1 //
2 //
3 // Copyright 2018 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
20
21 #include <gmock/gmock.h>
22 #include <grpc/credentials.h>
23 #include <grpc/support/alloc.h>
24 #include <grpc/support/string_util.h>
25 #include <gtest/gtest.h>
26 #include <stdlib.h>
27 #include <string.h>
28
29 #include "absl/log/check.h"
30 #include "src/core/config/config_vars.h"
31 #include "src/core/lib/channel/channel_args.h"
32 #include "src/core/lib/security/context/security_context.h"
33 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
34 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
35 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
36 #include "src/core/tsi/transport_security.h"
37 #include "src/core/util/crash.h"
38 #include "src/core/util/unique_type_name.h"
39 #include "test/core/test_util/test_config.h"
40 #include "test/core/test_util/tls_utils.h"
41
42 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
43 #define CLIENT_CERT_PATH "src/core/tsi/test_creds/multi-domain.pem"
44 #define SERVER_CERT_PATH_0 "src/core/tsi/test_creds/server0.pem"
45 #define SERVER_KEY_PATH_0 "src/core/tsi/test_creds/server0.key"
46 #define SERVER_CERT_PATH_1 "src/core/tsi/test_creds/server1.pem"
47 #define SERVER_KEY_PATH_1 "src/core/tsi/test_creds/server1.key"
48
49 namespace grpc_core {
50 namespace testing {
51
52 constexpr const char* kRootCertName = "root_cert_name";
53 constexpr const char* kIdentityCertName = "identity_cert_name";
54 constexpr const char* kErrorMessage = "error_message";
55 constexpr const char* kTargetName = "foo.bar.com:443";
56
57 class TlsSecurityConnectorTest : public ::testing::Test {
58 protected:
TlsSecurityConnectorTest()59 TlsSecurityConnectorTest() {}
60
SetUp()61 void SetUp() override {
62 root_cert_1_ = testing::GetFileContents(CA_CERT_PATH);
63 root_cert_0_ = testing::GetFileContents(CLIENT_CERT_PATH);
64 identity_pairs_1_.emplace_back(
65 testing::GetFileContents(SERVER_KEY_PATH_1),
66 testing::GetFileContents(SERVER_CERT_PATH_1));
67 identity_pairs_0_.emplace_back(
68 testing::GetFileContents(SERVER_KEY_PATH_0),
69 testing::GetFileContents(SERVER_CERT_PATH_0));
70 }
71
VerifyExpectedErrorCallback(void * arg,grpc_error_handle error)72 static void VerifyExpectedErrorCallback(void* arg, grpc_error_handle error) {
73 const char* expected_error_msg = static_cast<const char*>(arg);
74 if (expected_error_msg == nullptr) {
75 EXPECT_EQ(error, absl::OkStatus());
76 } else {
77 EXPECT_EQ(GetErrorMsg(error), expected_error_msg);
78 }
79 }
80
GetErrorMsg(grpc_error_handle error)81 static std::string GetErrorMsg(grpc_error_handle error) {
82 std::string error_str;
83 CHECK(
84 grpc_error_get_str(error, StatusStrProperty::kDescription, &error_str));
85 return error_str;
86 }
87
88 std::string root_cert_1_;
89 std::string root_cert_0_;
90 PemKeyCertPairList identity_pairs_1_;
91 PemKeyCertPairList identity_pairs_0_;
92 HostNameCertificateVerifier hostname_certificate_verifier_;
93 };
94
95 class TlsTestCertificateProvider : public grpc_tls_certificate_provider {
96 public:
TlsTestCertificateProvider(RefCountedPtr<grpc_tls_certificate_distributor> distributor)97 explicit TlsTestCertificateProvider(
98 RefCountedPtr<grpc_tls_certificate_distributor> distributor)
99 : distributor_(std::move(distributor)) {}
~TlsTestCertificateProvider()100 ~TlsTestCertificateProvider() override {}
distributor() const101 RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override {
102 return distributor_;
103 }
104
type() const105 UniqueTypeName type() const override {
106 static UniqueTypeName::Factory kFactory("tls_test");
107 return kFactory.Create();
108 }
109
110 private:
CompareImpl(const grpc_tls_certificate_provider * other) const111 int CompareImpl(const grpc_tls_certificate_provider* other) const override {
112 // TODO(yashykt): Maybe do something better here.
113 return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
114 other);
115 }
116
117 RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
118 };
119
120 //
121 // Tests for Certificate Providers in ChannelSecurityConnector.
122 //
123
TEST_F(TlsSecurityConnectorTest,RootAndIdentityCertsObtainedWhenCreateChannelSecurityConnector)124 TEST_F(TlsSecurityConnectorTest,
125 RootAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
126 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
127 MakeRefCounted<grpc_tls_certificate_distributor>();
128 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
129 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
130 identity_pairs_0_);
131 RefCountedPtr<grpc_tls_certificate_provider> provider =
132 MakeRefCounted<TlsTestCertificateProvider>(distributor);
133 RefCountedPtr<grpc_tls_credentials_options> options =
134 MakeRefCounted<grpc_tls_credentials_options>();
135 options->set_certificate_provider(provider);
136 options->set_watch_root_cert(true);
137 options->set_watch_identity_pair(true);
138 options->set_root_cert_name(kRootCertName);
139 options->set_identity_cert_name(kIdentityCertName);
140 RefCountedPtr<TlsCredentials> credential =
141 MakeRefCounted<TlsCredentials>(options);
142 ChannelArgs new_args;
143 RefCountedPtr<grpc_channel_security_connector> connector =
144 credential->create_security_connector(nullptr, kTargetName, &new_args);
145 EXPECT_NE(connector, nullptr);
146 TlsChannelSecurityConnector* tls_connector =
147 static_cast<TlsChannelSecurityConnector*>(connector.get());
148 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
149 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
150 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
151 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
152 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
153 identity_pairs_1_);
154 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
155 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
156 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
157 }
158
TEST_F(TlsSecurityConnectorTest,SystemRootsWhenCreateChannelSecurityConnector)159 TEST_F(TlsSecurityConnectorTest,
160 SystemRootsWhenCreateChannelSecurityConnector) {
161 // Create options watching for no certificates.
