proxygen
ExportedAuthenticatorTest.cpp
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2018-present, Facebook, Inc.
3  * All rights reserved.
4  *
5  * This source code is licensed under the BSD-style license found in the
6  * LICENSE file in the root directory of this source tree.
7  */
8 
9 #include <gmock/gmock.h>
10 #include <gtest/gtest.h>
11 
12 #include <fizz/crypto/test/TestUtil.h>
13 #include <fizz/extensions/exportedauth/ExportedAuthenticator.h>
14 #include <fizz/protocol/test/Mocks.h>
15 #include <fizz/protocol/test/TestMessages.h>
16 #include <fizz/record/Extensions.h>
17 #include <fizz/record/Types.h>
18 #include <folly/String.h>
19 #include <folly/ssl/Init.h>
20 
21 using namespace folly;
22 using namespace folly::io;
23 
24 using namespace testing;
25 
26 namespace fizz {
27 namespace test {
28 
29 StringPiece expected_auth_request = {
30  "14303132333435363738396162636465666768696a000a000d0006000404030804"};
31 StringPiece expected_authenticator = {
32  "0b000004000000000f00000d040300097369676e617475726514000020b523548c421b05f7f3c33276fbdd5266ba2df103796d7d483368259860a648f2"};
33 StringPiece expected_cr_context = {"303132333435363738396162636465666768696a"};
34 StringPiece expected_cert = {
35  "308201ee30820195a003020102020900c569eec901ce86d9300a06082a8648ce3d0403023054310b3009060355040613025553310b300906035504080c024e59310b300906035504070c024e59310d300b060355040a0c0446697a7a310d300b060355040b0c0446697a7a310d300b06035504030c0446697a7a301e170d3137303430343138323930395a170d3431313132343138323930395a3054310b3009060355040613025553310b300906035504080c024e59310b300906035504070c024e59310d300b060355040a0c0446697a7a310d300b060355040b0c0446697a7a310d300b06035504030c0446697a7a3059301306072a8648ce3d020106082a8648ce3d030107034200049d87bcaddb65d8dcf6df8b148a9679b5b710db19c95a9badfff13468cb358b4e21d24a5c826112658ebb96d64e2985dfb41c1948334391a4aa81b67837e2dbf0a350304e301d0603551d0e041604143c5b8ba954d9752faf3c8ad6d1a62449dccaa850301f0603551d230418301680143c5b8ba954d9752faf3c8ad6d1a62449dccaa850300c0603551d13040530030101ff300a06082a8648ce3d04030203470030440220349b7d34d7132fb2756576e0bfa36cbe1723337a7a6f5ef9c8d3bf1aa7efa4a5022025c50a91e0aa4272f1f52c3d5583a7d7cee14b178835273a0bd814303e62d714"};
36 StringPiece expected_empty_authenticator = {
37  "1400002011fae4bcdf4673b6dfb276d886c4cd1c5b0920da961643f062d1d4a6062115b1"};
38 
39 TEST(ExportedAuthenticatorTest, TestAuthenticatorRequest) {
40  auto buf = folly::IOBuf::copyBuffer(unhexlify(expected_auth_request));
41  folly::io::Cursor cursor(buf.get());
42  CertificateRequest cr = decode<CertificateRequest>(cursor);
43  EXPECT_EQ(cr.certificate_request_context->computeChainDataLength(), 20);
44  EXPECT_EQ(cr.extensions.size(), 1);
45  EXPECT_TRUE(getExtension<SignatureAlgorithms>(cr.extensions).hasValue());
46  auto encodedAuthRequest = ExportedAuthenticator::getAuthenticatorRequest(
47  std::move(cr.certificate_request_context), std::move(cr.extensions));
48  EXPECT_EQ(
49  expected_auth_request,
50  StringPiece(hexlify(encodedAuthRequest->coalesce())));
51 }
52 
53 TEST(ExportedAuthenticatorTest, TestEmptyAuthenticatorRequest) {
