1 //
2 //
3 // Copyright 2018 gRPC authors.
4 //
5 // Licensed under the Apache License, Version 2.0 (the "License");
6 // you may not use this file except in compliance with the License.
7 // You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 //
17 //
18
19 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
20
21 #include <stdlib.h>
22 #include <string.h>
23
24 #include <gmock/gmock.h>
25 #include <gtest/gtest.h>
26
27 #include <grpc/support/alloc.h>
28 #include <grpc/support/log.h>
29 #include <grpc/support/string_util.h>
30
31 #include "src/core/lib/channel/channel_args.h"
32 #include "src/core/lib/config/config_vars.h"
33 #include "src/core/lib/gprpp/crash.h"
34 #include "src/core/lib/gprpp/unique_type_name.h"
35 #include "src/core/lib/security/context/security_context.h"
36 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
37 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
38 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
39 #include "src/core/tsi/transport_security.h"
40 #include "test/core/util/test_config.h"
41 #include "test/core/util/tls_utils.h"
42
43 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
44 #define CLIENT_CERT_PATH "src/core/tsi/test_creds/multi-domain.pem"
45 #define SERVER_CERT_PATH_0 "src/core/tsi/test_creds/server0.pem"
46 #define SERVER_KEY_PATH_0 "src/core/tsi/test_creds/server0.key"
47 #define SERVER_CERT_PATH_1 "src/core/tsi/test_creds/server1.pem"
48 #define SERVER_KEY_PATH_1 "src/core/tsi/test_creds/server1.key"
49
50 namespace grpc_core {
51 namespace testing {
52
53 constexpr const char* kRootCertName = "root_cert_name";
54 constexpr const char* kIdentityCertName = "identity_cert_name";
55 constexpr const char* kErrorMessage = "error_message";
56 constexpr const char* kTargetName = "foo.bar.com:443";
57
58 class TlsSecurityConnectorTest : public ::testing::Test {
59 protected:
TlsSecurityConnectorTest()60 TlsSecurityConnectorTest() {}
61
SetUp()62 void SetUp() override {
63 root_cert_1_ = testing::GetFileContents(CA_CERT_PATH);
64 root_cert_0_ = testing::GetFileContents(CLIENT_CERT_PATH);
65 identity_pairs_1_.emplace_back(
66 testing::GetFileContents(SERVER_KEY_PATH_1),
67 testing::GetFileContents(SERVER_CERT_PATH_1));
68 identity_pairs_0_.emplace_back(
69 testing::GetFileContents(SERVER_KEY_PATH_0),
70 testing::GetFileContents(SERVER_CERT_PATH_0));
71 }
72
VerifyExpectedErrorCallback(void * arg,grpc_error_handle error)73 static void VerifyExpectedErrorCallback(void* arg, grpc_error_handle error) {
74 const char* expected_error_msg = static_cast<const char*>(arg);
75 if (expected_error_msg == nullptr) {
76 EXPECT_EQ(error, absl::OkStatus());
77 } else {
78 EXPECT_EQ(GetErrorMsg(error), expected_error_msg);
79 }
80 }
81
GetErrorMsg(grpc_error_handle error)82 static std::string GetErrorMsg(grpc_error_handle error) {
83 std::string error_str;
84 GPR_ASSERT(
85 grpc_error_get_str(error, StatusStrProperty::kDescription, &error_str));
86 return error_str;
87 }
88
89 std::string root_cert_1_;
90 std::string root_cert_0_;
91 PemKeyCertPairList identity_pairs_1_;
92 PemKeyCertPairList identity_pairs_0_;
93 HostNameCertificateVerifier hostname_certificate_verifier_;
94 };
95
96 class TlsTestCertificateProvider : public grpc_tls_certificate_provider {
97 public:
TlsTestCertificateProvider(RefCountedPtr<grpc_tls_certificate_distributor> distributor)98 explicit TlsTestCertificateProvider(
99 RefCountedPtr<grpc_tls_certificate_distributor> distributor)
100 : distributor_(std::move(distributor)) {}
~TlsTestCertificateProvider()101 ~TlsTestCertificateProvider() override {}
distributor() const102 RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override {
103 return distributor_;
104 }
105
type() const106 UniqueTypeName type() const override {
107 static UniqueTypeName::Factory kFactory("tls_test");
108 return kFactory.Create();
109 }
110
111 private:
CompareImpl(const grpc_tls_certificate_provider * other) const112 int CompareImpl(const grpc_tls_certificate_provider* other) const override {
113 // TODO(yashykt): Maybe do something better here.
114 return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
115 other);
116 }
117
118 RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
119 };
120
121 //
122 // Tests for Certificate Providers in ChannelSecurityConnector.
123 //
124
TEST_F(TlsSecurityConnectorTest,RootAndIdentityCertsObtainedWhenCreateChannelSecurityConnector)125 TEST_F(TlsSecurityConnectorTest,
126 RootAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
127 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
128 MakeRefCounted<grpc_tls_certificate_distributor>();
129 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
130 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
131 identity_pairs_0_);
132 RefCountedPtr<grpc_tls_certificate_provider> provider =
133 MakeRefCounted<TlsTestCertificateProvider>(distributor);
134 RefCountedPtr<grpc_tls_credentials_options> options =
135 MakeRefCounted<grpc_tls_credentials_options>();
136 options->set_certificate_provider(provider);
137 options->set_watch_root_cert(true);
138 options->set_watch_identity_pair(true);
139 options->set_root_cert_name(kRootCertName);
140 options->set_identity_cert_name(kIdentityCertName);
141 RefCountedPtr<TlsCredentials> credential =
142 MakeRefCounted<TlsCredentials>(options);
143 ChannelArgs new_args;
144 RefCountedPtr<grpc_channel_security_connector> connector =
145 credential->create_security_connector(nullptr, kTargetName, &new_args);
146 EXPECT_NE(connector, nullptr);
147 TlsChannelSecurityConnector* tls_connector =
148 static_cast<TlsChannelSecurityConnector*>(connector.get());
149 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
150 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
151 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
152 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
153 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
154 identity_pairs_1_);
155 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
156 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
157 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
158 }
159
TEST_F(TlsSecurityConnectorTest,SystemRootsWhenCreateChannelSecurityConnector)160 TEST_F(TlsSecurityConnectorTest,
161 SystemRootsWhenCreateChannelSecurityConnector) {
162 // Create options watching for no certificates.
