1 //
2 // Copyright 2022 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16
17 #include "src/core/tsi/ssl_transport_security_utils.h"
18
19 #include <gmock/gmock.h>
20 #include <gtest/gtest.h>
21 #include <openssl/bio.h>
22 #include <openssl/crypto.h>
23 #include <openssl/evp.h>
24 #include <openssl/ssl.h>
25 #include <openssl/x509.h>
26
27 #include <array>
28 #include <string>
29 #include <vector>
30
31 #include "absl/status/status.h"
32 #include "absl/status/statusor.h"
33 #include "absl/strings/match.h"
34 #include "absl/strings/str_cat.h"
35 #include "absl/strings/string_view.h"
36 #include "src/core/lib/slice/slice.h"
37 #include "src/core/tsi/transport_security.h"
38 #include "src/core/tsi/transport_security_interface.h"
39 #include "src/core/util/load_file.h"
40 #include "test/core/test_util/test_config.h"
41 #include "test/core/tsi/transport_security_test_lib.h"
42
43 namespace grpc_core {
44 namespace testing {
45
46 using ::testing::ContainerEq;
47 using ::testing::NotNull;
48 using ::testing::TestWithParam;
49 using ::testing::ValuesIn;
50
51 const char* kValidCrl = "test/core/tsi/test_creds/crl_data/crls/current.crl";
52 const char* kCrlIssuer = "test/core/tsi/test_creds/crl_data/ca.pem";
53 const char* kModifiedSignature =
54 "test/core/tsi/test_creds/crl_data/bad_crls/invalid_signature.crl";
55 const char* kModifiedContent =
56 "test/core/tsi/test_creds/crl_data/bad_crls/invalid_content.crl";
57 const char* kIntermediateCrl =
58 "test/core/tsi/test_creds/crl_data/crls/intermediate.crl";
59 const char* kIntermediateCrlIssuer =
60 "test/core/tsi/test_creds/crl_data/intermediate_ca.pem";
61 const char* kLeafCert =
62 "test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.pem";
63 const char* kEvilCa = "test/core/tsi/test_creds/crl_data/evil_ca.pem";
64 const char* kCaWithAkid = "test/core/tsi/test_creds/crl_data/ca_with_akid.pem";
65 const char* kCrlWithAkid =
66 "test/core/tsi/test_creds/crl_data/crl_with_akid.crl";
67
68 constexpr absl::string_view kLeafCertPem =
69 "-----BEGIN CERTIFICATE-----\n"
70 "MIICZzCCAdCgAwIBAgIIN18/ctj3wpAwDQYJKoZIhvcNAQELBQAwKjEXMBUGA1UE\n"
71 "ChMOR29vZ2xlIFRFU1RJTkcxDzANBgNVBAMTBnRlc3RDQTAeFw0xNTAxMDEwMDAw\n"
72 "MDBaFw0yNTAxMDEwMDAwMDBaMC8xFzAVBgNVBAoTDkdvb2dsZSBURVNUSU5HMRQw\n"
73 "EgYDVQQDDAt0ZXN0X2NlcnRfMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA\n"
74 "20oOyI+fNCCeHJ3DNjGooPPP43Q6emhVvuWD8ppta582Rgxq/4j1bl9cPHdoCdyy\n"
75 "HsWFVUZzscj2qhClmlBAMEA595OU2NX2d81nSih5dwZWLMRQkEIzyxUR7Vee3eyo\n"
76 "nQD4HSamaevMSv79WTUBCozEGITqWnjYA152KUbA/IsCAwEAAaOBkDCBjTAOBgNV\n"
77 "HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud\n"
78 "EwEB/wQCMAAwGQYDVR0OBBIEECnFWP/UkDrV+SoXra58k64wGwYDVR0jBBQwEoAQ\n"
79 "p7JSbajiTZaIRUDSV1C81jAWBgNVHREEDzANggt0ZXN0X2NlcnRfMTANBgkqhkiG\n"
80 "9w0BAQsFAAOBgQCpJJssfN62T3G5z+5SBB+9KCzXnGxcTHtaTJkb04KLe+19EwhV\n"
81 "yRY4lZadKHjcNS6GCBogd069wNFUVYOU9VI7uUiEPdcTO+VRV5MYW0wjSi1zlkBZ\n"
82 "e8OAfYVeGUMfvThFpJ41f8vZ6GHgg95Lwv+Zh89SL8g1J3RWll9YVG8HWw==\n"
83 "-----END CERTIFICATE-----";
84 constexpr absl::string_view kPrivateKeyPem =
85 "-----BEGIN RSA PRIVATE KEY-----\n"
86 "MIICXQIBAAKBgQDbSg7Ij580IJ4cncM2Maig88/jdDp6aFW+5YPymm1rnzZGDGr/\n"
87 "iPVuX1w8d2gJ3LIexYVVRnOxyPaqEKWaUEAwQDn3k5TY1fZ3zWdKKHl3BlYsxFCQ\n"
88 "QjPLFRHtV57d7KidAPgdJqZp68xK/v1ZNQEKjMQYhOpaeNgDXnYpRsD8iwIDAQAB\n"
89 "AoGAbq4kZApJeo/z/dGK0/GggQxOIylo0puSm7VQMcTL8YP8asKdxrgj2D99WG+U\n"
90 "LVYc+PcM4wuaHWOnTBL24roaitCNhrpIsJfWDkexzHXMj622SYlUcCuwsfjYOEyw\n"
91 "ntoNAnh0o4S+beYAfzT5VHCh4is9G9u+mwKYiGpJXROrYUECQQD4eq4nuGq3mfYJ\n"
92 "B0+md30paDVVCyBsuZTAtnu3MbRjMXy5LLE+vhno5nocvVSTOv3QC7Wk6yAa8/bG\n"
93 "iPT/MWixAkEA4e0zqPGo8tSimVv/1ei8Chyb+YqdSx+Oj5eZpa6X/KB/C1uS1tm6\n"
94 "DTgHW2GUhV4ypqdGH+t8quprJUtFuzqH+wJBAMRiicSg789eouMt4RjrdYPFdela\n"
