diff --git a/tests/builder.rs b/tests/builder.rs
new file mode 100644
index 0000000..3fade34
--- /dev/null
+++ b/tests/builder.rs
@@ -0,0 +1,83 @@
+use std::sync::Arc;
+
+use rustls::ClientConfig as RusTlsClientConfig;
+use rustls::ServerConfig as RusTlsServerConfig;
+
+use rustls_rustcrypto::provider as rustcrypto_provider;
+
+mod fake_time;
+use fake_time::FakeTime;
+
+mod fake_cert_server_verifier;
+use fake_cert_server_verifier::FakeServerCertVerifier;
+
+mod fake_cert_client_verifier;
+use fake_cert_client_verifier::FakeClientCertVerifier;
+
+mod fake_cert_server_resolver;
+use fake_cert_server_resolver::FakeServerCertResolver;
+
+// Test integration between rustls and rustls in Client builder context
+#[test]
+fn integrate_client_builder_with_details_fake() {
+    let provider = rustcrypto_provider();
+    let time_provider = FakeTime {};
+
+    let fake_server_cert_verifier = FakeServerCertVerifier {};
+
+    let builder_init =
+        RusTlsClientConfig::builder_with_details(Arc::new(provider), Arc::new(time_provider));
+
+    let builder_default_versions = builder_init
+        .with_safe_default_protocol_versions()
+        .expect("Default protocol versions error?");
+
+    let dangerous_verifier = builder_default_versions
+        .dangerous()
+        .with_custom_certificate_verifier(Arc::new(fake_server_cert_verifier));
+
+    // Out of scope
+    let rustls_client_config = dangerous_verifier.with_no_client_auth();
+
+    // RustCrypto is not fips
+    assert_eq!(rustls_client_config.fips(), false);
+}
+
+use rustls::DistinguishedName;
+
+// Test integration between rustls and rustls in Server builder context
+#[test]
+fn integrate_server_builder_with_details_fake() {
+    let provider = rustcrypto_provider();
+    let time_provider = FakeTime {};
+
+    let builder_init =
+        RusTlsServerConfig::builder_with_details(Arc::new(provider), Arc::new(time_provider));
+
+    let builder_default_versions = builder_init
+        .with_safe_default_protocol_versions()
+        .expect("Default protocol versions error?");
+
+    // A DistinguishedName is a Vec wrapped in internal types.
+    // DER or BER encoded Subject field from RFC 5280 for a single certificate.
+    // The Subject field is encoded as an RFC 5280 Name
+    //let b_wrap_in: &[u8] = b""; // TODO: should have constant somewhere
+
+    let dummy_entry: &[u8] = b"";
+
+    let client_dn = [DistinguishedName::in_sequence(dummy_entry)];
+
+    let client_cert_verifier = FakeClientCertVerifier { dn: client_dn };
+
+    let dangerous_verifier =
+        builder_default_versions.with_client_cert_verifier(Arc::new(client_cert_verifier));
+
+    let server_cert_resolver = FakeServerCertResolver {};
+
+    // Out of scope
+    let rustls_client_config =
+        dangerous_verifier.with_cert_resolver(Arc::new(server_cert_resolver));
+
+    // RustCrypto is not fips
+    assert_eq!(rustls_client_config.fips(), false);
+}
diff --git a/tests/fake_cert_client_verifier.rs b/tests/fake_cert_client_verifier.rs
new file mode 100644
index 0000000..a8dc9cc
--- /dev/null
+++ b/tests/fake_cert_client_verifier.rs
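Review bot: `assert_eq!(rustls_client_config.fips(), false)` in both tests compares a bool against a literal, which clippy's `bool_assert_comparison` flags; `assert!(!rustls_client_config.fips())` states the claim directly. The `use rustls::DistinguishedName;` placed between the two test functions belongs with the other imports at the top of the file, and the commented-out `//let b_wrap_in` line with its TODO is dead text that should either be removed or become a real comment. The two `// Out of scope` comments would help a reader more if they named what is out of scope, e.g. `// Out of scope: no handshake is driven here; this only checks that the builder accepts the RustCrypto provider and the fake verifier.` With that said, the client test intentionally goes through `dangerous()` with an accept-all verifier, so a one-line comment above `dangerous_verifier` saying the verifier is a no-op test double would keep the intent obvious.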
@@ -0,0 +1,71 @@
+use rustls::DistinguishedName;
+use rustls::Error;
+
+use rustls::SignatureScheme;
+
+use rustls::pki_types::CertificateDer;
+use rustls::pki_types::UnixTime;
+use rustls::DigitallySignedStruct;
+
+use rustls::client::danger::HandshakeSignatureValid;
+use rustls::server::danger::ClientCertVerified;
+use rustls::server::danger::ClientCertVerifier;
+
+#[derive(Debug)]
+pub struct FakeClientCertVerifier {
+    pub dn: [DistinguishedName; 1],
+}
+
+impl ClientCertVerifier for FakeClientCertVerifier {
+    fn root_hint_subjects(&self) -> &[DistinguishedName] {
+        &self.dn
+    }
+    fn verify_client_cert(
+        &self,
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _now: UnixTime,
+    ) -> Result {
+        Ok(ClientCertVerified::assertion())
+    }
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+    fn supported_verify_schemes(&self) -> Vec {
+        vec![
+            SignatureScheme::RSA_PKCS1_SHA1,
+            SignatureScheme::ECDSA_SHA1_Legacy,
+            SignatureScheme::RSA_PKCS1_SHA256,
+            SignatureScheme::ECDSA_NISTP256_SHA256,
+            SignatureScheme::RSA_PKCS1_SHA384,
+            SignatureScheme::ECDSA_NISTP384_SHA384,
+            SignatureScheme::RSA_PKCS1_SHA512,
+            SignatureScheme::ECDSA_NISTP521_SHA512,
+            SignatureScheme::RSA_PSS_SHA256,
+            SignatureScheme::RSA_PSS_SHA384,
+            SignatureScheme::RSA_PSS_SHA512,
+            SignatureScheme::ED25519,
+            SignatureScheme::ED448,
+            //SignatureScheme::Unknown(u16),
+        ]
+    }
+    fn offer_client_auth(&self) -> bool {
+        true
+    }
+    fn client_auth_mandatory(&self) -> bool {
+        false
+    }
+}
diff --git a/tests/fake_cert_server_resolver.rs b/tests/fake_cert_server_resolver.rs
new file mode 100644
index 0000000..7028c8b
--- /dev/null
+++ b/tests/fake_cert_server_resolver.rs
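Review bot: `FakeClientCertVerifier` has no doc comment, and a type whose `verify_client_cert`, `verify_tls12_signature` and `verify_tls13_signature` all return `assertion()` without reading any of their arguments needs one so the accept-everything behaviour is not mistaken for a usable verifier; suggest `/// Test double: accepts any client certificate and any handshake signature without checking them. For builder wiring tests only.` above the struct. The `supported_verify_schemes` list is repeated verbatim in `tests/fake_cert_server_verifier.rs`; a shared `const` or helper in a common test module would keep the two from drifting, and the `//SignatureScheme::Unknown(u16),` placeholder is dead text in both. `offer_client_auth` returning `true` while `client_auth_mandatory` returns `false` is presumably deliberate (a client certificate is requested but not required) and deserves a one-line comment saying so.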
@@ -0,0 +1,15 @@
+use std::sync::Arc;
+
+use rustls::server::ClientHello;
+
+use rustls::server::ResolvesServerCert;
+use rustls::sign::CertifiedKey;
+
+#[derive(Debug)]
+pub struct FakeServerCertResolver;
+
+impl ResolvesServerCert for FakeServerCertResolver {
+    fn resolve(&self, _client_hello: ClientHello<'_>) -> Option> {
+        None
+    }
+}
diff --git a/tests/fake_cert_server_verifier.rs b/tests/fake_cert_server_verifier.rs
new file mode 100644
index 0000000..2786058
--- /dev/null
+++ b/tests/fake_cert_server_verifier.rs
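Review bot: `FakeServerCertResolver::resolve` ignores `_client_hello` and always returns `None`, so no server certificate can ever be selected; that is enough for the builder test, but the struct should say so rather than leave a reader to infer it: `/// Test double that never resolves a certificate; a server built with it can be constructed, but presumably cannot complete a handshake.` A short note on `resolve` itself, `// Builder-only fixture: no certificate is ever offered.`, would make the intent obvious at the call site.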
@@ -0,0 +1,59 @@
+use rustls::client::danger::HandshakeSignatureValid;
+use rustls::client::danger::ServerCertVerified;
+use rustls::client::danger::ServerCertVerifier;
+use rustls::pki_types::CertificateDer;
+use rustls::pki_types::ServerName;
+use rustls::pki_types::UnixTime;
+use rustls::DigitallySignedStruct;
+use rustls::Error;
+use rustls::SignatureScheme;
+
+#[derive(Debug)]
+pub struct FakeServerCertVerifier;
+
+impl ServerCertVerifier for FakeServerCertVerifier {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _server_name: &ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: UnixTime,
+    ) -> Result {
+        Ok(ServerCertVerified::assertion())
+    }
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+    fn supported_verify_schemes(&self) -> Vec {
+        vec![
+            SignatureScheme::RSA_PKCS1_SHA1,
+            SignatureScheme::ECDSA_SHA1_Legacy,
+            SignatureScheme::RSA_PKCS1_SHA256,
+            SignatureScheme::ECDSA_NISTP256_SHA256,
+            SignatureScheme::RSA_PKCS1_SHA384,
+            SignatureScheme::ECDSA_NISTP384_SHA384,
+            SignatureScheme::RSA_PKCS1_SHA512,
+            SignatureScheme::ECDSA_NISTP521_SHA512,
+            SignatureScheme::RSA_PSS_SHA256,
+            SignatureScheme::RSA_PSS_SHA384,
+            SignatureScheme::RSA_PSS_SHA512,
+            SignatureScheme::ED25519,
+            SignatureScheme::ED448,
+            //SignatureScheme::Unknown(u16),
+        ]
+    }
+}
diff --git a/tests/fake_time.rs b/tests/fake_time.rs
new file mode 100644
index 0000000..83dc3fa
--- /dev/null
+++ b/tests/fake_time.rs
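Review bot: `FakeServerCertVerifier` is missing a doc comment stating that `verify_server_cert` accepts any chain for any `_server_name`, ignores `_ocsp_response` and `_now`, and that both signature checks pass unconditionally; suggest `/// Test double: accepts every server certificate, server name and handshake signature without verification. Only for builder wiring tests under tests/.` above the struct. Because every parameter is deliberately unused, a one-line `// Accept-all fixture: nothing here is inspected.` inside `verify_server_cert` would stop a future reader from treating the underscore names as an oversight. The duplicated `supported_verify_schemes` list is raised on the `tests/fake_cert_client_verifier.rs` hunk.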
@@ -0,0 +1,11 @@
+use rustls::pki_types::UnixTime;
+use rustls::time_provider::TimeProvider;
+
+#[derive(Debug)]
+pub struct FakeTime;
+
+impl TimeProvider for FakeTime {
+    fn current_time(&self) -> Option {
+        None
+    }
+}
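Review bot: `FakeTime::current_time` returning `None` tells rustls that no wall-clock time is available, which keeps these builder tests independent of the host clock but means any time-dependent check (certificate validity, presumably) would fail rather than silently pass; the struct should document that: `/// Test double that reports no current time (None); suitable only where nothing consults the clock.` If a deterministic timestamp is ever needed for validity tests, returning a fixed `Some(UnixTime::since_unix_epoch(Duration::from_secs(FIXED_SECS)))` (constant to be chosen) would give reproducible results without touching the system clock.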