-/* GIO TLS tests
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO TLS tests
*
* Copyright 2011 Collabora, Ltd.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
- * version 2 of the License, or (at your option) any later version.
+ * version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
g_assert_no_error (error);
g_file_get_contents (tls_test_file_path ("server.der"),
- &contents, &length, &error);
+ &contents, &length, &error);
g_assert_no_error (error);
test->cert_der = g_byte_array_new ();
cert = g_tls_certificate_new_from_pem (test->cert_pem, test->cert_pem_length, &error);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (cert));
g_object_get (cert, "certificate-pem", &pem, NULL);
g_assert_cmpstr (pem, ==, test->cert_pem);
g_object_add_weak_pointer (G_OBJECT (cert), (gpointer *)&cert);
g_object_unref (cert);
- g_assert (cert == NULL);
+ g_assert_null (cert);
}
static void
"private-key-pem", test->key_pem,
NULL);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (cert));
g_object_add_weak_pointer (G_OBJECT (cert), (gpointer *)&cert);
g_object_unref (cert);
- g_assert (cert == NULL);
+ g_assert_null (cert);
}
static void
"certificate", test->cert_der,
NULL);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (cert));
g_object_get (cert, "certificate", &der, NULL);
- g_assert (der);
+ g_assert_nonnull (der);
g_assert_cmpuint (der->len, ==, test->cert_der->len);
- g_assert (memcmp (der->data, test->cert_der->data, der->len) == 0);
+ g_assert_cmpint (memcmp (der->data, test->cert_der->data, der->len), ==, 0);
g_byte_array_unref (der);
g_object_add_weak_pointer (G_OBJECT (cert), (gpointer *)&cert);
g_object_unref (cert);
- g_assert (cert == NULL);
+ g_assert_null (cert);
}
static void
"private-key", test->key_der,
NULL);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (cert));
g_object_add_weak_pointer (G_OBJECT (cert), (gpointer *)&cert);
g_object_unref (cert);
- g_assert (cert == NULL);
+ g_assert_null (cert);
}
static void
issuer = g_tls_certificate_new_from_file (tls_test_file_path ("ca.pem"), &error);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (issuer));
+ g_assert_true (G_IS_TLS_CERTIFICATE (issuer));
cert = g_initable_new (test->cert_gtype, NULL, &error,
"certificate-pem", test->cert_pem,
"issuer", issuer,
NULL);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (cert));
g_object_add_weak_pointer (G_OBJECT (issuer), (gpointer *)&issuer);
g_object_unref (issuer);
- g_assert (issuer != NULL);
+ g_assert_nonnull (issuer);
check = g_tls_certificate_get_issuer (cert);
- g_assert (check == issuer);
+ g_assert_true (check == issuer);
g_object_add_weak_pointer (G_OBJECT (cert), (gpointer *)&cert);
g_object_unref (cert);
- g_assert (cert == NULL);
- g_assert (issuer == NULL);
+ g_assert_null (cert);
+ g_assert_null (issuer);
+}
+
+static void
+test_create_certificate_with_garbage_input (TestCertificate *test,
+ gconstpointer data)
+{
+ GTlsCertificate *cert;
+ GError *error = NULL;
+
+ cert = g_tls_certificate_new_from_file (tls_test_file_path ("garbage.pem"), &error);
+ g_assert_null (cert);
+ g_assert_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE);
+ g_clear_error (&error);
+
+ cert = g_tls_certificate_new_from_pem ("I am not a very good certificate.", -1, &error);
+ g_assert_null (cert);
+ g_assert_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE);
+ g_clear_error (&error);
}
static void
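Review bot: Both inputs in `test_create_certificate_with_garbage_input` contain no PEM armor at all, so the test probably only exercises the path where no certificate block is found. Input with a valid header and footer but a corrupt body would cover the decoder's rejection path as well, for example (constructed sample) `cert = g_tls_certificate_new_from_pem ("-----BEGIN CERTIFICATE-----\nnot base64\n-----END CERTIFICATE-----\n", -1, &error);` followed by the same `g_assert_null (cert);` and `g_assert_error (...)` pair. The expected error code for that case is presumably `G_TLS_ERROR_BAD_CERTIFICATE` on every backend, but that should be confirmed before pinning it.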
GTlsCertificate *cert, *intermediate, *root;
GError *error = NULL;
- if (glib_check_version (2, 43, 0))
- {
- g_test_skip ("This test requires glib 2.43");
- return;
- }
-
cert = g_tls_certificate_new_from_file (tls_test_file_path ("chain.pem"), &error);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (cert));
intermediate = g_tls_certificate_get_issuer (cert);
- g_assert (G_IS_TLS_CERTIFICATE (intermediate));
+ g_assert_true (G_IS_TLS_CERTIFICATE (intermediate));
root = g_tls_certificate_get_issuer (intermediate);
- g_assert (G_IS_TLS_CERTIFICATE (root));
+ g_assert_true (G_IS_TLS_CERTIFICATE (root));
- g_assert (g_tls_certificate_get_issuer (root) == NULL);
+ g_assert_null (g_tls_certificate_get_issuer (root));
g_object_unref (cert);
}
cert = g_tls_certificate_new_from_file (tls_test_file_path ("non-ca.pem"), &error);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (cert));
issuer = g_tls_certificate_get_issuer (cert);
- g_assert (issuer == NULL);
+ g_assert_null (issuer);
g_object_unref (cert);
/* Truncate a valid chain certificate file. We should only get the
cert = g_tls_certificate_new_from_pem (cert_pem, cert_pem_length - 100, &error);
g_free (cert_pem);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (cert));
issuer = g_tls_certificate_get_issuer (cert);
- g_assert (issuer == NULL);
+ g_assert_null (issuer);
g_object_unref (cert);
}
test->cert = g_tls_certificate_new_from_file (tls_test_file_path ("server.pem"), &error);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (test->cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (test->cert));
test->identity = g_network_address_new ("server.example.com", 80);
test->anchor = g_tls_certificate_new_from_file (tls_test_file_path ("ca.pem"), &error);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (test->anchor));
+ g_assert_true (G_IS_TLS_CERTIFICATE (test->anchor));
test->database = g_tls_file_database_new (tls_test_file_path ("ca.pem"), &error);
g_assert_no_error (error);
- g_assert (G_IS_TLS_DATABASE (test->database));
+ g_assert_true (G_IS_TLS_DATABASE (test->database));
}
static void
teardown_verify (TestVerify *test,
gconstpointer data)
{
- g_assert (G_IS_TLS_CERTIFICATE (test->cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (test->cert));
g_object_add_weak_pointer (G_OBJECT (test->cert),
- (gpointer *)&test->cert);
+ (gpointer *)&test->cert);
g_object_unref (test->cert);
- g_assert (test->cert == NULL);
+ g_assert_null (test->cert);
- g_assert (G_IS_TLS_CERTIFICATE (test->anchor));
+ g_assert_true (G_IS_TLS_CERTIFICATE (test->anchor));
g_object_add_weak_pointer (G_OBJECT (test->anchor),
- (gpointer *)&test->anchor);
+ (gpointer *)&test->anchor);
g_object_unref (test->anchor);
- g_assert (test->anchor == NULL);
+ g_assert_null (test->anchor);
- g_assert (G_IS_TLS_DATABASE (test->database));
+ g_assert_true (G_IS_TLS_DATABASE (test->database));
g_object_add_weak_pointer (G_OBJECT (test->database),
- (gpointer *)&test->database);
+ (gpointer *)&test->database);
g_object_unref (test->database);
- g_assert (test->database == NULL);
+ g_assert_null (test->database);
g_object_add_weak_pointer (G_OBJECT (test->identity),
- (gpointer *)&test->identity);
+ (gpointer *)&test->identity);
g_object_unref (test->identity);
- g_assert (test->identity == NULL);
+ g_assert_null (test->identity);
}
static void
/* Use a client certificate as the CA, which is wrong */
cert = g_tls_certificate_new_from_file (tls_test_file_path ("client.pem"), &error);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (cert));
errors = g_tls_certificate_verify (test->cert, test->identity, cert);
g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_UNKNOWN_CA);
/* This is a certificate in the future */
cert = g_tls_certificate_new_from_file (tls_test_file_path ("client-future.pem"), &error);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (cert));
errors = g_tls_certificate_verify (cert, NULL, test->anchor);
g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_NOT_ACTIVATED);
/* This is a certificate in the future */
cert = g_tls_certificate_new_from_file (tls_test_file_path ("client-past.pem"), &error);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (cert));
errors = g_tls_certificate_verify (cert, NULL, test->anchor);
g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_EXPIRED);
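Review bot: The comment at the top of this hunk says "This is a certificate in the future", but the file loaded is `client-past.pem` and the expected flag is `G_TLS_CERTIFICATE_EXPIRED`. It looks copied from the `client-future.pem` case and should read `/* This is a certificate in the past */`. The line is unchanged context here, and the enclosing function starts and ends outside the hunk.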
cert = g_tls_certificate_new_from_file (tls_test_file_path ("client-past.pem"), &error);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (cert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (cert));
/* Unrelated cert used as certificate authority */
cacert = g_tls_certificate_new_from_file (tls_test_file_path ("server-self.pem"), &error);
g_assert_no_error (error);
- g_assert (G_IS_TLS_CERTIFICATE (cacert));
+ g_assert_true (G_IS_TLS_CERTIFICATE (cacert));
/*
* - Use unrelated cert as CA
* - Use wrong identity.
* - Use expired certificate.
+ *
+ * Once upon a time, we might have asserted to see that all of these errors
+ * are set. But this is impossible to do correctly, so nowadays we only
+ * guarantee that at least one error will be set. See glib-networking#179 and
+ * glib!2214 for rationale.
*/
identity = g_network_address_new ("other.example.com", 80);
errors = g_tls_certificate_verify (cert, identity, cacert);
- g_assert_cmpuint (errors, ==, G_TLS_CERTIFICATE_UNKNOWN_CA |
- G_TLS_CERTIFICATE_BAD_IDENTITY | G_TLS_CERTIFICATE_EXPIRED);
+ g_assert_cmpuint (errors, !=, 0);
g_object_unref (cert);
g_object_unref (cacert);
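Review bot: With the final assertion relaxed to `g_assert_cmpuint (errors, !=, 0);`, the test accepts any non-zero value, including one with bits outside the defined flag set. A second check such as `g_assert_cmpuint (errors & ~G_TLS_CERTIFICATE_VALIDATE_ALL, ==, 0);` would keep the result within the documented flags without bringing back the exact-match expectation that the new comment explains is unreliable. The comment could also state the consequence for callers: any non-zero result must be treated as a verification failure, and individual flags must not be relied on to decide whether to accept a certificate.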
three = g_tls_certificate_new_from_file (tls_test_file_path ("server.pem"), &error);
g_assert_no_error (error);
- g_assert (g_tls_certificate_is_same (one, two) == TRUE);
- g_assert (g_tls_certificate_is_same (two, one) == TRUE);
- g_assert (g_tls_certificate_is_same (three, one) == FALSE);
- g_assert (g_tls_certificate_is_same (one, three) == FALSE);
- g_assert (g_tls_certificate_is_same (two, three) == FALSE);
- g_assert (g_tls_certificate_is_same (three, two) == FALSE);
+ g_assert_true (g_tls_certificate_is_same (one, two));
+ g_assert_true (g_tls_certificate_is_same (two, one));
+ g_assert_false (g_tls_certificate_is_same (three, one));
+ g_assert_false (g_tls_certificate_is_same (one, three));
+ g_assert_false (g_tls_certificate_is_same (two, three));
+ g_assert_false (g_tls_certificate_is_same (three, two));
g_object_unref (one);
g_object_unref (two);
g_test_init (&argc, &argv, NULL);
g_setenv ("GSETTINGS_BACKEND", "memory", TRUE);
- g_setenv ("GIO_EXTRA_MODULES", TOP_BUILDDIR "/tls/gnutls/.libs", TRUE);
- g_setenv ("GIO_USE_TLS", "gnutls", TRUE);
+ g_setenv ("GIO_USE_TLS", BACKEND, TRUE);
+ g_assert (g_ascii_strcasecmp (G_OBJECT_TYPE_NAME (g_tls_backend_get_default ()), "GTlsBackend" BACKEND) == 0);
g_test_add ("/tls/certificate/create-pem", TestCertificate, NULL,
setup_certificate, test_create_pem, teardown_certificate);
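Review bot: The new backend check uses plain `g_assert`, which is compiled out when `G_DISABLE_ASSERT` is defined. In such a build the suite could silently run against a different TLS backend than the one named by `BACKEND`. The rest of this commit moves to the `g_assert_*` test macros, which are not affected by that define, so this line should follow suit: `g_assert_cmpint (g_ascii_strcasecmp (G_OBJECT_TYPE_NAME (g_tls_backend_get_default ()), "GTlsBackend" BACKEND), ==, 0);`. A short comment above it saying that the check guards against falling back to another backend would also help.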
setup_certificate, test_create_with_key_der, teardown_certificate);
g_test_add ("/tls/certificate/create-with-issuer", TestCertificate, NULL,
setup_certificate, test_create_certificate_with_issuer, teardown_certificate);
+ g_test_add ("/tls/certificate/create-with-garbage-input", TestCertificate, NULL,
+ setup_certificate, test_create_certificate_with_garbage_input, teardown_certificate);
+
g_test_add_func ("/tls/certificate/create-chain", test_create_certificate_chain);
g_test_add_func ("/tls/certificate/create-no-chain", test_create_certificate_no_chain);
g_test_add_func ("/tls/certificate/create-list", test_create_list);