diff options
author | Nat Goodspeed <nat@lindenlab.com> | 2024-06-20 12:28:09 -0400 |
---|---|---|
committer | Nat Goodspeed <nat@lindenlab.com> | 2024-06-20 12:28:09 -0400 |
commit | d110358472b83f2f31d60ea0d76f1b426a087f56 (patch) | |
tree | 83617196e7d444c1063075e4a4c50fe19490a4ce /indra/newview/tests/llsechandler_basic_test.cpp | |
parent | bb1f3f08cf93facbf926e57384674441be7e2884 (diff) | |
parent | e92689063bdbe34907348a12f1db39bc81132783 (diff) |
Merge branch 'release/luau-scripting' into lua-speedometer-demo
Diffstat (limited to 'indra/newview/tests/llsechandler_basic_test.cpp')
-rw-r--r-- | indra/newview/tests/llsechandler_basic_test.cpp | 1572 |
1 files changed, 786 insertions, 786 deletions
diff --git a/indra/newview/tests/llsechandler_basic_test.cpp b/indra/newview/tests/llsechandler_basic_test.cpp index da742370fc..bfe32406cb 100644 --- a/indra/newview/tests/llsechandler_basic_test.cpp +++ b/indra/newview/tests/llsechandler_basic_test.cpp @@ -1,4 +1,4 @@ -/** +/** * @file llsechandler_basic_test.cpp * @author Roxie * @date 2009-02-10 @@ -7,21 +7,21 @@ * $LicenseInfo:firstyear=2005&license=viewerlgpl$ * Second Life Viewer Source Code * Copyright (C) 2010, Linden Research, Inc. - * + * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; * version 2.1 of the License only. - * + * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. - * + * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - * + * * Linden Research, Inc., 945 Battery Street, San Francisco, CA 94111 USA * $/LicenseInfo$ */ @@ -66,8 +66,8 @@ ensure("Exception cert is incorrect for " str, valueCompareLLSD(except.getCertDa extern bool _cert_hostname_wildcard_match(const std::string& hostname, const std::string& wildcard_string); -//---------------------------------------------------------------------------- -// Mock objects for the dependencies of the code we're testing +//---------------------------------------------------------------------------- +// Mock objects for the dependencies of the code we're testing std::string gFirstName; std::string gLastName; @@ -82,11 +82,11 @@ void LLControlGroup::setString(const std::string& name, const std::string& val){ std::string LLControlGroup::getString(const std::string& name) { - if (name == "FirstName") - return gFirstName; - else if (name == "LastName") - return gLastName; - return ""; + if (name == "FirstName") + return gFirstName; + else if (name == "LastName") + return gLastName; + return ""; } // Stub for --no-verify-ssl-cert @@ -94,13 +94,13 @@ BOOL LLControlGroup::getBOOL(const std::string& name) { return FALSE; } LLSD LLCredential::getLoginParams() { - LLSD result = LLSD::emptyMap(); - - // legacy credential - result["passwd"] = "$1$testpasssd"; - result["first"] = "myfirst"; - result["last"] ="mylast"; - return result; + LLSD result = LLSD::emptyMap(); + + // legacy credential + result["passwd"] = "$1$testpasssd"; + result["first"] = "myfirst"; + result["last"] ="mylast"; + return result; } void LLCredential::identifierType(std::string &idType) @@ -118,15 +118,15 @@ unsigned char gMACAddress[MAC_ADDRESS_BYTES] = {77,21,46,31,89,2}; S32 LLMachineID::getUniqueID(unsigned char *unique_id, size_t len) { - memcpy(unique_id, gMACAddress, len); - return 1; + memcpy(unique_id, gMACAddress, len); + return 1; } S32 LLMachineID::getLegacyID(unsigned char *unique_id, size_t len) { return 0; } S32 LLMachineID::init() { return 1; } - + LLCertException::LLCertException(const LLSD& cert_data, const std::string& msg) : LLException(msg), @@ -356,7 +356,7 @@ namespace tut "qCSO341jpZaEv/+LfkZ68MdzfHCK9RfQrMiJHteJQg9NZsTYuzaorsrhz+KI9s+w\n" "REpfgVBL1iiBzWzw7OYJCPJZkaJprMeB+qthPttv9n/bGp65XczMM/qVxveNSzDz\n" "-----END CERTIFICATE-----\n" - ); + ); const std::string mPemIntermediateCert( "Certificate:\n" @@ -607,73 +607,73 @@ namespace tut "BdUpK78NAw7pXivdCRj+XjBh\n" "-----END CERTIFICATE-----\n" ); - - // Test wrapper declaration : wrapping nothing for the moment - struct sechandler_basic_test - { - X509 *mX509TestCert, *mX509RootCert, *mX509IntermediateCert, *mX509ChildCert; + + // Test wrapper declaration : wrapping nothing for the moment + struct sechandler_basic_test + { + X509 *mX509TestCert, *mX509RootCert, *mX509IntermediateCert, *mX509ChildCert; LLSD mValidationDate; - - sechandler_basic_test() - { + + sechandler_basic_test() + { LLMachineID::init(); - OpenSSL_add_all_algorithms(); - OpenSSL_add_all_ciphers(); - OpenSSL_add_all_digests(); - ERR_load_crypto_strings(); - gFirstName = ""; - gLastName = ""; + OpenSSL_add_all_algorithms(); + OpenSSL_add_all_ciphers(); + OpenSSL_add_all_digests(); + ERR_load_crypto_strings(); + gFirstName = ""; + gLastName = ""; mValidationDate[CERT_VALIDATION_DATE] = LLDate("2017-04-11T00:00:00.00Z"); - LLFile::remove("test_password.dat"); - LLFile::remove("sechandler_settings.tmp"); + LLFile::remove("test_password.dat"); + LLFile::remove("sechandler_settings.tmp"); - mX509TestCert = NULL; - mX509RootCert = NULL; - mX509IntermediateCert = NULL; - mX509ChildCert = NULL; + mX509TestCert = NULL; + mX509RootCert = NULL; + mX509IntermediateCert = NULL; + mX509ChildCert = NULL; // Read each of the 4 Pem certs and store in mX509*Cert pointers - BIO * validation_bio; - validation_bio = BIO_new_mem_buf((void*)mPemTestCert.c_str(), mPemTestCert.length()); - PEM_read_bio_X509(validation_bio, &mX509TestCert, 0, NULL); - BIO_free(validation_bio); - - validation_bio = BIO_new_mem_buf((void*)mPemRootCert.c_str(), mPemRootCert.length()); - PEM_read_bio_X509(validation_bio, &mX509RootCert, 0, NULL); - BIO_free(validation_bio); - - validation_bio = BIO_new_mem_buf((void*)mPemIntermediateCert.c_str(), mPemIntermediateCert.length()); - PEM_read_bio_X509(validation_bio, &mX509IntermediateCert, 0, NULL); - BIO_free(validation_bio); - - validation_bio = BIO_new_mem_buf((void*)mPemChildCert.c_str(), mPemChildCert.length()); - PEM_read_bio_X509(validation_bio, &mX509ChildCert, 0, NULL); - BIO_free(validation_bio); - } - ~sechandler_basic_test() - { - LLFile::remove("test_password.dat"); - LLFile::remove("sechandler_settings.tmp"); - LLFile::remove("mycertstore.pem"); - X509_free(mX509TestCert); - X509_free(mX509RootCert); - X509_free(mX509IntermediateCert); - X509_free(mX509ChildCert); - } - }; - - // Tut templating thingamagic: test group, object and test instance - typedef test_group<sechandler_basic_test> sechandler_basic_test_factory; - typedef sechandler_basic_test_factory::object sechandler_basic_test_object; - tut::sechandler_basic_test_factory tut_test("LLSecHandler"); - - // --------------------------------------------------------------------------------------- - // Test functions - // --------------------------------------------------------------------------------------- - // test cert data retrieval - template<> template<> - void sechandler_basic_test_object::test<1>() - { + BIO * validation_bio; + validation_bio = BIO_new_mem_buf((void*)mPemTestCert.c_str(), mPemTestCert.length()); + PEM_read_bio_X509(validation_bio, &mX509TestCert, 0, NULL); + BIO_free(validation_bio); + + validation_bio = BIO_new_mem_buf((void*)mPemRootCert.c_str(), mPemRootCert.length()); + PEM_read_bio_X509(validation_bio, &mX509RootCert, 0, NULL); + BIO_free(validation_bio); + + validation_bio = BIO_new_mem_buf((void*)mPemIntermediateCert.c_str(), mPemIntermediateCert.length()); + PEM_read_bio_X509(validation_bio, &mX509IntermediateCert, 0, NULL); + BIO_free(validation_bio); + + validation_bio = BIO_new_mem_buf((void*)mPemChildCert.c_str(), mPemChildCert.length()); + PEM_read_bio_X509(validation_bio, &mX509ChildCert, 0, NULL); + BIO_free(validation_bio); + } + ~sechandler_basic_test() + { + LLFile::remove("test_password.dat"); + LLFile::remove("sechandler_settings.tmp"); + LLFile::remove("mycertstore.pem"); + X509_free(mX509TestCert); + X509_free(mX509RootCert); + X509_free(mX509IntermediateCert); + X509_free(mX509ChildCert); + } + }; + + // Tut templating thingamagic: test group, object and test instance + typedef test_group<sechandler_basic_test> sechandler_basic_test_factory; + typedef sechandler_basic_test_factory::object sechandler_basic_test_object; + tut::sechandler_basic_test_factory tut_test("LLSecHandler"); + + // --------------------------------------------------------------------------------------- + // Test functions + // --------------------------------------------------------------------------------------- + // test cert data retrieval + template<> template<> + void sechandler_basic_test_object::test<1>() + { try { LLPointer<LLBasicCertificate> test_cert(new LLBasicCertificate(mPemTestCert, &mValidationDate)); @@ -690,729 +690,729 @@ namespace tut fail("other exception"); } } - + template<> template<> void sechandler_basic_test_object::test<2>() { - LLPointer<LLCertificate> test_cert(new LLBasicCertificate(mPemChildCert, &mValidationDate)); - - LLSD llsd_cert; - test_cert->getLLSD(llsd_cert); - //std::ostringstream llsd_value; - //llsd_value << LLSDOStreamer<LLSDNotationFormatter>(llsd_cert) << std::endl; - LL_DEBUGS() << "test 1 cert " << llsd_cert << LL_ENDL; - - ensure_equals("Issuer