diff options
Diffstat (limited to 'cast/sender/channel/cast_auth_util_unittest.cc')
-rw-r--r-- | cast/sender/channel/cast_auth_util_unittest.cc | 210 |
1 files changed, 102 insertions, 108 deletions
diff --git a/cast/sender/channel/cast_auth_util_unittest.cc b/cast/sender/channel/cast_auth_util_unittest.cc index 5dec424d..93fb913e 100644 --- a/cast/sender/channel/cast_auth_util_unittest.cc +++ b/cast/sender/channel/cast_auth_util_unittest.cc @@ -16,13 +16,13 @@ #include "testing/util/read_file.h" #include "util/logging.h" +namespace openscreen { namespace cast { -namespace channel { namespace { -using ErrorCode = openscreen::Error::Code; +using ::cast::channel::AuthResponse; -bool ConvertTimeSeconds(const certificate::DateTime& time, uint64_t* seconds) { +bool ConvertTimeSeconds(const DateTime& time, uint64_t* seconds) { static constexpr uint64_t kDaysPerYear = 365; static constexpr uint64_t kHoursPerDay = 24; static constexpr uint64_t kMinutesPerHour = 60; @@ -102,7 +102,7 @@ bool ConvertTimeSeconds(const certificate::DateTime& time, uint64_t* seconds) { #define TEST_DATA_PREFIX OPENSCREEN_TEST_DATA_DIR "cast/common/certificate/" -class CastAuthUtilTest : public testing::Test { +class CastAuthUtilTest : public ::testing::Test { public: CastAuthUtilTest() {} ~CastAuthUtilTest() override {} @@ -110,16 +110,15 @@ class CastAuthUtilTest : public testing::Test { void SetUp() override {} protected: - static AuthResponse CreateAuthResponse(std::string* signed_data, - HashAlgorithm digest_algorithm) { - std::vector<std::string> chain = - certificate::testing::ReadCertificatesFromPemFile( - TEST_DATA_PREFIX "certificates/chromecast_gen1.pem"); + static AuthResponse CreateAuthResponse( + std::string* signed_data, + ::cast::channel::HashAlgorithm digest_algorithm) { + std::vector<std::string> chain = testing::ReadCertificatesFromPemFile( + TEST_DATA_PREFIX "certificates/chromecast_gen1.pem"); OSP_CHECK(!chain.empty()); - certificate::testing::SignatureTestData signatures = - certificate::testing::ReadSignatureTestData( - TEST_DATA_PREFIX "signeddata/2ZZBG9_FA8FCA3EF91A.pem"); + testing::SignatureTestData signatures = testing::ReadSignatureTestData( + TEST_DATA_PREFIX "signeddata/2ZZBG9_FA8FCA3EF91A.pem"); AuthResponse response; @@ -130,12 +129,12 @@ class CastAuthUtilTest : public testing::Test { response.set_hash_algorithm(digest_algorithm); switch (digest_algorithm) { - case SHA1: + case ::cast::channel::SHA1: response.set_signature( std::string(reinterpret_cast<const char*>(signatures.sha1.data), signatures.sha1.length)); break; - case SHA256: + case ::cast::channel::SHA256: response.set_signature( std::string(reinterpret_cast<const char*>(signatures.sha256.data), signatures.sha256.length)); @@ -156,96 +155,100 @@ class CastAuthUtilTest : public testing::Test { // being verified doesn't expire until 2032. TEST_F(CastAuthUtilTest, VerifySuccess) { std::string signed_data; - AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA256); - certificate::DateTime now = {}; - ASSERT_TRUE(certificate::DateTimeFromSeconds( - openscreen::GetWallTimeSinceUnixEpoch().count(), &now)); - ErrorOr<CastDeviceCertPolicy> result = VerifyCredentialsForTest( - auth_response, signed_data, certificate::CRLPolicy::kCrlOptional, nullptr, - nullptr, now); + AuthResponse auth_response = + CreateAuthResponse(&signed_data, ::cast::channel::SHA256); + DateTime now = {}; + ASSERT_TRUE(DateTimeFromSeconds(GetWallTimeSinceUnixEpoch().count(), &now)); + ErrorOr<CastDeviceCertPolicy> result = + VerifyCredentialsForTest(auth_response, signed_data, + CRLPolicy::kCrlOptional, nullptr, nullptr, now); EXPECT_TRUE(result); - EXPECT_EQ(certificate::CastDeviceCertPolicy::kUnrestricted, result.value()); + EXPECT_EQ(CastDeviceCertPolicy::kUnrestricted, result.value()); } TEST_F(CastAuthUtilTest, VerifyBadCA) { std::string signed_data; - AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA256); + AuthResponse auth_response = + CreateAuthResponse(&signed_data, ::cast::channel::SHA256); MangleString(auth_response.mutable_intermediate_certificate(0)); ErrorOr<CastDeviceCertPolicy> result = VerifyCredentials(auth_response, signed_data); EXPECT_FALSE(result); - EXPECT_EQ(ErrorCode::kErrCertsParse, result.error().code()); + EXPECT_EQ(Error::Code::kErrCertsParse, result.error().code()); } TEST_F(CastAuthUtilTest, VerifyBadClientAuthCert) { std::string signed_data; - AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA256); + AuthResponse auth_response = + CreateAuthResponse(&signed_data, ::cast::channel::SHA256); MangleString(auth_response.mutable_client_auth_certificate()); ErrorOr<CastDeviceCertPolicy> result = VerifyCredentials(auth_response, signed_data); EXPECT_FALSE(result); - EXPECT_EQ(ErrorCode::kErrCertsParse, result.error().code()); + EXPECT_EQ(Error::Code::kErrCertsParse, result.error().code()); } TEST_F(CastAuthUtilTest, VerifyBadSignature) { std::string signed_data; - AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA256); + AuthResponse auth_response = + CreateAuthResponse(&signed_data, ::cast::channel::SHA256); MangleString(auth_response.mutable_signature()); ErrorOr<CastDeviceCertPolicy> result = VerifyCredentials(auth_response, signed_data); EXPECT_FALSE(result); - EXPECT_EQ(ErrorCode::kCastV2SignedBlobsMismatch, result.error().code()); + EXPECT_EQ(Error::Code::kCastV2SignedBlobsMismatch, result.error().code()); } TEST_F(CastAuthUtilTest, VerifyEmptySignature) { std::string signed_data; - AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA256); + AuthResponse auth_response = + CreateAuthResponse(&signed_data, ::cast::channel::SHA256); auth_response.mutable_signature()->clear(); ErrorOr<CastDeviceCertPolicy> result = VerifyCredentials(auth_response, signed_data); EXPECT_FALSE(result); - EXPECT_EQ(ErrorCode::kCastV2SignatureEmpty, result.error().code()); + EXPECT_EQ(Error::Code::kCastV2SignatureEmpty, result.error().code()); } TEST_F(CastAuthUtilTest, VerifyUnsupportedDigest) { std::string signed_data; - AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA1); - certificate::DateTime now = {}; - ASSERT_TRUE(certificate::DateTimeFromSeconds( - openscreen::GetWallTimeSinceUnixEpoch().count(), &now)); + AuthResponse auth_response = + CreateAuthResponse(&signed_data, ::cast::channel::SHA1); + DateTime now = {}; + ASSERT_TRUE(DateTimeFromSeconds(GetWallTimeSinceUnixEpoch().count(), &now)); ErrorOr<CastDeviceCertPolicy> result = VerifyCredentialsForTest( - auth_response, signed_data, certificate::CRLPolicy::kCrlOptional, nullptr, - nullptr, now, true); + auth_response, signed_data, CRLPolicy::kCrlOptional, nullptr, nullptr, + now, true); EXPECT_FALSE(result); - EXPECT_EQ(ErrorCode::kCastV2DigestUnsupported, result.error().code()); + EXPECT_EQ(Error::Code::kCastV2DigestUnsupported, result.error().code()); } TEST_F(CastAuthUtilTest, VerifyBackwardsCompatibleDigest) { std::string signed_data; - AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA1); - certificate::DateTime now = {}; - ASSERT_TRUE(certificate::DateTimeFromSeconds( - openscreen::GetWallTimeSinceUnixEpoch().count(), &now)); - ErrorOr<CastDeviceCertPolicy> result = VerifyCredentialsForTest( - auth_response, signed_data, certificate::CRLPolicy::kCrlOptional, nullptr, - nullptr, now); + AuthResponse auth_response = + CreateAuthResponse(&signed_data, ::cast::channel::SHA1); + DateTime