diff --git a/CMakeLists.txt b/CMakeLists.txt index ac4f4aa38549f..fb91c5ee669d2 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1073,6 +1073,7 @@ if(gRPC_BUILD_TESTS) add_dependencies(buildtests_cxx grpclb_end2end_test) endif() add_dependencies(buildtests_cxx h2_ssl_cert_test) + add_dependencies(buildtests_cxx h2_ssl_certs_curves_test) add_dependencies(buildtests_cxx h2_ssl_session_reuse_test) add_dependencies(buildtests_cxx h2_tls_peer_property_external_verifier_test) add_dependencies(buildtests_cxx handle_tests) @@ -13704,6 +13705,40 @@ target_link_libraries(h2_ssl_cert_test ) +endif() +if(gRPC_BUILD_TESTS) + +add_executable(h2_ssl_certs_curves_test + test/core/end2end/cq_verifier.cc + test/core/end2end/h2_ssl_certs_curves_test.cc +) +target_compile_features(h2_ssl_certs_curves_test PUBLIC cxx_std_14) +target_include_directories(h2_ssl_certs_curves_test + PRIVATE + ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_SOURCE_DIR}/include + ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR} + ${_gRPC_RE2_INCLUDE_DIR} + ${_gRPC_SSL_INCLUDE_DIR} + ${_gRPC_UPB_GENERATED_DIR} + ${_gRPC_UPB_GRPC_GENERATED_DIR} + ${_gRPC_UPB_INCLUDE_DIR} + ${_gRPC_XXHASH_INCLUDE_DIR} + ${_gRPC_ZLIB_INCLUDE_DIR} + third_party/googletest/googletest/include + third_party/googletest/googletest + third_party/googletest/googlemock/include + third_party/googletest/googlemock + ${_gRPC_PROTO_GENS_DIR} +) + +target_link_libraries(h2_ssl_certs_curves_test + ${_gRPC_ALLTARGETS_LIBRARIES} + gtest + grpc_test_util +) + + endif() if(gRPC_BUILD_TESTS) diff --git a/build_autogenerated.yaml b/build_autogenerated.yaml index d81f2a779133b..7749a8349b47e 100644 --- a/build_autogenerated.yaml +++ b/build_autogenerated.yaml @@ -9596,6 +9596,18 @@ targets: deps: - gtest - grpc_test_util +- name: h2_ssl_certs_curves_test + gtest: true + build: test + language: c++ + headers: + - test/core/end2end/cq_verifier.h + src: + - test/core/end2end/cq_verifier.cc + - test/core/end2end/h2_ssl_certs_curves_test.cc + deps: + - gtest + - grpc_test_util - name: h2_ssl_session_reuse_test gtest: true build: test diff --git a/src/core/tsi/ssl_transport_security.cc b/src/core/tsi/ssl_transport_security.cc index 6acda5eaab0af..b14b3ad3164ed 100644 --- a/src/core/tsi/ssl_transport_security.cc +++ b/src/core/tsi/ssl_transport_security.cc @@ -153,9 +153,8 @@ static int g_ssl_ex_verified_root_cert_index = -1; #if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_NO_ENGINE) static const char kSslEnginePrefix[] = "engine:"; #endif -#if OPENSSL_VERSION_NUMBER >= 0x30000000 -static const int kSslEcCurveNames[] = {NID_X9_62_prime256v1}; -#endif +static const int kSslEcCurveNames[] = {NID_X9_62_prime256v1, NID_secp384r1, + NID_secp521r1}; #if OPENSSL_VERSION_NUMBER < 0x10100000 static gpr_mu* g_openssl_mutexes = nullptr; @@ -800,17 +799,16 @@ static tsi_result populate_ssl_context( return TSI_INVALID_ARGUMENT; } { -#if OPENSSL_VERSION_NUMBER < 0x30000000L - EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - if (!SSL_CTX_set_tmp_ecdh(context, ecdh)) { +#if OPENSSL_VERSION_NUMBER < 0x10101000L + if (!SSL_CTX_set1_curves(context, kSslEcCurveNames, + ((sizeof(kSslEcCurveNames) / sizeof(int))))) { gpr_log(GPR_ERROR, "Could not set ephemeral ECDH key."); - EC_KEY_free(ecdh); return TSI_INTERNAL_ERROR; } SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE); - EC_KEY_free(ecdh); #else - if (!SSL_CTX_set1_groups(context, kSslEcCurveNames, 1)) { + if (!SSL_CTX_set1_groups(context, kSslEcCurveNames, + ((sizeof(kSslEcCurveNames) / sizeof(int))))) { gpr_log(GPR_ERROR, "Could not set ephemeral ECDH key."); return TSI_INTERNAL_ERROR; } diff --git a/src/core/tsi/test_creds/BUILD b/src/core/tsi/test_creds/BUILD index f6072bc552bde..d887a71fbdb41 100644 --- a/src/core/tsi/test_creds/BUILD +++ b/src/core/tsi/test_creds/BUILD @@ -16,14 +16,29 @@ licenses(["notice"]) exports_files([ "ca.pem", - "server1.key", - "server1.pem", + "ca_p256.pem", + "ca_p384.pem", + "ca_p521.pem", "server0.key", "server0.pem", + "server1.key", + "server1.pem", + "server1_p256.key", + "server1_p256.pem", + "server1_p384.key", + "server1_p384.pem", + "server1_p521.key", + "server1_p521.pem", "client.key", "client.pem", "client-with-spiffe.key", "client-with-spiffe.pem", + "client_p256.key", + "client_p256.pem", + "client_p384.key", + "client_p384.pem", + "client_p521.key", + "client_p521.pem", "badserver.key", "badserver.pem", "badclient.key", diff --git a/src/core/tsi/test_creds/README b/src/core/tsi/test_creds/README index f3a6679e39ce4..61d74bc935720 100644 --- a/src/core/tsi/test_creds/README +++ b/src/core/tsi/test_creds/README @@ -16,7 +16,7 @@ common name which is set to badserver.test.google.com. Valid test credentials: ======================= -The ca is self-signed: +The ca is self-signed with RSA: ---------------------- $ openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \ @@ -128,7 +128,29 @@ $ openssl req -key leaf_signed_by_intermediate.key -new -out temp.csr -config le $ openssl x509 -req -days 3650 -in temp.csr -CA intermediate_ca.pem -CAkey intermediate_ca.key -CAcreateserial -out leaf_signed_by_intermediate.pem -extfile leaf_signed_by_intermediate.cnf -extensions 'v3_req' $ cat leaf_signed_by_intermediate.pem intermediate_ca.pem > leaf_and_intermediate_chain.pem +ECDSA CAs and certs/keys +------------------------ +For P256, P384 or P521 curves, assign $NAME to prime256v1, secp384r1 or secp521r1 and $SUFFIX to p256, p384 or p521 respectively. + +$ openssl ecparam -name $NAME -genkey -noout -out temp.pem +$ openssl pkcs8 -topk8 -in temp.pem -out ca_${SUFFIX}.key -nocrypt +$ rm temp.pem +$ openssl req -x509 -days 3650 -new -key ca_${SUFFIX}.key -nodes -out ca_${SUFFIX}.pem -config ca-openssl.cnf -extensions 'v3_req' + +Sign client certs (with common name testclient) with the above CAs: +$ openssl ecparam -name $NAME -genkey -noout -out temp.pem +$ openssl pkcs8 -topk8 -in temp.pem -out client_${SUFFIX}.key -nocrypt +$ rm temp.pem +$ openssl req -key client_${SUFFIX}.key -new -out temp.csr +$ openssl x509 -req -days 3650 -in temp.csr -CA ca_${SUFFIX}.pem -CAkey ca_${SUFFIX}.key -CAcreateserial -out client_${SUFFIX}.pem + +Sign server certs (with common name *.test.google.com) with the above CAs: +$ openssl ecparam -name $NAME -genkey -noout -out temp.pem +$ openssl pkcs8 -topk8 -in temp.pem -out server1_${SUFFIX}.key -nocrypt +$ rm temp.pem +$ openssl req -key server1_${SUFFIX}.key -new -out temp.csr -config server1-openssl.cnf +$ openssl x509 -req -days 3650 -in temp.csr -CA ca_${SUFFIX}.pem -CAkey ca_${SUFFIX}.key -CAcreateserial -out server1_${SUFFIX}.pem -extensions 'v3_req' -extfile server1-openssl.cnf Clean up: --------- diff --git a/src/core/tsi/test_creds/ca_p256.key b/src/core/tsi/test_creds/ca_p256.key new file mode 100644 index 0000000000000..ec679aaee46cc --- /dev/null +++ b/src/core/tsi/test_creds/ca_p256.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgGXLU0TtzErcyGDE/ +fhbphpw2Zdhw3iZmUvnxsFG08iKhRANCAAR1Y4rj/7GFUANxiV8QcKvYC8pdbIsy +jfe1qgcyL6gwxxbqokJllnvfTGdcH65l9M4xCSKWe+PeghI+i9NTu7R0 +-----END PRIVATE KEY----- diff --git a/src/core/tsi/test_creds/ca_p256.pem b/src/core/tsi/test_creds/ca_p256.pem new file mode 100644 index 0000000000000..6e8aa6e24ae41 --- /dev/null +++ b/src/core/tsi/test_creds/ca_p256.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB7TCCAZOgAwIBAgIUPLuUtYXNndWg+lpfpgmhpyGhLF8wCgYIKoZIzj0EAwIw +VjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu +dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGdGVzdGNhMB4XDTIzMTEw +MzE2MjcwMFoXDTMzMTAzMTE2MjcwMFowVjELMAkGA1UEBhMCQVUxEzARBgNVBAgM +ClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEP +MA0GA1UEAwwGdGVzdGNhMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdWOK4/+x +hVADcYlfEHCr2AvKXWyLMo33taoHMi+oMMcW6qJCZZZ730xnXB+uZfTOMQkilnvj +3oISPovTU7u0dKM/MD0wDAYDVR0TBAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwHQYD +VR0OBBYEFAwTlsQiF6A70bdNxAl4Y1x+3uVlMAoGCCqGSM49BAMCA0gAMEUCIQC+ +T4oowHyHutdr+Iu1X0wNoJ3Hodxp+ihtgou95+Tw8gIgFW4DMB0mATGgi8zIXREx +1yXBQ+a2DYE6lSUUPChRUB8= +-----END CERTIFICATE----- diff --git a/src/core/tsi/test_creds/ca_p384.key b/src/core/tsi/test_creds/ca_p384.key new file mode 100644 index 0000000000000..c24f0c055a7d5 --- /dev/null +++ b/src/core/tsi/test_creds/ca_p384.key @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBS37qQ3DuoihlwFOS2 +zwN9egL1Vi+tpeBXElrm7/+7A/SA2OENZfXeQnb1HpqcgaOhZANiAATy4kYuJN4L +27TvhbEY/dXD3MuZm71pQQOjqES1aghcPTFR04WDWIIVmzTuUUjz4XAcrOf1CsTu +T1NEXZnHX/8A99OYsw/nlPRhvjAhPZ/kK5KH7NWK9+N7suf7QFP0PJU= +-----END PRIVATE KEY----- diff --git a/src/core/tsi/test_creds/ca_p384.pem b/src/core/tsi/test_creds/ca_p384.pem new file mode 100644 index 0000000000000..7d09f86a2861b --- /dev/null +++ b/src/core/tsi/test_creds/ca_p384.