From 543dcfb676e62e9a8ec3181644129317781d11eb Mon Sep 17 00:00:00 2001
From: dergecko
Date: Mon, 16 Dec 2024 08:21:25 +0100
Subject: [PATCH] test: :white_check_mark: add server cert verification test

---
 test-certs/src/configuration/certificates.rs | 25 +++++++++++++++
 test-certs/src/generation.rs                 | 32 ++++++++++++++++++--
 2 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/test-certs/src/configuration/certificates.rs b/test-certs/src/configuration/certificates.rs
index 99a19a5..05c68bb 100644
--- a/test-certs/src/configuration/certificates.rs
+++ b/test-certs/src/configuration/certificates.rs
@@ -169,6 +169,23 @@ pub mod fixtures {
         certs
     }
 
+    /// Provides a [`CertificateRoot`] with a root ca, an intermediate ca, and a server cert.
+    pub fn ca_with_intermediate_and_server_certificate() -> CertificateRoot {
+        let certs = CertificateRoot {
+            certificates: HashMap::from([(
+                "root-ca".to_string(),
+                CertificateType::CertificateAuthority(CertificateAuthorityConfiguration {
+                    export_key: false,
+                    certificates: HashMap::from_iter([(
+                        "intermediate-ca".to_string(),
+                        ca_with_server_certificate_type(),
+                    )]),
+                }),
+            )]),
+        };
+        certs
+    }
+
     /// Provides a [`CertificateRoot`] with only one ca certificate.
     pub fn ca_certificate() -> CertificateRoot {
         let certs = CertificateRoot {
@@ -223,6 +240,14 @@ pub mod fixtures {
         })
     }
 
+    /// Provides a [`CertificateType`] that is a ca certificate that issues one server certificate.
+    pub fn ca_with_server_certificate_type() -> CertificateType {
+        CertificateType::CertificateAuthority(CertificateAuthorityConfiguration {
+            certificates: HashMap::from([("server".to_string(), server_certificate_type())]),
+            ..Default::default()
+        })
+    }
+
     /// Provides a [`CertificateType`] that is a server certificate.
     pub fn server_certificate_type() -> CertificateType {
         CertificateType::Server(ServerConfiguration {
diff --git a/test-certs/src/generation.rs b/test-certs/src/generation.rs
index 862444a..c4365bf 100644
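Review bot: The intermediate map in `ca_with_intermediate_and_server_certificate` is built with `HashMap::from_iter([...])` while the outer map directly above it and the sibling `ca_with_server_certificate_type` in the second hunk use `HashMap::from([...])`; clippy's `from_iter_instead_of_collect` style lint flags the explicit `from_iter` call, so `certificates: HashMap::from([(` keeps the three fixtures uniform. The explicit `export_key: false` on the root CA could likewise use the `..Default::default()` form the second hunk uses, provided `CertificateAuthorityConfiguration::default()` leaves `export_key` false — the struct is outside this hunk, so that needs confirming. The `let certs = …; certs` binding at the end mirrors the existing `ca_certificate` fixture, so it is consistent with the file even though clippy's `let_and_return` would flag it.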
--- a/test-certs/src/generation.rs
+++ b/test-certs/src/generation.rs
@@ -163,12 +163,18 @@ fn certificate_params(
 mod tests {
     use std::net::{IpAddr, Ipv4Addr};
 
-    use rustls::{RootCertStore, pki_types::UnixTime, server::WebPkiClientVerifier};
+    use rustls::{
+        RootCertStore,
+        client::{WebPkiServerVerifier, danger::ServerCertVerifier},
+        pki_types::{ServerName, UnixTime},
+        server::WebPkiClientVerifier,
+    };
 
     use crate::{
         configuration::certificates::fixtures::{
             ca_certificate_type, ca_with_client_certificates,
-            ca_with_intermediate_and_client_certificate, client_certificate_type,
+            ca_with_intermediate_and_client_certificate,
+            ca_with_intermediate_and_server_certificate, client_certificate_type,
             server_certificate_type,
         },
         generate,
@@ -262,4 +268,26 @@ mod tests {
 
         assert!(result.is_ok());
     }
+
+    #[test]
+    fn should_verify_server_with_intermediate_ca() {
+        let root = ca_with_intermediate_and_server_certificate();
+        let mut certs = generate(&root).unwrap();
+        let root_ca = certs.pop().unwrap();
+        let intermediate_ca = certs.pop().unwrap();
+        let server = certs.pop().unwrap();
+        let mut roots = RootCertStore::empty();
+        roots.add(root_ca.certificate.der().clone()).unwrap();
+
+        let server_verifier = WebPkiServerVerifier::builder(roots.into()).build().unwrap();
+        let result = server_verifier.verify_server_cert(
+            server.certificate.der(),
+            &[intermediate_ca.certificate.der().clone()],
+            &ServerName::try_from("my-server.org").unwrap(),
+            &[],
+            UnixTime::now(),
+        );
+
+        assert!(result.is_ok());
+    }
 }
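Review bot: `should_verify_server_with_intermediate_ca` only asserts the accept path, so it would also pass against a verifier that accepted any chain; a rejection case with the same leaf but an empty intermediates slice pins that the chain actually has to reach the root store (fence below). The three `certs.pop()` calls assume `generate` returns the certificates leaf-first and root-last, which is not visible in this hunk; an `assert_eq!(certs.len(), 3);` right after the `generate` call would turn a changed output shape into a clear failure instead of a misleading verification error. The hostname check against `ServerName::try_from("my-server.org")` depends on `server_certificate_type` (outside this hunk) issuing a certificate with that name in its SAN; a comment such as `// "my-server.org" must match the SAN set by server_certificate_type()` would make that coupling explicit.
```rust
        // … unchanged: fixture generation, root store and positive verification …
        assert!(result.is_ok());

        // A chain that omits the intermediate cannot reach the root store and must be
        // rejected; without this the test also passes for a verifier that accepts anything.
        let without_intermediate = server_verifier.verify_server_cert(
            server.certificate.der(),
            &[],
            &ServerName::try_from("my-server.org").unwrap(),
            &[],
            UnixTime::now(),
        );
        assert!(without_intermediate.is_err());
```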