54  EXPECT_THROW(
55  ExportedAuthenticator::getAuthenticatorRequest(
56  nullptr, std::vector<fizz::Extension>()),
57  FizzException);
58  auto emptyContext = folly::IOBuf::create(0);
59  EXPECT_THROW(
60  ExportedAuthenticator::getAuthenticatorRequest(
61  std::move(emptyContext), std::vector<fizz::Extension>()),
62  FizzException);
63 }
64 
65 class AuthenticatorTest : public ::testing::Test {
66  public:
67  void SetUp() override {
68  folly::ssl::init();
69  CertificateRequest cr;
70  cr.certificate_request_context =
71  folly::IOBuf::copyBuffer("0123456789abcdefghij");
72  SignatureAlgorithms sigAlgs;
73  sigAlgs.supported_signature_algorithms.push_back(
74  SignatureScheme::ecdsa_secp256r1_sha256);
75  cr.extensions.push_back(encodeExtension(std::move(sigAlgs)));
76  auto authRequest = encode<CertificateRequest>(std::move(cr));
77  authrequest_ = std::move(authRequest);
78  CipherSuite cipher = CipherSuite::TLS_AES_128_GCM_SHA256;
79  deriver_ = Factory().makeKeyDeriver(cipher);
80  handshakeContext_ =
81  folly::IOBuf::copyBuffer("12345678901234567890123456789012");
82  finishedKey_ = folly::IOBuf::copyBuffer("12345678901234567890123456789012");
83  schemes_.push_back(SignatureScheme::ecdsa_secp256r1_sha256);
84  }
85 
86  protected:
87  std::unique_ptr<KeyDerivation> deriver_;
88  std::vector<SignatureScheme> schemes_;
89  Buf authrequest_;
90  Buf handshakeContext_;
91  Buf finishedKey_;
92 };
93 
94 TEST_F(AuthenticatorTest, TestValidAuthenticator) {
95  auto mockCert = std::make_shared<MockSelfCert>();
96  EXPECT_CALL(*mockCert, _getCertMessage(_)).WillOnce(InvokeWithoutArgs([]() {
97  return TestMessages::certificate();
98  }));
99  EXPECT_CALL(*mockCert, getSigSchemes())
100  .WillOnce(Return(std::vector<SignatureScheme>(
101  1, SignatureScheme::ecdsa_secp256r1_sha256)));
102  EXPECT_CALL(*mockCert, sign(_, CertificateVerifyContext::Authenticator, _))
103  .WillOnce(
104  InvokeWithoutArgs([]() { return IOBuf::copyBuffer("signature"); }));
105 
106  auto reencodedAuthenticator = ExportedAuthenticator::makeAuthenticator(
107  deriver_,
108  schemes_,
109  *mockCert,
110  std::move(authrequest_),
111  std::move(handshakeContext_),
112  std::move(finishedKey_),
113  CertificateVerifyContext::Authenticator);
114  EXPECT_EQ(
115  expected_authenticator,
116  (StringPiece(hexlify(reencodedAuthenticator->coalesce()))));
117 }
118 
119 TEST_F(AuthenticatorTest, TestEmptyAuthenticator) {
120  auto mockCert = std::make_shared<MockSelfCert>();
121  EXPECT_CALL(*mockCert, getSigSchemes())
122  .WillOnce(Return(std::vector<SignatureScheme>(
123  1, SignatureScheme::ecdsa_secp256r1_sha256)));
124  schemes_.clear();
125  auto reencodedAuthenticator = ExportedAuthenticator::makeAuthenticator(
126  deriver_,
127  schemes_,
128  *mockCert,
129  std::move(authrequest_),
130  std::move(handshakeContext_),
131  std::move(finishedKey_),
132  CertificateVerifyContext::Authenticator);
133  EXPECT_EQ(
134  expected_empty_authenticator,
135  StringPiece(hexlify(reencodedAuthenticator->coalesce())));
136 }
137 