Name/commonName", (std::string)llsd_cert["issuer_name"]["commonName"], "Integration Test Intermediate CA"); - ensure_equals("Issuer Name/countryName", (std::string)llsd_cert["issuer_name"]["countryName"], "US"); - ensure_equals("Issuer Name/state", (std::string)llsd_cert["issuer_name"]["stateOrProvinceName"], "California"); - ensure_equals("Issuer Name/org name", (std::string)llsd_cert["issuer_name"]["organizationName"], "Linden Lab"); - ensure_equals("Issuer Name/org unit", (std::string)llsd_cert["issuer_name"]["organizationalUnitName"], "Second Life Engineering"); - ensure_equals("Issuer name string", (std::string)llsd_cert["issuer_name_string"], + LLPointer<LLCertificate> test_cert(new LLBasicCertificate(mPemChildCert, &mValidationDate)); + + LLSD llsd_cert; + test_cert->getLLSD(llsd_cert); + //std::ostringstream llsd_value; + //llsd_value << LLSDOStreamer<LLSDNotationFormatter>(llsd_cert) << std::endl; + LL_DEBUGS() << "test 1 cert " << llsd_cert << LL_ENDL; + + ensure_equals("Issuer Name/commonName", (std::string)llsd_cert["issuer_name"]["commonName"], "Integration Test Intermediate CA"); + ensure_equals("Issuer Name/countryName", (std::string)llsd_cert["issuer_name"]["countryName"], "US"); + ensure_equals("Issuer Name/state", (std::string)llsd_cert["issuer_name"]["stateOrProvinceName"], "California"); + ensure_equals("Issuer Name/org name", (std::string)llsd_cert["issuer_name"]["organizationName"], "Linden Lab"); + ensure_equals("Issuer Name/org unit", (std::string)llsd_cert["issuer_name"]["organizationalUnitName"], "Second Life Engineering"); + ensure_equals("Issuer name string", (std::string)llsd_cert["issuer_name_string"], "emailAddress=noreply@lindenlab.com,CN=Integration Test Intermediate CA,OU=Second Life Engineering,O=Linden Lab,ST=California,C=US"); - ensure_equals("subject Name/commonName", (std::string)llsd_cert["subject_name"]["commonName"], + ensure_equals("subject Name/commonName", (std::string)llsd_cert["subject_name"]["commonName"], "Integration Test Server Cert"); - ensure_equals("subject Name/countryName", (std::string)llsd_cert["subject_name"]["countryName"], "US"); - ensure_equals("subject Name/state", (std::string)llsd_cert["subject_name"]["stateOrProvinceName"], "California"); - ensure_equals("subject Name/localityName", (std::string)llsd_cert["subject_name"]["localityName"], "San Francisco"); - ensure_equals("subject Name/org name", (std::string)llsd_cert["subject_name"]["organizationName"], "Linden Lab"); - ensure_equals("subjectName/org unit", - (std::string)llsd_cert["subject_name"]["organizationalUnitName"], "Second Life Engineering"); - - ensure_equals("subject name string", - (std::string)llsd_cert["subject_name_string"], + ensure_equals("subject Name/countryName", (std::string)llsd_cert["subject_name"]["countryName"], "US"); + ensure_equals("subject Name/state", (std::string)llsd_cert["subject_name"]["stateOrProvinceName"], "California"); + ensure_equals("subject Name/localityName", (std::string)llsd_cert["subject_name"]["localityName"], "San Francisco"); + ensure_equals("subject Name/org name", (std::string)llsd_cert["subject_name"]["organizationName"], "Linden Lab"); + ensure_equals("subjectName/org unit", + (std::string)llsd_cert["subject_name"]["organizationalUnitName"], "Second Life Engineering"); + + ensure_equals("subject name string", + (std::string)llsd_cert["subject_name_string"], "emailAddress=noreply@lindenlab.com,CN=Integration Test Server Cert,OU=Second Life Engineering,O=Linden Lab,L=San Francisco,ST=California,C=US"); - ensure_equals("serial number", (std::string)llsd_cert["serial_number"], "1000"); - ensure_equals("valid from", (std::string)llsd_cert["valid_from"], "2018-05-22T22:58:15Z"); - ensure_equals("valid to", (std::string)llsd_cert["valid_to"], "2024-07-19T22:58:15Z"); - LLSD expectedKeyUsage = LLSD::emptyArray(); - expectedKeyUsage.append(LLSD((std::string)"digitalSignature")); - expectedKeyUsage.append(LLSD((std::string)"keyEncipherment")); - ensure("key usage", valueCompareLLSD(llsd_cert["keyUsage"], expectedKeyUsage)); - ensure_equals("basic constraints", llsd_cert["basicConstraints"]["CA"].asInteger(), 0); - - ensure("x509 is equal", !X509_cmp(mX509ChildCert, test_cert->getOpenSSLX509())); - } - - - // test protected data - template<> template<> - void sechandler_basic_test_object::test<3>() - { - std::string protected_data = "sUSh3wj77NG9oAMyt3XIhaej3KLZhLZWFZvI6rIGmwUUOmmelrRg0NI9rkOj8ZDpTPxpwToaBT5u" - "GQhakdaGLJznr9bHr4/6HIC1bouKj4n2rs4TL6j2WSjto114QdlNfLsE8cbbE+ghww58g8SeyLQO" - "nyzXoz+/PBz0HD5SMFDuObccoPW24gmqYySz8YoEWhSwO0pUtEEqOjVRsAJgF5wLAtJZDeuilGsq" - "4ZT9Y4wZ9Rh8nnF3fDUL6IGamHe1ClXM1jgBu10F6UMhZbnH4C3aJ2E9+LiOntU+l3iCb2MpkEpr" - "82r2ZAMwIrpnirL/xoYoyz7MJQYwUuMvBPToZJrxNSsjI+S2Z+I3iEJAELMAAA=="; - - std::vector<U8> binary_data(apr_base64_decode_len(protected_data.c_str())); - apr_base64_decode_binary(&binary_data[0], protected_data.c_str()); - - LLXORCipher cipher(gMACAddress, MAC_ADDRESS_BYTES); - cipher.decrypt(&binary_data[0], 16); - unsigned char unique_id[MAC_ADDRESS_BYTES]; + ensure_equals("serial number", (std::string)llsd_cert["serial_number"], "1000"); + ensure_equals("valid from", (std::string)llsd_cert["valid_from"], "2018-05-22T22:58:15Z"); + ensure_equals("valid to", (std::string)llsd_cert["valid_to"], "2024-07-19T22:58:15Z"); + LLSD expectedKeyUsage = LLSD::emptyArray(); + expectedKeyUsage.append(LLSD((std::string)"digitalSignature")); + expectedKeyUsage.append(LLSD((std::string)"keyEncipherment")); + ensure("key usage", valueCompareLLSD(llsd_cert["keyUsage"], expectedKeyUsage)); + ensure_equals("basic constraints", llsd_cert["basicConstraints"]["CA"].asInteger(), 0); + + ensure("x509 is equal", !X509_cmp(mX509ChildCert, test_cert->getOpenSSLX509())); + } + + + // test protected data + template<> template<> + void sechandler_basic_test_object::test<3>() + { + std::string protected_data = "sUSh3wj77NG9oAMyt3XIhaej3KLZhLZWFZvI6rIGmwUUOmmelrRg0NI9rkOj8ZDpTPxpwToaBT5u" + "GQhakdaGLJznr9bHr4/6HIC1bouKj4n2rs4TL6j2WSjto114QdlNfLsE8cbbE+ghww58g8SeyLQO" + "nyzXoz+/PBz0HD5SMFDuObccoPW24gmqYySz8YoEWhSwO0pUtEEqOjVRsAJgF5wLAtJZDeuilGsq" + "4ZT9Y4wZ9Rh8nnF3fDUL6IGamHe1ClXM1jgBu10F6UMhZbnH4C3aJ2E9+LiOntU+l3iCb2MpkEpr" + "82r2ZAMwIrpnirL/xoYoyz7MJQYwUuMvBPToZJrxNSsjI+S2Z+I3iEJAELMAAA=="; + + std::vector<U8> binary_data(apr_base64_decode_len(protected_data.c_str())); + apr_base64_decode_binary(&binary_data[0], protected_data.c_str()); + + LLXORCipher cipher(gMACAddress, MAC_ADDRESS_BYTES); + cipher.decrypt(&binary_data[0], 16); + unsigned char unique_id[MAC_ADDRESS_BYTES]; LLMachineID::getUniqueID(unique_id, sizeof(unique_id)); - LLXORCipher cipher2(unique_id, sizeof(unique_id)); - cipher2.encrypt(&binary_data[0], 16); - std::ofstream temp_file("sechandler_settings.tmp", std::ofstream::binary); - temp_file.write((const char *)&binary_data[0], binary_data.size()); - temp_file.close(); - - LLPointer<LLSecAPIBasicHandler> handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", - "test_password.dat"); - handler->init(); - // data retrieval for existing data - LLSD data = handler->getProtectedData("test_data_type", "test_data_id"); - - - ensure_equals("retrieve existing data1", (std::string)data["data1"], "test_data_1"); - ensure_equals("retrieve existing data2", (std::string)data["data2"], "test_data_2"); - ensure_equals("retrieve existing data3", (std::string)data["data3"]["elem1"], "test element1"); - - // data storage - LLSD store_data = LLSD::emptyMap(); - store_data["store_data1"] = "test_store_data1"; - store_data["store_data2"] = 27; - store_data["store_data3"] = LLSD::emptyMap(); - store_data["store_data3"]["subelem1"] = "test_subelem1"; - - handler->setProtectedData("test_data_type", "test_data_id1", store_data); - data = handler->getProtectedData("test_data_type", "test_data_id"); - - data = handler->getProtectedData("test_data_type", "test_data_id"); - // verify no overwrite of existing data - ensure_equals("verify no overwrite 1", (std::string)data["data1"], "test_data_1"); - ensure_equals("verify no overwrite 2", (std::string)data["data2"], "test_data_2"); - ensure_equals("verify no overwrite 3", (std::string)data["data3"]["elem1"], "test element1"); - - // verify written data is good - data = handler->getProtectedData("test_data_type", "test_data_id1"); - ensure_equals("verify stored data1", (std::string)data["store_data1"], "test_store_data1"); - ensure_equals("verify stored data2", (int)data["store_data2"], 27); - ensure_equals("verify stored data3", (std::string)data["store_data3"]["subelem1"], "test_subelem1"); - - // verify overwrite works - handler->setProtectedData("test_data_type", "test_data_id", store_data); - data = handler->getProtectedData("test_data_type", "test_data_id"); - ensure_equals("verify overwrite stored data1", (std::string)data["store_data1"], "test_store_data1"); - ensure_equals("verify overwrite stored data2", (int)data["store_data2"], 27); - ensure_equals("verify overwrite stored data3", (std::string)data["store_data3"]["subelem1"], "test_subelem1"); - - // verify other datatype