AuroraMiddleware/qt5base-lts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6d18e4a2b8
qt5base-lts/tests/auto/network/ssl/qocsp/tst_qocsp.cpp
Alexander Akulich 6d18e4a2b8 Revert "QAbstractSocket: deprecate 'error' member-function" 
This reverts commit 94b3dd77f2.

The patch fixes ambiguity between a getter and a signal by changing the
getter name, but we still have to rename the signal to follow the signals
naming convention.

Revert the commit to keep the getter as is and change the signal name instead.

Change-Id: I0dd60cf1ae9d1bd95beeb8ad58661ca4b1fb63b9
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2020-02-26 23:07:52 +03:00

824 lines
30 KiB
C++
Raw Blame History

/****************************************************************************
**
** Copyright (C) 2018 The Qt Company Ltd.
** Contact: https://www.qt.io/licensing/
**
** This file is part of the test suite of the Qt Toolkit.
**
** $QT_BEGIN_LICENSE:GPL-EXCEPT$
** Commercial License Usage
** Licensees holding valid commercial Qt licenses may use this file in
** accordance with the commercial license agreement provided with the
** Software or, alternatively, in accordance with the terms contained in
** a written agreement between you and The Qt Company. For licensing terms
** and conditions see https://www.qt.io/terms-conditions. For further
** information use the contact form at https://www.qt.io/contact-us.
**
** GNU General Public License Usage
** Alternatively, this file may be used under the terms of the GNU
** General Public License version 3 as published by the Free Software
** Foundation with exceptions as appearing in the file LICENSE.GPL3-EXCEPT
** included in the packaging of this file. Please review the following
** information to ensure the GNU General Public License requirements will
** be met: https://www.gnu.org/licenses/gpl-3.0.html.
**
** $QT_END_LICENSE$
**
****************************************************************************/
#include <QtTest/QtTest>
#include <QtNetwork/private/qtnetworkglobal_p.h>
#include <QtNetwork/private/qsslsocket_openssl_symbols_p.h>
#include <QtNetwork/private/qsslsocket_openssl_p.h>
#include <QtNetwork/qsslcertificate.h>
#include <QtNetwork/qtcpserver.h>
#include <QtNetwork/qsslerror.h>
#include <QtNetwork/qsslkey.h>
#include <QtNetwork/qssl.h>
#include <QtCore/qsharedpointer.h>
#include <QtCore/qbytearray.h>
#include <QtCore/qfileinfo.h>
#include <QtCore/qstring.h>
#include <QtCore/qfile.h>
#include <QtCore/qlist.h>
#include <QtCore/qdir.h>
#include <openssl/ocsp.h>
#include <algorithm>
#include <utility>
// NOTE: the word 'subject' in the code below means the subject of a status request,
// so in general it's our peer's certificate we are asking about.
using SslError = QT_PREPEND_NAMESPACE(QSslError);
using VectorOfErrors = QT_PREPEND_NAMESPACE(QVector<SslError>);
using Latin1String = QT_PREPEND_NAMESPACE(QLatin1String);
Q_DECLARE_METATYPE(SslError)
Q_DECLARE_METATYPE(VectorOfErrors)
Q_DECLARE_METATYPE(Latin1String)
QT_BEGIN_NAMESPACE
namespace {
using OcspResponse = QSharedPointer<OCSP_RESPONSE>;
using BasicResponse = QSharedPointer<OCSP_BASICRESP>;
using SingleResponse = QSharedPointer<OCSP_SINGLERESP>;
using CertId = QSharedPointer<OCSP_CERTID>;
using EvpKey = QSharedPointer<EVP_PKEY>;
using Asn1Time = QSharedPointer<ASN1_TIME>;
using CertificateChain = QList<QSslCertificate>;
using NativeX509Ptr = X509 *;
class X509Stack {
public:
explicit X509Stack(const QList<QSslCertificate> &chain);
~X509Stack();
int size() const;
X509 *operator[](int index) const;
operator STACK_OF(X509) *() const;
private:
OPENSSL_STACK *stack = nullptr;
Q_DISABLE_COPY(X509Stack)
};
X509Stack::X509Stack(const QList<QSslCertificate> &chain)
{
if (!chain.size())
return;
stack = q_OPENSSL_sk_new_null();
if (!stack)
return;
for (const QSslCertificate &cert : chain) {
X509 *nativeCert = NativeX509Ptr(cert.handle());
if (!nativeCert)
continue;
q_OPENSSL_sk_push(stack, nativeCert);
q_X509_up_ref(nativeCert);
}
}
X509Stack::~X509Stack()
{
if (stack)
q_OPENSSL_sk_pop_free(stack, reinterpret_cast<void(*)(void*)>(q_X509_free));
}
int X509Stack::size() const
{
if (stack)
return q_OPENSSL_sk_num(stack);
return 0;
}
X509 *X509Stack::operator[](int index) const
{
return NativeX509Ptr(q_OPENSSL_sk_value(stack, index));
}
X509Stack::operator STACK_OF(X509) *() const
{
return reinterpret_cast<STACK_OF(X509)*>(stack);
}
struct OcspTimeStamp
{
OcspTimeStamp() = default;
OcspTimeStamp(long secondsBeforeNow, long secondsAfterNow);
static Asn1Time timeToAsn1Time(long adjustment);
Asn1Time thisUpdate;
Asn1Time nextUpdate;
};
OcspTimeStamp::OcspTimeStamp(long secondsBeforeNow, long secondsAfterNow)
{
Asn1Time start = timeToAsn1Time(secondsBeforeNow);
Asn1Time end = timeToAsn1Time(secondsAfterNow);
if (start.data() && end.data()) {
thisUpdate.swap(start);
nextUpdate.swap(end);
}
}
Asn1Time OcspTimeStamp::timeToAsn1Time(long adjustment)
{
if (ASN1_TIME *adjusted = q_X509_gmtime_adj(nullptr, adjustment))
return Asn1Time(adjusted, q_ASN1_TIME_free);
return Asn1Time{};
}
struct OcspResponder
{
OcspResponder(const OcspTimeStamp &stamp, const CertificateChain &subjs,
const CertificateChain &respChain, const QSslKey &respPKey);
QByteArray buildResponse(int responseStatus, int certificateStatus) const;
static EvpKey privateKeyToEVP_PKEY(const QSslKey &privateKey);
static CertId certificateToCertId(X509 *subject, X509 *issuer);
static QByteArray responseToDer(OCSP_RESPONSE *response);
OcspTimeStamp timeStamp;
// Plural, we can send a 'wrong' BasicResponse containing more than
// 1 SingleResponse.
X509Stack subjects;
X509Stack responderChain;
QSslKey responderKey;
};
OcspResponder::OcspResponder(const OcspTimeStamp &stamp, const CertificateChain &subjs,
const CertificateChain &respChain, const QSslKey &respPKey)
: timeStamp(stamp),
subjects(subjs),
responderChain(respChain),
responderKey(respPKey)
{
}
QByteArray OcspResponder::buildResponse(int responseStatus, int certificateStatus) const
{
if (responseStatus != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
OCSP_RESPONSE *response = q_OCSP_response_create(responseStatus, nullptr);
if (!response)
return {};
const OcspResponse rGuard(response, q_OCSP_RESPONSE_free);
return responseToDer(response);
}
Q_ASSERT(subjects.size() && responderChain.size() && responderKey.handle());
const EvpKey nativeKey = privateKeyToEVP_PKEY(responderKey);
if (!nativeKey.data())
return {};
OCSP_BASICRESP *basicResponse = q_OCSP_BASICRESP_new();
if (!basicResponse)
return {};
const BasicResponse brGuard(basicResponse, q_OCSP_BASICRESP_free);
for (int i = 0, e = subjects.size(); i < e; ++i) {
X509 *subject = subjects[i];
Q_ASSERT(subject);
CertId certId = certificateToCertId(subject, responderChain[0]);
if (!certId.data())
return {};
// NOTE: we do not own this 'singleResponse':
ASN1_TIME *revisionTime = certificateStatus == V_OCSP_CERTSTATUS_REVOKED ?