163 RefCountedPtr<grpc_tls_credentials_options> root_options =
164 MakeRefCounted<grpc_tls_credentials_options>();
165 RefCountedPtr<TlsCredentials> root_credential =
166 MakeRefCounted<TlsCredentials>(root_options);
167 ChannelArgs root_new_args;
168 RefCountedPtr<grpc_channel_security_connector> root_connector =
169 root_credential->create_security_connector(nullptr, "some_target",
170 &root_new_args);
171 EXPECT_NE(root_connector, nullptr);
172 TlsChannelSecurityConnector* tls_root_connector =
173 static_cast<TlsChannelSecurityConnector*>(root_connector.get());
174 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
175 }
176
TEST_F(TlsSecurityConnectorTest,SystemRootsAndIdentityCertsObtainedWhenCreateChannelSecurityConnector)177 TEST_F(TlsSecurityConnectorTest,
178 SystemRootsAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
179 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
180 MakeRefCounted<grpc_tls_certificate_distributor>();
181 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
182 identity_pairs_0_);
183 RefCountedPtr<grpc_tls_certificate_provider> provider =
184 MakeRefCounted<TlsTestCertificateProvider>(distributor);
185 // Create options only watching for identity certificates.
186 RefCountedPtr<grpc_tls_credentials_options> root_options =
187 MakeRefCounted<grpc_tls_credentials_options>();
188 root_options->set_certificate_provider(provider);
189 root_options->set_watch_identity_pair(true);
190 root_options->set_identity_cert_name(kIdentityCertName);
191 RefCountedPtr<TlsCredentials> root_credential =
192 MakeRefCounted<TlsCredentials>(root_options);
193 ChannelArgs root_new_args;
194 RefCountedPtr<grpc_channel_security_connector> root_connector =
195 root_credential->create_security_connector(nullptr, "some_target",
196 &root_new_args);
197 EXPECT_NE(root_connector, nullptr);
198 TlsChannelSecurityConnector* tls_root_connector =
199 static_cast<TlsChannelSecurityConnector*>(root_connector.get());
200 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
201 EXPECT_EQ(tls_root_connector->KeyCertPairListForTesting(), identity_pairs_0_);
202 // If we have a root update, we shouldn't receive them in security connector,
203 // since we claimed to use default system roots.
204 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
205 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
206 EXPECT_NE(tls_root_connector->RootCertsForTesting(), root_cert_1_);
207 }
208
TEST_F(TlsSecurityConnectorTest,RootCertsObtainedWhenCreateChannelSecurityConnector)209 TEST_F(TlsSecurityConnectorTest,
210 RootCertsObtainedWhenCreateChannelSecurityConnector) {
211 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
212 MakeRefCounted<grpc_tls_certificate_distributor>();
213 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
214 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
215 identity_pairs_0_);
216 RefCountedPtr<grpc_tls_certificate_provider> provider =
217 MakeRefCounted<TlsTestCertificateProvider>(distributor);
218 // Create options only watching for root certificates.
219 RefCountedPtr<grpc_tls_credentials_options> root_options =
220 MakeRefCounted<grpc_tls_credentials_options>();
221 root_options->set_certificate_provider(provider);
222 root_options->set_watch_root_cert(true);
223 root_options->set_root_cert_name(kRootCertName);
224 RefCountedPtr<TlsCredentials> root_credential =
225 MakeRefCounted<TlsCredentials>(root_options);
226 ChannelArgs root_new_args;
227 RefCountedPtr<grpc_channel_security_connector> root_connector =
228 root_credential->create_security_connector(nullptr, "some_target",
229 &root_new_args);
230 EXPECT_NE(root_connector, nullptr);
231 TlsChannelSecurityConnector* tls_root_connector =
232 static_cast<TlsChannelSecurityConnector*>(root_connector.get());
233 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
234 EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_0_);
235 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
236 EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
237 EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_1_);
238 }
239
TEST_F(TlsSecurityConnectorTest,CertPartiallyObtainedWhenCreateChannelSecurityConnector)240 TEST_F(TlsSecurityConnectorTest,
241 CertPartiallyObtainedWhenCreateChannelSecurityConnector) {
242 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
243 MakeRefCounted<grpc_tls_certificate_distributor>();
244 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
245 RefCountedPtr<grpc_tls_certificate_provider> provider =
246 MakeRefCounted<TlsTestCertificateProvider>(distributor);
247 // Registered the options watching both certs, but only root certs are
248 // available at distributor right now.
249 RefCountedPtr<grpc_tls_credentials_options> options =
250 MakeRefCounted<grpc_tls_credentials_options>();
251 options->set_certificate_provider(provider);
252 options->set_watch_root_cert(true);
253 options->set_watch_identity_pair(true);
254 options->set_root_cert_name(kRootCertName);
255 options->set_identity_cert_name(kIdentityCertName);
256 RefCountedPtr<TlsCredentials> credential =
257 MakeRefCounted<TlsCredentials>(options);
258 ChannelArgs new_args;
259 RefCountedPtr<grpc_channel_security_connector> connector =
260 credential->create_security_connector(nullptr, kTargetName, &new_args);
261 EXPECT_NE(connector, nullptr);
262 TlsChannelSecurityConnector* tls_connector =
263 static_cast<TlsChannelSecurityConnector*>(connector.get());
264 // The client_handshaker_factory_ shouldn't be updated.
265 EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
266 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
267 // After updating the root certs, the client_handshaker_factory_ should be
268 // updated.
269 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
270 identity_pairs_0_);
271 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
272 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
273 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
274 }
275
TEST_F(TlsSecurityConnectorTest,DistributorHasErrorForChannelSecurityConnector)276 TEST_F(TlsSecurityConnectorTest,
277 DistributorHasErrorForChannelSecurityConnector) {
278 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
279 MakeRefCounted<grpc_tls_certificate_distributor>();
280 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
281 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
282 identity_pairs_0_);
283 RefCountedPtr<grpc_tls_certificate_provider> provider =
284 MakeRefCounted<TlsTestCertificateProvider>(distributor);
285 RefCountedPtr<grpc_tls_credentials_options> options =
286 MakeRefCounted<grpc_tls_credentials_options>();
287 options->set_certificate_provider(provider);
288 options->set_watch_root_cert(true);
289 options->set_watch_identity_pair(true);
290 options->set_root_cert_name(kRootCertName);
291 options->set_identity_cert_name(kIdentityCertName);
292 RefCountedPtr<TlsCredentials> credential =
293 MakeRefCounted<TlsCredentials>(options);
294 ChannelArgs new_args;
295 RefCountedPtr<grpc_channel_security_connector> connector =
296 credential->create_security_connector(nullptr, kTargetName, &new_args);
297 EXPECT_NE(connector, nullptr);
298 TlsChannelSecurityConnector* tls_connector =
299 static_cast<TlsChannelSecurityConnector*>(connector.get());
300 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
301 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
302 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
303 // Calling SetErrorForCert on distributor shouldn't invalidate the previous
304 // valid credentials.