doesn't conflict - store_data["store_data3"] = "test_store_data3"; - store_data["store_data4"] = 28; - store_data["store_data5"] = LLSD::emptyMap(); - store_data["store_data5"]["subelem2"] = "test_subelem2"; - - handler->setProtectedData("test_data_type1", "test_data_id", store_data); - data = handler->getProtectedData("test_data_type1", "test_data_id"); - ensure_equals("verify datatype stored data3", (std::string)data["store_data3"], "test_store_data3"); - ensure_equals("verify datatype stored data4", (int)data["store_data4"], 28); - ensure_equals("verify datatype stored data5", (std::string)data["store_data5"]["subelem2"], "test_subelem2"); - - // test data not found - - data = handler->getProtectedData("test_data_type1", "test_data_not_found"); - ensure("not found", data.isUndefined()); - - // cause a 'write' by using 'LLPointer' to delete then instantiate a handler - handler = NULL; - handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", "test_password.dat"); - handler->init(); - - data = handler->getProtectedData("test_data_type1", "test_data_id"); - ensure_equals("verify datatype stored data3a", (std::string)data["store_data3"], "test_store_data3"); - ensure_equals("verify datatype stored data4a", (int)data["store_data4"], 28); - ensure_equals("verify datatype stored data5a", (std::string)data["store_data5"]["subelem2"], "test_subelem2"); - - // rewrite the initial file to verify reloads - handler = NULL; - std::ofstream temp_file2("sechandler_settings.tmp", std::ofstream::binary); - temp_file2.write((const char *)&binary_data[0], binary_data.size()); - temp_file2.close(); - - // cause a 'write' - handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", "test_password.dat"); - handler->init(); - data = handler->getProtectedData("test_data_type1", "test_data_id"); - ensure("not found", data.isUndefined()); - - handler->deleteProtectedData("test_data_type", "test_data_id"); - ensure("Deleted data not found", handler->getProtectedData("test_data_type", "test_data_id").isUndefined()); - - LLFile::remove("sechandler_settings.tmp"); - handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", "test_password.dat"); - handler->init(); - data = handler->getProtectedData("test_data_type1", "test_data_id"); - ensure("not found", data.isUndefined()); - handler = NULL; - - ensure(LLFile::isfile("sechandler_settings.tmp")); - } - - // test credenitals - template<> template<> - void sechandler_basic_test_object::test<4>() - { - LLPointer<LLSecAPIBasicHandler> handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", "test_password.dat"); - handler->init(); - - LLSD my_id = LLSD::emptyMap(); - LLSD my_authenticator = LLSD::emptyMap(); - my_id["type"] = "test_type"; - my_id["username"] = "testuser@lindenlab.com"; - my_authenticator["type"] = "test_auth"; - my_authenticator["creds"] = "12345"; - - // test creation of credentials - LLPointer<LLCredential> my_cred = handler->createCredential("my_grid", my_id, my_authenticator); - - // test retrieval of credential components - ensure_equals("basic credential creation: identifier", my_id, my_cred->getIdentifier()); - ensure_equals("basic credential creation: authenticator", my_authenticator, my_cred->getAuthenticator()); - ensure_equals("basic credential creation: grid", "my_grid", my_cred->getGrid()); - - // test setting/overwriting of credential components - my_id["first_name"] = "firstname"; - my_id.erase("username"); - my_authenticator.erase("creds"); - my_authenticator["hash"] = "6563245"; - - my_cred->setCredentialData(my_id, my_authenticator); - ensure_equals("set credential data: identifier", my_id, my_cred->getIdentifier()); - ensure_equals("set credential data: authenticator", my_authenticator, my_cred->getAuthenticator()); - ensure_equals("set credential data: grid", "my_grid", my_cred->getGrid()); - - // test loading of a credential, that hasn't been saved, without - // any legacy saved credential data - LLPointer<LLCredential> my_new_cred = handler->loadCredential("my_grid2"); - ensure("unknown credential load test", my_new_cred->getIdentifier().isMap()); - ensure("unknown credential load test", !my_new_cred->getIdentifier().has("type")); - ensure("unknown credential load test", my_new_cred->getAuthenticator().isMap()); - ensure("unknown credential load test", !my_new_cred->getAuthenticator().has("type")); - // test saving of a credential - handler->saveCredential(my_cred, true); - - // test loading of a known credential - my_new_cred = handler->loadCredential("my_grid"); - ensure_equals("load a known credential: identifier", my_id, my_new_cred->getIdentifier()); - ensure_equals("load a known credential: authenticator",my_authenticator, my_new_cred->getAuthenticator()); - ensure_equals("load a known credential: grid", "my_grid", my_cred->getGrid()); - - // test deletion of a credential - handler->deleteCredential(my_new_cred); - - ensure("delete credential: identifier", my_new_cred->getIdentifier().isUndefined()); - ensure("delete credentialt: authenticator", my_new_cred->getIdentifier().isUndefined()); - ensure_equals("delete credential: grid", "my_grid", my_cred->getGrid()); - // load unknown cred - - my_new_cred = handler->loadCredential("my_grid"); - ensure("deleted credential load test", my_new_cred->getIdentifier().isMap()); - ensure("deleted credential load test", !my_new_cred->getIdentifier().has("type")); - ensure("deleted credential load test", my_new_cred->getAuthenticator().isMap()); - ensure("deleted credential load test", !my_new_cred->getAuthenticator().has("type")); - - // test loading of an unknown credential with legacy saved username, but without - // saved password - gFirstName = "myfirstname"; - gLastName = "mylastname"; - my_new_cred = handler->loadCredential("my_legacy_grid"); - ensure_equals("legacy credential with no password: type", - (const std::string)my_new_cred->getIdentifier()["type"], "agent"); - ensure_equals("legacy credential with no password: first_name", - (const std::string)my_new_cred->getIdentifier()["first_name"], "myfirstname"); - ensure_equals("legacy credential with no password: last_name", - (const std::string)my_new_cred->getIdentifier()["last_name"], "mylastname"); - - ensure("legacy credential with no password: no authenticator", my_new_cred->getAuthenticator().isUndefined()); - - // test loading of an unknown credential with legacy saved password and username - - std::string hashed_password = "fSQcLG03eyIWJmkzfyYaKm81dSweLmsxeSAYKGE7fSQ="; - int length = apr_base64_decode_len(hashed_password.c_str()); - std::vector<char> decoded_password(length); - apr_base64_decode(&decoded_password[0], hashed_password.c_str()); - LLXORCipher cipher(gMACAddress, MAC_ADDRESS_BYTES); - cipher.decrypt((U8*)&decoded_password[0], length); - unsigned char unique_id[MAC_ADDRESS_BYTES]; - LLMachineID::getUniqueID(unique_id, sizeof(unique_id)); - LLXORCipher cipher2(unique_id, sizeof(unique_id)); - cipher2.encrypt((U8*)&decoded_password[0], length); - llofstream password_file("test_password.dat", std::ofstream::binary); - password_file.write(&decoded_password[0], length); - password_file.close(); - - my_new_cred = handler->loadCredential("my_legacy_grid2"); - ensure_equals("legacy credential with password: type", - (const std::string)my_new_cred->getIdentifier()["type"], "agent"); - ensure_equals("legacy credential with password: first_name", - (const std::string)my_new_cred->getIdentifier()["first_name"], "myfirstname"); - ensure_equals("legacy credential with password: last_name", - (const std::string)my_new_cred->getIdentifier()["last_name"], "mylastname"); - - LLSD legacy_authenticator = my_new_cred->getAuthenticator(); - ensure_equals("legacy credential with password: type", - (std::string)legacy_authenticator["type"], - "hash"); - ensure_equals("legacy credential with password: algorithm", - (std::string)legacy_authenticator["algorithm"], - "md5"); - ensure_equals("legacy credential with password: algorithm", - (std::string)legacy_authenticator["secret"], - "01234567890123456789012345678901"); - - // test creation of credentials - my_cred = handler->createCredential("mysavedgrid", my_id, my_authenticator); - // test save without saving authenticator. - handler->saveCredential(my_cred, FALSE); - my_new_cred = handler->loadCredential("mysavedgrid"); - ensure_equals("saved credential without auth", - (const std::string)my_new_cred->getIdentifier()["type"], "test_type"); - ensure("no authenticator values were saved", my_new_cred->getAuthenticator().isUndefined()); - } - - // test cert vector - template<> template<> - void sechandler_basic_test_object::test<5>() - { - // validate create from empty vector - LLPointer<LLBasicCertificateVector> test_vector = new LLBasicCertificateVector(); - ensure_equals("when loading with nothing, we should result in no certs in vector", test_vector->size(), 0); - - test_vector->add(new LLBasicCertificate(mPemTestCert, &mValidationDate)); - ensure_equals("one element in vector", test_vector->size(), 1); - test_vector->add(new LLBasicCertificate(mPemChildCert, &mValidationDate)); - ensure_equals("two