1 #include <gnutls/gnutls.h>
2 #include <telepathy-glib/telepathy-glib.h>
3 #include <telepathy-glib/telepathy-glib-dbus.h>
5 #include "empathy-tls-verifier.h"
6 #include "mock-pkcs11.h"
7 #include "test-helper.h"
9 #define MOCK_TLS_CERTIFICATE_PATH "/mock/certificate"
12 GType mock_tls_certificate_get_type (void);
14 #define MOCK_TLS_CERTIFICATE(obj) \
15 (G_TYPE_CHECK_INSTANCE_CAST((obj), mock_tls_certificate_get_type (), \
18 typedef struct _MockTLSCertificate {
21 GPtrArray *rejections;
26 typedef struct _MockTLSCertificateClass {
28 TpDBusPropertiesMixinClass dbus_props_class;
29 } MockTLSCertificateClass;
35 PROP_CERTIFICATE_TYPE,
36 PROP_CERTIFICATE_CHAIN_DATA
39 static void mock_tls_certificate_iface_init (gpointer, gpointer);
41 G_DEFINE_TYPE_WITH_CODE(MockTLSCertificate, mock_tls_certificate, G_TYPE_OBJECT,
42 G_IMPLEMENT_INTERFACE (TP_TYPE_SVC_AUTHENTICATION_TLS_CERTIFICATE,
43 mock_tls_certificate_iface_init)
44 G_IMPLEMENT_INTERFACE (TP_TYPE_SVC_DBUS_PROPERTIES,
45 tp_dbus_properties_mixin_iface_init)
49 mock_tls_certificate_init (MockTLSCertificate *self)
51 self->state = TP_TLS_CERTIFICATE_STATE_PENDING;
52 self->cert_type = g_strdup ("x509");
53 self->cert_data = g_ptr_array_new_with_free_func((GDestroyNotify) g_array_unref);
54 self->rejections = g_ptr_array_new ();
58 mock_tls_certificate_get_property (GObject *object,
63 MockTLSCertificate *self = MOCK_TLS_CERTIFICATE (object);
68 g_value_set_uint (value, self->state);
71 g_value_set_boxed (value, self->rejections);
73 case PROP_CERTIFICATE_TYPE:
74 g_value_set_string (value, self->cert_type);
76 case PROP_CERTIFICATE_CHAIN_DATA:
77 g_value_set_boxed (value, self->cert_data);
80 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
86 mock_tls_certificate_finalize (GObject *object)
88 MockTLSCertificate *self = MOCK_TLS_CERTIFICATE (object);
90 tp_clear_boxed (TP_ARRAY_TYPE_TLS_CERTIFICATE_REJECTION_LIST,
92 g_free (self->cert_type);
93 self->cert_type = NULL;
94 g_ptr_array_unref (self->cert_data);
95 self->cert_data = NULL;
97 G_OBJECT_CLASS (mock_tls_certificate_parent_class)->finalize (object);
101 mock_tls_certificate_class_init (MockTLSCertificateClass *klass)
103 GObjectClass *oclass = G_OBJECT_CLASS (klass);
106 static TpDBusPropertiesMixinPropImpl object_props[] = {
107 { "State", "state", NULL },
108 { "Rejections", "rejections", NULL },
109 { "CertificateType", "certificate-type", NULL },
110 { "CertificateChainData", "certificate-chain-data", NULL },
114 static TpDBusPropertiesMixinIfaceImpl prop_interfaces[] = {
115 { TP_IFACE_AUTHENTICATION_TLS_CERTIFICATE,
116 tp_dbus_properties_mixin_getter_gobject_properties,
123 oclass->get_property = mock_tls_certificate_get_property;
124 oclass->finalize = mock_tls_certificate_finalize;
126 pspec = g_param_spec_uint ("state",
127 "State of this certificate",
128 "The state of this TLS certificate.",
129 0, NUM_TP_TLS_CERTIFICATE_STATES - 1,
130 TP_TLS_CERTIFICATE_STATE_PENDING,
131 G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
132 g_object_class_install_property (oclass, PROP_STATE, pspec);
134 pspec = g_param_spec_boxed ("rejections",
135 "The reject reasons",
136 "The reasons why this TLS certificate has been rejected",
137 TP_ARRAY_TYPE_TLS_CERTIFICATE_REJECTION_LIST,
138 G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
139 g_object_class_install_property (oclass, PROP_REJECTIONS, pspec);