95 "Gu1zm4rYb10xrqV7Vl0wYoH5U5cMmdSfGvomdLX6mzzWDJDg4ti1JBWRonECQQCD\n"
96 "Umtq0j1QGQUCe5Vz8zoJ7qNDI61WU1t8X7Rxt9CkiW4PXgU2WYxpzp2IImpAM4bh\n"
97 "k+2Q9EKc3nG1VdGMiPMtAkARkQF+pL8SBrUoh8G8glCam0brh3tW/cdW8L4UGTNF\n"
98 "2ZKC/LFH6DQBjYs3UXjvMGJxz4k9LysyY6o2Nf1JG6/L\n"
99 "-----END RSA PRIVATE KEY-----";
100 constexpr absl::string_view kEcPrivateKeyPem =
101 "-----BEGIN PRIVATE KEY-----\n"
102 "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgOM7iHjJw/N6n8HtM\n"
103 "bVVVRhEYXoHFF+MSaTYQxOWM1p+hRANCAASMeWC+pIJAm/1fn0Wz3yyWGQzVPm9v\n"
104 "LCQo5JvK0a2t+Aa6d3AtLRwo6vh1VbJ8zFZxxIwyJNis3n1jRMWal7Vo\n"
105 "-----END PRIVATE KEY-----";
106 constexpr absl::string_view kRsaPrivateKeyPem =
107 "-----BEGIN PRIVATE KEY-----\n"
108 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCqyrzsrS8mWQwz\n"
109 "VFudLgte2kJX/pZ3KqJQBtMrkLxpgyJJU8mVBB+quDwnfH6PnQk+sF9omTlGAAxR\n"
110 "JzSEe8BS1Wnxld6rr6o/381VVW/2b+2kSifCtx/gVwCQQLnf4dbjfGW7ZClu1URG\n"
111 "ks2lK9T9BIh9SMSnYLEKEC8sWW1LibzJxHapFjIP88GrqgpPNGdEK7ABMsqHASuU\n"
112 "MvQ+0w7sdX2Pdu+Gm8ChxawvLiQVSh9ehtJiPl/jWbcZ6K3caTUxMf9tn8ky0DMK\n"
113 "xmHHmmxu19ehegzi7KSzjHmJ4QAtrtDaB/+ud0ZJ5l+pwfk7DL1TRjFYOyPVpExb\n"
114 "nLcQQxzfAgMBAAECggEATc+kFygnzQ7Q0iniu0+Y+pPxmelxX8VawZ76YmTEkkWe\n"
115 "P04fDvcb/kmFjm/XsVJYPelY7mywfUXUVrzH3nwK+TIl3FztX8beh89M203bfqkr\n"
116 "2ae3Sazopuq8ZPw4MtnPb0DjkGZnwgkD3CtR6ah4lvWTwZB/l8ojnnQVKd1sP/c4\n"
117 "LQSlVm2aiD6+D/NxbyJ4AOMWgUFrWBKqnV30mTZ5Lwv8fjznopgWMfsUl+Nx/HzV\n"
118 "J1ZRtLE+Z9euFJOUeMSEG1+YFxXAA3XuRdY/4PpzvK8Rlxb2rtJvt+dHojQCz66U\n"
119 "6PcspPt6MOcUFnpamJ513oKDwmdR8puRg7/bk2VKYQKBgQDVHz/NQaS8czTCkx8p\n"
120 "jXmZcGv1DH+T3SWeNI871BXQbSSKuqrOXDfzfrIFK7uXAWtIAOKLVaZOcSEDk+Rj\n"
121 "kbifkqRZuMy+iLdBLj/Gw3xVfkOb3m4g7OqWc7RBlfTCTCCUTVPiQkKZLGJ/eIJx\n"
122 "sGvdyJP6f12MODqUobgQC2UniQKBgQDNJ0vDHdqRQYI4zz1gAYDaCruRjtwWvRSL\n"
123 "tcBFlcVnMXjfZpxOKnGU1xEO4wDhEXra9yLwi/6IwGFtk0Zi2C9rYptniiURReuX\n"
124 "TkNNf1JmyZhYuSXD9Pg1Ssa/t3ZtauFzK1rHL1R1UB/pnD8xxuB4aAl+kZKi1Ie+\n"
125 "E6IXHuyfJwKBgQDOac+viq503tfww/Fgm2d0lw/YbNx7Z6rxiVJYzda64ZqMyrJ3\n"
126 "35VJPiJJI8wyOuue90xzSuch/ivNfUWssgwwcSTAyV10BJIIjTSz283mN75fjpT3\n"
127 "Sr8CLNoe05AVRwoe2K4v66D5HaXgc+VTG129lnDMIuOF1UfXgLH2yDKWkQKBgQC4\n"
128 "ajqQiqWPLXQB3UkupCtP1ZYGooT1a8KsVBUieB+bQ72EFJktKrovMaUD3MtNhokJ\n"
129 "jF68HRwRkd4CwgDjmbIGtf08ddIcVN4ShSe64lkQTOfF2ak5HVyBi1ZdwG2Urh87\n"
130 "iB1yL/mb+wq01N95v2zIz7y5KeLGvIXJN5zda88IwQKBgFLk68ZMEDMVCLpdvywb\n"
131 "bRC3rOl2CTHfXFD6RY0SIv4De+w7iQkYOn+4NIyG+hMfGfj5ooOO5gbsDyGagZqV\n"
132 "OLc6cW5HnwN+PERByn+hSoyGq8IOk8Vn5DeV7PoqIlbbdfUmTUx69EtzvViZoa+O\n"
133 "O2XDljPcjgc+pobqzebPIR6R\n"
134 "-----END PRIVATE KEY-----";
135
136 constexpr std::size_t kMaxPlaintextBytesPerTlsRecord = 16384;
137 constexpr std::size_t kTlsRecordOverhead = 100;
138 constexpr std::array<std::size_t, 4> kTestPlainTextSizeArray = {
139 1, 1000, kMaxPlaintextBytesPerTlsRecord,
140 kMaxPlaintextBytesPerTlsRecord + 1000};
141
142 struct FrameProtectorUtilTestData {
143 std::size_t plaintext_size;
144 std::size_t expected_encrypted_bytes_size;
145 };
146
147 // Generates the testing data |FrameProtectorUtilTestData|.
GenerateTestData()148 std::vector<FrameProtectorUtilTestData> GenerateTestData() {
149 std::vector<FrameProtectorUtilTestData> data;
150 for (std::size_t plaintext_size : kTestPlainTextSizeArray) {
151 std::size_t expected_size = plaintext_size + kTlsRecordOverhead;
152 if (plaintext_size > kMaxPlaintextBytesPerTlsRecord) {
153 expected_size = kMaxPlaintextBytesPerTlsRecord + kTlsRecordOverhead;
154 }
155 data.push_back({plaintext_size, expected_size});
156 }
157 return data;
158 }
159
160 // TODO(gtcooke94) - Tests current failing with OpenSSL 1.1.1 and 3.0. Fix and
161 // re-enable.