elements in vector after add", test_vector->size(), 2); - + LLXORCipher cipher2(unique_id, sizeof(unique_id)); + cipher2.encrypt(&binary_data[0], 16); + std::ofstream temp_file("sechandler_settings.tmp", std::ofstream::binary); + temp_file.write((const char *)&binary_data[0], binary_data.size()); + temp_file.close(); + + LLPointer<LLSecAPIBasicHandler> handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", + "test_password.dat"); + handler->init(); + // data retrieval for existing data + LLSD data = handler->getProtectedData("test_data_type", "test_data_id"); + + + ensure_equals("retrieve existing data1", (std::string)data["data1"], "test_data_1"); + ensure_equals("retrieve existing data2", (std::string)data["data2"], "test_data_2"); + ensure_equals("retrieve existing data3", (std::string)data["data3"]["elem1"], "test element1"); + + // data storage + LLSD store_data = LLSD::emptyMap(); + store_data["store_data1"] = "test_store_data1"; + store_data["store_data2"] = 27; + store_data["store_data3"] = LLSD::emptyMap(); + store_data["store_data3"]["subelem1"] = "test_subelem1"; + + handler->setProtectedData("test_data_type", "test_data_id1", store_data); + data = handler->getProtectedData("test_data_type", "test_data_id"); + + data = handler->getProtectedData("test_data_type", "test_data_id"); + // verify no overwrite of existing data + ensure_equals("verify no overwrite 1", (std::string)data["data1"], "test_data_1"); + ensure_equals("verify no overwrite 2", (std::string)data["data2"], "test_data_2"); + ensure_equals("verify no overwrite 3", (std::string)data["data3"]["elem1"], "test element1"); + + // verify written data is good + data = handler->getProtectedData("test_data_type", "test_data_id1"); + ensure_equals("verify stored data1", (std::string)data["store_data1"], "test_store_data1"); + ensure_equals("verify stored data2", (int)data["store_data2"], 27); + ensure_equals("verify stored data3", (std::string)data["store_data3"]["subelem1"], "test_subelem1"); + + // verify overwrite works + handler->setProtectedData("test_data_type", "test_data_id", store_data); + data = handler->getProtectedData("test_data_type", "test_data_id"); + ensure_equals("verify overwrite stored data1", (std::string)data["store_data1"], "test_store_data1"); + ensure_equals("verify overwrite stored data2", (int)data["store_data2"], 27); + ensure_equals("verify overwrite stored data3", (std::string)data["store_data3"]["subelem1"], "test_subelem1"); + + // verify other datatype doesn't conflict + store_data["store_data3"] = "test_store_data3"; + store_data["store_data4"] = 28; + store_data["store_data5"] = LLSD::emptyMap(); + store_data["store_data5"]["subelem2"] = "test_subelem2"; + + handler->setProtectedData("test_data_type1", "test_data_id", store_data); + data = handler->getProtectedData("test_data_type1", "test_data_id"); + ensure_equals("verify datatype stored data3", (std::string)data["store_data3"], "test_store_data3"); + ensure_equals("verify datatype stored data4", (int)data["store_data4"], 28); + ensure_equals("verify datatype stored data5", (std::string)data["store_data5"]["subelem2"], "test_subelem2"); + + // test data not found + + data = handler->getProtectedData("test_data_type1", "test_data_not_found"); + ensure("not found", data.isUndefined()); + + // cause a 'write' by using 'LLPointer' to delete then instantiate a handler + handler = NULL; + handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", "test_password.dat"); + handler->init(); + + data = handler->getProtectedData("test_data_type1", "test_data_id"); + ensure_equals("verify datatype stored data3a", (std::string)data["store_data3"], "test_store_data3"); + ensure_equals("verify datatype stored data4a", (int)data["store_data4"], 28); + ensure_equals("verify datatype stored data5a", (std::string)data["store_data5"]["subelem2"], "test_subelem2"); + + // rewrite the initial file to verify reloads + handler = NULL; + std::ofstream temp_file2("sechandler_settings.tmp", std::ofstream::binary); + temp_file2.write((const char *)&binary_data[0], binary_data.size()); + temp_file2.close(); + + // cause a 'write' + handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", "test_password.dat"); + handler->init(); + data = handler->getProtectedData("test_data_type1", "test_data_id"); + ensure("not found", data.isUndefined()); + + handler->deleteProtectedData("test_data_type", "test_data_id"); + ensure("Deleted data not found", handler->getProtectedData("test_data_type", "test_data_id").isUndefined()); + + LLFile::remove("sechandler_settings.tmp"); + handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", "test_password.dat"); + handler->init(); + data = handler->getProtectedData("test_data_type1", "test_data_id"); + ensure("not found", data.isUndefined()); + handler = NULL; + + ensure(LLFile::isfile("sechandler_settings.tmp")); + } + + // test credenitals + template<> template<> + void sechandler_basic_test_object::test<4>() + { + LLPointer<LLSecAPIBasicHandler> handler = new LLSecAPIBasicHandler("sechandler_settings.tmp", "test_password.dat"); + handler->init(); + + LLSD my_id = LLSD::emptyMap(); + LLSD my_authenticator = LLSD::emptyMap(); + my_id["type"] = "test_type"; + my_id["username"] = "testuser@lindenlab.com"; + my_authenticator["type"] = "test_auth"; + my_authenticator["creds"] = "12345"; + + // test creation of credentials + LLPointer<LLCredential> my_cred = handler->createCredential("my_grid", my_id, my_authenticator); + + // test retrieval of credential components + ensure_equals("basic credential creation: identifier", my_id, my_cred->getIdentifier()); + ensure_equals("basic credential creation: authenticator", my_authenticator, my_cred->getAuthenticator()); + ensure_equals("basic credential creation: grid", "my_grid", my_cred->getGrid()); + + // test setting/overwriting of credential components + my_id["first_name"] = "firstname"; + my_id.erase("username"); + my_authenticator.erase("creds"); + my_authenticator["hash"] = "6563245"; + + my_cred->setCredentialData(my_id, my_authenticator); + ensure_equals("set credential data: identifier", my_id, my_cred->getIdentifier()); + ensure_equals("set credential data: authenticator", my_authenticator, my_cred->getAuthenticator()); + ensure_equals("set credential data: grid", "my_grid", my_cred->getGrid()); + + // test loading of a credential, that hasn't been saved, without + // any legacy saved credential data + LLPointer<LLCredential> my_new_cred = handler->loadCredential("my_grid2"); + ensure("unknown credential load test", my_new_cred->getIdentifier().isMap()); + ensure("unknown credential load test", !my_new_cred->getIdentifier().has("type")); + ensure("unknown credential load test", my_new_cred->getAuthenticator().isMap()); + ensure("unknown credential load test", !my_new_cred->getAuthenticator().has("type")); + // test saving of a credential + handler->saveCredential(my_cred, true); + + // test loading of a known credential + my_new_cred = handler->loadCredential("my_grid"); + ensure_equals("load a known credential: identifier", my_id, my_new_cred->getIdentifier()); + ensure_equals("load a known credential: authenticator",my_authenticator, my_new_cred->getAuthenticator()); + ensure_equals("load a known credential: grid", "my_grid", my_cred->getGrid()); + + // test deletion of a credential + handler->deleteCredential(my_new_cred); + + ensure("delete credential: identifier", my_new_cred->getIdentifier().isUndefined()); + ensure("delete credentialt: authenticator", my_new_cred->getIdentifier().isUndefined()); + ensure_equals("delete credential: grid", "my_grid", my_cred->getGrid()); + // load unknown cred + + my_new_cred = handler->loadCredential("my_grid"); + ensure("deleted credential load test", my_new_cred->getIdentifier().isMap()); + ensure("deleted credential load test", !my_new_cred->getIdentifier().has("type")); + ensure("deleted credential load test", my_new_cred->getAuthenticator().isMap()); + ensure("deleted credential load test", !my_new_cred->getAuthenticator().has("type")); + + // test loading of an unknown credential with legacy saved username, but without + // saved password + gFirstName = "myfirstname"; + gLastName = "mylastname"; + my_new_cred = handler->loadCredential("my_legacy_grid"); + ensure_equals("legacy credential with no password: type", + (const std::string)my_new_cred->getIdentifier()["type"], "agent"); + ensure_equals("legacy credential with no password: first_name", + (const std::string)my_new_cred->getIdentifier()["first_name"], "myfirstname"); + ensure_equals("legacy credential with no password: last_name", + (const std::string)my_new_cred->getIdentifier()["last_name"], "mylastname"); + + ensure("legacy credential with no password: no authenticator", my_new_cred->getAuthenticator().isUndefined()); + + // test loading of an unknown credential with legacy saved password and username + + std::string hashed_password = "fSQcLG03eyIWJmkzfyYaKm81dSweLmsxeSAYKGE7fSQ="; + int length = apr_base64_decode_len(hashed_password.c_str()); + std::vector<char> decoded_password(length); + apr_base64_decode(&decoded_password[0], hashed_password.c_str()); + LLXORCipher cipher(gMACAddress, MAC_ADDRESS_BYTES); + cipher.decrypt((U8*)&decoded_password[0], length); + unsigned char unique_id[MAC_ADDRESS_BYTES]; + LLMachineID::getUniqueID(unique_id, sizeof(unique_id)); + LLXORCipher cipher2(unique_id, sizeof(unique_id)); + cipher2.encrypt((U8*)&decoded_password[0], length); + llofstream password_file("test_password.dat", std::ofstream::binary); + password_file.write(&decoded_password[0], length); + password_file.close(); + + my_new_cred = handler->loadCredential("my_legacy_grid2"); + ensure_equals("legacy credential with password: type", + (const std::string)my_new_cred->getIdentifier()["type"], "agent"); + ensure_equals("legacy credential with password: first_name", + (const std::string)my_new_cred->getIdentifier()["first_name"], "myfirstname"); + ensure_equals("legacy credential with password: last_name", + (const std::string)my_new_cred->getIdentifier()["last_name"], "mylastname"); + + LLSD legacy_authenticator = my_new_cred->getAuthenticator(); + ensure_equals("legacy credential with password: type", + (std::string)legacy_authenticator["type"], + "hash"); + ensure_equals("legacy credential with password: algorithm", + (std::string)legacy_authenticator["algorithm"], + "md5"); + ensure_equals("legacy credential with password: algorithm", + (std::string)legacy_authenticator["secret"], + "01234567890123456789012345678901"); + + // test creation of credentials + my_cred = handler->createCredential("mysavedgrid", my_id, my_authenticator); + // test save without saving authenticator. + handler->saveCredential(my_cred, FALSE); + my_new_cred = handler->loadCredential("mysavedgrid"); + ensure_equals("saved credential without auth", + (const std::string)my_new_cred->getIdentifier()["type"], "test_type"); + ensure("no authenticator values were saved", my_new_cred->getAuthenticator().isUndefined()); + } + + // test cert vector + template<> template<> + void sechandler_basic_test_object::test<5>() + { + // validate create from empty vector + LLPointer<LLBasicCertificateVector> test_vector = new LLBasicCertificateVector(); + ensure_equals("when loading with nothing, we should result in no certs in vector", test_vector->size(), 0); + + test_vector->add(new LLBasicCertificate(mPemTestCert, &mValidationDate)); + ensure_equals("one element in vector", test_vector->size(), 1); + test_vector->add(new LLBasicCertificate(mPemChildCert, &mValidationDate)); + ensure_equals("two elements in vector after add", test_vector->size(), 2); + // add duplicate; should be a no-op (and log at DEBUG level) - test_vector->add(new LLBasicCertificate(mPemChildCert, &mValidationDate)); - ensure_equals("two elements in vector after re-add", test_vector->size(), 2); - - // validate order - X509* test_cert = (*test_vector)[0]->getOpenSSLX509(); - ensure("first cert added remains first cert", !X509_cmp(test_cert, mX509TestCert)); - X509_free(test_cert); - - test_cert = (*test_vector)[1]->getOpenSSLX509(); - ensure("second cert is second cert", !X509_cmp(test_cert, mX509ChildCert)); - X509_free(test_cert); - - // - // validate iterator - // - LLBasicCertificateVector::iterator current_cert = test_vector->begin(); - LLBasicCertificateVector::iterator copy_current_cert = current_cert; - // operator++(int) - ensure("validate iterator++ element in vector is expected cert", *current_cert++ == (*test_vector)[0]); - ensure("validate 2nd iterator++ element in vector is expected cert", *current_cert++ == (*test_vector)[1]); - ensure("validate end iterator++", current_cert == test_vector->end()); - - // copy - ensure("validate copy iterator element in vector is expected cert", *copy_current_cert == (*test_vector)[0]); - - // operator--(int) - current_cert--; - ensure("validate iterator-- element in vector is expected cert", *current_cert-- == (*test_vector)[1]); - ensure("validate iterator-- element in vector is expected cert", *current_cert == (*test_vector)[0]); - - ensure("begin iterator is equal", current_cert == test_vector->begin()); - - // operator++ - ensure("validate ++iterator element in vector is expected cert", *++current_cert == (*test_vector)[1]); - ensure("end of cert vector after ++iterator", ++current_cert == test_vector->end()); - // operator-- - ensure("validate --iterator element in vector is expected cert", *--current_cert == (*test_vector)[1]); - ensure("validate 2nd --iterator element in vector is expected cert", *--current_cert == (*test_vector)[0]); - - test_vector->erase(test_vector->begin()); - ensure_equals("one element in store after remove", test_vector->size(), 1); - test_cert = (*test_vector)[0]->getOpenSSLX509(); - ensure("Child cert remains", !X509_cmp(test_cert, mX509ChildCert)); - X509_free(test_cert); - - // validate insert - test_vector->insert(test_vector->begin(), new LLBasicCertificate(mPemIntermediateCert, &mValidationDate)); - test_cert = (*test_vector)[0]->getOpenSSLX509(); - ensure_equals("two elements in store after insert", test_vector->size(), 2); - ensure("validate intermediate cert was inserted at first position", !X509_cmp(test_cert, mX509IntermediateCert)); - X509_free(test_cert); - test_cert = (*test_vector)[1]->getOpenSSLX509(); - ensure("validate child cert still there", !X509_cmp(test_cert, mX509ChildCert)); - X509_free(test_cert); - - //validate find - LLSD find_info = LLSD::emptyMap(); - find_info["subjectKeyIdentifier"] = "bb:59:9f:de:6b:51:a7:6c:b3:6d:5b:8b:42:f7:b1:65:77:17:a4:e4"; - LLBasicCertificateVector::iterator found_cert = test_vector->find(find_info); - ensure("found some cert", found_cert != test_vector->end()); + test_vector->add(new LLBasicCertificate(mPemChildCert, &mValidationDate)); + ensure_equals("two elements in vector after re-add", test_vector->size(), 2); + + // validate order + X509* test_cert = (*test_vector)[0]->getOpenSSLX509(); + ensure("first cert added remains first cert", !X509_cmp(test_cert, mX509TestCert)); + X509_free(test_cert); + + test_cert = (*test_vector)[1]->getOpenSSLX509(); + ensure("second cert is second cert", !X509_cmp(test_cert, mX509ChildCert)); + X509_free(test_cert); + + // + // validate iterator + // + LLBasicCertificateVector::iterator current_cert = test_vector->begin(); + LLBasicCertificateVector::iterator copy_current_cert = current_cert; + // operator++(int) + ensure("validate iterator++ element in vector is expected cert", *current_cert++ == (*test_vector)[0]); + ensure("validate 2nd iterator++ element in vector is expected cert", *current_cert++ == (*test_vector)[1]); + ensure("validate end iterator++", current_cert == test_vector->end()); + + // copy + ensure("validate copy iterator element in vector is expected cert", *copy_current_cert == (*test_vector)[0]); + + // operator--(int) + current_cert--; + ensure("validate iterator-- element in vector is expected cert", *current_cert-- == (*test_vector)[1]); + ensure("validate iterator-- element in vector is expected cert", *current_cert == (*test_vector)[0]); + + ensure("begin iterator is equal", current_cert == test_vector->begin()); + + // operator++ + ensure("validate ++iterator element in vector is expected cert", *++current_cert == (*test_vector)[1]); + ensure("end of cert vector after ++iterator", ++current_cert == test_vector->end()); + // operator-- + ensure("validate --iterator element in vector is expected cert", *--current_cert == (*test_vector)[1]); + ensure("validate 2nd --iterator element in vector is expected cert", *--current_cert == (*test_vector)[0]); + + test_vector->erase(test_vector->begin()); + ensure_equals("one element in store after remove", test_vector->size(), 1); + test_cert = (*test_vector)[0]->getOpenSSLX509(); + ensure("Child cert remains", !X509_cmp(test_cert, mX509ChildCert)); + X509_free(test_cert); + + // validate insert + test_vector->insert(test_vector->begin(), new LLBasicCertificate(mPemIntermediateCert, &mValidationDate)); + test_cert = (*test_vector)[0]->getOpenSSLX509(); + ensure_equals("two elements in store after insert", test_vector->size(), 2); + ensure("validate intermediate cert was inserted at first position", !X509_cmp(test_cert, mX509IntermediateCert)); + X509_free(test_cert); + test_cert = (*test_vector)[1]->getOpenSSLX509(); + ensure("validate child cert still there", !X509_cmp(test_cert, mX509ChildCert)); + X509_free(test_cert); + + //validate find + LLSD find_info = LLSD::emptyMap(); + find_info["subjectKeyIdentifier"] = "bb:59:9f:de:6b:51:a7:6c:b3:6d:5b:8b:42:f7:b1:65:77:17:a4:e4"; + LLBasicCertificateVector::iterator found_cert = test_vector->find(find_info); + ensure("found some cert", found_cert != test_vector->end()); X509* found_x509 = (*found_cert).get()->getOpenSSLX509(); - ensure("child cert was found", !X509_cmp(found_x509, mX509ChildCert)); - X509_free(found_x509); - - find_info["subjectKeyIdentifier"] = "00:00:00:00"; // bogus - current_cert =test_vector->find(find_info); - ensure("didn't find cert", current_cert == test_vector->end()); - } - - // test cert store - template<> template<> - void