Add net/android/keystore.h

net/android/keystore_unittest.cc

+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <openssl/dsa.h>
+#include <openssl/ecdsa.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+
+#include "base/android/build_info.h"
+#include "base/android/jni_android.h"
+#include "base/android/jni_array.h"
+#include "base/android/scoped_java_ref.h"
+#include "base/basictypes.h"
+#include "base/bind.h"
+#include "base/callback.h"
+#include "base/compiler_specific.h"
+#include "base/file_path.h"
+#include "base/file_util.h"
+#include "crypto/openssl_util.h"
+#include "jni/AndroidKeyStoreTestUtil_jni.h"
+#include "net/android/keystore.h"
+#include "net/android/keystore_openssl.h"
+#include "net/base/test_data_directory.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+using base::android::AttachCurrentThread;
+using base::android::ScopedJavaLocalRef;
+using base::android::ToJavaByteArray;
+
+// Technical note:
+//
+// This source file not only checks that signing with SignWithPrivateKey()
+// works correctly, it also verifies that the generated signature matches
+// 100% of what OpenSSL generates when calling RSA_sign(NID_md5_sha1,...),
+// DSA_sign(0, ...) or ECDSA_sign(0, ...).
+//
+// That's crucial to ensure that this function can later be used to
+// implement client certificate support. More specifically, that it is
+// possible to create a custom EVP_PKEY that uses SignWithPrivateKey()
+// internally to perform RSA/DSA/ECDSA signing, as invoked by the
+// OpenSSL code at ssl/s3_clnt.c:ssl3_send_client_verify().
+//
+// Finally, it also checks that using the EVP_PKEY generated with
+// GetOpenSSLPrivateKeyWrapper() works correctly.
+//
+
+namespace net {
+namespace android {
+
+namespace {
+
+JNIEnv* InitEnv() {
+  JNIEnv* env = AttachCurrentThread();
+  static bool inited = false;
+  if (!inited) {
+    RegisterNativesImpl(env);
+    inited = true;
+  }
+  return env;
+}
+
+// Returns true if running on an Android version older than 4.2
+bool IsOnAndroidOlderThan_4_2(void) {
+  const int kAndroid42ApiLevel = 17;
+  int level = base::android::BuildInfo::GetInstance()->sdk_int();
+  return level < kAndroid42ApiLevel;
+}
+
+// Implements the callback expected by ERR_print_errors_cb().
+// used by GetOpenSSLErrorString below.
+int openssl_print_error_callback(const char* msg, size_t msglen, void* u) {
+  std::string* result = reinterpret_cast<std::string*>(u);
+  result->append(msg, msglen);
+  return 1;
+}
+
+// Retrieves the OpenSSL error as a string
+std::string GetOpenSSLErrorString(void) {
+  std::string result;
+  ERR_print_errors_cb(openssl_print_error_callback, &result);
+  return result;
+}
+
+// Retrieve a JNI local ref from encoded PKCS#8 data.
+ScopedJavaLocalRef<jobject> GetPKCS8PrivateKey(
+    PrivateKeyType key_type,
+    const std::string& pkcs8_key) {
+  JNIEnv* env = InitEnv();
+  ScopedJavaLocalRef<jbyteArray> bytes(
+      ToJavaByteArray(env,
+                      reinterpret_cast<const uint8*>(pkcs8_key.data()),
+                      pkcs8_key.size()));
+
+    ScopedJavaLocalRef<jobject> key(
+        Java_AndroidKeyStoreTestUtil_createPrivateKeyFromPKCS8(
+            env, key_type, bytes.obj()));
+
+    return key;
+}
+
+// Create an OpenSSL EVP_PKEY object from a PKCS#8 in-memory content.
+EVP_PKEY* GetOpenSSLPKCS8PrivateKey(int type, const std::string& key) {
+  const unsigned char* p =
+      reinterpret_cast<const unsigned char*>(key.data());
+  long p_length = static_cast<long>(key.size());
+  return d2i_PrivateKey(type, NULL, &p, p_length);
+}
+
+// Load a given key file into a string. Assert on error.
+// |filename| is the key file name.
+// |bytes| will receive the raw key data.
+void ImportKeyFile(const char* filename,
+                   std::string& bytes) {
+  FilePath certs_dir = GetTestCertsDirectory();
+  FilePath file_path = certs_dir.AppendASCII(filename);
+  ASSERT_TRUE(file_util::ReadFileToString(file_path, &bytes)) <<