141 pspec = g_param_spec_string ("certificate-type",
142 "The certificate type",
143 "The type of this certificate.",
145 G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
146 g_object_class_install_property (oclass, PROP_CERTIFICATE_TYPE, pspec);
148 pspec = g_param_spec_boxed ("certificate-chain-data",
149 "The certificate chain data",
150 "The raw PEM-encoded trust chain of this certificate.",
151 TP_ARRAY_TYPE_UCHAR_ARRAY_LIST,
152 G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
153 g_object_class_install_property (oclass, PROP_CERTIFICATE_CHAIN_DATA, pspec);
155 klass->dbus_props_class.interfaces = prop_interfaces;
156 tp_dbus_properties_mixin_class_init (oclass,
157 G_STRUCT_OFFSET (MockTLSCertificateClass, dbus_props_class));
161 mock_tls_certificate_accept (TpSvcAuthenticationTLSCertificate *base,
162 DBusGMethodInvocation *context)
164 MockTLSCertificate *self = MOCK_TLS_CERTIFICATE (base);
165 self->state = TP_TLS_CERTIFICATE_STATE_ACCEPTED;
166 tp_svc_authentication_tls_certificate_emit_accepted (self);
167 tp_svc_authentication_tls_certificate_return_from_accept (context);
171 mock_tls_certificate_reject (TpSvcAuthenticationTLSCertificate *base,
172 const GPtrArray *in_Rejections,
173 DBusGMethodInvocation *context)
175 MockTLSCertificate *self = MOCK_TLS_CERTIFICATE (base);
176 self->state = TP_TLS_CERTIFICATE_STATE_REJECTED;
177 tp_svc_authentication_tls_certificate_emit_rejected (self, in_Rejections);
178 tp_svc_authentication_tls_certificate_return_from_reject (context);
182 mock_tls_certificate_iface_init (gpointer g_iface,
185 TpSvcAuthenticationTLSCertificateClass *klass =
186 (TpSvcAuthenticationTLSCertificateClass*)g_iface;
188 tp_svc_authentication_tls_certificate_implement_accept (klass,
189 mock_tls_certificate_accept);
190 tp_svc_authentication_tls_certificate_implement_reject (klass,
191 mock_tls_certificate_reject);
196 mock_tls_certificate_assert_rejected (MockTLSCertificate *self,
197 TpTLSCertificateRejectReason reason)
199 GValueArray *rejection;
200 TpTLSCertificateRejectReason rejection_reason;
201 gchar *rejection_error;
202 GHashTable *rejection_details;
205 g_assert (self->state == TP_TLS_CERTIFICATE_STATE_REJECTED);
206 g_assert (self->rejections);
207 g_assert (self->rejections->len > 0);
209 for (i = 0; i < self->rejections->len; ++i)
211 rejection = g_ptr_array_index (self->rejections, i);
212 tp_value_array_unpack (rejection, 3,
213 G_TYPE_UINT, &rejection_reason,
214 G_TYPE_STRING, &rejection_error,
215 TP_HASH_TYPE_STRING_VARIANT_MAP, &rejection_details,
217 g_free (rejection_error);
218 g_hash_table_unref (rejection_details);
220 if (rejection_reason == reason)
224 g_assert ("Certificate was not rejected for right reason" && 0);
228 static MockTLSCertificate*
229 mock_tls_certificate_new_and_register (TpDBusDaemon *dbus,
233 MockTLSCertificate *cert;
234 GError *error = NULL;
235 gchar *filename, *contents;
240 cert = g_object_new (mock_tls_certificate_get_type (), NULL);
243 while (path != NULL) {
244 filename = g_build_filename (g_getenv ("EMPATHY_SRCDIR"),
245 "tests", "certificates", path, NULL);
246 g_file_get_contents (filename, &contents, &length, &error);
247 g_assert_no_error (error);
249 der = g_array_sized_new (TRUE, TRUE, sizeof (guchar), length);
250 g_array_append_vals (der, contents, length);
251 g_ptr_array_add (cert->cert_data, der);
256 path = va_arg (va, gchar*);