sechandler_basic_test_object::test<6>() - { - // validate load with nothing - LLFile::remove("mycertstore.pem"); - LLPointer<LLBasicCertificateStore> test_store = new LLBasicCertificateStore("mycertstore.pem"); - ensure_equals("when loading with nothing, we should result in no certs in store", test_store->size(), 0); - - // validate load with empty file - test_store->save(); - test_store = NULL; - test_store = new LLBasicCertificateStore("mycertstore.pem"); - ensure_equals("when loading with nothing, we should result in no certs in store", test_store->size(), 0); - test_store=NULL; - - // instantiate a cert store from a file - llofstream certstorefile("mycertstore.pem", std::ios::out); - certstorefile << mPemChildCert << std::endl << mPemTestCert << std::endl; - certstorefile.close(); - // validate loaded certs - test_store = new LLBasicCertificateStore("mycertstore.pem"); - ensure_equals("two elements in store", test_store->size(), 2); - - // operator[] - X509* test_cert = (*test_store)[0]->getOpenSSLX509(); - - ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); - X509_free(test_cert); - test_cert = (*test_store)[1]->getOpenSSLX509(); - ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509TestCert)); - X509_free(test_cert); - - - // validate save - LLFile::remove("mycertstore.pem"); - test_store->save(); - test_store = NULL; - test_store = new LLBasicCertificateStore("mycertstore.pem"); - ensure_equals("two elements in store after save", test_store->size(), 2); - LLCertificateStore::iterator current_cert = test_store->begin(); - test_cert = (*current_cert)->getOpenSSLX509(); - ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); - current_cert++; - X509_free(test_cert); - test_cert = (*current_cert)->getOpenSSLX509(); - ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509TestCert)); - X509_free(test_cert); - current_cert++; - ensure("end of cert store", current_cert == test_store->end()); - - } - - // cert name wildcard matching - template<> template<> - void sechandler_basic_test_object::test<7>() - { - ensure("simple name match", - _cert_hostname_wildcard_match("foo", "foo")); - - ensure("simple name match, with end period", - _cert_hostname_wildcard_match("foo.", "foo.")); - - ensure("simple name match, with begin period", - _cert_hostname_wildcard_match(".foo", ".foo")); - - ensure("simple name match, with mismatched period cn", - _cert_hostname_wildcard_match("foo.", "foo")); - - ensure("simple name match, with mismatched period hostname", - _cert_hostname_wildcard_match("foo", "foo.")); - - ensure("simple name match, with subdomain", - _cert_hostname_wildcard_match("foo.bar", "foo.bar")); - - ensure("stutter name match", - _cert_hostname_wildcard_match("foobbbbfoo", "foo*bbbfoo")); - - ensure("simple name match, with beginning wildcard", - _cert_hostname_wildcard_match("foobar", "*bar")); - - ensure("simple name match, with ending wildcard", - _cert_hostname_wildcard_match("foobar", "foo*")); - - ensure("simple name match, with beginning null wildcard", - _cert_hostname_wildcard_match("foobar", "*foobar")); - - ensure("simple name match, with ending null wildcard", - _cert_hostname_wildcard_match("foobar", "foobar*")); - - ensure("simple name match, with embedded wildcard", - _cert_hostname_wildcard_match("foobar", "f*r")); - - ensure("simple name match, with embedded null wildcard", - _cert_hostname_wildcard_match("foobar", "foo*bar")); - - ensure("simple name match, with dual embedded wildcard", - _cert_hostname_wildcard_match("foobar", "f*o*ar")); - - ensure("simple name mismatch", - !_cert_hostname_wildcard_match("bar", "foo")); - - ensure("simple name mismatch, with end period", - !_cert_hostname_wildcard_match("foobar.", "foo.")); - - ensure("simple name mismatch, with begin period", - !_cert_hostname_wildcard_match(".foobar", ".foo")); - - ensure("simple name mismatch, with subdomain", - !_cert_hostname_wildcard_match("foobar.bar", "foo.bar")); - - ensure("simple name mismatch, with beginning wildcard", - !_cert_hostname_wildcard_match("foobara", "*bar")); - - ensure("simple name mismatch, with ending wildcard", - !_cert_hostname_wildcard_match("oobar", "foo*")); - - ensure("simple name mismatch, with embedded wildcard", - !_cert_hostname_wildcard_match("oobar", "f*r")); - - ensure("simple name mismatch, with dual embedded wildcard", - !_cert_hostname_wildcard_match("foobar", "f*d*ar")); - - ensure("simple wildcard", - _cert_hostname_wildcard_match("foobar", "*")); - - ensure("long domain", - _cert_hostname_wildcard_match("foo.bar.com", "foo.bar.com")); - - ensure("long domain with multiple wildcards", - _cert_hostname_wildcard_match("foo.bar.com", "*.b*r.com")); - - ensure("end periods", - _cert_hostname_wildcard_match("foo.bar.com.", "*.b*r.com.")); - - ensure("match end period", - _cert_hostname_wildcard_match("foo.bar.com.", "*.b*r.com")); - - ensure("match end period2", - _cert_hostname_wildcard_match("foo.bar.com", "*.b*r.com.")); - - ensure("wildcard mismatch", - !_cert_hostname_wildcard_match("bar.com", "*.bar.com")); - - ensure("wildcard match", - _cert_hostname_wildcard_match("foo.bar.com", "*.bar.com")); - - ensure("wildcard match", - _cert_hostname_wildcard_match("foo.foo.bar.com", "*.bar.com")); - - ensure("wildcard match", - _cert_hostname_wildcard_match("foo.foo.bar.com", "*.*.com")); - - ensure("wildcard mismatch", - !_cert_hostname_wildcard_match("foo.foo.bar.com", "*.foo.com")); - } - - // test cert chain - template<> template<> - void sechandler_basic_test_object::test<8>() - { - // validate create from empty chain - LLPointer<LLBasicCertificateChain> test_chain = new LLBasicCertificateChain(NULL); - ensure_equals("when loading with nothing, we should result in no certs in chain", test_chain->size(), 0); - - // Single cert in the chain. - X509_STORE_CTX *test_store = X509_STORE_CTX_new(); + ensure("child cert was found", !X509_cmp(found_x509, mX509ChildCert)); + X509_free(found_x509); + + find_info["subjectKeyIdentifier"] = "00:00:00:00"; // bogus + current_cert =test_vector->find(find_info); + ensure("didn't find cert", current_cert == test_vector->end()); + } + + // test cert store + template<> template<> + void sechandler_basic_test_object::test<6>() + { + // validate load with nothing + LLFile::remove("mycertstore.pem"); + LLPointer<LLBasicCertificateStore> test_store = new LLBasicCertificateStore("mycertstore.pem"); + ensure_equals("when loading with nothing, we should result in no certs in store", test_store->size(), 0); + + // validate load with empty file + test_store->save(); + test_store = NULL; + test_store = new LLBasicCertificateStore("mycertstore.pem"); + ensure_equals("when loading with nothing, we should result in no certs in store", test_store->size(), 0); + test_store=NULL; + + // instantiate a cert store from a file + llofstream certstorefile("mycertstore.pem", std::ios::out); + certstorefile << mPemChildCert << std::endl << mPemTestCert << std::endl; + certstorefile.close(); + // validate loaded certs + test_store = new LLBasicCertificateStore("mycertstore.pem"); + ensure_equals("two elements in store", test_store->size(), 2); + + // operator[] + X509* test_cert = (*test_store)[0]->getOpenSSLX509(); + + ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); + X509_free(test_cert); + test_cert = (*test_store)[1]->getOpenSSLX509(); + ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509TestCert)); + X509_free(test_cert); + + + // validate save + LLFile::remove("mycertstore.pem"); + test_store->save(); + test_store = NULL; + test_store = new LLBasicCertificateStore("mycertstore.pem"); + ensure_equals("two elements in store after save", test_store->size(), 2); + LLCertificateStore::iterator current_cert = test_store->begin(); + test_cert = (*current_cert)->getOpenSSLX509(); + ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); + current_cert++; + X509_free(test_cert); + test_cert = (*current_cert)->getOpenSSLX509(); + ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509TestCert)); + X509_free(test_cert); + current_cert++; + ensure("end of cert store", current_cert == test_store->end()); + + } + + // cert name wildcard matching + template<> template<> + void sechandler_basic_test_object::test<7>() + { + ensure("simple name match", + _cert_hostname_wildcard_match("foo", "foo")); + + ensure("simple name match, with end period", + _cert_hostname_wildcard_match("foo.", "foo.")); + + ensure("simple name match, with begin period", + _cert_hostname_wildcard_match(".foo", ".foo")); + + ensure("simple name match, with mismatched period cn", + _cert_hostname_wildcard_match("foo.", "foo")); + + ensure("simple name match, with mismatched period hostname", + _cert_hostname_wildcard_match("foo", "foo.")); + + ensure("simple name match, with subdomain", + _cert_hostname_wildcard_match("foo.bar", "foo.bar")); + + ensure("stutter name match", + _cert_hostname_wildcard_match("foobbbbfoo", "foo*bbbfoo")); + + ensure("simple name match, with beginning wildcard", + _cert_hostname_wildcard_match("foobar", "*bar")); + + ensure("simple name match, with ending wildcard", + _cert_hostname_wildcard_match("foobar", "foo*")); + + ensure("simple name match, with beginning null wildcard", + _cert_hostname_wildcard_match("foobar", "*foobar")); + + ensure("simple name match, with ending null wildcard", + _cert_hostname_wildcard_match("foobar", "foobar*")); + + ensure("simple name match, with embedded wildcard", + _cert_hostname_wildcard_match("foobar", "f*r")); + + ensure("simple name match, with embedded null wildcard", + _cert_hostname_wildcard_match("foobar", "foo*bar")); + + ensure("simple name match, with dual embedded wildcard", + _cert_hostname_wildcard_match("foobar", "f*o*ar")); + + ensure("simple name mismatch", + !