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICKjCCAbCgAwIBAgIUQ5u1l9zc4BdSXdyGzv369f5bg48wCgYIKoZIzj0EAwIw +VjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu +dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGdGVzdGNhMB4XDTIzMTEw +MzE2MzA0NloXDTMzMTAzMTE2MzA0NlowVjELMAkGA1UEBhMCQVUxEzARBgNVBAgM +ClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEP +MA0GA1UEAwwGdGVzdGNhMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8uJGLiTeC9u0 +74WxGP3Vw9zLmZu9aUEDo6hEtWoIXD0xUdOFg1iCFZs07lFI8+FwHKzn9QrE7k9T +RF2Zx1//APfTmLMP55T0Yb4wIT2f5CuSh+zVivfje7Ln+0BT9DyVoz8wPTAMBgNV +HRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDAdBgNVHQ4EFgQUb8tXaPFgds0JZZoJ +YnC/wJlCbVQwCgYIKoZIzj0EAwIDaAAwZQIxAK8RnPWkSWG0cEf++GtjkHJ3y25Y +KLkZ6uWM4nZIGzZPqEJbS5gIM6suXFjRtwRQqAIwEfAG1ncStBs3s3qx5XFcd/Uj +7V61x1CjF+QVvMD0KW7xJB7Yl+EbY+2Y2xnG4PJL +-----END CERTIFICATE----- diff --git a/src/core/tsi/test_creds/ca_p521.key b/src/core/tsi/test_creds/ca_p521.key new file mode 100644 index 0000000000000..dee9ffb029686 --- /dev/null +++ b/src/core/tsi/test_creds/ca_p521.key @@ -0,0 +1,8 @@ +-----BEGIN PRIVATE KEY----- +MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIBQ6PfMspzmbOlPa0e +0UfWb7NGIIKvgCMmGVPSP7wR+jX//eJRO+YeLmcLq6zWOOs+5Z6oPKHR5Et5nht4 +FQR62gShgYkDgYYABAFRBRdfON+9qLmJlo0tHLIw9d4fIMYsM8hnbUPBAuIalAMo +nDKdN8753qgnp74d9WQsYHtsw9dn6/0qwbh4qpYSrAE1nvVbh3zUkAqLQNkqV8cu +fPCDLMvFDl3iy4hoOmK+fNYi+NS3gn6P1o6UIjN0xQEc7l/zUaw0D5VZqRoiniuR +gA== +-----END PRIVATE KEY----- diff --git a/src/core/tsi/test_creds/ca_p521.pem b/src/core/tsi/test_creds/ca_p521.pem new file mode 100644 index 0000000000000..2d617cd9730c3 --- /dev/null +++ b/src/core/tsi/test_creds/ca_p521.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICdDCCAdagAwIBAgIUKWOObDjdan+iuXsgkA6IDD68O2swCgYIKoZIzj0EAwIw +VjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu +dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGdGVzdGNhMB4XDTIzMTEw +MzE2MzIzM1oXDTMzMTAzMTE2MzIzM1owVjELMAkGA1UEBhMCQVUxEzARBgNVBAgM +ClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEP +MA0GA1UEAwwGdGVzdGNhMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBUQUXXzjf +vai5iZaNLRyyMPXeHyDGLDPIZ21DwQLiGpQDKJwynTfO+d6oJ6e+HfVkLGB7bMPX +Z+v9KsG4eKqWEqwBNZ71W4d81JAKi0DZKlfHLnzwgyzLxQ5d4suIaDpivnzWIvjU +t4J+j9aOlCIzdMUBHO5f81GsNA+VWakaIp4rkYCjPzA9MAwGA1UdEwQFMAMBAf8w +DgYDVR0PAQH/BAQDAgIEMB0GA1UdDgQWBBTJAGZMKQJ9qfu5hutnaruWRZl2zjAK +BggqhkjOPQQDAgOBiwAwgYcCQUUZ/IXyiGqtbxzdIHqv/1D+rp8aarvdaOTNB2JJ +tB+1K70n+scJpIG8z7JE69HfX4wDk7abumj57IOxWu0y8kttAkIAlBTyuSm0qiH4 +Z6NzTDgSdw6Z6ufZQC+2HGRAOt/55XgmYURg+u9BNcYGUAHNpWjffgpe5ZMM3mwu +IxgpucHjxPg= +-----END CERTIFICATE----- diff --git a/src/core/tsi/test_creds/client_p256.key b/src/core/tsi/test_creds/client_p256.key new file mode 100644 index 0000000000000..e0ac6e6806c8d --- /dev/null +++ b/src/core/tsi/test_creds/client_p256.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgf/INCWORFRUTDFz8 +Cs/JBWd2bikxsZ3WQaiB+PhllGShRANCAATQBhts3haEdFCU9wRsuranYR2M/Hpu +ot70CuQx3/8NHVoPDhBJmY8cT3Kl+cZbZZQVgI4K73654dCQX6iEKAr+ +-----END PRIVATE KEY----- diff --git a/src/core/tsi/test_creds/client_p256.pem b/src/core/tsi/test_creds/client_p256.pem new file mode 100644 index 0000000000000..29d7ace36047f --- /dev/null +++ b/src/core/tsi/test_creds/client_p256.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBqjCCAVECFHEbCKugIii9thZRk2zjetwgBvMMMAoGCCqGSM49BAMCMFYxCzAJ +BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l +dCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnRlc3RjYTAeFw0yMzExMDMxNjQ2 +MzlaFw0zMzEwMzExNjQ2MzlaMFoxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21l +LVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEzARBgNV +BAMMCnRlc3RjbGllbnQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATQBhts3haE +dFCU9wRsuranYR2M/Hpuot70CuQx3/8NHVoPDhBJmY8cT3Kl+cZbZZQVgI4K7365 +4dCQX6iEKAr+MAoGCCqGSM49BAMCA0cAMEQCIDH4032bdUo8bI7edpUZsY5P4uvc +BPLhFiExTVcylcqgAiAkMLgS02akwRmLwlQeJYqVhl5bdN8IbpItL4NXlbkbZA== +-----END CERTIFICATE----- diff --git a/src/core/tsi/test_creds/client_p384.key b/src/core/tsi/test_creds/client_p384.key new file mode 100644 index 0000000000000..88e4a08cabe12 --- /dev/null +++ b/src/core/tsi/test_creds/client_p384.key @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCG55oUtgGStvL54n21 +gMY9Yt1Qs8SsJzZ8/51JmG1EIFWV0krJzJ/1z5I1wwLwRDqhZANiAAR3G/m1B73j +aZ2BstNrjFKpdarWPTLLwuiozfzRYk/0NBPiVVByk6hYGqLsFS1+xuqLEdMviayK +45LI41NfJ1RSoZ2/ozN/+oALK+L0mVkHKQwWDLidKFVETPL9eS3UX/U= +-----END PRIVATE KEY----- diff --git a/src/core/tsi/test_creds/client_p384.pem b/src/core/tsi/test_creds/client_p384.pem new file mode 100644 index 0000000000000..698a34d786744 --- /dev/null +++ b/src/core/tsi/test_creds/client_p384.