forked from petabridge/TurboMqtt
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Add TLS end to end unit test * Make TLS spec inherit TCP spec
- Loading branch information
Showing
18 changed files
with
451 additions
and
113 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
137 changes: 137 additions & 0 deletions
137
tests/TurboMqtt.Tests/End2End/MQTT_311/TlsMqtt311End2EndSpecs.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,137 @@ | ||
// ----------------------------------------------------------------------- | ||
// <copyright file="TlsMqtt311End2EndSpecs.cs" company="Petabridge, LLC"> | ||
// Copyright (C) 2024 - 2024 Petabridge, LLC <https://petabridge.com> | ||
// </copyright> | ||
// ----------------------------------------------------------------------- | ||
|
||
using System.Net.Security; | ||
using System.Security.Cryptography.X509Certificates; | ||
using Akka.Event; | ||
using TurboMqtt.Client; | ||
using TurboMqtt.IO.Tcp; | ||
using Xunit.Abstractions; | ||
|
||
namespace TurboMqtt.Tests.End2End; | ||
|
||
[Collection(nameof(TcpEnd2EndCollection))] | ||
public class TlsMqtt311End2EndSpecs : TcpMqtt311End2EndSpecs | ||
{ | ||
// This is a workaround for this issue: | ||
// https://github.com/dotnet/runtime/issues/23749 | ||
private static readonly X509Certificate2 RootCert = new ( | ||
X509Certificate2.CreateFromEncryptedPemFile("./certs/root_cert.pem", "password") | ||
.Export(X509ContentType.Pkcs12)); | ||
|
||
private static readonly X509ChainPolicy RootChainPolicy = new() | ||
{ | ||
CustomTrustStore = { RootCert }, | ||
TrustMode = X509ChainTrustMode.CustomRootTrust, | ||
RevocationMode = X509RevocationMode.NoCheck | ||
}; | ||
|
||
private static readonly X509Chain RootChain = new () | ||
{ | ||
ChainPolicy = RootChainPolicy | ||
}; | ||
|
||
public TlsMqtt311End2EndSpecs(ITestOutputHelper output) : base(output) | ||
{ | ||
} | ||
|
||
// This is a workaround for this issue: | ||
// https://github.com/dotnet/runtime/issues/23749 | ||
private static readonly X509Certificate2 ServerCert = new X509Certificate2( | ||
X509Certificate2.CreateFromEncryptedPemFile("./certs/server_cert.pem", "password") | ||
.Export(X509ContentType.Pkcs12)); | ||
|
||
protected override MqttTcpServerOptions DefaultTcpServerOptions => new ("localhost", 21883) | ||
{ | ||
SslOptions = new SslServerAuthenticationOptions | ||
{ | ||
ServerCertificate = ServerCert, | ||
ClientCertificateRequired = false, | ||
RemoteCertificateValidationCallback = ValidateClientCertificate | ||
} | ||
}; | ||
|
||
private bool ValidateClientCertificate( | ||
object sender, | ||
X509Certificate? certificate, | ||
X509Chain? chain, | ||
SslPolicyErrors sslPolicyErrors) | ||
{ | ||
if (sslPolicyErrors == SslPolicyErrors.None) | ||
return true; | ||
|
||
// Return true if client certificate is not required | ||
if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateNotAvailable) | ||
return true; | ||
|
||
// Validate client certificate with a custom chain | ||
if (certificate is not null) | ||
{ | ||
var isValid = RootChain.Build(new X509Certificate2(certificate)); | ||
if (!isValid) | ||
{ | ||
foreach (var status in RootChain.ChainStatus) | ||
{ | ||
Log.Error("[Server] Chain error: {0}", status.StatusInformation); | ||
} | ||
} | ||
|
||
return isValid; | ||
} | ||
|
||
// Refuse everything else | ||
Log.Error("[Server] Certificate error: {0}", sslPolicyErrors); | ||
return false; | ||
} | ||
|
||
private bool ValidateServerCertificate( | ||
object sender, | ||
X509Certificate? certificate, | ||
X509Chain? chain, | ||
SslPolicyErrors errors) | ||
{ | ||
if (errors == SslPolicyErrors.None) | ||
return true; | ||
|
||
// Missing cert or the destination hostname wasn't valid for the cert. | ||
if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0) | ||
return false; | ||
|
||
// Validate client certificate with a custom chain | ||
if (certificate is not null) | ||
{ | ||
chain ??= RootChain; | ||
var isValid = chain.Build(new X509Certificate2(certificate)); | ||
if (!isValid) | ||
{ | ||
foreach (var status in chain.ChainStatus) | ||
{ | ||
Log.Error("[Client] Chain error: [{0}] {1}", status.Status, status.StatusInformation); | ||
} | ||
} | ||
|
||
return isValid; | ||
} | ||
|
||
// Refuse everything else | ||
Log.Error("[Client] Certificate error: {0}", errors); | ||
return false; | ||
} | ||
|
||
protected override MqttClientTcpOptions DefaultTcpOptions => new("localhost", 21883) | ||
{ | ||
TlsOptions = new ClientTlsOptions | ||
{ | ||
UseTls = true, | ||
SslOptions = new SslClientAuthenticationOptions | ||
{ | ||
TargetHost = "localhost", | ||
CertificateChainPolicy = RootChainPolicy, | ||
RemoteCertificateValidationCallback = ValidateServerCertificate | ||
} | ||
} | ||
}; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
# Generating Test Certificates | ||
|
||
* Use WSL to access OpenSSL (the keys in this folder was generated using Ubuntu) | ||
* All private key files uses the password "password" | ||
|
||
## 1. Generate Root CA | ||
|
||
``` | ||
openssl req -x509 -new -nodes -key root_private_key.pem -sha256 -days 3650 -out root_cert.pem -config root_cert_config.cnf | ||
``` | ||
|
||
* This will generate the **"root_cert.pem"** that is valid for 10 years. | ||
* Open the **"root_private_key.pem"** and copy-paste its content to the end of the **"root_cert.pem"** file. | ||
|
||
## 2. Generate CSR | ||
|
||
``` | ||
openssl req -new -key server_private_key.pem -out server.csr -config server_cert_config.cnf | ||
``` | ||
|
||
* This generates the **"server.csr"** file. | ||
|
||
## 3. Generate The Server Certificate | ||
|
||
``` | ||
openssl x509 -req -in server.csr -CA root_cert.pem -CAkey root_private_key.pem -CAcreateserial -out server_cert.pem -days 365 -sha256 -extfile v3_ext.cnf | ||
``` | ||
|
||
* This generates the **"server_cert.pem"** file. | ||
* Open the **"server_private_key.pem"** and copy-paste its content to the end of the **"server_cert.pem"** file. |
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.