+      "Could not load key file: " << filename;
+}
+
+const char kTestRsaKeyFile[] = "android-test-key-rsa.pkcs8";
+
+// Retrieve a JNI local ref for our test RSA key.
+ScopedJavaLocalRef<jobject> GetRSATestKey() {
+  std::string key;
+  ImportKeyFile(kTestRsaKeyFile, key);
+  return GetPKCS8PrivateKey(PRIVATE_KEY_TYPE_RSA, key);
+}
+
+// Retrieve the OpenSSL object for our test RSA key.
+EVP_PKEY* GetRSATestKeyOpenSSL() {
+  std::string key;
+  ImportKeyFile(kTestRsaKeyFile, key);
+  return GetOpenSSLPKCS8PrivateKey(EVP_PKEY_RSA, key);
+}
+
+const char kTestDsaKeyFile[] = "android-test-key-dsa.pkcs8";
+const char kTestDsaPublicKeyFile[] = "android-test-key-dsa-public.der";
+
+// Retrieve a JNI local ref for our test DSA key.
+ScopedJavaLocalRef<jobject> GetDSATestKey() {
+  std::string key;
+  ImportKeyFile(kTestDsaKeyFile, key);
+  return GetPKCS8PrivateKey(PRIVATE_KEY_TYPE_DSA, key);
+}
+
+// Retrieve the OpenSSL object for our test DSA key.
+EVP_PKEY* GetDSATestKeyOpenSSL() {
+  std::string key;
+  ImportKeyFile(kTestDsaKeyFile, key);
+  return GetOpenSSLPKCS8PrivateKey(EVP_PKEY_DSA, key);
+}
+
+// Call this function to verify that one message signed with our
+// test DSA private key is correct. Since DSA signing introduces
+// random elements in the signature, it is not possible to compare
+// signature bits directly. However, one can use the public key
+// to do the check.
+void VerifyTestDSASignature(const base::StringPiece& message,
+                            const base::StringPiece& signature) {
+  std::string public_key;
+  ImportKeyFile(kTestDsaPublicKeyFile, public_key);
+  const unsigned char* p =
+      reinterpret_cast<const unsigned char*>(public_key.data());
+  long length = static_cast<long>(public_key.size());
+  DSA* pub_key = d2i_DSA_PUBKEY(NULL, &p, length);
+  ASSERT_TRUE(pub_key != NULL);
+
+  const unsigned char* digest =
+      reinterpret_cast<const unsigned char*>(message.data());
+  int digest_len = static_cast<int>(message.size());
+  const unsigned char* sigbuf =
+      reinterpret_cast<const unsigned char*>(signature.data());
+  int siglen = static_cast<int>(signature.size());
+
+  ASSERT_EQ(1, DSA_verify(0, digest, digest_len, sigbuf, siglen, pub_key));
+  DSA_free(pub_key);
+}
+
+const char kTestEcdsaKeyFile[] = "android-test-key-ecdsa.pkcs8";
+const char kTestEcdsaPublicKeyFile[] = "android-test-key-ecdsa-public.der";
+
+// Retrieve a JNI local ref for our test ECDSA key.
+ScopedJavaLocalRef<jobject> GetECDSATestKey() {
+  std::string key;
+  ImportKeyFile(kTestEcdsaKeyFile, key);
+  return GetPKCS8PrivateKey(PRIVATE_KEY_TYPE_ECDSA, key);
+}
+
+// Retrieve the OpenSSL object for our test ECDSA key.
+EVP_PKEY* GetECDSATestKeyOpenSSL() {
+  std::string key;
+  ImportKeyFile(kTestEcdsaKeyFile, key);
+  return GetOpenSSLPKCS8PrivateKey(EVP_PKEY_EC, key);
+}
+
+// Call this function to verify that one message signed with our
+// test DSA private key is correct. Since DSA signing introduces
+// random elements in the signature, it is not possible to compare
+// signature bits directly. However, one can use the public key
+// to do the check.
+void VerifyTestECDSASignature(const base::StringPiece& message,
+                              const base::StringPiece& signature) {
+  std::string public_key;
+  ImportKeyFile(kTestEcdsaPublicKeyFile, public_key);
+  const unsigned char* p =
+      reinterpret_cast<const unsigned char*>(public_key.data());
+  long length = static_cast<long>(public_key.size());
+  EC_KEY* pub_key = d2i_EC_PUBKEY(NULL, &p, length);
+  ASSERT_TRUE(pub_key != NULL);
+
+  const unsigned char* digest =
+      reinterpret_cast<const unsigned char*>(message.data());
+  int digest_len = static_cast<int>(message.size());
+  const unsigned char* sigbuf =
+      reinterpret_cast<const unsigned char*>(signature.data());
+  int siglen = static_cast<int>(signature.size());
+
+  ASSERT_EQ(
+    1, ECDSA_verify(0, digest, digest_len, sigbuf, siglen, pub_key));

