/* GIO TLS tests
*
* Copyright 2011 Collabora, Ltd.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General
* Public License along with this library; if not, see
* <http://www.gnu.org/licenses/>.
*
* In addition, when the library is used with OpenSSL, a special
* exception applies. Refer to the LICENSE_EXCEPTION file for details.
*
* Author: Stef Walter <stefw@collabora.co.uk>
*/
#include "config.h"
#include <gio/gio.h>
#include "gnutls/gtlscertificate-gnutls.h"
#include <sys/types.h>
#include <string.h>
/* Build the absolute path of a fixture file living in the "files" directory
 * shipped with these tests.  The result is interned, so it stays valid for
 * the lifetime of the process and callers must not free it. */
static const gchar *
tls_test_file_path (const char *name)
{
  gchar *built = g_test_build_filename (G_TEST_DIST, "files", name, NULL);
  const gchar *interned;

  /* g_test_build_filename() may hand back a relative path; anchor it to the
   * current working directory so callers always receive an absolute one. */
  if (!g_path_is_absolute (built))
    {
      gchar *cwd = g_get_current_dir ();
      gchar *absolute = g_build_filename (cwd, built, NULL);

      g_free (cwd);
      g_free (built);
      built = absolute;
    }

  interned = g_intern_string (built);
  g_free (built);

  return interned;
}
/* -----------------------------------------------------------------------------
* CERTIFICATE VERIFY
*/
/* Fixture for the /tls/database/verify-* cases.  Populated by setup_verify()
 * and released (with a leak check on every field) by teardown_verify(). */
typedef struct {
  GTlsCertificate *cert;          /* the certificate under test (server.pem) */
  GSocketConnectable *identity;   /* the name it is expected to match */
  GTlsDatabase *database;         /* file database whose anchors come from ca.pem */
} TestVerify;
/* Fixture setup for the verify tests: loads server.pem as the certificate
 * under test, opens a database whose anchors come from ca.pem, and builds the
 * identity the certificate was issued for.  @data is the unused argument
 * passed through g_test_add(). */
static void
setup_verify (TestVerify *test,
              gconstpointer data)
{
  GError *err = NULL;
  const gchar *cert_path = tls_test_file_path ("server.pem");
  const gchar *ca_path = tls_test_file_path ("ca.pem");

  test->cert = g_tls_certificate_new_from_file (cert_path, &err);
  g_assert_no_error (err);
  g_assert (G_IS_TLS_CERTIFICATE (test->cert));

  test->database = g_tls_file_database_new (ca_path, &err);
  g_assert_no_error (err);
  g_assert (G_IS_TLS_DATABASE (test->database));

  /* The host name the server certificate is expected to match. */
  test->identity = g_network_address_new ("server.example.com", 80);
}
/* Drop the fixture's reference held at @location and assert it was the last
 * one: the weak pointer is cleared only if the unref destroyed the object, so
 * a test that leaked a reference fails here instead of silently. */
static void
teardown_verify_release (gpointer *location)
{
  GObject *object = G_OBJECT (*location);

  g_object_add_weak_pointer (object, location);
  g_object_unref (object);
  g_assert (*location == NULL);
}

/* Fixture teardown for the verify tests; every field must still be alive and
 * must be released by this last unref. */
static void
teardown_verify (TestVerify *test,
                 gconstpointer data)
{
  g_assert (G_IS_TLS_CERTIFICATE (test->cert));
  teardown_verify_release ((gpointer *) &test->cert);

  g_assert (G_IS_TLS_DATABASE (test->database));
  teardown_verify_release ((gpointer *) &test->database);

  teardown_verify_release ((gpointer *) &test->identity);
}
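/* A certificate chaining up to the database's anchor, presented for the name
 * it was issued to, must verify with no flags set.  The same must hold when
 * no identity is supplied, which this test also expects to succeed cleanly. */
static void
test_verify_database_good (TestVerify *test,
                           gconstpointer data)
{
  GTlsCertificateFlags flags;
  GError *err = NULL;

  /* Verify against the identity the certificate was issued for. */
  flags = g_tls_database_verify_chain (test->database, test->cert,
                                       G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER,
                                       test->identity, NULL, 0, NULL, &err);
  g_assert_no_error (err);
  g_assert_cmpuint (flags, ==, 0);

  /* Verify again with no identity.  Check the error before the flags, as the
   * other verify tests do: a failed call is then reported with its cause
   * rather than as a puzzling flag mismatch. */
  flags = g_tls_database_verify_chain (test->database, test->cert,
                                       G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER,
                                       NULL, NULL, 0, NULL, &err);
  g_assert_no_error (err);
  g_assert_cmpuint (flags, ==, 0);
}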
/* A valid chain presented for a host name the certificate was not issued to
 * must be flagged with BAD_IDENTITY, and with that flag only. */
static void
test_verify_database_bad_identity (TestVerify *test,
                                   gconstpointer data)
{
  GError *err = NULL;
  GTlsCertificateFlags flags;
  GSocketConnectable *wrong_identity;

  /* Not the name server.pem was issued for. */
  wrong_identity = g_network_address_new ("other.example.com", 80);

  flags = g_tls_database_verify_chain (test->database, test->cert,
                                       G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER,
                                       wrong_identity, NULL, 0, NULL, &err);
  g_assert_no_error (err);
  /* Exact comparison: no other flag may accompany the identity mismatch. */
  g_assert_cmpuint (flags, ==, G_TLS_CERTIFICATE_BAD_IDENTITY);

  g_object_unref (wrong_identity);
}
/* A certificate not issued by anything in the database (a self-signed one
 * here) must be flagged with UNKNOWN_CA.  The identity does match, so that
 * must be the only flag reported. */
static void
test_verify_database_bad_ca (TestVerify *test,
                             gconstpointer data)
{
  GError *err = NULL;
  GTlsCertificateFlags flags;
  GTlsCertificate *self_signed;

  /* Use another certificate which isn't in our CA list. */
  self_signed = g_tls_certificate_new_from_file (tls_test_file_path ("server-self.pem"), &err);
  g_assert_no_error (err);
  g_assert (G_IS_TLS_CERTIFICATE (self_signed));

  flags = g_tls_database_verify_chain (test->database, self_signed,
                                       G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER,
                                       test->identity, NULL, 0, NULL, &err);
  g_assert_no_error (err);
  g_assert_cmpuint (flags, ==, G_TLS_CERTIFICATE_UNKNOWN_CA);

  g_object_unref (self_signed);
}
/* A certificate whose validity period has not started yet must be flagged
 * with NOT_ACTIVATED, and with that flag only (no identity is supplied). */
static void
test_verify_database_bad_before (TestVerify *test,
                                 gconstpointer data)
{
  GError *err = NULL;
  GTlsCertificateFlags flags;
  GTlsCertificate *not_yet_valid;

  /* client-future.pem is a certificate whose validity starts in the future. */
  not_yet_valid = g_tls_certificate_new_from_file (tls_test_file_path ("client-future.pem"), &err);
  g_assert_no_error (err);
  g_assert (G_IS_TLS_CERTIFICATE (not_yet_valid));

  flags = g_tls_database_verify_chain (test->database, not_yet_valid,
                                       G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER,
                                       NULL, NULL, 0, NULL, &err);
  g_assert_no_error (err);
  g_assert_cmpuint (flags, ==, G_TLS_CERTIFICATE_NOT_ACTIVATED);

  g_object_unref (not_yet_valid);
}
/* A certificate whose validity period is already over must be flagged with
 * EXPIRED, and with that flag only (no identity is supplied). */
static void
test_verify_database_bad_expired (TestVerify *test,
                                  gconstpointer data)
{
  GError *err = NULL;
  GTlsCertificateFlags flags;
  GTlsCertificate *expired;

  /* client-past.pem is a certificate whose validity period lies in the past
   * (the original comment here was a copy of the "future" case). */
  expired = g_tls_certificate_new_from_file (tls_test_file_path ("client-past.pem"), &err);
  g_assert_no_error (err);
  g_assert (G_IS_TLS_CERTIFICATE (expired));

  flags = g_tls_database_verify_chain (test->database, expired,
                                       G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER,
                                       NULL, NULL, 0, NULL, &err);
  g_assert_no_error (err);
  g_assert_cmpuint (flags, ==, G_TLS_CERTIFICATE_EXPIRED);

  g_object_unref (expired);
}
/* Several problems at once must all be reported: the certificate is self
 * signed (UNKNOWN_CA) and is presented for a name it was not issued to
 * (BAD_IDENTITY).  Both bits must be set; verification must not stop at the
 * first failure it finds. */
static void
test_verify_database_bad_combo (TestVerify *test,
                                gconstpointer data)
{
  GError *err = NULL;
  GTlsCertificateFlags flags;
  GTlsCertificate *self_signed;
  GSocketConnectable *wrong_identity;
  const GTlsCertificateFlags expected = G_TLS_CERTIFICATE_UNKNOWN_CA |
                                        G_TLS_CERTIFICATE_BAD_IDENTITY;

  self_signed = g_tls_certificate_new_from_file (tls_test_file_path ("server-self.pem"), &err);
  g_assert_no_error (err);
  g_assert (G_IS_TLS_CERTIFICATE (self_signed));

  /* Not the name the certificate was issued for. */
  wrong_identity = g_network_address_new ("other.example.com", 80);

  flags = g_tls_database_verify_chain (test->database, self_signed,
                                       G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER,
                                       wrong_identity, NULL, 0, NULL, &err);
  g_assert_no_error (err);
  g_assert_cmpuint (flags, ==, expected);

  g_object_unref (self_signed);
  g_object_unref (wrong_identity);
}
/* Load every certificate in @filename and link them into one chain by
 * setting each certificate's "issuer" property to the certificate that
 * follows it in the file.  Returns the first certificate of the file (which
 * owns the rest of the chain through its issuer links), or NULL with @error
 * set when the file cannot be read. */
static GTlsCertificate *
load_certificate_chain (const char *filename,
                        GError **error)
{
  GList *loaded = g_tls_certificate_list_new_from_file (filename, error);
  GTlsCertificate *head = NULL;
  GTlsBackend *backend;
  GType cert_type;
  GList *iter;

  if (!loaded)
    return NULL;

  backend = g_tls_backend_get_default ();
  cert_type = g_tls_backend_get_certificate_type (backend);

  /* Walk the file back to front, so that when a certificate is rebuilt the
   * one after it in the file already exists and can be attached as issuer. */
  loaded = g_list_reverse (loaded);
  for (iter = loaded; iter; iter = iter->next)
    {
      GTlsCertificate *issuer = head;
      GByteArray *der = NULL;

      g_object_get (iter->data, "certificate", &der, NULL);
      head = g_object_new (cert_type,
                           "certificate", der,
                           "issuer", issuer,
                           NULL);
      g_byte_array_unref (der);
      /* The new object now holds its own reference to the issuer. */
      g_clear_object (&issuer);
    }

  g_list_free_full (loaded, g_object_unref);

  return head;
}
/* Return TRUE if @cert is the same certificate as @chain or any of the
 * certificates reachable from it through the issuer links. */
static gboolean
is_certificate_in_chain (GTlsCertificate *chain,
                         GTlsCertificate *cert)
{
  GTlsCertificate *cur;

  for (cur = chain; cur; cur = g_tls_certificate_get_issuer (cur))
    {
      if (g_tls_certificate_is_same (cur, cert))
        return TRUE;
    }

  return FALSE;
}
/* A chain whose own root shares subject and public key with our anchor, but
 * is a different certificate, must still verify: the issuer fields and
 * signatures chain up to the anchor in the database, so the root the peer
 * supplied is simply ignored in favour of the trusted one. */
static void
test_verify_with_incorrect_root_in_chain (void)
{
  GError *err = NULL;
  GTlsDatabase *database;
  GTlsCertificate *anchor;
  GTlsCertificate *chain;
  GSocketConnectable *identity;
  GTlsCertificateFlags flags;

  /* This database contains a single anchor certificate of:
   *   C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority */
  database = g_tls_file_database_new (tls_test_file_path ("ca-verisign-sha1.pem"), &err);
  g_assert_no_error (err);
  g_assert (G_IS_TLS_DATABASE (database));

  /* The same anchor, loaded as a standalone object for comparison below. */
  anchor = g_tls_certificate_new_from_file (tls_test_file_path ("ca-verisign-sha1.pem"), &err);
  g_assert_no_error (err);
  g_assert (G_IS_TLS_CERTIFICATE (anchor));

  /* This chain ends in a root certificate with that same issuer and public
   * key, but it is not the certificate in our database. */
  chain = load_certificate_chain (tls_test_file_path ("chain-with-verisign-md2.pem"), &err);
  g_assert_no_error (err);
  g_assert (G_IS_TLS_CERTIFICATE (chain));

  /* Sanity-check the fixture: at least three certificates were linked up,
   * and the database's anchor is not one of them. */
  g_assert (g_tls_certificate_get_issuer (chain) != NULL);
  g_assert (g_tls_certificate_get_issuer (g_tls_certificate_get_issuer (chain)) != NULL);
  g_assert (is_certificate_in_chain (chain, chain));
  g_assert (!is_certificate_in_chain (chain, anchor));

  identity = g_network_address_new ("secure-test.streamline-esolutions.com", 443);

  flags = g_tls_database_verify_chain (database, chain,
                                       G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER,
                                       identity, NULL, 0, NULL, &err);
  g_assert_no_error (err);
  /* Ignore EXPIRED only, so the test keeps working after the fixture's
   * validity period ends; any other flag is still a failure. */
  flags &= ~G_TLS_CERTIFICATE_EXPIRED;
  g_assert_cmpuint (flags, ==, 0);

  g_object_unref (chain);
  g_object_unref (anchor);
  g_object_unref (identity);
  g_object_unref (database);
}
/* -----------------------------------------------------------------------------
* FILE DATABASE
*/
/* Fixture for the /tls/file-database/test-handle* cases.  Populated by
 * setup_file_database() and released by teardown_file_database(). */
typedef struct {
  GTlsDatabase *database;   /* file database backed by ca-roots.pem */
  const gchar *path;        /* interned path the database was created from; not freed */
} TestFileDatabase;
/* Fixture setup for the file-database tests: opens a database backed by
 * ca-roots.pem and records the (interned) path it was created from. */
static void
setup_file_database (TestFileDatabase *test,
                     gconstpointer data)
{
  GError *err = NULL;
  const gchar *roots_path = tls_test_file_path ("ca-roots.pem");

  test->path = roots_path;
  test->database = g_tls_file_database_new (roots_path, &err);
  g_assert_no_error (err);
  g_assert (G_IS_TLS_DATABASE (test->database));
}
/* Fixture teardown for the file-database tests.  The database must still be
 * alive and this unref must be the last one; the weak pointer is cleared
 * only if the object was actually destroyed, which catches leaked refs. */
static void
teardown_file_database (TestFileDatabase *test,
                        gconstpointer data)
{
  GTlsDatabase *database = test->database;

  g_assert (G_IS_TLS_DATABASE (database));

  g_object_add_weak_pointer (G_OBJECT (database), (gpointer *) &test->database);
  g_object_unref (database);
  g_assert (test->database == NULL);
}
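/* A certificate contained in the database's file must get a handle, and that
 * handle must resolve back to the same certificate. */
static void
test_file_database_handle (TestFileDatabase *test,
                           gconstpointer unused)
{
  GTlsCertificate *certificate;
  GTlsCertificate *looked_up;
  GError *err = NULL;
  gchar *handle;

  /* ca.pem is in the ca-roots.pem that test->database represents, so the
   * database should be able to create a handle for it and treat it as if
   * it is 'in' the database. */
  certificate = g_tls_certificate_new_from_file (tls_test_file_path ("ca.pem"), &err);
  g_assert_no_error (err);
  g_assert (G_IS_TLS_CERTIFICATE (certificate));

  handle = g_tls_database_create_certificate_handle (test->database, certificate);
  g_assert (handle != NULL);
  g_assert (g_str_has_prefix (handle, "file:///"));

  looked_up = g_tls_database_lookup_certificate_for_handle (test->database, handle,
                                                            NULL, G_TLS_DATABASE_LOOKUP_NONE,
                                                            NULL, &err);
  g_assert_no_error (err);
  g_assert (G_IS_TLS_CERTIFICATE (looked_up));
  /* The round trip must yield the certificate the handle was created for,
   * not merely some certificate from the file. */
  g_assert (g_tls_certificate_is_same (looked_up, certificate));

  g_free (handle);
  g_object_unref (looked_up);
  g_object_unref (certificate);
}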
/* A handle that no file database could have produced must yield NULL, and
 * "not found" must be reported as that NULL result without setting @error. */
static void
test_file_database_handle_invalid (TestFileDatabase *test,
                                   gconstpointer unused)
{
  GError *err = NULL;
  GTlsCertificate *result;

  result = g_tls_database_lookup_certificate_for_handle (test->database, "blah:blah",
                                                         NULL, G_TLS_DATABASE_LOOKUP_NONE,
                                                         NULL, &err);
  g_assert_no_error (err);
  g_assert (result == NULL);
}
/* -----------------------------------------------------------------------------
* DATABASE
*/
/* The "anchors" property of a file database must read back as the path the
 * database was created with. */
static void
test_anchors_property (void)
{
  GError *err = NULL;
  const gchar *ca_path = tls_test_file_path ("ca.pem");
  GTlsDatabase *database = g_tls_file_database_new (ca_path, &err);
  gchar *anchors = NULL;

  g_assert_no_error (err);

  /* g_object_get() hands back a copy of the string, hence the g_free(). */
  g_object_get (database, "anchors", &anchors, NULL);
  g_assert_cmpstr (anchors, ==, ca_path);
  g_free (anchors);

  g_object_unref (database);
}
/* Return TRUE if the certificate stored in @filename appears in
 * @certificates.  Equality is decided by g_tls_certificate_is_same(), so the
 * freshly loaded object counts as present even though it is a distinct
 * GObject from the list entries. */
static gboolean
certificate_is_in_list (GList *certificates,
                        const gchar *filename)
{
  GError *err = NULL;
  GTlsCertificate *wanted = g_tls_certificate_new_from_file (filename, &err);
  gboolean found = FALSE;
  GList *iter;

  g_assert_no_error (err);

  for (iter = certificates; iter && !found; iter = iter->next)
    found = g_tls_certificate_is_same (iter->data, wanted);

  g_object_unref (wanted);

  return found;
}
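/* Looking up certificates by issuer DN must return exactly the four
 * certificates in non-ca.pem that were issued by the test CA, and must not
 * return the self-signed server certificate. */
static void
test_lookup_certificates_issued_by (void)
{
  /* DER-encoded subject name of the CA in ca.pem.  This data is generated
   * from the frob-certificate test tool in gcr library.  To regenerate (from
   * e.g. a directory containing gcr and glib-networking):
   *
   *   $ gcr/frob-certificate glib-networking/tls/tests/files/ca.pem
   *
   * Then copy the hex that is printed after "subject" (not "issuer"!) and add
   * the missing 'x's. */
  const guchar ISSUER[] = "\x30\x81\x86\x31\x13\x30\x11\x06\x0A\x09\x92\x26\x89\x93\xF2"
                          "\x2C\x64\x01\x19\x16\x03\x43\x4F\x4D\x31\x17\x30\x15\x06\x0A"
                          "\x09\x92\x26\x89\x93\xF2\x2C\x64\x01\x19\x16\x07\x45\x58\x41"
                          "\x4D\x50\x4C\x45\x31\x1E\x30\x1C\x06\x03\x55\x04\x0B\x0C\x15"
                          "\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74"
                          "\x68\x6F\x72\x69\x74\x79\x31\x17\x30\x15\x06\x03\x55\x04\x03"
                          "\x0C\x0E\x63\x61\x2E\x65\x78\x61\x6D\x70\x6C\x65\x2E\x63\x6F"
                          "\x6D\x31\x1D\x30\x1B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09"
                          "\x01\x16\x0E\x63\x61\x40\x65\x78\x61\x6D\x70\x6C\x65\x2E\x63"
                          "\x6F\x6D";
  GList *issued;
  GByteArray *issuer_dn;
  GTlsDatabase *database;
  GError *error = NULL;

  database = g_tls_file_database_new (tls_test_file_path ("non-ca.pem"), &error);
  g_assert_no_error (error);

  /* The string literal carries a trailing NUL that is not part of the DN. */
  issuer_dn = g_byte_array_new ();
  g_byte_array_append (issuer_dn, ISSUER, G_N_ELEMENTS (ISSUER) - 1);

  issued = g_tls_database_lookup_certificates_issued_by (database, issuer_dn, NULL,
                                                         G_TLS_DATABASE_LOOKUP_NONE,
                                                         NULL, &error);
  g_byte_array_unref (issuer_dn);
  /* Check the lookup's error before its result, as the other tests do, so a
   * failing lookup is reported with its cause instead of as a wrong count. */
  g_assert_no_error (error);

  g_assert_cmpuint (g_list_length (issued), ==, 4);

  g_assert (certificate_is_in_list (issued, tls_test_file_path ("client.pem")));
  g_assert (certificate_is_in_list (issued, tls_test_file_path ("client-future.pem")));
  g_assert (certificate_is_in_list (issued, tls_test_file_path ("client-past.pem")));
  g_assert (certificate_is_in_list (issued, tls_test_file_path ("server.pem")));
  /* Self-signed, so not issued by the CA. */
  g_assert (!certificate_is_in_list (issued, tls_test_file_path ("server-self.pem")));

  g_list_free_full (issued, g_object_unref);
  g_object_unref (database);
}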
/* g_tls_backend_get_default_database() must hand out the very same object on
 * every call (one new reference each time) rather than building a fresh
 * database per call. */
static void
test_default_database_is_singleton (void)
{
  GTlsBackend *backend = g_tls_backend_get_default ();
  GTlsDatabase *first;
  GTlsDatabase *second;

  g_assert (G_IS_TLS_BACKEND (backend));

  first = g_tls_backend_get_default_database (backend);
  g_assert (G_IS_TLS_DATABASE (first));

  second = g_tls_backend_get_default_database (backend);
  /* Pointer equality: the same GObject, not merely an equivalent one. */
  g_assert (first == second);

  /* Each call returned its own reference, so both must be dropped. */
  g_object_unref (first);
  g_object_unref (second);
}
/* Test entry point: pins the environment to the gnutls module built in this
 * tree, registers every case, and runs them. */
int
main (int argc,
      char *argv[])
{
  /* Cases sharing the TestVerify fixture, registered in this order. */
  static const struct {
    const char *path;
    void (*test) (TestVerify *, gconstpointer);
  } verify_cases[] = {
    { "/tls/database/verify-good",         test_verify_database_good },
    { "/tls/database/verify-bad-identity", test_verify_database_bad_identity },
    { "/tls/database/verify-bad-ca",       test_verify_database_bad_ca },
    { "/tls/database/verify-bad-before",   test_verify_database_bad_before },
    { "/tls/database/verify-bad-expired",  test_verify_database_bad_expired },
    { "/tls/database/verify-bad-combo",    test_verify_database_bad_combo },
  };
  gsize i;

  g_test_init (&argc, &argv, NULL);

  /* Keep GSettings in memory and make GIO load the gnutls backend from this
   * build tree, so the tests exercise the code under test and not whatever
   * TLS module happens to be installed. */
  g_setenv ("GSETTINGS_BACKEND", "memory", TRUE);
  g_setenv ("GIO_EXTRA_MODULES", TOP_BUILDDIR "/tls/gnutls/.libs", TRUE);
  g_setenv ("GIO_USE_TLS", "gnutls", TRUE);

  g_test_add_func ("/tls/backend/default-database-is-singleton",
                   test_default_database_is_singleton);

  for (i = 0; i < G_N_ELEMENTS (verify_cases); i++)
    {
      g_test_add (verify_cases[i].path, TestVerify, NULL,
                  setup_verify, verify_cases[i].test, teardown_verify);
    }
  g_test_add_func ("/tls/database/verify-with-incorrect-root-in-chain",
                   test_verify_with_incorrect_root_in_chain);

  g_test_add_func ("/tls/file-database/anchors-property",
                   test_anchors_property);
  g_test_add_func ("/tls/file-database/lookup-certificates-issued-by",
                   test_lookup_certificates_issued_by);

  g_test_add ("/tls/file-database/test-handle", TestFileDatabase, NULL,
              setup_file_database, test_file_database_handle, teardown_file_database);
  g_test_add ("/tls/file-database/test-handle-invalid", TestFileDatabase, NULL,
              setup_file_database, test_file_database_handle_invalid, teardown_file_database);

  return g_test_run ();
}