[glib-openssl/wip/new-tests] tests: new tests taken from glib-networking
- From: Ignacio Casal Quinteiro <icq src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-openssl/wip/new-tests] tests: new tests taken from glib-networking
- Date: Wed, 18 Oct 2017 20:46:20 +0000 (UTC)
commit 5c182ba8aea49a7da1982e3ab478bf40c68d1f59
Author: Ignacio Casal Quinteiro <icq gnome org>
Date: Wed Oct 18 22:44:17 2017 +0200
tests: new tests taken from glib-networking
tls/tests/connection.c | 83 +++++++++++++++++++++++++++++++++++++-
tls/tests/files/create-files.sh | 8 ++++
2 files changed, 88 insertions(+), 3 deletions(-)
---
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index befc8d4..1958890 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -917,6 +917,7 @@ test_client_auth_connection (TestConnection *test,
GTlsCertificate *cert;
GTlsCertificate *peer;
gboolean cas_changed;
+ GSocketClient *client;
test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error);
g_assert_no_error (error);
@@ -955,15 +956,42 @@ test_client_auth_connection (TestConnection *test,
g_assert (cas_changed == TRUE);
g_object_unref (cert);
+ g_object_unref (test->database);
+ g_object_unref (test->client_connection);
+
+ /* Now start a new connection to the same server with a different client cert */
+ client = g_socket_client_new ();
+ connection = G_IO_STREAM (g_socket_client_connect (client, G_SOCKET_CONNECTABLE (test->address),
+ NULL, &error));
+ g_assert_no_error (error);
+ g_object_unref (client);
+ test->client_connection = g_tls_client_connection_new (connection, test->identity, &error);
+ g_object_unref (connection);
+
+ g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection),
+ 0);
+ cert = g_tls_certificate_new_from_file (tls_test_file_path ("client2-and-key.pem"), &error);
+ g_assert_no_error (error);
+ g_tls_connection_set_certificate (G_TLS_CONNECTION (test->client_connection), cert);
+ g_object_unref (cert);
+ g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), test->database);
+
+ read_test_data_async (test);
+ g_main_loop_run (test->loop);
+
+ g_assert_no_error (test->read_error);
+ g_assert_no_error (test->server_error);
+
+ /* peer should see the second client cert */
+ peer = g_tls_connection_get_peer_certificate (G_TLS_CONNECTION (test->server_connection));
+ g_assert (peer != NULL);
+ g_assert (g_tls_certificate_is_same (peer, cert));
}
static void
test_client_auth_rehandshake (TestConnection *test,
gconstpointer data)
{
- g_test_skip ("the server avoids rehandshake to avoid the security problem CVE-2009-3555");
- return;
-
test->rehandshake = TRUE;
test_client_auth_connection (test, data);
}
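Review bot: In test_client_auth_connection the final `g_assert (g_tls_certificate_is_same (peer, cert));` dereferences `cert` after the test gave up its own reference with `g_object_unref (cert);` right after `g_tls_connection_set_certificate`, so the pointer stays valid only because the client connection happens to hold it; test_client_auth_failure in the later hunk keeps its unref until after the same assertion, so do the same here by moving `g_object_unref (cert);` to the end of the function. The same hunk also does `g_object_unref (test->database);` and later passes the unchanged pointer to `g_tls_connection_set_database` again (test_client_auth_failure repeats this pattern); that works only while some other holder, presumably the server connection set up outside the hunk, still owns a reference, and it leaves a released pointer in the fixture that a teardown unref would release a second time. Keeping the fixture's reference until teardown, i.e. dropping that unref, avoids both problems. Removing the `g_test_skip` re-enables the rehandshake path without saying why the CVE-2009-3555 concern no longer applies; a one-line comment at the top of test_client_auth_rehandshake stating the reason would help a future reader. The body of test_client_auth_connection begins before this hunk.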
@@ -975,6 +1003,10 @@ test_client_auth_failure (TestConnection *test,
GIOStream *connection;
GError *error = NULL;
gboolean accepted_changed;
+ GSocketClient *client;
+ GTlsCertificate *cert;
+ GTlsCertificate *peer;
+ GTlsInteraction *interaction;
test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error);
g_assert_no_error (error);
@@ -1005,6 +1037,51 @@ test_client_auth_failure (TestConnection *test,
g_assert_error (test->server_error, G_TLS_ERROR, G_TLS_ERROR_CERTIFICATE_REQUIRED);
g_assert (accepted_changed == TRUE);
+
+ g_object_unref (test->client_connection);
+ g_object_unref (test->database);
+ g_clear_error (&test->read_error);
+ g_clear_error (&test->server_error);
+
+ /* Now start a new connection to the same server with a valid client cert;
+ * this should succeed, and not use the cached failed session from above */
+ client = g_socket_client_new ();
+ connection = G_IO_STREAM (g_socket_client_connect (client, G_SOCKET_CONNECTABLE (test->address),
+ NULL, &error));
+ g_assert_no_error (error);
+ g_object_unref (client);
+ test->client_connection = g_tls_client_connection_new (connection, test->identity, &error);
+ g_object_unref (connection);
+
+ g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), test->database);
+
+ /* Have the interaction return a certificate */
+ cert = g_tls_certificate_new_from_file (tls_test_file_path ("client-and-key.pem"), &error);
+ g_assert_no_error (error);
+ interaction = mock_interaction_new_static_certificate (cert);
+ g_tls_connection_set_interaction (G_TLS_CONNECTION (test->client_connection), interaction);
+ g_object_unref (interaction);
+
+ /* All validation in this test */
+ g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION (test->client_connection),
+ G_TLS_CERTIFICATE_VALIDATE_ALL);
+
+ accepted_changed = FALSE;
+ g_signal_connect (test->client_connection, "notify::accepted-cas",
+ G_CALLBACK (on_notify_accepted_cas), &accepted_changed);
+
+ read_test_data_async (test);
+ g_main_loop_run (test->loop);
+
+ g_assert_no_error (test->read_error);
+ g_assert_no_error (test->server_error);
+
+ peer = g_tls_connection_get_peer_certificate (G_TLS_CONNECTION (test->server_connection));
+ g_assert (peer != NULL);
+ g_assert (g_tls_certificate_is_same (peer, cert));
+ g_assert (accepted_changed == TRUE);
+
+ g_object_unref (cert);
}
static void
diff --git a/tls/tests/files/create-files.sh b/tls/tests/files/create-files.sh
index 0a7140f..a887562 100755
--- a/tls/tests/files/create-files.sh
+++ b/tls/tests/files/create-files.sh
@@ -124,6 +124,14 @@ openssl x509 -req -in client-csr.pem -days 365 -startdate -enddate -CA ca.pem -C
sudo hwclock -s
touch client-future.pem
+msg "Creating second client key pair"
+openssl genrsa -out client2-key.pem 2048
+openssl req -config ssl/client.conf -key client2-key.pem -new -out client2-csr.pem
+openssl x509 -req -in client2-csr.pem -days 9125 -CA ca.pem -CAkey ca-key.pem -CAserial serial -out client2.pem
+
+msg "Concatenating second client certificate and private key into a single file"
+cat client2.pem client2-key.pem > client2-and-key.pem
+
#######################################################################
### Concatenate all non-CA certificates
#######################################################################
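Review bot: None of the three openssl invocations added here have their exit status checked, and the hunk does not show whether the script runs under `set -e`; if `genrsa` or `req` fails, the following `cat client2.pem client2-key.pem > client2-and-key.pem` still runs and leaves an incomplete fixture that the C tests would then load. If the script is not already using `set -e`, append `|| exit 1` to each of the three commands, or add `set -e` near the top of the script. The CSR also reuses `ssl/client.conf`, so client2.pem presumably carries the same subject as the first client certificate and differs only in key and serial; a short comment noting that this is intended, because the tests compare the certificates with g_tls_certificate_is_same rather than by subject, would document the choice.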