162 #ifdef OPENSSL_IS_BORINGSSL
163 class FlowTest : public TestWithParam<FrameProtectorUtilTestData> {
164 protected:
SetUpTestSuite()165 static void SetUpTestSuite() {
166 #if OPENSSL_VERSION_NUMBER >= 0x10100000
167 OPENSSL_init_ssl(/*opts=*/0, /*settings=*/nullptr);
168 #else
169 SSL_library_init();
170 SSL_load_error_strings();
171 OpenSSL_add_all_algorithms();
172 #endif
173 }
174
175 // Used for debugging.
VerifySucceed(X509_STORE_CTX *,void *)176 static int VerifySucceed(X509_STORE_CTX* /*store_ctx*/, void* /*arg*/) {
177 return 1;
178 }
179
180 // Drives two SSL objects to finish a complete handshake with the hard-coded
181 // credentials and outputs those two SSL objects to `out_client` and
182 // `out_server` respectively.
DoHandshake(SSL ** out_client,SSL ** out_server)183 static absl::Status DoHandshake(SSL** out_client, SSL** out_server) {
184 if (out_client == nullptr || out_server == nullptr) {
185 return absl::InvalidArgumentError(
186 "Client and server SSL object must not be null.");
187 }
188
189 // Create the context objects.
190 SSL_CTX* client_ctx = nullptr;
191 SSL_CTX* server_ctx = nullptr;
192 #if OPENSSL_VERSION_NUMBER >= 0x10100000
193 client_ctx = SSL_CTX_new(TLS_method());
194 server_ctx = SSL_CTX_new(TLS_method());
195 #else
196 client_ctx = SSL_CTX_new(TLSv1_2_method());
197 server_ctx = SSL_CTX_new(TLSv1_2_method());
198 #endif
199
200 BIO* client_cert_bio(
201 BIO_new_mem_buf(kLeafCertPem.data(), kLeafCertPem.size()));
202 X509* client_cert = PEM_read_bio_X509(client_cert_bio, /*x=*/nullptr,
203 /*cb=*/nullptr, /*u=*/nullptr);
204 BIO* client_key_bio(
205 BIO_new_mem_buf(kPrivateKeyPem.data(), kPrivateKeyPem.size()));
206 EVP_PKEY* client_key =
207 PEM_read_bio_PrivateKey(client_key_bio, /*x=*/nullptr,
208 /*cb=*/nullptr, /*u=*/nullptr);
209
210 BIO* server_cert_bio(
211 BIO_new_mem_buf(kLeafCertPem.data(), kLeafCertPem.size()));
212 X509* server_cert = PEM_read_bio_X509(server_cert_bio, /*x=*/nullptr,
213 /*cb=*/nullptr, /*u=*/nullptr);
214 BIO* server_key_bio(
215 BIO_new_mem_buf(kPrivateKeyPem.data(), kPrivateKeyPem.size()));
216 EVP_PKEY* server_key =
217 PEM_read_bio_PrivateKey(server_key_bio, /*x=*/nullptr,
218 /*cb=*/nullptr, /*u=*/nullptr);
219
220 // Set both client and server certificate and private key.
221 SSL_CTX_use_certificate(client_ctx, client_cert);
222 SSL_CTX_use_PrivateKey(client_ctx, client_key);
223 SSL_CTX_use_certificate(server_ctx, server_cert);
224 SSL_CTX_use_PrivateKey(server_ctx, server_key);
225
226 EVP_PKEY_free(client_key);
227 BIO_free(client_key_bio);
228 X509_free(client_cert);
229 BIO_free(client_cert_bio);
230
231 EVP_PKEY_free(server_key);
232 BIO_free(server_key_bio);
233 X509_free(server_cert);
234 BIO_free(server_cert_bio);
235
236 // Configure both client and server to request (and accept any)
237 // certificate but fail if none is sent.
238 SSL_CTX_set_verify(client_ctx,
239 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
240 /*callback=*/nullptr);
241 SSL_CTX_set_cert_verify_callback(client_ctx, VerifySucceed,
242 /*arg=*/nullptr);
243 SSL_CTX_set_verify(server_ctx,
244 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
245 /*callback=*/nullptr);
246 SSL_CTX_set_cert_verify_callback(server_ctx, VerifySucceed,
247 /*arg=*/nullptr);
248
249 // Turns off the session caching.
250 SSL_CTX_set_session_cache_mode(client_ctx, SSL_SESS_CACHE_OFF);
251 SSL_CTX_set_session_cache_mode(server_ctx, SSL_SESS_CACHE_OFF);
252
253 #if OPENSSL_VERSION_NUMBER >= 0x10100000
254 #if defined(TLS1_3_VERSION)
255 // Set both the min and max TLS version to 1.3
256 SSL_CTX_set_min_proto_version(client_ctx, TLS1_3_VERSION);
257 SSL_CTX_set_min_proto_version(server_ctx, TLS1_3_VERSION);
258 SSL_CTX_set_max_proto_version(client_ctx, TLS1_3_VERSION);
259 SSL_CTX_set_max_proto_version(server_ctx, TLS1_3_VERSION);
260 #else
261 SSL_CTX_set_min_proto_version(client_ctx, TLS1_2_VERSION);
262 SSL_CTX_set_min_proto_version(server_ctx, TLS1_2_VERSION);
263 SSL_CTX_set_max_proto_version(client_ctx, TLS1_2_VERSION);
264 SSL_CTX_set_max_proto_version(server_ctx, TLS1_2_VERSION);
265 #endif
266 #endif
267
268 // Create client and server connection objects and configure their BIOs.
269 SSL* client(SSL_new(client_ctx));
270 SSL* server(SSL_new(server_ctx));
271
272 SSL_CTX_free(client_ctx);
273 SSL_CTX_free(server_ctx);
274
275 // Turns off issuance of session tickets by servers.
276 SSL_set_options(client, SSL_OP_NO_TICKET);
277 SSL_set_options(server, SSL_OP_NO_TICKET);
278
279 SSL_set_connect_state(client);
280 SSL_set_accept_state(server);
281 BIO* bio1;
282 BIO* bio2;
283 BIO_new_bio_pair(&bio1, /*writebuf1=*/0, &bio2, /*writebuf2=*/0);
284 SSL_set_bio(client, bio1, bio1);
285 SSL_set_bio(server, bio2, bio2);
286
287 // Drive both the client and server handshake operations to completion.
