mirror of https://github.com/grpc/grpc-go.git
advancedtls: add field names for unit tests (#3570)
* advancedtls: add field names for unit tests
This commit is contained in:
parent
4eb418e5b2
commit
d70354e6e2
@ -217,7 +217,6 @@ func TestEnd2End(t *testing.T) {
|
||||||
// by serverTrust2.
|
// by serverTrust2.
|
||||||
{
|
{
|
||||||
desc: "TestClientPeerCertReloadServerTrustCertReload",
|
desc: "TestClientPeerCertReloadServerTrustCertReload",
|
||||||
clientCert: nil,
|
|
||||||
clientGetCert: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
clientGetCert: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||||
switch stage.read() {
|
switch stage.read() {
|
||||||
case 0:
|
case 0:
|
||||||
|
@ -226,15 +225,12 @@ func TestEnd2End(t *testing.T) {
|
||||||
return &cs.clientPeer2, nil
|
return &cs.clientPeer2, nil
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
clientGetRoot: nil,
|
|
||||||
clientRoot: cs.clientTrust1,
|
clientRoot: cs.clientTrust1,
|
||||||
clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
||||||
return &VerificationResults{}, nil
|
return &VerificationResults{}, nil
|
||||||
},
|
},
|
||||||
clientVType: CertVerification,
|
clientVType: CertVerification,
|
||||||
serverCert: []tls.Certificate{cs.serverPeer1},
|
serverCert: []tls.Certificate{cs.serverPeer1},
|
||||||
serverGetCert: nil,
|
|
||||||
serverRoot: nil,
|
|
||||||
serverGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
|
serverGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
|
||||||
switch stage.read() {
|
switch stage.read() {
|
||||||
case 0, 1:
|
case 0, 1:
|
||||||
|
@ -263,7 +259,6 @@ func TestEnd2End(t *testing.T) {
|
||||||
{
|
{
|
||||||
desc: "TestServerPeerCertReloadClientTrustCertReload",
|
desc: "TestServerPeerCertReloadClientTrustCertReload",
|
||||||
clientCert: []tls.Certificate{cs.clientPeer1},
|
clientCert: []tls.Certificate{cs.clientPeer1},
|
||||||
clientGetCert: nil,
|
|
||||||
clientGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
|
clientGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
|
||||||
switch stage.read() {
|
switch stage.read() {
|
||||||
case 0, 1:
|
case 0, 1:
|
||||||
|
@ -272,12 +267,10 @@ func TestEnd2End(t *testing.T) {
|
||||||
return &GetRootCAsResults{TrustCerts: cs.clientTrust2}, nil
|
return &GetRootCAsResults{TrustCerts: cs.clientTrust2}, nil
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
clientRoot: nil,
|
|
||||||
clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
||||||
return &VerificationResults{}, nil
|
return &VerificationResults{}, nil
|
||||||
},
|
},
|
||||||
clientVType: CertVerification,
|
clientVType: CertVerification,
|
||||||
serverCert: nil,
|
|
||||||
serverGetCert: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
|
serverGetCert: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
switch stage.read() {
|
switch stage.read() {
|
||||||
case 0:
|
case 0:
|
||||||
|
@ -287,7 +280,6 @@ func TestEnd2End(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
serverRoot: cs.serverTrust1,
|
serverRoot: cs.serverTrust1,
|
||||||
serverGetRoot: nil,
|
|
||||||
serverVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
serverVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
||||||
return &VerificationResults{}, nil
|
return &VerificationResults{}, nil
|
||||||
},
|
},
|
||||||
|
@ -309,7 +301,6 @@ func TestEnd2End(t *testing.T) {
|
||||||
{
|
{
|
||||||
desc: "TestClientCustomVerification",
|
desc: "TestClientCustomVerification",
|
||||||
clientCert: []tls.Certificate{cs.clientPeer1},
|
clientCert: []tls.Certificate{cs.clientPeer1},
|
||||||
clientGetCert: nil,
|
|
||||||
clientGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
