TLS client: Add pin_test.go for leaf and CA (#5553)
https://github.com/XTLS/Xray-core/pull/5532#issuecomment-3760231005
@@ -1,12 +1,15 @@
|
|||||||
package tls
|
package tls
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/tls"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/xtls/xray-core/common"
|
||||||
|
"github.com/xtls/xray-core/common/protocol/tls/cert"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestCalculateCertHash(t *testing.T) {
|
func TestCalculateCertHash(t *testing.T) {
|
||||||
@@ -95,3 +98,60 @@ uI6HqHFD3iEct8fBkYfQiwH2e1eu9OwgujiWHsutyK8VvzVB3/YnhQ/TzciRjPqz
|
|||||||
assert.Equal(t, fingerprint, hash)
|
assert.Equal(t, fingerprint, hash)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestVerifyPeerLeafCert(t *testing.T) {
|
||||||
|
leafCert := cert.MustGenerate(nil, cert.DNSNames("example.com"))
|
||||||
|
leaf := common.Must2(x509.ParseCertificate(leafCert.Certificate))
|
||||||
|
|
||||||
|
caHash := GenerateCertHash(leafCert.Certificate)
|
||||||
|
|
||||||
|
r := &RandCarrier{
|
||||||
|
Config: &tls.Config{
|
||||||
|
ServerName: "example.com",
|
||||||
|
},
|
||||||
|
PinnedPeerCertSha256: [][]byte{caHash},
|
||||||
|
}
|
||||||
|
|
||||||
|
rawCerts := [][]byte{leaf.Raw}
|
||||||
|
err := r.verifyPeerCert(rawCerts, nil)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal("expected to verify leaf cert signed by pinned CA, but got error:", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// make the pinned hash incorrect
|
||||||
|
r.PinnedPeerCertSha256[0][0] += 1
|
||||||
|
err = r.verifyPeerCert(rawCerts, nil)
|
||||||
|
if err == nil {
|
||||||
|
t.Fatal("expected to fail verifying leaf cert with incorrect pinned CA hash, but got no error")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestVerifyPeerCACert(t *testing.T) {
|
||||||
|
caCert := cert.MustGenerate(nil, cert.Authority(true), cert.KeyUsage(x509.KeyUsageCertSign))
|
||||||
|
ca := common.Must2(x509.ParseCertificate(caCert.Certificate))
|
||||||
|
|
||||||
|
leafCert := cert.MustGenerate(caCert, cert.DNSNames("example.com"))
|
||||||
|
leaf := common.Must2(x509.ParseCertificate(leafCert.Certificate))
|
||||||
|
|
||||||
|
caHash := GenerateCertHash(ca)
|
||||||
|
|
||||||
|
r := &RandCarrier{
|
||||||
|
Config: &tls.Config{
|
||||||
|
ServerName: "example.com",
|
||||||
|
},
|
||||||
|
PinnedPeerCertSha256: [][]byte{caHash},
|
||||||
|
}
|
||||||
|
|
||||||
|
rawCerts := [][]byte{leaf.Raw, ca.Raw}
|
||||||
|
err := r.verifyPeerCert(rawCerts, nil)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal("expected to verify leaf cert signed by pinned CA, but got error:", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// make the pinned hash incorrect
|
||||||
|
r.PinnedPeerCertSha256[0][0] += 1
|
||||||
|
err = r.verifyPeerCert(rawCerts, nil)
|
||||||
|
if err == nil {
|
||||||
|
t.Fatal("expected to fail verifying leaf cert with incorrect pinned CA hash, but got no error")
|
||||||
|
}
|
||||||
|
}
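Review bot: In TestVerifyPeerLeafCert the pinned value is the leaf's own hash, yet the variable is named `caHash` and both failure messages talk about a "pinned CA" (`t.Fatal("expected to verify leaf cert signed by pinned CA, but got error:", err)`), so a failure here would send a reader to the wrong test; rename it `leafHash` and have the messages say "pinned leaf cert" instead. The two tests also hand GenerateCertHash differently typed values — raw DER bytes at `caHash := GenerateCertHash(leafCert.Certificate)` versus a parsed certificate at `caHash := GenerateCertHash(ca)` — so unless that function accepts both, one of the calls will not compile; use one form in both places. Neither test shows that a pinned CA hash actually constrains the leaf: rawCerts always carries a leaf issued by the pinned CA, so a verifyPeerCert that merely looks for the pinned hash anywhere in the presented chain would pass both tests, and a case presenting an unrelated leaf together with the genuine CA certificate, expected to fail, would pin that property down. A sketch of that extra case for TestVerifyPeerCACert follows.
```go
// … unchanged: CA/leaf generation, RandCarrier setup and the positive check …
// a leaf not issued by the pinned CA must be rejected even when the
// genuine CA certificate is appended to the presented chain
otherCert := cert.MustGenerate(nil, cert.DNSNames("example.com"))
other := common.Must2(x509.ParseCertificate(otherCert.Certificate))
err = r.verifyPeerCert([][]byte{other.Raw, ca.Raw}, nil)
if err == nil {
	t.Fatal("expected to fail verifying a leaf not issued by the pinned CA, but got no error")
}
// … unchanged: corrupted-pin check …
```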
|
||||||
|
|||||||