2 * Copyright 2017 Facebook, Inc.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
#include <folly/ssl/OpenSSLCertUtils.h>

#include <limits>
#include <stdexcept>
#include <string>

#include <folly/Range.h>
#include <folly/String.h>
#include <folly/portability/GTest.h>
#include <folly/portability/OpenSSL.h>
#include <folly/ssl/OpenSSLPtrTypes.h>
// Test translation unit: pull the folly and GTest namespaces into scope so
// the helpers and TEST bodies below can stay short.
using namespace folly;
using namespace testing;
// Path of the PEM test certificate that carries a CN but no subjectAltName
// extension. The path is relative, so it is resolved against the working
// directory of the test process when readCertFromFile() opens it.
const char* kTestCertWithoutSan = "folly/io/async/test/certs/tests-cert.pem";
31 // -----BEGIN EC PRIVATE KEY-----
32 // MHcCAQEEIBskFwVZ9miFN+SKCFZPe9WEuFGmP+fsecLUnsTN6bOcoAoGCCqGSM49
33 // AwEHoUQDQgAE7/f4YYOYunAM/VkmjDYDg3AWUgyyTIraWmmQZsnu0bYNV/lLLfNz
34 // CtHggxGSwEtEe40nNb9C8wQmHUvb7VBBlw==
35 // -----END EC PRIVATE KEY-----
// PEM-encoded test certificate with two DNS subjectAltName entries
// (anotherexample.com and *.thirdexample.com); the matching EC private key
// is in the comment above. The raw string is indented for readability and
// stripLeftMargin() removes that common indentation before the text is
// handed to the PEM parser.
const std::string kTestCertWithSan = stripLeftMargin(R"(
    -----BEGIN CERTIFICATE-----
    MIIDXDCCAkSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBQMQswCQYDVQQGEwJVUzEL
    MAkGA1UECAwCQ0ExDTALBgNVBAoMBEFzb3gxJTAjBgNVBAMMHEFzb3ggQ2VydGlm
    aWNhdGlvbiBBdXRob3JpdHkwHhcNMTcwMjEzMjMyMTAzWhcNNDQwNzAxMjMyMTAz
    WjAwMQswCQYDVQQGEwJVUzENMAsGA1UECgwEQXNveDESMBAGA1UEAwwJMTI3LjAu
    MC4xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7/f4YYOYunAM/VkmjDYDg3AW
    UgyyTIraWmmQZsnu0bYNV/lLLfNzCtHggxGSwEtEe40nNb9C8wQmHUvb7VBBl6OC
    ASowggEmMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh
    dGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRx1kmdZEfXHmWLHpSDI0Lh8hmfwzAf
    BgNVHSMEGDAWgBQX3ykJKb97nxp/6UZJyDvts7noezAxBgNVHREEKjAoghJhbm90
    aGVyZXhhbXBsZS5jb22CEioudGhpcmRleGFtcGxlLmNvbTB4BggrBgEFBQcBAQRs
    MGowaAYIKwYBBQUHMAKGXGh0dHBzOi8vcGhhYnJpY2F0b3IuZmIuY29tL2RpZmZ1
    c2lvbi9GQkNPREUvYnJvd3NlL21hc3Rlci90aS90ZXN0X2NlcnRzL2NhX2NlcnQu
    cGVtP3ZpZXc9cmF3MA0GCSqGSIb3DQEBCwUAA4IBAQCj3FLjLMLudaFDiYo9pAPQ
    NBYNpG27aajQCvnEsYaMAGnNBxUUhv/E4xpnJEhatiCJWlPgGebdjXkpXYkLxnFj
    38UmpfZbNcvPPKxXmjIlkpYeFwcHTAUpFmMXVHdr8FjkDSN+qWHLllMFNAAqp0U6
    4VWjDlq9xCjzNw+8fdcEpwylpPrbNyQHqSO1k+DhM2qPuQfiWPmHe2PbJv8JB3no
    HWGi9SNe0FjtJM3066L0Gj8g/bFDo/pnyKguQyGkS7PaepK5/u5Y2fMMBO/m4+U0
    b9Yb0TvatsqL688CoZcSn73A0yAjptwbD/4HmcVlG2j/y8eTVpXisugu6Xz+QQGu
    -----END CERTIFICATE-----
)");
// Reads the first PEM certificate from `filename` through a file BIO.
//
// Throws std::runtime_error when the BIO cannot be allocated or the file
// cannot be opened. A PEM parse failure is not reported as an exception:
// PEM_read_bio_X509() returns NULL in that case, so the returned owning
// pointer is null and callers are expected to check it.
static folly::ssl::X509UniquePtr readCertFromFile(const std::string& filename) {
  folly::ssl::BioUniquePtr fileBio(BIO_new(BIO_s_file()));
  if (fileBio == nullptr) {
    throw std::runtime_error("Couldn't create BIO");
  }
  if (BIO_read_filename(fileBio.get(), filename.c_str()) != 1) {
    throw std::runtime_error("Couldn't read cert file: " + filename);
  }
  X509* cert = PEM_read_bio_X509(fileBio.get(), nullptr, nullptr, nullptr);
  return folly::ssl::X509UniquePtr(cert);
}
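// Parses the first PEM certificate found in the in-memory buffer `data`.
//
// BIO_new_mem_buf() takes the buffer length as an int, so a buffer larger
// than INT_MAX would be silently truncated by the implicit conversion; such
// input is rejected up front instead. Throws std::runtime_error when the
// length is out of range or the BIO cannot be allocated. A PEM parse
// failure is not reported as an exception: PEM_read_bio_X509() returns
// NULL in that case, so the returned owning pointer is null and callers
// are expected to check it.
static folly::ssl::X509UniquePtr readCertFromData(
    const folly::StringPiece data) {
  if (data.size() > static_cast<size_t>(std::numeric_limits<int>::max())) {
    throw std::runtime_error("Cert data too large for BIO_new_mem_buf");
  }
  folly::ssl::BioUniquePtr bio(
      BIO_new_mem_buf(data.data(), static_cast<int>(data.size())));
  if (!bio) {
    throw std::runtime_error("Couldn't create BIO");
  }
  return folly::ssl::X509UniquePtr(
      PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
}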
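// Certificate without a subjectAltName extension: the common name is the
// only identity it carries and the SAN list must come back empty.
TEST(OpenSSLCertUtilsTest, TestX509CN) {
  OpenSSL_add_all_algorithms();

  auto x509 = readCertFromFile(kTestCertWithoutSan);
  // ASSERT rather than EXPECT: the lines below dereference x509, and a
  // failed EXPECT would continue straight into a null-pointer dereference.
  ASSERT_NE(x509, nullptr);
  auto identity = folly::ssl::OpenSSLCertUtils::getCommonName(*x509);
  ASSERT_TRUE(identity.hasValue());
  EXPECT_EQ(identity.value(), "Asox Company");
  auto sans = folly::ssl::OpenSSLCertUtils::getSubjectAltNames(*x509);
  // Unsigned literal: size() is unsigned, avoids a sign-compare warning.
  EXPECT_EQ(sans.size(), 0u);
}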
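// Certificate with two DNS subjectAltName entries: both the CN and the SAN
// list (in certificate order) must be extracted.
TEST(OpenSSLCertUtilsTest, TestX509Sans) {
  OpenSSL_add_all_algorithms();

  auto x509 = readCertFromData(kTestCertWithSan);
  // ASSERT rather than EXPECT: the lines below dereference x509.
  ASSERT_NE(x509, nullptr);
  auto identity = folly::ssl::OpenSSLCertUtils::getCommonName(*x509);
  ASSERT_TRUE(identity.hasValue());
  EXPECT_EQ(identity.value(), "127.0.0.1");
  auto altNames = folly::ssl::OpenSSLCertUtils::getSubjectAltNames(*x509);
  // ASSERT: the element accesses below are out of bounds if the count is
  // wrong, so the test must stop here rather than continue.
  ASSERT_EQ(altNames.size(), 2u);
  EXPECT_EQ(altNames[0], "anotherexample.com");
  EXPECT_EQ(altNames[1], "*.thirdexample.com");
}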
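// Issuer and subject are rendered as one-line RFC 2253-style strings with
// ", " between RDNs.
TEST(OpenSSLCertUtilsTest, TestX509IssuerAndSubject) {
  OpenSSL_add_all_algorithms();

  auto x509 = readCertFromData(kTestCertWithSan);
  // ASSERT rather than EXPECT: the lines below dereference x509.
  ASSERT_NE(x509, nullptr);
  auto issuer = folly::ssl::OpenSSLCertUtils::getIssuer(*x509);
  ASSERT_TRUE(issuer.hasValue());
  EXPECT_EQ(
      issuer.value(),
      "C = US, ST = CA, O = Asox, CN = Asox Certification Authority");
  auto subj = folly::ssl::OpenSSLCertUtils::getSubject(*x509);
  ASSERT_TRUE(subj.hasValue());
  EXPECT_EQ(subj.value(), "C = US, O = Asox, CN = 127.0.0.1");
}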
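// Validity bounds come back in OpenSSL's ASN1_TIME_print() text form.
TEST(OpenSSLCertUtilsTest, TestX509Dates) {
  OpenSSL_add_all_algorithms();

  auto x509 = readCertFromData(kTestCertWithSan);
  // ASSERT rather than EXPECT: the lines below dereference x509.
  ASSERT_NE(x509, nullptr);
  auto notBefore = folly::ssl::OpenSSLCertUtils::getNotBeforeTime(*x509);
  EXPECT_EQ(notBefore, "Feb 13 23:21:03 2017 GMT");
  auto notAfter = folly::ssl::OpenSSLCertUtils::getNotAfterTime(*x509);
  // ASN1_TIME_print() right-aligns the day of month in a two-character
  // field, so a single-digit day is preceded by two spaces ("Jul  1").
  EXPECT_EQ(notAfter, "Jul  1 23:21:03 2044 GMT");
}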
130 TEST(OpenSSLCertUtilsTest, TestX509Summary) {
131 OpenSSL_add_all_algorithms();
133 auto x509 = readCertFromData(kTestCertWithSan);
134 EXPECT_NE(x509, nullptr);
135 auto summary = folly::ssl::OpenSSLCertUtils::toString(*x509);
138 " Version: 3 (0x2)\n Serial Number: 2 (0x2)\n"
139 " Issuer: C = US, ST = CA, O = Asox, CN = Asox Certification Authority\n"
140 " Validity\n Not Before: Feb 13 23:21:03 2017 GMT\n"
141 " Not After : Jul 1 23:21:03 2044 GMT\n"
142 " Subject: C = US, O = Asox, CN = 127.0.0.1\n"
143 " X509v3 extensions:\n"
144 " X509v3 Basic Constraints: \n"
146 " Netscape Comment: \n"
147 " OpenSSL Generated Certificate\n"
148 " X509v3 Subject Key Identifier: \n"
149 " 71:D6:49:9D:64:47:D7:1E:65:8B:1E:94:83:23:42:E1:F2:19:9F:C3\n"
150 " X509v3 Authority Key Identifier: \n"
151 " keyid:17:DF:29:09:29:BF:7B:9F:1A:7F:E9:46:49:C8:3B:ED:B3:B9:E8:7B\n\n"
152 " X509v3 Subject Alternative Name: \n"
153 " DNS:anotherexample.com, DNS:*.thirdexample.com\n"
154 " Authority Information Access: \n"
155 " CA Issuers - URI:https://phabricator.fb.com/diffusion/FBCODE/browse/master/ti/test_certs/ca_cert.pem?view=raw\n\n");