|
clientGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
|
||||||
switch stage.read() {
|
switch stage.read() {
|
||||||
case 0:
|
case 0:
|
||||||
|
@ -318,7 +309,6 @@ func TestEnd2End(t *testing.T) {
|
||||||
return &GetRootCAsResults{TrustCerts: cs.clientTrust2}, nil
|
return &GetRootCAsResults{TrustCerts: cs.clientTrust2}, nil
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
clientRoot: nil,
|
|
||||||
clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
||||||
if len(params.RawCerts) == 0 {
|
if len(params.RawCerts) == 0 {
|
||||||
return nil, fmt.Errorf("no peer certs")
|
return nil, fmt.Errorf("no peer certs")
|
||||||
|
@ -346,7 +336,6 @@ func TestEnd2End(t *testing.T) {
|
||||||
return nil, fmt.Errorf("custom authz check fails")
|
return nil, fmt.Errorf("custom authz check fails")
|
||||||
},
|
},
|
||||||
clientVType: CertVerification,
|
clientVType: CertVerification,
|
||||||
serverCert: nil,
|
|
||||||
serverGetCert: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
|
serverGetCert: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
switch stage.read() {
|
switch stage.read() {
|
||||||
case 0:
|
case 0:
|
||||||
|
@ -356,7 +345,6 @@ func TestEnd2End(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
serverRoot: cs.serverTrust1,
|
serverRoot: cs.serverTrust1,
|
||||||
serverGetRoot: nil,
|
|
||||||
serverVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
serverVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
||||||
return &VerificationResults{}, nil
|
return &VerificationResults{}, nil
|
||||||
},
|
},
|
||||||
|
@ -376,17 +364,13 @@ func TestEnd2End(t *testing.T) {
|
||||||
{
|
{
|
||||||
desc: "TestServerCustomVerification",
|
desc: "TestServerCustomVerification",
|
||||||
clientCert: []tls.Certificate{cs.clientPeer1},
|
clientCert: []tls.Certificate{cs.clientPeer1},
|
||||||
clientGetCert: nil,
|
|
||||||
clientGetRoot: nil,
|
|
||||||
clientRoot: cs.clientTrust1,
|
clientRoot: cs.clientTrust1,
|
||||||
clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
||||||
return &VerificationResults{}, nil
|
return &VerificationResults{}, nil
|
||||||
},
|
},
|
||||||
clientVType: CertVerification,
|
clientVType: CertVerification,
|
||||||
serverCert: []tls.Certificate{cs.serverPeer1},
|
serverCert: []tls.Certificate{cs.serverPeer1},
|
||||||
serverGetCert: nil,
|
|
||||||
serverRoot: cs.serverTrust1,
|
serverRoot: cs.serverTrust1,
|
||||||
serverGetRoot: nil,
|
|
||||||
serverVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
serverVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) {
|
||||||
switch stage.read() {
|
switch stage.read() {
|
||||||
case 0, 2:
|
case 0, 2:
|
||||||
|
|
|
@ -73,7 +73,7 @@ func TestClientServerHandshake(t *testing.T) {
|
||||||
for _, test := range []struct {
|
for _, test := range []struct {
|
||||||
desc string
|
desc string
|
||||||
clientCert []tls.Certificate
|
clientCert []tls.Certificate
|
||||||
clientGetClientCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
|
clientGetCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
|
||||||
clientRoot *x509.CertPool
|
clientRoot *x509.CertPool
|
||||||
clientGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error)
|
clientGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error)
|
||||||
clientVerifyFunc CustomVerificationFunc
|
clientVerifyFunc CustomVerificationFunc
|
||||||
|
@ -97,47 +97,24 @@ func TestClientServerHandshake(t *testing.T) {
|
||||||
// even setting vType to SkipVerification. Clients should at least provide
|
// even setting vType to SkipVerification. Clients should at least provide
|
||||||
// their own verification logic.
|
// their own verification logic.
