Test VerifyCertificate()

Icinga · Jan 28, 2025 · 8fe67fc · 8fe67fc
1 parent d55c364
commit 8fe67fc
Show file tree

Hide file tree

Showing 2 changed files with 102 additions and 0 deletions.
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
@@ -175,6 +175,13 @@ add_boost_test(base
     base_tlsutility/iscertuptodate_ok
     base_tlsutility/iscertuptodate_expiring
     base_tlsutility/iscertuptodate_old
+    base_tlsutility/verifycertificate_ok
+    base_tlsutility/verifycertificate_leafexpired
+    base_tlsutility/verifycertificate_caexpired
+    base_tlsutility/verifycertificate_leafnotyetvalid
+    base_tlsutility/verifycertificate_canotyetvalid
+    base_tlsutility/verifycertificate_issuermismatch
+    base_tlsutility/verifycertificate_sigmismatch
     base_utility/parse_version
     base_utility/compare_version
     base_utility/comparepasswords_works

diff --git a/test/base-tlsutility.cpp b/test/base-tlsutility.cpp
@@ -54,6 +54,24 @@ static std::shared_ptr<X509> MakeCert(const char* issuer, EVP_PKEY* signer, cons
 	return std::shared_ptr<X509>(cert, X509_free);
 }
 
+static void ShortValidity(ASN1_TIME* notBefore, ASN1_TIME* notAfter)
+{
+	BOOST_REQUIRE(X509_gmtime_adj(notBefore, -60));
+	BOOST_REQUIRE(X509_gmtime_adj(notAfter, 60));
+}
+
+static void ExpiredRecently(ASN1_TIME* notBefore, ASN1_TIME* notAfter)
+{
+	BOOST_REQUIRE(X509_gmtime_adj(notBefore, -120));
+	BOOST_REQUIRE(X509_gmtime_adj(notAfter, -60));
+}
+
+static void NotYetValid(ASN1_TIME* notBefore, ASN1_TIME* notAfter)
+{
+	BOOST_REQUIRE(X509_gmtime_adj(notBefore, 60));
+	BOOST_REQUIRE(X509_gmtime_adj(notAfter, 120));
+}
+
 static const long l_2016 = 1480000000; // Thu Nov 24 15:06:40 UTC 2016
 static const long l_2017 = 1490000000; // Mon Mar 20 08:53:20 UTC 2017
 
@@ -132,4 +150,81 @@ BOOST_AUTO_TEST_CASE(iscertuptodate_old)
 	})));
 }
 
+BOOST_AUTO_TEST_CASE(verifycertificate_ok)
+{
+	auto caKey (GenKeypair());
+
+	BOOST_CHECK(VerifyCertificate(
+		MakeCert("Icinga CA", caKey, "Icinga CA", caKey, ShortValidity),
+		MakeCert("Icinga CA", caKey, "example.com", GenKeypair(), ShortValidity),
+		String()
+	));
+}
+
+BOOST_AUTO_TEST_CASE(verifycertificate_leafexpired)
+{
+	auto caKey (GenKeypair());
+
+	BOOST_CHECK_THROW(VerifyCertificate(
+		MakeCert("Icinga CA", caKey, "Icinga CA", caKey, ShortValidity),
+		MakeCert("Icinga CA", caKey, "example.com", GenKeypair(), ExpiredRecently),
+		String()
+	), openssl_error);
+}
+
+BOOST_AUTO_TEST_CASE(verifycertificate_caexpired)
+{
+	auto caKey (GenKeypair());
+
+	BOOST_CHECK_THROW(VerifyCertificate(
+		MakeCert("Icinga CA", caKey, "Icinga CA", caKey, ExpiredRecently),
+		MakeCert("Icinga CA", caKey, "example.com", GenKeypair(), ShortValidity),
+		String()
+	), openssl_error);
+}
+
+BOOST_AUTO_TEST_CASE(verifycertificate_leafnotyetvalid)
+{
+	auto caKey (GenKeypair());
+
+	BOOST_CHECK_THROW(VerifyCertificate(
+		MakeCert("Icinga CA", caKey, "Icinga CA", caKey, ShortValidity),
+		MakeCert("Icinga CA", caKey, "example.com", GenKeypair(), NotYetValid),
+		String()
+	), openssl_error);
+}
+
+BOOST_AUTO_TEST_CASE(verifycertificate_canotyetvalid)
+{
+	auto caKey (GenKeypair());
+
+	BOOST_CHECK_THROW(VerifyCertificate(
+		MakeCert("Icinga CA", caKey, "Icinga CA", caKey, NotYetValid),
+		MakeCert("Icinga CA", caKey, "example.com", GenKeypair(), ShortValidity),
+		String()
+	), openssl_error);
+}
+
+BOOST_AUTO_TEST_CASE(verifycertificate_issuermismatch)
+{
+	auto caKey (GenKeypair());
+
+	BOOST_CHECK_THROW(VerifyCertificate(
+		MakeCert("Icinga CA", caKey, "Icinga CA", caKey, ShortValidity),
+		MakeCert("Icigna CA", caKey, "example.com", GenKeypair(), ShortValidity),
+		String()
+	), openssl_error);
+}
+
+BOOST_AUTO_TEST_CASE(verifycertificate_sigmismatch)
+{
+	auto caKey (GenKeypair());
+
+	BOOST_CHECK_THROW(VerifyCertificate(
+		MakeCert("Icinga CA", caKey, "Icinga CA", caKey, ShortValidity),
+		MakeCert("Icinga CA", GenKeypair(), "example.com", GenKeypair(), ShortValidity),
+		String()
+	), openssl_error);
+}
+
 BOOST_AUTO_TEST_SUITE_END()