305 distributor->SetErrorForCert(kRootCertName, GRPC_ERROR_CREATE(kErrorMessage),
306 absl::nullopt);
307 distributor->SetErrorForCert(kIdentityCertName, absl::nullopt,
308 GRPC_ERROR_CREATE(kErrorMessage));
309 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
310 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
311 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
312 }
313
TEST_F(TlsSecurityConnectorTest,CreateChannelSecurityConnectorFailNoTargetName)314 TEST_F(TlsSecurityConnectorTest,
315 CreateChannelSecurityConnectorFailNoTargetName) {
316 RefCountedPtr<grpc_tls_credentials_options> options =
317 MakeRefCounted<grpc_tls_credentials_options>();
318 RefCountedPtr<TlsCredentials> credential =
319 MakeRefCounted<TlsCredentials>(options);
320 ChannelArgs new_args;
321 RefCountedPtr<grpc_channel_security_connector> connector =
322 credential->create_security_connector(nullptr, nullptr, &new_args);
323 EXPECT_EQ(connector, nullptr);
324 }
325
TEST_F(TlsSecurityConnectorTest,CreateChannelSecurityConnectorFailNoCredentials)326 TEST_F(TlsSecurityConnectorTest,
327 CreateChannelSecurityConnectorFailNoCredentials) {
328 auto connector =
329 TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
330 nullptr, MakeRefCounted<grpc_tls_credentials_options>(), nullptr,
331 kTargetName, nullptr, nullptr);
332 EXPECT_EQ(connector, nullptr);
333 }
334
TEST_F(TlsSecurityConnectorTest,CreateChannelSecurityConnectorFailNoOptions)335 TEST_F(TlsSecurityConnectorTest, CreateChannelSecurityConnectorFailNoOptions) {
336 RefCountedPtr<grpc_tls_credentials_options> options =
337 MakeRefCounted<grpc_tls_credentials_options>();
338 RefCountedPtr<TlsCredentials> credential =
339 MakeRefCounted<TlsCredentials>(options);
340 auto connector =
341 TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
342 credential, nullptr, nullptr, kTargetName, nullptr, nullptr);
343 EXPECT_EQ(connector, nullptr);
344 }
345
346 //
347 // Tests for Certificate Verifier in ChannelSecurityConnector.
348 //
349
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithSyncExternalVerifierSucceeds)350 TEST_F(TlsSecurityConnectorTest,
351 ChannelSecurityConnectorWithSyncExternalVerifierSucceeds) {
352 auto* sync_verifier_ = new SyncExternalVerifier(true);
353 ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
354 RefCountedPtr<grpc_tls_credentials_options> options =
355 MakeRefCounted<grpc_tls_credentials_options>();
356 options->set_verify_server_cert(true);
357 options->set_certificate_verifier(core_external_verifier.Ref());
358 options->set_check_call_host(false);
359 RefCountedPtr<TlsCredentials> credential =
360 MakeRefCounted<TlsCredentials>(options);
361 ChannelArgs new_args;
362 RefCountedPtr<grpc_channel_security_connector> connector =
363 credential->create_security_connector(nullptr, kTargetName, &new_args);
364 EXPECT_NE(connector, nullptr);
365 TlsChannelSecurityConnector* tls_connector =
366 static_cast<TlsChannelSecurityConnector*>(connector.get());
367 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
368 // Construct a basic TSI Peer.
369 tsi_peer peer;
370 GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
371 GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
372 "h2", strlen("h2"),
373 &peer.properties[0]) == TSI_OK);
374 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
375 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
376 &peer.properties[1]) == TSI_OK);
377 RefCountedPtr<grpc_auth_context> auth_context;
378 ExecCtx exec_ctx;
379 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
380 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
381 ChannelArgs args;
382 tls_connector->check_peer(peer, nullptr, args, &auth_context,
383 on_peer_checked);
384 }
385
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithSyncExternalVerifierFails)386 TEST_F(TlsSecurityConnectorTest,
387 ChannelSecurityConnectorWithSyncExternalVerifierFails) {
388 auto* sync_verifier_ = new SyncExternalVerifier(false);
389 ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
390 RefCountedPtr<grpc_tls_credentials_options> options =
391 MakeRefCounted<grpc_tls_credentials_options>();
392 options->set_verify_server_cert(true);
393 options->set_certificate_verifier(core_external_verifier.Ref());
394 options->set_check_call_host(false);
395 RefCountedPtr<TlsCredentials> credential =
396 MakeRefCounted<TlsCredentials>(options);
397 ChannelArgs new_args;
398 RefCountedPtr<grpc_channel_security_connector> connector =
399 credential->create_security_connector(nullptr, kTargetName, &new_args);
400 EXPECT_NE(connector, nullptr);
401 TlsChannelSecurityConnector* tls_connector =
402 static_cast<TlsChannelSecurityConnector*>(connector.get());
403 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
404 // Construct a basic TSI Peer.
405 tsi_peer peer;
406 GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
407 GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
408 "h2", strlen("h2"),
409 &peer.properties[0]) == TSI_OK);
410 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
411 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
412 &peer.properties[1]) == TSI_OK);
413 RefCountedPtr<grpc_auth_context> auth_context;
414 const char* expected_error_msg =
415 "Custom verification check failed with error: UNAUTHENTICATED: "
416 "SyncExternalVerifier failed";
417 ExecCtx exec_ctx;
418 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
419 VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
420 grpc_schedule_on_exec_ctx);
421 tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
422 on_peer_checked);
423 }
424
TEST_F(TlsSecurityConnectorTest,CompareChannelSecurityConnectorSucceedsOnSameCredentials)425 TEST_F(TlsSecurityConnectorTest,
426 CompareChannelSecurityConnectorSucceedsOnSameCredentials) {
427 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
428 MakeRefCounted<grpc_tls_certificate_distributor>();
429 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
430 RefCountedPtr<grpc_tls_certificate_provider> provider =
431 MakeRefCounted<TlsTestCertificateProvider>(distributor);
432 auto options = MakeRefCounted<grpc_tls_credentials_options>();
433 options->set_certificate_provider(provider);
434 options->set_watch_root_cert(true);
435 options->set_root_cert_name(kRootCertName);
436 RefCountedPtr<TlsCredentials> credential =
437 MakeRefCounted<TlsCredentials>(options);
438 ChannelArgs connector_args;
439 ChannelArgs other_connector_args;
440 RefCountedPtr<grpc_channel_security_connector> connector =
441 credential->create_security_connector(nullptr, kTargetName,
442 &connector_args);
443 RefCountedPtr<grpc_channel_security_connector> other_connector =
444 credential->create_security_connector(nullptr, kTargetName,
445 &other_connector_args);
446 // Comparing the equality of security connectors generated from the same
447 // channel credentials with same settings should succeed.