|
||||||
{
|
{
|
||||||
"Client_no_trust_cert_Server_peer_cert",
|
desc: "Client has no trust cert; server sends peer cert",
|
||||||
nil,
|
clientVType: SkipVerification,
|
||||||
nil,
|
clientExpectCreateError: true,
|
||||||
nil,
|
serverCert: []tls.Certificate{serverPeerCert},
|
||||||
nil,
|
serverVType: CertAndHostVerification,
|
||||||
nil,
|
serverExpectError: true,
|
||||||
SkipVerification,
|
|
||||||
true,
|
|
||||||
false,
|
|
||||||
false,
|
|
||||||
[]tls.Certificate{serverPeerCert},
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
CertAndHostVerification,
|
|
||||||
true,
|
|
||||||
},
|
},
|
||||||
// Client: nil setting except verifyFuncGood
|
// Client: nil setting except verifyFuncGood
|
||||||
// Server: only set serverCert with mutual TLS off
|
// Server: only set serverCert with mutual TLS off
|
||||||
// Expected Behavior: success
|
// Expected Behavior: success
|
||||||
// Reason: we will use verifyFuncGood to verify the server,
|
// Reason: we will use verifyFuncGood to verify the server,
|
||||||
// if either clientCert or clientGetClientCert is not set
|
// if either clientCert or clientGetCert is not set
|
||||||
{
|
{
|
||||||
"Client_no_trust_cert_verifyFuncGood_Server_peer_cert",
|
desc: "Client has no trust cert with verifyFuncGood; server sends peer cert",
|
||||||
nil,
|
clientVerifyFunc: verifyFuncGood,
|
||||||
nil,
|
clientVType: SkipVerification,
|
||||||
nil,
|
serverCert: []tls.Certificate{serverPeerCert},
|
||||||
nil,
|
serverVType: CertAndHostVerification,
|
||||||
verifyFuncGood,
|
|
||||||
SkipVerification,
|
|
||||||
false,
|
|
||||||
false,
|
|
||||||
false,
|
|
||||||
[]tls.Certificate{serverPeerCert},
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
CertAndHostVerification,
|
|
||||||
false,
|
|
||||||
},
|
},
|
||||||
// Client: only set clientRoot
|
// Client: only set clientRoot
|
||||||
// Server: only set serverCert with mutual TLS off
|
// Server: only set serverCert with mutual TLS off
|
||||||
|
@ -146,23 +123,13 @@ func TestClientServerHandshake(t *testing.T) {
|
||||||
// default hostname check. All the default hostname checks will fail in
|
// default hostname check. All the default hostname checks will fail in
|
||||||
// this test suites.
|
// this test suites.
|
||||||
{
|
{
|
||||||
"Client_root_cert_Server_peer_cert",
|
desc: "Client has root cert; server sends peer cert",
|
||||||
nil,
|
clientRoot: clientTrustPool,
|
||||||
nil,
|
clientVType: CertAndHostVerification,
|
||||||
clientTrustPool,
|
clientExpectHandshakeError: true,
|
||||||
nil,
|
serverCert: []tls.Certificate{serverPeerCert},
|
||||||
nil,
|
serverVType: CertAndHostVerification,
|
||||||
CertAndHostVerification,
|
serverExpectError: true,
|
||||||
false,
|
|
||||||
true,
|
|
||||||
false,
|
|
||||||
[]tls.Certificate{serverPeerCert},
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
CertAndHostVerification,
|
|
||||||
true,
|
|
||||||
},
|
},
|
||||||
// Client: only set clientGetRoot
|
// Client: only set clientGetRoot
|
||||||
// Server: only set serverCert with mutual TLS off
|
// Server: only set serverCert with mutual TLS off
|
||||||
|
@ -171,113 +138,64 @@ func TestClientServerHandshake(t *testing.T) {
|
||||||
// default hostname check. All the default hostname checks will fail in
|
// default hostname check. All the default hostname checks will fail in
|
||||||
// this test suites.
|
// this test suites.
