#include <folly/ssl/OpenSSLCertUtils.h>
-#include <openssl/bio.h>
-#include <openssl/evp.h>
-
+#include <folly/Format.h>
#include <folly/Range.h>
#include <folly/String.h>
-#include <folly/io/async/ssl/OpenSSLPtrTypes.h>
+#include <folly/container/Enumerate.h>
#include <folly/portability/GTest.h>
#include <folly/portability/OpenSSL.h>
+#include <folly/ssl/Init.h>
+#include <folly/ssl/OpenSSLPtrTypes.h>
using namespace testing;
using namespace folly;
-----END CERTIFICATE-----
)");
+const std::string kTestCertBundle = folly::stripLeftMargin(R"(
+ -----BEGIN CERTIFICATE-----
+ MIIDgzCCAmugAwIBAgIJAIkcS3PQcCm+MA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV
+ BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
+ Q29tcGFueSBMdGQxFDASBgNVBAMMC3Rlc3QgY2VydCAxMB4XDTE3MTAyMzIwNTcw
+ M1oXDTE4MTAyMzIwNTcwM1owWDELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1
+ bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEUMBIGA1UEAwwL
+ dGVzdCBjZXJ0IDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCplTzR
+ 6shdhVNbx5HFViiYDBjRYXCWiUeR0/0+XPkyI+DPIGAQ6Mre8WD03GPebYn7j3Lr
+ JwgV06BJNvVCLDy0SJbf6ToxGfKWSLEWOoip32nIpb9qxURtx44NUvhChP54hhKI
+ zAf8nNlS+qKUYbmixJHeUWO//8wNpsMKDkvtfVUZ6oVV3JPOOihJ+sQ0sIc5x+xk
+ 3eWfa0cNoZnxu4plQg2O4RlHOv8ruMW6BttpcqQ8I+Rxq+/YOhNQhX+6GZ1+Rs+f
+ ddWXYNH6tFxsLIEbgCqHhLGw7g+JRms9R+CxLCpjmhYhR2xgl6KQu/Racr2T/17z
+ 897VfY7X94PmamidAgMBAAGjUDBOMB0GA1UdDgQWBBRHQvRr2p3/83y1yXiiVnnS
+ zObpzTAfBgNVHSMEGDAWgBRHQvRr2p3/83y1yXiiVnnSzObpzTAMBgNVHRMEBTAD
+ AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAk61K1sjrS7rrLnGND1o1Q6D2ebgb1wcfU
+ WX+ZnhlkUxjSS1nHmaulMftpvzbgrOt7HWZKMXIpetnDSfksrGpw6QJ3VWFIJlH5
+ P4x8//pVeI5jQd4W7gIl65tZOc5cEH8aqnzkaGP8YBx6BI6N8px1gZVgePVu3ebR
+ eLdrWH2l4VishWOf6rO/ltQdTwRIqj08QNsWmSrRK2d7J/DGA6R9JkdyxeLdxqmB
+ 2BMwJ7IVR+bWuTzD9Zk5lZseIVFcIksxmQ8jJuZXUdN8WOT/65p9UnN+Cc6+Q7F4
+ rlVz+ytcdvaf5mDeqFILDK6btWcUP2Vr1EfRDt/QBrU6OjAVQD+U
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ MIIDgzCCAmugAwIBAgIJAPzrfjTkvHezMA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV
+ BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
+ Q29tcGFueSBMdGQxFDASBgNVBAMMC3Rlc3QgY2VydCAyMB4XDTE3MTAyMzIwNTcx
+ NloXDTE4MTAyMzIwNTcxNlowWDELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1
+ bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEUMBIGA1UEAwwL
+ dGVzdCBjZXJ0IDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzy9G/
+ NM7Llp+foYxug2Dqc3r9zWtb4PvbRqoz8W0ZRy0GkL3JtOfLWtlz+RCGa//mlGMA
+ HLa+Qg77nnjuhO/KCCgQS9fxHY+zcv1VBwzsKmKcju4BCscsTLPsy0SJCXBXSgnH
+ S4NMR/K+YozwdikEZRbU4VLJiw44CeJ1h74r2ElHYuOL0SpL8PSlv7kJu3/xWUiV
+ L2iWk+y8yKIpCRQ9I7+L0kuhylZAmVBTKtgbdcLfERqQNNWAT7D+p/6CwNmpT9ei
+ G2xJ0N4bt3w8kwcZ+IkGwei8Nadix+POe3WVU9K1VXVfoLZ9nNWKRnwIFP4Bsmld
+ rP4Uy2IZuhrKE4BPAgMBAAGjUDBOMB0GA1UdDgQWBBQkmeMfPQaax9wCZL16jSSG
+ XigBWjAfBgNVHSMEGDAWgBQkmeMfPQaax9wCZL16jSSGXigBWjAMBgNVHRMEBTAD
+ AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCXzqxYp1FqMS2M+opCSPezgPDBdE2S9g6d
+ HJHV5CLptGnu1vQIlyCXy/7X9b6Qq8UzuYyFacN/37tbNw6sGyTRfL8sEeFYfFoT
+ GvgSrRqSM47ZBYx5jW/Uslkc5qbq+v4zeGCq5611stQKsJYIudu0+PjJmgtNF6en
+ zTx8B6eS79GRN3/M7/kFLlxeZNCQpmKwvPp8P7JE4ZHUtuzQoKtjdt/etWpS76fV
+ Akx7VhCFg/lw80tmgSclq885hYRYc6DOKfUubWOacKVfmHwL4oDiSffBonI7MoH8
+ SJbzsCBpVd/tkDADZpxBQplGV7AaDBoNS0qvZHfH5x9R9R5lx9M+
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ MIIDgzCCAmugAwIBAgIJAOzqPJDDfSKDMA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV
+ BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
+ Q29tcGFueSBMdGQxFDASBgNVBAMMC3Rlc3QgY2VydCAzMB4XDTE3MTAyMzIwNTcy
+ NVoXDTE4MTAyMzIwNTcyNVowWDELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1
+ bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEUMBIGA1UEAwwL
+ dGVzdCBjZXJ0IDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWqU2b
+ eBzaOAja6od84hFfgvitOGrCYqLXMUXe0X7AlldzXV4zHaVyTKdEwDwvKDi5p9OF
+ uTxSZkZ0JSPHZeH2/rHXidNMWdtiy5x/5ra1u9ctN7jHeboIxmdpfxoGq7s6cRA5
+ oRh0bCNmw+Y7K+1RITmPloB7155RbrJYZR5MOFIaCnZV3j/icKjASTOg3ivXX4lx
+ BoHGMYF8rl+51FIJsuXvnBgF+GhadMVSWl4Qy6gLliml1MgujlmFg9/1y/xzdWZg
+ yyLI3tvw7fo/NN62u41VQBdCGdpvnVxU4ADu2/T0vhAS+Bh2CMK1OAAw61x1507S
+ f68mab9s8at49qefAgMBAAGjUDBOMB0GA1UdDgQWBBQnn76Swsnld6Q1weLgpo/S
+ tt0KeTAfBgNVHSMEGDAWgBQnn76Swsnld6Q1weLgpo/Stt0KeTAMBgNVHRMEBTAD
+ AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCB0XANIWyP7DYROh6MFQLqeylngd9iUGNe
+ BMT4pWu60p5ZX13kK/gbV/P2cayUkkWEMWpzKcIX70IkaB5y/OxVMXUXo94UupsM
+ b1T736wHA0TLeL7yDj9OnMYj/qa2r8pAyEObI84KoWRGMHH9UPSRbVMVrhg/agBA
+ LA6eZhwiGctkCy09kp+SFbUpv+SMyVp60UrPub6j68Hzd0FioGY01Os7nScuPNo0
+ rl2S+G36bcem8Z5MOkJ0LEFi6ctK9JdLcHkr1SVavo3fsYZaIZraJxFGcYUVyLT+
+ Rw7ydBokxHWsmVJczuRmEovXcTmgIphti234e7usKjw8M5mGwYfa
+ -----END CERTIFICATE-----
+)");
+
+class OpenSSLCertUtilsTest : public Test {
+ public:
+ void SetUp() override {
+ folly::ssl::init();
+ }
+};
+
static folly::ssl::X509UniquePtr readCertFromFile(const std::string& filename) {
folly::ssl::BioUniquePtr bio(BIO_new(BIO_s_file()));
if (!bio) {
PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
}
-TEST(OpenSSLCertUtilsTest, TestX509CN) {
- OpenSSL_add_all_algorithms();
-
+TEST_F(OpenSSLCertUtilsTest, TestX509CN) {
auto x509 = readCertFromFile(kTestCertWithoutSan);
EXPECT_NE(x509, nullptr);
auto identity = folly::ssl::OpenSSLCertUtils::getCommonName(*x509);
EXPECT_EQ(sans.size(), 0);
}
-TEST(OpenSSLCertUtilsTest, TestX509Sans) {
- OpenSSL_add_all_algorithms();
-
+TEST_F(OpenSSLCertUtilsTest, TestX509Sans) {
auto x509 = readCertFromData(kTestCertWithSan);
EXPECT_NE(x509, nullptr);
auto identity = folly::ssl::OpenSSLCertUtils::getCommonName(*x509);
EXPECT_EQ(altNames[0], "anotherexample.com");
EXPECT_EQ(altNames[1], "*.thirdexample.com");
}
+
+TEST_F(OpenSSLCertUtilsTest, TestX509IssuerAndSubject) {
+ auto x509 = readCertFromData(kTestCertWithSan);
+ EXPECT_NE(x509, nullptr);
+ auto issuer = folly::ssl::OpenSSLCertUtils::getIssuer(*x509);
+ EXPECT_EQ(
+ issuer.value(),
+ "C = US, ST = CA, O = Asox, CN = Asox Certification Authority");
+ auto subj = folly::ssl::OpenSSLCertUtils::getSubject(*x509);
+ EXPECT_EQ(subj.value(), "C = US, O = Asox, CN = 127.0.0.1");
+}
+
+TEST_F(OpenSSLCertUtilsTest, TestX509Dates) {
+ auto x509 = readCertFromData(kTestCertWithSan);
+ EXPECT_NE(x509, nullptr);
+ auto notBefore = folly::ssl::OpenSSLCertUtils::getNotBeforeTime(*x509);
+ EXPECT_EQ(notBefore, "Feb 13 23:21:03 2017 GMT");
+ auto notAfter = folly::ssl::OpenSSLCertUtils::getNotAfterTime(*x509);
+ EXPECT_EQ(notAfter, "Jul 1 23:21:03 2044 GMT");
+}
+
+TEST_F(OpenSSLCertUtilsTest, TestX509Summary) {
+ auto x509 = readCertFromData(kTestCertWithSan);
+ EXPECT_NE(x509, nullptr);
+ auto summary = folly::ssl::OpenSSLCertUtils::toString(*x509);
+ EXPECT_EQ(
+ summary.value(),
+ " Version: 3 (0x2)\n Serial Number: 2 (0x2)\n"
+ " Issuer: C = US, ST = CA, O = Asox, CN = Asox Certification Authority\n"
+ " Validity\n Not Before: Feb 13 23:21:03 2017 GMT\n"
+ " Not After : Jul 1 23:21:03 2044 GMT\n"
+ " Subject: C = US, O = Asox, CN = 127.0.0.1\n"
+ " X509v3 extensions:\n"
+ " X509v3 Basic Constraints: \n"
+ " CA:FALSE\n"
+ " Netscape Comment: \n"
+ " OpenSSL Generated Certificate\n"
+ " X509v3 Subject Key Identifier: \n"
+ " 71:D6:49:9D:64:47:D7:1E:65:8B:1E:94:83:23:42:E1:F2:19:9F:C3\n"
+ " X509v3 Authority Key Identifier: \n"
+ " keyid:17:DF:29:09:29:BF:7B:9F:1A:7F:E9:46:49:C8:3B:ED:B3:B9:E8:7B\n\n"
+ " X509v3 Subject Alternative Name: \n"
+ " DNS:anotherexample.com, DNS:*.thirdexample.com\n"
+ " Authority Information Access: \n"
+ " CA Issuers - URI:https://phabricator.fb.com/diffusion/FBCODE/browse/master/ti/test_certs/ca_cert.pem?view=raw\n\n");
+}
+
+TEST_F(OpenSSLCertUtilsTest, TestDerEncodeDecode) {
+ auto x509 = readCertFromData(kTestCertWithSan);
+
+ auto der = folly::ssl::OpenSSLCertUtils::derEncode(*x509);
+ auto decoded = folly::ssl::OpenSSLCertUtils::derDecode(der->coalesce());
+
+ EXPECT_EQ(
+ folly::ssl::OpenSSLCertUtils::toString(*x509),
+ folly::ssl::OpenSSLCertUtils::toString(*decoded));
+}
+
+TEST_F(OpenSSLCertUtilsTest, TestDerDecodeJunkData) {
+ StringPiece junk{"MyFakeCertificate"};
+ EXPECT_THROW(
+ folly::ssl::OpenSSLCertUtils::derDecode(junk), std::runtime_error);
+}
+
+TEST_F(OpenSSLCertUtilsTest, TestDerDecodeTooShort) {
+ auto x509 = readCertFromData(kTestCertWithSan);
+
+ auto der = folly::ssl::OpenSSLCertUtils::derEncode(*x509);
+ der->trimEnd(1);
+ EXPECT_THROW(
+ folly::ssl::OpenSSLCertUtils::derDecode(der->coalesce()),
+ std::runtime_error);
+}
+
+TEST_F(OpenSSLCertUtilsTest, TestReadCertsFromBuffer) {
+ auto certs = folly::ssl::OpenSSLCertUtils::readCertsFromBuffer(
+ StringPiece(kTestCertBundle));
+ EXPECT_EQ(certs.size(), 3);
+ for (auto i : folly::enumerate(certs)) {
+ auto identity = folly::ssl::OpenSSLCertUtils::getCommonName(**i);
+ EXPECT_TRUE(identity);
+ EXPECT_EQ(*identity, folly::sformat("test cert {}", i.index + 1));
+ }
+}
+
+TEST_F(OpenSSLCertUtilsTest, TestX509Digest) {
+ auto x509 = readCertFromFile(kTestCertWithoutSan);
+ EXPECT_NE(x509, nullptr);
+
+ auto sha1Digest = folly::ssl::OpenSSLCertUtils::getDigestSha1(*x509);
+ EXPECT_EQ(
+ folly::hexlify(folly::range(sha1Digest)),
+ "b84e951d6c4e6cc70346357fab43d7ed73a07b0f");
+
+ auto sha2Digest = folly::ssl::OpenSSLCertUtils::getDigestSha256(*x509);
+ EXPECT_EQ(
+ folly::hexlify(folly::range(sha2Digest)),
+ "364d3a6a0b10d0635ce59b40c0b7f505ab2cd9fd0a06661cdc61d9cb8c9c9821");
+}
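Review bot: TestDerEncodeDecode and TestDerDecodeTooShort dereference `*x509` right after `readCertFromData(kTestCertWithSan)` without the null check the sibling tests carry, and since every later line in those tests needs a valid certificate, `ASSERT_NE(x509, nullptr);` after each `readCertFromData` call would turn a parse failure into a clean test failure rather than a crash (an `EXPECT_NE`, as used elsewhere in this file, continues into the null dereference on failure). The same gap exists for `der` and `decoded` in TestDerEncodeDecode, which are used via `der->coalesce()` and `*decoded` without being checked. TestX509Summary pins the entire `toString` output, which presumably mirrors OpenSSL's own `X509_print` formatting and may drift between library versions; a one-line comment noting which OpenSSL version the expected text was captured against would make a future mismatch easier to triage.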