162 RefCountedPtr<grpc_tls_credentials_options> root_options =
163 MakeRefCounted<grpc_tls_credentials_options>();
164 RefCountedPtr<TlsCredentials> root_credential =
165 MakeRefCounted<TlsCredentials>(root_options);
166 ChannelArgs root_new_args;
167 RefCountedPtr<grpc_channel_security_connector> root_connector =
168 root_credential->create_security_connector(nullptr, "some_target",
169 &root_new_args);
170 EXPECT_NE(root_connector, nullptr);
171 TlsChannelSecurityConnector* tls_root_connector =
172 static_cast<TlsChannelSecurityConnector*>(root_connector.get());
173 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
174 }
175
TEST_F(TlsSecurityConnectorTest,SystemRootsAndIdentityCertsObtainedWhenCreateChannelSecurityConnector)176 TEST_F(TlsSecurityConnectorTest,
177 SystemRootsAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
178 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
179 MakeRefCounted<grpc_tls_certificate_distributor>();
180 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
181 identity_pairs_0_);
182 RefCountedPtr<grpc_tls_certificate_provider> provider =
183 MakeRefCounted<TlsTestCertificateProvider>(distributor);
184 // Create options only watching for identity certificates.
185 RefCountedPtr<grpc_tls_credentials_options> root_options =
186 MakeRefCounted<grpc_tls_credentials_options>();
187 root_options->set_certificate_provider(provider);
188 root_options->set_watch_identity_pair(true);
189 root_options->set_identity_cert_name(kIdentityCertName);
190 RefCountedPtr<TlsCredentials> root_credential =
191 MakeRefCounted<TlsCredentials>(root_options);
192 ChannelArgs root_new_args;
193 RefCountedPtr<grpc_channel_security_connector> root_connector =
194 root_credential->create_security_connector(nullptr, "some_target",
195 &root_new_args);
196 EXPECT_NE(root_connector, nullptr);
197 TlsChannelSecurityConnector* tls_root_connector =
198 static_cast<TlsChannelSecurityConnector*>(root_connector.get());
199 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
200 EXPECT_EQ(tls_root_connector->KeyCertPairListForTesting(), identity_pairs_0_);
201 // If we have a root update, we shouldn't receive them in security connector,
202 // since we claimed to use default system roots.
203 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
204 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
205 EXPECT_NE(tls_root_connector->RootCertsForTesting(), root_cert_1_);
206 }
207
TEST_F(TlsSecurityConnectorTest,RootCertsObtainedWhenCreateChannelSecurityConnector)208 TEST_F(TlsSecurityConnectorTest,
209 RootCertsObtainedWhenCreateChannelSecurityConnector) {
210 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
211 MakeRefCounted<grpc_tls_certificate_distributor>();
212 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
213 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
214 identity_pairs_0_);
215 RefCountedPtr<grpc_tls_certificate_provider> provider =
216 MakeRefCounted<TlsTestCertificateProvider>(distributor);
217 // Create options only watching for root certificates.
218 RefCountedPtr<grpc_tls_credentials_options> root_options =
219 MakeRefCounted<grpc_tls_credentials_options>();
220 root_options->set_certificate_provider(provider);
221 root_options->set_watch_root_cert(true);
222 root_options->set_root_cert_name(kRootCertName);
223 RefCountedPtr<TlsCredentials> root_credential =
224 MakeRefCounted<TlsCredentials>(root_options);
225 ChannelArgs root_new_args;
226 RefCountedPtr<grpc_channel_security_connector> root_connector =
227 root_credential->create_security_connector(nullptr, "some_target",
228 &root_new_args);
229 EXPECT_NE(root_connector, nullptr);
230 TlsChannelSecurityConnector* tls_root_connector =
231 static_cast<TlsChannelSecurityConnector*>(root_connector.get());
232 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
233 EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_0_);
234 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
235 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
236 EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_1_);
237 }
238
TEST_F(TlsSecurityConnectorTest,CertPartiallyObtainedWhenCreateChannelSecurityConnector)239 TEST_F(TlsSecurityConnectorTest,
240 CertPartiallyObtainedWhenCreateChannelSecurityConnector) {
241 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
242 MakeRefCounted<grpc_tls_certificate_distributor>();
243 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
244 RefCountedPtr<grpc_tls_certificate_provider> provider =
245 MakeRefCounted<TlsTestCertificateProvider>(distributor);
246 // Registered the options watching both certs, but only root certs are
247 // available at distributor right now.
248 RefCountedPtr<grpc_tls_credentials_options> options =
249 MakeRefCounted<grpc_tls_credentials_options>();
250 options->set_certificate_provider(provider);
251 options->set_watch_root_cert(true);
252 options->set_watch_identity_pair(true);
253 options->set_root_cert_name(kRootCertName);
254 options->set_identity_cert_name(kIdentityCertName);
255 RefCountedPtr<TlsCredentials> credential =
256 MakeRefCounted<TlsCredentials>(options);
257 ChannelArgs new_args;
258 RefCountedPtr<grpc_channel_security_connector> connector =
259 credential->create_security_connector(nullptr, kTargetName, &new_args);
260 EXPECT_NE(connector, nullptr);
261 TlsChannelSecurityConnector* tls_connector =
262 static_cast<TlsChannelSecurityConnector*>(connector.get());
263 // The client_handshaker_factory_ shouldn't be updated.
264 EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
265 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
266 // After updating the root certs, the client_handshaker_factory_ should be
267 // updated.
268 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
269 identity_pairs_0_);
270 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
271 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
272 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
273 }
274
TEST_F(TlsSecurityConnectorTest,DistributorHasErrorForChannelSecurityConnector)275 TEST_F(TlsSecurityConnectorTest,
276 DistributorHasErrorForChannelSecurityConnector) {
277 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
278 MakeRefCounted<grpc_tls_certificate_distributor>();
279 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
280 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
281 identity_pairs_0_);
282 RefCountedPtr<grpc_tls_certificate_provider> provider =
283 MakeRefCounted<TlsTestCertificateProvider>(distributor);
284 RefCountedPtr<grpc_tls_credentials_options> options =
285 MakeRefCounted<grpc_tls_credentials_options>();
286 options->set_certificate_provider(provider);
287 options->set_watch_root_cert(true);
288 options->set_watch_identity_pair(true);
289 options->set_root_cert_name(kRootCertName);
290 options->set_identity_cert_name(kIdentityCertName);
291 RefCountedPtr<TlsCredentials> credential =
292 MakeRefCounted<TlsCredentials>(options);
293 ChannelArgs new_args;
294 RefCountedPtr<grpc_channel_security_connector> connector =
295 credential->create_security_connector(nullptr, kTargetName, &new_args);
296 EXPECT_NE(connector, nullptr);
297 TlsChannelSecurityConnector* tls_connector =
298 static_cast<TlsChannelSecurityConnector*>(connector.get());
299 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
300 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
301 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
302 // Calling SetErrorForCert on distributor shouldn't invalidate the previous
303 // valid credentials.