now = {}; + ASSERT_TRUE(DateTimeFromSeconds(GetWallTimeSinceUnixEpoch().count(), &now)); + ErrorOr<CastDeviceCertPolicy> result = + VerifyCredentialsForTest(auth_response, signed_data, + CRLPolicy::kCrlOptional, nullptr, nullptr, now); EXPECT_TRUE(result); } TEST_F(CastAuthUtilTest, VerifyBadPeerCert) { std::string signed_data; - AuthResponse auth_response = CreateAuthResponse(&signed_data, SHA256); + AuthResponse auth_response = + CreateAuthResponse(&signed_data, ::cast::channel::SHA256); MangleString(&signed_data); ErrorOr<CastDeviceCertPolicy> result = VerifyCredentials(auth_response, signed_data); EXPECT_FALSE(result); - EXPECT_EQ(ErrorCode::kCastV2SignedBlobsMismatch, result.error().code()); + EXPECT_EQ(Error::Code::kCastV2SignedBlobsMismatch, result.error().code()); } TEST_F(CastAuthUtilTest, VerifySenderNonceMatch) { AuthContext context = AuthContext::Create(); - const openscreen::Error result = - context.VerifySenderNonce(context.nonce(), true); + const Error result = context.VerifySenderNonce(context.nonce(), true); EXPECT_TRUE(result.ok()); } @@ -256,7 +259,7 @@ TEST_F(CastAuthUtilTest, VerifySenderNonceMismatch) { ErrorOr<CastDeviceCertPolicy> result = context.VerifySenderNonce(received_nonce, true); EXPECT_FALSE(result); - EXPECT_EQ(ErrorCode::kCastV2SenderNonceMismatch, result.error().code()); + EXPECT_EQ(Error::Code::kCastV2SenderNonceMismatch, result.error().code()); } TEST_F(CastAuthUtilTest, VerifySenderNonceMissing) { @@ -266,40 +269,36 @@ TEST_F(CastAuthUtilTest, VerifySenderNonceMissing) { ErrorOr<CastDeviceCertPolicy> result = context.VerifySenderNonce(received_nonce, true); EXPECT_FALSE(result); - EXPECT_EQ(ErrorCode::kCastV2SenderNonceMismatch, result.error().code()); + EXPECT_EQ(Error::Code::kCastV2SenderNonceMismatch, result.error().code()); } TEST_F(CastAuthUtilTest, VerifyTLSCertificateSuccess) { - std::vector<std::string> tls_cert_der = - certificate::testing::ReadCertificatesFromPemFile( - TEST_DATA_PREFIX "certificates/test_tls_cert.pem"); + std::vector<std::string> tls_cert_der = testing::ReadCertificatesFromPemFile( + TEST_DATA_PREFIX "certificates/test_tls_cert.pem"); std::string& der_cert = tls_cert_der[0]; const uint8_t* data = (const uint8_t*)der_cert.data(); X509* tls_cert = d2i_X509(nullptr, &data, der_cert.size()); - certificate::DateTime not_before; - certificate::DateTime not_after; - ASSERT_TRUE( - certificate::GetCertValidTimeRange(tls_cert, ¬_before, ¬_after)); + DateTime not_before; + DateTime not_after; + ASSERT_TRUE(GetCertValidTimeRange(tls_cert, ¬_before, ¬_after)); uint64_t x; ASSERT_TRUE(ConvertTimeSeconds(not_before, &x)); std::chrono::seconds s(x); - const openscreen::Error result = VerifyTLSCertificateValidity(tls_cert, s); + const Error result = VerifyTLSCertificateValidity(tls_cert, s); EXPECT_TRUE(result.ok()); X509_free(tls_cert); } TEST_F(CastAuthUtilTest, VerifyTLSCertificateTooEarly) { - std::vector<std::string> tls_cert_der = - certificate::testing::ReadCertificatesFromPemFile( - TEST_DATA_PREFIX "certificates/test_tls_cert.pem"); + std::vector<std::string> tls_cert_der = testing::ReadCertificatesFromPemFile( + TEST_DATA_PREFIX "certificates/test_tls_cert.pem"); std::string& der_cert = tls_cert_der[0]; const uint8_t* data = (const uint8_t*)der_cert.data(); X509* tls_cert = d2i_X509(nullptr, &data, der_cert.size()); - certificate::DateTime not_before; - certificate::DateTime not_after; - ASSERT_TRUE( - certificate::GetCertValidTimeRange(tls_cert, ¬_before, ¬_after)); + DateTime not_before; + DateTime not_after; + ASSERT_TRUE(GetCertValidTimeRange(tls_cert, ¬_before, ¬_after)); uint64_t x; ASSERT_TRUE(ConvertTimeSeconds(not_before, &x)); std::chrono::seconds