Commit abeed0b4 authored by ale's avatar ale

increase test coverage of CA validation

parent c665dc7e
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB3TCCAUYCBFNTgX0wDQYJKoZIhvcNAQEFBQAwEDEOMAwGA1UEAxMFQmFkQ0Ew
HhcNMTQwNDIwMDgxMjQ1WhcNMTQwNDI3MDgxMjQ1WjARMQ8wDQYDVQQDEwZjbGll
bnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKwDAEW8NU9Odm2YkuAz35fG
Jrim+neoLetqYn1IWpS2CgtZxoBKwLjDUf5sTSvr0Z5uNLdo/KuP2L1KVyshOYy/
oaE0OPJ4y3KI6c+HX7MIAv926FMMKyO6bx4q5aNbzg5MFHwaEiQV/nYMWvHWDoSO
DrKwoesJOAhoWgoRMkdHAgMBAAGjSDBGMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/
BAQDAgXgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMBEGCWCGSAGG+EIBAQQEAwIHgDAN
BgkqhkiG9w0BAQUFAAOBgQAZXGSA4P8ErYqW9IuF9cXdAeZyW7x0tr9pA2sK3/ab
OHteYkLZ6zOCxIlzroNnCHTurMNTX7RuZCou6ZmG840pfKHAGcQ7AEpuDJzpG8jl
iQmBgJ/inyXUaxL5c2fYiy6/HO9FXDBnP4Em/6u8dU5gsz9Z5J6RCBKMvwN6KkPz
Cg==
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
MIHUMD8wDQYJKoZIhvcNAQEEBQAwEDEOMAwGA1UEAxMFQmFkQ0EXDTE0MDQyMDA4
MTIxMFoXDTE0MDUyMDA4MTIxMFowDQYJKoZIhvcNAQEEBQADgYEAU4hEB7PILJfP
c7kXdsox6J9iI9ALSbX7VLrccNL1/dY+E9PESHgDBTTnlK1mh8hvdaPdImxGnoQU
fTCP1G5ybKeFS+Enj1ErbEcihjne2T0RQzaTYS4UxrQQQoAcWM+AACrVgiULqvxv
NTKKI8WkmhB2WDzyE6zZ1AOx1SHLE0E=
-----END X509 CRL-----
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
1397981565
......@@ -11,6 +11,9 @@ static const char *server = NULL;
static const char *ssl_ca = "../authserv/test/testca/ca.pem";
static const char *ssl_cert = "../authserv/test/testca/certs/client.pem";
static const char *ssl_key = "../authserv/test/testca/private/client.key";
static const char *ssl_bad_ca = "../authserv/test/testca-bad/ca.pem";
static const char *ssl_bad_cert = "../authserv/test/testca-bad/certs/client.pem";
static const char *ssl_bad_key = "../authserv/test/testca-bad/private/client.key";
TEST(AuthClientCurlInterface, ErrorConversion) {
int curl_err = 35;
......@@ -19,56 +22,46 @@ TEST(AuthClientCurlInterface, ErrorConversion) {
EXPECT_EQ(curl_err, translated);
}
TEST(AuthClient, NewAndFree) {
auth_client_t ac;
ac = auth_client_new("service", server);
ASSERT_TRUE(ac != NULL);
class AuthClientTest
: public ::testing::Test
{
public:
AuthClientTest() {
ac = auth_client_new("service", server);
assert(ac != NULL);
auth_client_set_verbose(ac, 1);
}
auth_client_free(ac);
}
virtual ~AuthClientTest() {
auth_client_free(ac);
}
TEST(AuthClient, CertSetupFailsWithoutCA) {
auth_client_t ac = auth_client_new("service", server);
ASSERT_TRUE(ac != NULL);
auth_client_t ac;
};
TEST_F(AuthClientTest, CertSetupFailsWithoutCA) {
EXPECT_NE(AC_OK,
auth_client_set_certificate(ac, "nonexisting.pem", ssl_cert, ssl_key));
EXPECT_NE(AC_OK,
auth_client_set_certificate(ac, ssl_ca, "nonexisting.pem", ssl_key));
EXPECT_NE(AC_OK,
auth_client_set_certificate(ac, ssl_ca, ssl_cert, "nonexisting.key"));
auth_client_free(ac);
}
TEST(AuthClient, AuthOK) {
auth_client_t ac;
TEST_F(AuthClientTest, AuthOK) {
int result;
ac = auth_client_new("service", server);
ASSERT_TRUE(ac != NULL);
auth_client_set_verbose(ac, 1);
result = auth_client_set_certificate(ac, ssl_ca, ssl_cert, ssl_key);
EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
EXPECT_EQ(AC_OK, result) << "authenticate() error: " << auth_client_strerror(result)
<< ", server=" << server;
auth_client_free(ac);
}
TEST(AuthClient, SSLFailsWithBadCertificate) {
auth_client_t ac;
TEST_F(AuthClientTest, SSLFailsWithBadCertificate) {
int result;
ac = auth_client_new("service", server);
ASSERT_TRUE(ac != NULL);
auth_client_set_verbose(ac, 1);
// We can't tell auth_client to make an https request without a
// client certificate, but we can try to force a failure by
// providing a bad (unloadable) certificate, for example one where
......@@ -80,8 +73,28 @@ TEST(AuthClient, SSLFailsWithBadCertificate) {
result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server;
}
// Test CA validation on the client.
TEST_F(AuthClientTest, SSLFailsWithBadCAClientSide) {
int result;
result = auth_client_set_certificate(ac, ssl_bad_ca, ssl_cert, ssl_key);
EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server;
}
// Test CA validation on the server.
TEST_F(AuthClientTest, SSLFailsWithBadCAServerSide) {
int result;
auth_client_free(ac);
result = auth_client_set_certificate(ac, ssl_ca, ssl_bad_cert, ssl_bad_key);
EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server;
}
int main(int argc, char **argv) {
......
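Review bot: Both new CA tests, SSLFailsWithBadCAClientSide and SSLFailsWithBadCAServerSide, only assert `EXPECT_NE(AC_OK, result)` after `auth_client_authenticate()`, so they pass on any failure, including an unreachable or unset `server` (it is initialised to NULL at the top of the file), and do not show that CA validation was the cause. Comparing against the specific translated TLS error, e.g. `EXPECT_EQ(<expected certificate-verification error>, result)`, would make them fail if validation were silently disabled. The BadCA client certificate added in this commit appears to be valid for only seven days, so after that window the server-side case may be rejected for expiry rather than for its issuer. If the `auth_client_free(ac);` shown inside SSLFailsWithBadCAServerSide is on the new side rather than a removed line (the rendering has lost the markers), it frees the fixture's handle before use and again in `~AuthClientTest()`, and should be dropped.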