
// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <stdio.h>

#include <memory>
#include <string>
#include <utility>

#include "cast/common/certificate/cast_trust_store.h"
#include "cast/common/certificate/testing/test_helpers.h"
#include "cast/common/channel/proto/cast_channel.pb.h"
#include "cast/common/channel/testing/fake_cast_socket.h"
#include "cast/common/channel/testing/mock_socket_error_handler.h"
#include "cast/common/channel/virtual_connection_router.h"
#include "cast/common/public/cast_socket.h"
#include "cast/receiver/channel/device_auth_namespace_handler.h"
#include "cast/receiver/channel/static_credentials.h"
#include "cast/receiver/channel/testing/device_auth_test_helpers.h"
#include "cast/sender/channel/cast_auth_util.h"
#include "cast/sender/channel/message_util.h"
#include "gtest/gtest.h"
#include "platform/test/paths.h"
#include "testing/util/read_file.h"
namespace openscreen {
namespace cast {
namespace {
using ::cast::channel::CastMessage;
using ::cast::channel::DeviceAuthMessage;
using ::testing::_;
using ::testing::Invoke;
// Directory holding this test's fixtures (device key, certificate chain,
// recorded .pb messages): the shared test-data root plus
// "cast/receiver/channel/". Built on first use and shared by all tests here.
const std::string& GetSpecificTestDataPath() {
  static const std::string kDataPath =
      GetTestDataPath() + "cast/receiver/channel/";
  return kDataPath;
}
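class DeviceAuthTest : public ::testing::Test {
 public:
  // Hands the fake socket pair's receiver-side socket to the router and
  // registers the device-auth handler under the platform receiver ID, so a
  // challenge sent from the peer side of the pair is routed to |auth_handler_|.
  void SetUp() override {
    socket_ = fake_cast_socket_pair_.socket.get();
    router_.TakeSocket(&mock_error_handler_,
                       std::move(fake_cast_socket_pair_.socket));
    router_.AddHandlerForLocalId(kPlatformReceiverId, &auth_handler_);
  }

 protected:
  // Writes |contents| to |path| in binary mode, replacing any existing file.
  // Returns false if the file could not be opened or if not every byte was
  // written and flushed. The FILE is owned by a unique_ptr, so the handle is
  // closed on every return path rather than only on the success path.
  static bool WriteTestFile(const std::string& path,
                            const std::string& contents) {
    std::unique_ptr<FILE, decltype(&fclose)> file(fopen(path.c_str(), "wb"),
                                                  &fclose);
    if (!file) {
      return false;
    }
    const size_t written =
        fwrite(contents.data(), 1, contents.size(), file.get());
    // fflush() surfaces buffered write errors here; the deleter's fclose()
    // return value cannot be observed.
    return written == contents.size() && fflush(file.get()) == 0;
  }

  // Runs one complete device-auth exchange against |auth_handler_| and checks
  // the sender-side verification outcome.
  //
  // |serialized_crl| is installed as the receiver's CRL (empty means none).
  // |fake_crl_trust_store|, when non-null, is used to verify the CRL and makes
  // CRL checking required; when null the CRL is optional.
  // |should_succeed| is the expected is_value() of the verification result.
  // |record_this_test| additionally writes the serialized challenge and the
  // response sub-message to auth_challenge.pb / auth_response.pb under
  // |data_path_|, for regenerating fixtures (see MANUAL_SerializeTestData).
  void RunAuthTest(std::string serialized_crl,
                   TrustStore* fake_crl_trust_store,
                   bool should_succeed = true,
                   bool record_this_test = false) {
    bssl::UniquePtr<X509> parsed_cert;
    TrustStore fake_trust_store;
    // Populates |creds_|, |parsed_cert| and |fake_trust_store| from the device
    // key, certificate chain and TLS certificate fixtures.
    InitStaticCredentialsFromFiles(
        &creds_, &parsed_cert, &fake_trust_store, data_path_ + "device_key.pem",
        data_path_ + "device_chain.pem", data_path_ + "device_tls.pem");
    creds_.device_creds.serialized_crl = std::move(serialized_crl);

    // Send an auth challenge. |auth_handler_| will automatically respond
    // via |router_| and we will catch the result in |challenge_reply|.
    AuthContext auth_context = AuthContext::Create();
    CastMessage auth_challenge = CreateAuthChallengeMessage(auth_context);
    if (record_this_test) {
      std::string output;
      DeviceAuthMessage auth_message;
      ASSERT_EQ(auth_challenge.payload_type(),
                ::cast::channel::CastMessage_PayloadType_BINARY);
      ASSERT_TRUE(
          auth_message.ParseFromString(auth_challenge.payload_binary()));
      ASSERT_TRUE(auth_message.has_challenge());
      ASSERT_FALSE(auth_message.has_response());
      ASSERT_FALSE(auth_message.has_error());
      // The whole CastMessage is recorded for the challenge.
      ASSERT_TRUE(auth_challenge.SerializeToString(&output));
      ASSERT_TRUE(WriteTestFile(data_path_ + "auth_challenge.pb", output));
    }

    CastMessage challenge_reply;
    EXPECT_CALL(fake_cast_socket_pair_.mock_peer_client, OnMessage(_, _))
        .WillOnce(
            Invoke([&challenge_reply](CastSocket* socket, CastMessage message) {
              challenge_reply = std::move(message);
            }));
    ASSERT_TRUE(
        fake_cast_socket_pair_.peer_socket->Send(std::move(auth_challenge))
            .ok());
    // |challenge_reply| is read right below, so the fake pair is relied upon
    // to deliver the handler's reply before Send() returns.
    if (record_this_test) {
      std::string output;
      DeviceAuthMessage auth_message;
      ASSERT_EQ(challenge_reply.payload_type(),
                ::cast::channel::CastMessage_PayloadType_BINARY);
      ASSERT_TRUE(
          auth_message.ParseFromString(challenge_reply.payload_binary()));
      ASSERT_TRUE(auth_message.has_response());
      ASSERT_FALSE(auth_message.has_challenge());
      ASSERT_FALSE(auth_message.has_error());
      // Unlike the challenge, only the inner response message is recorded.
      ASSERT_TRUE(auth_message.response().SerializeToString(&output));
      ASSERT_TRUE(WriteTestFile(data_path_ + "auth_response.pb", output));
    }

    // Verify at a fixed date rather than the wall clock, so the outcome does
    // not drift as the checked-in certificates and CRLs age.
    DateTime December2019 = {};
    December2019.year = 2019;
    December2019.month = 12;
    December2019.day = 17;
    // A CRL is only required when the test supplies a trust store for it.
    const ErrorOr<CastDeviceCertPolicy> error_or_policy =
        AuthenticateChallengeReplyForTest(
            challenge_reply, parsed_cert.get(), auth_context,
            fake_crl_trust_store ? CRLPolicy::kCrlRequired
                                 : CRLPolicy::kCrlOptional,
            &fake_trust_store, fake_crl_trust_store, December2019);
    EXPECT_EQ(error_or_policy.is_value(), should_succeed);
  }

  const std::string& data_path_{GetSpecificTestDataPath()};
  FakeCastSocketPair fake_cast_socket_pair_;
  MockSocketErrorHandler mock_error_handler_;
  // Non-owning; the socket itself is handed to |router_| in SetUp().
  CastSocket* socket_ = nullptr;
  StaticCredentialsProvider creds_;
  VirtualConnectionRouter router_;
  DeviceAuthNamespaceHandler auth_handler_{&creds_};
};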
TEST_F(DeviceAuthTest, MANUAL_SerializeTestData) {
  // Regenerates the recorded .pb fixtures only when this test is selected by
  // itself through an exact --gtest_filter; a normal run never rewrites them.
  const bool selected_alone =
      ::testing::GTEST_FLAG(filter) ==
      "DeviceAuthTest.MANUAL_SerializeTestData";
  if (!selected_alone) {
    return;
  }
  RunAuthTest(std::string(), nullptr, true, true);
}
TEST_F(DeviceAuthTest, AuthIntegration) {
  // Baseline exchange: no CRL installed, CRL optional, expected to succeed.
  std::string no_crl;
  RunAuthTest(std::move(no_crl), nullptr);
}
TEST_F(DeviceAuthTest, GoodCrl) {
  // With a CRL trust store supplied the CRL becomes required; this fixture is
  // expected to pass verification.
  auto fake_crl_trust_store =
      TrustStore::CreateInstanceFromPemFile(data_path_ + "crl_root.pem");
  std::string crl = ReadEntireFileToString(data_path_ + "good_crl.pb");
  RunAuthTest(std::move(crl), &fake_crl_trust_store);
}
TEST_F(DeviceAuthTest, InvalidCrlTime) {
  // Expected to fail: per its name, this CRL's validity window does not cover
  // the fixed verification date used by RunAuthTest.
  auto fake_crl_trust_store =
      TrustStore::CreateInstanceFromPemFile(data_path_ + "crl_root.pem");
  std::string crl = ReadEntireFileToString(data_path_ + "invalid_time_crl.pb");
  RunAuthTest(std::move(crl), &fake_crl_trust_store, /*should_succeed=*/false);
}
TEST_F(DeviceAuthTest, IssuerRevoked) {
  // Expected to fail: per its name, this CRL revokes the device's issuer.
  auto fake_crl_trust_store =
      TrustStore::CreateInstanceFromPemFile(data_path_ + "crl_root.pem");
  std::string crl = ReadEntireFileToString(data_path_ + "issuer_revoked_crl.pb");
  RunAuthTest(std::move(crl), &fake_crl_trust_store, /*should_succeed=*/false);
}
TEST_F(DeviceAuthTest, DeviceRevoked) {
  // Expected to fail: per its name, this CRL revokes the device certificate.
  auto fake_crl_trust_store =
      TrustStore::CreateInstanceFromPemFile(data_path_ + "crl_root.pem");
  std::string crl = ReadEntireFileToString(data_path_ + "device_revoked_crl.pb");
  RunAuthTest(std::move(crl), &fake_crl_trust_store, /*should_succeed=*/false);
}
TEST_F(DeviceAuthTest, IssuerSerialRevoked) {
  // Expected to fail: per its name, this CRL revokes the issuer by serial.
  auto fake_crl_trust_store =
      TrustStore::CreateInstanceFromPemFile(data_path_ + "crl_root.pem");
  std::string crl =
      ReadEntireFileToString(data_path_ + "issuer_serial_revoked_crl.pb");
  RunAuthTest(std::move(crl), &fake_crl_trust_store, /*should_succeed=*/false);
}
TEST_F(DeviceAuthTest, DeviceSerialRevoked) {
  // Expected to fail: per its name, this CRL revokes the device by serial.
  auto fake_crl_trust_store =
      TrustStore::CreateInstanceFromPemFile(data_path_ + "crl_root.pem");
  std::string crl =
      ReadEntireFileToString(data_path_ + "device_serial_revoked_crl.pb");
  RunAuthTest(std::move(crl), &fake_crl_trust_store, /*should_succeed=*/false);
}
TEST_F(DeviceAuthTest, BadCrlSignerCert) {
  // Expected to fail: per its name, the CRL signer certificate does not chain
  // to crl_root.pem.
  auto fake_crl_trust_store =
      TrustStore::CreateInstanceFromPemFile(data_path_ + "crl_root.pem");
  std::string crl =
      ReadEntireFileToString(data_path_ + "bad_signer_cert_crl.pb");
  RunAuthTest(std::move(crl), &fake_crl_trust_store, /*should_succeed=*/false);
}
TEST_F(DeviceAuthTest, BadCrlSignature) {
  // Expected to fail: per its name, the CRL's signature does not verify.
  auto fake_crl_trust_store =
      TrustStore::CreateInstanceFromPemFile(data_path_ + "crl_root.pem");
  std::string crl = ReadEntireFileToString(data_path_ + "bad_signature_crl.pb");
  RunAuthTest(std::move(crl), &fake_crl_trust_store, /*should_succeed=*/false);
}
} // namespace
} // namespace cast
} // namespace openscreen