448 EXPECT_EQ(connector->cmp(other_connector.get()), 0);
449 }
450
TEST_F(TlsSecurityConnectorTest,CompareChannelSecurityConnectorFailsOnDifferentChannelCredentials)451 TEST_F(TlsSecurityConnectorTest,
452 CompareChannelSecurityConnectorFailsOnDifferentChannelCredentials) {
453 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
454 MakeRefCounted<grpc_tls_certificate_distributor>();
455 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
456 RefCountedPtr<grpc_tls_certificate_provider> provider =
457 MakeRefCounted<TlsTestCertificateProvider>(distributor);
458 auto options = MakeRefCounted<grpc_tls_credentials_options>();
459 options->set_certificate_provider(provider);
460 options->set_watch_root_cert(true);
461 options->set_root_cert_name(kRootCertName);
462 RefCountedPtr<TlsCredentials> credential =
463 MakeRefCounted<TlsCredentials>(options);
464 ChannelArgs connector_args;
465 RefCountedPtr<grpc_channel_security_connector> connector =
466 credential->create_security_connector(nullptr, kTargetName,
467 &connector_args);
468 auto other_options = MakeRefCounted<grpc_tls_credentials_options>();
469 other_options->set_certificate_provider(provider);
470 other_options->set_watch_root_cert(true);
471 other_options->set_root_cert_name(kRootCertName);
472 other_options->set_watch_identity_pair(true);
473 RefCountedPtr<TlsCredentials> other_credential =
474 MakeRefCounted<TlsCredentials>(other_options);
475 ChannelArgs other_connector_args;
476 RefCountedPtr<grpc_channel_security_connector> other_connector =
477 other_credential->create_security_connector(nullptr, kTargetName,
478 &other_connector_args);
479 // Comparing the equality of security connectors generated from different
480 // channel credentials should fail.
481 EXPECT_NE(connector->cmp(other_connector.get()), 0);
482 }
483
TEST_F(TlsSecurityConnectorTest,CompareChannelSecurityConnectorFailsOnDifferentCallCredentials)484 TEST_F(TlsSecurityConnectorTest,
485 CompareChannelSecurityConnectorFailsOnDifferentCallCredentials) {
486 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
487 MakeRefCounted<grpc_tls_certificate_distributor>();
488 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
489 RefCountedPtr<grpc_tls_certificate_provider> provider =
490 MakeRefCounted<TlsTestCertificateProvider>(distributor);
491 auto options = MakeRefCounted<grpc_tls_credentials_options>();
492 options->set_certificate_provider(provider);
493 options->set_watch_root_cert(true);
494 options->set_root_cert_name(kRootCertName);
495 RefCountedPtr<TlsCredentials> credential =
496 MakeRefCounted<TlsCredentials>(options);
497 ChannelArgs connector_args;
498 RefCountedPtr<grpc_channel_security_connector> connector =
499 credential->create_security_connector(nullptr, kTargetName,
500 &connector_args);
501 grpc_call_credentials* call_creds =
502 grpc_md_only_test_credentials_create("", "");
503 ChannelArgs other_connector_args;
504 RefCountedPtr<grpc_channel_security_connector> other_connector =
505 credential->create_security_connector(
506 RefCountedPtr<grpc_call_credentials>(call_creds), kTargetName,
507 &other_connector_args);
508 // Comparing the equality of security connectors generated with different call
509 // credentials should fail.
510 EXPECT_NE(connector->cmp(other_connector.get()), 0);
511 }
512
TEST_F(TlsSecurityConnectorTest,CompareChannelSecurityConnectorFailsOnDifferentTargetNames)513 TEST_F(TlsSecurityConnectorTest,
514 CompareChannelSecurityConnectorFailsOnDifferentTargetNames) {
515 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
516 MakeRefCounted<grpc_tls_certificate_distributor>();
517 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
518 RefCountedPtr<grpc_tls_certificate_provider> provider =
519 MakeRefCounted<TlsTestCertificateProvider>(distributor);
520 auto options = MakeRefCounted<grpc_tls_credentials_options>();
521 options->set_certificate_provider(provider);
522 options->set_watch_root_cert(true);
523 options->set_root_cert_name(kRootCertName);
524 RefCountedPtr<TlsCredentials> credential =
525 MakeRefCounted<TlsCredentials>(options);
526 ChannelArgs connector_args;
527 ChannelArgs other_connector_args;
528 RefCountedPtr<grpc_channel_security_connector> connector =
529 credential->create_security_connector(nullptr, kTargetName,
530 &connector_args);
531 RefCountedPtr<grpc_channel_security_connector> other_connector =
532 credential->create_security_connector(nullptr, "", &other_connector_args);
533 // Comparing the equality of security connectors generated with different
534 // target names should fail.
535 EXPECT_NE(connector->cmp(other_connector.get()), 0);
536 }
537
538 // Tests for ServerSecurityConnector.
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithAsyncExternalVerifierSucceeds)539 TEST_F(TlsSecurityConnectorTest,
540 ChannelSecurityConnectorWithAsyncExternalVerifierSucceeds) {
541 auto* async_verifier = new AsyncExternalVerifier(true);
542 auto* core_external_verifier =
543 new ExternalCertificateVerifier(async_verifier->base());
544 auto options = MakeRefCounted<grpc_tls_credentials_options>();
545 options->set_verify_server_cert(true);
546 options->set_certificate_verifier(core_external_verifier->Ref());
547 options->set_check_call_host(false);
548 RefCountedPtr<TlsCredentials> credential =
549 MakeRefCounted<TlsCredentials>(options);
550 ChannelArgs new_args;
551 RefCountedPtr<grpc_channel_security_connector> connector =
552 credential->create_security_connector(nullptr, kTargetName, &new_args);
553 EXPECT_NE(connector, nullptr);
554 TlsChannelSecurityConnector* tls_connector =
555 static_cast<TlsChannelSecurityConnector*>(connector.get());
556 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
557 // Construct a basic TSI Peer.
