Diffstat (limited to 'test/http/mutual_tls.cpp')
-rw-r--r--test/http/mutual_tls.cpp86
1 files changed, 34 insertions, 52 deletions
diff --git a/test/http/mutual_tls.cpp b/test/http/mutual_tls.cpp
index b1b7878586..7b5cb25acd 100644
--- a/test/http/mutual_tls.cpp
+++ b/test/http/mutual_tls.cpp
@@ -25,6 +25,32 @@ class OSSLX509
OSSLX509(OSSLX509&&) = delete;
OSSLX509() = default;
+
+ void setSubjectName()
+ {
+ X509_NAME* name = X509_get_subject_name(ptr);
+ std::array<unsigned char, 5> user = {'u', 's', 'e', 'r', '\0'};
+ X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, user.data(), -1,
+ -1, 0);
+ }
+ void sign()
+ {
+ // Generate test key
+ EVP_PKEY* pkey = nullptr;
+ EVP_PKEY_CTX* pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, nullptr);
+ ASSERT_EQ(EVP_PKEY_keygen_init(pctx), 1);
+ ASSERT_EQ(
+ EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1),
+ 1);
+ ASSERT_EQ(EVP_PKEY_keygen(pctx, &pkey), 1);
+ EVP_PKEY_CTX_free(pctx);
+
+ // Sign cert with key
+ ASSERT_EQ(X509_set_pubkey(ptr, pkey), 1);
+ ASSERT_GT(X509_sign(ptr, pkey, EVP_sha256()), 0);
+ EVP_PKEY_free(pkey);
+ }
+
X509* get()
{
return ptr;
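Review bot: `sign()` passes `pctx` straight into `EVP_PKEY_keygen_init` without checking that `EVP_PKEY_CTX_new_id` returned non-null, so an OpenSSL provider or allocation failure would surface as a crash rather than a test failure; add `ASSERT_THAT(pctx, NotNull());` before the keygen calls. Since `ASSERT_*` returns from the helper early, the raw `pctx`/`pkey` handles are also leaked on any failing assertion; wrapping them in `std::unique_ptr` with `EVP_PKEY_CTX_free`/`EVP_PKEY_free` deleters (as the file already does for X509 via `OSSLX509`) would keep the cleanup on every path. Likewise `setSubjectName()` discards the return of `X509_NAME_add_entry_by_txt`; an `ASSERT_EQ(..., 1)` there would stop a test from silently running with no CN. The OSSLX509 class is only partially visible in this hunk.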
@@ -61,11 +87,7 @@ TEST(MutualTLS, GoodCert)
{
OSSLX509 x509;
- X509_NAME* name = X509_get_subject_name(x509.get());
- std::array<unsigned char, 5> user = {'u', 's', 'e', 'r', '\0'};
- X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, user.data(), -1, -1,
- 0);
-
+ x509.setSubjectName();
X509_EXTENSION* ex = X509V3_EXT_conf_nid(nullptr, nullptr, NID_key_usage,
"digitalSignature, keyAgreement");
ASSERT_THAT(ex, NotNull());
@@ -76,6 +98,8 @@ TEST(MutualTLS, GoodCert)
ASSERT_EQ(X509_add_ext(x509.get(), ex, -1), 1);
X509_EXTENSION_free(ex);
+ x509.sign();
+
OSSLX509StoreCTX x509Store;
X509_STORE_CTX_set_current_cert(x509Store.get(), x509.get());
@@ -87,35 +111,13 @@ TEST(MutualTLS, GoodCert)
EXPECT_THAT(session->username, "user");
}
-TEST(MutualTLS, MissingSubject)
-{
- OSSLX509 x509;
-
- X509_EXTENSION* ex = X509V3_EXT_conf_nid(nullptr, nullptr, NID_key_usage,
- "digitalSignature, keyAgreement");
- ASSERT_THAT(ex, NotNull());
- ASSERT_EQ(X509_add_ext(x509.get(), ex, -1), 1);
- X509_EXTENSION_free(ex);
- ex = X509V3_EXT_conf_nid(nullptr, nullptr, NID_ext_key_usage, "clientAuth");
- ASSERT_THAT(ex, NotNull());
- ASSERT_EQ(X509_add_ext(x509.get(), ex, -1), 1);
- X509_EXTENSION_free(ex);
-
- OSSLX509StoreCTX x509Store;
- X509_STORE_CTX_set_current_cert(x509Store.get(), x509.get());
-
- boost::asio::ip::address ip;
- boost::asio::ssl::verify_context ctx(x509Store.get());
- std::shared_ptr<persistent_data::UserSession> session = verifyMtlsUser(ip,
- ctx);
- ASSERT_THAT(session, IsNull());
-}
-
TEST(MutualTLS, MissingKeyUsage)
{
- for (const char* usageString : {"digitalSignature", "keyAgreement"})
+ for (const char* usageString :
+ {"digitalSignature", "keyAgreement", "digitalSignature, keyAgreement"})
{
OSSLX509 x509;
+ x509.setSubjectName();
X509_EXTENSION* ex = X509V3_EXT_conf_nid(nullptr, nullptr,
NID_key_usage, usageString);
@@ -128,6 +130,7 @@ TEST(MutualTLS, MissingKeyUsage)
ASSERT_THAT(ex, NotNull());
ASSERT_EQ(X509_add_ext(x509.get(), ex, -1), 1);
X509_EXTENSION_free(ex);
+ x509.sign();
OSSLX509StoreCTX x509Store;
X509_STORE_CTX_set_current_cert(x509Store.get(), x509.get());
@@ -136,31 +139,10 @@ TEST(MutualTLS, MissingKeyUsage)
boost::asio::ssl::verify_context ctx(x509Store.get());
std::shared_ptr<persistent_data::UserSession> session =
verifyMtlsUser(ip, ctx);
- ASSERT_THAT(session, IsNull());
+ ASSERT_THAT(session, NotNull());
}
}
-TEST(MutualTLS, MissingExtKeyUsage)
-{
- OSSLX509 x509;
-
- X509_EXTENSION* ex = X509V3_EXT_conf_nid(nullptr, nullptr, NID_key_usage,
- "digitalSignature, keyAgreement");
-
- ASSERT_THAT(ex, NotNull());
- ASSERT_EQ(X509_add_ext(x509.get(), ex, -1), 1);
- X509_EXTENSION_free(ex);
-
- OSSLX509StoreCTX x509Store;
- X509_STORE_CTX_set_current_cert(x509Store.get(), x509.get());
-
- boost::asio::ip::address ip;
- boost::asio::ssl::verify_context ctx(x509Store.get());
- std::shared_ptr<persistent_data::UserSession> session = verifyMtlsUser(ip,
- ctx);
- ASSERT_THAT(session, IsNull());
-}
-
TEST(MutualTLS, MissingCert)
{
OSSLX509StoreCTX x509Store;
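Review bot: The assertion at the end of `MissingKeyUsage` is flipped to `ASSERT_THAT(session, NotNull());`, so the test now proves that a certificate carrying only `digitalSignature` or only `keyAgreement` is accepted, which the name `MissingKeyUsage` no longer describes; rename it (e.g. `TEST(MutualTLS, PartialKeyUsageAccepted)`) or add a comment such as `// Either key-usage bit alone is sufficient for client auth` above the loop. With `MissingSubject` and `MissingExtKeyUsage` deleted in the same commit, `MissingCert` is the only remaining negative case, so nothing documents whether a signed cert without a CN or without `clientAuth` is still rejected by `verifyMtlsUser`; if those are still rejection paths, the removed tests should be kept with `x509.sign()` added rather than dropped, and if they are now accepted, they deserve an explicit positive assertion like the one here. The loop body of this test begins in an earlier hunk.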