|
||||||
{
|
{
|
||||||
"Client_reload_root_Server_peer_cert",
|
desc: "Client sets reload root function; server sends peer cert",
|
||||||
nil,
|
clientGetRoot: getRootCAsForClient,
|
||||||
nil,
|
clientVType: CertAndHostVerification,
|
||||||
nil,
|
clientExpectHandshakeError: true,
|
||||||
getRootCAsForClient,
|
serverCert: []tls.Certificate{serverPeerCert},
|
||||||
nil,
|
serverVType: CertAndHostVerification,
|
||||||
CertAndHostVerification,
|
serverExpectError: true,
|
||||||
false,
|
|
||||||
true,
|
|
||||||
false,
|
|
||||||
[]tls.Certificate{serverPeerCert},
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
CertAndHostVerification,
|
|
||||||
true,
|
|
||||||
},
|
},
|
||||||
// Client: set clientGetRoot and clientVerifyFunc
|
// Client: set clientGetRoot and clientVerifyFunc
|
||||||
// Server: only set serverCert with mutual TLS off
|
// Server: only set serverCert with mutual TLS off
|
||||||
// Expected Behavior: success
|
// Expected Behavior: success
|
||||||
{
|
{
|
||||||
"Client_reload_root_verifyFuncGood_Server_peer_cert",
|
desc: "Client sets reload root function with verifyFuncGood; server sends peer cert",
|
||||||
nil,
|
clientGetRoot: getRootCAsForClient,
|
||||||
nil,
|
clientVerifyFunc: verifyFuncGood,
|
||||||
nil,
|
clientVType: CertVerification,
|
||||||
getRootCAsForClient,
|
serverCert: []tls.Certificate{serverPeerCert},
|
||||||
verifyFuncGood,
|
serverVType: CertAndHostVerification,
|
||||||
CertVerification,
|
|
||||||
false,
|
|
||||||
false,
|
|
||||||
false,
|
|
||||||
[]tls.Certificate{serverPeerCert},
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
CertAndHostVerification,
|
|
||||||
false,
|
|
||||||
},
|
},
|
||||||
// Client: set clientGetRoot and bad clientVerifyFunc function
|
// Client: set clientGetRoot and bad clientVerifyFunc function
|
||||||
// Server: only set serverCert with mutual TLS off
|
// Server: only set serverCert with mutual TLS off
|
||||||
// Expected Behavior: server side failure and client handshake failure
|
// Expected Behavior: server side failure and client handshake failure
|
||||||
// Reason: custom verification function is bad
|
// Reason: custom verification function is bad
|
||||||
{
|
{
|
||||||
"Client_reload_root_verifyFuncBad_Server_peer_cert",
|
desc: "Client sets reload root function with verifyFuncBad; server sends peer cert",
|
||||||
nil,
|
clientGetRoot: getRootCAsForClient,
|
||||||
nil,
|
clientVerifyFunc: verifyFuncBad,
|
||||||
nil,
|
clientVType: CertVerification,
|
||||||
getRootCAsForClient,
|
clientExpectHandshakeError: true,
|
||||||
verifyFuncBad,
|
serverCert: []tls.Certificate{serverPeerCert},
|
||||||
CertVerification,
|
serverVType: CertVerification,
|
||||||
false,
|
serverExpectError: true,
|
||||||
true,
|
|
||||||
false,
|
|
||||||
[]tls.Certificate{serverPeerCert},
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
CertVerification,
|
|
||||||
true,
|
|
||||||
},
|
},
|
||||||
// Client: set clientGetRoot and clientVerifyFunc
|
// Client: set clientGetRoot and clientVerifyFunc
|
||||||
// Server: nil setting
|
// Server: nil setting
|
||||||
// Expected Behavior: server side failure
|
// Expected Behavior: server side failure
|
||||||
// Reason: server side must either set serverCert or serverGetCert
|
// Reason: server side must either set serverCert or serverGetCert
|
||||||
{
|
{
|
||||||
"Client_reload_root_verifyFuncGood_Server_nil",
|
desc: "Client sets reload root function with verifyFuncGood; server sets nil",
|
||||||
nil,
|
clientGetRoot: getRootCAsForClient,
|
||||||
nil,
|
clientVerifyFunc: verifyFuncGood,
|
||||||
nil,
|
clientVType: CertVerification,
|
||||||
getRootCAsForClient,
|
serverVType: CertVerification,
|
||||||
verifyFuncGood,
|
serverExpectError: true,
|
||||||
CertVerification,
|
|
||||||
false,
|
|
||||||
false,
|
|
||||||
false,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
CertVerification,
|
|
||||||
true,
|
|
||||||
},
|
},
|
||||||
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
||||||
// Server: set serverRoot and serverCert with mutual TLS on
|
// Server: set serverRoot and serverCert with mutual TLS on
|
||||||
// Expected Behavior: success
|
// Expected Behavior: success
|
||||||
{
|
{
|
||||||
"Client_peer_cert_reload_root_verifyFuncGood_Server_peer_cert_root_cert_mutualTLS",
|
desc: "Client sets peer cert, reload root function with verifyFuncGood; server sets peer cert and root cert; mutualTLS",
|
||||||
[]tls.Certificate{clientPeerCert},
|
clientCert: []tls.Certificate{clientPeerCert},
|
||||||
nil,
|
clientGetRoot: getRootCAsForClient,
|
||||||
nil,
|
clientVerifyFunc: verifyFuncGood,
|
||||||
getRootCAsForClient,
|
clientVType: CertVerification,
|
||||||
verifyFuncGood,
|
serverMutualTLS: true,
|
||||||
CertVerification,
|
serverCert: []tls.Certificate{serverPeerCert},
|
||||||
false,
|
serverRoot: serverTrustPool,
|
||||||
false,
|
serverVType: CertVerification,
|
||||||
true,
|
|
||||||
[]tls.Certificate{serverPeerCert},
|
|
||||||
nil,
|
|
||||||
serverTrustPool,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
CertVerification,
|
|
||||||
false,
|
|
||||||
},
|
},
|
||||||
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
||||||
// Server: set serverCert, but not setting any of serverRoot, serverGetRoot
|
// Server: set serverCert, but not setting any of serverRoot, serverGetRoot
|
||||||
|
@ -287,45 +205,30 @@ func TestClientServerHandshake(t *testing.T) {
|
||||||
// mTLS in on, even setting vType to SkipVerification. Servers should at
|
// mTLS in on, even setting vType to SkipVerification. Servers should at
|
||||||
// least provide their own verification logic.