s(x - 1); @@ -307,22 +306,20 @@ TEST_F(CastAuthUtilTest, VerifyTLSCertificateTooEarly) { ErrorOr<CastDeviceCertPolicy> result = VerifyTLSCertificateValidity(tls_cert, s); EXPECT_FALSE(result); - EXPECT_EQ(ErrorCode::kCastV2TlsCertValidStartDateInFuture, + EXPECT_EQ(Error::Code::kCastV2TlsCertValidStartDateInFuture, result.error().code()); X509_free(tls_cert); } TEST_F(CastAuthUtilTest, VerifyTLSCertificateTooLate) { - std::vector<std::string> tls_cert_der = - certificate::testing::ReadCertificatesFromPemFile( - TEST_DATA_PREFIX "certificates/test_tls_cert.pem"); + std::vector<std::string> tls_cert_der = testing::ReadCertificatesFromPemFile( + TEST_DATA_PREFIX "certificates/test_tls_cert.pem"); std::string& der_cert = tls_cert_der[0]; const uint8_t* data = (const uint8_t*)der_cert.data(); X509* tls_cert = d2i_X509(nullptr, &data, der_cert.size()); - certificate::DateTime not_before; - certificate::DateTime not_after; - ASSERT_TRUE( - certificate::GetCertValidTimeRange(tls_cert, ¬_before, ¬_after)); + DateTime not_before; + DateTime not_after; + ASSERT_TRUE(GetCertValidTimeRange(tls_cert, ¬_before, ¬_after)); uint64_t x; ASSERT_TRUE(ConvertTimeSeconds(not_after, &x)); std::chrono::seconds s(x + 2); @@ -330,7 +327,7 @@ TEST_F(CastAuthUtilTest, VerifyTLSCertificateTooLate) { ErrorOr<CastDeviceCertPolicy> result = VerifyTLSCertificateValidity(tls_cert, s); EXPECT_FALSE(result); - EXPECT_EQ(ErrorCode::kCastV2TlsCertExpired, result.error().code()); + EXPECT_EQ(Error::Code::kCastV2TlsCertExpired, result.error().code()); X509_free(tls_cert); } @@ -348,10 +345,10 @@ enum TestStepResult { ErrorOr<CastDeviceCertPolicy> TestVerifyRevocation( const std::vector<std::string>& certificate_chain, const std::string& crl_bundle, - const certificate::DateTime& verification_time, + const DateTime& verification_time, bool crl_required, - certificate::TrustStore* cast_trust_store, - certificate::TrustStore* crl_trust_store) { + TrustStore* cast_trust_store, + TrustStore* crl_trust_store) { AuthResponse response; if (certificate_chain.size() > 0) { @@ -363,9 +360,9 @@ ErrorOr<CastDeviceCertPolicy> TestVerifyRevocation( response.set_crl(crl_bundle); - certificate::CRLPolicy crl_policy = certificate::CRLPolicy::kCrlRequired; + CRLPolicy crl_policy = CRLPolicy::kCrlRequired; if (!crl_required && crl_bundle.empty()) - crl_policy = certificate::CRLPolicy::kCrlOptional; + crl_policy = CRLPolicy::kCrlOptional; ErrorOr<CastDeviceCertPolicy> result = VerifyCredentialsForTest(response, "", crl_policy, cast_trust_store, crl_trust_store, verification_time); @@ -375,13 +372,13 @@ ErrorOr<CastDeviceCertPolicy> TestVerifyRevocation( } // Runs a single test case. -bool RunTest(const certificate::DeviceCertTest& test_case) { - std::unique_ptr<certificate::TrustStore> crl_trust_store; - std::unique_ptr<certificate::TrustStore> cast_trust_store; +bool RunTest(const DeviceCertTest& test_case) { + std::unique_ptr<TrustStore> crl_trust_store; + std::unique_ptr<TrustStore> cast_trust_store; if (test_case.use_test_trust_anchors()) { - crl_trust_store = certificate::testing::CreateTrustStoreFromPemFile( + crl_trust_store = testing::CreateTrustStoreFromPemFile( TEST_DATA_PREFIX "certificates/cast_crl_test_root_ca.pem"); - cast_trust_store = certificate::testing::CreateTrustStoreFromPemFile( + cast_trust_store = testing::CreateTrustStoreFromPemFile( TEST_DATA_PREFIX "certificates/cast_test_root_ca.pem"); EXPECT_FALSE(crl_trust_store->certs.empty()); @@ -394,51 +391,49 @@ bool RunTest(const certificate::DeviceCertTest& test_case) { } // CastAuthUtil verifies the CRL at the same time as the certificate. - certificate::DateTime