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB6TCCAW4CFBUrSSmZFLN1F4DSQ8GmD6ujE59NMAoGCCqGSM49BAMCMFYxCzAJ +BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l +dCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnRlc3RjYTAeFw0yMzExMDMxNjQ3 +MzNaFw0zMzEwMzExNjQ3MzNaMFoxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21l +LVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEzARBgNV +BAMMCnRlc3RjbGllbnQwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAR3G/m1B73jaZ2B +stNrjFKpdarWPTLLwuiozfzRYk/0NBPiVVByk6hYGqLsFS1+xuqLEdMviayK45LI +41NfJ1RSoZ2/ozN/+oALK+L0mVkHKQwWDLidKFVETPL9eS3UX/UwCgYIKoZIzj0E +AwIDaQAwZgIxALyQfGdP8QNaNTG4thV6AMOMbeEZ7ic3ab3VUbrzGJL2Bm2QknAa +aIKH7H/nfRo3zQIxAMuAfX6ua9m7O4juEsJUiWmCikU56OdCvJ7LdLz23Jr6BTFs +lCwoCJMXp4SvFBjkXA== +-----END CERTIFICATE----- diff --git a/src/core/tsi/test_creds/client_p521.key b/src/core/tsi/test_creds/client_p521.key new file mode 100644 index 0000000000000..d09991160e469 --- /dev/null +++ b/src/core/tsi/test_creds/client_p521.key @@ -0,0 +1,8 @@ +-----BEGIN PRIVATE KEY----- +MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIBppzS8G/BisQYQ9ZS +mUtjProQYh7ZbnXws+pAbSWuTBTDdy4M4DVabZT1Xz5F8vxHl19/6sPCSER2Q9ZO +JcAENzihgYkDgYYABAF7CDUfwYbWRJA0pg6+6EF9a4fFu6KKbpaOZyLnf6M+A4cz +MGZgld2gv7sKkbYqKLgWqubBl3xO29MNJtr44CpXeAA3fkUxGJH71nI7ciWWtD5j +Y1uw9Jg4iECAHkUMkah0uMbS3Z3/MKZDnFcCn/lBViEKLyjqhGxGK3Imq14JREUE +nA== +-----END PRIVATE KEY----- diff --git a/src/core/tsi/test_creds/client_p521.pem b/src/core/tsi/test_creds/client_p521.pem new file mode 100644 index 0000000000000..dbbf988574a3b --- /dev/null +++ b/src/core/tsi/test_creds/client_p521.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICMzCCAZQCFHpikmBZFARTiGZY/fLaXFwemK7JMAoGCCqGSM49BAMCMFYxCzAJ +BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l +dCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnRlc3RjYTAeFw0yMzExMDMxNjQ4 +MThaFw0zMzEwMzExNjQ4MThaMFoxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21l +LVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEzARBgNV +BAMMCnRlc3RjbGllbnQwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAF7CDUfwYbW +RJA0pg6+6EF9a4fFu6KKbpaOZyLnf6M+A4czMGZgld2gv7sKkbYqKLgWqubBl3xO +29MNJtr44CpXeAA3fkUxGJH71nI7ciWWtD5jY1uw9Jg4iECAHkUMkah0uMbS3Z3/ +MKZDnFcCn/lBViEKLyjqhGxGK3Imq14JREUEnDAKBggqhkjOPQQDAgOBjAAwgYgC +QgHKR5TNOimX3u5CfyLmlLQfq2XV1p87T83VzcMZAZVLt0uY8HGVKgfz7lTZmeDU +QLFdRfyL7xWU73E/IakzwxQ8XwJCAcMiStKsd/fEqakBOMaSrKf4HW0BKfBMknzX +nB4jk/HrpAFH73U8RaEHkWNvZAZMRuuf42JEvD/WYo1NzkDKQCYv +-----END CERTIFICATE----- diff --git a/src/core/tsi/test_creds/server1_p256.key b/src/core/tsi/test_creds/server1_p256.key new file mode 100644 index 0000000000000..0afb640eec1cb --- /dev/null +++ b/src/core/tsi/test_creds/server1_p256.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgX3lS1sVqqA4Y1okH +gpPua6BQDQEx16BKNU7RJ2JnmHWhRANCAATSCk+bxOa91Fea4DIaxOk6Kr/BZ64I +bdGfQhL5vpOr1lttUYY3Vrw0nRRpqwTfb/4ckWBCe0A2gJ3ZimcziDuW +-----END PRIVATE KEY----- diff --git a/src/core/tsi/test_creds/server1_p256.pem b/src/core/tsi/test_creds/server1_p256.pem new file mode 100644 index 0000000000000..1204ae110bf91 --- /dev/null +++ b/src/core/tsi/test_creds/server1_p256.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICajCCAhCgAwIBAgIUMzJGWNICD8UXAJZPxK6rLYLg+ywwCgYIKoZIzj0EAwIw +VjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu +dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGdGVzdGNhMB4XDTIzMTEw +MzE3MDgzOVoXDTMzMTAzMTE3MDgzOVowZTELMAkGA1UEBhMCVVMxETAPBgNVBAgM +CElsbGlub2lzMRAwDgYDVQQHDAdDaGljYWdvMRUwEwYDVQQKDAxFeGFtcGxlLCBD +by4xGjAYBgNVBAMMESoudGVzdC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZI +zj0DAQcDQgAE0gpPm8TmvdRXmuAyGsTpOiq/wWeuCG3Rn0IS+b6Tq9ZbbVGGN1a8 +NJ0UaasE32/+HJFgQntANoCd2YpnM4g7lqOBrDCBqTAJBgNVHRMEAjAAMAsGA1Ud +DwQEAwIF4DBPBgNVHREESDBGghAqLnRlc3QuZ29vZ2xlLmZyghh3YXRlcnpvb2ku +dGVzdC5nb29nbGUuYmWCEioudGVzdC55b3V0dWJlLmNvbYcEwKgBAzAdBgNVHQ4E +FgQUvxQhs4Mo4oQb5yFMnRXgYLZCxA0wHwYDVR0jBBgwFoAUDBOWxCIXoDvRt03E +CXhjXH7e5WUwCgYIKoZIzj0EAwIDSAAwRQIhAIXof8XuM6DC1zaTedKenL1kEGF1 +NK3LHr8ga0MqkfeIAiAqwDgN/+vL4M1MhBbHJjhJqwSsTu/xOCzEsz4rnPn3yA== +-----END CERTIFICATE----- diff --git a/src/core/tsi/test_creds/server1_p384.key b/src/core/tsi/test_creds/server1_p384.key new file mode 100644 index 0000000000000..e6df544351c06 --- /dev/null +++ b/src/core/tsi/test_creds/server1_p384.key @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBOMbTE7k26YMVxFgw7 +NEiptA2loi/OqNbhMtKZIWk3mQsANaSismkI+5XqvRFDOrihZANiAAQT/Fc/XtkC +tQopM6yOWEbr5N+AQ3deMnhmJtJmqUjRaqJtFfC6DoPalKmSIJuiTt9kcTnX7GVu +IP9PzNbcZhvBxaWvgd7Nqw82DMjXbhQZ0mYDxv4YE8baRubwi1kPzOw= +-----END PRIVATE KEY----- diff --git a/src/core/tsi/test_creds/server1_p384.pem b/src/core/tsi/test_creds/server1_p384.pem new file mode 100644 index 0000000000000..16b5f8cdd392e --- /dev/null +++ b/src/core/tsi/test_creds/server1_p384.