
Commit ed234c3

rjzak authored and rvolosatovs committed
chore: refactor test certs, unit tests
Signed-off-by: Richard Zak <richard@profian.com>
1 parent 5b324f3 commit ed234c3

10 files changed

+118
-112
lines changed


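--- a/Cargo.toml
+++ b/Cargo.toml
@@ -34,6 +34,7 @@ toml = { version = "0.5.9", default-features = false }
 
 [dev-dependencies]
 tower = { version = "^0.4.11", features = ["util"] }
+axum = "^0.5.1"
 http = "^0.2.6"
 memoffset = "0.6.4"
 testaso = "0.1"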

certs/test/crt.der

-436 Bytes
Binary file not shown.

certs/test/key.der

-138 Bytes
Binary file not shown.

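--- a/src/main.rs
+++ b/src/main.rs
@@ -78,6 +78,7 @@ struct Args {
 }
 
 #[derive(Debug)]
+#[cfg_attr(test, derive(Clone))]
 struct State {
     key: Zeroizing<Vec<u8>>,
     crt: Vec<u8>,
@@ -364,19 +365,17 @@ mod tests {
     use x509::request::CertReqInfo;
     use x509::{ext::Extension, name::RdnSequence};
 
+    use axum::response::Response;
     use http::{header::CONTENT_TYPE, Request};
     use hyper::Body;
     use tower::ServiceExt; // for `app.oneshot()`
 
-    const CRT: &[u8] = include_bytes!("../certs/test/crt.der");
-    const KEY: &[u8] = include_bytes!("../certs/test/key.der");
+    fn certificates_state() -> State {
+        State::load(None, "testdata/ca.key", "testdata/ca.crt").unwrap()
+    }
 
-    fn state() -> State {
-        State {
-            key: KEY.to_owned().into(),
-            crt: CRT.into(),
-            san: None,
-        }
+    fn hostname_state() -> State {
+        State::generate(None, "localhost").unwrap()
     }
 
     fn cr(curve: ObjectIdentifier, exts: Vec<Extension<'_>>) -> Vec<u8> {
@@ -403,6 +402,15 @@ mod tests {
         cri.sign(&pki).unwrap()
     }
 
+    async fn attest_response(state: State, response: Response) {
+        let body = hyper::body::to_bytes(response.into_body()).await.unwrap();
+        let path = PkiPath::from_der(&body).unwrap();
+        let issr = Certificate::from_der(&state.crt).unwrap();
+        assert_eq!(2, path.0.len());
+        assert_eq!(issr, path.0[0]);
+        issr.tbs_certificate.verify_crt(&path.0[1]).unwrap();
+    }
+
     #[test]
     fn reencode() {
         let encoded = cr(SECP_256_R_1, vec![]);
@@ -418,7 +426,7 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn kvm() {
+    async fn kvm_certs() {
         let ext = Extension {
             extn_id: Kvm::OID,
             critical: false,
@@ -432,19 +440,59 @@ mod tests {
             .body(Body::from(cr(SECP_256_R_1, vec![ext])))
             .unwrap();
 
-        let response = app(state()).oneshot(request).await.unwrap();
+        let response = app(certificates_state()).oneshot(request).await.unwrap();
         assert_eq!(response.status(), StatusCode::OK);
+        attest_response(certificates_state(), response).await;
+    }
 
-        let body = hyper::body::to_bytes(response.into_body()).await.unwrap();
-        let path = PkiPath::from_der(&body).unwrap();
-        let issr = Certificate::from_der(CRT).unwrap();
-        assert_eq!(2, path.0.len());
-        assert_eq!(issr, path.0[0]);
-        issr.tbs_certificate.verify_crt(&path.0[1]).unwrap();
+    #[tokio::test]
+    async fn kvm_hostname() {
+        let ext = Extension {
+            extn_id: Kvm::OID,
+            critical: false,
+            extn_value: &[],
+        };
+
+        let request = Request::builder()
+            .method("POST")
+            .uri("/")
+            .header(CONTENT_TYPE, PKCS10)
+            .body(Body::from(cr(SECP_256_R_1, vec![ext])))
+            .unwrap();
+
+        let state = hostname_state();
+        let response = app(state.clone()).oneshot(request).await.unwrap();
+        assert_eq!(response.status(), StatusCode::OK);
+        attest_response(state, response).await;
+    }
+
+    #[tokio::test]
+    async fn sgx_certs() {
+        for quote in [
+            include_bytes!("ext/sgx/quote.unknown").as_slice(),
+            include_bytes!("ext/sgx/quote.icelake").as_slice(),
+        ] {
+            let ext = Extension {
+                extn_id: Sgx::OID,
+                critical: false,
+                extn_value: quote,
+            };
+
+            let request = Request::builder()
+                .method("POST")
+                .uri("/")
+                .header(CONTENT_TYPE, PKCS10)
+                .body(Body::from(cr(SECP_256_R_1, vec![ext])))
+                .unwrap();
+
+            let response = app(certificates_state()).oneshot(request).await.unwrap();
+            assert_eq!(response.status(), StatusCode::OK);
+            attest_response(certificates_state(), response).await;
+        }
     }
 
     #[tokio::test]
-    async fn sgx() {
+    async fn sgx_hostname() {
         for quote in [
             include_bytes!("ext/sgx/quote.unknown").as_slice(),
             include_bytes!("ext/sgx/quote.icelake").as_slice(),
@@ -462,20 +510,42 @@ mod tests {
             .body(Body::from(cr(SECP_256_R_1, vec![ext])))
             .unwrap();
 
-        let response = app(state()).oneshot(request).await.unwrap();
+        let state = hostname_state();
+        let response = app(state.clone()).oneshot(request).await.unwrap();
         assert_eq!(response.status(), StatusCode::OK);
+        attest_response(state, response).await;
+        }
+    }
 
-        let body = hyper::body::to_bytes(response.into_body()).await.unwrap();
-        let path = PkiPath::from_der(&body).unwrap();
-        let issr = Certificate::from_der(CRT).unwrap();
-        assert_eq!(2, path.0.len());
-        assert_eq!(issr, path.0[0]);
-        issr.tbs_certificate.verify_crt(&path.0[1]).unwrap();
+    #[tokio::test]
+    async fn snp_certs() {
+        let evidence = ext::snp::Evidence {
+            vcek: Certificate::from_der(include_bytes!("ext/snp/milan.vcek")).unwrap(),
+            report: include_bytes!("ext/snp/milan.rprt"),
         }
+        .to_vec()
+        .unwrap();
+
+        let ext = Extension {
+            extn_id: Snp::OID,
+            critical: false,
+            extn_value: &evidence,
+        };
+
+        let request = Request::builder()
+            .method("POST")
+            .uri("/")
+            .header(CONTENT_TYPE, PKCS10)
+            .body(Body::from(cr(SECP_384_R_1, vec![ext])))
+            .unwrap();
+
+        let response = app(certificates_state()).oneshot(request).await.unwrap();
+        assert_eq!(response.status(), StatusCode::OK);
+        attest_response(certificates_state(), response).await;
     }
 
     #[tokio::test]
-    async fn snp() {
+    async fn snp_hostname() {
         let evidence = ext::snp::Evidence {
             vcek: Certificate::from_der(include_bytes!("ext/snp/milan.vcek")).unwrap(),
             report: include_bytes!("ext/snp/milan.rprt"),
@@ -496,27 +566,35 @@ mod tests {
             .body(Body::from(cr(SECP_384_R_1, vec![ext])))
             .unwrap();
 
-        let response = app(state()).oneshot(request).await.unwrap();
+        let state = hostname_state();
+        let response = app(state.clone()).oneshot(request).await.unwrap();
         assert_eq!(response.status(), StatusCode::OK);
+        attest_response(state, response).await;
+    }
 
-        let body = hyper::body::to_bytes(response.into_body()).await.unwrap();
-        let path = PkiPath::from_der(&body).unwrap();
-        let issr = Certificate::from_der(CRT).unwrap();
-        assert_eq!(2, path.0.len());
-        assert_eq!(issr, path.0[0]);
-        issr.tbs_certificate.verify_crt(&path.0[1]).unwrap();
+    #[tokio::test]
+    async fn err_no_attestation_certs() {
+        let request = Request::builder()
+            .method("POST")
+            .uri("/")
+            .header(CONTENT_TYPE, PKCS10)
+            .body(Body::from(cr(SECP_256_R_1, vec![])))
+            .unwrap();
+
+        let response = app(certificates_state()).oneshot(request).await.unwrap();
+        assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
     }
 
     #[tokio::test]
-    async fn err_no_attestation() {
+    async fn err_no_attestation_hostname() {
         let request = Request::builder()
             .method("POST")
             .uri("/")
             .header(CONTENT_TYPE, PKCS10)
             .body(Body::from(cr(SECP_256_R_1, vec![])))
             .unwrap();
 
-        let response = app(state()).oneshot(request).await.unwrap();
+        let response = app(hostname_state()).oneshot(request).await.unwrap();
         assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
     }
 
@@ -528,7 +606,7 @@ mod tests {
             .body(Body::from(cr(SECP_256_R_1, vec![])))
             .unwrap();
 
-        let response = app(state()).oneshot(request).await.unwrap();
+        let response = app(certificates_state()).oneshot(request).await.unwrap();
         assert_eq!(response.status(), StatusCode::BAD_REQUEST);
     }
 
@@ -541,7 +619,7 @@ mod tests {
             .body(Body::from(cr(SECP_256_R_1, vec![])))
             .unwrap();
 
-        let response = app(state()).oneshot(request).await.unwrap();
+        let response = app(certificates_state()).oneshot(request).await.unwrap();
         assert_eq!(response.status(), StatusCode::BAD_REQUEST);
     }
 
@@ -554,7 +632,7 @@ mod tests {
             .body(Body::empty())
             .unwrap();
 
-        let response = app(state()).oneshot(request).await.unwrap();
+        let response = app(certificates_state()).oneshot(request).await.unwrap();
         assert_eq!(response.status(), StatusCode::BAD_REQUEST);
     }
 
@@ -567,7 +645,7 @@ mod tests {
             .body(Body::from(vec![0x01, 0x02, 0x03, 0x04]))
             .unwrap();
 
-        let response = app(state()).oneshot(request).await.unwrap();
+        let response = app(certificates_state()).oneshot(request).await.unwrap();
         assert_eq!(response.status(), StatusCode::BAD_REQUEST);
     }
 
@@ -584,7 +662,7 @@ mod tests {
             .body(Body::from(cr))
             .unwrap();
 
-        let response = app(state()).oneshot(request).await.unwrap();
+        let response = app(certificates_state()).oneshot(request).await.unwrap();
         assert_eq!(response.status(), StatusCode::BAD_REQUEST);
     }
 }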
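Review bot: The new `*_certs` / `*_hostname` tests only prove that genuine SGX quotes and SNP reports are accepted; nothing in the hunk shows that tampered evidence is rejected, which is the property an attestation CA actually has to guarantee, and the only negative cases (`err_no_attestation_*`) cover a missing extension rather than a forged one. A test that corrupts one byte of a fixture quote and asserts a non-OK status (presumably `UNAUTHORIZED`, matching the no-attestation tests, but the exact status depends on handler code outside this hunk) would pin that down. Two smaller points: `attest_response` checks chain length and the issuer signature but never inspects the issued leaf's subject, SAN, or that it carries the CSR's public key, so a consider adding at least a subject-public-key comparison once `cr()` exposes its key; and `kvm_certs`/`sgx_certs`/`snp_certs` call `certificates_state()` twice (two disk loads of `testdata/ca.key`) where the `*_hostname` tests use `state.clone()` — the same `let state = certificates_state();` pattern would be consistent. Since `testdata/ca.key` is now a checked-in CA private key, a comment on `certificates_state()` such as `// Test-only CA key pair committed to the repo; never reuse outside `cargo test`.` is worth adding.

```rust
#[tokio::test]
async fn err_tampered_sgx_quote() {
    let mut quote = include_bytes!("ext/sgx/quote.icelake").to_vec();
    quote[quote.len() / 2] ^= 0xff; // corrupt the quote body; its signature must no longer verify
    let ext = Extension {
        extn_id: Sgx::OID,
        critical: false,
        extn_value: &quote,
    };
    // … unchanged: build the POST request exactly as in sgx_certs …
    let response = app(certificates_state()).oneshot(request).await.unwrap();
    assert_ne!(response.status(), StatusCode::OK);
}
```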

testdata/ca.srl

Lines changed: 0 additions & 1 deletion
This file was deleted.

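--- a/testdata/generate.sh
+++ b/testdata/generate.sh
@@ -8,18 +8,3 @@ printf "\nGenerating CA certificate\n"
 openssl req -new -x509 -config ca.conf -key ca.key -out ca.crt
 printf "\nCA "
 openssl x509 -noout -text -in ca.crt
-
-printf "\nGenerating Server key\n"
-openssl ecparam -genkey -name prime256v1 | openssl pkcs8 -topk8 -nocrypt -out server.key
-printf "\nServer "
-openssl pkey -noout -text -in server.key
-
-printf "\nGenerating Server Certificate Signing Request\n"
-openssl req -new -config server.conf -key server.key -out server.csr
-printf "\nServer "
-openssl req -text -in server.csr
-
-printf "\nGenerating Server Certificate\n"
-openssl x509 -req -days 9999 -CAcreateserial -CA ca.crt -CAkey ca.key -in server.csr -out server.crt -extfile server.conf -extensions server_crt
-printf "\nServer "
-openssl x509 -noout -text -in server.crt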

testdata/server.conf

Lines changed: 0 additions & 28 deletions
This file was deleted.

testdata/server.crt

Lines changed: 0 additions & 14 deletions
This file was deleted.

testdata/server.csr

Lines changed: 0 additions & 10 deletions
This file was deleted.

testdata/server.key

Lines changed: 0 additions & 5 deletions
This file was deleted.
