[glib/tls-database] Add some tests of g_tls_database_verify_chain()
- From: Stefan Walter <stefw src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib/tls-database] Add some tests of g_tls_database_verify_chain()
- Date: Wed, 9 Feb 2011 19:57:58 +0000 (UTC)
commit 47653a63087e8fb04b28ee046b873d8203546447
Author: Stef Walter <stefw collabora co uk>
Date: Tue Jan 18 21:19:04 2011 -0600
Add some tests of g_tls_database_verify_chain()
gio/tests/tls-tests/server-self.pem | 11 ++
gio/tests/tls.c | 229 ++++++++++++++++++++++++++++++-----
2 files changed, 209 insertions(+), 31 deletions(-)
---
diff --git a/gio/tests/tls-tests/server-self.pem b/gio/tests/tls-tests/server-self.pem
new file mode 100644
index 0000000..20b3500
--- /dev/null
+++ b/gio/tests/tls-tests/server-self.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/gio/tests/tls.c b/gio/tests/tls.c
index cac9742..696a9e8 100644
--- a/gio/tests/tls.c
+++ b/gio/tests/tls.c
@@ -477,11 +477,12 @@ typedef struct {
GTlsCertificate *cert;
GTlsCertificate *anchor;
GSocketConnectable *identity;
-} TestCertificateVerify;
+ GTlsDatabase *database;
+} TestVerify;
static void
-setup_certificate_verify (TestCertificateVerify *test,
- gconstpointer data)
+setup_verify (TestVerify *test,
+ gconstpointer data)
{
GError *error = NULL;
gchar *path;
@@ -492,18 +493,21 @@ setup_certificate_verify (TestCertificateVerify *test,
g_assert (G_IS_TLS_CERTIFICATE (test->cert));
g_free (path);
+ test->identity = g_network_address_new ("server.example.com", 80);
+
path = g_build_filename (SRCDIR, "tls-tests", "ca.pem", NULL);
test->anchor = g_tls_certificate_new_from_file (path, &error);
g_assert_no_error (error);
g_assert (G_IS_TLS_CERTIFICATE (test->anchor));
+ test->database = g_tls_file_database_new (path, &error);
+ g_assert_no_error (error);
+ g_assert (G_IS_TLS_DATABASE (test->database));
g_free (path);
-
- test->identity = g_network_address_new ("server.example.com", 80);
}
static void
-teardown_certificate_verify (TestCertificateVerify *test,
- gconstpointer data)
+teardown_verify (TestVerify *test,
+ gconstpointer data)
{
g_assert (G_IS_TLS_CERTIFICATE (test->cert));
g_object_unref (test->cert);
@@ -512,11 +516,15 @@ teardown_certificate_verify (TestCertificateVerify *test,
g_assert (G_IS_TLS_CERTIFICATE (test->anchor));
g_object_unref (test->anchor);
g_assert (!G_IS_TLS_CERTIFICATE (test->anchor));
+
+ g_assert (G_IS_TLS_DATABASE (test->database));
+ g_object_unref (test->database);
+ g_assert (!G_IS_TLS_DATABASE (test->database));
}
static void
-test_verify_certificate_good (TestCertificateVerify *test,
- gconstpointer data)
+test_verify_certificate_good (TestVerify *test,
+ gconstpointer data)
{
GTlsCertificateFlags errors;
@@ -528,8 +536,8 @@ test_verify_certificate_good (TestCertificateVerify *test,
}
static void
-test_verify_certificate_bad_identity (TestCertificateVerify *test,
- gconstpointer data)
+test_verify_certificate_bad_identity (TestVerify *test,
+ gconstpointer data)
{
GSocketConnectable *identity;
GTlsCertificateFlags errors;
@@ -543,8 +551,8 @@ test_verify_certificate_bad_identity (TestCertificateVerify *test,
}
static void
-test_verify_certificate_bad_ca (TestCertificateVerify *test,
- gconstpointer data)
+test_verify_certificate_bad_ca (TestVerify *test,
+ gconstpointer data)
{
GTlsCertificateFlags errors;
GTlsCertificate *cert;
@@ -565,8 +573,8 @@ test_verify_certificate_bad_ca (TestCertificateVerify *test,
}
static void
-test_verify_certificate_bad_before (TestCertificateVerify *test,
- gconstpointer data)
+test_verify_certificate_bad_before (TestVerify *test,
+ gconstpointer data)
{
GTlsCertificateFlags errors;
GTlsCertificate *cert;
@@ -587,8 +595,8 @@ test_verify_certificate_bad_before (TestCertificateVerify *test,
}
static void
-test_verify_certificate_bad_expired (TestCertificateVerify *test,
- gconstpointer data)
+test_verify_certificate_bad_expired (TestVerify *test,
+ gconstpointer data)
{
GTlsCertificateFlags errors;
GTlsCertificate *cert;
@@ -609,8 +617,8 @@ test_verify_certificate_bad_expired (TestCertificateVerify *test,
}
static void
-test_verify_certificate_bad_combo (TestCertificateVerify *test,
- gconstpointer data)
+test_verify_certificate_bad_combo (TestVerify *test,
+ gconstpointer data)
{
GTlsCertificate *cert;
GSocketConnectable *identity;
@@ -637,8 +645,155 @@ test_verify_certificate_bad_combo (TestCertificateVerify *test,
G_TLS_CERTIFICATE_BAD_IDENTITY | G_TLS_CERTIFICATE_EXPIRED);
g_object_unref (cert);
+ g_object_unref (identity);
+}
+
+static void
+test_verify_database_good (TestVerify *test,
+ gconstpointer data)
+{
+ GTlsCertificateFlags errors;
+ GError *error = NULL;
+
+ errors = g_tls_database_verify_chain (test->database, test->cert,
+ G_TLS_DATABASE_PURPOSE_SERVER_AUTH,
+ test->identity, 0, NULL, &error);
+ g_assert_no_error (error);
+ g_assert_cmpuint (errors, ==, 0);
+
+ errors = g_tls_database_verify_chain (test->database, test->cert,
+ G_TLS_DATABASE_PURPOSE_SERVER_AUTH,
+ NULL, 0, NULL, &error);
+ g_assert_cmpuint (errors, ==, 0);
}
+static void
+test_verify_database_bad_identity (TestVerify *test,
+ gconstpointer data)
+{
+ GSocketConnectable *identity;
+ GTlsCertificateFlags errors;
+ GError *error = NULL;
+
+ identity = g_network_address_new ("other.example.com", 80);
+
+ errors = g_tls_database_verify_chain (test->database, test->cert,
+ G_TLS_DATABASE_PURPOSE_SERVER_AUTH,
+ identity, 0, NULL, &error);
+ g_assert_no_error (error);
+ g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_BAD_IDENTITY);
+
+ g_object_unref (identity);
+}
+
+static void
+test_verify_database_bad_ca (TestVerify *test,
+ gconstpointer data)
+{
+ GTlsCertificateFlags errors;
+ GTlsCertificate *cert;
+ GError *error = NULL;
+ gchar *path;
+
+ /* Use another certificate which isn't in our CA list */
+ path = g_build_filename (SRCDIR, "tls-tests", "server-self.pem", NULL);
+ cert = g_tls_certificate_new_from_file (path, &error);
+ g_assert_no_error (error);
+ g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_free (path);
+
+ errors = g_tls_database_verify_chain (test->database, cert,
+ G_TLS_DATABASE_PURPOSE_SERVER_AUTH,
+ test->identity, 0, NULL, &error);
+ g_assert_no_error (error);
+ g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_UNKNOWN_CA);
+
+ g_object_unref (cert);
+}
+
+static void
+test_verify_database_bad_before (TestVerify *test,
+ gconstpointer data)
+{
+ GTlsCertificateFlags errors;
+ GTlsCertificate *cert;
+ GError *error = NULL;
+ gchar *path;
+
+ /* This is a certificate in the future */
+ path = g_build_filename (SRCDIR, "tls-tests", "client-future.pem", NULL);
+ cert = g_tls_certificate_new_from_file (path, &error);
+ g_assert_no_error (error);
+ g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_free (path);
+
+ errors = g_tls_database_verify_chain (test->database, cert,
+ G_TLS_DATABASE_PURPOSE_SERVER_AUTH,
+ NULL, 0, NULL, &error);
+ g_assert_no_error (error);
+ g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_NOT_ACTIVATED);
+
+ g_object_unref (cert);
+}
+
+static void
+test_verify_database_bad_expired (TestVerify *test,
+ gconstpointer data)
+{
+ GTlsCertificateFlags errors;
+ GTlsCertificate *cert;
+ GError *error = NULL;
+ gchar *path;
+
+ /* This is a certificate in the future */
+ path = g_build_filename (SRCDIR, "tls-tests", "client-past.pem", NULL);
+ cert = g_tls_certificate_new_from_file (path, &error);
+ g_assert_no_error (error);
+ g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_free (path);
+
+ errors = g_tls_database_verify_chain (test->database, cert,
+ G_TLS_DATABASE_PURPOSE_SERVER_AUTH,
+ NULL, 0, NULL, &error);
+ g_assert_no_error (error);
+ g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_EXPIRED);
+
+ g_object_unref (cert);
+}
+
+static void
+test_verify_database_bad_combo (TestVerify *test,
+ gconstpointer data)
+{
+ GTlsCertificate *cert;
+ GSocketConnectable *identity;
+ GTlsCertificateFlags errors;
+ GError *error = NULL;
+ gchar *path;
+
+ path = g_build_filename (SRCDIR, "tls-tests", "server-self.pem", NULL);
+ cert = g_tls_certificate_new_from_file (path, &error);
+ g_assert_no_error (error);
+ g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_free (path);
+
+ /*
+ * - Use is self signed
+ * - Use wrong identity.
+ */
+
+ identity = g_network_address_new ("other.example.com", 80);
+
+ errors = g_tls_database_verify_chain (test->database, cert,
+ G_TLS_DATABASE_PURPOSE_SERVER_AUTH,
+ identity, 0, NULL, &error);
+ g_assert_no_error (error);
+ g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_UNKNOWN_CA |
+ G_TLS_CERTIFICATE_BAD_IDENTITY);
+
+ g_object_unref (cert);
+ g_object_unref (identity);
+}
/* -----------------------------------------------------------------------------
* BACKEND
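Review bot: In test_verify_database_good the second g_tls_database_verify_chain call (the one passing NULL for identity) checks only the returned flags and never checks error, so a backend failure that sets error and returns 0 would still pass; add `g_assert_no_error (error);` before the final g_assert_cmpuint, matching the first call. The comment in test_verify_database_bad_expired reads "This is a certificate in the future" but the test loads client-past.pem and expects G_TLS_CERTIFICATE_EXPIRED; it should read `/* This is a certificate which has already expired */`. Likewise the bad_combo comment "Use is self signed" presumably means the certificate, e.g. `* - Cert is self signed`. Note that none of the new tests exercise a non-zero flags argument or a non-NULL GCancellable, so those parameters of g_tls_database_verify_chain remain uncovered by this commit.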
@@ -690,18 +845,30 @@ main (int argc,
g_test_add ("/tls/certificate/create-with-issuer", TestCertificate, NULL,
setup_certificate, test_create_certificate_with_issuer, teardown_certificate);
- g_test_add ("/tls/certificate/verify-good", TestCertificateVerify, NULL,
- setup_certificate_verify, test_verify_certificate_good, teardown_certificate_verify);
- g_test_add ("/tls/certificate/verify-bad-identity", TestCertificateVerify, NULL,
- setup_certificate_verify, test_verify_certificate_bad_identity, teardown_certificate_verify);
- g_test_add ("/tls/certificate/verify-bad-ca", TestCertificateVerify, NULL,
- setup_certificate_verify, test_verify_certificate_bad_ca, teardown_certificate_verify);
- g_test_add ("/tls/certificate/verify-bad-before", TestCertificateVerify, NULL,
- setup_certificate_verify, test_verify_certificate_bad_before, teardown_certificate_verify);
- g_test_add ("/tls/certificate/verify-bad-expired", TestCertificateVerify, NULL,
- setup_certificate_verify, test_verify_certificate_bad_expired, teardown_certificate_verify);
- g_test_add ("/tls/certificate/verify-bad-combo", TestCertificateVerify, NULL,
- setup_certificate_verify, test_verify_certificate_bad_combo, teardown_certificate_verify);
+ g_test_add ("/tls/certificate/verify-good", TestVerify, NULL,
+ setup_verify, test_verify_certificate_good, teardown_verify);
+ g_test_add ("/tls/certificate/verify-bad-identity", TestVerify, NULL,
+ setup_verify, test_verify_certificate_bad_identity, teardown_verify);
+ g_test_add ("/tls/certificate/verify-bad-ca", TestVerify, NULL,
+ setup_verify, test_verify_certificate_bad_ca, teardown_verify);
+ g_test_add ("/tls/certificate/verify-bad-before", TestVerify, NULL,
+ setup_verify, test_verify_certificate_bad_before, teardown_verify);
+ g_test_add ("/tls/certificate/verify-bad-expired", TestVerify, NULL,
+ setup_verify, test_verify_certificate_bad_expired, teardown_verify);
+ g_test_add ("/tls/certificate/verify-bad-combo", TestVerify, NULL,
+ setup_verify, test_verify_certificate_bad_combo, teardown_verify);
+ g_test_add ("/tls/database/verify-good", TestVerify, NULL,
+ setup_verify, test_verify_database_good, teardown_verify);
+ g_test_add ("/tls/database/verify-bad-identity", TestVerify, NULL,
+ setup_verify, test_verify_database_bad_identity, teardown_verify);
+ g_test_add ("/tls/database/verify-bad-ca", TestVerify, NULL,
+ setup_verify, test_verify_database_bad_ca, teardown_verify);
+ g_test_add ("/tls/database/verify-bad-before", TestVerify, NULL,
+ setup_verify, test_verify_database_bad_before, teardown_verify);
+ g_test_add ("/tls/database/verify-bad-expired", TestVerify, NULL,
+ setup_verify, test_verify_database_bad_expired, teardown_verify);
+ g_test_add ("/tls/database/verify-bad-combo", TestVerify, NULL,
+ setup_verify, test_verify_database_bad_combo, teardown_verify);
return g_test_run();
}