timeStamp.thisUpdate.data() : nullptr;
if (!q_OCSP_basic_add1_status(basicResponse, certId.data(), certificateStatus, 0, revisionTime,
timeStamp.thisUpdate.data(), timeStamp.nextUpdate.data())) {
return {};
}
}
if (q_OCSP_basic_sign(basicResponse, responderChain[0], nativeKey.data(), q_EVP_sha1(),
responderChain, 0) != 1) {
return {};
}
OCSP_RESPONSE *ocspResponse = q_OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, basicResponse);
if (!ocspResponse)
return {};
const OcspResponse rGuard(ocspResponse, q_OCSP_RESPONSE_free);
return responseToDer(ocspResponse);
}
EvpKey OcspResponder::privateKeyToEVP_PKEY(const QSslKey &privateKey)
{
const EvpKey nullKey;
if (privateKey.isNull() || privateKey.algorithm() != QSsl::Rsa) {
// We use only RSA keys in this auto-test, since we test OCSP only,
// not handshake/TLS in general.
return nullKey;
}
EVP_PKEY *nativeKey = q_EVP_PKEY_new();
if (!nativeKey)
return nullKey;
const EvpKey keyGuard(nativeKey, q_EVP_PKEY_free);
if (!q_EVP_PKEY_set1_RSA(nativeKey, reinterpret_cast<RSA *>(privateKey.handle())))
return nullKey;
return keyGuard;
}
CertId OcspResponder::certificateToCertId(X509 *subject, X509 *issuer)
{
const CertId nullId;
if (!subject || !issuer)
return nullId;
const EVP_MD *digest = q_EVP_sha1();
if (!digest)
return nullId;
OCSP_CERTID *certId = q_OCSP_cert_to_id(digest, subject, issuer);
if (!certId)
return nullId;
return CertId(certId, q_OCSP_CERTID_free);
}
QByteArray OcspResponder::responseToDer(OCSP_RESPONSE *response)
{
if (!response)
return {};
const int derSize = q_i2d_OCSP_RESPONSE(response, nullptr);
if (derSize <= 0)
return {};
QByteArray derData(derSize, Qt::Uninitialized);
unsigned char *pData = reinterpret_cast<unsigned char *>(derData.data());
const int serializedSize = q_i2d_OCSP_RESPONSE(response, &pData);
if (serializedSize != derSize)
return {};
return derData;
}
// The QTcpServer capable of sending OCSP status responses.
class OcspServer : public QTcpServer
{
Q_OBJECT
public:
OcspServer(const CertificateChain &serverChain, const QSslKey &privateKey);
void configureResponse(const QByteArray &responseDer);
QString hostName() const;
QString peerVerifyName() const;
Q_SIGNALS:
void internalServerError();
private:
void incomingConnection(qintptr descriptor) override;
public:
QSslConfiguration serverConfig;
QSslSocket serverSocket;
};
OcspServer::OcspServer(const CertificateChain &serverChain, const QSslKey &privateKey)
{
Q_ASSERT(serverChain.size());
Q_ASSERT(!privateKey.isNull());
serverConfig = QSslConfiguration::defaultConfiguration();
serverConfig.setLocalCertificateChain(serverChain);
serverConfig.setPrivateKey(privateKey);
}
void OcspServer::configureResponse(const QByteArray &responseDer)
{
serverConfig.setBackendConfigurationOption("Qt-OCSP-response", responseDer);
}
QString OcspServer::hostName() const
{
// It's 'name' and not 'address' to be consistent with QSslSocket's naming style,
// where it's connectToHostEncrypted(hostName, ...)