558 tsi_peer peer;
559 GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
560 GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
561 "h2", strlen("h2"),
562 &peer.properties[0]) == TSI_OK);
563 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
564 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
565 &peer.properties[1]) == TSI_OK);
566 RefCountedPtr<grpc_auth_context> auth_context;
567 ExecCtx exec_ctx;
568 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
569 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
570 tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
571 on_peer_checked);
572 core_external_verifier->Unref();
573 }
574
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithAsyncExternalVerifierFails)575 TEST_F(TlsSecurityConnectorTest,
576 ChannelSecurityConnectorWithAsyncExternalVerifierFails) {
577 auto* async_verifier = new AsyncExternalVerifier(false);
578 auto* core_external_verifier =
579 new ExternalCertificateVerifier(async_verifier->base());
580 auto options = MakeRefCounted<grpc_tls_credentials_options>();
581 options->set_verify_server_cert(true);
582 options->set_certificate_verifier(core_external_verifier->Ref());
583 options->set_check_call_host(false);
584 RefCountedPtr<TlsCredentials> credential =
585 MakeRefCounted<TlsCredentials>(options);
586 ChannelArgs new_args;
587 RefCountedPtr<grpc_channel_security_connector> connector =
588 credential->create_security_connector(nullptr, kTargetName, &new_args);
589 EXPECT_NE(connector, nullptr);
590 TlsChannelSecurityConnector* tls_connector =
591 static_cast<TlsChannelSecurityConnector*>(connector.get());
592 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
593 // Construct a basic TSI Peer.
594 tsi_peer peer;
595 GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
596 GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
597 "h2", strlen("h2"),
598 &peer.properties[0]) == TSI_OK);
599 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
600 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
601 &peer.properties[1]) == TSI_OK);
602 RefCountedPtr<grpc_auth_context> auth_context;
603 const char* expected_error_msg =
604 "Custom verification check failed with error: UNAUTHENTICATED: "
605 "AsyncExternalVerifier failed";
606 ExecCtx exec_ctx;
607 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
608 VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
609 grpc_schedule_on_exec_ctx);
610 tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
611 on_peer_checked);
612 core_external_verifier->Unref();
613 }
614
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorHostnameVerifierSucceeds)615 TEST_F(TlsSecurityConnectorTest,
616 ChannelSecurityConnectorHostnameVerifierSucceeds) {
617 RefCountedPtr<grpc_tls_credentials_options> options =
618 MakeRefCounted<grpc_tls_credentials_options>();
619 options->set_verify_server_cert(true);
620 options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
621 options->set_check_call_host(false);
622 RefCountedPtr<TlsCredentials> credential =
623 MakeRefCounted<TlsCredentials>(options);
624 ChannelArgs new_args;
625 RefCountedPtr<grpc_channel_security_connector> connector =
626 credential->create_security_connector(nullptr, kTargetName, &new_args);
627 EXPECT_NE(connector, nullptr);
628 TlsChannelSecurityConnector* tls_connector =
629 static_cast<TlsChannelSecurityConnector*>(connector.get());
630 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
631 // Construct a full TSI Peer.
632 tsi_peer peer;
633 GPR_ASSERT(tsi_construct_peer(7, &peer) == TSI_OK);
634 GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
635 "h2", strlen("h2"),
636 &peer.properties[0]) == TSI_OK);
637 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
638 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
639 &peer.properties[1]) == TSI_OK);
640 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
641 TSI_X509_PEM_CERT_PROPERTY, "pem_cert", &peer.properties[2]) ==
642 TSI_OK);
643 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
644 TSI_SECURITY_LEVEL_PEER_PROPERTY,
645 tsi_security_level_to_string(TSI_PRIVACY_AND_INTEGRITY),
646 &peer.properties[3]) == TSI_OK);
647 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
648 TSI_X509_PEM_CERT_CHAIN_PROPERTY, "pem_cert_chain",
649 &peer.properties[4]) == TSI_OK);
650 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
651 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "foo.bar.com",
652 &peer.properties[5]) == TSI_OK);
653 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
654 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "foo.baz.com",
655 &peer.properties[6]) == TSI_OK);
656 RefCountedPtr<grpc_auth_context> auth_context;
657 ExecCtx exec_ctx;
658 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
659 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
660 tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
661 on_peer_checked);
662 }
663
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorHostnameVerifierFails)664 TEST_F(TlsSecurityConnectorTest,
665 ChannelSecurityConnectorHostnameVerifierFails) {
666 RefCountedPtr<grpc_tls_credentials_options> options =
667 MakeRefCounted<grpc_tls_credentials_options>();
668 options->set_verify_server_cert(true);
669 options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
670 RefCountedPtr<TlsCredentials> credential =
671 MakeRefCounted<TlsCredentials>(options);
672 ChannelArgs new_args;
673 RefCountedPtr<grpc_channel_security_connector> connector =
674 credential->create_security_connector(nullptr, kTargetName, &new_args);
675 EXPECT_NE(connector, nullptr);
676 TlsChannelSecurityConnector* tls_connector =
677 static_cast<TlsChannelSecurityConnector*>(connector.get());
678 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
679 // Construct a full TSI Peer.
680 tsi_peer peer;
681 GPR_ASSERT(tsi_construct_peer(7, &peer) == TSI_OK);
682 GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
683 "h2", strlen("h2"),
684 &peer.properties[0]) == TSI_OK);
685 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
686 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.com",
687 &peer.properties[1]) == TSI_OK);
688 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
689 TSI_X509_PEM_CERT_PROPERTY, "pem_cert", &peer.properties[2]) ==
690 TSI_OK);
691 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
692 TSI_SECURITY_LEVEL_PEER_PROPERTY,
693 tsi_security_level_to_string(TSI_PRIVACY_AND_INTEGRITY),
694 &peer.properties[3]) == TSI_OK);
695 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
696 TSI_X509_PEM_CERT_CHAIN_PROPERTY, "pem_cert_chain",
697 &peer.properties[4]) == TSI_OK);
698 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
699 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "*.com",
700 &peer.properties[5]) == TSI_OK);
701 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
702 TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "foo.baz.com",
703 &peer.properties[6]) == TSI_OK);
704 RefCountedPtr<grpc_auth_context> auth_context;
705 const char* expected_error_msg =
706 "Custom verification check failed with error: UNAUTHENTICATED: Hostname "
707 "Verification "
708 "Check failed.";
709 ExecCtx exec_ctx;
710 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
711 VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
712 grpc_schedule_on_exec_ctx);
713 tls_connector->check_peer(peer, nullptr, new_args, &auth_context,
714 on_peer_checked);
715 }
716
TEST_F(TlsSecurityConnectorTest,ChannelSecurityConnectorWithVerifiedRootCertSubjectSucceeds)717 TEST_F(TlsSecurityConnectorTest,
718 ChannelSecurityConnectorWithVerifiedRootCertSubjectSucceeds) {
719 auto* sync_verifier = new SyncExternalVerifier(true);
720 ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
721 RefCountedPtr<grpc_tls_credentials_options> options =
722 MakeRefCounted<grpc_tls_credentials_options>();
723 options->set_verify_server_cert(true);
724 options->set_certificate_verifier(core_external_verifier.Ref());
725 options->set_check_call_host(false);
726 RefCountedPtr<TlsCredentials> credential =
727 MakeRefCounted<TlsCredentials>(options);
728 ChannelArgs new_args;
729 RefCountedPtr<grpc_channel_security_connector> connector =
730 credential->create_security_connector(nullptr, kTargetName, &new_args);
731 EXPECT_NE(connector, nullptr);
732 TlsChannelSecurityConnector* tls_connector =
733 static_cast<TlsChannelSecurityConnector*>(connector.get());
734 EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
735 // Construct a basic TSI Peer.
