Test SSL ConnectionInfo certificate has the expected value (#3401)
pepone authored Jan 22, 2025
1 parent 90d402d commit 7cf9671
Showing 3 changed files with 88 additions and 4 deletions.
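--- a/cpp/test/Ice/info/AllTests.cpp
+++ b/cpp/test/Ice/info/AllTests.cpp
@@ -1,5 +1,6 @@
 // Copyright (c) ZeroC, Inc.
 
+#include "../../src/Ice/SSL/SSLUtil.h"
 #include "Ice/Ice.h"
 #include "TestHelper.h"
 #include "TestI.h"
@@ -34,6 +35,19 @@ namespace
 }
 return nullptr;
 }
+
+void checkPeerCertificateSubjectName(string subjectName)
+{
+test(subjectName.find("CN=127.0.0.1") != string::npos);
+test(subjectName.find("OU=Ice") != string::npos);
+test(
+subjectName.find("O=ZeroC, Inc.") != string::npos || subjectName.find("O=ZeroC\\, Inc.") != string::npos ||
+subjectName.find("O=\"ZeroC, Inc.\"") != string::npos);
+test(subjectName.find("L=Jupiter") != string::npos);
+test(subjectName.find("ST=Florida") != string::npos);
+test(subjectName.find("C=US") != string::npos);
+test(subjectName.find("[email protected]") != string::npos);
+}
 }
 
 void
@@ -235,9 +249,8 @@ allTests(Test::TestHelper* helper)
 if (testIntf->ice_getConnection()->type() == "wss")
 {
 auto wssinfo = dynamic_pointer_cast<Ice::SSL::ConnectionInfo>(wsinfo->underlying);
-#if TARGET_OS_IPHONE == 0
 test(wssinfo->peerCertificate);
-#endif
+checkPeerCertificateSubjectName(Ice::SSL::getSubjectName(wssinfo->peerCertificate));
 }
 
 test(headers["Upgrade"] == "websocket");
@@ -251,6 +264,13 @@ allTests(Test::TestHelper* helper)
 test(ctx["ws.Sec-WebSocket-Version"] == "13");
 test(ctx.find("ws.Sec-WebSocket-Key") != ctx.end());
 }
+else if (testIntf->ice_getConnection()->type() == "ssl")
+{
+auto sslinfo = dynamic_pointer_cast<Ice::SSL::ConnectionInfo>(connection->getInfo());
+test(sslinfo);
+test(sslinfo->peerCertificate);
+checkPeerCertificateSubjectName(Ice::SSL::getSubjectName(sslinfo->peerCertificate));
+}
 
 connection = testIntf->ice_datagram()->ice_getConnection();
 connection->setBufferSize(2048, 1024);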
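Review bot: `checkPeerCertificateSubjectName` identifies the peer only by substring matches on the subject DN, which is weaker than the thumbprint comparison the C# and Java tests in this commit use. Any certificate carrying the same subject fields passes, and `find("CN=127.0.0.1")` also accepts a longer value such as `CN=127.0.0.10`. If the C++ mapping exposes no fingerprint accessor, record the limitation above the helper, e.g. `// Matches subject DN fields only; does not pin the certificate itself.` The parameter can be `const string&` to avoid a copy per call. In the wss branch `wssinfo` is dereferenced without a preceding `test(wssinfo);`, unlike the new ssl branch; allTests starts and ends outside the hunks shown.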
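--- a/csharp/test/Ice/info/AllTests.cs
+++ b/csharp/test/Ice/info/AllTests.cs
@@ -213,6 +213,24 @@ public static void allTests(global::Test.TestHelper helper)
 test(ctx["ws.Sec-WebSocket-Protocol"] == "ice.zeroc.com");
 test(ctx["ws.Sec-WebSocket-Version"] == "13");
 test(ctx["ws.Sec-WebSocket-Key"] != null);
+
+var sslInfo = info.underlying as Ice.SSL.ConnectionInfo;
+test((@base.ice_getConnection().type() == "ws" && sslInfo == null) ||
+(@base.ice_getConnection().type() == "wss" && sslInfo != null));
+if (sslInfo != null)
+{
+test(sslInfo.certs.Length > 0);
+// The SHA1 Thumbprint of the server certificate used in the test.
+test(sslInfo.certs[0].Thumbprint == "9E754B7A7BF5E1951CB2A46B565F8BBB8A4A355D");
+}
+}
+else if (@base.ice_getConnection().type() == "ssl")
+{
+var sslInfo = info as Ice.SSL.ConnectionInfo;
+test(sslInfo != null);
+test(sslInfo.certs.Length > 0);
+// The SHA1 Thumbprint of the server certificate used in the test.
+test(sslInfo.certs[0].Thumbprint == "9E754B7A7BF5E1951CB2A46B565F8BBB8A4A355D");
 }
 
 connection = @base.ice_datagram().ice_getConnection();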
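Review bot: The expected thumbprint is repeated as the same hex literal in the wss and the ssl branch, so a regenerated test certificate has to be updated in two places here and again in the Java test. A single class-level `private const string ServerCertSha1 = "9E754B7A7BF5E1951CB2A46B565F8BBB8A4A355D";`, with a comment naming the certificate file it was computed from, keeps the two checks in sync. `Thumbprint` is a SHA-1 digest, which is adequate for recognising a fixed test certificate. If the pin is ever meant as a pattern to copy, `GetCertHashString(HashAlgorithmName.SHA256)` compared against a SHA-256 value (not shown on this page) is the stronger form. allTests starts and ends outside the hunk.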
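--- a/java/test/src/main/java/test/Ice/info/AllTests.java
+++ b/java/test/src/main/java/test/Ice/info/AllTests.java
@@ -21,6 +21,9 @@
 import test.Ice.info.Test.TestIntfPrx;
 
 import java.io.PrintWriter;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateEncodingException;
 
 public class AllTests {
 private static void test(boolean b) {
@@ -232,8 +235,8 @@ public static void allTests(test.TestHelper helper) {
 
 if (base.ice_getConnection().type().equals("ws")
 || base.ice_getConnection().type().equals("wss")) {
-java.util.Map<String, String> headers =
-((WSConnectionInfo) connection.getInfo()).headers;
+var wssInfo = (WSConnectionInfo) connection.getInfo();
+java.util.Map<String, String> headers = wssInfo.headers;
 test(headers.get("Upgrade").equals("websocket"));
 test(headers.get("Connection").equals("Upgrade"));
 test(headers.get("Sec-WebSocket-Protocol").equals("ice.zeroc.com"));
@@ -244,6 +247,12 @@ public static void allTests(test.TestHelper helper) {
 test(ctx.get("ws.Sec-WebSocket-Protocol").equals("ice.zeroc.com"));
 test(ctx.get("ws.Sec-WebSocket-Version").equals("13"));
 test(ctx.get("ws.Sec-WebSocket-Key") != null);
+
+if (base.ice_getConnection().type().equals("wss")) {
+checkPeerCertificate((com.zeroc.Ice.SSL.ConnectionInfo) wssInfo.underlying);
+}
+} else if (base.ice_getConnection().type().equals("ssl")) {
+checkPeerCertificate((com.zeroc.Ice.SSL.ConnectionInfo) connection.getInfo());
 }
 
 connection = base.ice_datagram().ice_getConnection();
@@ -268,4 +277,41 @@ public static void allTests(test.TestHelper helper) {
 communicator.shutdown();
 communicator.waitForShutdown();
 }
+
+static void checkPeerCertificate(com.zeroc.Ice.SSL.ConnectionInfo info) {
+test(info.certs.length > 0);
+try {
+byte[] thumbprint =
+MessageDigest.getInstance("SHA-1").digest(info.certs[0].getEncoded());
+
+// The SHA1 Thumbprint of the server certificate used in the test.
+byte[] expected = {
+(byte) 0x9E,
+(byte) 0x75,
+(byte) 0x4B,
+(byte) 0x7A,
+(byte) 0x7B,
+(byte) 0xF5,
+(byte) 0xE1,
+(byte) 0x95,
+(byte) 0x1C,
+(byte) 0xB2,
+(byte) 0xA4,
+(byte) 0x6B,
+(byte) 0x56,
+(byte) 0x5F,
+(byte) 0x8B,
+(byte) 0xBB,
+(byte) 0x8A,
+(byte) 0x4A,
+(byte) 0x35,
+(byte) 0x5D
+};
+test(java.util.Arrays.equals(thumbprint, expected));
+} catch (NoSuchAlgorithmException e) {
+test(false);
+} catch (CertificateEncodingException e) {
+test(false);
+}
+}
 }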
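Review bot: `checkPeerCertificate` reads `info.certs.length` without first asserting that `info` and `info.certs` are non-null, so a connection that carries no SSL info fails with a NullPointerException instead of a test assertion. The C++ and C# versions in this commit check the cast result first. Opening the helper with `test(info != null && info.certs != null && info.certs.length > 0);` makes the failure explicit. The two catch blocks reduce a digest or encoding error to `test(false)` and drop the exception; `} catch (NoSuchAlgorithmException | CertificateEncodingException e) { throw new RuntimeException(e); }` keeps the cause in the test output. A comment naming the certificate file the 20-byte SHA-1 value was computed from would help when the test certificate is regenerated.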