const QHostAddress &addr = serverAddress();
if (addr == QHostAddress::Any || addr == QHostAddress::AnyIPv4)
return QStringLiteral("127.0.0.1");
if (addr == QHostAddress::AnyIPv6)
return QStringLiteral("::1");
return addr.toString();
}
QString OcspServer::peerVerifyName() const
{
const CertificateChain &localChain = serverConfig.localCertificateChain();
if (localChain.isEmpty())
return {};
const auto cert = localChain.first();
if (cert.isNull())
return {};
const QStringList &names = cert.subjectInfo(QSslCertificate::CommonName);
return names.isEmpty() ? QString{} : names.first();
}
void OcspServer::incomingConnection(qintptr socketDescriptor)
{
close();
if (!serverSocket.setSocketDescriptor(socketDescriptor)) {
emit internalServerError();
return;
}
serverSocket.setSslConfiguration(serverConfig);
// Since we test a client, not a server, we don't care about any
// possible errors on the server (QAbstractSocket or QSslSocket-related).
// Thus, we don't connect to any error signal.
serverSocket.startServerEncryption();
}
} // unnamed namespace
class tst_QOcsp : public QObject
{
Q_OBJECT
public slots:
void initTestCase();
private slots:
void connectSelfSigned();
void badStatus_data();
void badStatus();
void multipleSingleResponses();
void malformedResponse();
void expiredResponse_data();
void expiredResponse();
void noNextUpdate();
void wrongCertificateInResponse_data();
void wrongCertificateInResponse();
void untrustedResponder();
// OCSPTODO: more tests in future ...
private:
void setupOcspClient(QSslSocket &clientSocket, const CertificateChain &trustedCAs,
const QString &peerName);
bool containsOcspErrors(const QList<QSslError> &errorsFound) const;
static bool containsError(const QList<QSslError> &errors, QSslError::SslError code);
static QByteArray goodResponse(const CertificateChain &subject, const CertificateChain &responder,
const QSslKey &privateKey, long beforeNow = -1000, long afterNow = 1000);
static bool loadPrivateKey(const QString &keyName, QSslKey &key);
static CertificateChain issuerToChain(const CertificateChain &chain);
static CertificateChain subjectToChain(const CertificateChain &chain);
static QString certDirPath;
void (QSslSocket::*socketErrorSignal)(QAbstractSocket::SocketError) = &QAbstractSocket::error;
void (QSslSocket::*tlsErrorsSignal)(const QList<QSslError> &) = &QSslSocket::sslErrors;
void (QTestEventLoop::*exitLoopSlot)() = &QTestEventLoop::exitLoop;
const int handshakeTimeoutMS = 500;
QTestEventLoop loop;
std::vector<QSslError::SslError> ocspErrorCodes = {QSslError::OcspNoResponseFound,
QSslError::OcspMalformedRequest,
QSslError::OcspMalformedResponse,
QSslError::OcspInternalError,
QSslError::OcspTryLater,
QSslError::OcspSigRequred,
QSslError::OcspUnauthorized,
QSslError::OcspResponseCannotBeTrusted,
QSslError::OcspResponseCertIdUnknown,
QSslError::OcspResponseExpired,
QSslError::OcspStatusUnknown};
};
#define QCOMPARE_SINGLE_ERROR(sslSocket, expectedError) \
const auto &tlsErrors = sslSocket.sslHandshakeErrors(); \
QCOMPARE(tlsErrors.size(), 1); \
QCOMPARE(tlsErrors[0].error(), expectedError)
#define QVERIFY_HANDSHAKE_WITHOUT_ERRORS(sslSocket) \
QVERIFY(sslSocket.isEncrypted()); \
QCOMPARE(sslSocket.state(), QAbstractSocket::ConnectedState); \
QVERIFY(sslSocket.sslHandshakeErrors().isEmpty())
#define QDECLARE_CHAIN(object, chainFileName) \
CertificateChain object = QSslCertificate::fromPath(certDirPath + QLatin1String(chainFileName)); \
QVERIFY(object.size())
#define QDECLARE_PRIVATE_KEY(key, keyFileName) \
QSslKey key; \
QVERIFY(loadPrivateKey(QLatin1String(keyFileName), key))
QString tst_QOcsp::certDirPath;
void tst_QOcsp::initTestCase()
{
QVERIFY(QSslSocket::supportsSsl());
certDirPath = QFileInfo(QFINDTESTDATA("certs")).absolutePath();
QVERIFY(certDirPath.size() > 0);
certDirPath += QDir::separator() + QStringLiteral("certs") + QDir::separator();
}
void tst_QOcsp::connectSelfSigned()
{
// This test may look a bit confusing, since we have essentially 1
// self-signed certificate, which we trust for the purpose of this test,
// but we also request its (the certificate's) status and then we sign
// the status response using the same certificate and the corresponding
// private key. Anyway, we test the very basic things here: we send
// an OCSP status request, we verify the response (if server has sent it),
// and detect errors (if any).
