Added unit test for getCertificateWithSNI

grpc · Jun 30, 2020 · d2cc061 · d2cc061
2 parents b76410b + 3519dc6
commit d2cc061
Show file tree

Hide file tree

Showing 3 changed files with 152 additions and 0 deletions.
diff --git a/security/advancedtls/advancedtls_test.go b/security/advancedtls/advancedtls_test.go
@@ -623,3 +623,105 @@ func TestWrapSyscallConn(t *testing.T) {
 			wrapConn)
 	}
 }
+
+const (
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012
+)
+
+const (
+	CurveP256 tls.CurveID = 23
+)
+
+const (
+	pointFormatUncompressed uint8 = 0
+)
+
+const (
+	VersionTLS10 uint16 = 0x0301
+)
+
+func TestGetCertificateSNI(t *testing.T) {
+	serverPeerCert1, err := tls.LoadX509KeyPair(testdata.Path("server_cert_1.pem"),
+		testdata.Path("server_key_1.pem"))
+	if err != nil {
+		t.Fatalf("Server is unable to parse peer certificates. Error: %v", err)
+	}
+	serverPeerCert2, err := tls.LoadX509KeyPair(testdata.Path("server_cert_2.pem"),
+		testdata.Path("server_key_2.pem"))
+	if err != nil {
+		t.Fatalf("Server is unable to parse peer certificates. Error: %v", err)
+	}
+	serverPeerCert3, err := tls.LoadX509KeyPair(testdata.Path("server_cert_3.pem"),
+		testdata.Path("server_key_3.pem"))
+	if err != nil {
+		t.Fatalf("Server is unable to parse peer certificates. Error: %v", err)
+	}
+	tests := []struct {
+		desc          string
+		serverGetCert func(*tls.ClientHelloInfo) ([]*tls.Certificate, error)
+	}{
+		{
+			desc: "Select the certificate that matches the server name provided in clientHello",
+			serverGetCert: func(info *tls.ClientHelloInfo) ([]*tls.Certificate, error) {
+				return []*tls.Certificate{&serverPeerCert1, &serverPeerCert2, &serverPeerCert3}, nil
+			},
+		},
+	}
+	for _, test := range tests {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			serverOptions := &ServerOptions{
+				GetCertificate: test.serverGetCert,
+			}
+			serverConfig, err := serverOptions.config()
+			if err != nil {
+				t.Fatalf("Unable to generate serverConfig. Error: %v", err)
+			}
+			// "foo.bar.com" is the common name on server certificate server_cert_1.pem.
+			clientHello1 := &tls.ClientHelloInfo{
+				CipherSuites:      []uint16{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA},
+				ServerName:        "foo.bar.com",
+				SupportedCurves:   []tls.CurveID{CurveP256},
+				SupportedPoints:   []uint8{pointFormatUncompressed},
+				SupportedVersions: []uint16{VersionTLS10},
+			}
+			got1, err := serverConfig.GetCertificate(clientHello1)
+			if err != nil {
+				t.Fatalf("Server is unable to parse peer certificates. Error: %v", err)
+			}
+			if !reflect.DeepEqual(*got1, serverPeerCert1) {
+				t.Errorf("GetCertificate() = %v, want %v", got1, serverPeerCert1)
+			}
+			// "foo.bar.server2.com" is the common name on server certificate server_cert_2.pem.
+			clientHello2 := &tls.ClientHelloInfo{
+				CipherSuites:      []uint16{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA},
+				ServerName:        "foo.bar.server2.com",
+				SupportedCurves:   []tls.CurveID{CurveP256},
+				SupportedPoints:   []uint8{pointFormatUncompressed},
+				SupportedVersions: []uint16{VersionTLS10},
+			}
+			got2, err := serverConfig.GetCertificate(clientHello2)
+			if err != nil {
+				t.Fatalf("Server is unable to parse peer certificates. Error: %v", err)
+			}
+			if !reflect.DeepEqual(*got2, serverPeerCert2) {
+				t.Errorf("GetCertificate() = %v, want %v", got2, serverPeerCert2)
+			}
+			// "localhost" is the common name on server certificate server_cert_3.pem.