[Ryan Sleevi, 2013/01/31 03:09:53]

BUG: If this ASSERT fails, you end up leaking pub_key

Same throughout this file where you end up using ASSERTs

[digit1, 2013/01/31 17:44:30]

Ah, I didn't realize we didn't want memory leaks, even when the unit tests are
failing. I've cleaned up the whole source file then.

+  EC_KEY_free(pub_key);
+}
+
+// Sign a message with OpenSSL, return the result as a string.
+// |message| is the message to be signed.
+// |openssl_key| is an OpenSSL EVP_PKEY to use.
+// |result| receives the result.
+void SignWithOpenSSL(const base::StringPiece& message,
+                     EVP_PKEY* openssl_key,
+                     std::string* result) {
+  const unsigned char* digest =
+      reinterpret_cast<const unsigned char*>(message.data());
+  unsigned int digest_len = static_cast<unsigned int>(message.size());
+  // Calling size functions like "RSA_size()" doesn't work at all
+  // with custom RSA_METHOD implementations. That's probably a bug
+  // in OpenSSL, so instead just use a very large buffer.
+  // Note that the code in ssl/s3_clnt.c does something similar.

[Ryan Sleevi, 2013/01/31 03:09:53]

This does not seem like something we should rely on.

I expect it works for the engines because RSA_size just works based on knowing
the public modulus, and that's not seen as secret data in any (external) OpenSSL
engine or PKCS#11 card that I'm aware of.

[digit1, 2013/01/31 17:44:30]

I've update the code appropriately.

+  unsigned char openssl_signature[8192];
+  unsigned int openssl_signature_len = 0;
+  int key_type = EVP_PKEY_id(openssl_key);
+  switch (key_type) {
+    case EVP_PKEY_RSA:
+      {
+        RSA* rsa = EVP_PKEY_get1_RSA(openssl_key);
+        ASSERT_TRUE(rsa != NULL);

[Ryan Sleevi, 2013/01/31 03:09:53]

nit: ASSERT_TRUE(rsa) (and same throughout this file)