304 distributor->SetErrorForCert(kRootCertName, GRPC_ERROR_CREATE(kErrorMessage),
305 absl::nullopt);
306 distributor->SetErrorForCert(kIdentityCertName, absl::nullopt,
307 GRPC_ERROR_CREATE(kErrorMessage));
308 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
309 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
310 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
311 }
312
TEST_F(TlsSecurityConnectorTest,CreateChannelSecurityConnectorFailNoTargetName)313 TEST_F(TlsSecurityConnectorTest,
314 CreateChannelSecurityConnectorFailNoTargetName) {
315 RefCountedPtr<grpc_tls_credentials_options> options =
316 MakeRefCounted<grpc_tls_credentials_options>();
317 RefCountedPtr<TlsCredentials> credential =
318 MakeRefCounted<TlsCredentials>(options);
319 ChannelArgs new_args;
320 RefCountedPtr<grpc_channel_security_connector> connector =
321 credential->create_security_connector(nullptr, nullptr, &new_args);
322 EXPECT_EQ(connector, nullptr);
323 }
324
TEST_F(TlsSecurityConnectorTest,CreateChannelSecurityConnectorFailNoCredentials)325 TEST_F(TlsSecurityConnectorTest,
326 CreateChannelSecurityConnectorFailNoCredentials) {
327 auto connector =
328 TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
329 nullptr, MakeRefCounted<grpc_tls_credentials_options>(), nullptr,
330 kTargetName, nullptr, nullptr);
331 EXPECT_EQ(connector, nullptr);
332 }
333
TEST_F(TlsSecurityConnectorTest,CreateChannelSecurityConnectorFailNoOptions)334 TEST_F(TlsSecurityConnectorTest, CreateChannelSecurityConnectorFailNoOptions) {
335 RefCountedPtr<grpc_tls_credentials_options> options =
336 MakeRefCounted<grpc_tls_credentials_options>();
337 RefCountedPtr<TlsCredentials> credential =
338 MakeRefCounted<TlsCredentials>(options);
339 auto connector =
340 TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
341 credential, nullptr, nullptr, kTargetName, nullptr, nullptr);
342 EXPECT_EQ(connector, nullptr);
343 }
344
345 //
346 // Tests for Certificate Verifier in ChannelSecurityConnector.
347 //
348
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithSyncExternalVerifierSucceeds)349 TEST_F(TlsSecurityConnectorTest,
350 ChannelSecurityConnectorWithSyncExternalVerifierSucceeds) {
351 auto* sync_verifier_ = new SyncExternalVerifier(true);
352 ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
353 RefCountedPtr<grpc_tls_credentials_options> options =
354 MakeRefCounted<grpc_tls_credentials_options>();
355 options->set_verify_server_cert(true);
356 options->set_certificate_verifier(core_external_verifier.Ref());
357 options->set_check_call_host(false);
358 RefCountedPtr<TlsCredentials> credential =
359 MakeRefCounted<TlsCredentials>(options);
360 ChannelArgs new_args;
361 RefCountedPtr<grpc_channel_security_connector> connector =
362 credential->create_security_connector(nullptr, kTargetName, &new_args);
363 EXPECT_NE(connector, nullptr);
364 TlsChannelSecurityConnector* tls_connector =
365 static_cast<TlsChannelSecurityConnector*>(connector.get());
366 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
367 // Construct a basic TSI Peer.
368 tsi_peer peer;
369 CHECK(tsi_construct_peer(2, &peer) == TSI_OK);
370 CHECK(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
371 strlen("h2"),
372 &peer.properties[0]) == TSI_OK);
373 CHECK(tsi_construct_string_peer_property_from_cstring(
374 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
375 &peer.properties[1]) == TSI_OK);
376 RefCountedPtr<grpc_auth_context> auth_context;
377 ExecCtx exec_ctx;
378 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
379 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
380 ChannelArgs args;
381 tls_connector->check_peer(peer, nullptr, args, &auth_context,
382 on_peer_checked);
383 }
384
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithSyncExternalVerifierFails)385 TEST_F(TlsSecurityConnectorTest,
386 ChannelSecurityConnectorWithSyncExternalVerifierFails) {
387 auto* sync_verifier_ = new SyncExternalVerifier(false);
388 ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
389 RefCountedPtr<grpc_tls_credentials_options> options =
390 MakeRefCounted<grpc_tls_credentials_options>();
391 options->set_verify_server_cert(true);
392 options->set_certificate_verifier(core_external_verifier.Ref());
393 options->set_check_call_host(false);
394 RefCountedPtr<TlsCredentials> credential =
395 MakeRefCounted<TlsCredentials>(options);
396 ChannelArgs new_args;
397 RefCountedPtr<grpc_channel_security_connector> connector =
398 credential->create_security_connector(nullptr, kTargetName, &new_args);
399 EXPECT_NE(connector, nullptr);
400 TlsChannelSecurityConnector* tls_connector =
401 static_cast<TlsChannelSecurityConnector*>(connector.get());
402 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
403 // Construct a basic TSI Peer.
404 tsi_peer peer;
405 CHECK(tsi_construct_peer(2, &peer) == TSI_OK);
406 CHECK(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
407 strlen("h2"),
408 &peer.properties[0]) == TSI_OK);
409 CHECK(tsi_construct_string_peer_property_from_cstring(
410 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
411 &peer.properties[1]) == TSI_OK);
412 RefCountedPtr<grpc_auth_context> auth_context;
413 const char* expected_error_msg =
414 "Custom verification check failed with error: UNAUTHENTICATED: "
415 "SyncExternalVerifier failed";
416 ExecCtx exec_ctx;
417 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
418 VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
419 grpc_schedule_on_exec_ctx);
420 tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
421 on_peer_checked);
422 }
423
TEST_F(TlsSecurityConnectorTest,CompareChannelSecurityConnectorSucceedsOnSameCredentials)424 TEST_F(TlsSecurityConnectorTest,
425 CompareChannelSecurityConnectorSucceedsOnSameCredentials) {
426 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
427 MakeRefCounted<grpc_tls_certificate_distributor>();
428 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
429 RefCountedPtr<grpc_tls_certificate_provider> provider =
430 MakeRefCounted<TlsTestCertificateProvider>(distributor);
431 auto options = MakeRefCounted<grpc_tls_credentials_options>();
432 options->set_certificate_provider(provider);
433 options->set_watch_root_cert(true);
434 options->set_root_cert_name(kRootCertName);
435 RefCountedPtr<TlsCredentials> credential =
436 MakeRefCounted<TlsCredentials>(options);
437 ChannelArgs connector_args;
438 ChannelArgs other_connector_args;
439 RefCountedPtr<grpc_channel_security_connector> connector =
440 credential->create_security_connector(nullptr, kTargetName,
441 &connector_args);
442 RefCountedPtr<grpc_channel_security_connector> other_connector =
443 credential->create_security_connector(nullptr, kTargetName,
444 &other_connector_args);
445 // Comparing the equality of security connectors generated from the same
446 // channel credentials with same settings should succeed.