+			clientHello3 := &tls.ClientHelloInfo{
+				CipherSuites:      []uint16{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA},
+				ServerName:        "localhost",
+				SupportedCurves:   []tls.CurveID{CurveP256},
+				SupportedPoints:   []uint8{pointFormatUncompressed},
+				SupportedVersions: []uint16{VersionTLS10},
+			}
+			got3, err := serverConfig.GetCertificate(clientHello3)
+			if err != nil {
+				t.Fatalf("Server is unable to parse peer certificates. Error: %v", err)
+			}
+			if !reflect.DeepEqual(*got3, serverPeerCert3) {
+				t.Errorf("GetCertificate() = %v, want %v", got3, serverPeerCert3)
+			}
+		})
+	}
+}
diff --git a/security/advancedtls/testdata/server_cert_3.pem b/security/advancedtls/testdata/server_cert_3.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjzCCAncCFHFDpmSYUQBXce6Fz6xsA1+t00l7MA0GCSqGSIb3DQEBCwUAMIGD
+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCFNhbiBKb3NlMQ8w
+DQYDVQQKDAZHb29nbGUxCzAJBgNVBAsMAklUMRIwEAYDVQQDDAlsb2NhbGhvc3Qx
+IjAgBgkqhkiG9w0BCQEWE2NpbmR5eHVlQGdvb2dsZS5jb20wHhcNMjAwNjI5MDA0
+NDU2WhcNMjEwNjI5MDA0NDU2WjCBgzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
+MREwDwYDVQQHDAhTYW4gSm9zZTEPMA0GA1UECgwGR29vZ2xlMQswCQYDVQQLDAJJ
+VDESMBAGA1UEAwwJbG9jYWxob3N0MSIwIAYJKoZIhvcNAQkBFhNjaW5keXh1ZUBn
+b29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsFT6w0At
+sk90S5Scu+jvScOHlGyKQJxU8P0r6roLPVEDZtjMoozBJ318LQNIzX123kTRixii
+dIGeiGteb9AeY0rivbmU/UbaAtoobLVbd4M1BqhSZzgpu1IDvs3OIlU1//E2UQxc
+n9JxumyWrDfXu+i0qIRCiABKcUrnyfZ5pmY6M4KAtzMkOrVreUD0Egf6ateEYeok
+yE8UOOQfgIc5Ak97GIlMnE4fIuY3rIXcVkfFgG5vBH63Bhz2JnOT+3aPvM7Ft0wP
+eij515dlMpuusLcluDUZAAD1T5Zi36lA/X+1JAZiAa3zzU3rCjD2kWZ2C6OPN39t
+l5ghHerEwvloJwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBG3A0L3Wl7yymPOFiq
+rDCNdqb1NRNFVr3WkjJaVd6bTk+7L0MIT81aTydv8w3s5CJ07GA7EQzTT1w3KNld
+mJq7/xLBNRX1DWMLFTzwx+ig93WrwiQLscWRf26SPKzB8x5eVY/LNJaS3zObDcOv
+LULfgIyiTAOfFBoYbzpNVWUW7swD2aBB0f0Zk8ZfmuCvyKy9sxRK6oyV1ot64tFy