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICpzCCAi2gAwIBAgIUKP1CPRwkJL8veW/rZ44TeLxhgf4wCgYIKoZIzj0EAwIw +VjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu +dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGdGVzdGNhMB4XDTIzMTEw +MzE3MDU1OFoXDTMzMTAzMTE3MDU1OFowZTELMAkGA1UEBhMCVVMxETAPBgNVBAgM +CElsbGlub2lzMRAwDgYDVQQHDAdDaGljYWdvMRUwEwYDVQQKDAxFeGFtcGxlLCBD +by4xGjAYBgNVBAMMESoudGVzdC5nb29nbGUuY29tMHYwEAYHKoZIzj0CAQYFK4EE +ACIDYgAEE/xXP17ZArUKKTOsjlhG6+TfgEN3XjJ4ZibSZqlI0WqibRXwug6D2pSp +kiCbok7fZHE51+xlbiD/T8zW3GYbwcWlr4HezasPNgzI124UGdJmA8b+GBPG2kbm +8ItZD8zso4GsMIGpMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgME8GA1UdEQRIMEaC +ECoudGVzdC5nb29nbGUuZnKCGHdhdGVyem9vaS50ZXN0Lmdvb2dsZS5iZYISKi50 +ZXN0LnlvdXR1YmUuY29thwTAqAEDMB0GA1UdDgQWBBQWdCAVIpUBjNOCSObz1XRq +G24wbTAfBgNVHSMEGDAWgBRvy1do8WB2zQllmglicL/AmUJtVDAKBggqhkjOPQQD +AgNoADBlAjEAigxqqVOPY/4yw9NJbLuy7rgCSIgmflU31Jv9pcShnB+lu09Ojntk +lBVp6rvp3RK4AjBIYmXoXApZuhej7srweQ/GF332d4eQ/XdEvRRvueFJ+Z/5YRQK +9QpyJqwWVXCmx8E= +-----END CERTIFICATE----- diff --git a/src/core/tsi/test_creds/server1_p521.key b/src/core/tsi/test_creds/server1_p521.key new file mode 100644 index 0000000000000..faa57fd90043d --- /dev/null +++ b/src/core/tsi/test_creds/server1_p521.key @@ -0,0 +1,8 @@ +-----BEGIN PRIVATE KEY----- +MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIAopSSX3MXcdFj5ZMn +6LAw90RqFabicgAumGtTdBpUg2Uh8WckBVaPZ2tCeByxBFzOdxbfRdoAh5HqDvYu +gs//TqmhgYkDgYYABAHlLIip/GcdqheCKfcP+urfriemnLCtrwGHvmMCEwUmsi79 +/uw8KKC+53kkF/obVxWLW11zPTGvZTNB7o869vsNDwCUcivWDvIQTUcxLqfT+QLq +3NK3AyKJsG2U8e5p3vziqwLQEHRkTukV/sZbd2l2PxC4LoRQnYpGJ1tAxqLvAfYF +fw== +-----END PRIVATE KEY----- diff --git a/src/core/tsi/test_creds/server1_p521.pem b/src/core/tsi/test_creds/server1_p521.pem new file mode 100644 index 0000000000000..7fc0a43432d1d --- /dev/null +++ b/src/core/tsi/test_creds/server1_p521.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8jCCAlOgAwIBAgIUG9PQMKWv/CO/fNFce9JE9YuIa74wCgYIKoZIzj0EAwIw +VjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu +dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGdGVzdGNhMB4XDTIzMTEw +MzE3MDgwMloXDTMzMTAzMTE3MDgwMlowZTELMAkGA1UEBhMCVVMxETAPBgNVBAgM +CElsbGlub2lzMRAwDgYDVQQHDAdDaGljYWdvMRUwEwYDVQQKDAxFeGFtcGxlLCBD +by4xGjAYBgNVBAMMESoudGVzdC5nb29nbGUuY29tMIGbMBAGByqGSM49AgEGBSuB +BAAjA4GGAAQB5SyIqfxnHaoXgin3D/rq364nppywra8Bh75jAhMFJrIu/f7sPCig +vud5JBf6G1cVi1tdcz0xr2UzQe6POvb7DQ8AlHIr1g7yEE1HMS6n0/kC6tzStwMi +ibBtlPHuad784qsC0BB0ZE7pFf7GW3dpdj8QuC6EUJ2KRidbQMai7wH2BX+jgaww +gakwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwTwYDVR0RBEgwRoIQKi50ZXN0Lmdv +b2dsZS5mcoIYd2F0ZXJ6b29pLnRlc3QuZ29vZ2xlLmJlghIqLnRlc3QueW91dHVi +ZS5jb22HBMCoAQMwHQYDVR0OBBYEFPYv3eqdBfB9MAawZ6NwhJQEa2WRMB8GA1Ud +IwQYMBaAFMkAZkwpAn2p+7mG62dqu5ZFmXbOMAoGCCqGSM49BAMCA4GMADCBiAJC +AbAAt3BoGPWnHzlh8pEY8y5j23xaPtcvJRYhpWU+jklcoKqRfC0gwHystNfuSduT +Oyc88KHtxL1jGJ/Iar7Bok7vAkIBPJ+Eo++AWSbthCfRfi3JKk3CVx5BgDfKiFBW +31Dr6b9NgZik1NCrjWEiGCyRXQS9J582RT8s/Lbt8VlBPMwCzS0= +-----END CERTIFICATE----- diff --git a/test/core/end2end/BUILD b/test/core/end2end/BUILD index 939db44b584f9..0e53196d725c3 100644 --- a/test/core/end2end/BUILD +++ b/test/core/end2end/BUILD @@ -655,6 +655,44 @@ grpc_cc_test( ], ) +grpc_cc_test( + name = "h2_ssl_certs_curves_test", + srcs = ["h2_ssl_certs_curves_test.cc"], + data = [ + "//src/core/tsi/test_creds:ca_p256.pem", + "//src/core/tsi/test_creds:ca_p384.pem", + "//src/core/tsi/test_creds:ca_p521.pem", + "//src/core/tsi/test_creds:client_p256.key", + "//src/core/tsi/test_creds:client_p256.pem", + "//src/core/tsi/test_creds:client_p384.key", + "//src/core/tsi/test_creds:client_p384.pem", + "//src/core/tsi/test_creds:client_p521.key", + "//src/core/tsi/test_creds:client_p521.pem", + "//src/core/tsi/test_creds:server1_p256.key", + "//src/core/tsi/test_creds:server1_p256.pem", + "//src/core/tsi/test_creds:server1_p384.key", + "//src/core/tsi/test_creds:server1_p384.pem", + "//src/core/tsi/test_creds:server1_p521.key", + "//src/core/tsi/test_creds:server1_p521.pem", + ], + external_deps = ["gtest"], + language = "C++", + deps = [ + "cq_verifier", + "//:channel_arg_names", + "//:config_vars", + "//:exec_ctx", + "//:gpr", + "//:grpc", + "//:grpc_public_hdrs", + "//src/core:channel_args", + "//src/core:error", + "//src/core:grpc_ssl_credentials", + "//src/core:useful", + "//test/core/util:grpc_test_util", + ], +) + grpc_cc_test( name = "h2_tls_peer_property_external_verifier_test", srcs = ["h2_tls_peer_property_external_verifier_test.cc"], diff --git a/test/core/end2end/h2_ssl_certs_curves_test.cc b/test/core/end2end/h2_ssl_certs_curves_test.cc new file mode 100644 index 0000000000000..b1020c3218333 --- /dev/null +++ b/test/core/end2end/h2_ssl_certs_curves_test.cc @@ -0,0 +1,378 @@ +// +// +// Copyright 2018 gRPC authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// + +#include + +#include + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "src/core/lib/channel/channel_args.h" +#include "src/core/lib/config/config_vars.h" +#include "src/core/lib/gpr/useful.h" +#include "src/core/lib/gprpp/host_port.h" +#include "src/core/lib/iomgr/error.h" +#include "src/core/lib/iomgr/exec_ctx.h" +#include "src/core/lib/iomgr/load_file.h" +#include "src/core/lib/security/credentials/ssl/ssl_credentials.h" +#include "test/core/end2end/cq_verifier.h" +#include "test/core/util/port.h" +#include "test/core/util/test_config.h" + +constexpr char kCaCertPath0[] = "src/core/tsi/test_creds/ca_p256.pem"; +constexpr char kCaCertPath1[] = "src/core/tsi/test_creds/ca_p384.pem"; +constexpr char kCaCertPath2[] = "src/core/tsi/test_creds/ca_p521.pem"; +constexpr char kClientCertPath0[] = "src/core/tsi/test_creds/client_p256.pem"; +constexpr char kClientKeyPath0[] = "src/core/tsi/test_creds/client_p256.key"; +constexpr char kClientCertPath1[] = "src/core/tsi/test_creds/client_p384.pem"; +constexpr char kClientKeyPath1[] = "src/core/tsi/test_creds/client_p384.key"; +constexpr char kClientCertPath2[] = "src/core/tsi/test_creds/client_p521.pem"; +constexpr char kClientKeyPath2[] = "src/core/tsi/test_creds/client_p521.key"; +constexpr char kServerCertPath0[] = "src/core/tsi/test_creds/server1_p256.pem"; +constexpr char kServerKeyPath0[] = "src/core/tsi/test_creds/server1_p256.key"; +constexpr char kServerCertPath1[] = "src/core/tsi/test_creds/server1_p384.pem"; +constexpr char kServerKeyPath1[] = "src/core/tsi/test_creds/server1_p384.key"; +constexpr char kServerCertPath2[] = "src/core/tsi/test_creds/server1_p521.pem"; +constexpr char kServerKeyPath2[] = "src/core/tsi/test_creds/server1_p521.key"; + +namespace grpc { +namespace testing { +namespace { + +gpr_timespec five_seconds_time() { return grpc_timeout_seconds_to_deadline(5); } + +grpc_server* server_create(grpc_completion_queue* cq, const char* server_addr, + const char* ca_cert_path, + const char* server_cert_path, + const char* server_key_path) { + grpc_slice ca_slice, cert_slice, key_slice; + GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file", + grpc_load_file(ca_cert_path, 1, &ca_slice))); + GPR_ASSERT(GRPC_LOG_IF_ERROR( + "load_file", grpc_load_file(server_cert_path, 1, &cert_slice))); + GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file", + grpc_load_file(server_key_path, 1, &key_slice))); + const char* ca_cert = + reinterpret_cast GRPC_SLICE_START_PTR(ca_slice); + const char* server_cert = + reinterpret_cast GRPC_SLICE_START_PTR(cert_slice); + const char* server_key = + reinterpret_cast GRPC_SLICE_START_PTR(key_slice); + grpc_ssl_pem_key_cert_pair pem_cert_key_pair = {server_key, server_cert}; + auto* cert_config = + grpc_ssl_server_certificate_config_create(ca_cert, &pem_cert_key_pair, 1); + auto* options = grpc_ssl_server_credentials_create_options_using_config( + GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY, cert_config); + grpc_server_credentials* server_creds = + grpc_ssl_server_credentials_create_with_options(options); + // This is a hack but we don't have a public API to force TLS version yet. + // + // The tests in this file are only meaningful with TLSv1.2 only there is the + // public key from the certificate used for key exchange and the key type's + // compatibility will be checked: + // https://datatracker.ietf.org/doc/html/rfc8422#section-5.3. + // In TLSv1.3 key exchange negotiation follows a different flow + // (https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.7) and no longer + // involves the key in the certificate. + reinterpret_cast(server_creds) + ->set_max_tls_version(grpc_tls_version::TLS1_2); + grpc_server* server = grpc_server_create(nullptr, nullptr); + grpc_server_register_completion_queue(server, cq, nullptr); + GPR_ASSERT(grpc_server_add_http2_port(server, server_addr, server_creds)); + grpc_server_credentials_release(server_creds); + grpc_server_start(server); + + grpc_slice_unref(cert_slice); + grpc_slice_unref(key_slice); + grpc_slice_unref(ca_slice); + return server; +} + +grpc_channel* client_create(const char* server_addr, const char* ca_cert_path, + const char* client_cert_path, + const