260 tp_dbus_daemon_register_object (dbus, MOCK_TLS_CERTIFICATE_PATH, cert);
264 /* ----------------------------------------------------------------------------
271 const gchar *dbus_name;
272 MockTLSCertificate *mock;
273 TpTLSCertificate *cert;
274 GAsyncResult *result;
278 setup (Test *test, gconstpointer data)
280 GError *error = NULL;
282 const gchar *trust_uris[2] = { MOCK_SLOT_ONE_URI, NULL };
284 test->loop = g_main_loop_new (NULL, FALSE);
286 test->dbus = tp_dbus_daemon_dup (&error);
287 g_assert_no_error (error);
289 test->dbus_name = tp_dbus_daemon_get_unique_name (test->dbus);
294 /* Add our mock module as the only PKCS#11 module */
295 module = gck_module_new (&mock_default_functions);
296 mock_C_Initialize (NULL);
298 gcr_pkcs11_set_modules (NULL);
299 gcr_pkcs11_add_module (module);
300 gcr_pkcs11_set_trust_lookup_uris (trust_uris);
304 teardown (Test *test, gconstpointer data)
306 mock_C_Finalize (NULL);
308 test->dbus_name = NULL;
312 tp_dbus_daemon_unregister_object (test->dbus, test->mock);
313 g_object_unref (test->mock);
318 g_object_unref (test->result);
322 g_object_unref (test->cert);
325 g_main_loop_unref (test->loop);
328 g_object_unref (test->dbus);
333 add_certificate_to_mock (Test *test,
334 const gchar *certificate,
337 GError *error = NULL;
338 GcrCertificate *cert;
343 path = g_build_filename (g_getenv ("EMPATHY_SRCDIR"),
344 "tests", "certificates", certificate, NULL);
346 g_file_get_contents (path, &contents, &length, &error);
347 g_assert_no_error (error);
349 cert = gcr_simple_certificate_new ((const guchar *)contents, length);
350 mock_module_add_certificate (cert);
351 mock_module_add_assertion (cert,
352 peer ? CKT_X_PINNED_CERTIFICATE : CKT_X_ANCHORED_CERTIFICATE,
353 GCR_PURPOSE_SERVER_AUTH, peer);
354 g_object_unref (cert);
361 fetch_callback_result (GObject *object,
365 Test *test = user_data;
366 g_assert (!test->result);
367 test->result = g_object_ref (res);
368 g_main_loop_quit (test->loop);
372 ensure_certificate_proxy (Test *test)
374 GError *error = NULL;
375 GQuark features[] = { TP_TLS_CERTIFICATE_FEATURE_CORE, 0 };
380 /* Create and prepare a certificate */
381 /* We don't use tp_tls_certificate_new() as we don't pass a parent */
382 test->cert = g_object_new (TP_TYPE_TLS_CERTIFICATE,
383 "dbus-daemon", test->dbus,
384 "bus-name", test->dbus_name,
385 "object-path", MOCK_TLS_CERTIFICATE_PATH,
388 tp_proxy_prepare_async (test->cert, features, fetch_callback_result, test);
389 g_main_loop_run (test->loop);
390 tp_proxy_prepare_finish (test->cert, test->result, &error);
391 g_assert_no_error (error);
393 /* Clear for any future async stuff */
394 g_object_unref (test->result);
398 /* A simple test to make sure the test infrastructure is working */
400 test_certificate_mock_basics (Test *test,
401 gconstpointer data G_GNUC_UNUSED)
403 GError *error = NULL;
405 test->mock = mock_tls_certificate_new_and_register (test->dbus,
406 "server-cert.cer", NULL);
408 ensure_certificate_proxy (test);
410 tp_tls_certificate_accept_async (test->cert, fetch_callback_result, test);
411 g_main_loop_run (test->loop);
412 tp_tls_certificate_accept_finish (test->cert, test->result, &error);
413 g_assert_no_error (error);
415 g_assert (test->mock->state == TP_TLS_CERTIFICATE_STATE_ACCEPTED);
419 test_certificate_verify_success_with_pkcs11_lookup (Test *test,
420 gconstpointer data G_GNUC_UNUSED)
422 TpTLSCertificateRejectReason reason = 0;