+        int ret = RSA_sign(NID_md5_sha1,
+                           digest,
+                           digest_len,
+                           openssl_signature,
+                           &openssl_signature_len,
+                           rsa);
+        ASSERT_EQ(1, ret) << GetOpenSSLErrorString();
+        RSA_free(rsa);
+      }
+      break;
+    case EVP_PKEY_DSA:
+      {
+        DSA* dsa = EVP_PKEY_get1_DSA(openssl_key);
+        ASSERT_TRUE(dsa != NULL);
+        int ret = DSA_sign(0,  // ignored by the function
+                           digest,
+                           digest_len,
+                           openssl_signature,
+                           &openssl_signature_len,
+                           dsa);
+        ASSERT_EQ(1, ret) << GetOpenSSLErrorString();
+        DSA_free(dsa);
+      }
+      break;
+    case EVP_PKEY_EC:
+      {
+        EC_KEY* ecdsa = EVP_PKEY_get1_EC_KEY(openssl_key);
+        ASSERT_TRUE(ecdsa != NULL);
+        int ret = ECDSA_sign(0,  // ignored by the function
+                             digest,
+                             digest_len,
+                             openssl_signature,
+                             &openssl_signature_len,
+                             ecdsa);
+        ASSERT_EQ(1, ret) << GetOpenSSLErrorString();
+        EC_KEY_free(ecdsa);
+      }
+      break;
+    default:
+      LOG(WARNING) << "Invalid OpenSSL key type: " + key_type;
+      return;
+  }
+  result->assign(reinterpret_cast<const char*>(openssl_signature),
+                 static_cast<size_t>(openssl_signature_len));
+}
+
+// Check that a generated signature for a given message matches
+// OpenSSL output byte-by-byte.
+// |message| is the input message.
+// |signature| is the generated signature for the message.
+// |openssl_key| is a raw EVP_PKEY for the same private key than the
+// one which was used to generate the signature.
+void CompareSignatureWithOpenSSL(const base::StringPiece& message,
+                                 const base::StringPiece& signature,
+                                 EVP_PKEY* openssl_key) {
+  std::string openssl_signature;
+  SignWithOpenSSL(message, openssl_key, &openssl_signature);
+
+  ASSERT_EQ(signature.size(), openssl_signature.size());
+  for (size_t n = 0; n < signature.size(); ++n)
+    ASSERT_EQ(openssl_signature[n], signature[n]);
+
+  // All good, just exit.
+}
+
+// Sign a message with our platform API.
+//
+// |android_key| is a JNI reference to the platform PrivateKey object.
+// |openssl_key| is a pointer to an OpenSSL key object for the exact
+// same key content.
+// |message| is a message.
+// |result| will receive the result.
+void DoKeySigning(jobject android_key,
+                  EVP_PKEY* openssl_key,
+                  const base::StringPiece& message,
+                  std::string* result) {
+  // First, get the platform signature.
+  std::vector<uint8> android_signature;
+  ASSERT_TRUE(
+      SignWithPrivateKey(android_key,
+                         message,
+                         &android_signature));
+
+  result->assign(
+      reinterpret_cast<const char*>(&android_signature[0]),
+      android_signature.size());
+}
+
+// Sign a message with our OpenSSL EVP_PKEY wrapper around platform
+// APIS.
+//
+// |android_key| is a JNI reference to the platform PrivateKey object.
+// |openssl_key| is a pointer to an OpenSSL key object for the exact
+// same key content.
+// |message| is a message.
+// |result| will receive the result.
+void DoKeySigningWithWrapper(EVP_PKEY* wrapper_key,
+                             EVP_PKEY* openssl_key,
+                             const base::StringPiece& message,
+                             std::string* result) {
+  // First, get the platform signature.
+  std::string wrapper_signature;
+  SignWithOpenSSL(message, wrapper_key, &wrapper_signature);
+  ASSERT_NE(0U, wrapper_signature.size());
+
+  result->assign(
+      reinterpret_cast<const char*>(&wrapper_signature[0]),
+      wrapper_signature.size());
+}
+
+}  // namespace
+
+TEST(AndroidKeyStore,GetPrivateKeyTypeRSA) {
+    crypto::OpenSSLErrStackTracer err_trace(FROM_HERE);
+
+    ScopedJavaLocalRef<jobject> rsa_key = GetRSATestKey();
+    ASSERT_FALSE(rsa_key.is_null());
+    EXPECT_EQ(PRIVATE_KEY_TYPE_RSA,
+              GetPrivateKeyType(rsa_key.obj()));
+}
+
+TEST(AndroidKeyStore,SignWithPrivateKeyRSA) {
+    ScopedJavaLocalRef<jobject> rsa_key = GetRSATestKey();
+    ASSERT_FALSE(rsa_key.is_null());
+
+    if (IsOnAndroidOlderThan_4_2()) {
+      LOG(INFO) << "This test can't run on Android < 4.2";
+      return;
+    }
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> openssl_key(
+        GetRSATestKeyOpenSSL());
+    ASSERT_TRUE(openssl_key.get() != NULL);

[Ryan Sleevi, 2013/01/31 03:09:53]

Drop the != NULL (same as before and same throughout)

[digit1, 2013/01/31 17:44:30]

I was just using the recommendations from the GTest FAQ [1]. I've updated all
the code though.

[1]
https://code.google.com/p/googletest/wiki/FAQ#Why_does_Google_Test_support_EX...

+
+    // Message size must be 36 for RSA_sign(NID_md5_sha1,...) to return
+    // without an error.
+    // See third_party/openssl/openssl/crypto/rsa/rsa_sign.c

[Ryan Sleevi, 2013/01/31 03:09:53]

You don't need to cross-reference this. The 36 bytes = size of MD5 + size of
SHA1, same as the NID claims :)

