Move OpenSSL locking code out of SSLContext
1 /*
2  * Copyright 2017 Facebook, Inc.
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *   http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
#include <folly/ssl/OpenSSLCertUtils.h>

#include <limits>
#include <stdexcept>
#include <string>

#include <folly/Range.h>
#include <folly/String.h>
#include <folly/portability/GTest.h>
#include <folly/portability/OpenSSL.h>
#include <folly/ssl/Init.H>
#include <folly/ssl/OpenSSLPtrTypes.h>
25
// File-scope using-directives: this is a test translation unit, so pulling in
// folly:: and the gtest testing:: names unqualified is acceptable here.
using namespace folly;
using namespace testing;
28
// PEM certificate on disk that carries a CN but no Subject Alternative Name
// extension (TestX509CN below expects zero SANs). The path is relative, so the
// test binary has to run from the directory containing `folly/` — presumably
// the repository root; confirm against the build setup.
const char* kTestCertWithoutSan = "folly/io/async/test/certs/tests-cert.pem";
30
// Test-only EC private key whose public half matches the certificate below
// (compare the key bytes with the SubjectPublicKeyInfo in the PEM). It is kept
// here purely so the fixture can be regenerated; nothing in this file uses it.
// -----BEGIN EC PRIVATE KEY-----
// MHcCAQEEIBskFwVZ9miFN+SKCFZPe9WEuFGmP+fsecLUnsTN6bOcoAoGCCqGSM49
// AwEHoUQDQgAE7/f4YYOYunAM/VkmjDYDg3AWUgyyTIraWmmQZsnu0bYNV/lLLfNz
// CtHggxGSwEtEe40nNb9C8wQmHUvb7VBBlw==
// -----END EC PRIVATE KEY-----
//
// Test certificate with CN=127.0.0.1 and two DNS SANs (anotherexample.com,
// *.thirdexample.com), issued by "Asox Certification Authority". The tests
// below pin its CN, SANs, issuer/subject, validity dates and full text dump,
// so regenerating it means updating those expectations as well.
// stripLeftMargin removes the common two-space indent of the raw literal.
const std::string kTestCertWithSan = folly::stripLeftMargin(R"(
  -----BEGIN CERTIFICATE-----
  MIIDXDCCAkSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBQMQswCQYDVQQGEwJVUzEL
  MAkGA1UECAwCQ0ExDTALBgNVBAoMBEFzb3gxJTAjBgNVBAMMHEFzb3ggQ2VydGlm
  aWNhdGlvbiBBdXRob3JpdHkwHhcNMTcwMjEzMjMyMTAzWhcNNDQwNzAxMjMyMTAz
  WjAwMQswCQYDVQQGEwJVUzENMAsGA1UECgwEQXNveDESMBAGA1UEAwwJMTI3LjAu
  MC4xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7/f4YYOYunAM/VkmjDYDg3AW
  UgyyTIraWmmQZsnu0bYNV/lLLfNzCtHggxGSwEtEe40nNb9C8wQmHUvb7VBBl6OC
  ASowggEmMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh
  dGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRx1kmdZEfXHmWLHpSDI0Lh8hmfwzAf
  BgNVHSMEGDAWgBQX3ykJKb97nxp/6UZJyDvts7noezAxBgNVHREEKjAoghJhbm90
  aGVyZXhhbXBsZS5jb22CEioudGhpcmRleGFtcGxlLmNvbTB4BggrBgEFBQcBAQRs
  MGowaAYIKwYBBQUHMAKGXGh0dHBzOi8vcGhhYnJpY2F0b3IuZmIuY29tL2RpZmZ1
  c2lvbi9GQkNPREUvYnJvd3NlL21hc3Rlci90aS90ZXN0X2NlcnRzL2NhX2NlcnQu
  cGVtP3ZpZXc9cmF3MA0GCSqGSIb3DQEBCwUAA4IBAQCj3FLjLMLudaFDiYo9pAPQ
  NBYNpG27aajQCvnEsYaMAGnNBxUUhv/E4xpnJEhatiCJWlPgGebdjXkpXYkLxnFj
  38UmpfZbNcvPPKxXmjIlkpYeFwcHTAUpFmMXVHdr8FjkDSN+qWHLllMFNAAqp0U6
  4VWjDlq9xCjzNw+8fdcEpwylpPrbNyQHqSO1k+DhM2qPuQfiWPmHe2PbJv8JB3no
  HWGi9SNe0FjtJM3066L0Gj8g/bFDo/pnyKguQyGkS7PaepK5/u5Y2fMMBO/m4+U0
  b9Yb0TvatsqL688CoZcSn73A0yAjptwbD/4HmcVlG2j/y8eTVpXisugu6Xz+QQGu
  -----END CERTIFICATE-----
)");
59
// Fixture shared by every test below: initialises folly's OpenSSL support in
// SetUp() before any BIO/X509 call is made.
class OpenSSLCertUtilsTest : public Test {
 public:
  void SetUp() override;
};

void OpenSSLCertUtilsTest::SetUp() {
  folly::ssl::init();
}
66
// Loads the first PEM-encoded certificate from `filename`.
//
// Throws std::runtime_error when the file BIO cannot be allocated or the file
// cannot be opened. A PEM parse failure is not an exception: the returned
// pointer is then null and callers are expected to check it.
static folly::ssl::X509UniquePtr readCertFromFile(const std::string& filename) {
  folly::ssl::BioUniquePtr fileBio{BIO_new(BIO_s_file())};
  if (fileBio == nullptr) {
    throw std::runtime_error("Couldn't create BIO");
  }

  const auto opened = BIO_read_filename(fileBio.get(), filename.c_str());
  if (opened != 1) {
    throw std::runtime_error("Couldn't read cert file: " + filename);
  }

  X509* parsed = PEM_read_bio_X509(fileBio.get(), nullptr, nullptr, nullptr);
  return folly::ssl::X509UniquePtr{parsed};
}
79
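// Parses the first PEM-encoded certificate from an in-memory buffer.
//
// Throws std::runtime_error when the buffer is larger than the `int` length
// BIO_new_mem_buf accepts, or when the memory BIO cannot be allocated. A PEM
// parse failure is not an exception: the returned pointer is then null and
// callers are expected to check it.
static folly::ssl::X509UniquePtr readCertFromData(
    const folly::StringPiece data) {
  // BIO_new_mem_buf takes the length as a plain int. Converting data.size()
  // implicitly would wrap for large inputs and hand OpenSSL a bogus length,
  // so reject such inputs explicitly instead of truncating silently.
  if (data.size() > static_cast<size_t>(std::numeric_limits<int>::max())) {
    throw std::runtime_error("Cert data too large for BIO_new_mem_buf");
  }
  folly::ssl::BioUniquePtr bio(
      BIO_new_mem_buf(data.data(), static_cast<int>(data.size())));
  if (!bio) {
    throw std::runtime_error("Couldn't create BIO");
  }
  return folly::ssl::X509UniquePtr(
      PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
}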
89
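// A certificate without a SAN extension: the CN is extracted and the SAN
// list is empty.
TEST_F(OpenSSLCertUtilsTest, TestX509CN) {
  auto x509 = readCertFromFile(kTestCertWithoutSan);
  // ASSERT, not EXPECT: the dereferences below would crash on a null pointer
  // instead of producing a readable test failure.
  ASSERT_NE(x509, nullptr);
  auto identity = folly::ssl::OpenSSLCertUtils::getCommonName(*x509);
  EXPECT_EQ(identity.value(), "Asox Company");
  auto sans = folly::ssl::OpenSSLCertUtils::getSubjectAltNames(*x509);
  // 0u avoids a signed/unsigned comparison against size().
  EXPECT_EQ(sans.size(), 0u);
}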
98
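// A certificate with two DNS SANs: both the CN and the SAN entries (in
// certificate order, wildcard preserved verbatim) are returned.
TEST_F(OpenSSLCertUtilsTest, TestX509Sans) {
  auto x509 = readCertFromData(kTestCertWithSan);
  // ASSERT, not EXPECT: the dereferences below would crash on a null pointer
  // instead of producing a readable test failure.
  ASSERT_NE(x509, nullptr);
  auto identity = folly::ssl::OpenSSLCertUtils::getCommonName(*x509);
  EXPECT_EQ(identity.value(), "127.0.0.1");
  auto altNames = folly::ssl::OpenSSLCertUtils::getSubjectAltNames(*x509);
  // ASSERT on the count: indexing altNames[1] on a shorter vector would be
  // out-of-bounds rather than a reported mismatch.
  ASSERT_EQ(altNames.size(), 2u);
  EXPECT_EQ(altNames[0], "anotherexample.com");
  EXPECT_EQ(altNames[1], "*.thirdexample.com");
}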
109
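// Issuer and subject are rendered as one-line RFC 2253-style DNs.
TEST_F(OpenSSLCertUtilsTest, TestX509IssuerAndSubject) {
  auto x509 = readCertFromData(kTestCertWithSan);
  // ASSERT, not EXPECT: the dereferences below would crash on a null pointer
  // instead of producing a readable test failure.
  ASSERT_NE(x509, nullptr);
  auto issuer = folly::ssl::OpenSSLCertUtils::getIssuer(*x509);
  EXPECT_EQ(
      issuer.value(),
      "C = US, ST = CA, O = Asox, CN = Asox Certification Authority");
  auto subj = folly::ssl::OpenSSLCertUtils::getSubject(*x509);
  EXPECT_EQ(subj.value(), "C = US, O = Asox, CN = 127.0.0.1");
}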
120
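// notBefore/notAfter are returned in OpenSSL's textual GMT format; note the
// two spaces before a single-digit day ("Jul  1").
TEST_F(OpenSSLCertUtilsTest, TestX509Dates) {
  auto x509 = readCertFromData(kTestCertWithSan);
  // ASSERT, not EXPECT: the dereferences below would crash on a null pointer
  // instead of producing a readable test failure.
  ASSERT_NE(x509, nullptr);
  auto notBefore = folly::ssl::OpenSSLCertUtils::getNotBeforeTime(*x509);
  EXPECT_EQ(notBefore, "Feb 13 23:21:03 2017 GMT");
  auto notAfter = folly::ssl::OpenSSLCertUtils::getNotAfterTime(*x509);
  EXPECT_EQ(notAfter, "Jul  1 23:21:03 2044 GMT");
}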
129
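// toString() produces the full X509_print-style dump. The expected text is
// pinned byte-for-byte (including trailing spaces after the extension
// headings), so it is sensitive to the OpenSSL version's print format.
TEST_F(OpenSSLCertUtilsTest, TestX509Summary) {
  auto x509 = readCertFromData(kTestCertWithSan);
  // ASSERT, not EXPECT: the dereference below would crash on a null pointer
  // instead of producing a readable test failure.
  ASSERT_NE(x509, nullptr);
  auto summary = folly::ssl::OpenSSLCertUtils::toString(*x509);
  EXPECT_EQ(
      summary.value(),
      "        Version: 3 (0x2)\n        Serial Number: 2 (0x2)\n"
      "        Issuer: C = US, ST = CA, O = Asox, CN = Asox Certification Authority\n"
      "        Validity\n            Not Before: Feb 13 23:21:03 2017 GMT\n"
      "            Not After : Jul  1 23:21:03 2044 GMT\n"
      "        Subject: C = US, O = Asox, CN = 127.0.0.1\n"
      "        X509v3 extensions:\n"
      "            X509v3 Basic Constraints: \n"
      "                CA:FALSE\n"
      "            Netscape Comment: \n"
      "                OpenSSL Generated Certificate\n"
      "            X509v3 Subject Key Identifier: \n"
      "                71:D6:49:9D:64:47:D7:1E:65:8B:1E:94:83:23:42:E1:F2:19:9F:C3\n"
      "            X509v3 Authority Key Identifier: \n"
      "                keyid:17:DF:29:09:29:BF:7B:9F:1A:7F:E9:46:49:C8:3B:ED:B3:B9:E8:7B\n\n"
      "            X509v3 Subject Alternative Name: \n"
      "                DNS:anotherexample.com, DNS:*.thirdexample.com\n"
      "            Authority Information Access: \n"
      "                CA Issuers - URI:https://phabricator.fb.com/diffusion/FBCODE/browse/master/ti/test_certs/ca_cert.pem?view=raw\n\n");
}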
155
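// DER round trip: encoding then decoding yields a certificate whose text
// dump is identical to the original's.
TEST_F(OpenSSLCertUtilsTest, TestDerEncodeDecode) {
  auto x509 = readCertFromData(kTestCertWithSan);
  // The original test dereferenced x509 without any null check; a PEM parse
  // failure would have crashed the run instead of failing this test.
  ASSERT_NE(x509, nullptr);

  auto der = folly::ssl::OpenSSLCertUtils::derEncode(*x509);
  auto decoded = folly::ssl::OpenSSLCertUtils::derDecode(der->coalesce());
  // Guard the dereference in the comparison below as well.
  ASSERT_NE(decoded, nullptr);

  EXPECT_EQ(
      folly::ssl::OpenSSLCertUtils::toString(*x509),
      folly::ssl::OpenSSLCertUtils::toString(*decoded));
}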
166
// Input that is not DER at all must be rejected with an exception rather
// than yielding a partially-parsed certificate object.
TEST_F(OpenSSLCertUtilsTest, TestDerDecodeJunkData) {
  const StringPiece notACert{"MyFakeCertificate"};
  EXPECT_THROW(
      folly::ssl::OpenSSLCertUtils::derDecode(notACert),
      std::runtime_error);
}
172
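// A DER blob truncated by one byte is structurally invalid and must fail
// loudly: a decoder that tolerated truncated input could accept a certificate
// whose trailing fields (including the signature) are incomplete.
TEST_F(OpenSSLCertUtilsTest, TestDerDecodeTooShort) {
  auto x509 = readCertFromData(kTestCertWithSan);
  // The original test dereferenced x509 without any null check; a PEM parse
  // failure would have crashed the run instead of failing this test.
  ASSERT_NE(x509, nullptr);

  auto der = folly::ssl::OpenSSLCertUtils::derEncode(*x509);
  // Drop the final byte so the outer SEQUENCE length no longer matches.
  der->trimEnd(1);
  EXPECT_THROW(
      folly::ssl::OpenSSLCertUtils::derDecode(der->coalesce()),
      std::runtime_error);
}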