736 std::string expected_subject =
737 "CN=testca,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU";
738 tsi_peer peer;
739 EXPECT_EQ(tsi_construct_peer(2, &peer), TSI_OK);
740 EXPECT_EQ(
741 tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
742 strlen("h2"), &peer.properties[0]),
743 TSI_OK);
744 EXPECT_EQ(tsi_construct_string_peer_property_from_cstring(
745 TSI_X509_VERIFIED_ROOT_CERT_SUBECT_PEER_PROPERTY,
746 expected_subject.c_str(), &peer.properties[1]),
747 TSI_OK);
748 RefCountedPtr<grpc_auth_context> auth_context;
749 ExecCtx exec_ctx;
750 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
751 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
752 ChannelArgs args;
753 tls_connector->check_peer(peer, nullptr, args, &auth_context,
754 on_peer_checked);
755 }
756
757 //
758 // Tests for Certificate Providers in ServerSecurityConnector.
759 //
760
TEST_F(TlsSecurityConnectorTest,RootAndIdentityCertsObtainedWhenCreateServerSecurityConnector)761 TEST_F(TlsSecurityConnectorTest,
762 RootAndIdentityCertsObtainedWhenCreateServerSecurityConnector) {
763 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
764 MakeRefCounted<grpc_tls_certificate_distributor>();
765 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
766 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
767 identity_pairs_0_);
768 RefCountedPtr<grpc_tls_certificate_provider> provider =
769 MakeRefCounted<TlsTestCertificateProvider>(distributor);
770 RefCountedPtr<grpc_tls_credentials_options> options =
771 MakeRefCounted<grpc_tls_credentials_options>();
772 options->set_certificate_provider(provider);
773 options->set_watch_root_cert(true);
774 options->set_watch_identity_pair(true);
775 options->set_root_cert_name(kRootCertName);
776 options->set_identity_cert_name(kIdentityCertName);
777 RefCountedPtr<TlsServerCredentials> credential =
778 MakeRefCounted<TlsServerCredentials>(options);
779 RefCountedPtr<grpc_server_security_connector> connector =
780 credential->create_security_connector(ChannelArgs());
781 EXPECT_NE(connector, nullptr);
782 TlsServerSecurityConnector* tls_connector =
783 static_cast<TlsServerSecurityConnector*>(connector.get());
784 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
785 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
786 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
787 distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
788 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
789 identity_pairs_1_);
790 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
791 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
792 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
793 }
794
795 // Note that on server side, we don't have tests watching root certs only,
796 // because in TLS, the identity certs should always be presented. If we don't
797 // provide, it will try to load certs from some default system locations, and
798 // will hence fail on some systems.
TEST_F(TlsSecurityConnectorTest,IdentityCertsObtainedWhenCreateServerSecurityConnector)799 TEST_F(TlsSecurityConnectorTest,
800 IdentityCertsObtainedWhenCreateServerSecurityConnector) {
801 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
802 MakeRefCounted<grpc_tls_certificate_distributor>();
803 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
804 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
805 identity_pairs_0_);
806 RefCountedPtr<grpc_tls_certificate_provider> provider =
807 MakeRefCounted<TlsTestCertificateProvider>(distributor);
808 // Create options only watching for identity certificates.
809 RefCountedPtr<grpc_tls_credentials_options> identity_options =
810 MakeRefCounted<grpc_tls_credentials_options>();
811 identity_options->set_certificate_provider(provider);
812 identity_options->set_watch_identity_pair(true);
813 identity_options->set_identity_cert_name(kIdentityCertName);
814 RefCountedPtr<TlsServerCredentials> identity_credential =
815 MakeRefCounted<TlsServerCredentials>(identity_options);
816 RefCountedPtr<grpc_server_security_connector> identity_connector =
817 identity_credential->create_security_connector(ChannelArgs());
818 EXPECT_NE(identity_connector, nullptr);
819 TlsServerSecurityConnector* tls_identity_connector =
820 static_cast<TlsServerSecurityConnector*>(identity_connector.get());
821 EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
822 nullptr);
823 EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
824 identity_pairs_0_);
825 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
826 identity_pairs_1_);
827 EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
828 nullptr);
829 EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
830 identity_pairs_1_);
831 }
832
TEST_F(TlsSecurityConnectorTest,CertPartiallyObtainedWhenCreateServerSecurityConnector)833 TEST_F(TlsSecurityConnectorTest,
834 CertPartiallyObtainedWhenCreateServerSecurityConnector) {
835 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
836 MakeRefCounted<grpc_tls_certificate_distributor>();
837 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
838 identity_pairs_0_);
839 RefCountedPtr<grpc_tls_certificate_provider> provider =
840 MakeRefCounted<TlsTestCertificateProvider>(distributor);
841 // Registered the options watching both certs, but only root certs are
842 // available at distributor right now.
843 RefCountedPtr<grpc_tls_credentials_options> options =
844 MakeRefCounted<grpc_tls_credentials_options>();
845 options->set_certificate_provider(provider);
846 options->set_watch_root_cert(true);
847 options->set_watch_identity_pair(true);
848 options->set_root_cert_name(kRootCertName);
849 options->set_identity_cert_name(kIdentityCertName);
850 RefCountedPtr<TlsServerCredentials> credential =
851 MakeRefCounted<TlsServerCredentials>(options);
852 RefCountedPtr<grpc_server_security_connector> connector =
853 credential->create_security_connector(ChannelArgs());
854 EXPECT_NE(connector, nullptr);
855 TlsServerSecurityConnector* tls_connector =
856 static_cast<TlsServerSecurityConnector*>(connector.get());
857 // The server_handshaker_factory_ shouldn't be updated.
858 EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
859 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
860 // After updating the root certs, the server_handshaker_factory_ should be
861 // updated.
