenSSLPrivateKeyWrapper(rsa_key.obj()));
+    ASSERT_TRUE(wrapper_key.get() != NULL);
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> openssl_key(
+        GetRSATestKeyOpenSSL());
+    ASSERT_TRUE(openssl_key.get() != NULL);
+
+    // Message size must be 36 for RSA_sign(NID_md5_sha1,...) to return
+    // without an error.
+    std::string message = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    ASSERT_EQ(36U, message.size());
+
+    std::string signature;
+    DoKeySigningWithWrapper(wrapper_key.get(),
+                            openssl_key.get(),
+                            message,
+                            &signature);
+    CompareSignatureWithOpenSSL(message, signature, openssl_key.get());
+    // All good.
+}
+
+TEST(AndroidKeyStore,GetPrivateKeySigningTypeDSA) {
+    crypto::OpenSSLErrStackTracer err_trace(FROM_HERE);
+
+    ScopedJavaLocalRef<jobject> dsa_key = GetDSATestKey();
+    ASSERT_FALSE(dsa_key.is_null());
+    EXPECT_EQ(CLIENT_CERT_DSS_SIGN,
+              GetPrivateKeySigningType(dsa_key.obj()));
+}
+
+TEST(AndroidKeyStore,SignWithPrivateKeyDSA) {
+    ScopedJavaLocalRef<jobject> dsa_key = GetDSATestKey();
+    ASSERT_FALSE(dsa_key.is_null());
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> openssl_key(
+        GetDSATestKeyOpenSSL());
+    ASSERT_TRUE(openssl_key.get() != NULL);
+
+    // Message size must be 36 for DSA_sign(NID_md5_sha1,...) to return
+    // without an error.
+    // See third_party/openssl/openssl/crypto/dsa/dsa_sign.c
+    std::string message = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    ASSERT_EQ(36U, message.size());
+
+    std::string signature;
+    DoKeySigning(dsa_key.obj(), openssl_key.get(), message, &signature);
+    VerifyTestDSASignature(message, signature);
+    // All good.
+}
+
+// TODO(digit): Enable by implementing DSA_METHOD wrapper.
+TEST(AndroidKeyStore,DISABLED_SignWithWrapperKeyDSA) {
+    crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+    ScopedJavaLocalRef<jobject> dsa_key = GetDSATestKey();
+    ASSERT_FALSE(dsa_key.is_null());
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> wrapper_key(
+        GetOpenSSLPrivateKeyWrapper(dsa_key.obj()));
+    ASSERT_TRUE(wrapper_key.get() != NULL);
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> openssl_key(
+        GetDSATestKeyOpenSSL());
+    ASSERT_TRUE(openssl_key.get() != NULL);
+
+    // Message size must be 36 for DSA_sign(NID_md5_sha1,...) to return
+    // without an error.
+    std::string message = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    ASSERT_EQ(36U, message.size());
+
+    std::string signature;
+    DoKeySigningWithWrapper(wrapper_key.get(),
+                            openssl_key.get(),
+                            message,
+                            &signature);
+    VerifyTestDSASignature(message, signature);
+    // All good.
+}
+
+TEST(AndroidKeyStore,GetPrivateKeySigningTypeECDSA) {
+    crypto::OpenSSLErrStackTracer err_trace(FROM_HERE);
+
+    ScopedJavaLocalRef<jobject> ecdsa_key = GetECDSATestKey();
+    ASSERT_FALSE(ecdsa_key.is_null());
+    EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN,
+              GetPrivateKeySigningType(ecdsa_key.obj()));
+}
+
+TEST(AndroidKeyStore,SignWithPrivateKeyECDSA) {
+    ScopedJavaLocalRef<jobject> ecdsa_key = GetECDSATestKey();
+    ASSERT_FALSE(ecdsa_key.is_null());
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> openssl_key(
+        GetECDSATestKeyOpenSSL());
+    ASSERT_TRUE(openssl_key.get() != NULL);
+
+    // Message size must be 36 for ECDSA_sign(NID_md5_sha1,...) to return
+    // without an error.
+    // See third_party/openssl/openssl/crypto/dsa/ecdsa_sign.c
+    std::string message = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    ASSERT_EQ(36U, message.size());
+
+    std::string signature;
+    DoKeySigning(ecdsa_key.obj(), openssl_key.get(), message, &signature);
+    VerifyTestECDSASignature(message, signature);
+    // All good.
+}
+
+// TODO(digit): Enable by implement ECDSA_METHOD wrapper.
+TEST(AndroidKeyStore,DISABLED_SignWithWrapperKeyECDSA) {
+    crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+    ScopedJavaLocalRef<jobject> ecdsa_key = GetECDSATestKey();
+    ASSERT_FALSE(ecdsa_key.is_null());
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> wrapper_key(
+        GetOpenSSLPrivateKeyWrapper(ecdsa_key.obj()));
+    ASSERT_TRUE(wrapper_key.get() != NULL);
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> openssl_key(
+        GetECDSATestKeyOpenSSL());
+    ASSERT_TRUE(openssl_key.get() != NULL);
+
+    // Message size must be 36 for ECDSA_sign(NID_md5_sha1,...) to return
+    // without an error.
+    std::string message = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    ASSERT_EQ(36U, message.size());
+
+    std::string signature;
+    DoKeySigningWithWrapper(wrapper_key.get(),
+                            openssl_key.get(),
+                            message,
+                            &signature);
+    VerifyTestECDSASignature(message, signature);
+    // All good.
+}
+
+}  // namespace android
+}  // namespace net