288 while (true) {
289 int client_ret = SSL_do_handshake(client);
290 int client_err = SSL_get_error(client, client_ret);
291 if (client_err != SSL_ERROR_NONE && client_err != SSL_ERROR_WANT_READ &&
292 client_err != SSL_ERROR_WANT_WRITE) {
293 return absl::InternalError(absl::StrCat("Client error:", client_err));
294 }
295
296 int server_ret = SSL_do_handshake(server);
297 int server_err = SSL_get_error(server, server_ret);
298 if (server_err != SSL_ERROR_NONE && server_err != SSL_ERROR_WANT_READ &&
299 server_err != SSL_ERROR_WANT_WRITE) {
300 return absl::InternalError(absl::StrCat("Server error:", server_err));
301 }
302 if (client_ret == 1 && server_ret == 1) {
303 break;
304 }
305 }
306
307 *out_client = client;
308 *out_server = server;
309
310 return absl::OkStatus();
311 }
312
CalculateRecordSizeFromHeader(uint8_t fourth_header_byte,uint8_t fifth_header_byte)313 static std::size_t CalculateRecordSizeFromHeader(uint8_t fourth_header_byte,
314 uint8_t fifth_header_byte) {
315 return (static_cast<int>(fourth_header_byte & 0xff) << 8) +
316 static_cast<int>(fifth_header_byte & 0xff);
317 }
318
SetUp()319 void SetUp() override {
320 ASSERT_EQ(DoHandshake(&client_ssl, &server_ssl), absl::OkStatus());
321
322 ASSERT_THAT(client_ssl, NotNull());
323 ASSERT_THAT(server_ssl, NotNull());
324
325 BIO* client_ssl_bio = nullptr;
326 ASSERT_EQ(BIO_new_bio_pair(&client_bio, /*writebuf1=*/0, &client_ssl_bio,
327 /*writebuf2=*/0),
328 1);
329 SSL_set_bio(client_ssl, client_ssl_bio, client_ssl_bio);
330
331 BIO* server_ssl_bio = nullptr;
332 ASSERT_EQ(BIO_new_bio_pair(&server_bio, /*writebuf1=*/0, &server_ssl_bio,
333 /*writebuf2=*/0),
334 1);
335 SSL_set_bio(server_ssl, server_ssl_bio, server_ssl_bio);
336
337 client_buffer_offset = 0;
338 client_buffer.resize(kMaxPlaintextBytesPerTlsRecord);
339 server_buffer_offset = 0;
340 server_buffer.resize(kMaxPlaintextBytesPerTlsRecord);
341 }
342
TearDown()343 void TearDown() override {
344 BIO_free(client_bio);
345 SSL_free(client_ssl);
346 BIO_free(server_bio);
347 SSL_free(server_ssl);
348 }
349
350 SSL* client_ssl;
351 BIO* client_bio;
352 std::vector<uint8_t> client_buffer;
353 std::size_t client_buffer_offset;
354
355 SSL* server_ssl;
356 BIO* server_bio;
357 std::vector<uint8_t> server_buffer;
358 std::size_t server_buffer_offset;
359 };
360
361 // This test consists of two tests, namely for each combination of parameters,
362 // we create a message on one side, protect it (encrypt it), and send it to
363 // the other side for unprotecting (decrypting).
TEST_P(FlowTest,ClientMessageToServerCanBeProtectedAndUnprotectedSuccessfully)364 TEST_P(FlowTest,
365 ClientMessageToServerCanBeProtectedAndUnprotectedSuccessfully) {
366 std::vector<uint8_t> unprotected_bytes(GetParam().plaintext_size, 'a');
367 std::size_t unprotected_bytes_size = unprotected_bytes.size();
368
369 std::vector<uint8_t> protected_output_frames(
370 GetParam().expected_encrypted_bytes_size);
371 std::size_t protected_output_frames_size = protected_output_frames.size();
372
373 EXPECT_EQ(SslProtectorProtect(unprotected_bytes.data(), client_buffer.size(),
374 client_buffer_offset, client_buffer.data(),
375 client_ssl, client_bio, &unprotected_bytes_size,
376 protected_output_frames.data(),
377 &protected_output_frames_size),
378 tsi_result::TSI_OK);
379
380 // If |GetParam().plaintext_size| is larger than the inner client_buffer
381 // size (kMaxPlaintextBytesPerTlsRecord), then |Protect| will copy up to
382 // |kMaxPlaintextBytesPerTlsRecord| bytes and output the protected
383 // frame. Otherwise we need to manually flush the copied data in order
384 // to get the protected frame.
385 if (GetParam().plaintext_size >= kMaxPlaintextBytesPerTlsRecord) {
386 EXPECT_EQ(unprotected_bytes_size, kMaxPlaintextBytesPerTlsRecord);
387 } else {
388 EXPECT_EQ(unprotected_bytes_size, GetParam().plaintext_size);
389 EXPECT_EQ(protected_output_frames_size, 0);
390 protected_output_frames_size = protected_output_frames.size();
391
392 std::size_t still_pending_size = 0;
393 EXPECT_EQ(SslProtectorProtectFlush(
394 client_buffer_offset, client_buffer.data(), client_ssl,
395 client_bio, protected_output_frames.data(),
396 &protected_output_frames_size, &still_pending_size),
397 tsi_result::TSI_OK);
398 EXPECT_EQ(still_pending_size, 0);
399 }
400
401 // The first three bytes are always 0x17, 0x03, 0x03.
402 EXPECT_EQ(protected_output_frames[0], '\x17');
403 EXPECT_EQ(protected_output_frames[1], '\x03');
404 EXPECT_EQ(protected_output_frames[2], '\x03');
405 // The next two bytes are the size of the record, which is 5 bytes less
406 // than the size of the whole frame.
407 EXPECT_EQ(CalculateRecordSizeFromHeader(protected_output_frames[3],
408 protected_output_frames[4]),
409 protected_output_frames_size - 5);
410
411 std::vector<uint8_t> unprotected_output_bytes(GetParam().plaintext_size);
412 std::size_t unprotected_output_bytes_size = unprotected_output_bytes.size();
413
414 // This frame should be decrypted by peer correctly.