423 GError *error = NULL;
424 EmpathyTLSVerifier *verifier;
425 const gchar *reference_identities[] = {
426 "test-server.empathy.gnome.org",
431 * In this test the mock TLS connection only has one certificate
432 * not a full certificat echain. The root anchor certificate is
433 * retrieved from PKCS#11 storage.
436 test->mock = mock_tls_certificate_new_and_register (test->dbus,
437 "server-cert.cer", NULL);
439 /* We add the collabora directory with the collabora root */
440 add_certificate_to_mock (test, "certificate-authority.cer", NULL);
442 ensure_certificate_proxy (test);
444 verifier = empathy_tls_verifier_new (test->cert, "test-server.empathy.gnome.org",
445 reference_identities);
446 empathy_tls_verifier_verify_async (verifier, fetch_callback_result, test);
447 g_main_loop_run (test->loop);
449 empathy_tls_verifier_verify_finish (verifier, test->result, &reason,
451 g_assert_no_error (error);
453 /* Yay the verification was a success! */
455 g_clear_error (&error);
456 g_object_unref (verifier);
460 test_certificate_verify_success_with_full_chain (Test *test,
461 gconstpointer data G_GNUC_UNUSED)
463 TpTLSCertificateRejectReason reason = 0;
464 GError *error = NULL;
465 EmpathyTLSVerifier *verifier;
466 const gchar *reference_identities[] = {
467 "test-server.empathy.gnome.org",
472 * In this test the mock TLS connection has a full certificate
473 * chain. We look for an anchor certificate in the chain.
476 test->mock = mock_tls_certificate_new_and_register (test->dbus,
477 "server-cert.cer", "certificate-authority.cer", NULL);
479 /* We add the collabora directory with the collabora root */
480 add_certificate_to_mock (test, "certificate-authority.cer", NULL);
482 ensure_certificate_proxy (test);
484 verifier = empathy_tls_verifier_new (test->cert, "test-server.empathy.gnome.org",
485 reference_identities);
486 empathy_tls_verifier_verify_async (verifier, fetch_callback_result, test);
487 g_main_loop_run (test->loop);
488 empathy_tls_verifier_verify_finish (verifier, test->result, &reason,
490 g_assert_no_error (error);
492 /* Yay the verification was a success! */
494 g_clear_error (&error);
495 g_object_unref (verifier);
499 test_certificate_verify_root_not_found (Test *test,
500 gconstpointer data G_GNUC_UNUSED)
502 TpTLSCertificateRejectReason reason = 0;
503 GError *error = NULL;
504 EmpathyTLSVerifier *verifier;
505 const gchar *reference_identities[] = {
506 "test-server.empathy.gnome.org",
510 test->mock = mock_tls_certificate_new_and_register (test->dbus,
511 "server-cert.cer", NULL);
513 /* Note that we're not adding any place to find root certs */
515 ensure_certificate_proxy (test);
517 verifier = empathy_tls_verifier_new (test->cert, "test-server.empathy.gnome.org",
518 reference_identities);
519 empathy_tls_verifier_verify_async (verifier, fetch_callback_result, test);
520 g_main_loop_run (test->loop);
522 empathy_tls_verifier_verify_finish (verifier, test->result, &reason,
525 /* And it should say we're self-signed (oddly enough) */
526 g_assert_error (error, G_IO_ERROR,
527 TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED);
529 g_clear_error (&error);
530 g_object_unref (verifier);
534 test_certificate_verify_root_not_anchored (Test *test,
535 gconstpointer data G_GNUC_UNUSED)
537 TpTLSCertificateRejectReason reason = 0;
538 GError *error = NULL;
539 EmpathyTLSVerifier *verifier;
540 const gchar *reference_identities[] = {