447 EXPECT_EQ(connector->cmp(other_connector.get()), 0);
448 }
449
TEST_F(TlsSecurityConnectorTest,CompareChannelSecurityConnectorFailsOnDifferentChannelCredentials)450 TEST_F(TlsSecurityConnectorTest,
451 CompareChannelSecurityConnectorFailsOnDifferentChannelCredentials) {
452 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
453 MakeRefCounted<grpc_tls_certificate_distributor>();
454 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
455 RefCountedPtr<grpc_tls_certificate_provider> provider =
456 MakeRefCounted<TlsTestCertificateProvider>(distributor);
457 auto options = MakeRefCounted<grpc_tls_credentials_options>();
458 options->set_certificate_provider(provider);
459 options->set_watch_root_cert(true);
460 options->set_root_cert_name(kRootCertName);
461 RefCountedPtr<TlsCredentials> credential =
462 MakeRefCounted<TlsCredentials>(options);
463 ChannelArgs connector_args;
464 RefCountedPtr<grpc_channel_security_connector> connector =
465 credential->create_security_connector(nullptr, kTargetName,
466 &connector_args);
467 auto other_options = MakeRefCounted<grpc_tls_credentials_options>();
468 other_options->set_certificate_provider(provider);
469 other_options->set_watch_root_cert(true);
470 other_options->set_root_cert_name(kRootCertName);
471 other_options->set_watch_identity_pair(true);
472 RefCountedPtr<TlsCredentials> other_credential =
473 MakeRefCounted<TlsCredentials>(other_options);
474 ChannelArgs other_connector_args;
475 RefCountedPtr<grpc_channel_security_connector> other_connector =
476 other_credential->create_security_connector(nullptr, kTargetName,
477 &other_connector_args);
478 // Comparing the equality of security connectors generated from different
479 // channel credentials should fail.
480 EXPECT_NE(connector->cmp(other_connector.get()), 0);
481 }
482
TEST_F(TlsSecurityConnectorTest,CompareChannelSecurityConnectorFailsOnDifferentCallCredentials)483 TEST_F(TlsSecurityConnectorTest,
484 CompareChannelSecurityConnectorFailsOnDifferentCallCredentials) {
485 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
486 MakeRefCounted<grpc_tls_certificate_distributor>();
487 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
488 RefCountedPtr<grpc_tls_certificate_provider> provider =
489 MakeRefCounted<TlsTestCertificateProvider>(distributor);
490 auto options = MakeRefCounted<grpc_tls_credentials_options>();
491 options->set_certificate_provider(provider);
492 options->set_watch_root_cert(true);
493 options->set_root_cert_name(kRootCertName);
494 RefCountedPtr<TlsCredentials> credential =
495 MakeRefCounted<TlsCredentials>(options);
496 ChannelArgs connector_args;
497 RefCountedPtr<grpc_channel_security_connector> connector =
498 credential->create_security_connector(nullptr, kTargetName,
499 &connector_args);
500 grpc_call_credentials* call_creds =
501 grpc_md_only_test_credentials_create("", "");
502 ChannelArgs other_connector_args;
503 RefCountedPtr<grpc_channel_security_connector> other_connector =
504 credential->create_security_connector(
505 RefCountedPtr<grpc_call_credentials>(call_creds), kTargetName,
506 &other_connector_args);
507 // Comparing the equality of security connectors generated with different call
508 // credentials should fail.
509 EXPECT_NE(connector->cmp(other_connector.get()), 0);
510 }
511
TEST_F(TlsSecurityConnectorTest,CompareChannelSecurityConnectorFailsOnDifferentTargetNames)512 TEST_F(TlsSecurityConnectorTest,
513 CompareChannelSecurityConnectorFailsOnDifferentTargetNames) {
514 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
515 MakeRefCounted<grpc_tls_certificate_distributor>();
516 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
517 RefCountedPtr<grpc_tls_certificate_provider> provider =
518 MakeRefCounted<TlsTestCertificateProvider>(distributor);
519 auto options = MakeRefCounted<grpc_tls_credentials_options>();
520 options->set_certificate_provider(provider);
521 options->set_watch_root_cert(true);
522 options->set_root_cert_name(kRootCertName);
523 RefCountedPtr<TlsCredentials> credential =
524 MakeRefCounted<TlsCredentials>(options);
525 ChannelArgs connector_args;
526 ChannelArgs other_connector_args;
527 RefCountedPtr<grpc_channel_security_connector> connector =
528 credential->create_security_connector(nullptr, kTargetName,
529 &connector_args);
530 RefCountedPtr<grpc_channel_security_connector> other_connector =
531 credential->create_security_connector(nullptr, "", &other_connector_args);
532 // Comparing the equality of security connectors generated with different
533 // target names should fail.
534 EXPECT_NE(connector->cmp(other_connector.get()), 0);
535 }
536
537 // Tests for ServerSecurityConnector.
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithAsyncExternalVerifierSucceeds)538 TEST_F(TlsSecurityConnectorTest,
539 ChannelSecurityConnectorWithAsyncExternalVerifierSucceeds) {
540 auto* async_verifier = new AsyncExternalVerifier(true);
541 auto* core_external_verifier =
542 new ExternalCertificateVerifier(async_verifier->base());
543 auto options = MakeRefCounted<grpc_tls_credentials_options>();
544 options->set_verify_server_cert(true);
545 options->set_certificate_verifier(core_external_verifier->Ref());
546 options->set_check_call_host(false);
547 RefCountedPtr<TlsCredentials> credential =
548 MakeRefCounted<TlsCredentials>(options);
549 ChannelArgs new_args;
550 RefCountedPtr<grpc_channel_security_connector> connector =
551 credential->create_security_connector(nullptr, kTargetName, &new_args);
552 EXPECT_NE(connector, nullptr);
553 TlsChannelSecurityConnector* tls_connector =
554 static_cast<TlsChannelSecurityConnector*>(connector.get());
555 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
556 // Construct a basic TSI Peer.
557 tsi_peer peer;
558 CHECK(tsi_construct_peer(2, &peer) == TSI_OK);
559 CHECK(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
560 strlen("h2"),
561 &peer.properties[0]) == TSI_OK);
562 CHECK(tsi_construct_string_peer_property_from_cstring(
563 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
564 &peer.properties[1]) == TSI_OK);
565 RefCountedPtr<grpc_auth_context> auth_context;
566 ExecCtx exec_ctx;
567 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
568 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
569 tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
570 on_peer_checked);
571 core_external_verifier->Unref();
572 }
573
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithAsyncExternalVerifierFails)574 TEST_F(TlsSecurityConnectorTest,
575 ChannelSecurityConnectorWithAsyncExternalVerifierFails) {
576 auto* async_verifier = new AsyncExternalVerifier(false);
577 auto* core_external_verifier =
578 new ExternalCertificateVerifier(async_verifier->base());
579 auto options = MakeRefCounted<grpc_tls_credentials_options>();
580 options->set_verify_server_cert(true);
581 options->set_certificate_verifier(core_external_verifier->Ref());
582 options->set_check_call_host(false);
583 RefCountedPtr<TlsCredentials> credential =
584 MakeRefCounted<TlsCredentials>(options);
585 ChannelArgs new_args;
586 RefCountedPtr<grpc_channel_security_connector> connector =
587 credential->create_security_connector(nullptr, kTargetName, &new_args);
588 EXPECT_NE(connector, nullptr);
589 TlsChannelSecurityConnector* tls_connector =
590 static_cast<TlsChannelSecurityConnector*>(connector.get());
591 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
592 // Construct a basic TSI Peer.