415 EXPECT_EQ(SslProtectorUnprotect(protected_output_frames.data(), server_ssl,
416 server_bio, &protected_output_frames_size,
417 unprotected_output_bytes.data(),
418 &unprotected_output_bytes_size),
419 tsi_result::TSI_OK);
420 EXPECT_EQ(unprotected_output_bytes_size, unprotected_bytes_size);
421 unprotected_output_bytes.resize(unprotected_output_bytes_size);
422 unprotected_bytes.resize(unprotected_bytes_size);
423 EXPECT_THAT(unprotected_output_bytes, ContainerEq(unprotected_bytes));
424 }
425
TEST_P(FlowTest,ServerMessageToClientCanBeProtectedAndUnprotectedSuccessfully)426 TEST_P(FlowTest,
427 ServerMessageToClientCanBeProtectedAndUnprotectedSuccessfully) {
428 std::vector<uint8_t> unprotected_bytes(GetParam().plaintext_size, 'a');
429 std::size_t unprotected_bytes_size = unprotected_bytes.size();
430
431 std::vector<uint8_t> protected_output_frames(
432 GetParam().expected_encrypted_bytes_size);
433 std::size_t protected_output_frames_size = protected_output_frames.size();
434
435 EXPECT_EQ(SslProtectorProtect(unprotected_bytes.data(), server_buffer.size(),
436 server_buffer_offset, server_buffer.data(),
437 server_ssl, server_bio, &unprotected_bytes_size,
438 protected_output_frames.data(),
439 &protected_output_frames_size),
440 tsi_result::TSI_OK);
441
442 // If |GetParam().plaintext_size| is larger than the inner server_buffer
443 // size (kMaxPlaintextBytesPerTlsRecord), then |Protect| will copy up to
444 // |kMaxPlaintextBytesPerTlsRecord| bytes and output the protected
445 // frame. Otherwise we need to manually flush the copied data in order
446 // to get the protected frame.
447 if (GetParam().plaintext_size >= kMaxPlaintextBytesPerTlsRecord) {
448 EXPECT_EQ(unprotected_bytes_size, kMaxPlaintextBytesPerTlsRecord);
449 } else {
450 EXPECT_EQ(unprotected_bytes_size, GetParam().plaintext_size);
451 EXPECT_EQ(protected_output_frames_size, 0);
452 protected_output_frames_size = protected_output_frames.size();
453
454 std::size_t still_pending_size = 0;
455 EXPECT_EQ(SslProtectorProtectFlush(
456 server_buffer_offset, server_buffer.data(), server_ssl,
457 server_bio, protected_output_frames.data(),
458 &protected_output_frames_size, &still_pending_size),
459 tsi_result::TSI_OK);
460 EXPECT_EQ(still_pending_size, 0);
461 }
462
463 // The first three bytes are always 0x17, 0x03, 0x03.
464 EXPECT_EQ(protected_output_frames[0], '\x17');
465 EXPECT_EQ(protected_output_frames[1], '\x03');
466 EXPECT_EQ(protected_output_frames[2], '\x03');
467 // The next two bytes are the size of the record, which is 5 bytes less
468 // than the size of the whole frame.
469 EXPECT_EQ(CalculateRecordSizeFromHeader(protected_output_frames[3],
470 protected_output_frames[4]),
471 protected_output_frames_size - 5);
472
473 std::vector<uint8_t> unprotected_output_bytes(GetParam().plaintext_size);
474 std::size_t unprotected_output_bytes_size = unprotected_output_bytes.size();
475
476 // This frame should be decrypted by peer correctly.
477 EXPECT_EQ(SslProtectorUnprotect(protected_output_frames.data(), client_ssl,
478 client_bio, &protected_output_frames_size,
479 unprotected_output_bytes.data(),
480 &unprotected_output_bytes_size),
481 tsi_result::TSI_OK);
482 EXPECT_EQ(unprotected_output_bytes_size, unprotected_bytes_size);
483 unprotected_output_bytes.resize(unprotected_output_bytes_size);
484 unprotected_bytes.resize(unprotected_bytes_size);
485 EXPECT_THAT(unprotected_output_bytes, ContainerEq(unprotected_bytes));
486 }
487
488 INSTANTIATE_TEST_SUITE_P(FrameProtectorUtil, FlowTest,
489 ValuesIn(GenerateTestData()));
490
491 #endif // OPENSSL_IS_BORINGSSL
492
493 class CrlUtils : public ::testing::Test {
494 public:
SetUpTestSuite()495 static void SetUpTestSuite() {
496 #if OPENSSL_VERSION_NUMBER >= 0x10100000
497 OPENSSL_init_ssl(/*opts=*/0, /*settings=*/nullptr);
498 #else
499 SSL_library_init();
500 SSL_load_error_strings();
501 OpenSSL_add_all_algorithms();
502 #endif
503 }
504
SetUp()505 void SetUp() override {
506 absl::StatusOr<Slice> root_crl = LoadFile(kValidCrl, false);
507 ASSERT_EQ(root_crl.status(), absl::OkStatus()) << root_crl.status();
508 root_crl_ = ReadCrl(root_crl->as_string_view());
509 absl::StatusOr<Slice> intermediate_crl = LoadFile(kIntermediateCrl, false);
510 ASSERT_EQ(intermediate_crl.status(), absl::OkStatus())
511 << intermediate_crl.status();
512 intermediate_crl_ = ReadCrl(intermediate_crl->as_string_view());
513 absl::StatusOr<Slice> invalid_signature_crl =
514 LoadFile(kModifiedSignature, false);
515 ASSERT_EQ(invalid_signature_crl.status(), absl::OkStatus())
516 << invalid_signature_crl.status();
517 invalid_signature_crl_ = ReadCrl(invalid_signature_crl->as_string_view());