541 "test-server.empathy.gnome.org",
545 test->mock = mock_tls_certificate_new_and_register (test->dbus,
546 "server-cert.cer", "certificate-authority.cer", NULL);
548 /* Note that we're not adding any place to find root certs */
550 ensure_certificate_proxy (test);
552 verifier = empathy_tls_verifier_new (test->cert, "test-server.empathy.gnome.org",
553 reference_identities);
554 empathy_tls_verifier_verify_async (verifier, fetch_callback_result, test);
555 g_main_loop_run (test->loop);
557 empathy_tls_verifier_verify_finish (verifier, test->result, &reason,
560 /* And it should say we're self-signed (oddly enough) */
561 g_assert_error (error, G_IO_ERROR,
562 TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED);
564 g_clear_error (&error);
565 g_object_unref (verifier);
569 test_certificate_verify_identities_invalid (Test *test,
570 gconstpointer data G_GNUC_UNUSED)
572 TpTLSCertificateRejectReason reason = 0;
573 GError *error = NULL;
574 EmpathyTLSVerifier *verifier;
575 const gchar *reference_identities[] = {
580 test->mock = mock_tls_certificate_new_and_register (test->dbus,
581 "server-cert.cer", "certificate-authority.cer", NULL);
583 /* We add the collabora directory with the collabora root */
584 add_certificate_to_mock (test, "certificate-authority.cer", NULL);
586 ensure_certificate_proxy (test);
588 verifier = empathy_tls_verifier_new (test->cert, "invalid.host.name",
589 reference_identities);
590 empathy_tls_verifier_verify_async (verifier, fetch_callback_result, test);
591 g_main_loop_run (test->loop);
593 empathy_tls_verifier_verify_finish (verifier, test->result, &reason,
596 /* And it should say we're self-signed (oddly enough) */
597 g_assert_error (error, G_IO_ERROR,
598 TP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH);
600 g_clear_error (&error);
601 g_object_unref (verifier);
605 test_certificate_verify_uses_reference_identities (Test *test,
606 gconstpointer data G_GNUC_UNUSED)
608 TpTLSCertificateRejectReason reason = 0;
609 GError *error = NULL;
610 EmpathyTLSVerifier *verifier;
611 const gchar *reference_identities[] = {
616 test->mock = mock_tls_certificate_new_and_register (test->dbus,
617 "server-cert.cer", "certificate-authority.cer", NULL);
619 /* We add the collabora directory with the collabora root */
620 add_certificate_to_mock (test, "certificate-authority.cer", NULL);
622 ensure_certificate_proxy (test);
624 /* Should be using the reference_identities and not host name for checks */
625 verifier = empathy_tls_verifier_new (test->cert, "test-server.empathy.gnome.org",
626 reference_identities);
627 empathy_tls_verifier_verify_async (verifier, fetch_callback_result, test);
628 g_main_loop_run (test->loop);
630 empathy_tls_verifier_verify_finish (verifier, test->result, &reason,
633 /* And it should say we're self-signed (oddly enough) */
634 g_assert_error (error, G_IO_ERROR,
635 TP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH);
637 g_clear_error (&error);
638 g_object_unref (verifier);
642 test_certificate_verify_success_with_pinned (Test *test,
643 gconstpointer data G_GNUC_UNUSED)
645 TpTLSCertificateRejectReason reason = 0;
646 GError *error = NULL;
647 EmpathyTLSVerifier *verifier;
648 const gchar *reference_identities[] = {
649 "test-server.empathy.gnome.org",
654 * In this test the mock TLS connection has a full certificate
655 * chain. We look for an anchor certificate in the chain.