138 TEST(ExportedAuthenticatorTest, TestGetContext) {
139  StringPiece authenticator = {
140  "0b00020f14303132333435363738396162636465666768696a0001f70001f2308201ee30820195a003020102020900c569eec901ce86d9300a06082a8648ce3d0403023054310b3009060355040613025553310b300906035504080c024e59310b300906035504070c024e59310d300b060355040a0c0446697a7a310d300b060355040b0c0446697a7a310d300b06035504030c0446697a7a301e170d3137303430343138323930395a170d3431313132343138323930395a3054310b3009060355040613025553310b300906035504080c024e59310b300906035504070c024e59310d300b060355040a0c0446697a7a310d300b060355040b0c0446697a7a310d300b06035504030c0446697a7a3059301306072a8648ce3d020106082a8648ce3d030107034200049d87bcaddb65d8dcf6df8b148a9679b5b710db19c95a9badfff13468cb358b4e21d24a5c826112658ebb96d64e2985dfb41c1948334391a4aa81b67837e2dbf0a350304e301d0603551d0e041604143c5b8ba954d9752faf3c8ad6d1a62449dccaa850301f0603551d230418301680143c5b8ba954d9752faf3c8ad6d1a62449dccaa850300c0603551d13040530030101ff300a06082a8648ce3d04030203470030440220349b7d34d7132fb2756576e0bfa36cbe1723337a7a6f5ef9c8d3bf1aa7efa4a5022025c50a91e0aa4272f1f52c3d5583a7d7cee14b178835273a0bd814303e62d71400000f00004a04030046304402204ee36706cefd7b5de1b87eef8a756b1f69365451cae050163e030d7cb7594fbc022040aaadc7770b0404c5deb6fd9d9a2161423fb993a0a5b9e38f2c0e0d9183a52d1400002001dd31f46369c46fe41712e83ae7c46d31fdae816024edbb3b58cc29e2234852"};
141  auto buf = folly::IOBuf::copyBuffer(unhexlify(authenticator));
142  auto certRequestContext =
143  ExportedAuthenticator::getAuthenticatorContext(std::move(buf));
144  EXPECT_EQ(
145  expected_cr_context,
146  StringPiece(hexlify(certRequestContext->coalesce())));
147 }
148 
149 class ValidateAuthenticatorTest : public ::testing::Test {
150  public:
151  void SetUp() override {
152  folly::ssl::init();
153  CipherSuite cipher = CipherSuite::TLS_AES_128_GCM_SHA256;
154  deriver_ = Factory().makeKeyDeriver(cipher);
155  schemes_.push_back(SignatureScheme::ecdsa_secp256r1_sha256);
156  authrequest_ = {
157  "14303132333435363738396162636465666768696a0008000d000400020403"};
158  handshakeContext_ = {"12345678901234567890123456789012"};
159  finishedKey_ = {"12345678901234567890123456789012"};
160  }
161 
162  protected:
163  std::unique_ptr<KeyDerivation> deriver_;
164  std::vector<SignatureScheme> schemes_;
165  StringPiece authrequest_;
166  StringPiece handshakeContext_;
167  StringPiece finishedKey_;
168 };
169 
170 TEST_F(ValidateAuthenticatorTest, TestValidateValidAuthenticator) {
171  auto cert = fizz::test::getCert(kP256Certificate);
172  auto key = fizz::test::getPrivateKey(kP256Key);
173  std::vector<folly::ssl::X509UniquePtr> certs;
174  certs.push_back(std::move(cert));
175  SelfCertImpl<KeyType::P256> certificate(std::move(key), std::move(certs));
176  auto authenticatorRequest = folly::IOBuf::copyBuffer(unhexlify(authrequest_));
177  auto handshakeContext =
178  folly::IOBuf::copyBuffer(unhexlify(handshakeContext_));
179  auto finishedMacKey = folly::IOBuf::copyBuffer(unhexlify(finishedKey_));
180  auto authenticator = ExportedAuthenticator::makeAuthenticator(
181  deriver_,
182  schemes_,