518 absl::StatusOr<Slice> akid_crl = LoadFile(kCrlWithAkid, false);
519 ASSERT_EQ(akid_crl.status(), absl::OkStatus()) << akid_crl.status();
520 akid_crl_ = ReadCrl(akid_crl->as_string_view());
521
522 absl::StatusOr<Slice> root_ca = LoadFile(kCrlIssuer, false);
523 ASSERT_EQ(root_ca.status(), absl::OkStatus());
524 root_ca_ = ReadPemCert(root_ca->as_string_view());
525 absl::StatusOr<Slice> intermediate_ca =
526 LoadFile(kIntermediateCrlIssuer, false);
527 ASSERT_EQ(intermediate_ca.status(), absl::OkStatus());
528 intermediate_ca_ = ReadPemCert(intermediate_ca->as_string_view());
529 absl::StatusOr<Slice> leaf_cert = LoadFile(kLeafCert, false);
530 ASSERT_EQ(leaf_cert.status(), absl::OkStatus());
531 leaf_cert_ = ReadPemCert(leaf_cert->as_string_view());
532 absl::StatusOr<Slice> evil_ca = LoadFile(kEvilCa, false);
533 ASSERT_EQ(evil_ca.status(), absl::OkStatus());
534 evil_ca_ = ReadPemCert(evil_ca->as_string_view());
535 absl::StatusOr<Slice> ca_with_akid = LoadFile(kCaWithAkid, false);
536 ASSERT_EQ(ca_with_akid.status(), absl::OkStatus());
537 ca_with_akid_ = ReadPemCert(ca_with_akid->as_string_view());
538 }
539
TearDown()540 void TearDown() override {
541 X509_CRL_free(root_crl_);
542 X509_CRL_free(intermediate_crl_);
543 X509_CRL_free(invalid_signature_crl_);
544 X509_CRL_free(akid_crl_);
545 X509_free(root_ca_);
546 X509_free(intermediate_ca_);
547 X509_free(leaf_cert_);
548 X509_free(evil_ca_);
549 X509_free(ca_with_akid_);
550 }
551
552 protected:
553 X509_CRL* root_crl_;
554 X509_CRL* intermediate_crl_;
555 X509_CRL* invalid_signature_crl_;
556 X509_CRL* akid_crl_;
557 X509* root_ca_;
558 X509* intermediate_ca_;
559 X509* leaf_cert_;
560 X509* evil_ca_;
561 X509* ca_with_akid_;
562 };
563
TEST_F(CrlUtils,VerifySignatureValid)564 TEST_F(CrlUtils, VerifySignatureValid) {
565 EXPECT_TRUE(VerifyCrlSignature(root_crl_, root_ca_));
566 }
567
TEST_F(CrlUtils,VerifySignatureIntermediateValid)568 TEST_F(CrlUtils, VerifySignatureIntermediateValid) {
569 EXPECT_TRUE(VerifyCrlSignature(intermediate_crl_, intermediate_ca_));
570 }
571
TEST_F(CrlUtils,VerifySignatureModifiedSignature)572 TEST_F(CrlUtils, VerifySignatureModifiedSignature) {
573 EXPECT_FALSE(VerifyCrlSignature(invalid_signature_crl_, root_ca_));
574 }
575
TEST_F(CrlUtils,VerifySignatureModifiedContent)576 TEST_F(CrlUtils, VerifySignatureModifiedContent) {
577 absl::StatusOr<Slice> crl_slice = LoadFile(kModifiedContent, false);
578 ASSERT_EQ(crl_slice.status(), absl::OkStatus()) << crl_slice.status();
579 X509_CRL* crl = ReadCrl(crl_slice->as_string_view());
580 EXPECT_EQ(crl, nullptr);
581 }
582
TEST_F(CrlUtils,VerifySignatureWrongIssuer)583 TEST_F(CrlUtils, VerifySignatureWrongIssuer) {
584 EXPECT_FALSE(VerifyCrlSignature(root_crl_, intermediate_ca_));
585 }
586
TEST_F(CrlUtils,VerifySignatureWrongIssuer2)587 TEST_F(CrlUtils, VerifySignatureWrongIssuer2) {
588 EXPECT_FALSE(VerifyCrlSignature(intermediate_crl_, root_ca_));
589 }
590
TEST_F(CrlUtils,VerifySignatureNullCrl)591 TEST_F(CrlUtils, VerifySignatureNullCrl) {
592 EXPECT_FALSE(VerifyCrlSignature(nullptr, root_ca_));
593 }
594
TEST_F(CrlUtils,VerifySignatureNullCert)595 TEST_F(CrlUtils, VerifySignatureNullCert) {
596 EXPECT_FALSE(VerifyCrlSignature(intermediate_crl_, nullptr));
597 }
598
TEST_F(CrlUtils,VerifySignatureNullCrlAndCert)599 TEST_F(CrlUtils, VerifySignatureNullCrlAndCert) {
600 EXPECT_FALSE(VerifyCrlSignature(nullptr, nullptr));
601 }
602
TEST_F(CrlUtils,VerifyIssuerNamesMatch)603 TEST_F(CrlUtils, VerifyIssuerNamesMatch) {
604 EXPECT_TRUE(VerifyCrlCertIssuerNamesMatch(root_crl_, root_ca_));
605 }
606
TEST_F(CrlUtils,VerifyIssuerNamesDontMatch)607 TEST_F(CrlUtils, VerifyIssuerNamesDontMatch) {
608 EXPECT_FALSE(VerifyCrlCertIssuerNamesMatch(root_crl_, leaf_cert_));
609 }
610
TEST_F(CrlUtils,DuplicatedIssuerNamePassesButSignatureCheckFails)611 TEST_F(CrlUtils, DuplicatedIssuerNamePassesButSignatureCheckFails) {
612 // The issuer names will match, but it should fail a signature check
613 EXPECT_TRUE(VerifyCrlCertIssuerNamesMatch(root_crl_, evil_ca_));
614 EXPECT_FALSE(VerifyCrlSignature(root_crl_, evil_ca_));
615 }
616
TEST_F(CrlUtils,VerifyIssuerNameNullCrl)617 TEST_F(CrlUtils, VerifyIssuerNameNullCrl) {
618 EXPECT_FALSE(VerifyCrlCertIssuerNamesMatch(nullptr, root_ca_));
619 }
620
TEST_F(CrlUtils,VerifyIssuerNameNullCert)621 TEST_F(CrlUtils, VerifyIssuerNameNullCert) {
622 EXPECT_FALSE(VerifyCrlCertIssuerNamesMatch(intermediate_crl_, nullptr));
623 }
624
TEST_F(CrlUtils,VerifyIssuerNameNullCrlAndCert)625 TEST_F(CrlUtils, VerifyIssuerNameNullCrlAndCert) {
626 EXPECT_FALSE(VerifyCrlCertIssuerNamesMatch(nullptr, nullptr));
627 }
628
TEST_F(CrlUtils,HasCrlSignBitExists)629 TEST_F(CrlUtils, HasCrlSignBitExists) { EXPECT_TRUE(HasCrlSignBit(root_ca_)); }