593 tsi_peer peer;
594 CHECK(tsi_construct_peer(2, &peer) == TSI_OK);
595 CHECK(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
596 strlen("h2"),
597 &peer.properties[0]) == TSI_OK);
598 CHECK(tsi_construct_string_peer_property_from_cstring(
599 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
600 &peer.properties[1]) == TSI_OK);
601 RefCountedPtr<grpc_auth_context> auth_context;
602 const char* expected_error_msg =
603 "Custom verification check failed with error: UNAUTHENTICATED: "
604 "AsyncExternalVerifier failed";
605 ExecCtx exec_ctx;
606 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
607 VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
608 grpc_schedule_on_exec_ctx);
609 tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
610 on_peer_checked);
611 core_external_verifier->Unref();
612 }
613
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorHostnameVerifierSucceeds)614 TEST_F(TlsSecurityConnectorTest,
615 ChannelSecurityConnectorHostnameVerifierSucceeds) {
616 RefCountedPtr<grpc_tls_credentials_options> options =
617 MakeRefCounted<grpc_tls_credentials_options>();
618 options->set_verify_server_cert(true);
619 options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
620 options->set_check_call_host(false);
621 RefCountedPtr<TlsCredentials> credential =
622 MakeRefCounted<TlsCredentials>(options);
623 ChannelArgs new_args;
624 RefCountedPtr<grpc_channel_security_connector> connector =
625 credential->create_security_connector(nullptr, kTargetName, &new_args);
626 EXPECT_NE(connector, nullptr);
627 TlsChannelSecurityConnector* tls_connector =
628 static_cast<TlsChannelSecurityConnector*>(connector.get());
629 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
630 // Construct a full TSI Peer.
631 tsi_peer peer;
632 CHECK(tsi_construct_peer(7, &peer) == TSI_OK);
633 CHECK(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
634 strlen("h2"),
635 &peer.properties[0]) == TSI_OK);
636 CHECK(tsi_construct_string_peer_property_from_cstring(
637 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
638 &peer.properties[1]) == TSI_OK);
639 CHECK(tsi_construct_string_peer_property_from_cstring(
640 TSI_X509_PEM_CERT_PROPERTY, "pem_cert", &peer.properties[2]) ==
641 TSI_OK);
642 CHECK(tsi_construct_string_peer_property_from_cstring(
643 TSI_SECURITY_LEVEL_PEER_PROPERTY,
644 tsi_security_level_to_string(TSI_PRIVACY_AND_INTEGRITY),
645 &peer.properties[3]) == TSI_OK);
646 CHECK(tsi_construct_string_peer_property_from_cstring(
647 TSI_X509_PEM_CERT_CHAIN_PROPERTY, "pem_cert_chain",
648 &peer.properties[4]) == TSI_OK);
649 CHECK(tsi_construct_string_peer_property_from_cstring(
650 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "foo.bar.com",
651 &peer.properties[5]) == TSI_OK);
652 CHECK(tsi_construct_string_peer_property_from_cstring(
653 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "foo.baz.com",
654 &peer.properties[6]) == TSI_OK);
655 RefCountedPtr<grpc_auth_context> auth_context;
656 ExecCtx exec_ctx;
657 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
658 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
659 tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
660 on_peer_checked);
661 }
662
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorHostnameVerifierFails)663 TEST_F(TlsSecurityConnectorTest,
664 ChannelSecurityConnectorHostnameVerifierFails) {
665 RefCountedPtr<grpc_tls_credentials_options> options =
666 MakeRefCounted<grpc_tls_credentials_options>();
667 options->set_verify_server_cert(true);
668 options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
669 RefCountedPtr<TlsCredentials> credential =
670 MakeRefCounted<TlsCredentials>(options);
671 ChannelArgs new_args;
672 RefCountedPtr<grpc_channel_security_connector> connector =
673 credential->create_security_connector(nullptr, kTargetName, &new_args);
674 EXPECT_NE(connector, nullptr);
675 TlsChannelSecurityConnector* tls_connector =
676 static_cast<TlsChannelSecurityConnector*>(connector.get());
677 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
678 // Construct a full TSI Peer.
679 tsi_peer peer;
680 CHECK(tsi_construct_peer(7, &peer) == TSI_OK);
681 CHECK(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
682 strlen("h2"),
683 &peer.properties[0]) == TSI_OK);
684 CHECK(tsi_construct_string_peer_property_from_cstring(
685 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.com",
686 &peer.properties[1]) == TSI_OK);
687 CHECK(tsi_construct_string_peer_property_from_cstring(
688 TSI_X509_PEM_CERT_PROPERTY, "pem_cert", &peer.properties[2]) ==
689 TSI_OK);
690 CHECK(tsi_construct_string_peer_property_from_cstring(
691 TSI_SECURITY_LEVEL_PEER_PROPERTY,
692 tsi_security_level_to_string(TSI_PRIVACY_AND_INTEGRITY),
693 &peer.properties[3]) == TSI_OK);
694 CHECK(tsi_construct_string_peer_property_from_cstring(
695 TSI_X509_PEM_CERT_CHAIN_PROPERTY, "pem_cert_chain",
696 &peer.properties[4]) == TSI_OK);
697 CHECK(tsi_construct_string_peer_property_from_cstring(
698 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "*.com",
699 &peer.properties[5]) == TSI_OK);
700 CHECK(tsi_construct_string_peer_property_from_cstring(
701 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "foo.baz.com",
702 &peer.properties[6]) == TSI_OK);
703 RefCountedPtr<grpc_auth_context> auth_context;
704 const char* expected_error_msg =
705 "Custom verification check failed with error: UNAUTHENTICATED: Hostname "
706 "Verification "
707 "Check failed.";
708 ExecCtx exec_ctx;
709 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
710 VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
711 grpc_schedule_on_exec_ctx);
712 tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
713 on_peer_checked);
714 }
715
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithVerifiedRootCertSubjectSucceeds)716 TEST_F(TlsSecurityConnectorTest,
717 ChannelSecurityConnectorWithVerifiedRootCertSubjectSucceeds) {
718 auto* sync_verifier = new SyncExternalVerifier(true);
719 ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
720 RefCountedPtr<grpc_tls_credentials_options> options =
721 MakeRefCounted<grpc_tls_credentials_options>();
722 options->set_verify_server_cert(true);
723 options->set_certificate_verifier(core_external_verifier.Ref());
724 options->set_check_call_host(false);
725 RefCountedPtr<TlsCredentials> credential =
726 MakeRefCounted<TlsCredentials>(options);
727 ChannelArgs new_args;
728 RefCountedPtr<grpc_channel_security_connector> connector =
729 credential->create_security_connector(nullptr, kTargetName, &new_args);
730 EXPECT_NE(connector, nullptr);
731 TlsChannelSecurityConnector* tls_connector =
732 static_cast<TlsChannelSecurityConnector*>(connector.get());
733 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
734 // Construct a basic TSI Peer.