QDECLARE_CHAIN(subjectChain, "ss1.crt");
QDECLARE_CHAIN(responderChain, "ss1.crt");
QDECLARE_PRIVATE_KEY(privateKey, "ss1-private.key");
{
// This server ignores our status request:
const QSslError::SslError expectedError = QSslError::OcspNoResponseFound;
OcspServer server(subjectChain, privateKey);
QVERIFY(server.listen());
connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot);
QSslSocket clientSocket;
QSslConfiguration clientConfig = QSslConfiguration::defaultConfiguration();
auto roots = clientConfig.caCertificates();
setupOcspClient(clientSocket, issuerToChain(subjectChain), server.peerVerifyName());
clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort());
loop.enterLoopMSecs(handshakeTimeoutMS);
QVERIFY(!clientSocket.isEncrypted());
QCOMPARE_SINGLE_ERROR(clientSocket, expectedError);
}
{
// Now the server will send a valid 'status: good' response.
OcspServer server(subjectChain, privateKey);
const QByteArray response(goodResponse(subjectChain, responderChain, privateKey));
QVERIFY(response.size());
server.configureResponse(response);
QVERIFY(server.listen());
QSslSocket clientSocket;
setupOcspClient(clientSocket, issuerToChain(subjectChain), server.peerVerifyName());
clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort());
loop.enterLoopMSecs(handshakeTimeoutMS);
QVERIFY_HANDSHAKE_WITHOUT_ERRORS(clientSocket);
}
}
void tst_QOcsp::badStatus_data()
{
QTest::addColumn<int>("responseStatus");
QTest::addColumn<int>("certificateStatus");
QTest::addColumn<QSslError>("expectedError");
QTest::addRow("malformed-request") << OCSP_RESPONSE_STATUS_MALFORMEDREQUEST << 1 << QSslError(QSslError::OcspMalformedRequest);
QTest::addRow("internal-error") << OCSP_RESPONSE_STATUS_INTERNALERROR << 2 << QSslError(QSslError::OcspInternalError);
QTest::addRow("try-later") << OCSP_RESPONSE_STATUS_TRYLATER << 3 << QSslError(QSslError::OcspTryLater);
QTest::addRow("signed-request-require") << OCSP_RESPONSE_STATUS_SIGREQUIRED << 2 << QSslError(QSslError::OcspSigRequred);
QTest::addRow("unauthorized-request") << OCSP_RESPONSE_STATUS_UNAUTHORIZED << 1 <<QSslError(QSslError::OcspUnauthorized);
QTest::addRow("certificate-revoked") << OCSP_RESPONSE_STATUS_SUCCESSFUL << V_OCSP_CERTSTATUS_REVOKED
<< QSslError(QSslError::CertificateRevoked);
QTest::addRow("status-unknown") << OCSP_RESPONSE_STATUS_SUCCESSFUL << V_OCSP_CERTSTATUS_UNKNOWN
<< QSslError(QSslError::OcspStatusUnknown);
}
void tst_QOcsp::badStatus()
{
// This test works with two types of 'bad' responses:
// 1. 'Error messages' (the response's status is anything but SUCCESSFUL,
// no information about the certificate itself, no signature);
// 2. 'REVOKED' or 'UNKNOWN' status for a certificate in question.