_cert_hostname_wildcard_match("bar", "foo")); + + ensure("simple name mismatch, with end period", + !_cert_hostname_wildcard_match("foobar.", "foo.")); + + ensure("simple name mismatch, with begin period", + !_cert_hostname_wildcard_match(".foobar", ".foo")); + + ensure("simple name mismatch, with subdomain", + !_cert_hostname_wildcard_match("foobar.bar", "foo.bar")); + + ensure("simple name mismatch, with beginning wildcard", + !_cert_hostname_wildcard_match("foobara", "*bar")); + + ensure("simple name mismatch, with ending wildcard", + !_cert_hostname_wildcard_match("oobar", "foo*")); + + ensure("simple name mismatch, with embedded wildcard", + !_cert_hostname_wildcard_match("oobar", "f*r")); + + ensure("simple name mismatch, with dual embedded wildcard", + !_cert_hostname_wildcard_match("foobar", "f*d*ar")); + + ensure("simple wildcard", + _cert_hostname_wildcard_match("foobar", "*")); + + ensure("long domain", + _cert_hostname_wildcard_match("foo.bar.com", "foo.bar.com")); + + ensure("long domain with multiple wildcards", + _cert_hostname_wildcard_match("foo.bar.com", "*.b*r.com")); + + ensure("end periods", + _cert_hostname_wildcard_match("foo.bar.com.", "*.b*r.com.")); + + ensure("match end period", + _cert_hostname_wildcard_match("foo.bar.com.", "*.b*r.com")); + + ensure("match end period2", + _cert_hostname_wildcard_match("foo.bar.com", "*.b*r.com.")); + + ensure("wildcard mismatch", + !_cert_hostname_wildcard_match("bar.com", "*.bar.com")); + + ensure("wildcard match", + _cert_hostname_wildcard_match("foo.bar.com", "*.bar.com")); + + ensure("wildcard match", + _cert_hostname_wildcard_match("foo.foo.bar.com", "*.bar.com")); + + ensure("wildcard match", + _cert_hostname_wildcard_match("foo.foo.bar.com", "*.*.com")); + + ensure("wildcard mismatch", + !_cert_hostname_wildcard_match("foo.foo.bar.com", "*.foo.com")); + } + + // test cert chain + template<> template<> + void sechandler_basic_test_object::test<8>() + { + // validate create from empty chain + LLPointer<LLBasicCertificateChain> test_chain = new LLBasicCertificateChain(NULL); + ensure_equals("when loading with nothing, we should result in no certs in chain", test_chain->size(), 0); + + // Single cert in the chain. + X509_STORE_CTX *test_store = X509_STORE_CTX_new(); X509_STORE_CTX_set_cert(test_store, mX509ChildCert); X509_STORE_CTX_set0_untrusted(test_store, NULL); - test_chain = new LLBasicCertificateChain(test_store); - X509_STORE_CTX_free(test_store); - ensure_equals("two elements in store", test_chain->size(), 1); - X509* test_cert = (*test_chain)[0]->getOpenSSLX509(); - ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); - X509_free(test_cert); - - // cert + CA - - test_store = X509_STORE_CTX_new(); + test_chain = new LLBasicCertificateChain(test_store); + X509_STORE_CTX_free(test_store); + ensure_equals("two elements in store", test_chain->size(), 1); + X509* test_cert = (*test_chain)[0]->getOpenSSLX509(); + ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); + X509_free(test_cert); + + // cert + CA + + test_store = X509_STORE_CTX_new(); X509_STORE_CTX_set_cert(test_store, mX509ChildCert); X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null()); - sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert); - test_chain = new LLBasicCertificateChain(test_store); - X509_STORE_CTX_free(test_store); - ensure_equals("two elements in store", test_chain->size(), 2); - test_cert = (*test_chain)[0]->getOpenSSLX509(); - ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); - X509_free(test_cert); - test_cert = (*test_chain)[1]->getOpenSSLX509(); - ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509IntermediateCert)); - X509_free(test_cert); - - // cert + nonrelated - - test_store = X509_STORE_CTX_new(); + sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert); + test_chain = new LLBasicCertificateChain(test_store); + X509_STORE_CTX_free(test_store); + ensure_equals("two elements in store", test_chain->size(), 2); + test_cert = (*test_chain)[0]->getOpenSSLX509(); + ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); + X509_free(test_cert); + test_cert = (*test_chain)[1]->getOpenSSLX509(); + ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509IntermediateCert)); + X509_free(test_cert); + + // cert + nonrelated + + test_store = X509_STORE_CTX_new(); X509_STORE_CTX_set_cert(test_store, mX509ChildCert); X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null()); - sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509TestCert); - test_chain = new LLBasicCertificateChain(test_store); - X509_STORE_CTX_free(test_store); - ensure_equals("two elements in store", test_chain->size(), 1); - test_cert = (*test_chain)[0]->getOpenSSLX509(); - ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); - X509_free(test_cert); - - // cert + CA + nonrelated - test_store = X509_STORE_CTX_new(); + sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509TestCert); + test_chain = new LLBasicCertificateChain(test_store); + X509_STORE_CTX_free(test_store); + ensure_equals("two elements in store", test_chain->size(), 1); + test_cert = (*test_chain)[0]->getOpenSSLX509(); + ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); + X509_free(test_cert); + + // cert + CA + nonrelated + test_store = X509_STORE_CTX_new(); X509_STORE_CTX_set_cert(test_store, mX509ChildCert); X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null()); - sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert); - sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509TestCert); - test_chain = new LLBasicCertificateChain(test_store); - X509_STORE_CTX_free(test_store); - ensure_equals("two elements in store", test_chain->size(), 2); - test_cert = (*test_chain)[0]->getOpenSSLX509(); - ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); - X509_free(test_cert); - test_cert = (*test_chain)[1]->getOpenSSLX509(); - ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509IntermediateCert)); - X509_free(test_cert); - - // cert + intermediate + CA - test_store = X509_STORE_CTX_new(); + sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert); + sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509TestCert); + test_chain = new LLBasicCertificateChain(test_store); + X509_STORE_CTX_free(test_store); + ensure_equals("two elements in store", test_chain->size(), 2); + test_cert = (*test_chain)[0]->getOpenSSLX509(); + ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); + X509_free(test_cert); + test_cert = (*test_chain)[1]->getOpenSSLX509(); + ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509IntermediateCert)); + X509_free(test_cert); + + // cert + intermediate + CA + test_store = X509_STORE_CTX_new(); X509_STORE_CTX_set_cert(test_store, mX509ChildCert); X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null()); - sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert); - sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509RootCert); - test_chain = new LLBasicCertificateChain(test_store); - X509_STORE_CTX_free(test_store); - ensure_equals("three elements in store", test_chain->size(), 3); - test_cert = (*test_chain)[0]->getOpenSSLX509(); - ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); - X509_free(test_cert); - test_cert = (*test_chain)[1]->getOpenSSLX509(); - ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509IntermediateCert)); - X509_free(test_cert); - - test_cert = (*test_chain)[2]->getOpenSSLX509(); - ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509RootCert)); - X509_free(test_cert); - } - - // test cert validation - template<> template<> - void sechandler_basic_test_object::test<9>() - { - // start with a trusted store with our known root cert - LLFile::remove("mycertstore.pem"); - LLPointer<LLBasicCertificateStore> test_store = new LLBasicCertificateStore("mycertstore.pem"); - test_store->add(new LLBasicCertificate(mX509RootCert, &mValidationDate)); - LLSD validation_params; - - // validate basic trust for a chain containing only the intermediate cert. (1 deep) - LLPointer<LLBasicCertificateChain> test_chain = new LLBasicCertificateChain(NULL); - - test_chain->add(new LLBasicCertificate(mX509IntermediateCert, &mValidationDate)); - - test_store->validate(0, test_chain, validation_params); - - // add the root certificate to the chain and revalidate - test_chain->add(new LLBasicCertificate(mX509RootCert, &mValidationDate)); - test_store->validate(0, test_chain, validation_params); - - // add