verification_time; + DateTime verification_time; uint64_t cert_verify_time = test_case.cert_verification_time_seconds(); if (!cert_verify_time) { cert_verify_time = test_case.crl_verification_time_seconds(); } - OSP_DCHECK( - certificate::DateTimeFromSeconds(cert_verify_time, &verification_time)); + OSP_DCHECK(DateTimeFromSeconds(cert_verify_time, &verification_time)); std::string crl_bundle = test_case.crl_bundle(); - ErrorOr<CastDeviceCertPolicy> result( - certificate::CastDeviceCertPolicy::kUnrestricted); + ErrorOr<CastDeviceCertPolicy> result(CastDeviceCertPolicy::kUnrestricted); switch (test_case.expected_result()) { - case certificate::PATH_VERIFICATION_FAILED: + case PATH_VERIFICATION_FAILED: result = TestVerifyRevocation( certificate_chain, crl_bundle, verification_time, false, cast_trust_store.get(), crl_trust_store.get()); EXPECT_EQ(result.error().code(), - ErrorCode::kCastV2CertNotSignedByTrustedCa); + Error::Code::kCastV2CertNotSignedByTrustedCa); return result.error().code() == - ErrorCode::kCastV2CertNotSignedByTrustedCa; - case certificate::CRL_VERIFICATION_FAILED: + Error::Code::kCastV2CertNotSignedByTrustedCa; + case CRL_VERIFICATION_FAILED: // Fall-through intended. - case certificate::REVOCATION_CHECK_FAILED_WITHOUT_CRL: + case REVOCATION_CHECK_FAILED_WITHOUT_CRL: result = TestVerifyRevocation( certificate_chain, crl_bundle, verification_time, true, cast_trust_store.get(), crl_trust_store.get()); - EXPECT_EQ(result.error().code(), ErrorCode::kErrCrlInvalid); - return result.error().code() == ErrorCode::kErrCrlInvalid; - case certificate::CRL_EXPIRED_AFTER_INITIAL_VERIFICATION: + EXPECT_EQ(result.error().code(), Error::Code::kErrCrlInvalid); + return result.error().code() == Error::Code::kErrCrlInvalid; + case CRL_EXPIRED_AFTER_INITIAL_VERIFICATION: // By-pass this test because CRL is always verified at the time the // certificate is verified. return true; - case certificate::REVOCATION_CHECK_FAILED: + case REVOCATION_CHECK_FAILED: result = TestVerifyRevocation( certificate_chain, crl_bundle, verification_time, true, cast_trust_store.get(), crl_trust_store.get()); - EXPECT_EQ(result.error().code(), ErrorCode::kErrCertsRevoked); - return result.error().code() == ErrorCode::kErrCertsRevoked; - case certificate::SUCCESS: + EXPECT_EQ(result.error().code(), Error::Code::kErrCertsRevoked); + return result.error().code() == Error::Code::kErrCertsRevoked; + case SUCCESS: result = TestVerifyRevocation( certificate_chain, crl_bundle, verification_time, false, cast_trust_store.get(), crl_trust_store.get()); - EXPECT_EQ(result.error().code(), ErrorCode::kCastV2SignedBlobsMismatch); - return result.error().code() == ErrorCode::kCastV2SignedBlobsMismatch; - case certificate::UNSPECIFIED: + EXPECT_EQ(result.error().code(), Error::Code::kCastV2SignedBlobsMismatch); + return result.error().code() == Error::Code::kCastV2SignedBlobsMismatch; + case UNSPECIFIED: return false; } return false; @@ -449,9 +444,8 @@ bool RunTest(const certificate::DeviceCertTest& test_case) { // To see the description of the test, execute the test. // These tests are generated by a test generator in google3. void RunTestSuite(const std::string& test_suite_file_name) { - std::string testsuite_raw = - openscreen::ReadEntireFileToString(test_suite_file_name); - certificate::DeviceCertTestSuite test_suite; + std::string testsuite_raw = ReadEntireFileToString(test_suite_file_name); + DeviceCertTestSuite test_suite; EXPECT_TRUE(test_suite.ParseFromString(testsuite_raw)); uint16_t successes = 0; @@ -470,5 +464,5 @@ TEST_F(CastAuthUtilTest, CRLTestSuite) { } } // namespace -} // namespace channel } // namespace cast +} // namespace openscreen |