|
// least provide their own verification logic.
|
||||||
{
|
{
|
||||||
"Client_peer_cert_reload_root_verifyFuncGood_Server_no_verification_mutualTLS",
|
desc: "Client sets peer cert, reload root function with verifyFuncGood; server sets no verification; mutualTLS",
|
||||||
[]tls.Certificate{clientPeerCert},
|
clientCert: []tls.Certificate{clientPeerCert},
|
||||||
nil,
|
clientGetRoot: getRootCAsForClient,
|
||||||
nil,
|
clientVerifyFunc: verifyFuncGood,
|
||||||
getRootCAsForClient,
|
clientVType: CertVerification,
|
||||||
verifyFuncGood,
|
clientExpectHandshakeError: true,
|
||||||
CertVerification,
|
serverMutualTLS: true,
|
||||||
false,
|
serverCert: []tls.Certificate{serverPeerCert},
|
||||||
true,
|
serverVType: SkipVerification,
|
||||||
true,
|
serverExpectError: true,
|
||||||
[]tls.Certificate{serverPeerCert},
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
SkipVerification,
|
|
||||||
true,
|
|
||||||
},
|
},
|
||||||
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
||||||
// Server: set serverGetRoot and serverCert with mutual TLS on
|
// Server: set serverGetRoot and serverCert with mutual TLS on
|
||||||
// Expected Behavior: success
|
// Expected Behavior: success
|
||||||
{
|
{
|
||||||
"Client_peer_cert_reload_root_verifyFuncGood_Server_peer_cert_reload_root_mutualTLS",
|
desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, reload root function; mutualTLS",
|
||||||
[]tls.Certificate{clientPeerCert},
|
clientCert: []tls.Certificate{clientPeerCert},
|
||||||
nil,
|
clientGetRoot: getRootCAsForClient,
|
||||||
nil,
|
clientVerifyFunc: verifyFuncGood,
|
||||||
getRootCAsForClient,
|
clientVType: CertVerification,
|
||||||
verifyFuncGood,
|
serverMutualTLS: true,
|
||||||
CertVerification,
|
serverCert: []tls.Certificate{serverPeerCert},
|
||||||
false,
|
serverGetRoot: getRootCAsForServer,
|
||||||
false,
|
serverVType: CertVerification,
|
||||||
true,
|
|
||||||
[]tls.Certificate{serverPeerCert},
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
getRootCAsForServer,
|
|
||||||
nil,
|
|
||||||
CertVerification,
|
|
||||||
false,
|
|
||||||
},
|
},
|
||||||
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
||||||
// Server: set serverGetRoot returning error and serverCert with mutual
|
// Server: set serverGetRoot returning error and serverCert with mutual
|
||||||
|
@ -333,49 +236,35 @@ func TestClientServerHandshake(t *testing.T) {
|
||||||
// Expected Behavior: server side failure
|
// Expected Behavior: server side failure
|
||||||
// Reason: server side reloading returns failure
|
// Reason: server side reloading returns failure
|
||||||
{
|
{
|
||||||
"Client_peer_cert_reload_root_verifyFuncGood_Server_peer_cert_bad_reload_root_mutualTLS",
|
desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, bad reload root function; mutualTLS",
|
||||||
[]tls.Certificate{clientPeerCert},
|
clientCert: []tls.Certificate{clientPeerCert},
|
||||||
nil,
|
clientGetRoot: getRootCAsForClient,
|
||||||
nil,
|
clientVerifyFunc: verifyFuncGood,
|
||||||
getRootCAsForClient,
|
clientVType: CertVerification,
|
||||||
verifyFuncGood,
|
serverMutualTLS: true,
|
||||||
CertVerification,
|
serverCert: []tls.Certificate{serverPeerCert},
|
||||||
false,
|
serverGetRoot: getRootCAsForServerBad,
|
||||||
false,
|
serverVType: CertVerification,
|
||||||
true,
|
serverExpectError: true,
|
||||||
[]tls.Certificate{serverPeerCert},
|
|
||||||
nil,
|
|
||||||
nil,
|
|
||||||
getRootCAsForServerBad,
|
|
||||||
nil,
|
|
||||||
CertVerification,
|
|
||||||
true,
|
|
