3 * Copyright 2011 Collabora, Ltd.
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2 of the License, or (at your option) any later version.
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
15 * You should have received a copy of the GNU Lesser General
16 * Public License along with this library; if not, see
17 * <http://www.gnu.org/licenses/>.
19 * Author: Stef Walter <stefw@collabora.co.uk>
24 #include <sys/types.h>
27 #define TEST_FILE(name) (SRCDIR "/files/" name)
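/* Fixture for the certificate construction tests.
 *
 * Holds the backend's certificate GType so tests can build objects with
 * g_initable_new(), plus the server certificate and its private key in
 * both PEM and DER form. All buffers are owned by the fixture and are
 * released in teardown_certificate(). */
typedef struct {
  GTlsBackend *backend;
  GType cert_gtype;
  gchar *cert_pem;        /* PEM text of server.pem */
  gsize cert_pem_length;
  GByteArray *cert_der;   /* raw bytes of server.der */
  gchar *key_pem;         /* PEM text of server-key.pem */
  gsize key_pem_length;
  GByteArray *key_der;    /* raw bytes of server-key.der */
} TestCertificate;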
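/* Fixture setup: load the server certificate and key fixtures in PEM and
 * DER form into @test. Every load is asserted, so a missing or unreadable
 * fixture aborts the test instead of letting a later assertion run against
 * empty data. @data is the unused g_test_add() user data. */
static void
setup_certificate (TestCertificate *test, gconstpointer data)
{
  GError *error = NULL;
  gchar *contents = NULL;
  gsize length = 0;

  test->backend = g_tls_backend_get_default ();
  test->cert_gtype = g_tls_backend_get_certificate_type (test->backend);

  g_file_get_contents (TEST_FILE ("server.pem"), &test->cert_pem,
                       &test->cert_pem_length, &error);
  g_assert_no_error (error);

  g_file_get_contents (TEST_FILE ("server.der"),
                       &contents, &length, &error);
  g_assert_no_error (error);

  /* g_byte_array_append() copies the bytes, so the file buffer must be
   * freed here or it leaks once per test case. */
  test->cert_der = g_byte_array_new ();
  g_byte_array_append (test->cert_der, (guint8 *)contents, length);
  g_free (contents);

  g_file_get_contents (TEST_FILE ("server-key.pem"), &test->key_pem,
                       &test->key_pem_length, &error);
  g_assert_no_error (error);

  g_file_get_contents (TEST_FILE ("server-key.der"),
                       &contents, &length, &error);
  g_assert_no_error (error);

  test->key_der = g_byte_array_new ();
  g_byte_array_append (test->key_der, (guint8 *)contents, length);
  g_free (contents);
}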
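/* Fixture teardown: release everything setup_certificate() loaded.
 * TRUE to g_byte_array_free() frees the element data as well as the
 * wrapper. @data is the unused g_test_add() user data. */
static void
teardown_certificate (TestCertificate *test,
                      gconstpointer data)
{
  g_free (test->cert_pem);
  g_byte_array_free (test->cert_der, TRUE);

  g_free (test->key_pem);
  g_byte_array_free (test->key_der, TRUE);
}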
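/* A certificate built from PEM text must round-trip that text through the
 * "certificate-pem" property unchanged, and must be finalized by its last
 * unref (no reference kept by the backend). */
static void
test_create_pem (TestCertificate *test,
                 gconstpointer data)
{
  GTlsCertificate *cert;
  gchar *pem = NULL;
  GError *error = NULL;

  cert = g_tls_certificate_new_from_pem (test->cert_pem, test->cert_pem_length, &error);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_CERTIFICATE (cert));

  /* g_object_get() hands back a copy of a string property; free it. */
  g_object_get (cert, "certificate-pem", &pem, NULL);
  g_assert_cmpstr (pem, ==, test->cert_pem);
  g_free (pem);

  /* The weak pointer is cleared only when the object is actually finalized,
   * so the final assertion doubles as a leak check. */
  g_object_add_weak_pointer (G_OBJECT (cert), (gpointer *)&cert);
  g_object_unref (cert);
  g_assert (cert == NULL);
}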
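/* Constructing the backend's certificate type with both "certificate-pem"
 * and "private-key-pem" must succeed, and the object must be finalized by
 * its last unref. */
static void
test_create_with_key_pem (TestCertificate *test,
                          gconstpointer data)
{
  GTlsCertificate *cert;
  GError *error = NULL;

  cert = g_initable_new (test->cert_gtype, NULL, &error,
                         "certificate-pem", test->cert_pem,
                         "private-key-pem", test->key_pem,
                         NULL);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_CERTIFICATE (cert));

  /* Weak pointer turns the unref into a leak check: it is cleared only on
   * finalization. */
  g_object_add_weak_pointer (G_OBJECT (cert), (gpointer *)&cert);
  g_object_unref (cert);
  g_assert (cert == NULL);
}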
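/* A certificate built from DER bytes via the "certificate" property must
 * hand the identical bytes back through the same property, and must be
 * finalized by its last unref. */
static void
test_create_der (TestCertificate *test,
                 gconstpointer data)
{
  GTlsCertificate *cert;
  GByteArray *der = NULL;
  GError *error = NULL;

  cert = g_initable_new (test->cert_gtype, NULL, &error,
                         "certificate", test->cert_der,
                         NULL);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_CERTIFICATE (cert));

  g_object_get (cert, "certificate", &der, NULL);

  /* Compare length first so memcmp() never reads past the shorter array. */
  g_assert_cmpuint (der->len, ==, test->cert_der->len);
  g_assert (memcmp (der->data, test->cert_der->data, der->len) == 0);

  /* g_object_get() returned a new reference on the boxed array. */
  g_byte_array_unref (der);

  /* Weak pointer turns the unref into a leak check: it is cleared only on
   * finalization. */
  g_object_add_weak_pointer (G_OBJECT (cert), (gpointer *)&cert);
  g_object_unref (cert);
  g_assert (cert == NULL);
}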
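/* Constructing the backend's certificate type with DER "certificate" and
 * "private-key" arrays must succeed, and the object must be finalized by
 * its last unref. */
static void
test_create_with_key_der (TestCertificate *test,
                          gconstpointer data)
{
  GTlsCertificate *cert;
  GError *error = NULL;

  cert = g_initable_new (test->cert_gtype, NULL, &error,
                         "certificate", test->cert_der,
                         "private-key", test->key_der,
                         NULL);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_CERTIFICATE (cert));

  /* Weak pointer turns the unref into a leak check: it is cleared only on
   * finalization. */
  g_object_add_weak_pointer (G_OBJECT (cert), (gpointer *)&cert);
  g_object_unref (cert);
  g_assert (cert == NULL);
}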
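/* A certificate constructed with an explicit "issuer" must keep its own
 * reference to that issuer: the issuer survives our unref, is returned
 * unchanged by g_tls_certificate_get_issuer(), and is finalized together
 * with the certificate. */
static void
test_create_certificate_with_issuer (TestCertificate *test,
                                     gconstpointer data)
{
  GTlsCertificate *cert, *issuer, *check;
  GError *error = NULL;

  issuer = g_tls_certificate_new_from_file (TEST_FILE ("ca.pem"), &error);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_CERTIFICATE (issuer));

  cert = g_initable_new (test->cert_gtype, NULL, &error,
                         "certificate-pem", test->cert_pem,
                         "issuer", issuer,
                         NULL);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_CERTIFICATE (cert));

  /* Drop our reference: the issuer must stay alive because @cert holds
   * one of its own (checked below via the weak pointer). */
  g_object_add_weak_pointer (G_OBJECT (issuer), (gpointer *)&issuer);
  g_object_unref (issuer);
  g_assert (issuer != NULL);

  check = g_tls_certificate_get_issuer (cert);
  g_assert (check == issuer);

  /* Finalizing @cert must release the issuer as well: both weak pointers
   * are cleared, which is the leak check for the pair. */
  g_object_add_weak_pointer (G_OBJECT (cert), (gpointer *)&cert);
  g_object_unref (cert);
  g_assert (cert == NULL);
  g_assert (issuer == NULL);
}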
202 /* -----------------------------------------------------------------------------
207 GTlsCertificate *cert;
208 GTlsCertificate *anchor;
209 GSocketConnectable *identity;
210 GTlsDatabase *database;
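/* Fixture setup: load server.pem as the certificate under test, ca.pem as
 * the trust anchor (and as a file database), and the hostname the server
 * certificate is expected to match. Each load is asserted so a bad fixture
 * fails here rather than as a spurious verification error later.
 * @data is the unused g_test_add() user data. */
static void
setup_verify (TestVerify *test,
              gconstpointer data)
{
  GError *error = NULL;

  test->cert = g_tls_certificate_new_from_file (TEST_FILE ("server.pem"), &error);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_CERTIFICATE (test->cert));

  /* The port is irrelevant to certificate identity matching; only the
   * hostname is compared. */
  test->identity = g_network_address_new ("server.example.com", 80);

  test->anchor = g_tls_certificate_new_from_file (TEST_FILE ("ca.pem"), &error);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_CERTIFICATE (test->anchor));

  /* NOTE(review): the database is not used by the verify tests visible in
   * this file section; they pass the anchor directly. */
  test->database = g_tls_file_database_new (TEST_FILE ("ca.pem"), &error);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_DATABASE (test->database));
}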
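/* Fixture teardown: release every object setup_verify() created and assert,
 * through weak pointers, that each one is really finalized. A test that
 * leaked a reference to any of them fails here. @data is the unused
 * g_test_add() user data. */
static void
teardown_verify (TestVerify *test,
                 gconstpointer data)
{
  g_assert (G_IS_TLS_CERTIFICATE (test->cert));
  g_object_add_weak_pointer (G_OBJECT (test->cert),
                             (gpointer *)&test->cert);
  g_object_unref (test->cert);
  g_assert (test->cert == NULL);

  g_assert (G_IS_TLS_CERTIFICATE (test->anchor));
  g_object_add_weak_pointer (G_OBJECT (test->anchor),
                             (gpointer *)&test->anchor);
  g_object_unref (test->anchor);
  g_assert (test->anchor == NULL);

  g_assert (G_IS_TLS_DATABASE (test->database));
  g_object_add_weak_pointer (G_OBJECT (test->database),
                             (gpointer *)&test->database);
  g_object_unref (test->database);
  g_assert (test->database == NULL);

  /* Same type check as the other members, for consistency. */
  g_assert (G_IS_SOCKET_CONNECTABLE (test->identity));
  g_object_add_weak_pointer (G_OBJECT (test->identity),
                             (gpointer *)&test->identity);
  g_object_unref (test->identity);
  g_assert (test->identity == NULL);
}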
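/* Good path: the server certificate chains to the anchor and matches its
 * identity, so the error flags must be exactly zero. Asserting equality
 * with 0 rather than the absence of one flag means any unexpected flag
 * (e.g. a fixture that has since expired) fails the test. */
static void
test_verify_certificate_good (TestVerify *test,
                              gconstpointer data)
{
  GTlsCertificateFlags errors;

  errors = g_tls_certificate_verify (test->cert, test->identity, test->anchor);
  g_assert_cmpuint (errors, ==, 0);

  /* A NULL identity skips only the hostname check; chain validation
   * against the anchor still has to pass. */
  errors = g_tls_certificate_verify (test->cert, NULL, test->anchor);
  g_assert_cmpuint (errors, ==, 0);
}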
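/* A hostname the certificate was not issued for must yield exactly
 * G_TLS_CERTIFICATE_BAD_IDENTITY: the chain itself is still valid, so no
 * other flag may be set. */
static void
test_verify_certificate_bad_identity (TestVerify *test,
                                      gconstpointer data)
{
  GSocketConnectable *identity;
  GTlsCertificateFlags errors;

  identity = g_network_address_new ("other.example.com", 80);

  errors = g_tls_certificate_verify (test->cert, identity, test->anchor);
  g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_BAD_IDENTITY);

  g_object_unref (identity);
}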
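/* Verifying against a trust anchor that did not issue the certificate must
 * yield exactly G_TLS_CERTIFICATE_UNKNOWN_CA; identity still matches, so no
 * other flag may be set. */
static void
test_verify_certificate_bad_ca (TestVerify *test,
                                gconstpointer data)
{
  GTlsCertificateFlags errors;
  GTlsCertificate *cert;
  GError *error = NULL;

  /* Use a client certificate as the CA, which is wrong */
  cert = g_tls_certificate_new_from_file (TEST_FILE ("client.pem"), &error);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_CERTIFICATE (cert));

  errors = g_tls_certificate_verify (test->cert, test->identity, cert);
  g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_UNKNOWN_CA);

  g_object_unref (cert);
}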
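/* A certificate whose validity period has not started yet must yield
 * exactly G_TLS_CERTIFICATE_NOT_ACTIVATED. Identity is NULL so only the
 * chain and validity dates are checked. */
static void
test_verify_certificate_bad_before (TestVerify *test,
                                    gconstpointer data)
{
  GTlsCertificateFlags errors;
  GTlsCertificate *cert;
  GError *error = NULL;

  /* This is a certificate in the future */
  cert = g_tls_certificate_new_from_file (TEST_FILE ("client-future.pem"), &error);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_CERTIFICATE (cert));

  errors = g_tls_certificate_verify (cert, NULL, test->anchor);
  g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_NOT_ACTIVATED);

  g_object_unref (cert);
}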
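/* A certificate whose validity period has already ended must yield exactly
 * G_TLS_CERTIFICATE_EXPIRED. Identity is NULL so only the chain and
 * validity dates are checked. */
static void
test_verify_certificate_bad_expired (TestVerify *test,
                                     gconstpointer data)
{
  GTlsCertificateFlags errors;
  GTlsCertificate *cert;
  GError *error = NULL;

  /* This is a certificate in the past (copied comment used to say "future") */
  cert = g_tls_certificate_new_from_file (TEST_FILE ("client-past.pem"), &error);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_CERTIFICATE (cert));

  errors = g_tls_certificate_verify (cert, NULL, test->anchor);
  g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_EXPIRED);

  g_object_unref (cert);
}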
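/* Several independent failures at once must all be reported: the flags are
 * cumulative, and the backend must not stop at the first problem it finds.
 * The exact set is asserted so a missing or extra flag both fail. */
static void
test_verify_certificate_bad_combo (TestVerify *test,
                                   gconstpointer data)
{
  GTlsCertificate *cert;
  GTlsCertificate *cacert;
  GSocketConnectable *identity;
  GTlsCertificateFlags errors;
  GError *error = NULL;

  cert = g_tls_certificate_new_from_file (TEST_FILE ("client-past.pem"), &error);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_CERTIFICATE (cert));

  /* Unrelated cert used as certificate authority */
  cacert = g_tls_certificate_new_from_file (TEST_FILE ("server-self.pem"), &error);
  g_assert_no_error (error);
  g_assert (G_IS_TLS_CERTIFICATE (cacert));

  /*
   * - Use unrelated cert as CA
   * - Use wrong identity.
   * - Use expired certificate.
   */

  identity = g_network_address_new ("other.example.com", 80);

  errors = g_tls_certificate_verify (cert, identity, cacert);
  g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_UNKNOWN_CA |
                    G_TLS_CERTIFICATE_BAD_IDENTITY | G_TLS_CERTIFICATE_EXPIRED);

  g_object_unref (cert);
  g_object_unref (cacert);
  g_object_unref (identity);
}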
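/* g_tls_certificate_is_same() must compare the certificate itself and be
 * symmetric: client.pem and client-and-key.pem are expected to carry the
 * same certificate (the key is not part of the comparison), while
 * server.pem is a different certificate and must compare unequal in both
 * argument orders. */
static void
test_certificate_is_same (void)
{
  GTlsCertificate *one;
  GTlsCertificate *two;
  GTlsCertificate *three;
  GError *error = NULL;

  one = g_tls_certificate_new_from_file (TEST_FILE ("client.pem"), &error);
  g_assert_no_error (error);

  two = g_tls_certificate_new_from_file (TEST_FILE ("client-and-key.pem"), &error);
  g_assert_no_error (error);

  three = g_tls_certificate_new_from_file (TEST_FILE ("server.pem"), &error);
  g_assert_no_error (error);

  g_assert (g_tls_certificate_is_same (one, two) == TRUE);
  g_assert (g_tls_certificate_is_same (two, one) == TRUE);
  g_assert (g_tls_certificate_is_same (three, one) == FALSE);
  g_assert (g_tls_certificate_is_same (one, three) == FALSE);
  g_assert (g_tls_certificate_is_same (two, three) == FALSE);
  g_assert (g_tls_certificate_is_same (three, two) == FALSE);

  g_object_unref (one);
  g_object_unref (two);
  g_object_unref (three);
}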
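/* Test entry point. Pins the environment so the run is hermetic: an
 * in-memory GSettings backend, the GIO TLS module from this build tree
 * rather than whatever is installed, and the gnutls backend explicitly
 * selected. Then registers every fixture test and runs them. */
int
main (int   argc,
      char *argv[])
{
  g_test_init (&argc, &argv, NULL);

  g_setenv ("GSETTINGS_BACKEND", "memory", TRUE);
  g_setenv ("GIO_EXTRA_MODULES", TOP_BUILDDIR "/tls/gnutls/.libs", TRUE);
  g_setenv ("GIO_USE_TLS", "gnutls", TRUE);

  g_test_add ("/tls/certificate/create-pem", TestCertificate, NULL,
              setup_certificate, test_create_pem, teardown_certificate);
  g_test_add ("/tls/certificate/create-der", TestCertificate, NULL,
              setup_certificate, test_create_der, teardown_certificate);
  g_test_add ("/tls/certificate/create-with-key-pem", TestCertificate, NULL,
              setup_certificate, test_create_with_key_pem, teardown_certificate);
  g_test_add ("/tls/certificate/create-with-key-der", TestCertificate, NULL,
              setup_certificate, test_create_with_key_der, teardown_certificate);
  g_test_add ("/tls/certificate/create-with-issuer", TestCertificate, NULL,
              setup_certificate, test_create_certificate_with_issuer, teardown_certificate);

  g_test_add ("/tls/certificate/verify-good", TestVerify, NULL,
              setup_verify, test_verify_certificate_good, teardown_verify);
  g_test_add ("/tls/certificate/verify-bad-identity", TestVerify, NULL,
              setup_verify, test_verify_certificate_bad_identity, teardown_verify);
  g_test_add ("/tls/certificate/verify-bad-ca", TestVerify, NULL,
              setup_verify, test_verify_certificate_bad_ca, teardown_verify);
  g_test_add ("/tls/certificate/verify-bad-before", TestVerify, NULL,
              setup_verify, test_verify_certificate_bad_before, teardown_verify);
  g_test_add ("/tls/certificate/verify-bad-expired", TestVerify, NULL,
              setup_verify, test_verify_certificate_bad_expired, teardown_verify);
  g_test_add ("/tls/certificate/verify-bad-combo", TestVerify, NULL,
              setup_verify, test_verify_certificate_bad_combo, teardown_verify);

  g_test_add_func ("/tls/certificate/is-same", test_certificate_is_same);

  /* Nothing registered above runs until g_test_run(); its result is the
   * process exit status. */
  return g_test_run ();
}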