QFETCH(const int, responseStatus);
QFETCH(const int, certificateStatus);
QFETCH(const QSslError, expectedError);
QDECLARE_CHAIN(subjectChain, "infbobchain.crt");
QCOMPARE(subjectChain.size(), 2);
QDECLARE_CHAIN(responderChain, "ca1.crt");
QDECLARE_PRIVATE_KEY(subjPrivateKey, "infbob.key");
QDECLARE_PRIVATE_KEY(respPrivateKey, "ca1.key");
OcspServer server(subjectChain, subjPrivateKey);
const OcspTimeStamp stamp(-1000, 1000);
OcspResponder builder(stamp, subjectToChain(subjectChain), responderChain, respPrivateKey);
const QByteArray response(builder.buildResponse(responseStatus, certificateStatus));
QVERIFY(response.size());
server.configureResponse(response);
QVERIFY(server.listen());
connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot);
QSslSocket clientSocket;
setupOcspClient(clientSocket, issuerToChain(subjectChain), server.peerVerifyName());
clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort());
loop.enterLoopMSecs(handshakeTimeoutMS);
QVERIFY(!clientSocket.isEncrypted());
QCOMPARE_SINGLE_ERROR(clientSocket, expectedError.error());
}
void tst_QOcsp::multipleSingleResponses()
{
// We handle a response with more than one SingleResponse as malformed:
const QSslError::SslError expectedError = QSslError::OcspMalformedResponse;
// Here we use subjectChain only to generate a response, the server
// is configured with the responder chain (it's the same cert after all).
QDECLARE_CHAIN(subjectChain, "ss1.crt");
QDECLARE_CHAIN(responderChain, "ss1.crt");
QDECLARE_PRIVATE_KEY(privateKey, "ss1-private.key");
// Let's have more than 1 certificate in a chain:
subjectChain.append(subjectChain[0]);
OcspServer server(responderChain, privateKey);
// Generate a BasicOCSPResponse containing 2 SingleResponses:
const QByteArray response(goodResponse(subjectChain, responderChain, privateKey));
QVERIFY(response.size());
server.configureResponse(response);
QVERIFY(server.listen());
connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot);
QSslSocket clientSocket;
setupOcspClient(clientSocket, issuerToChain(responderChain), server.peerVerifyName());
clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort());
loop.enterLoopMSecs(handshakeTimeoutMS);
QVERIFY(!clientSocket.isEncrypted());
QCOMPARE_SINGLE_ERROR(clientSocket, expectedError);
}
void tst_QOcsp::malformedResponse()
{
QDECLARE_CHAIN(serverChain, "ss1.crt");
QDECLARE_PRIVATE_KEY(privateKey, "ss1-private.key");
OcspServer server(serverChain, privateKey);
// Let's send some arbitrary bytes instead of DER and see what happens next:
server.configureResponse("Sure, you can trust me, this cert was not revoked (I don't say it was issued at all)!");
QVERIFY(server.listen());
connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot);
QSslSocket clientSocket;
setupOcspClient(clientSocket, issuerToChain(serverChain), server.peerVerifyName());
clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort());
loop.enterLoopMSecs(handshakeTimeoutMS);
QVERIFY(!clientSocket.isEncrypted());
QCOMPARE(clientSocket.error(), QAbstractSocket::SslHandshakeFailedError);
}
void tst_QOcsp::expiredResponse_data()
{
QTest::addColumn<long>("beforeNow");
QTest::addColumn<long>("afterNow");
QTest::addRow("expired") << -2000L << -1000L;
QTest::addRow("not-valid-yet") << 5000L << 10000L;
QTest::addRow("next-before-this") << -1000L << -2000L;
}
void tst_QOcsp::expiredResponse()
{
// We report different kinds of problems with [thisUpdate, nextUpdate]
// as 'expired' (to keep it simple):
const QSslError::SslError expectedError = QSslError::OcspResponseExpired;
QFETCH(const long, beforeNow);
QFETCH(const long, afterNow);
QDECLARE_CHAIN(subjectChain, "ss1.crt");
QDECLARE_CHAIN(responderChain, "ss1.crt");
QDECLARE_PRIVATE_KEY(privateKey, "ss1-private.key");
OcspServer server(subjectChain, privateKey);
const QByteArray response(goodResponse(subjectChain, responderChain, privateKey, beforeNow, afterNow));
QVERIFY(response.size());
server.configureResponse(response);
QVERIFY(server.listen());
connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot);
QSslSocket clientSocket;
setupOcspClient(clientSocket, issuerToChain(subjectChain), server.peerVerifyName());
clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort());
loop.enterLoopMSecs(handshakeTimeoutMS);
QVERIFY(!clientSocket.isEncrypted());
QCOMPARE_SINGLE_ERROR(clientSocket, expectedError);
}
void tst_QOcsp::noNextUpdate()
{
// RFC2560, 2.4:
// "If nextUpdate is not set, the responder is indicating that newer
// revocation information is available all the time."