||||||
},
|
},
|
||||||
// Client: set clientGetRoot, clientVerifyFunc and clientGetClientCert
|
// Client: set clientGetRoot, clientVerifyFunc and clientGetCert
|
||||||
// Server: set serverGetRoot and serverGetCert with mutual TLS on
|
// Server: set serverGetRoot and serverGetCert with mutual TLS on
|
||||||
// Expected Behavior: success
|
// Expected Behavior: success
|
||||||
{
|
{
|
||||||
"Client_reload_both_certs_verifyFuncGood_Server_reload_both_certs_mutualTLS",
|
desc: "Client sets reload peer/root function with verifyFuncGood; Server sets reload peer/root function with verifyFuncGood; mutualTLS",
|
||||||
nil,
|
clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||||
func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
|
||||||
return &clientPeerCert, nil
|
return &clientPeerCert, nil
|
||||||
},
|
},
|
||||||
nil,
|
clientGetRoot: getRootCAsForClient,
|
||||||
getRootCAsForClient,
|
clientVerifyFunc: verifyFuncGood,
|
||||||
verifyFuncGood,
|
clientVType: CertVerification,
|
||||||
CertVerification,
|
serverMutualTLS: true,
|
||||||
false,
|
serverGetCert: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
false,
|
|
||||||
true,
|
|
||||||
nil,
|
|
||||||
func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
||||||
return &serverPeerCert, nil
|
return &serverPeerCert, nil
|
||||||
},
|
},
|
||||||
nil,
|
serverGetRoot: getRootCAsForServer,
|
||||||
getRootCAsForServer,
|
serverVerifyFunc: verifyFuncGood,
|
||||||
verifyFuncGood,
|
serverVType: CertVerification,
|
||||||
CertVerification,
|
|
||||||
false,
|
|
||||||
},
|
},
|
||||||
// Client: set everything but with the wrong peer cert not trusted by
|
// Client: set everything but with the wrong peer cert not trusted by
|
||||||
// server
|
// server
|
||||||
|
@ -383,54 +272,43 @@ func TestClientServerHandshake(t *testing.T) {
|
||||||
// Expected Behavior: server side returns failure because of
|
// Expected Behavior: server side returns failure because of
|
||||||
// certificate mismatch
|
// certificate mismatch
|
||||||
{
|
{
|
||||||
"Client_wrong_peer_cert_Server_reload_both_certs_mutualTLS",
|
desc: "Client sends wrong peer cert; Server sets reload peer/root function with verifyFuncGood; mutualTLS",
|
||||||
nil,
|
clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||||
func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
|
||||||
return &serverPeerCert, nil
|
return &serverPeerCert, nil
|
||||||
},
|
},
|
||||||
nil,
|
clientGetRoot: getRootCAsForClient,
|
||||||
getRootCAsForClient,
|
clientVerifyFunc: verifyFuncGood,
|
||||||
verifyFuncGood,
|
clientVType: CertVerification,
|
||||||
CertVerification,
|
serverMutualTLS: true,
|
||||||
false,
|
serverGetCert: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
false,
|
|
||||||
true,
|
|
||||||
nil,
|
|
||||||
func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
||||||
return &serverPeerCert, nil
|
return &serverPeerCert, nil
|
||||||
},
|
},
|
||||||
nil,
|
serverGetRoot: getRootCAsForServer,
|
||||||
getRootCAsForServer,
|
serverVerifyFunc: verifyFuncGood,
|
||||||
verifyFuncGood,
|
serverVType: CertVerification,
|
||||||
CertVerification,
|
serverExpectError: true,
|
||||||
true,
|
|
||||||
},
|
},
|
||||||
// Client: set everything but with the wrong trust cert not trusting server
|
// Client: set everything but with the wrong trust cert not trusting server
|
||||||
// Server: set serverGetRoot and serverGetCert with mutual TLS on
|
// Server: set serverGetRoot and serverGetCert with mutual TLS on
|
||||||