the child cert at the head of the chain, and revalidate (3 deep chain) - test_chain->insert(test_chain->begin(), new LLBasicCertificate(mX509ChildCert, &mValidationDate)); - test_store->validate(0, test_chain, validation_params); - - // basic failure cases - test_chain = new LLBasicCertificateChain(NULL); - //validate with only the child cert in chain, but child cert was previously - // trusted - test_chain->add(new LLBasicCertificate(mX509ChildCert, &mValidationDate)); - - // validate without the trust flag. - test_store->validate(VALIDATION_POLICY_TRUSTED, test_chain, validation_params); - - // Validate with child cert but no parent, and no parent in CA store - test_store = new LLBasicCertificateStore("mycertstore.pem"); - ensure_throws("no CA, with only a child cert", - LLCertValidationTrustException, - (*test_chain)[0], - test_store->validate, - VALIDATION_POLICY_TRUSTED, - test_chain, - validation_params); - - - // validate without the trust flag. - test_store->validate(0, test_chain, validation_params); - - // clear out the store - test_store = new LLBasicCertificateStore("mycertstore.pem"); - // append the intermediate cert - test_chain->add(new LLBasicCertificate(mX509IntermediateCert, &mValidationDate)); - ensure_throws("no CA, with child and intermediate certs", - LLCertValidationTrustException, - (*test_chain)[1], - test_store->validate, - VALIDATION_POLICY_TRUSTED | VALIDATION_POLICY_TRUSTED, - test_chain, - validation_params); - // validate without the trust flag - test_store->validate(0, test_chain, validation_params); - - // Test time validity - LLSD child_info; - ((*test_chain)[0])->getLLSD(child_info); - validation_params = LLSD::emptyMap(); - validation_params[CERT_VALIDATION_DATE] = LLDate(child_info[CERT_VALID_FROM].asDate().secondsSinceEpoch() + 1.0); - test_store->validate(VALIDATION_POLICY_TIME | VALIDATION_POLICY_TRUSTED, + sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert); + sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509RootCert); + test_chain = new LLBasicCertificateChain(test_store); + X509_STORE_CTX_free(test_store); + ensure_equals("three elements in store", test_chain->size(), 3); + test_cert = (*test_chain)[0]->getOpenSSLX509(); + ensure("validate first element in store is expected cert", !X509_cmp(test_cert, mX509ChildCert)); + X509_free(test_cert); + test_cert = (*test_chain)[1]->getOpenSSLX509(); + ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509IntermediateCert)); + X509_free(test_cert); + + test_cert = (*test_chain)[2]->getOpenSSLX509(); + ensure("validate second element in store is expected cert", !X509_cmp(test_cert, mX509RootCert)); + X509_free(test_cert); + } + + // test cert validation + template<> template<> + void sechandler_basic_test_object::test<9>() + { + // start with a trusted store with our known root cert + LLFile::remove("mycertstore.pem"); + LLPointer<LLBasicCertificateStore> test_store = new LLBasicCertificateStore("mycertstore.pem"); + test_store->add(new LLBasicCertificate(mX509RootCert, &mValidationDate)); + LLSD validation_params; + + // validate basic trust for a chain containing only the intermediate cert. (1 deep) + LLPointer<LLBasicCertificateChain> test_chain = new LLBasicCertificateChain(NULL); + + test_chain->add(new LLBasicCertificate(mX509IntermediateCert, &mValidationDate)); + + test_store->validate(0, test_chain, validation_params); + + // add the root certificate to the chain and revalidate + test_chain->add(new LLBasicCertificate(mX509RootCert, &mValidationDate)); + test_store->validate(0, test_chain, validation_params); + + // add the child cert at the head of the chain, and revalidate (3 deep chain) + test_chain->insert(test_chain->begin(), new LLBasicCertificate(mX509ChildCert, &mValidationDate)); + test_store->validate(0, test_chain, validation_params); + + // basic failure cases + test_chain = new LLBasicCertificateChain(NULL); + //validate with only the child cert in chain, but child cert was previously + // trusted + test_chain->add(new LLBasicCertificate(mX509ChildCert, &mValidationDate)); + + // validate without the trust flag. + test_store->validate(VALIDATION_POLICY_TRUSTED, test_chain, validation_params); + + // Validate with child cert but no parent, and no parent in CA store + test_store = new LLBasicCertificateStore("mycertstore.pem"); + ensure_throws("no CA, with only a child cert", + LLCertValidationTrustException, + (*test_chain)[0], + test_store->validate, + VALIDATION_POLICY_TRUSTED, + test_chain, + validation_params); + + + // validate without the trust flag. + test_store->validate(0, test_chain, validation_params); + + // clear out the store + test_store = new LLBasicCertificateStore("mycertstore.pem"); + // append the intermediate cert + test_chain->add(new LLBasicCertificate(mX509IntermediateCert, &mValidationDate)); + ensure_throws("no CA, with child and intermediate certs", + LLCertValidationTrustException, + (*test_chain)[1], + test_store->validate, + VALIDATION_POLICY_TRUSTED | VALIDATION_POLICY_TRUSTED, + test_chain, + validation_params); + // validate without the trust flag + test_store->validate(0, test_chain, validation_params); + + // Test time validity + LLSD child_info; + ((*test_chain)[0])->getLLSD(child_info); + validation_params = LLSD::emptyMap(); + validation_params[CERT_VALIDATION_DATE] = LLDate(child_info[CERT_VALID_FROM].asDate().secondsSinceEpoch() + 1.0); + test_store->validate(VALIDATION_POLICY_TIME | VALIDATION_POLICY_TRUSTED, test_chain, validation_params); - validation_params = LLSD::emptyMap(); - validation_params[CERT_VALIDATION_DATE] = child_info[CERT_VALID_FROM].asDate(); - - validation_params[CERT_VALIDATION_DATE] = LLDate(child_info[CERT_VALID_FROM].asDate().secondsSinceEpoch() - 1.0); - - // test not yet valid - ensure_throws("Child cert not yet valid" , - LLCertValidationExpirationException, - (*test_chain)[0], - test_store->validate, - VALIDATION_POLICY_TIME | VALIDATION_POLICY_TRUSTED, - test_chain, - validation_params); - validation_params = LLSD::emptyMap(); - validation_params[CERT_VALIDATION_DATE] = LLDate(child_info[CERT_VALID_TO].asDate().secondsSinceEpoch() + 1.0); - - // test cert expired - ensure_throws("Child cert expired", - LLCertValidationExpirationException, - (*test_chain)[0], - test_store->validate, - VALIDATION_POLICY_TIME | VALIDATION_POLICY_TRUSTED, - test_chain, - validation_params); - - // test SSL KU - // validate basic trust for a chain containing child and intermediate. - test_chain = new LLBasicCertificateChain(NULL); - test_chain->add(new LLBasicCertificate(mX509ChildCert, &mValidationDate)); - test_chain->add(new LLBasicCertificate(mX509IntermediateCert, &mValidationDate)); - test_store->validate(VALIDATION_POLICY_SSL_KU | VALIDATION_POLICY_TRUSTED, - test_chain, validation_params); - - test_chain = new LLBasicCertificateChain(NULL); - test_chain->add(new LLBasicCertificate(mX509TestCert, &mValidationDate)); - - test_store = new LLBasicCertificateStore("mycertstore.pem"); - ensure_throws("Cert doesn't have ku", - LLCertKeyUsageValidationException, - (*test_chain)[0], - test_store->validate, - VALIDATION_POLICY_SSL_KU | VALIDATION_POLICY_TRUSTED, - test_chain, - validation_params); - - test_store->validate(0, test_chain, validation_params); - } + validation_params = LLSD::emptyMap(); + validation_params[CERT_VALIDATION_DATE] = child_info[CERT_VALID_FROM].asDate(); + + validation_params[CERT_VALIDATION_DATE] = LLDate(child_info[CERT_VALID_FROM].asDate().secondsSinceEpoch() - 1.0); + + // test not yet valid + ensure_throws("Child cert not yet valid" , + LLCertValidationExpirationException, + (*test_chain)[0], + test_store->validate, + VALIDATION_POLICY_TIME | VALIDATION_POLICY_TRUSTED, + test_chain, + validation_params); + validation_params = LLSD::emptyMap(); + validation_params[CERT_VALIDATION_DATE] = LLDate(child_info[CERT_VALID_TO].asDate().secondsSinceEpoch() + 1.0); + + // test cert expired + ensure_throws("Child cert expired", + LLCertValidationExpirationException, + (*test_chain)[0], + test_store->validate, + VALIDATION_POLICY_TIME | VALIDATION_POLICY_TRUSTED, + test_chain, + validation_params); + + // test SSL KU + // validate basic trust for a chain containing child and intermediate. + test_chain = new LLBasicCertificateChain(NULL); + test_chain->add(new LLBasicCertificate(mX509ChildCert, &mValidationDate)); + test_chain->add(new LLBasicCertificate(mX509IntermediateCert, &mValidationDate)); + test_store->validate(VALIDATION_POLICY_SSL_KU | VALIDATION_POLICY_TRUSTED, + test_chain, validation_params); + + test_chain = new LLBasicCertificateChain(NULL); + test_chain->add(new LLBasicCertificate(mX509TestCert, &mValidationDate)); + + test_store = new LLBasicCertificateStore("mycertstore.pem"); + ensure_throws("Cert doesn't have ku", + LLCertKeyUsageValidationException, + (*test_chain)[0], + test_store->validate, + VALIDATION_POLICY_SSL_KU | VALIDATION_POLICY_TRUSTED, + test_chain, + validation_params); + + test_store->validate(0, test_chain, validation_params); + } }; |