Hrm. For testing ECDSA keys on NSS, I bet the part where NSS refuses to import un"encrypted" EC keys will be a problem. Maybe we could generate and check in empty-password-encrypted versions of them to get a SECKEYPrivateKey out of it.

Keychain is still platform-wide side-effects

For CryptoAPI, I'm not sure there's benefits to this - if we created our own KSP, we're no longer testing CryptoAPI - we're testing the SPI, and that's OS-stable.

I'm interested in having unit tests for whether our translation between SSLPrivateKey and the OS APIs is correct. If the OS APIs we're calling suddenly stopped working when secretly backed by a smartcard, then, well, we're kind of out of luck.

(Ideally the OS APIs would be sufficiently stable and uniform that we primarily need to be worried about correctness north of them. This is, of course, completely false.)

But, e.g., for Android, the first couple of iterations when I tried to convert away from RSA_METHOD had mistakes. That there were unit tests I could adapt saved me a ton of error-prone and time-consuming manual testing.

I'm not sure the claim about Keychain still having platform-wide side effects is true anymore. But I'll leave the burden of proof on me to get it working. :-)

It's still true in 10.12 that adding/removing a keychain triggers the global systemwide mutex.

This seems to do the trick for Mac:
https://codereview.chromium.org/2566273008/

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29

commit ebe0803de7a569dee0c7b0ab6b4685dc749b8f29
Author: davidben <davidben@chromium.org>
Date: Wed Dec 14 02:22:07 2016

Use SecKeyCreateSignature on macOS 10.12 and later.

macOS 10.12 breaks the CSSM code for smartcards. Switch to the new APIs.
In the process, refactor the Android unit tests to be common on all
platforms and unit test this stuff. SecKeychainCreate finally works, so
we can unit test the entire path from certificate to key and compare
signatures against OpenSSL.

That second part probably bears repeating. Eight years into the project's
lifetime, we FINALLY have unit tests for this code!

BUG= 666796 , 673058 

Review-Url: https://codereview.chromium.org/2566273008
Cr-Commit-Position: refs/heads/master@{#438392}

[modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/net.gypi
[modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key.h
[modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_android.cc
[modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_android_unittest.cc
[modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_chromecast.cc
[modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_mac.cc
[add] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_mac.h
[add] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_mac_unittest.cc
[modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_nss.cc
[modify] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_platform_key_win.cc
[add] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_private_key_test_util.cc
[add] https://crrev.com/ebe0803de7a569dee0c7b0ab6b4685dc749b8f29/net/ssl/ssl_private_key_test_util.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/983d610b007a9e5dd5d59fa64fae830f8db8bdd0

commit 983d610b007a9e5dd5d59fa64fae830f8db8bdd0
Author: davidben <davidben@chromium.org>
Date: Wed Dec 14 19:35:40 2016

Add unit tests for NSS-backed SSLPrivateKeys.

BUG= 673058 

Review-Url: https://codereview.chromium.org/2577683002
Cr-Commit-Position: refs/heads/master@{#438593}

[modify] https://crrev.com/983d610b007a9e5dd5d59fa64fae830f8db8bdd0/net/BUILD.gn
[modify] https://crrev.com/983d610b007a9e5dd5d59fa64fae830f8db8bdd0/net/net.gypi
[modify] https://crrev.com/983d610b007a9e5dd5d59fa64fae830f8db8bdd0/net/ssl/ssl_platform_key_chromecast.cc
[add] https://crrev.com/983d610b007a9e5dd5d59fa64fae830f8db8bdd0/net/ssl/ssl_platform_key_chromecast_unittest.cc
[add] https://crrev.com/983d610b007a9e5dd5d59fa64fae830f8db8bdd0/net/ssl/ssl_platform_key_nss_unittest.cc

With that, all that's left is Windows. I'll move this back to Available since I don't know enough about those APIs.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d6d1e4d17563f475169ea8564be5e581759eb8fd

commit d6d1e4d17563f475169ea8564be5e581759eb8fd
Author: davidben <davidben@chromium.org>
Date: Wed May 10 16:49:01 2017

Unit-test CAPI and CNG SSLPrivateKey implementations.

This does not cover the CryptAcquireCertificatePrivateKey call (from my
manual testing, it didn't appear that the imported keys showed up
via CryptAcquireCertificatePrivateKey at all), but it tests that we are calling
CAPI and CNG correctly for the algorithms we are trying to implement. This
will be useful when we revise the interface for RSA-PSS and add support for
it. Also, it means we actually have some test for this stuff!

BUG= 673058 

Review-Url: https://codereview.chromium.org/2865883002
Cr-Commit-Position: refs/heads/master@{#470612}

[modify] https://crrev.com/d6d1e4d17563f475169ea8564be5e581759eb8fd/net/BUILD.gn
[modify] https://crrev.com/d6d1e4d17563f475169ea8564be5e581759eb8fd/net/ssl/ssl_platform_key_win.cc
[add] https://crrev.com/d6d1e4d17563f475169ea8564be5e581759eb8fd/net/ssl/ssl_platform_key_win.h
[add] https://crrev.com/d6d1e4d17563f475169ea8564be5e581759eb8fd/net/ssl/ssl_platform_key_win_unittest.cc

FINALLY!!!!