735 std::string expected_subject =
736 "CN=testca,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU";
737 tsi_peer peer;
738 EXPECT_EQ(tsi_construct_peer(2, &peer), TSI_OK);
739 EXPECT_EQ(
740 tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
741 strlen("h2"), &peer.properties[0]),
742 TSI_OK);
743 EXPECT_EQ(tsi_construct_string_peer_property_from_cstring(
744 TSI_X509_VERIFIED_ROOT_CERT_SUBECT_PEER_PROPERTY,
745 expected_subject.c_str(), &peer.properties[1]),
746 TSI_OK);
747 RefCountedPtr<grpc_auth_context> auth_context;
748 ExecCtx exec_ctx;
749 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
750 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
751 ChannelArgs args;
752 tls_connector->check_peer(peer, nullptr, args, &auth_context,
753 on_peer_checked);
754 }
755
756 //
757 // Tests for Certificate Providers in ServerSecurityConnector.
758 //
759
TEST_F(TlsSecurityConnectorTest,RootAndIdentityCertsObtainedWhenCreateServerSecurityConnector)760 TEST_F(TlsSecurityConnectorTest,
761 RootAndIdentityCertsObtainedWhenCreateServerSecurityConnector) {
762 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
763 MakeRefCounted<grpc_tls_certificate_distributor>();
764 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
765 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
766 identity_pairs_0_);
767 RefCountedPtr<grpc_tls_certificate_provider> provider =
768 MakeRefCounted<TlsTestCertificateProvider>(distributor);
769 RefCountedPtr<grpc_tls_credentials_options> options =
770 MakeRefCounted<grpc_tls_credentials_options>();
771 options->set_certificate_provider(provider);
772 options->set_watch_root_cert(true);
773 options->set_watch_identity_pair(true);
774 options->set_root_cert_name(kRootCertName);
775 options->set_identity_cert_name(kIdentityCertName);
776 RefCountedPtr<TlsServerCredentials> credential =
777 MakeRefCounted<TlsServerCredentials>(options);
778 RefCountedPtr<grpc_server_security_connector> connector =
779 credential->create_security_connector(ChannelArgs());
780 EXPECT_NE(connector, nullptr);
781 TlsServerSecurityConnector* tls_connector =
782 static_cast<TlsServerSecurityConnector*>(connector.get());
783 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
784 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
785 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
786 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
787 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
788 identity_pairs_1_);
789 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
790 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
791 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
792 }
793
794 // Note that on server side, we don't have tests watching root certs only,
795 // because in TLS, the identity certs should always be presented. If we don't
796 // provide, it will try to load certs from some default system locations, and
797 // will hence fail on some systems.
TEST_F(TlsSecurityConnectorTest,IdentityCertsObtainedWhenCreateServerSecurityConnector)798 TEST_F(TlsSecurityConnectorTest,
799 IdentityCertsObtainedWhenCreateServerSecurityConnector) {
800 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
801 MakeRefCounted<grpc_tls_certificate_distributor>();
802 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
803 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
804 identity_pairs_0_);
805 RefCountedPtr<grpc_tls_certificate_provider> provider =
806 MakeRefCounted<TlsTestCertificateProvider>(distributor);
807 // Create options only watching for identity certificates.
808 RefCountedPtr<grpc_tls_credentials_options> identity_options =
809 MakeRefCounted<grpc_tls_credentials_options>();
810 identity_options->set_certificate_provider(provider);
811 identity_options->set_watch_identity_pair(true);
812 identity_options->set_identity_cert_name(kIdentityCertName);
813 RefCountedPtr<TlsServerCredentials> identity_credential =
814 MakeRefCounted<TlsServerCredentials>(identity_options);
815 RefCountedPtr<grpc_server_security_connector> identity_connector =
816 identity_credential->create_security_connector(ChannelArgs());
817 EXPECT_NE(identity_connector, nullptr);
818 TlsServerSecurityConnector* tls_identity_connector =
819 static_cast<TlsServerSecurityConnector*>(identity_connector.get());
820 EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
821 nullptr);
822 EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
823 identity_pairs_0_);
824 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
825 identity_pairs_1_);
826 EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
827 nullptr);
828 EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
829 identity_pairs_1_);
830 }
831
TEST_F(TlsSecurityConnectorTest,CertPartiallyObtainedWhenCreateServerSecurityConnector)832 TEST_F(TlsSecurityConnectorTest,
833 CertPartiallyObtainedWhenCreateServerSecurityConnector) {
834 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
835 MakeRefCounted<grpc_tls_certificate_distributor>();
836 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
837 identity_pairs_0_);
838 RefCountedPtr<grpc_tls_certificate_provider> provider =
839 MakeRefCounted<TlsTestCertificateProvider>(distributor);
840 // Registered the options watching both certs, but only root certs are
841 // available at distributor right now.
842 RefCountedPtr<grpc_tls_credentials_options> options =
843 MakeRefCounted<grpc_tls_credentials_options>();
844 options->set_certificate_provider(provider);
845 options->set_watch_root_cert(true);
846 options->set_watch_identity_pair(true);
847 options->set_root_cert_name(kRootCertName);
848 options->set_identity_cert_name(kIdentityCertName);
849 RefCountedPtr<TlsServerCredentials> credential =
850 MakeRefCounted<TlsServerCredentials>(options);
851 RefCountedPtr<grpc_server_security_connector> connector =
852 credential->create_security_connector(ChannelArgs());
853 EXPECT_NE(connector, nullptr);
854 TlsServerSecurityConnector* tls_connector =
855 static_cast<TlsServerSecurityConnector*>(connector.get());
856 // The server_handshaker_factory_ shouldn't be updated.
857 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
858 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
859 // After updating the root certs, the server_handshaker_factory_ should be
860 // updated.