862 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
863 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
864 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
865 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
866 }
867
TEST_F(TlsSecurityConnectorTest,DistributorHasErrorForServerSecurityConnector)868 TEST_F(TlsSecurityConnectorTest,
869 DistributorHasErrorForServerSecurityConnector) {
870 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
871 MakeRefCounted<grpc_tls_certificate_distributor>();
872 distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
873 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
874 identity_pairs_0_);
875 RefCountedPtr<grpc_tls_certificate_provider> provider =
876 MakeRefCounted<TlsTestCertificateProvider>(distributor);
877 RefCountedPtr<grpc_tls_credentials_options> options =
878 MakeRefCounted<grpc_tls_credentials_options>();
879 options->set_certificate_provider(provider);
880 options->set_watch_root_cert(true);
881 options->set_watch_identity_pair(true);
882 options->set_root_cert_name(kRootCertName);
883 options->set_identity_cert_name(kIdentityCertName);
884 RefCountedPtr<TlsServerCredentials> credential =
885 MakeRefCounted<TlsServerCredentials>(options);
886 RefCountedPtr<grpc_server_security_connector> connector =
887 credential->create_security_connector(ChannelArgs());
888 EXPECT_NE(connector, nullptr);
889 TlsServerSecurityConnector* tls_connector =
890 static_cast<TlsServerSecurityConnector*>(connector.get());
891 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
892 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
893 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
894 // Calling SetErrorForCert on distributor shouldn't invalidate the previous
895 // valid credentials.
896 distributor->SetErrorForCert(kRootCertName, GRPC_ERROR_CREATE(kErrorMessage),
897 absl::nullopt);
898 distributor->SetErrorForCert(kIdentityCertName, absl::nullopt,
899 GRPC_ERROR_CREATE(kErrorMessage));
900 EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
901 EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
902 EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
903 }
904
TEST_F(TlsSecurityConnectorTest,CreateServerSecurityConnectorFailNoCredentials)905 TEST_F(TlsSecurityConnectorTest,
906 CreateServerSecurityConnectorFailNoCredentials) {
907 auto connector = TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
908 nullptr, MakeRefCounted<grpc_tls_credentials_options>());
909 EXPECT_EQ(connector, nullptr);
910 }
911
TEST_F(TlsSecurityConnectorTest,CreateServerSecurityConnectorFailNoOptions)912 TEST_F(TlsSecurityConnectorTest, CreateServerSecurityConnectorFailNoOptions) {
913 RefCountedPtr<grpc_tls_credentials_options> options =
914 MakeRefCounted<grpc_tls_credentials_options>();
915 RefCountedPtr<TlsServerCredentials> credential =
916 MakeRefCounted<TlsServerCredentials>(options);
917 auto connector = TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
918 credential, nullptr);
919 EXPECT_EQ(connector, nullptr);
920 }
921
TEST_F(TlsSecurityConnectorTest,CompareServerSecurityConnectorSucceedsOnSameCredentials)922 TEST_F(TlsSecurityConnectorTest,
923 CompareServerSecurityConnectorSucceedsOnSameCredentials) {
924 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
925 MakeRefCounted<grpc_tls_certificate_distributor>();
926 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
927 identity_pairs_0_);
928 RefCountedPtr<grpc_tls_certificate_provider> provider =
929 MakeRefCounted<TlsTestCertificateProvider>(distributor);
930 auto options = MakeRefCounted<grpc_tls_credentials_options>();
931 options->set_certificate_provider(provider);
932 options->set_watch_identity_pair(true);
933 options->set_identity_cert_name(kIdentityCertName);
934 RefCountedPtr<TlsServerCredentials> credential =
935 MakeRefCounted<TlsServerCredentials>(options);
936 RefCountedPtr<grpc_server_security_connector> connector =
937 credential->create_security_connector(ChannelArgs());
938 RefCountedPtr<grpc_server_security_connector> other_connector =
939 credential->create_security_connector(ChannelArgs());
940 // Comparing the equality of security connectors generated from the same
941 // server credentials with same settings should succeed.
942 EXPECT_EQ(connector->cmp(other_connector.get()), 0);
943 }
944
TEST_F(TlsSecurityConnectorTest,CompareServerSecurityConnectorFailsOnDifferentServerCredentials)945 TEST_F(TlsSecurityConnectorTest,
946 CompareServerSecurityConnectorFailsOnDifferentServerCredentials) {
947 RefCountedPtr<grpc_tls_certificate_distributor> distributor =
948 MakeRefCounted<grpc_tls_certificate_distributor>();
949 distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
950 identity_pairs_0_);
951 RefCountedPtr<grpc_tls_certificate_provider> provider =
952 MakeRefCounted<TlsTestCertificateProvider>(distributor);
953 auto options = MakeRefCounted<grpc_tls_credentials_options>();
954 options->set_certificate_provider(provider);
955 options->set_watch_identity_pair(true);
956 options->set_identity_cert_name(kIdentityCertName);
957 RefCountedPtr<TlsServerCredentials> credential =
958 MakeRefCounted<TlsServerCredentials>(options);
959 RefCountedPtr<grpc_server_security_connector> connector =
960 credential->create_security_connector(ChannelArgs());
961 RefCountedPtr<TlsServerCredentials> other_credential =
962 MakeRefCounted<TlsServerCredentials>(options);
963 RefCountedPtr<grpc_server_security_connector> other_connector =
964 other_credential->create_security_connector(ChannelArgs());
965 // Comparing the equality of security connectors generated from different
966 // server credentials should fail.
967 EXPECT_NE(connector->cmp(other_connector.get()), 0);
968 }
969
970 //
971 // Tests for Certificate Verifier in ServerSecurityConnector.
972 //
973
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithSyncExternalVerifierSucceeds)974 TEST_F(TlsSecurityConnectorTest,
975 ServerSecurityConnectorWithSyncExternalVerifierSucceeds) {
976 auto* sync_verifier = new SyncExternalVerifier(true);
977 ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
978 RefCountedPtr<grpc_tls_credentials_options> options =
979 MakeRefCounted<grpc_tls_credentials_options>();
980 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
981 options->set_certificate_verifier(core_external_verifier.Ref());
982 auto provider =
983 MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
984 options->set_certificate_provider(std::move(provider));
985 options->set_watch_identity_pair(true);
986 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
987 auto connector = credentials->create_security_connector(ChannelArgs());
988 // Construct a basic TSI Peer.
