/* * verify-test.cpp * * This source file is part of the FoundationDB open source project * * Copyright 2013-2018 Apple Inc. and the FoundationDB project authors * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include #include #include #include #include #include "ITLSPlugin.h" #include "ReferenceCounted.h" #include "FDBLibTLSPlugin.h" #include "FDBLibTLSPolicy.h" struct FDBLibTLSVerifyTest { FDBLibTLSVerifyTest(std::string input): input(input), valid(false), verify_cert(true), verify_time(true), subject_criteria({}), issuer_criteria({}), root_criteria({}) {}; FDBLibTLSVerifyTest(std::string input, bool verify_cert, bool verify_time, std::map subject, std::map issuer, std::map root): input(input), valid(true), verify_cert(verify_cert), verify_time(verify_time), subject_criteria(subject), issuer_criteria(issuer), root_criteria(root) {}; ~FDBLibTLSVerifyTest() {}; int run(); std::string input; bool valid; bool verify_cert; bool verify_time; std::map subject_criteria; std::map issuer_criteria; std::map root_criteria; }; static std::string printable( std::string const& val ) { static char const digits[] = "0123456789ABCDEF"; std::string s; for ( int i = 0; i < val.size(); i++ ) { uint8_t b = val[i]; if (b >= 32 && b < 127 && b != '\\') s += (char)b; else if (b == '\\') s += "\\\\"; else { s += "\\x"; s += digits[(b >> 4) & 15]; s += digits[b & 15]; } } return s; } static std::string criteriaToString(std::map const& criteria) { std::string s; for (auto &pair: criteria) { s += "{" + std::to_string(pair.first) + ":" + printable(pair.second) + "}"; } return "{" + s + "}"; } static void logf(const char* event, void* uid, int is_error, ...) { } int FDBLibTLSVerifyTest::run() { Reference verify; try { verify = Reference(new FDBLibTLSVerify(input)); } catch ( const std::runtime_error& e ) { if (valid) { std::cerr << "FAIL: Verify test failed, but should have succeeded - '" << input << "'\n"; return 1; } return 0; } if (!valid) { std::cerr << "FAIL: Verify test should have failed, but succeeded - '" << input << "'\n"; return 1; } if (verify->verify_cert != verify_cert) { std::cerr << "FAIL: Got verify cert " << verify->verify_cert << ", want " << verify_cert << "\n"; return 1; } if (verify->verify_time != verify_time) { std::cerr << "FAIL: Got verify time " << verify->verify_time << ", want " << verify_time << "\n"; return 1; } if (verify->subject_criteria != subject_criteria) { std::cerr << "FAIL: Got subject criteria " << criteriaToString(verify->subject_criteria) << ", want " << criteriaToString(subject_criteria) << "\n"; return 1; } if (verify->issuer_criteria != issuer_criteria) { std::cerr << "FAIL: Got issuer criteria " << criteriaToString(verify->issuer_criteria) << ", want " << criteriaToString(issuer_criteria) << "\n"; return 1; } if (verify->root_criteria != root_criteria) { std::cerr << "FAIL: Got root criteria " << criteriaToString(verify->root_criteria) << ", want " << criteriaToString(root_criteria) << "\n"; return 1; } return 0; } static int policy_verify_test() { Reference plugin = Reference(new FDBLibTLSPlugin()); Reference policy = Reference(new FDBLibTLSPolicy(plugin, (ITLSLogFunc)logf)); const char *verify_peers[] = { "S.CN=abc", "I.CN=def", "R.CN=xyz,Check.Unexpired=0", }; int verify_peers_len[] = { (int)strlen(verify_peers[0]), (int)strlen(verify_peers[1]), (int)strlen(verify_peers[2]), }; Reference verify_rules[] = { Reference(new FDBLibTLSVerify(std::string(verify_peers[0], verify_peers_len[0]))), Reference(new FDBLibTLSVerify(std::string(verify_peers[1], verify_peers_len[1]))), Reference(new FDBLibTLSVerify(std::string(verify_peers[2], verify_peers_len[2]))), }; if (!policy->set_verify_peers(3, (const uint8_t **)verify_peers, verify_peers_len)) { std::cerr << "FAIL: Policy verify test failed, but should have succeeded\n"; return 1; } if (policy->verify_rules.size() != 3) { std::cerr << "FAIL: Got " << policy->verify_rules.size() << " verify rule, want 3\n"; return 1; } int i = 0; for (auto &verify_rule: policy->verify_rules) { if (verify_rule->verify_cert != verify_rules[i]->verify_cert) { std::cerr << "FAIL: Got verify cert " << verify_rule->verify_cert << ", want " << verify_rules[i]->verify_cert << "\n"; return 1; } if (verify_rule->verify_time != verify_rules[i]->verify_time) { std::cerr << "FAIL: Got verify time " << verify_rule->verify_time << ", want " << verify_rules[i]->verify_time << "\n"; return 1; } if (verify_rule->subject_criteria != verify_rules[i]->subject_criteria) { std::cerr << "FAIL: Got subject criteria " << criteriaToString(verify_rule->subject_criteria) << ", want " << criteriaToString(verify_rules[i]->subject_criteria) << "\n"; return 1; } if (verify_rule->issuer_criteria != verify_rules[i]->issuer_criteria) { std::cerr << "FAIL: Got issuer criteria " << criteriaToString(verify_rule->issuer_criteria) << ", want " << criteriaToString(verify_rules[i]->issuer_criteria) << "\n"; return 1; } if (verify_rule->root_criteria != verify_rules[i]->root_criteria) { std::cerr << "FAIL: Got root criteria " << criteriaToString(verify_rule->root_criteria) << ", want " << criteriaToString(verify_rules[i]->root_criteria) << "\n"; return 1; } i++; } return 0; } int main(int argc, char **argv) { int failed = 0; std::vector tests = { FDBLibTLSVerifyTest("", true, true, {}, {}, {}), FDBLibTLSVerifyTest("Check.Valid=1", true, true, {}, {}, {}), FDBLibTLSVerifyTest("Check.Valid=0", false, true, {}, {}, {}), FDBLibTLSVerifyTest("Check.Unexpired=1", true, true, {}, {}, {}), FDBLibTLSVerifyTest("Check.Unexpired=0", true, false, {}, {}, {}), FDBLibTLSVerifyTest("Check.Valid=1,Check.Unexpired=0", true, false, {}, {}, {}), FDBLibTLSVerifyTest("Check.Unexpired=0,Check.Valid=0", false, false, {}, {}, {}), FDBLibTLSVerifyTest("Check.Unexpired=0,I.C=US,C=US,S.O=XYZCorp\\, LLC", true, false, {{NID_countryName, "US"}, {NID_organizationName, "XYZCorp, LLC"}}, {{NID_countryName, "US"}}, {}), FDBLibTLSVerifyTest("Check.Unexpired=0,I.C=US,C=US,S.O=XYZCorp\\= LLC", true, false, {{NID_countryName, "US"}, {NID_organizationName, "XYZCorp= LLC"}}, {{NID_countryName, "US"}}, {}), FDBLibTLSVerifyTest("Check.Unexpired=0,R.C=US,C=US,S.O=XYZCorp\\= LLC", true, false, {{NID_countryName, "US"}, {NID_organizationName, "XYZCorp= LLC"}}, {}, {{NID_countryName, "US"}}), FDBLibTLSVerifyTest("Check.Unexpired=0,I.C=US,C=US,S.O=XYZCorp=LLC", true, false, {{NID_countryName, "US"}, {NID_organizationName, "XYZCorp=LLC"}}, {{NID_countryName, "US"}}, {}), FDBLibTLSVerifyTest("I.C=US,C=US,Check.Unexpired=0,S.O=XYZCorp=LLC", true, false, {{NID_countryName, "US"}, {NID_organizationName, "XYZCorp=LLC"}}, {{NID_countryName, "US"}}, {}), FDBLibTLSVerifyTest("I.C=US,C=US,S.O=XYZCorp\\, LLC", true, true, {{NID_countryName, "US"}, {NID_organizationName, "XYZCorp, LLC"}}, {{NID_countryName, "US"}}, {}), FDBLibTLSVerifyTest("I.C=US,C=US,S.O=XYZCorp\\, LLC,R.CN=abc", true, true, {{NID_countryName, "US"}, {NID_organizationName, "XYZCorp, LLC"}}, {{NID_countryName, "US"}}, {{NID_commonName, "abc"}}), FDBLibTLSVerifyTest("C=\\,S=abc", true, true, {{NID_countryName, ",S=abc"}}, {}, {}), FDBLibTLSVerifyTest("CN=\\61\\62\\63", true, true, {{NID_commonName, "abc"}}, {}, {}), FDBLibTLSVerifyTest("CN=a\\62c", true, true, {{NID_commonName, "abc"}}, {}, {}), FDBLibTLSVerifyTest("CN=a\\01c", true, true, {{NID_commonName, "a\001c"}}, {}, {}), // Invalid cases. FDBLibTLSVerifyTest("Check.Invalid=0"), FDBLibTLSVerifyTest("Valid=1"), FDBLibTLSVerifyTest("C= US,S=abc"), FDBLibTLSVerifyTest("C=#US,S=abc"), FDBLibTLSVerifyTest("C=abc,S=\\"), FDBLibTLSVerifyTest("XYZ=abc"), FDBLibTLSVerifyTest("GN=abc"), FDBLibTLSVerifyTest("CN=abc,Check.Expired=1"), }; for (auto &test: tests) failed |= test.run(); failed |= policy_verify_test(); return (failed); }