[glib/tls-database] Add tests for g_tls_certificate_verify().



commit c8c50e3fb1d04a56671b68460fb2e17e22eece24
Author: Stef Walter <stefw collabora co uk>
Date:   Tue Jan 18 11:49:10 2011 -0600

    Add tests for g_tls_certificate_verify().

 gio/tests/tls-tests/client-future.pem |   18 +++
 gio/tests/tls-tests/client-past.pem   |   18 +++
 gio/tests/tls-tests/client.pem        |   18 +++
 gio/tests/tls.c                       |  184 +++++++++++++++++++++++++++++++++
 4 files changed, 238 insertions(+), 0 deletions(-)
---
diff --git a/gio/tests/tls-tests/client-future.pem b/gio/tests/tls-tests/client-future.pem
new file mode 100644
index 0000000..de1cb75
--- /dev/null
+++ b/gio/tests/tls-tests/client-future.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/gio/tests/tls-tests/client-past.pem b/gio/tests/tls-tests/client-past.pem
new file mode 100644
index 0000000..2dbb4d1
--- /dev/null
+++ b/gio/tests/tls-tests/client-past.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/gio/tests/tls-tests/client.pem b/gio/tests/tls-tests/client.pem
new file mode 100644
index 0000000..04bc8ac
--- /dev/null
+++ b/gio/tests/tls-tests/client.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/gio/tests/tls.c b/gio/tests/tls.c
index a608da1..b65a180 100644
--- a/gio/tests/tls.c
+++ b/gio/tests/tls.c
@@ -406,6 +406,177 @@ test_create_destroy_certificate_der (TestCertificate *test, gconstpointer data)
 }
 
 /* -----------------------------------------------------------------------------
+ * CERTIFICATE VERIFY
+ */
+
+typedef struct {
+  GTlsCertificate *cert;
+  GTlsCertificate *anchor;
+  GSocketConnectable *identity;
+} TestCertificateVerify;
+
+static void
+setup_certificate_verify (TestCertificateVerify *test,
+                          gconstpointer          data)
+{
+  GError *error = NULL;
+  gchar *path;
+
+  path = g_build_filename (SRCDIR, "tls-tests", "server.pem", NULL);
+  test->cert = g_tls_certificate_new_from_file (path, &error);
+  g_assert_no_error (error);
+  g_assert (G_IS_TLS_CERTIFICATE (test->cert));
+  g_free (path);
+
+  path = g_build_filename (SRCDIR, "tls-tests", "ca.pem", NULL);
+  test->anchor = g_tls_certificate_new_from_file (path, &error);
+  g_assert_no_error (error);
+  g_assert (G_IS_TLS_CERTIFICATE (test->anchor));
+  g_free (path);
+
+  test->identity = g_network_address_new ("server.example.com", 80);
+}
+
+static void
+teardown_certificate_verify (TestCertificateVerify   *test,
+                             gconstpointer            data)
+{
+  g_assert (G_IS_TLS_CERTIFICATE (test->cert));
+  g_object_unref (test->cert);
+  g_assert (!G_IS_TLS_CERTIFICATE (test->cert));
+
+  g_assert (G_IS_TLS_CERTIFICATE (test->anchor));
+  g_object_unref (test->anchor);
+  g_assert (!G_IS_TLS_CERTIFICATE (test->anchor));
+}
+
+static void
+test_verify_certificate_good (TestCertificateVerify  *test,
+                              gconstpointer           data)
+{
+  GTlsCertificateFlags errors;
+
+  errors = g_tls_certificate_verify (test->cert, test->identity, test->anchor);
+  g_assert_cmpuint (errors, ==, 0);
+
+  errors = g_tls_certificate_verify (test->cert, NULL, test->anchor);
+  g_assert_cmpuint (errors, ==, 0);
+}
+
+static void
+test_verify_certificate_bad_identity (TestCertificateVerify *test,
+                                      gconstpointer          data)
+{
+  GSocketConnectable *identity;
+  GTlsCertificateFlags errors;
+
+  identity = g_network_address_new ("other.example.com", 80);
+
+  errors = g_tls_certificate_verify (test->cert, identity, test->anchor);
+  g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_BAD_IDENTITY);
+
+  g_object_unref (identity);
+}
+
+static void
+test_verify_certificate_bad_ca (TestCertificateVerify *test,
+                                gconstpointer          data)
+{
+  GTlsCertificateFlags errors;
+  GTlsCertificate *cert;
+  GError *error = NULL;
+  gchar *path;
+
+  /* Use a client certificate as the CA, which is wrong */
+  path = g_build_filename (SRCDIR, "tls-tests", "client.pem", NULL);
+  cert = g_tls_certificate_new_from_file (path, &error);
+  g_assert_no_error (error);
+  g_assert (G_IS_TLS_CERTIFICATE (cert));
+  g_free (path);
+
+  errors = g_tls_certificate_verify (test->cert, test->identity, cert);
+  g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_UNKNOWN_CA);
+
+  g_object_unref (cert);
+}
+
+static void
+test_verify_certificate_bad_before (TestCertificateVerify *test,
+                                    gconstpointer          data)
+{
+  GTlsCertificateFlags errors;
+  GTlsCertificate *cert;
+  GError *error = NULL;
+  gchar *path;
+
+  /* This is a certificate in the future */
+  path = g_build_filename (SRCDIR, "tls-tests", "client-future.pem", NULL);
+  cert = g_tls_certificate_new_from_file (path, &error);
+  g_assert_no_error (error);
+  g_assert (G_IS_TLS_CERTIFICATE (cert));
+  g_free (path);
+
+  errors = g_tls_certificate_verify (cert, NULL, test->anchor);
+  g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_NOT_ACTIVATED);
+
+  g_object_unref (cert);
+}
+
+static void
+test_verify_certificate_bad_expired (TestCertificateVerify *test,
+                                     gconstpointer          data)
+{
+  GTlsCertificateFlags errors;
+  GTlsCertificate *cert;
+  GError *error = NULL;
+  gchar *path;
+
+  /* This is a certificate in the future */
+  path = g_build_filename (SRCDIR, "tls-tests", "client-past.pem", NULL);
+  cert = g_tls_certificate_new_from_file (path, &error);
+  g_assert_no_error (error);
+  g_assert (G_IS_TLS_CERTIFICATE (cert));
+  g_free (path);
+
+  errors = g_tls_certificate_verify (cert, NULL, test->anchor);
+  g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_EXPIRED);
+
+  g_object_unref (cert);
+}
+
+static void
+test_verify_certificate_bad_combo (TestCertificateVerify *test,
+                                   gconstpointer          data)
+{
+  GTlsCertificate *cert;
+  GSocketConnectable *identity;
+  GTlsCertificateFlags errors;
+  GError *error = NULL;
+  gchar *path;
+
+  path = g_build_filename (SRCDIR, "tls-tests", "client-past.pem", NULL);
+  cert = g_tls_certificate_new_from_file (path, &error);
+  g_assert_no_error (error);
+  g_assert (G_IS_TLS_CERTIFICATE (cert));
+  g_free (path);
+
+  /*
+   * - Use certificate as its own CA, not selfsigned, so unknown CA
+   * - Use wrong identity.
+   * - Use expired certificate.
+   */
+
+  identity = g_network_address_new ("other.example.com", 80);
+
+  errors = g_tls_certificate_verify (cert, identity, cert);
+  g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_UNKNOWN_CA |
+                    G_TLS_CERTIFICATE_BAD_IDENTITY | G_TLS_CERTIFICATE_EXPIRED);
+
+  g_object_unref (cert);
+}
+
+
+/* -----------------------------------------------------------------------------
  * BACKEND
  */
 
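Review bot: `setup_certificate_verify` stores a new `GSocketConnectable` in `test->identity`, but `teardown_certificate_verify` releases only `cert` and `anchor`, so every case leaks it; add `g_object_unref (test->identity);` to the teardown. `test_verify_certificate_bad_combo` leaks its local `identity` in the same way and needs `g_object_unref (identity);` next to the final unref of `cert`. The `g_assert (!G_IS_TLS_CERTIFICATE (...))` checks right after each `g_object_unref` in the teardown inspect an object that has presumably just been finalized, which is a read of freed memory; calling `g_object_add_weak_pointer` before the unref and asserting the pointer is `NULL` afterwards checks the same thing safely. The comment in `test_verify_certificate_bad_expired` was copied from the previous test and still says "in the future"; it should read `/* This certificate has already expired */`.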
@@ -451,5 +622,18 @@ main (int   argc,
   g_test_add ("/tls/certificate/create-destroy-der", TestCertificate, NULL,
               setup_certificate, test_create_destroy_certificate_der, teardown_certificate);
 
+  g_test_add ("/tls/certificate/verify-good", TestCertificateVerify, NULL,
+              setup_certificate_verify, test_verify_certificate_good, teardown_certificate_verify);
+  g_test_add ("/tls/certificate/verify-bad-identity", TestCertificateVerify, NULL,
+              setup_certificate_verify, test_verify_certificate_bad_identity, teardown_certificate_verify);
+  g_test_add ("/tls/certificate/verify-bad-ca", TestCertificateVerify, NULL,
+              setup_certificate_verify, test_verify_certificate_bad_ca, teardown_certificate_verify);
+  g_test_add ("/tls/certificate/verify-bad-before", TestCertificateVerify, NULL,
+              setup_certificate_verify, test_verify_certificate_bad_before, teardown_certificate_verify);
+  g_test_add ("/tls/certificate/verify-bad-expired", TestCertificateVerify, NULL,
+              setup_certificate_verify, test_verify_certificate_bad_expired, teardown_certificate_verify);
+  g_test_add ("/tls/certificate/verify-bad-combo", TestCertificateVerify, NULL,
+              setup_certificate_verify, test_verify_certificate_bad_combo, teardown_certificate_verify);
+
   return g_test_run();
 }
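Review bot: None of the cases registered here calls `g_tls_certificate_verify()` with a NULL `trusted_ca`, so the behaviour when no anchor is supplied is untested; a `/tls/certificate/verify-no-ca` case would pin which flags are reported for that call. The expected flags also depend on the wall clock: presumably `client-future.pem` becomes valid and `server.pem` expires at some fixed date, after which `verify-bad-before` and `verify-good` would start failing. A comment above these registrations would record that, e.g. `/* fixtures carry fixed validity dates; regenerate them before they lapse */`. `main` starts outside this hunk.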