989 tsi_peer peer;
990 GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
991 GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
992 "h2", strlen("h2"),
993 &peer.properties[0]) == TSI_OK);
994 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
995 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
996 &peer.properties[1]) == TSI_OK);
997 RefCountedPtr<grpc_auth_context> auth_context;
998 ExecCtx exec_ctx;
999 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1000 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
1001 ChannelArgs args;
1002 connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1003 }
1004
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithSyncExternalVerifierFails)1005 TEST_F(TlsSecurityConnectorTest,
1006 ServerSecurityConnectorWithSyncExternalVerifierFails) {
1007 auto* sync_verifier = new SyncExternalVerifier(false);
1008 ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
1009 RefCountedPtr<grpc_tls_credentials_options> options =
1010 MakeRefCounted<grpc_tls_credentials_options>();
1011 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
1012 options->set_certificate_verifier(core_external_verifier.Ref());
1013 auto provider =
1014 MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1015 options->set_certificate_provider(std::move(provider));
1016 options->set_watch_identity_pair(true);
1017 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1018 auto connector = credentials->create_security_connector(ChannelArgs());
1019 // Construct a basic TSI Peer.
1020 tsi_peer peer;
1021 GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
1022 GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
1023 "h2", strlen("h2"),
1024 &peer.properties[0]) == TSI_OK);
1025 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
1026 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
1027 &peer.properties[1]) == TSI_OK);
1028 RefCountedPtr<grpc_auth_context> auth_context;
1029 const char* expected_error_msg =
1030 "Custom verification check failed with error: UNAUTHENTICATED: "
1031 "SyncExternalVerifier failed";
1032 ExecCtx exec_ctx;
1033 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1034 VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
1035 grpc_schedule_on_exec_ctx);
1036 ChannelArgs args;
1037 connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1038 }
1039
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithAsyncExternalVerifierSucceeds)1040 TEST_F(TlsSecurityConnectorTest,
1041 ServerSecurityConnectorWithAsyncExternalVerifierSucceeds) {
1042 auto* async_verifier = new AsyncExternalVerifier(true);
1043 auto* core_external_verifier =
1044 new ExternalCertificateVerifier(async_verifier->base());
1045 auto options = MakeRefCounted<grpc_tls_credentials_options>();
1046 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
1047 options->set_certificate_verifier(core_external_verifier->Ref());
1048 auto provider =
1049 MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1050 options->set_certificate_provider(std::move(provider));
1051 options->set_watch_identity_pair(true);
1052 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1053 auto connector = credentials->create_security_connector(ChannelArgs());
1054 // Construct a basic TSI Peer.
1055 tsi_peer peer;
1056 GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
1057 GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
1058 "h2", strlen("h2"),
1059 &peer.properties[0]) == TSI_OK);
1060 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
1061 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
1062 &peer.properties[1]) == TSI_OK);
1063 RefCountedPtr<grpc_auth_context> auth_context;
1064 ExecCtx exec_ctx;
1065 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1066 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
1067 ChannelArgs args;
1068 connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1069 core_external_verifier->Unref();
1070 }
1071
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithAsyncExternalVerifierFails)1072 TEST_F(TlsSecurityConnectorTest,
1073 ServerSecurityConnectorWithAsyncExternalVerifierFails) {
1074 auto* async_verifier = new AsyncExternalVerifier(false);
1075 auto* core_external_verifier =
1076 new ExternalCertificateVerifier(async_verifier->base());
1077 RefCountedPtr<grpc_tls_credentials_options> options =
1078 MakeRefCounted<grpc_tls_credentials_options>();
1079 options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
1080 options->set_certificate_verifier(core_external_verifier->Ref());
1081 auto provider =
1082 MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1083 options->set_certificate_provider(std::move(provider));
1084 options->set_watch_identity_pair(true);
1085 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1086 auto connector = credentials->create_security_connector(ChannelArgs());
1087 // Construct a basic TSI Peer.
1088 tsi_peer peer;
1089 GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
1090 GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
1091 "h2", strlen("h2"),
1092 &peer.properties[0]) == TSI_OK);
1093 GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
1094 TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
1095 &peer.properties[1]) == TSI_OK);
1096 RefCountedPtr<grpc_auth_context> auth_context;
1097 const char* expected_error_msg =
1098 "Custom verification check failed with error: UNAUTHENTICATED: "
1099 "AsyncExternalVerifier failed";
1100 ExecCtx exec_ctx;
1101 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1102 VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
1103 grpc_schedule_on_exec_ctx);
1104 ChannelArgs args;
1105 connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1106 core_external_verifier->Unref();
1107 }
1108
TEST_F(TlsSecurityConnectorTest,ServerSecurityConnectorWithVerifiedRootSubjectCertSucceeds)1109 TEST_F(TlsSecurityConnectorTest,
1110 ServerSecurityConnectorWithVerifiedRootSubjectCertSucceeds) {
1111 auto* sync_verifier = new SyncExternalVerifier(true);
1112 ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
1113 RefCountedPtr<grpc_tls_credentials_options> options =
1114 MakeRefCounted<grpc_tls_credentials_options>();
1115 options->set_cert_request_type(
1116 GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
1117 options->set_certificate_verifier(core_external_verifier.Ref());
1118 auto provider =
1119 MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1120 options->set_certificate_provider(std::move(provider));
1121 options->set_watch_identity_pair(true);
1122 auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1123 auto connector = credentials->create_security_connector(ChannelArgs());
1124 // Construct a basic TSI Peer.
1125 std::string expected_subject =
1126 "CN=testca,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU";
1127 tsi_peer peer;
1128 EXPECT_EQ(tsi_construct_peer(2, &peer), TSI_OK);
1129 EXPECT_EQ(
1130 tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL, "h2",
1131 strlen("h2"), &peer.properties[0]),
1132 TSI_OK);
1133 EXPECT_EQ(tsi_construct_string_peer_property_from_cstring(
1134 TSI_X509_VERIFIED_ROOT_CERT_SUBECT_PEER_PROPERTY,
1135 expected_subject.c_str(), &peer.properties[1]),
1136 TSI_OK);
1137 RefCountedPtr<grpc_auth_context> auth_context;
1138 ExecCtx exec_ctx;
1139 grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1140 VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
1141 ChannelArgs args;
1142 connector->check_peer(peer, nullptr, args, &auth_context, on_peer_checked);
1143 }
1144 } // namespace testing
1145 } // namespace grpc_core
1146
main(int argc,char ** argv)1147 int main(int argc, char** argv) {
1148 grpc::testing::TestEnvironment env(&argc, argv);
1149 grpc_core::ConfigVars::Overrides overrides;
1150 overrides.default_ssl_roots_file_path = CA_CERT_PATH;
1151 grpc_core::ConfigVars::SetOverrides(overrides);
1152 ::testing::InitGoogleTest(&argc, argv);
1153 grpc_init();
1154 int ret = RUN_ALL_TESTS();
1155 grpc_shutdown();
1156 return ret;
1157 }
1158