183  certificate,
184  std::move(authenticatorRequest),
185  std::move(handshakeContext),
186  std::move(finishedMacKey),
187  CertificateVerifyContext::Authenticator);
188 
189  authenticatorRequest = folly::IOBuf::copyBuffer(unhexlify(authrequest_));
190  handshakeContext = folly::IOBuf::copyBuffer(unhexlify(handshakeContext_));
191  finishedMacKey = folly::IOBuf::copyBuffer(unhexlify(finishedKey_));
192  auto decodedCerts = ExportedAuthenticator::validate(
193  deriver_,
194  std::move(authenticatorRequest),
195  std::move(authenticator),
196  std::move(handshakeContext),
197  std::move(finishedMacKey),
198  CertificateVerifyContext::Authenticator);
199  EXPECT_TRUE(decodedCerts.hasValue());
200  EXPECT_EQ((*decodedCerts).size(), 1);
201  EXPECT_EQ(
202  expected_cert,
203  StringPiece(hexlify(((*decodedCerts)[0].cert_data)->coalesce())));
204 }
205 
206 TEST_F(ValidateAuthenticatorTest, TestValidateEmptyAuthenticator) {
207  auto cert = fizz::test::getCert(kP256Certificate);
208  auto key = fizz::test::getPrivateKey(kP256Key);
209  std::vector<folly::ssl::X509UniquePtr> certs;
210  certs.push_back(std::move(cert));
211  SelfCertImpl<KeyType::P256> certificate(std::move(key), std::move(certs));
212  schemes_.clear();
213  auto authenticatorRequest = folly::IOBuf::copyBuffer(unhexlify(authrequest_));
214  auto handshakeContext =
215  folly::IOBuf::copyBuffer(unhexlify(handshakeContext_));
216  auto finishedMacKey = folly::IOBuf::copyBuffer(unhexlify(finishedKey_));
217  auto authenticator = ExportedAuthenticator::makeAuthenticator(
218  deriver_,
219  schemes_,
220  certificate,
221  std::move(authenticatorRequest),
222  std::move(handshakeContext),
223  std::move(finishedMacKey),
224  CertificateVerifyContext::Authenticator);
225 
226  authenticatorRequest = folly::IOBuf::copyBuffer(unhexlify(authrequest_));
227  handshakeContext = folly::IOBuf::copyBuffer(unhexlify(handshakeContext_));
228  finishedMacKey = folly::IOBuf::copyBuffer(unhexlify(finishedKey_));
229  auto decodedCerts = ExportedAuthenticator::validate(
230  deriver_,
231  std::move(authenticatorRequest),
232  std::move(authenticator),
233  std::move(handshakeContext),
234  std::move(finishedMacKey),
235  CertificateVerifyContext::Authenticator);
236  EXPECT_TRUE(decodedCerts.hasValue());
237  EXPECT_EQ((*decodedCerts).size(), 0);
238 }
239 
240 } // namespace test
241 } // namespace fizz
folly::unhexlify
bool unhexlify(const InputString &input, OutputString &output)
Definition: String-inl.h:616
EXPECT_THROW
#define EXPECT_THROW(statement, expected_exception)
Definition: gtest.h:1843
fizz::test::kP256Key
constexpr folly::StringPiece kP256Key
Definition: TestUtil.h:18
folly::IOBuf::create
static std::unique_ptr< IOBuf > create(std::size_t capacity)
Definition: IOBuf.cpp:229
fizz::encode< CertificateRequest >
Buf encode< CertificateRequest >(CertificateRequest &&cr)
Definition: Types-inl.h:384
fizz::test::expected_cr_context
StringPiece expected_cr_context
Definition: ExportedAuthenticatorTest.cpp:33
EXPECT_EQ
#define EXPECT_EQ(val1, val2)
Definition: gtest.h:1922
folly::gen::move