// Expected Behavior: server side and client side return failure due to
|
// Expected Behavior: server side and client side return failure due to
|
||||||
// certificate mismatch and handshake failure
|
// certificate mismatch and handshake failure
|
||||||
{
|
{
|
||||||
"Client_wrong_trust_cert_Server_reload_both_certs_mutualTLS",
|
desc: "Client has wrong trust cert; Server sets reload peer/root function with verifyFuncGood; mutualTLS",
|
||||||
nil,
|
clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||||
func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
|
||||||
return &clientPeerCert, nil
|
return &clientPeerCert, nil
|
||||||
},
|
},
|
||||||
nil,
|
clientGetRoot: getRootCAsForServer,
|
||||||
getRootCAsForServer,
|
clientVerifyFunc: verifyFuncGood,
|
||||||
verifyFuncGood,
|
clientVType: CertVerification,
|
||||||
CertVerification,
|
clientExpectHandshakeError: true,
|
||||||
false,
|
serverMutualTLS: true,
|
||||||
true,
|
serverGetCert: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
true,
|
|
||||||
nil,
|
|
||||||
func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
||||||
return &serverPeerCert, nil
|
return &serverPeerCert, nil
|
||||||
},
|
},
|
||||||
nil,
|
serverGetRoot: getRootCAsForServer,
|
||||||
getRootCAsForServer,
|
serverVerifyFunc: verifyFuncGood,
|
||||||
verifyFuncGood,
|
serverVType: CertVerification,
|
||||||
CertVerification,
|
serverExpectError: true,
|
||||||
true,
|
|
||||||
},
|
},
|
||||||
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
||||||
// Server: set everything but with the wrong peer cert not trusted by
|
// Server: set everything but with the wrong peer cert not trusted by
|
||||||
|
@ -438,77 +316,61 @@ func TestClientServerHandshake(t *testing.T) {
|
||||||
// Expected Behavior: server side and client side return failure due to
|
// Expected Behavior: server side and client side return failure due to
|
||||||
// certificate mismatch and handshake failure
|
// certificate mismatch and handshake failure
|
||||||
{
|
{
|
||||||
"Client_reload_both_certs_verifyFuncGood_Server_wrong_peer_cert",
|
desc: "Client sets reload peer/root function with verifyFuncGood; Server sends wrong peer cert; mutualTLS",
|
||||||
nil,
|
clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||||
func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
|
||||||
return &clientPeerCert, nil
|
return &clientPeerCert, nil
|
||||||
},
|
},
|
||||||
nil,
|
clientGetRoot: getRootCAsForClient,
|
||||||
getRootCAsForClient,
|
clientVerifyFunc: verifyFuncGood,
|
||||||
verifyFuncGood,
|
clientVType: CertVerification,
|
||||||
CertVerification,
|
serverMutualTLS: true,
|
||||||
false,
|
serverGetCert: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
false,
|
|
||||||
true,
|
|
||||||
nil,
|
|
||||||
func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
||||||
return &clientPeerCert, nil
|
return &clientPeerCert, nil
|
||||||
},
|
},
|
||||||
nil,
|
serverGetRoot: getRootCAsForServer,
|
||||||
getRootCAsForServer,
|
serverVerifyFunc: verifyFuncGood,
|
||||||
verifyFuncGood,
|
serverVType: CertVerification,
|
||||||
CertVerification,
|
serverExpectError: true,
|
||||||
true,
|
|
||||||
},
|
},
|
||||||
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
||||||
// Server: set everything but with the wrong trust cert not trusting client
|
// Server: set everything but with the wrong trust cert not trusting client
|
||||||
// Expected Behavior: server side and client side return failure due to
|
// Expected Behavior: server side and client side return failure due to
