From abeed0b46e083b04bafb081f8233e61f4507c64e Mon Sep 17 00:00:00 2001 From: ale <ale@incal.net> Date: Sun, 20 Apr 2014 09:33:47 +0100 Subject: [PATCH] increase test coverage of CA validation --- authserv/test/testca-bad/ca.pem | 12 ++++ authserv/test/testca-bad/certs/client.pem | 13 ++++ authserv/test/testca-bad/crl.pem | 7 +++ authserv/test/testca-bad/private/ca.key | 16 +++++ authserv/test/testca-bad/private/client.key | 16 +++++ authserv/test/testca-bad/serial | 1 + pam/auth_client_test.cc | 69 ++++++++++++--------- 7 files changed, 106 insertions(+), 28 deletions(-) create mode 100644 authserv/test/testca-bad/ca.pem create mode 100644 authserv/test/testca-bad/certs/client.pem create mode 100644 authserv/test/testca-bad/crl.pem create mode 100644 authserv/test/testca-bad/private/ca.key create mode 100644 authserv/test/testca-bad/private/client.key create mode 100644 authserv/test/testca-bad/serial diff --git a/authserv/test/testca-bad/ca.pem b/authserv/test/testca-bad/ca.pem new file mode 100644 index 0000000..c3ddc21 --- /dev/null +++ b/authserv/test/testca-bad/ca.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBtzCCASACAQEwDQYJKoZIhvcNAQEFBQAwEDEOMAwGA1UEAxMFQmFkQ0EwHhcN +MTQwNDIwMDgxMjEwWhcNMjQwNDE3MDgxMjEwWjAQMQ4wDAYDVQQDEwVCYWRDQTCB +nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArvt8IZ/WZY0htyYfL6o2leLLZBVN +G7g4QgB/oNgP1mXPf1Ji9rLxl13i+FBC1c/VrHXh3TuVhYWwWFiPNEmwmsT5CFJj +IiUV6Z299/dRN4Z7H04zr2DTcMrddpQE09RROLXKv4IPMcYk1W1PtNIPWPM/5imG +SKfV7fjL9BjmvtsCAwEAAaMmMCQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8B +Af8EBAMCAQYwDQYJKoZIhvcNAQEFBQADgYEAeo7clYAXxX/fCRJECEvQwC4Uadop +N6oQZLrPdm1V6erGkq2YLmyTw3Y6xk4/XVmK0ler22TUzD6vbj0IkrWDMahK4OTo +VtuuhUZWMJD1RwVULMFIbFBcCRWwWRrvcEF7iLVhnBZJkNt2tnIqeLLDBb3EdOi1 +vVMaigNbyNFXu9M= +-----END CERTIFICATE----- diff --git a/authserv/test/testca-bad/certs/client.pem b/authserv/test/testca-bad/certs/client.pem new file mode 100644 index 0000000..d752079 --- /dev/null +++ b/authserv/test/testca-bad/certs/client.pem 
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB3TCCAUYCBFNTgX0wDQYJKoZIhvcNAQEFBQAwEDEOMAwGA1UEAxMFQmFkQ0Ew +HhcNMTQwNDIwMDgxMjQ1WhcNMTQwNDI3MDgxMjQ1WjARMQ8wDQYDVQQDEwZjbGll +bnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKwDAEW8NU9Odm2YkuAz35fG +Jrim+neoLetqYn1IWpS2CgtZxoBKwLjDUf5sTSvr0Z5uNLdo/KuP2L1KVyshOYy/ +oaE0OPJ4y3KI6c+HX7MIAv926FMMKyO6bx4q5aNbzg5MFHwaEiQV/nYMWvHWDoSO +DrKwoesJOAhoWgoRMkdHAgMBAAGjSDBGMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/ +BAQDAgXgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMBEGCWCGSAGG+EIBAQQEAwIHgDAN +BgkqhkiG9w0BAQUFAAOBgQAZXGSA4P8ErYqW9IuF9cXdAeZyW7x0tr9pA2sK3/ab +OHteYkLZ6zOCxIlzroNnCHTurMNTX7RuZCou6ZmG840pfKHAGcQ7AEpuDJzpG8jl +iQmBgJ/inyXUaxL5c2fYiy6/HO9FXDBnP4Em/6u8dU5gsz9Z5J6RCBKMvwN6KkPz +Cg== +-----END CERTIFICATE----- diff --git a/authserv/test/testca-bad/crl.pem b/authserv/test/testca-bad/crl.pem new file mode 100644 index 0000000..e6f6a11 --- /dev/null +++ b/authserv/test/testca-bad/crl.pem @@ -0,0 +1,7 @@ +-----BEGIN X509 CRL----- +MIHUMD8wDQYJKoZIhvcNAQEEBQAwEDEOMAwGA1UEAxMFQmFkQ0EXDTE0MDQyMDA4 +MTIxMFoXDTE0MDUyMDA4MTIxMFowDQYJKoZIhvcNAQEEBQADgYEAU4hEB7PILJfP +c7kXdsox6J9iI9ALSbX7VLrccNL1/dY+E9PESHgDBTTnlK1mh8hvdaPdImxGnoQU +fTCP1G5ybKeFS+Enj1ErbEcihjne2T0RQzaTYS4UxrQQQoAcWM+AACrVgiULqvxv +NTKKI8WkmhB2WDzyE6zZ1AOx1SHLE0E= +-----END X509 CRL----- diff --git a/authserv/test/testca-bad/private/ca.key b/authserv/test/testca-bad/private/ca.key new file mode 100644 index 0000000..a9ac8bf --- /dev/null +++ b/authserv/test/testca-bad/private/ca.key 
@@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAK77fCGf1mWNIbcm +Hy+qNpXiy2QVTRu4OEIAf6DYD9Zlz39SYvay8Zdd4vhQQtXP1ax14d07lYWFsFhY +jzRJsJrE+QhSYyIlFemdvff3UTeGex9OM69g03DK3XaUBNPUUTi1yr+CDzHGJNVt +T7TSD1jzP+Yphkin1e34y/QY5r7bAgMBAAECgYAePtn19erZIsvxHGXHl2RYBBuj +8Qqi//S5c9ybsL0MEg0LtPHmMogP4eqZgUYMLyB/7uBbnTD7I2CX5LbcEuCzlpr6 +BlqgOf5FJe5R+bw4qAIAXbeSgtwz31NT4bGIfYFNcXNtkB+Fl8P8Dm8b+SWPeN4m ++A5YEU9JcOj+3vi+AQJBAN1E2TP1oSXu2aBmRIk42e7zsL4hYfb99lcrCDelsbID +tN+/72ov01n6jgbtaoXEy/VaxOwy+QHQqZUkC7+6bt8CQQDKcrk2jHODhoob/6hm +iu7aLksiVTCc2JSWPwOUp/FXmHoC29RaG5+0Q91m2tLKFknF502S5njgbj6Zef3c ++nuFAkBasw4VrmoQEohCp6kQVq1+tYWNakGt7Qw9TvZfWRwtzDcoQJTzAgewqnPt +gwRXMQQp3rs51usbQ11ANTZbsSAhAkEAg6sZyuCOQHzAVnVwkUDLGBwDwdCmTVyP +Ryi0q3qO/OmucS2IbxKITDXXSY4Iimb0lEJbsa8z7sPE8wzkj1RaAQJAH6huBj5Q +LppCwBdnlgC/vlNOK78JnvQ5mJ6t8bG7AFKhyaVSBBS5fxO5KjizXCUMrE+4kmuL +g0CaIT+SDVd3TA== +-----END PRIVATE KEY----- diff --git a/authserv/test/testca-bad/private/client.key b/authserv/test/testca-bad/private/client.key new file mode 100644 index 0000000..c758841 --- /dev/null +++ b/authserv/test/testca-bad/private/client.key 
@@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKwDAEW8NU9Odm2Y +kuAz35fGJrim+neoLetqYn1IWpS2CgtZxoBKwLjDUf5sTSvr0Z5uNLdo/KuP2L1K +VyshOYy/oaE0OPJ4y3KI6c+HX7MIAv926FMMKyO6bx4q5aNbzg5MFHwaEiQV/nYM +WvHWDoSODrKwoesJOAhoWgoRMkdHAgMBAAECgYAsvg8ZFI6tVVR6x4AU74lOek1i +JJTsAQQIw0BhJCvjmMJeF3kJr+gXZz7xtgwQy6NX2YS+3IE0wxL2kdrArkDAjXw6 +tDLkQtXQjifWqGkn4tf1PC0CFR+KwWTb5z/eWIBe1WlBMkrSMakFczlt1PfHZ9/V +L88zU9k8odPfc51A2QJBANXFybmEPyENVyL2N2HpdJvKfNMdICoMIp33I3pM6Qjs +0VxdTrKPqS66pZikTvi83Buwxwch4PqAqXNWMFJe50UCQQDN/Wrl1JNMx2HBOIbM +L9K/qMNz1v+cu1YYWD5EHXEb3FZdLOOOWBvljLi8afytVFsB+UnmrMI+dn0rwrOI +uQcbAkEAum9Y0tanR+geins5Kcc0z3n1Cxlnp8QVnLag1lSlGAeRP4CQ1eG8puhY +65rA1OXBANVXfrzpPQ9guRn94piqEQJAHiOnIWuiBcjid7gCmRuiNWLG/ksF6XPL +nBJFQgggxZfOlyF7RheENWkKmp7TVrUR/87uzi6W2TbTB7UcObQA4wJBAJZZNG2Q +7m7VFZB/6tBvaKMBp7wgQsVpMVDUh1+cvW8Jo9ijDSeG5GaZoCnw/t89LT+jPVFk +1byGkcPE5/EQaIY= +-----END PRIVATE KEY----- diff --git a/authserv/test/testca-bad/serial b/authserv/test/testca-bad/serial new file mode 100644 index 0000000..611ad8a --- /dev/null +++ b/authserv/test/testca-bad/serial @@ -0,0 +1 @@ +1397981565 diff --git a/pam/auth_client_test.cc b/pam/auth_client_test.cc index 7693517..818939a 100644 --- a/pam/auth_client_test.cc +++ b/pam/auth_client_test.cc @@ -11,6 +11,9 @@ static const char *server = NULL; static const char *ssl_ca = "../authserv/test/testca/ca.pem"; static const char *ssl_cert = "../authserv/test/testca/certs/client.pem"; static const char *ssl_key = "../authserv/test/testca/private/client.key"; +static const char *ssl_bad_ca = "../authserv/test/testca-bad/ca.pem"; +static const char *ssl_bad_cert = "../authserv/test/testca-bad/certs/client.pem"; +static const char *ssl_bad_key = "../authserv/test/testca-bad/private/client.key"; TEST(AuthClientCurlInterface, ErrorConversion) { int curl_err = 35; 
@@ -19,56 +22,46 @@ TEST(AuthClientCurlInterface, ErrorConversion) { EXPECT_EQ(curl_err, translated); } -TEST(AuthClient, NewAndFree) { - auth_client_t ac; - ac = auth_client_new("service", server); - ASSERT_TRUE(ac != NULL); +class AuthClientTest + : public ::testing::Test +{ +public: + AuthClientTest() { + ac = auth_client_new("service", server); + assert(ac != NULL); + auth_client_set_verbose(ac, 1); + } - auth_client_free(ac); -} + virtual ~AuthClientTest() { + auth_client_free(ac); + } -TEST(AuthClient, CertSetupFailsWithoutCA) { - auth_client_t ac = auth_client_new("service", server); - ASSERT_TRUE(ac != NULL); + auth_client_t ac; +}; +TEST_F(AuthClientTest, CertSetupFailsWithoutCA) { EXPECT_NE(AC_OK, auth_client_set_certificate(ac, "nonexisting.pem", ssl_cert, ssl_key)); EXPECT_NE(AC_OK, auth_client_set_certificate(ac, ssl_ca, "nonexisting.pem", ssl_key)); EXPECT_NE(AC_OK, auth_client_set_certificate(ac, ssl_ca, ssl_cert, "nonexisting.key")); - - auth_client_free(ac); } -TEST(AuthClient, AuthOK) { - auth_client_t ac; +TEST_F(AuthClientTest, AuthOK) { int result; - ac = auth_client_new("service", server); - ASSERT_TRUE(ac != NULL); - - auth_client_set_verbose(ac, 1); - result = auth_client_set_certificate(ac, ssl_ca, ssl_cert, ssl_key); EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result); result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1"); EXPECT_EQ(AC_OK, result) << "authenticate() error: " << auth_client_strerror(result) << ", server=" << server; - - auth_client_free(ac); } -TEST(AuthClient, SSLFailsWithBadCertificate) { - auth_client_t ac; +TEST_F(AuthClientTest, SSLFailsWithBadCertificate) { int result; - ac = auth_client_new("service", server); - ASSERT_TRUE(ac != NULL); - - auth_client_set_verbose(ac, 1); - // We can't tell auth_client to make an https request without a // client certificate, but we can try to force a failure by // providing a bad (unloadable) certificate, for example one where 
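Review bot: The new `AuthClientTest` constructor checks the `auth_client_new()` result with a plain `assert(ac != NULL)`, which is compiled out under `NDEBUG`, so a NULL `ac` would silently flow into `auth_client_set_verbose()` and every `TEST_F` body (and, inferring from the hunk, `<cassert>`/`<assert.h>` is not visibly included in this file). gtest's `ASSERT_*` macros cannot be used in a constructor, but they work in `SetUp()`, which is the idiomatic place for fallible fixture setup; the matching teardown then goes in `TearDown()`, guarded because `auth_client_free(NULL)` is not shown to be safe here. The rewrite below keeps the same fixture name and member so the `TEST_F` bodies are untouched.
```cpp
class AuthClientTest
    : public ::testing::Test
{
protected:
  // ASSERT_* is usable in SetUp() (not in a constructor) and is not
  // removed by NDEBUG, unlike assert().
  virtual void SetUp() {
    ac = auth_client_new("service", server);
    ASSERT_TRUE(ac != NULL);
    auth_client_set_verbose(ac, 1);
  }

  virtual void TearDown() {
    // ac is NULL if SetUp() failed; auth_client_free(NULL) is not known to be safe.
    if (ac != NULL) auth_client_free(ac);
  }

  auth_client_t ac;
};
// … unchanged: CertSetupFailsWithoutCA, AuthOK, SSLFailsWithBadCertificate …
```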
@@ -80,8 +73,28 @@ TEST(AuthClient, SSLFailsWithBadCertificate) { result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1"); EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server; +} + +// Test CA validation on the client. +TEST_F(AuthClientTest, SSLFailsWithBadCAClientSide) { + int result; + + result = auth_client_set_certificate(ac, ssl_bad_ca, ssl_cert, ssl_key); + EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result); + + result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1"); + EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server; +} + +// Test CA validation on the server. +TEST_F(AuthClientTest, SSLFailsWithBadCAServerSide) { + int result; - auth_client_free(ac); + result = auth_client_set_certificate(ac, ssl_ca, ssl_bad_cert, ssl_bad_key); + EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result); + + result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1"); + EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server; } int main(int argc, char **argv) { -- GitLab
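Review bot: `SSLFailsWithBadCAClientSide` and `SSLFailsWithBadCAServerSide` only check `EXPECT_NE(AC_OK, result)`, so any failure at all (server not reachable, transport error, an unrelated curl error) makes them pass, and they cannot tell a TLS peer-verification rejection from a connection failure; the earlier `ErrorConversion` test suggests curl errors are translated, so if `auth_client` exposes a distinct code for verification failure, assert that exact value instead of `!= AC_OK`, and otherwise add a comment stating that the test is only a negative smoke check. This matters here because the `testca-bad` client certificate added in this same commit is valid for one week only (notBefore 2014-04-20, notAfter 2014-04-27 per its PEM), after which the server-side test keeps passing for expiry rather than for untrusted-CA, i.e. it silently stops exercising CA validation; I would add `// NOTE: testca-bad/certs/client.pem expires 2014-04-27; regenerate it or this test no longer checks CA validation.` above the `ssl_bad_cert` use in `SSLFailsWithBadCAServerSide`. The hunk starts inside `SSLFailsWithBadCertificate`, whose body begins outside this hunk, and ends on the `main()` signature.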