//
// This test is just to verify that we correctly handle such responses.
QDECLARE_CHAIN(subjectChain, "ss1.crt");
QDECLARE_CHAIN(responderChain, "ss1.crt");
QDECLARE_PRIVATE_KEY(privateKey, "ss1-private.key");
OcspServer server(subjectChain, privateKey);
OcspTimeStamp openRange(-1000, 0);
openRange.nextUpdate.clear();
const OcspResponder responder(openRange, subjectChain, responderChain, privateKey);
const QByteArray response(responder.buildResponse(OCSP_RESPONSE_STATUS_SUCCESSFUL,
V_OCSP_CERTSTATUS_GOOD));
QVERIFY(response.size());
server.configureResponse(response);
QVERIFY(server.listen());
connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot);
QSslSocket clientSocket;
setupOcspClient(clientSocket, issuerToChain(subjectChain), server.peerVerifyName());
clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort());
loop.enterLoopMSecs(handshakeTimeoutMS);
QVERIFY_HANDSHAKE_WITHOUT_ERRORS(clientSocket);
}
void tst_QOcsp::wrongCertificateInResponse_data()
{
QTest::addColumn<QLatin1String>("respChainName");
QTest::addColumn<QLatin1String>("respKeyName");
QTest::addColumn<QLatin1String>("wrongChainName");
QTest::addRow("same-CA-wrong-subject") << QLatin1String("ca1.crt") << QLatin1String("ca1.key")
<< QLatin1String("alice.crt");
QTest::addRow("wrong-CA-same-subject") << QLatin1String("ss1.crt") << QLatin1String("ss1-private.key")
<< QLatin1String("alice.crt");
QTest::addRow("wrong-CA-wrong-subject") << QLatin1String("ss1.crt") << QLatin1String("ss1-private.key")
<< QLatin1String("ss1.crt");
}
void tst_QOcsp::wrongCertificateInResponse()
{
QFETCH(const QLatin1String, respChainName);
QFETCH(const QLatin1String, respKeyName);
QFETCH(const QLatin1String, wrongChainName);
// In this test, the server will send a valid response (correctly signed
// by a trusted key/cert) but for a wrong certificate (not the one the
// server presented to the client in the server's 'Certificate' message).