constexpr detail::Map< Move > move
Definition: Base-inl.h:2567
fizz::CipherSuite
CipherSuite
Definition: Types.h:153
folly::ssl::init
void init()
Definition: Init.cpp:54
fizz::test::AuthenticatorTest::schemes_
std::vector< SignatureScheme > schemes_
Definition: ExportedAuthenticatorTest.cpp:88
fizz::test::getPrivateKey
EvpPkeyUniquePtr getPrivateKey(StringPiece key)
Definition: TestUtil.cpp:21
folly
—— Concurrent Priority Queue Implementation ——
Definition: AtomicBitSet.h:29
fizz::test::AuthenticatorTest::deriver_
std::unique_ptr< KeyDerivation > deriver_
Definition: ExportedAuthenticatorTest.cpp:87
testing::InvokeWithoutArgs
PolymorphicAction< internal::InvokeWithoutArgsAction< FunctionImpl > > InvokeWithoutArgs(FunctionImpl function_impl)
Definition: gmock-actions.h:1168
fizz::test::getCert
folly::ssl::X509UniquePtr getCert(folly::StringPiece cert)
Definition: TestUtil.cpp:48
cipher
CipherSuite cipher
Definition: ClientProtocol.cpp:1006
fizz::CertificateRequest::certificate_request_context
Buf certificate_request_context
Definition: Types.h:253
expected_cert
StringPiece expected_cert
Definition: SecondaryAuthManagerTest.cpp:33
fizz::CertificateRequest::extensions
std::vector< Extension > extensions
Definition: Types.h:254
fizz::SignatureAlgorithms::supported_signature_algorithms
std::vector< SignatureScheme > supported_signature_algorithms
Definition: Extensions.h:17
fizz
Definition: Actions.h:16
folly::TEST_F
TEST_F(AsyncSSLSocketWriteTest, write_coalescing1)
Definition: AsyncSSLSocketWriteTest.cpp:120
EXPECT_TRUE
#define EXPECT_TRUE(condition)
Definition: gtest.h:1859
fizz::test::expected_authenticator
StringPiece expected_authenticator
Definition: ExportedAuthenticatorTest.cpp:31
fizz::test::expected_empty_authenticator
StringPiece expected_empty_authenticator
Definition: ExportedAuthenticatorTest.cpp:36
fizz::Buf
std::unique_ptr< folly::IOBuf > Buf
Definition: Types.h:22
EXPECT_CALL
#define EXPECT_CALL(obj, call)
Definition: gmock-spec-builders.h:1845
testing::_
const internal::AnythingMatcher _
Definition: gmock-matchers.h:3729
fizz::encodeExtension
Extension encodeExtension(const TokenBindingParameters &params)
Definition: Types.cpp:113
folly::StringPiece
Range< const char * > StringPiece
Definition: ScopedEventBaseThread.h:29
folly::hexlify
bool hexlify(const InputString &input, OutputString &output, bool append_output)
Definition: String-inl.h:596
folly::IOBuf::copyBuffer
static std::unique_ptr< IOBuf > copyBuffer(const void *buf, std::size_t size, std::size_t headroom=0, std::size_t minTailroom=0)
Definition: IOBuf.h:1587
fizz::Factory::makeKeyDeriver
virtual std::unique_ptr< KeyDerivation > makeKeyDeriver(CipherSuite cipher) const
Definition: Factory.h:62
folly::TEST
TEST(SequencedExecutor, CPUThreadPoolExecutor)
Definition: SequencedExecutorTest.cpp:68
expected_auth_request
StringPiece expected_auth_request
Definition: SecondaryAuthManagerTest.cpp:30
testing::Return
internal::ReturnAction< R > Return(R value)
Definition: gmock-actions.h:1061
fizz::test::kP256Certificate
constexpr folly::StringPiece kP256Certificate
Definition: TestUtil.h:41