+YSUpJxSBcaeTt5HXLA7QgTpHMYOUttZCaVs1/4WcrOC9wh24r1mXlPvWWMp5dAZq
+aVz8ZXd00OLz6v8ag4QEq/wxTeLdf1U7kJkJ0cj9/nPMLXBERQ54hVvuj5ea3oOv
+FY7W
+-----END CERTIFICATE-----
diff --git a/security/advancedtls/testdata/server_key_3.pem b/security/advancedtls/testdata/server_key_3.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCwVPrDQC2yT3RL
+lJy76O9Jw4eUbIpAnFTw/Svqugs9UQNm2MyijMEnfXwtA0jNfXbeRNGLGKJ0gZ6I
+a15v0B5jSuK9uZT9RtoC2ihstVt3gzUGqFJnOCm7UgO+zc4iVTX/8TZRDFyf0nG6
+bJasN9e76LSohEKIAEpxSufJ9nmmZjozgoC3MyQ6tWt5QPQSB/pq14Rh6iTITxQ4
+5B+AhzkCT3sYiUycTh8i5jeshdxWR8WAbm8EfrcGHPYmc5P7do+8zsW3TA96KPnX
+l2Uym66wtyW4NRkAAPVPlmLfqUD9f7UkBmIBrfPNTesKMPaRZnYLo483f22XmCEd
+6sTC+WgnAgMBAAECggEBAKAaOKlpr1QUYmJxqDHR2Nqf541zU8BAcbtyFBsHG0ds
+NGuAc6Uvqf1iKYpxTfwObAx6bcwe7Ppd6oSxAEkDrWO4TdG4HDgvyakHTecOb+M+
+xbmqwU8pJnMHj5ECKqTvu50M9aV3VO5kVJDRIaly9rWOH+JWXFZB9VWSjozI90GG
+U11E5iSZI/ngUZL72eVqr5gOOD8lTaaLy8jHPnxOMpjZFAscPp1zy8y5DIf+Fgxc
+kPzbhckxX8cpk2ATcdRK/UWNi3e/cyMxfeJvst6NwCgmXmDmfkyXMbU8wcEzEWPT
+n4uf8gAaCR7fEJQa6Xo3s7q9WP86xnntaoer7V27KtkCgYEA5Y7uL2p2YcjrKfZ9
+6VMPmJyDTH6G08/zyOjFu1P4UYOIS6L5CeEdQj7rw2em313dZOtVQN/uhE7CzqS1
+0wpZ1Qbl1oVFd5On6r8Qz9Dhf+bRVbikPAtvwdETWpqHqXtYD++BIYpfyJXi2nnR
+6TrWBWl/QT/uDYEKlZNdRWm8qu0CgYEAxKSLN3wSoepxXxC5A5/vrtvXxdLRZpxT
+w5Tn4/Ihx8nB64XkrcdivsyLjVDmyseKVQvnk+/8Y5G5VT6bV1MweDJl4cNHqOMJ
+xubNm0dnbGITYyXxEknyGyNHO3l7DGPTF+iENln5GwYHVIHZci87rLyn22yDszYe
+Sg2p0p0yOOMCgYEAhMZA+efoBPMDIchSV2wVbz3Hq6zbKxPye1g3VfxhejRL1wOy
+a4ZrN+/QybrgB/3wmfiL3PQorxonDwKxsBkikFZnBccbwOgEjYBppum4JBRLK/uZ
+8qjiwQW+3f7XTK3s53quA8pXUFtxVNB1GyNOut6kHgduFx12E8Gihw17dJkCgYAJ
+Jsc729BaLLj9/Z8+pfDXqG+QS1Fnfxr+3S01lI0x6RfXSDHuTHsx+f78oqk7ArJT
+ZuxuHBsY3y1K5FECbWKyFVZcfWQWXgqUcSVcdqQ/jQjt8lQXz80uqiOkhvDNENBA
+KpgMl39aXJt2uVxPThdu4JDHS3ONoZUjSSOAI8S0lQKBgQC1llqqsrVR88XWwrCj
+BucenaOL0ej0ShBrY/mphRSXO8X20pn/sh7vAWrAltwGLjWkBalpmYLoRigPdZft
+CwlIPnmwNeEOW83eAgc6uToUdagUjolO7Dc+vDLBVXj6DulYfsEhwH/2Y66V2Kd5
+8TLhmj77CVDskX6lhRhYGS0FBA==
+-----END PRIVATE KEY-----