const QSslError::SslError expectedError = QSslError::OcspResponseCertIdUnknown;
QDECLARE_CHAIN(subjectChain, "infbobchain.crt");
QDECLARE_PRIVATE_KEY(subjectKey, "infbob.key");
QDECLARE_CHAIN(responderChain, respChainName);
QDECLARE_PRIVATE_KEY(responderKey, respKeyName);
QDECLARE_CHAIN(wrongChain, wrongChainName);
OcspServer server(subjectToChain(subjectChain), subjectKey);
const QByteArray wrongResponse(goodResponse(wrongChain, responderChain, responderKey));
QVERIFY(wrongResponse.size());
server.configureResponse(wrongResponse);
QVERIFY(server.listen());
connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot);
QSslSocket clientSocket;
setupOcspClient(clientSocket, issuerToChain(subjectChain), server.peerVerifyName());
clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort());
loop.enterLoopMSecs(handshakeTimeoutMS);
QVERIFY(!clientSocket.isEncrypted());
QVERIFY(containsError(clientSocket.sslHandshakeErrors(), expectedError));
}
void tst_QOcsp::untrustedResponder()
{
const QSslError::SslError expectedError = QSslError::OcspResponseCannotBeTrusted;
QDECLARE_CHAIN(subjectChain, "infbobchain.crt");
QDECLARE_PRIVATE_KEY(subjectKey, "infbob.key");
QDECLARE_CHAIN(responderChain, "ca1.crt");
QDECLARE_PRIVATE_KEY(responderKey, "ca1.key");
OcspServer server(subjectChain, subjectKey);
const QByteArray response(goodResponse(subjectToChain(subjectChain), responderChain, responderKey));
QVERIFY(response.size());
server.configureResponse(response);
QVERIFY(server.listen());
connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot);
QSslSocket clientSocket;
setupOcspClient(clientSocket, {}, server.peerVerifyName());
clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort());
loop.enterLoopMSecs(handshakeTimeoutMS);
QVERIFY(!clientSocket.isEncrypted());
QVERIFY(containsError(clientSocket.sslHandshakeErrors(), expectedError));
}
void tst_QOcsp::setupOcspClient(QSslSocket &clientSocket, const CertificateChain &caCerts, const QString &name)
{
QSslConfiguration clientConfig = QSslConfiguration::defaultConfiguration();
clientConfig.setOcspStaplingEnabled(true);
if (caCerts.size()) {
auto roots = clientConfig.caCertificates();
roots.append(caCerts);
clientConfig.setCaCertificates(roots);
}
clientSocket.setSslConfiguration(clientConfig);
clientSocket.setPeerVerifyName(name);
connect(&clientSocket, socketErrorSignal, &loop, exitLoopSlot);
connect(&clientSocket, tlsErrorsSignal, &loop, exitLoopSlot);
connect(&clientSocket, &QSslSocket::encrypted, &loop, exitLoopSlot);
}
bool tst_QOcsp::containsOcspErrors(const QList<QSslError> &errorsFound) const
{
for (auto code : ocspErrorCodes) {
if (containsError(errorsFound, code))
return true;
}
return false;
}
bool tst_QOcsp::containsError(const QList<QSslError> &errors, QSslError::SslError code)
{
const auto it = std::find_if(errors.begin(), errors.end(),
[&code](const QSslError &other){return other.error() == code;});
return it != errors.end();
}
QByteArray tst_QOcsp::goodResponse(const CertificateChain &subject, const CertificateChain &responder,
const QSslKey &privateKey, long beforeNow, long afterNow)
{
const OcspResponder builder(OcspTimeStamp(beforeNow, afterNow), subject, responder, privateKey);
return builder.buildResponse(OCSP_RESPONSE_STATUS_SUCCESSFUL, V_OCSP_CERTSTATUS_GOOD);
}
bool tst_QOcsp::loadPrivateKey(const QString &keyFileName, QSslKey &key)
{
QFile keyFile(certDirPath + keyFileName);
if (!keyFile.open(QIODevice::ReadOnly))
return false;
key = QSslKey(keyFile.readAll(), QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey);
return !key.isNull();
}
CertificateChain tst_QOcsp::issuerToChain(const CertificateChain &chain)
{
// Here we presume that, if the chain isn't a single self-signed certificate, its second
// entry is the issuer.
const int length = chain.size();
Q_ASSERT(length > 0);
return CertificateChain() << chain[length > 1 ? 1 : 0];
}
CertificateChain tst_QOcsp::subjectToChain(const CertificateChain &chain)
{
Q_ASSERT(chain.size());
return CertificateChain() << chain[0];
}
QT_END_NAMESPACE
QTEST_MAIN(tst_QOcsp)
#include "tst_qocsp.moc"
Reference in New Issue View Git Blame Copy Permalink