+    std::string message = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    ASSERT_EQ(36U, message.size());
+
+    std::string signature;
+    DoKeySigning(rsa_key.obj(), openssl_key.get(), message, &signature);
+    CompareSignatureWithOpenSSL(message, signature, openssl_key.get());
+    // All good.
+}
+
+TEST(AndroidKeyStore,SignWithWrapperKeyRSA) {
+    crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+    ScopedJavaLocalRef<jobject> rsa_key = GetRSATestKey();
+    ASSERT_FALSE(rsa_key.is_null());
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> wrapper_key(
+        GetOpenSSLPrivateKeyWrapper(rsa_key.obj()));
+    ASSERT_TRUE(wrapper_key.get() != NULL);
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> openssl_key(
+        GetRSATestKeyOpenSSL());
+    ASSERT_TRUE(openssl_key.get() != NULL);
+
+    // Message size must be 36 for RSA_sign(NID_md5_sha1,...) to return
+    // without an error.
+    std::string message = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    ASSERT_EQ(36U, message.size());
+
+    std::string signature;
+    DoKeySigningWithWrapper(wrapper_key.get(),
+                            openssl_key.get(),
+                            message,
+                            &signature);
+    CompareSignatureWithOpenSSL(message, signature, openssl_key.get());
+    // All good.
+}
+
+TEST(AndroidKeyStore,GetPrivateKeyTypeDSA) {
+    crypto::OpenSSLErrStackTracer err_trace(FROM_HERE);
+
+    ScopedJavaLocalRef<jobject> dsa_key = GetDSATestKey();
+    ASSERT_FALSE(dsa_key.is_null());
+    EXPECT_EQ(PRIVATE_KEY_TYPE_DSA,
+              GetPrivateKeyType(dsa_key.obj()));
+}
+
+TEST(AndroidKeyStore,SignWithPrivateKeyDSA) {
+    ScopedJavaLocalRef<jobject> dsa_key = GetDSATestKey();
+    ASSERT_FALSE(dsa_key.is_null());
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> openssl_key(
+        GetDSATestKeyOpenSSL());
+    ASSERT_TRUE(openssl_key.get() != NULL);
+
+    std::string message = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    ASSERT_EQ(36U, message.size());
+
+    std::string signature;
+    DoKeySigning(dsa_key.obj(), openssl_key.get(), message, &signature);
+    VerifyTestDSASignature(message, signature);
+    // All good.
+}
+
+TEST(AndroidKeyStore,SignWithWrapperKeyDSA) {
+    crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+    ScopedJavaLocalRef<jobject> dsa_key = GetDSATestKey();
+    ASSERT_FALSE(dsa_key.is_null());
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> wrapper_key(
+        GetOpenSSLPrivateKeyWrapper(dsa_key.obj()));
+    ASSERT_TRUE(wrapper_key.get() != NULL);
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> openssl_key(
+        GetDSATestKeyOpenSSL());
+    ASSERT_TRUE(openssl_key.get() != NULL);
+
+    std::string message = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    std::string signature;
+    DoKeySigningWithWrapper(wrapper_key.get(),
+                            openssl_key.get(),
+                            message,
+                            &signature);
+    VerifyTestDSASignature(message, signature);
+    // All good.
+}
+
+TEST(AndroidKeyStore,GetPrivateKeyTypeECDSA) {
+    crypto::OpenSSLErrStackTracer err_trace(FROM_HERE);
+
+    ScopedJavaLocalRef<jobject> ecdsa_key = GetECDSATestKey();
+    ASSERT_FALSE(ecdsa_key.is_null());
+    EXPECT_EQ(PRIVATE_KEY_TYPE_ECDSA,
+              GetPrivateKeyType(ecdsa_key.obj()));
+}
+
+TEST(AndroidKeyStore,SignWithPrivateKeyECDSA) {
+    ScopedJavaLocalRef<jobject> ecdsa_key = GetECDSATestKey();
+    ASSERT_FALSE(ecdsa_key.is_null());
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> openssl_key(
+        GetECDSATestKeyOpenSSL());
+    ASSERT_TRUE(openssl_key.get() != NULL);
+
+    std::string message = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    std::string signature;
+    DoKeySigning(ecdsa_key.obj(), openssl_key.get(), message, &signature);
+    VerifyTestECDSASignature(message, signature);
+    // All good.
+}
+
+TEST(AndroidKeyStore, SignWithWrapperKeyECDSA) {
+    crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+
+    ScopedJavaLocalRef<jobject> ecdsa_key = GetECDSATestKey();
+    ASSERT_FALSE(ecdsa_key.is_null());
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> wrapper_key(
+        GetOpenSSLPrivateKeyWrapper(ecdsa_key.obj()));
+    ASSERT_TRUE(wrapper_key.get() != NULL);
+
+    crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> openssl_key(
+        GetECDSATestKeyOpenSSL());
+    ASSERT_TRUE(openssl_key.get() != NULL);
+
+    std::string message = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    std::string signature;
+    DoKeySigningWithWrapper(wrapper_key.get(),
+                            openssl_key.get(),
+                            message,
+                            &signature);
+    VerifyTestECDSASignature(message, signature);
+    // All good.
+}
+
+}  // namespace android
+}  // namespace net