658 test->mock = mock_tls_certificate_new_and_register (test->dbus,
659 "server-cert.cer", NULL);
661 /* We add the collabora directory with the collabora root */
662 add_certificate_to_mock (test, "server-cert.cer", "test-server.empathy.gnome.org");
664 ensure_certificate_proxy (test);
666 verifier = empathy_tls_verifier_new (test->cert, "test-server.empathy.gnome.org",
667 reference_identities);
668 empathy_tls_verifier_verify_async (verifier, fetch_callback_result, test);
669 g_main_loop_run (test->loop);
670 empathy_tls_verifier_verify_finish (verifier, test->result, &reason,
672 g_assert_no_error (error);
674 /* Yay the verification was a success! */
676 g_clear_error (&error);
677 g_object_unref (verifier);
681 test_certificate_verify_pinned_wrong_host (Test *test,
682 gconstpointer data G_GNUC_UNUSED)
684 TpTLSCertificateRejectReason reason = 0;
685 GError *error = NULL;
686 EmpathyTLSVerifier *verifier;
687 const gchar *reference_identities[] = {
688 "test-server.empathy.gnome.org",
692 test->mock = mock_tls_certificate_new_and_register (test->dbus,
693 "server-cert.cer", NULL);
695 /* Note that we're not adding any place to find root certs */
697 ensure_certificate_proxy (test);
699 verifier = empathy_tls_verifier_new (test->cert, "another.gnome.org",
700 reference_identities);
701 empathy_tls_verifier_verify_async (verifier, fetch_callback_result, test);
702 g_main_loop_run (test->loop);
704 empathy_tls_verifier_verify_finish (verifier, test->result, &reason,
707 /* And it should say we're self-signed */
708 g_assert_error (error, G_IO_ERROR,
709 TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED);
711 g_clear_error (&error);
712 g_object_unref (verifier);
721 test_init (argc, argv);
722 gnutls_global_init ();
724 g_test_add ("/tls/certificate_basics", Test, NULL,
725 setup, test_certificate_mock_basics, teardown);
726 g_test_add ("/tls/certificate_verify_success_with_pkcs11_lookup", Test, NULL,
727 setup, test_certificate_verify_success_with_pkcs11_lookup, teardown);
728 g_test_add ("/tls/certificate_verify_success_with_full_chain", Test, NULL,
729 setup, test_certificate_verify_success_with_full_chain, teardown);
730 g_test_add ("/tls/certificate_verify_root_not_found", Test, NULL,
731 setup, test_certificate_verify_root_not_found, teardown);
732 g_test_add ("/tls/certificate_verify_root_not_anchored", Test, NULL,
733 setup, test_certificate_verify_root_not_anchored, teardown);
734 g_test_add ("/tls/certificate_verify_identities_invalid", Test, NULL,
735 setup, test_certificate_verify_identities_invalid, teardown);
736 g_test_add ("/tls/certificate_verify_uses_reference_identities", Test, NULL,
737 setup, test_certificate_verify_uses_reference_identities, teardown);
738 g_test_add ("/tls/certificate_verify_success_with_pinned", Test, NULL,
739 setup, test_certificate_verify_success_with_pinned, teardown);
740 g_test_add ("/tls/certificate_verify_pinned_wrong_host", Test, NULL,
741 setup, test_certificate_verify_pinned_wrong_host, teardown);
743 result = g_test_run ();
projects / empathy.git / blob