861 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
862 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
863 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
864 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
865 }
866
TEST_F(TlsSecurityConnectorTest,DistributorHasErrorForServerSecurityConnector)867 TEST_F(TlsSecurityConnectorTest,
868 DistributorHasErrorForServerSecurityConnector) {
869 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
870 MakeRefCounted<grpc_tls_certificate_distributor>();
871 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
872 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
873 identity_pairs_0_);
874 RefCountedPtr<grpc_tls_certificate_provider> provider =
875 MakeRefCounted<TlsTestCertificateProvider>(distributor);
876 RefCountedPtr<grpc_tls_credentials_options> options =
877 MakeRefCounted<grpc_tls_credentials_options>();
878 options->set_certificate_provider(provider);
879 options->set_watch_root_cert(true);
880 options->set_watch_identity_pair(true);
881 options->set_root_cert_name(kRootCertName);
882 options->set_identity_cert_name(kIdentityCertName);
883 RefCountedPtr<TlsServerCredentials> credential =
884 MakeRefCounted<TlsServerCredentials>(options);
885 RefCountedPtr<grpc_server_security_connector> connector =
886 credential->create_security_connector(ChannelArgs());
887 EXPECT_NE(connector, nullptr);
888 TlsServerSecurityConnector* tls_connector =
889 static_cast<TlsServerSecurityConnector*>(connector.get());
890 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
891 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
892 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
893 // Calling SetErrorForCert on distributor shouldn't invalidate the previous
894 // valid credentials.
895 distributor->SetErrorForCert(kRootCertName, GRPC_ERROR_CREATE(kErrorMessage),
896 absl::nullopt);
897 distributor->SetErrorForCert(kIdentityCertName, absl::nullopt,
898 GRPC_ERROR_CREATE(kErrorMessage));
899 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
900 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
901 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
902 }
903
TEST_F(TlsSecurityConnectorTest,CreateServerSecurityConnectorFailNoCredentials)904 TEST_F(TlsSecurityConnectorTest,
905 CreateServerSecurityConnectorFailNoCredentials) {
906 auto connector = TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
907 nullptr, MakeRefCounted<grpc_tls_credentials_options>());
908 EXPECT_EQ(connector, nullptr);
909 }
910
TEST_F(TlsSecurityConnectorTest,CreateServerSecurityConnectorFailNoOptions)911 TEST_F(TlsSecurityConnectorTest, CreateServerSecurityConnectorFailNoOptions) {
912 RefCountedPtr<grpc_tls_credentials_options> options =
913 MakeRefCounted<grpc_tls_credentials_options>();
914 RefCountedPtr<TlsServerCredentials> credential =
915 MakeRefCounted<TlsServerCredentials>(options);
916 auto connector = TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
917 credential, nullptr);
918 EXPECT_EQ(connector, nullptr);
919 }
920
TEST_F(TlsSecurityConnectorTest,CompareServerSecurityConnectorSucceedsOnSameCredentials)921 TEST_F(TlsSecurityConnectorTest,
922 CompareServerSecurityConnectorSucceedsOnSameCredentials) {
923 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
924 MakeRefCounted<grpc_tls_certificate_distributor>();
925 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
926 identity_pairs_0_);
927 RefCountedPtr<grpc_tls_certificate_provider> provider =
928 MakeRefCounted<TlsTestCertificateProvider>(distributor);
929 auto options = MakeRefCounted<grpc_tls_credentials_options>();
930 options->set_certificate_provider(provider);
931 options->set_watch_identity_pair(true);
932 options->set_identity_cert_name(kIdentityCertName);
933 RefCountedPtr<TlsServerCredentials> credential =
934 MakeRefCounted<TlsServerCredentials>(options);
935 RefCountedPtr<grpc_server_security_connector> connector =
936 credential->create_security_connector(ChannelArgs());
937 RefCountedPtr<grpc_server_security_connector> other_connector =
938 credential->create_security_connector(ChannelArgs());
939 // Comparing the equality of security connectors generated from the same
940 // server credentials with same settings should succeed.
941 EXPECT_EQ(connector->cmp(other_connector.get()), 0);
942 }
943
TEST_F(TlsSecurityConnectorTest,CompareServerSecurityConnectorFailsOnDifferentServerCredentials)944 TEST_F(TlsSecurityConnectorTest,
945 CompareServerSecurityConnectorFailsOnDifferentServerCredentials) {
946 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
947 MakeRefCounted<grpc_tls_certificate_distributor>();
948 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
949 identity_pairs_0_);
950 RefCountedPtr<grpc_tls_certificate_provider> provider =
951 MakeRefCounted<TlsTestCertificateProvider>(distributor);
952 auto options = MakeRefCounted<grpc_tls_credentials_options>();
953 options->set_certificate_provider(provider);
954 options->set_watch_identity_pair(true);
955 options->set_identity_cert_name(kIdentityCertName);
956 RefCountedPtr<TlsServerCredentials> credential =
957 MakeRefCounted<TlsServerCredentials>(options);
958 RefCountedPtr<grpc_server_security_connector> connector =
959 credential->create_security_connector(ChannelArgs());
960 RefCountedPtr<TlsServerCredentials> other_credential =
961 MakeRefCounted<TlsServerCredentials>(options);
962 RefCountedPtr<grpc_server_security_connector> other_connector =
963 other_credential->create_security_connector(ChannelArgs());
964 // Comparing the equality of security connectors generated from different
965 // server credentials should fail.
966 EXPECT_NE(connector->cmp(other_connector.get()), 0);
967 }
968
969 //
970 // Tests for Certificate Verifier in ServerSecurityConnector.
971 //
972
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithSyncExternalVerifierSucceeds)973 TEST_F(TlsSecurityConnectorTest,
974 ServerSecurityConnectorWithSyncExternalVerifierSucceeds) {
975 auto* sync_verifier = new SyncExternalVerifier(true);
976 ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
977 RefCountedPtr<grpc_tls_credentials_options> options =
978 MakeRefCounted<grpc_tls_credentials_options>();
979 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
980 options->set_certificate_verifier(core_external_verifier.Ref());
981 auto provider =
982 MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
983 options->set_certificate_provider(std::move(provider));
984 options->set_watch_identity_pair(true);
985 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
986 auto connector = credentials->create_security_connector(ChannelArgs());
987 // Construct a basic TSI Peer.
