test: ✅ add server cert verification test

dergecko · Dec 16, 2024 · 543dcfb · 543dcfb
1 parent 5a5f923
commit 543dcfb
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 2 deletions.
diff --git a/test-certs/src/configuration/certificates.rs b/test-certs/src/configuration/certificates.rs
@@ -169,6 +169,23 @@ pub mod fixtures {
         certs
     }
 
+    /// Provides a [`CertificateRoot`] with a root ca, an intermediate ca, and a server cert.
+    pub fn ca_with_intermediate_and_server_certificate() -> CertificateRoot {
+        let certs = CertificateRoot {
+            certificates: HashMap::from([(
+                "root-ca".to_string(),
+                CertificateType::CertificateAuthority(CertificateAuthorityConfiguration {
+                    export_key: false,
+                    certificates: HashMap::from_iter([(
+                        "intermediate-ca".to_string(),
+                        ca_with_server_certificate_type(),
+                    )]),
+                }),
+            )]),
+        };
+        certs
+    }
+
     /// Provides a [`CertificateRoot`] with only one ca certificate.
     pub fn ca_certificate() -> CertificateRoot {
         let certs = CertificateRoot {
@@ -223,6 +240,14 @@ pub mod fixtures {
         })
     }
 
+    /// Provides a [`CertificateType`] that is a ca certificate that issues one server certificate.
+    pub fn ca_with_server_certificate_type() -> CertificateType {
+        CertificateType::CertificateAuthority(CertificateAuthorityConfiguration {
+            certificates: HashMap::from([("server".to_string(), server_certificate_type())]),
+            ..Default::default()
+        })
+    }
+
     /// Provides a [`CertificateType`] that is a server certificate.
     pub fn server_certificate_type() -> CertificateType {
         CertificateType::Server(ServerConfiguration {

diff --git a/test-certs/src/generation.rs b/test-certs/src/generation.rs
@@ -163,12 +163,18 @@ fn certificate_params(
 mod tests {
     use std::net::{IpAddr, Ipv4Addr};
 
-    use rustls::{RootCertStore, pki_types::UnixTime, server::WebPkiClientVerifier};
+    use rustls::{
+        RootCertStore,
+        client::{WebPkiServerVerifier, danger::ServerCertVerifier},
+        pki_types::{ServerName, UnixTime},
+        server::WebPkiClientVerifier,
+    };
 
     use crate::{
         configuration::certificates::fixtures::{
             ca_certificate_type, ca_with_client_certificates,
-            ca_with_intermediate_and_client_certificate, client_certificate_type,
+            ca_with_intermediate_and_client_certificate,
+            ca_with_intermediate_and_server_certificate, client_certificate_type,
             server_certificate_type,
         },
         generate,
@@ -262,4 +268,26 @@ mod tests {
 
         assert!(result.is_ok());
     }
+
+    #[test]
+    fn should_verify_server_with_intermediate_ca() {
+        let root = ca_with_intermediate_and_server_certificate();
+        let mut certs = generate(&root).unwrap();
+        let root_ca = certs.pop().unwrap();
+        let intermediate_ca = certs.pop().unwrap();
+        let server = certs.pop().unwrap();
+        let mut roots = RootCertStore::empty();
+        roots.add(root_ca.certificate.der().clone()).unwrap();
+
+        let server_verifier = WebPkiServerVerifier::builder(roots.into()).build().unwrap();
+        let result = server_verifier.verify_server_cert(
+            server.certificate.der(),
+            &[intermediate_ca.certificate.der().clone()],
+            &ServerName::try_from("my-server.org").unwrap(),
+            &[],
+            UnixTime::now(),
+        );
+
+        assert!(result.is_ok());
+    }
 }