630
TEST_F(CrlUtils,HasCrlSignBitMissing)631 TEST_F(CrlUtils, HasCrlSignBitMissing) {
632 EXPECT_FALSE(HasCrlSignBit(leaf_cert_));
633 }
634
TEST_F(CrlUtils,HasCrlSignBitNullCert)635 TEST_F(CrlUtils, HasCrlSignBitNullCert) {
636 EXPECT_FALSE(HasCrlSignBit(nullptr));
637 }
638
TEST_F(CrlUtils,IssuerFromIntermediateCert)639 TEST_F(CrlUtils, IssuerFromIntermediateCert) {
640 auto issuer = IssuerFromCert(intermediate_ca_);
641 // Build the known name for comparison
642 unsigned char* buf = nullptr;
643 X509_NAME* expected_issuer_name = X509_NAME_new();
644 ASSERT_TRUE(
645 X509_NAME_add_entry_by_txt(expected_issuer_name, "C", MBSTRING_ASC,
646 (const unsigned char*)"AU", -1, -1, 0));
647 ASSERT_TRUE(X509_NAME_add_entry_by_txt(
648 expected_issuer_name, "ST", MBSTRING_ASC,
649 (const unsigned char*)"Some-State", -1, -1, 0));
650 ASSERT_TRUE(X509_NAME_add_entry_by_txt(
651 expected_issuer_name, "O", MBSTRING_ASC,
652 (const unsigned char*)"Internet Widgits Pty Ltd", -1, -1, 0));
653 ASSERT_TRUE(
654 X509_NAME_add_entry_by_txt(expected_issuer_name, "CN", MBSTRING_ASC,
655 (const unsigned char*)"testca", -1, -1, 0));
656 int len = i2d_X509_NAME(expected_issuer_name, &buf);
657 std::string expected_issuer_name_der(reinterpret_cast<char const*>(buf), len);
658 OPENSSL_free(buf);
659 X509_NAME_free(expected_issuer_name);
660 ASSERT_EQ(issuer.status(), absl::OkStatus());
661 EXPECT_EQ(*issuer, expected_issuer_name_der);
662 }
663
TEST_F(CrlUtils,IssuerFromLeaf)664 TEST_F(CrlUtils, IssuerFromLeaf) {
665 auto issuer = IssuerFromCert(leaf_cert_);
666 // Build the known name for comparison
667 unsigned char* buf = nullptr;
668 X509_NAME* expected_issuer_name = X509_NAME_new();
669 ASSERT_TRUE(X509_NAME_add_entry_by_txt(
670 expected_issuer_name, "CN", MBSTRING_ASC,
671 (const unsigned char*)"intermediatecert.example.com", -1, -1, 0));
672 int len = i2d_X509_NAME(expected_issuer_name, &buf);
673 std::string expected_issuer_name_der(reinterpret_cast<char const*>(buf), len);
674 OPENSSL_free(buf);
675 X509_NAME_free(expected_issuer_name);
676 ASSERT_EQ(issuer.status(), absl::OkStatus());
677 EXPECT_EQ(*issuer, expected_issuer_name_der);
678 }
679
TEST_F(CrlUtils,IssuerFromCertNull)680 TEST_F(CrlUtils, IssuerFromCertNull) {
681 auto issuer = IssuerFromCert(nullptr);
682 EXPECT_EQ(issuer.status().code(), absl::StatusCode::kInvalidArgument);
683 }
684
TEST_F(CrlUtils,CertCrlAkidValid)685 TEST_F(CrlUtils, CertCrlAkidValid) {
686 auto akid = AkidFromCertificate(ca_with_akid_);
687 EXPECT_EQ(akid.status(), absl::OkStatus());
688 auto crl_akid = AkidFromCrl(akid_crl_);
689 EXPECT_EQ(crl_akid.status(), absl::OkStatus());
690 EXPECT_NE(*akid, "");
691 // It's easiest to compare that these two pull the same value, it's very
692 // difficult to create the known AKID value as a test constant, so we just
693 // check that they are not empty and that they are the same.
694 EXPECT_EQ(*akid, *crl_akid);
695 }
696
TEST_F(CrlUtils,CertNoAkid)697 TEST_F(CrlUtils, CertNoAkid) {
698 auto akid = AkidFromCertificate(root_ca_);
699 EXPECT_EQ(akid.status().code(), absl::StatusCode::kInvalidArgument);
700 }
701
TEST_F(CrlUtils,CrlNoAkid)702 TEST_F(CrlUtils, CrlNoAkid) {
703 auto akid = AkidFromCrl(root_crl_);
704 EXPECT_EQ(akid.status().code(), absl::StatusCode::kInvalidArgument);
705 }
706
TEST_F(CrlUtils,CertAkidNullptr)707 TEST_F(CrlUtils, CertAkidNullptr) {
708 auto akid = AkidFromCertificate(nullptr);
709 EXPECT_EQ(akid.status().code(), absl::StatusCode::kInvalidArgument);
710 }
711
TEST_F(CrlUtils,CrlAkidNullptr)712 TEST_F(CrlUtils, CrlAkidNullptr) {
713 auto akid = AkidFromCrl(nullptr);
714 EXPECT_EQ(akid.status().code(), absl::StatusCode::kInvalidArgument);
715 }
716
TEST(ParsePemCertificateChainTest,EmptyPem)717 TEST(ParsePemCertificateChainTest, EmptyPem) {
718 EXPECT_EQ(ParsePemCertificateChain(/*cert_chain_pem=*/"").status(),
719 absl::InvalidArgumentError("Cert chain PEM is empty."));
720 }
721
TEST(ParsePemCertificateChainTest,InvalidPem)722 TEST(ParsePemCertificateChainTest, InvalidPem) {
723 EXPECT_EQ(ParsePemCertificateChain("invalid-pem").status(),
724 absl::NotFoundError("No certificates found."));
725 }
726
TEST(ParsePemCertificateChainTest,PartialPem)727 TEST(ParsePemCertificateChainTest, PartialPem) {
728 std::string pem(kLeafCertPem);
729 EXPECT_EQ(ParsePemCertificateChain(pem.substr(0, pem.length() / 2)).status(),
730 absl::FailedPreconditionError("Invalid PEM."));
731 }
732
TEST(ParsePemCertificateChainTest,SingleCertSuccess)733 TEST(ParsePemCertificateChainTest, SingleCertSuccess) {
734 absl::StatusOr<std::vector<X509*>> certs =
735 ParsePemCertificateChain(kLeafCertPem);
736 EXPECT_EQ(certs.status(), absl::OkStatus());
