[glib/tls-database] Add tests for g_tls_certificate_verify().
- From: Stefan Walter <stefw src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib/tls-database] Add tests for g_tls_certificate_verify().
- Date: Tue, 18 Jan 2011 20:16:58 +0000 (UTC)
commit c8c50e3fb1d04a56671b68460fb2e17e22eece24
Author: Stef Walter <stefw collabora co uk>
Date: Tue Jan 18 11:49:10 2011 -0600
Add tests for g_tls_certificate_verify().
gio/tests/tls-tests/client-future.pem | 18 +++
gio/tests/tls-tests/client-past.pem | 18 +++
gio/tests/tls-tests/client.pem | 18 +++
gio/tests/tls.c | 184 +++++++++++++++++++++++++++++++++
4 files changed, 238 insertions(+), 0 deletions(-)
---
diff --git a/gio/tests/tls-tests/client-future.pem b/gio/tests/tls-tests/client-future.pem
new file mode 100644
index 0000000..de1cb75
--- /dev/null
+++ b/gio/tests/tls-tests/client-future.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3DCCAkUCAQowDQYJKoZIhvcNAQEFBQAwgYYxEzARBgoJkiaJk/IsZAEZFgND
+T00xFzAVBgoJkiaJk/IsZAEZFgdFWEFNUExFMR4wHAYDVQQLExVDZXJ0aWZpY2F0
+ZSBBdXRob3JpdHkxFzAVBgNVBAMTDmNhLmV4YW1wbGUuY29tMR0wGwYJKoZIhvcN
+AQkBFg5jYUBleGFtcGxlLmNvbTAeFw0yMDAxMTgxNzI3MDNaFw0yMTAxMTcxNzI3
+MDNaMGIxEzARBgoJkiaJk/IsZAEZFgNDT00xFzAVBgoJkiaJk/IsZAEZFgdFWEFN
+UExFMQ8wDQYDVQQDEwZDbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFt
+cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEgNDM/dg3t
+9DHNAPz/b87LSxEaKhoZ8AcNBym3LEOdCnXGEnKf0b9lkT5caXu5GAM84ahTCJ7n
+79RVNrqGKM7jbBdSX+ZUfkqJQPhOXD2+0niYQicH92nz78kxmjlbizvd3fM1BlO+
+C/++NWf2EAhORVAjvJrHNokJp3PTNRJ1WWteHeU9PwfGmWHKVc1IgvRFMH08604I
+ZzX5CcxIg/b56g27A7CBPh/KO/qKTDLFFNGc1T2asvY/P3+PeN6y+leFHStCTu7R
+Bi/l4hczZdnwq3BGT6mnjEN7wau2s7pA067SXimNOkYi5fgwspMHi8fJWmYyBypU
+mQBRzwfm77ECAwEAATANBgkqhkiG9w0BAQUFAAOBgQBvt8v930fQtxR7f7Vcb1Hg
+irq1CtffsBqtKYupYg6IgloiRA6U5wdU0e6faA3Ppsmd4SmNKb9ZavIgnDBfx8MP
+1/IpsNOkg0366bP/zzkAhcXspo7PU8yZIqep//wT4TOFz04N8Lshqm8HUejShFdA
+fB8C0LX5Y/2219ZVMaaEbw==
+-----END CERTIFICATE-----
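Review bot: The validity window baked into this fixture makes the not-yet-valid test depend on the wall clock. The two UTCTime fields in the base64 body appear to decode to `200118172703Z` and `210117172703Z`, i.e. valid from 18 Jan 2020 to 17 Jan 2021. `test_verify_certificate_bad_before` in gio/tests/tls.c expects exactly `G_TLS_CERTIFICATE_NOT_ACTIVATED`, so it would start failing once the clock passes the first date, and after the second date the certificate is simply expired. Regenerating the fixture with a notBefore decades out would keep the negative case exercising the not-yet-valid path; a header comment in the test naming the fixture's dates would also help whoever has to refresh it.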
diff --git a/gio/tests/tls-tests/client-past.pem b/gio/tests/tls-tests/client-past.pem
new file mode 100644
index 0000000..2dbb4d1
--- /dev/null
+++ b/gio/tests/tls-tests/client-past.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/gio/tests/tls-tests/client.pem b/gio/tests/tls-tests/client.pem
new file mode 100644
index 0000000..04bc8ac
--- /dev/null
+++ b/gio/tests/tls-tests/client.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/gio/tests/tls.c b/gio/tests/tls.c
index a608da1..b65a180 100644
--- a/gio/tests/tls.c
+++ b/gio/tests/tls.c
@@ -406,6 +406,177 @@ test_create_destroy_certificate_der (TestCertificate *test, gconstpointer data)
}
/* -----------------------------------------------------------------------------
+ * CERTIFICATE VERIFY
+ */
+
+typedef struct {
+ GTlsCertificate *cert;
+ GTlsCertificate *anchor;
+ GSocketConnectable *identity;
+} TestCertificateVerify;
+
+static void
+setup_certificate_verify (TestCertificateVerify *test,
+ gconstpointer data)
+{
+ GError *error = NULL;
+ gchar *path;
+
+ path = g_build_filename (SRCDIR, "tls-tests", "server.pem", NULL);
+ test->cert = g_tls_certificate_new_from_file (path, &error);
+ g_assert_no_error (error);
+ g_assert (G_IS_TLS_CERTIFICATE (test->cert));
+ g_free (path);
+
+ path = g_build_filename (SRCDIR, "tls-tests", "ca.pem", NULL);
+ test->anchor = g_tls_certificate_new_from_file (path, &error);
+ g_assert_no_error (error);
+ g_assert (G_IS_TLS_CERTIFICATE (test->anchor));
+ g_free (path);
+
+ test->identity = g_network_address_new ("server.example.com", 80);
+}
+
+static void
+teardown_certificate_verify (TestCertificateVerify *test,
+ gconstpointer data)
+{
+ g_assert (G_IS_TLS_CERTIFICATE (test->cert));
+ g_object_unref (test->cert);
+ g_assert (!G_IS_TLS_CERTIFICATE (test->cert));
+
+ g_assert (G_IS_TLS_CERTIFICATE (test->anchor));
+ g_object_unref (test->anchor);
+ g_assert (!G_IS_TLS_CERTIFICATE (test->anchor));
+}
+
+static void
+test_verify_certificate_good (TestCertificateVerify *test,
+ gconstpointer data)
+{
+ GTlsCertificateFlags errors;
+
+ errors = g_tls_certificate_verify (test->cert, test->identity, test->anchor);
+ g_assert_cmpuint (errors, ==, 0);
+
+ errors = g_tls_certificate_verify (test->cert, NULL, test->anchor);
+ g_assert_cmpuint (errors, ==, 0);
+}
+
+static void
+test_verify_certificate_bad_identity (TestCertificateVerify *test,
+ gconstpointer data)
+{
+ GSocketConnectable *identity;
+ GTlsCertificateFlags errors;
+
+ identity = g_network_address_new ("other.example.com", 80);
+
+ errors = g_tls_certificate_verify (test->cert, identity, test->anchor);
+ g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_BAD_IDENTITY);
+
+ g_object_unref (identity);
+}
+
+static void
+test_verify_certificate_bad_ca (TestCertificateVerify *test,
+ gconstpointer data)
+{
+ GTlsCertificateFlags errors;
+ GTlsCertificate *cert;
+ GError *error = NULL;
+ gchar *path;
+
+ /* Use a client certificate as the CA, which is wrong */
+ path = g_build_filename (SRCDIR, "tls-tests", "client.pem", NULL);
+ cert = g_tls_certificate_new_from_file (path, &error);
+ g_assert_no_error (error);
+ g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_free (path);
+
+ errors = g_tls_certificate_verify (test->cert, test->identity, cert);
+ g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_UNKNOWN_CA);
+
+ g_object_unref (cert);
+}
+
+static void
+test_verify_certificate_bad_before (TestCertificateVerify *test,
+ gconstpointer data)
+{
+ GTlsCertificateFlags errors;
+ GTlsCertificate *cert;
+ GError *error = NULL;
+ gchar *path;
+
+ /* This is a certificate in the future */
+ path = g_build_filename (SRCDIR, "tls-tests", "client-future.pem", NULL);
+ cert = g_tls_certificate_new_from_file (path, &error);
+ g_assert_no_error (error);
+ g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_free (path);
+
+ errors = g_tls_certificate_verify (cert, NULL, test->anchor);
+ g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_NOT_ACTIVATED);
+
+ g_object_unref (cert);
+}
+
+static void
+test_verify_certificate_bad_expired (TestCertificateVerify *test,
+ gconstpointer data)
+{
+ GTlsCertificateFlags errors;
+ GTlsCertificate *cert;
+ GError *error = NULL;
+ gchar *path;
+
+ /* This is a certificate in the future */
+ path = g_build_filename (SRCDIR, "tls-tests", "client-past.pem", NULL);
+ cert = g_tls_certificate_new_from_file (path, &error);
+ g_assert_no_error (error);
+ g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_free (path);
+
+ errors = g_tls_certificate_verify (cert, NULL, test->anchor);
+ g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_EXPIRED);
+
+ g_object_unref (cert);
+}
+
+static void
+test_verify_certificate_bad_combo (TestCertificateVerify *test,
+ gconstpointer data)
+{
+ GTlsCertificate *cert;
+ GSocketConnectable *identity;
+ GTlsCertificateFlags errors;
+ GError *error = NULL;
+ gchar *path;
+
+ path = g_build_filename (SRCDIR, "tls-tests", "client-past.pem", NULL);
+ cert = g_tls_certificate_new_from_file (path, &error);
+ g_assert_no_error (error);
+ g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_free (path);
+
+ /*
+ * - Use certificate as its own CA, not selfsigned, so unknown CA
+ * - Use wrong identity.
+ * - Use expired certificate.
+ */
+
+ identity = g_network_address_new ("other.example.com", 80);
+
+ errors = g_tls_certificate_verify (cert, identity, cert);
+ g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_UNKNOWN_CA |
+ G_TLS_CERTIFICATE_BAD_IDENTITY | G_TLS_CERTIFICATE_EXPIRED);
+
+ g_object_unref (cert);
+}
+
+
+/* -----------------------------------------------------------------------------
* BACKEND
*/
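Review bot: In `teardown_certificate_verify` the `g_assert (!G_IS_TLS_CERTIFICATE (test->cert))` and the matching check on `test->anchor` run after `g_object_unref`, so when that was the last reference they inspect freed memory and the outcome is undefined rather than a reliable finalization check. The same teardown never releases `test->identity` created in setup, and `test_verify_certificate_bad_combo` never unrefs its local `identity` (add `g_object_unref (identity);` next to the existing unref of `cert`); both will show up as leaks under valgrind or ASan. A weak pointer gives the same "object is gone" assertion without touching the freed instance, as sketched below. Separately, the comment in `test_verify_certificate_bad_expired` still reads `This is a certificate in the future` and should say `/* This certificate has already expired */`.

```c
static void
teardown_certificate_verify (TestCertificateVerify *test,
                             gconstpointer data)
{
  /* A weak pointer is cleared on finalize, so the check never reads freed memory */
  g_object_add_weak_pointer (G_OBJECT (test->cert), (gpointer *)&test->cert);
  g_object_unref (test->cert);
  g_assert (test->cert == NULL);

  g_object_add_weak_pointer (G_OBJECT (test->anchor), (gpointer *)&test->anchor);
  g_object_unref (test->anchor);
  g_assert (test->anchor == NULL);

  /* Created in setup_certificate_verify and otherwise never released */
  g_object_unref (test->identity);
}
```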
@@ -451,5 +622,18 @@ main (int argc,
g_test_add ("/tls/certificate/create-destroy-der", TestCertificate, NULL,
setup_certificate, test_create_destroy_certificate_der, teardown_certificate);
+ g_test_add ("/tls/certificate/verify-good", TestCertificateVerify, NULL,
+ setup_certificate_verify, test_verify_certificate_good, teardown_certificate_verify);
+ g_test_add ("/tls/certificate/verify-bad-identity", TestCertificateVerify, NULL,
+ setup_certificate_verify, test_verify_certificate_bad_identity, teardown_certificate_verify);
+ g_test_add ("/tls/certificate/verify-bad-ca", TestCertificateVerify, NULL,
+ setup_certificate_verify, test_verify_certificate_bad_ca, teardown_certificate_verify);
+ g_test_add ("/tls/certificate/verify-bad-before", TestCertificateVerify, NULL,
+ setup_certificate_verify, test_verify_certificate_bad_before, teardown_certificate_verify);
+ g_test_add ("/tls/certificate/verify-bad-expired", TestCertificateVerify, NULL,
+ setup_certificate_verify, test_verify_certificate_bad_expired, teardown_certificate_verify);
+ g_test_add ("/tls/certificate/verify-bad-combo", TestCertificateVerify, NULL,
+ setup_certificate_verify, test_verify_certificate_bad_combo, teardown_certificate_verify);
+
return g_test_run();
}