add test to verify ssl failure without client certificate

58c3df3b · ale · 4f8da678 · 58c3df3b
Commit 58c3df3b authored 11 years ago by ale
--- a/pam/auth_client_test.cc
+++ b/pam/auth_client_test.cc
@@ -60,6 +60,30 @@ TEST(AuthClient, AuthOK) {
  auth_client_free(ac);
 }

+TEST(AuthClient, SSLFailsWithBadCertificate) {
+  auth_client_t ac;
+  int result;
+
+  ac = auth_client_new("service", server);
+  ASSERT_TRUE(ac != NULL);
+
+  auth_client_set_verbose(ac, 1);
+
+  // We can't tell auth_client to make an https request without a
+  // client certificate, but we can try to force a failure by
+  // providing a bad (unloadable) certificate, for example one where
+  // the private and public keys do not match. In this case,
+  // auth_client_set_certificate() should still succeed, since it
+  // doesn't perform this kind of correctness check.
+  result = auth_client_set_certificate(ac, ssl_ca, ssl_ca, ssl_key);
+  EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
+
+  result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
+  EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server;
+
+  auth_client_free(ac);
+}
+
 int main(int argc, char **argv) {
  server = getenv("AUTH_SERVER");
  if (server == NULL) {