char* client_key_path) { + grpc_slice ca_slice, cert_slice, key_slice; + GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file", + grpc_load_file(ca_cert_path, 1, &ca_slice))); + GPR_ASSERT(GRPC_LOG_IF_ERROR( + "load_file", grpc_load_file(client_cert_path, 1, &cert_slice))); + GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file", + grpc_load_file(client_key_path, 1, &key_slice))); + const char* ca_cert = + reinterpret_cast GRPC_SLICE_START_PTR(ca_slice); + const char* client_cert = + reinterpret_cast GRPC_SLICE_START_PTR(cert_slice); + const char* client_key = + reinterpret_cast GRPC_SLICE_START_PTR(key_slice); + grpc_ssl_pem_key_cert_pair signed_client_key_cert_pair = {client_key, + client_cert}; + grpc_channel_credentials* client_creds = grpc_ssl_credentials_create( + ca_cert, &signed_client_key_cert_pair, nullptr, nullptr); + + grpc_arg args[] = { + grpc_channel_arg_string_create( + const_cast(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG), + const_cast("waterzooi.test.google.be")), + }; + + grpc_channel_args* client_args = + grpc_channel_args_copy_and_add(nullptr, args, GPR_ARRAY_SIZE(args)); + + grpc_channel* client = + grpc_channel_create(server_addr, client_creds, client_args); + GPR_ASSERT(client != nullptr); + grpc_channel_credentials_release(client_creds); + + { + grpc_core::ExecCtx exec_ctx; + grpc_channel_args_destroy(client_args); + } + + grpc_slice_unref(cert_slice); + grpc_slice_unref(key_slice); + grpc_slice_unref(ca_slice); + return client; +} + +void do_round_trip(grpc_completion_queue* cq, grpc_server* server, + const char* server_addr, const char* ca_cert_path, + const char* client_cert_path, const char* client_key_path) { + grpc_channel* client = client_create(server_addr, ca_cert_path, + client_cert_path, client_key_path); + + grpc_core::CqVerifier cqv(cq); + grpc_op ops[6]; + grpc_op* op; + grpc_metadata_array initial_metadata_recv; + grpc_metadata_array trailing_metadata_recv; + grpc_metadata_array request_metadata_recv; + grpc_call_details call_details; + grpc_status_code status; + grpc_call_error error; + grpc_slice details; + int was_cancelled = 2; + + gpr_timespec deadline = grpc_timeout_seconds_to_deadline(60); + grpc_call* c = grpc_channel_create_call( + client, nullptr, GRPC_PROPAGATE_DEFAULTS, cq, + grpc_slice_from_static_string("/foo"), nullptr, deadline, nullptr); + GPR_ASSERT(c); + + grpc_metadata_array_init(&initial_metadata_recv); + grpc_metadata_array_init(&trailing_metadata_recv); + grpc_metadata_array_init(&request_metadata_recv); + grpc_call_details_init(&call_details); + + memset(ops, 0, sizeof(ops)); + op = ops; + op->op = GRPC_OP_SEND_INITIAL_METADATA; + op->data.send_initial_metadata.count = 0; + op->flags = 0; + op->reserved = nullptr; + op++; + op->op = GRPC_OP_SEND_CLOSE_FROM_CLIENT; + op->flags = 0; + op->reserved = nullptr; + op++; + op->op = GRPC_OP_RECV_INITIAL_METADATA; + op->data.recv_initial_metadata.recv_initial_metadata = &initial_metadata_recv; + op->flags = 0; + op->reserved = nullptr; + op++; + op->op = GRPC_OP_RECV_STATUS_ON_CLIENT; + op->data.recv_status_on_client.trailing_metadata = &trailing_metadata_recv; + op->data.recv_status_on_client.status = &status; + op->data.recv_status_on_client.status_details = &details; + op->flags = 0; + op->reserved = nullptr; + op++; + error = grpc_call_start_batch(c, ops, static_cast(op - ops), + grpc_core::CqVerifier::tag(1), nullptr); + GPR_ASSERT(GRPC_CALL_OK == error); + + grpc_call* s; + error = grpc_server_request_call(server, &s, &call_details, + &request_metadata_recv, cq, cq, + grpc_core::CqVerifier::tag(101)); + GPR_ASSERT(GRPC_CALL_OK == error); + cqv.Expect(grpc_core::CqVerifier::tag(101), true); + cqv.Verify(); + + memset(ops, 0, sizeof(ops)); + op = ops; + op->op = GRPC_OP_SEND_INITIAL_METADATA; + op->data.send_initial_metadata.count = 0; + op->flags = 0; + op->reserved = nullptr; + op++; + op->op = GRPC_OP_RECV_CLOSE_ON_SERVER; + op->data.recv_close_on_server.cancelled = &was_cancelled; + op->flags = 0; + op->reserved = nullptr; + op++; + op->op = GRPC_OP_SEND_STATUS_FROM_SERVER; + op->data.send_status_from_server.trailing_metadata_count = 0; + op->data.send_status_from_server.status = GRPC_STATUS_OK; + op->flags = 0; + op->reserved = nullptr; + op++; + error = grpc_call_start_batch(s, ops, static_cast(op - ops), + grpc_core::CqVerifier::tag(103), nullptr); + GPR_ASSERT(GRPC_CALL_OK == error); + + cqv.Expect(grpc_core::CqVerifier::tag(103), true); + cqv.Expect(grpc_core::CqVerifier::tag(1), true); + cqv.Verify(); + + grpc_metadata_array_destroy(&initial_metadata_recv); + grpc_metadata_array_destroy(&trailing_metadata_recv); + grpc_metadata_array_destroy(&request_metadata_recv); + grpc_call_details_destroy(&call_details); + + grpc_call_unref(c); + grpc_call_unref(s); + + grpc_channel_destroy(client); +} + +void drain_cq(grpc_completion_queue* cq) { + grpc_event ev; + do { + ev = grpc_completion_queue_next(cq, five_seconds_time(), nullptr); + } while (ev.type != GRPC_QUEUE_SHUTDOWN); +} + +TEST(H2SslCertsEllipicCurvesTest, RoundTripWithP256Curve) { + int port = grpc_pick_unused_port_or_die(); + + std::string server_addr = grpc_core::JoinHostPort("localhost", port); + + grpc_completion_queue* cq = grpc_completion_queue_create_for_next(nullptr); + + grpc_server* server = server_create(cq, server_addr.c_str(), kCaCertPath0, + kServerCertPath0, kServerKeyPath0); + + do_round_trip(cq, server, server_addr.c_str(), kCaCertPath0, kClientCertPath0, + kClientKeyPath0); + + GPR_ASSERT(grpc_completion_queue_next( + cq, grpc_timeout_milliseconds_to_deadline(100), nullptr) + .type == GRPC_QUEUE_TIMEOUT); + + grpc_server_shutdown_and_notify(server, cq, grpc_core::CqVerifier::tag(1000)); + grpc_event ev; + do { + ev = grpc_completion_queue_next(cq, grpc_timeout_seconds_to_deadline(5), + nullptr); + } while (ev.type != GRPC_OP_COMPLETE || + ev.tag != grpc_core::CqVerifier::tag(1000)); + grpc_server_destroy(server); + + grpc_completion_queue_shutdown(cq); + drain_cq(cq); + grpc_completion_queue_destroy(cq); +} + +TEST(H2SslCertsEllipicCurvesTest, RoundTripWithP384Curve) { + int port = grpc_pick_unused_port_or_die(); + + std::string server_addr = grpc_core::JoinHostPort("localhost", port); + + grpc_completion_queue* cq = grpc_completion_queue_create_for_next(nullptr); + + grpc_server* server = server_create(cq, server_addr.c_str(), kCaCertPath1, + kServerCertPath1, kServerKeyPath1); + + do_round_trip(cq, server, server_addr.c_str(), kCaCertPath1, kClientCertPath1, + kClientKeyPath1); + + GPR_ASSERT(grpc_completion_queue_next( + cq, grpc_timeout_milliseconds_to_deadline(100), nullptr) + .type == GRPC_QUEUE_TIMEOUT); + + grpc_server_shutdown_and_notify(server, cq, grpc_core::CqVerifier::tag(1000)); + grpc_event ev; + do { + ev = grpc_completion_queue_next(cq, grpc_timeout_seconds_to_deadline(5), + nullptr); + } while (ev.type != GRPC_OP_COMPLETE || + ev.tag != grpc_core::CqVerifier::tag(1000)); + grpc_server_destroy(server); + + grpc_completion_queue_shutdown(cq); + drain_cq(cq); + grpc_completion_queue_destroy(cq); +} + +TEST(H2SslCertsEllipicCurvesTest, RoundTripWithP521Curve) { + int port = grpc_pick_unused_port_or_die(); + + std::string server_addr = grpc_core::JoinHostPort("localhost", port); + + grpc_completion_queue* cq = grpc_completion_queue_create_for_next(nullptr); + + grpc_server* server = server_create(cq, server_addr.c_str(), kCaCertPath2, + kServerCertPath2, kServerKeyPath2); + + do_round_trip(cq, server, server_addr.c_str(), kCaCertPath2, kClientCertPath2, + kClientKeyPath2); + + GPR_ASSERT(grpc_completion_queue_next( + cq, grpc_timeout_milliseconds_to_deadline(100), nullptr) + .type == GRPC_QUEUE_TIMEOUT); + + grpc_server_shutdown_and_notify(server, cq, grpc_core::CqVerifier::tag(1000)); + grpc_event ev; + do { + ev = grpc_completion_queue_next(cq, grpc_timeout_seconds_to_deadline(5), + nullptr); + } while (ev.type != GRPC_OP_COMPLETE || + ev.tag != grpc_core::CqVerifier::tag(1000)); + grpc_server_destroy(server); + + grpc_completion_queue_shutdown(cq); + drain_cq(cq); + grpc_completion_queue_destroy(cq); +} + +} // namespace +} // namespace testing +} // namespace grpc + +int main(int argc, char** argv) { + grpc::testing::TestEnvironment env(&argc, argv); + grpc_core::ConfigVars::Overrides overrides; + grpc_core::ConfigVars::SetOverrides(overrides); + + grpc_init(); + ::testing::InitGoogleTest(&argc, argv); + int ret = RUN_ALL_TESTS(); + grpc_shutdown(); + + return ret; +} diff --git a/tools/run_tests/generated/tests.json b/tools/run_tests/generated/tests.json index b24f41f5d1815..3f3b6ad263412 100644 --- a/tools/run_tests/generated/tests.json +++ b/tools/run_tests/generated/tests.json @@ -4347,6 +4347,30 @@ ], "uses_polling": true }, + { + "args": [], + "benchmark": false, + "ci_platforms": [ + "linux", + "mac", + "posix", + "windows" + ], + "cpu_cost": 1.0, + "exclude_configs": [], + "exclude_iomgrs": [], + "flaky": false, + "gtest": true, + "language": "c++", + "name": "h2_ssl_certs_curves_test", + "platforms": [ + "linux", + "mac", + "posix", + "windows" + ], + "uses_polling": true + }, { "args": [], "benchmark": false,