|
||||||
// certificate mismatch and handshake failure
|
// certificate mismatch and handshake failure
|
||||||
{
|
{
|
||||||
"Client_reload_both_certs_verifyFuncGood_Server_wrong_trust_cert",
|
desc: "Client sets reload peer/root function with verifyFuncGood; Server has wrong trust cert; mutualTLS",
|
||||||
nil,
|
clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||||
func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
|
||||||
return &clientPeerCert, nil
|
return &clientPeerCert, nil
|
||||||
},
|
},
|
||||||
nil,
|
clientGetRoot: getRootCAsForClient,
|
||||||
getRootCAsForClient,
|
clientVerifyFunc: verifyFuncGood,
|
||||||
verifyFuncGood,
|
clientVType: CertVerification,
|
||||||
CertVerification,
|
clientExpectHandshakeError: true,
|
||||||
false,
|
serverMutualTLS: true,
|
||||||
true,
|
serverGetCert: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
true,
|
|
||||||
nil,
|
|
||||||
func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
||||||
return &serverPeerCert, nil
|
return &serverPeerCert, nil
|
||||||
},
|
},
|
||||||
nil,
|
serverGetRoot: getRootCAsForClient,
|
||||||
getRootCAsForClient,
|
serverVerifyFunc: verifyFuncGood,
|
||||||
verifyFuncGood,
|
serverVType: CertVerification,
|
||||||
CertVerification,
|
serverExpectError: true,
|
||||||
true,
|
|
||||||
},
|
},
|
||||||
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
// Client: set clientGetRoot, clientVerifyFunc and clientCert
|
||||||
// Server: set serverGetRoot and serverCert, but with bad verifyFunc
|
// Server: set serverGetRoot and serverCert, but with bad verifyFunc
|
||||||
// Expected Behavior: server side and client side return failure due to
|
// Expected Behavior: server side and client side return failure due to
|
||||||
// server custom check fails
|
// server custom check fails
|
||||||
{
|
{
|
||||||
"Client_peer_cert_reload_root_verifyFuncGood_Server_bad_custom_verification_mutualTLS",
|
desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets bad custom check; mutualTLS",
|
||||||
[]tls.Certificate{clientPeerCert},
|
clientCert: []tls.Certificate{clientPeerCert},
|
||||||
nil,
|
clientGetRoot: getRootCAsForClient,
|
||||||
nil,
|
clientVerifyFunc: verifyFuncGood,
|
||||||
getRootCAsForClient,
|
clientVType: CertVerification,
|
||||||
verifyFuncGood,
|
clientExpectHandshakeError: true,
|
||||||
CertVerification,
|
serverMutualTLS: true,
|
||||||
false,
|
serverCert: []tls.Certificate{serverPeerCert},
|
||||||
true,
|
serverGetRoot: getRootCAsForServer,
|
||||||
true,
|
serverVerifyFunc: verifyFuncBad,
|
||||||
[]tls.Certificate{serverPeerCert},
|
serverVType: CertVerification,
|
||||||
nil,
|
serverExpectError: true,
|
||||||
nil,
|
|
||||||
getRootCAsForServer,
|
|
||||||
verifyFuncBad,
|
|
||||||
CertVerification,
|
|
||||||
true,
|
|
||||||
},
|
},
|
||||||
} {
|
} {
|
||||||
test := test
|
test := test
|
||||||
|
@ -560,7 +422,7 @@ func TestClientServerHandshake(t *testing.T) {
|
||||||
defer conn.Close()
|
defer conn.Close()
|
||||||
clientOptions := &ClientOptions{
|
clientOptions := &ClientOptions{
|
||||||
Certificates: test.clientCert,
|
Certificates: test.clientCert,
|
||||||
GetClientCertificate: test.clientGetClientCert,
|
GetClientCertificate: test.clientGetCert,
|
||||||
VerifyPeer: test.clientVerifyFunc,
|
VerifyPeer: test.clientVerifyFunc,
|
||||||
RootCertificateOptions: RootCertificateOptions{
|
RootCertificateOptions: RootCertificateOptions{
|
||||||
RootCACerts: test.clientRoot,
|
RootCACerts: test.clientRoot,
|
||||||
|
|