988 tsi_peer peer;
989 CHECK(tsi_construct_peer(2, &peer) == TSI_OK);
990 CHECK(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
991 strlen("h2"),
992 &peer.properties[0]) == TSI_OK);
993 CHECK(tsi_construct_string_peer_property_from_cstring(
994 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
995 &peer.properties[1]) == TSI_OK);
996 RefCountedPtr<grpc_auth_context> auth_context;
997 ExecCtx exec_ctx;
998 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
999 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
1000 ChannelArgs args;
1001 connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1002 }
1003
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithSyncExternalVerifierFails)1004 TEST_F(TlsSecurityConnectorTest,
1005 ServerSecurityConnectorWithSyncExternalVerifierFails) {
1006 auto* sync_verifier = new SyncExternalVerifier(false);
1007 ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
1008 RefCountedPtr<grpc_tls_credentials_options> options =
1009 MakeRefCounted<grpc_tls_credentials_options>();
1010 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
1011 options->set_certificate_verifier(core_external_verifier.Ref());
1012 auto provider =
1013 MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1014 options->set_certificate_provider(std::move(provider));
1015 options->set_watch_identity_pair(true);
1016 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1017 auto connector = credentials->create_security_connector(ChannelArgs());
1018 // Construct a basic TSI Peer.
1019 tsi_peer peer;
1020 CHECK(tsi_construct_peer(2, &peer) == TSI_OK);
1021 CHECK(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
1022 strlen("h2"),
1023 &peer.properties[0]) == TSI_OK);
1024 CHECK(tsi_construct_string_peer_property_from_cstring(
1025 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
1026 &peer.properties[1]) == TSI_OK);
1027 RefCountedPtr<grpc_auth_context> auth_context;
1028 const char* expected_error_msg =
1029 "Custom verification check failed with error: UNAUTHENTICATED: "
1030 "SyncExternalVerifier failed";
1031 ExecCtx exec_ctx;
1032 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1033 VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
1034 grpc_schedule_on_exec_ctx);
1035 ChannelArgs args;
1036 connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1037 }
1038
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithAsyncExternalVerifierSucceeds)1039 TEST_F(TlsSecurityConnectorTest,
1040 ServerSecurityConnectorWithAsyncExternalVerifierSucceeds) {
1041 auto* async_verifier = new AsyncExternalVerifier(true);
1042 auto* core_external_verifier =
1043 new ExternalCertificateVerifier(async_verifier->base());
1044 auto options = MakeRefCounted<grpc_tls_credentials_options>();
1045 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
1046 options->set_certificate_verifier(core_external_verifier->Ref());
1047 auto provider =
1048 MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1049 options->set_certificate_provider(std::move(provider));
1050 options->set_watch_identity_pair(true);
1051 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1052 auto connector = credentials->create_security_connector(ChannelArgs());
1053 // Construct a basic TSI Peer.
1054 tsi_peer peer;
1055 CHECK(tsi_construct_peer(2, &peer) == TSI_OK);
1056 CHECK(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
1057 strlen("h2"),
1058 &peer.properties[0]) == TSI_OK);
1059 CHECK(tsi_construct_string_peer_property_from_cstring(
1060 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
1061 &peer.properties[1]) == TSI_OK);
1062 RefCountedPtr<grpc_auth_context> auth_context;
1063 ExecCtx exec_ctx;
1064 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1065 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
1066 ChannelArgs args;
1067 connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1068 core_external_verifier->Unref();
1069 }
1070
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithAsyncExternalVerifierFails)1071 TEST_F(TlsSecurityConnectorTest,
1072 ServerSecurityConnectorWithAsyncExternalVerifierFails) {
1073 auto* async_verifier = new AsyncExternalVerifier(false);
1074 auto* core_external_verifier =
1075 new ExternalCertificateVerifier(async_verifier->base());
1076 RefCountedPtr<grpc_tls_credentials_options> options =
1077 MakeRefCounted<grpc_tls_credentials_options>();
1078 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
1079 options->set_certificate_verifier(core_external_verifier->Ref());
1080 auto provider =
1081 MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1082 options->set_certificate_provider(std::move(provider));
1083 options->set_watch_identity_pair(true);
1084 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1085 auto connector = credentials->create_security_connector(ChannelArgs());
1086 // Construct a basic TSI Peer.
1087 tsi_peer peer;
1088 CHECK(tsi_construct_peer(2, &peer) == TSI_OK);
1089 CHECK(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
1090 strlen("h2"),
1091 &peer.properties[0]) == TSI_OK);
1092 CHECK(tsi_construct_string_peer_property_from_cstring(
1093 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
1094 &peer.properties[1]) == TSI_OK);
1095 RefCountedPtr<grpc_auth_context> auth_context;
1096 const char* expected_error_msg =
1097 "Custom verification check failed with error: UNAUTHENTICATED: "
1098 "AsyncExternalVerifier failed";
1099 ExecCtx exec_ctx;
1100 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1101 VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
1102 grpc_schedule_on_exec_ctx);
1103 ChannelArgs args;
1104 connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1105 core_external_verifier->Unref();
1106 }
1107
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithVerifiedRootSubjectCertSucceeds)1108 TEST_F(TlsSecurityConnectorTest,
1109 ServerSecurityConnectorWithVerifiedRootSubjectCertSucceeds) {
1110 auto* sync_verifier = new SyncExternalVerifier(true);
1111 ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
1112 RefCountedPtr<grpc_tls_credentials_options> options =
1113 MakeRefCounted<grpc_tls_credentials_options>();
1114 options->set_cert_request_type(
1115 GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
1116 options->set_certificate_verifier(core_external_verifier.Ref());
1117 auto provider =
1118 MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1119 options->set_certificate_provider(std::move(provider));
1120 options->set_watch_identity_pair(true);
1121 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1122 auto connector = credentials->create_security_connector(ChannelArgs());
1123 // Construct a basic TSI Peer.
1124 std::string expected_subject =
1125 "CN=testca,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU";
1126 tsi_peer peer;
1127 EXPECT_EQ(tsi_construct_peer(2, &peer), TSI_OK);
1128 EXPECT_EQ(
1129 tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
1130 strlen("h2"), &peer.properties[0]),
1131 TSI_OK);
1132 EXPECT_EQ(tsi_construct_string_peer_property_from_cstring(
1133 TSI_X509_VERIFIED_ROOT_CERT_SUBECT_PEER_PROPERTY,
1134 expected_subject.c_str(), &peer.properties[1]),
1135 TSI_OK);
1136 RefCountedPtr<grpc_auth_context> auth_context;
1137 ExecCtx exec_ctx;
1138 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1139 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
1140 ChannelArgs args;
1141 connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1142 }
1143 } // namespace testing
1144 } // namespace grpc_core
1145
main(int argc,char ** argv)1146 int main(int argc, char** argv) {
1147 grpc::testing::TestEnvironment env(&argc, argv);
1148 grpc_core::ConfigVars::Overrides overrides;
1149 overrides.default_ssl_roots_file_path = CA_CERT_PATH;
1150 grpc_core::ConfigVars::SetOverrides(overrides);
1151 ::testing::InitGoogleTest(&argc, argv);
1152 grpc_init();
1153 int ret = RUN_ALL_TESTS();
1154 grpc_shutdown();
1155 return ret;
1156 }
1157