737 EXPECT_EQ(certs->size(), 1);
738 EXPECT_NE(certs->at(0), nullptr);
739 X509_free(certs->at(0));
740 }
741
TEST(ParsePemCertificateChainTest,MultipleCertFailure)742 TEST(ParsePemCertificateChainTest, MultipleCertFailure) {
743 EXPECT_EQ(ParsePemCertificateChain(absl::StrCat(kLeafCertPem, kLeafCertPem))
744 .status(),
745 absl::FailedPreconditionError("Invalid PEM."));
746 }
747
TEST(ParsePemCertificateChainTest,MultipleCertSuccess)748 TEST(ParsePemCertificateChainTest, MultipleCertSuccess) {
749 absl::StatusOr<std::vector<X509*>> certs =
750 ParsePemCertificateChain(absl::StrCat(kLeafCertPem, "\n", kLeafCertPem));
751 EXPECT_EQ(certs.status(), absl::OkStatus());
752 EXPECT_EQ(certs->size(), 2);
753 EXPECT_NE(certs->at(0), nullptr);
754 EXPECT_NE(certs->at(1), nullptr);
755 X509_free(certs->at(0));
756 X509_free(certs->at(1));
757 }
758
TEST(ParsePemCertificateChainTest,MultipleCertWithExtraMiddleLinesSuccess)759 TEST(ParsePemCertificateChainTest, MultipleCertWithExtraMiddleLinesSuccess) {
760 absl::StatusOr<std::vector<X509*>> certs = ParsePemCertificateChain(
761 absl::StrCat(kLeafCertPem, "\nGarbage\n", kLeafCertPem));
762 EXPECT_EQ(certs.status(), absl::OkStatus());
763 EXPECT_EQ(certs->size(), 2);
764 EXPECT_NE(certs->at(0), nullptr);
765 EXPECT_NE(certs->at(1), nullptr);
766 X509_free(certs->at(0));
767 X509_free(certs->at(1));
768 }
769
TEST(ParsePemCertificateChainTest,MultipleCertWitManyMiddleLinesSuccess)770 TEST(ParsePemCertificateChainTest, MultipleCertWitManyMiddleLinesSuccess) {
771 absl::StatusOr<std::vector<X509*>> certs = ParsePemCertificateChain(
772 absl::StrCat(kLeafCertPem, "\n\n\n\n\n\n\n", kLeafCertPem));
773 EXPECT_EQ(certs.status(), absl::OkStatus());
774 EXPECT_EQ(certs->size(), 2);
775 EXPECT_NE(certs->at(0), nullptr);
776 EXPECT_NE(certs->at(1), nullptr);
777 X509_free(certs->at(0));
778 X509_free(certs->at(1));
779 }
780
TEST(ParsePemCertificateChainTest,ValidCertWithInvalidSuffix)781 TEST(ParsePemCertificateChainTest, ValidCertWithInvalidSuffix) {
782 EXPECT_EQ(ParsePemCertificateChain(absl::StrCat(kLeafCertPem, "invalid-pem"))
783 .status(),
784 absl::FailedPreconditionError("Invalid PEM."));
785 }
786
TEST(ParsePemCertificateChainTest,ValidCertWithInvalidPrefix)787 TEST(ParsePemCertificateChainTest, ValidCertWithInvalidPrefix) {
788 EXPECT_EQ(ParsePemCertificateChain(absl::StrCat("invalid-pem", kLeafCertPem))
789 .status(),
790 absl::NotFoundError("No certificates found."));
791 }
792
TEST(ParsePemCertificateChainTest,ValidCertWithInvalidLeadingLine)793 TEST(ParsePemCertificateChainTest, ValidCertWithInvalidLeadingLine) {
794 absl::StatusOr<std::vector<X509*>> certs =
795 ParsePemCertificateChain(absl::StrCat("invalid-pem\n", kLeafCertPem));
796 EXPECT_EQ(certs.status(), absl::OkStatus());
797 EXPECT_EQ(certs->size(), 1);
798 EXPECT_NE(certs->at(0), nullptr);
799 X509_free(certs->at(0));
800 }
801
TEST(ParsePemPrivateKeyTest,EmptyPem)802 TEST(ParsePemPrivateKeyTest, EmptyPem) {
803 EXPECT_EQ(ParsePemPrivateKey(/*private_key_pem=*/"").status(),
804 absl::NotFoundError("No private key found."));
805 }
806
TEST(ParsePemPrivateKeyTest,InvalidPem)807 TEST(ParsePemPrivateKeyTest, InvalidPem) {
808 EXPECT_EQ(ParsePemPrivateKey("invalid-pem").status(),
809 absl::NotFoundError("No private key found."));
810 }
811
TEST(ParsePemPrivateKeyTest,PartialPem)812 TEST(ParsePemPrivateKeyTest, PartialPem) {
813 std::string pem(kPrivateKeyPem);
814 EXPECT_EQ(ParsePemPrivateKey(pem.substr(0, pem.length() / 2)).status(),
815 absl::NotFoundError("No private key found."));
816 }
817
TEST(ParsePemPrivateKeyTest,RsaSuccess1)818 TEST(ParsePemPrivateKeyTest, RsaSuccess1) {
819 absl::StatusOr<EVP_PKEY*> pkey = ParsePemPrivateKey(kPrivateKeyPem);
820 EXPECT_EQ(pkey.status(), absl::OkStatus());
821 EXPECT_NE(*pkey, nullptr);
822 EVP_PKEY_free(*pkey);
823 }
824
TEST(ParsePemPrivateKeyTest,RsaSuccess2)825 TEST(ParsePemPrivateKeyTest, RsaSuccess2) {
826 absl::StatusOr<EVP_PKEY*> pkey = ParsePemPrivateKey(kRsaPrivateKeyPem);
827 EXPECT_EQ(pkey.status(), absl::OkStatus());
828 EXPECT_NE(*pkey, nullptr);
829 EVP_PKEY_free(*pkey);
830 }
831
TEST(ParsePemPrivateKeyTest,EcSuccess)832 TEST(ParsePemPrivateKeyTest, EcSuccess) {
833 absl::StatusOr<EVP_PKEY*> pkey = ParsePemPrivateKey(kEcPrivateKeyPem);
834 EXPECT_EQ(pkey.status(), absl::OkStatus());
835 EXPECT_NE(*pkey, nullptr);
836 EVP_PKEY_free(*pkey);
837 }
838 } // namespace testing
839 } // namespace grpc_core
840
main(int argc,char ** argv)841 int main(int argc, char** argv) {
842 grpc::testing::TestEnvironment env(&argc, argv);
843 ::testing::InitGoogleTest(&argc, argv);
844 grpc_init();
845 int ret = RUN_ALL_TESTS();
846 grpc_shutdown();
847 return ret;
848 }
849