diff --git a/.travis.yml b/.travis.yml index 1d05fdf..311c691 100644 --- a/.travis.yml +++ b/.travis.yml @@ -81,7 +81,7 @@ osx_xcode10_3: &osx_xcode10_3 - eval "export COV_COMPTYPE=clang COV_PLATFORM=macOSX" - eval "export PATH=\"${PATH}:$(python3 -m site --user-base)/bin\"" install: - - pip3 install conan --upgrade --user + - python3 -m pip install conan --upgrade --user osx_xcode9: &osx_xcode9 <<: *osx_xcode10_3 diff --git a/CMakeLists.txt b/CMakeLists.txt index 2ca2613..f7aaa38 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -10,6 +10,7 @@ # SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause # cmake_minimum_required(VERSION 3.7) +project(CycloneDDS VERSION 0.1.0) # Set a default build type if none was specified set(default_build_type "RelWithDebInfo") @@ -42,13 +43,12 @@ ENDFUNCTION(PREPEND) # Set module path before defining project so platform files will work. set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/cmake/Modules") -set(CMAKE_PROJECT_NAME_FULL "Eclipse Cyclone DDS") -project(CycloneDDS VERSION 0.1.0) +set(PROJECT_NAME_FULL "Eclipse Cyclone DDS") # Set some convenience variants of the project-name -string(REPLACE " " "-" CMAKE_PROJECT_NAME_DASHED "${CMAKE_PROJECT_NAME_FULL}") -string(TOUPPER ${CMAKE_PROJECT_NAME} CMAKE_PROJECT_NAME_CAPS) -string(TOLOWER ${CMAKE_PROJECT_NAME} CMAKE_PROJECT_NAME_SMALL) +string(REPLACE " " "-" PROJECT_NAME_DASHED "${PROJECT_NAME_FULL}") +string(TOUPPER ${PROJECT_NAME} PROJECT_NAME_CAPS) +string(TOLOWER ${PROJECT_NAME} PROJECT_NAME_SMALL) set(CMAKE_C_STANDARD 99) if(CMAKE_SYSTEM_NAME STREQUAL "VxWorks") 
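Review bot: The `install:` step for `osx_xcode10_3` still pulls whatever conan release is newest when the job runs, because `--upgrade` is kept and no version is named. A CI job that installs an unpinned build tool can change behaviour, or pick up a bad upload, without any commit in this repository. Pin the version the project has tested, e.g. `- python3 -m pip install --user "conan==<PINNED_VERSION>"` (placeholder), and consider a requirements file installed with `--require-hashes`.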
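Review bot: `project(CycloneDDS VERSION 0.1.0)` now runs before `set(CMAKE_MODULE_PATH ...)`, but the context comment in the second CMakeLists.txt hunk still reads `# Set module path before defining project so platform files will work.`, which is no longer true. If platform files under `cmake/Modules` are still needed while `project()` enables the languages (the VxWorks check just below suggests they may be), they are not on the module path at that point any more. Either move the `set(CMAKE_MODULE_PATH ...)` line above the new `project()` call or reword the comment to say why the order no longer matters.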
@@ -170,17 +170,17 @@ endif() # the address sanitizer for ordinary debug builds; gcc is giving some grief on # Travis, so don't enable it for gcc by default if(NOT USE_SANITIZER) - if(${CMAKE_BUILD_TYPE} STREQUAL "Debug" AND - NOT (${CMAKE_GENERATOR} STREQUAL "Xcode") AND - (${CMAKE_C_COMPILER_ID} STREQUAL "Clang" - OR ${CMAKE_C_COMPILER_ID} STREQUAL "AppleClang")) + if("${CMAKE_BUILD_TYPE}" STREQUAL "Debug" AND + NOT ("${CMAKE_GENERATOR}" STREQUAL "Xcode") AND + ("${CMAKE_C_COMPILER_ID}" STREQUAL "Clang" + OR "${CMAKE_C_COMPILER_ID}" STREQUAL "AppleClang")) message(STATUS "Enabling address sanitizer; set USE_SANITIZER=none to prevent this") set(USE_SANITIZER address) else() set(USE_SANITIZER none) endif() endif() -if(NOT (${USE_SANITIZER} STREQUAL "none")) +if(NOT ("${USE_SANITIZER}" STREQUAL "none")) message(STATUS "Sanitizer set to ${USE_SANITIZER}") add_compile_options(-fno-omit-frame-pointer -fsanitize=${USE_SANITIZER}) link_libraries(-fno-omit-frame-pointer -fsanitize=${USE_SANITIZER}) diff --git a/cmake/Modules/CUnit.cmake b/cmake/Modules/CUnit.cmake index ac63690..1f118b6 100644 --- a/cmake/Modules/CUnit.cmake +++ b/cmake/Modules/CUnit.cmake @@ -281,12 +281,17 @@ function(add_cunit_executable TARGET) set_property( TEST ${ctest} PROPERTY ENVIRONMENT - "DYLD_LIBRARY_PATH=${CUNIT_LIBRARY_DIR}:$ENV{DYLD_LIBRARY_PATH}") + "DYLD_LIBRARY_PATH=${CUNIT_LIBRARY_DIR}:${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:$ENV{DYLD_LIBRARY_PATH}") elseif(WIN32 AND ${CUNIT_LIBRARY_TYPE} STREQUAL "SHARED_LIBRARY") set_property( TEST ${ctest} PROPERTY ENVIRONMENT "PATH=${CUNIT_LIBRARY_DIR};$ENV{PATH}") + else() + set_property( + TEST ${ctest} + PROPERTY ENVIRONMENT + "LD_LIBRARY_PATH=${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:$ENV{LD_LIBRARY_PATH}") endif() endforeach() diff --git a/cmake/Modules/FindCUnit.cmake b/cmake/Modules/FindCUnit.cmake index 518ed8a..c17b859 100644 --- a/cmake/Modules/FindCUnit.cmake +++ b/cmake/Modules/FindCUnit.cmake 
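Review bot: The outer guard `if(NOT USE_SANITIZER)` in this hunk still treats `-DUSE_SANITIZER=OFF` (or `0`, `NO`, `FALSE`) as "not specified", so a Debug build with Clang turns the address sanitizer back on for a user who tried to disable it. Only the literal `none` is honoured, and the sole hint is the STATUS message. Mapping false constants to `none` before the guard would make the option behave as users expect: `if(DEFINED USE_SANITIZER AND NOT USE_SANITIZER)`, `set(USE_SANITIZER none)`, `endif()`. The quoting added by the commit is otherwise correct.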
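Review bot: Both new `ENVIRONMENT` strings in CUnit.cmake can contain an empty path element. `${CMAKE_LIBRARY_OUTPUT_DIRECTORY}` is empty unless the project sets it, and `$ENV{LD_LIBRARY_PATH}` / `$ENV{DYLD_LIBRARY_PATH}` is empty on most machines, which leaves a leading or trailing `:`. On Linux the dynamic loader reads an empty element as the current directory, so the tests would resolve shared libraries from wherever ctest happens to run. Join only the non-empty parts, as sketched below for the new `else()` branch; the DYLD branch needs the same treatment. The new `else()` is also reached on Windows when CUnit is not a shared library, where `LD_LIBRARY_PATH` has no effect. `add_cunit_executable` starts outside the hunk.

```cmake
else()
  # Join only non-empty entries: an empty LD_LIBRARY_PATH element means "current directory".
  set(ld_path_entries "")
  foreach(entry "${CMAKE_LIBRARY_OUTPUT_DIRECTORY}" "$ENV{LD_LIBRARY_PATH}")
    if(NOT "${entry}" STREQUAL "")
      list(APPEND ld_path_entries "${entry}")
    endif()
  endforeach()
  string(REPLACE ";" ":" ld_path "${ld_path_entries}")
  set_property(
    TEST ${ctest}
    PROPERTY ENVIRONMENT "LD_LIBRARY_PATH=${ld_path}")
# ... unchanged: endif() / endforeach() ...
```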
@@ -9,31 +9,37 @@ # # SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause # -set(CUNIT_HEADER "CUnit/CUnit.h") - -if(CONAN_INCLUDE_DIRS) - find_path(CUNIT_INCLUDE_DIR ${CUNIT_HEADER} HINTS ${CONAN_INCLUDE_DIRS}) +find_package(CUnit CONFIG QUIET) +if(CUnit_FOUND) + message(STATUS "Found CUnit via Config file: ${CUnit_DIR}") + set(CUNIT_FOUND ${CUnit_FOUND}) else() - find_path(CUNIT_INCLUDE_DIR ${CUNIT_HEADER}) -endif() + set(CUNIT_HEADER "CUnit/CUnit.h") -mark_as_advanced(CUNIT_INCLUDE_DIR) + if(CONAN_INCLUDE_DIRS) + find_path(CUNIT_INCLUDE_DIR ${CUNIT_HEADER} HINTS ${CONAN_INCLUDE_DIRS}) + else() + find_path(CUNIT_INCLUDE_DIR ${CUNIT_HEADER}) + endif() -if(CUNIT_INCLUDE_DIR AND EXISTS "${CUNIT_INCLUDE_DIR}/${CUNIT_HEADER}") - set(PATTERN "^#define CU_VERSION \"([0-9]+)\\.([0-9]+)\\-([0-9]+)\"$") - file(STRINGS "${CUNIT_INCLUDE_DIR}/${CUNIT_HEADER}" CUNIT_H REGEX "${PATTERN}") + mark_as_advanced(CUNIT_INCLUDE_DIR) - string(REGEX REPLACE "${PATTERN}" "\\1" CUNIT_VERSION_MAJOR "${CUNIT_H}") - string(REGEX REPLACE "${PATTERN}" "\\2" CUNIT_VERSION_MINOR "${CUNIT_H}") - string(REGEX REPLACE "${PATTERN}" "\\3" CUNIT_VERSION_PATCH "${CUNIT_H}") + if(CUNIT_INCLUDE_DIR AND EXISTS "${CUNIT_INCLUDE_DIR}/${CUNIT_HEADER}") + set(PATTERN "^#define CU_VERSION \"([0-9]+)\\.([0-9]+)\\-([0-9]+)\"$") + file(STRINGS "${CUNIT_INCLUDE_DIR}/${CUNIT_HEADER}" CUNIT_H REGEX "${PATTERN}") - set(CUNIT_VERSION "${CUNIT_VERSION_MAJOR}.${CUNIT_VERSION_MINOR}-${CUNIT_VERSION_PATCH}") -endif() + string(REGEX REPLACE "${PATTERN}" "\\1" CUNIT_VERSION_MAJOR "${CUNIT_H}") + string(REGEX REPLACE "${PATTERN}" "\\2" CUNIT_VERSION_MINOR "${CUNIT_H}") + string(REGEX REPLACE "${PATTERN}" "\\3" CUNIT_VERSION_PATCH "${CUNIT_H}") -if(CONAN_LIB_DIRS) - find_library(CUNIT_LIBRARY cunit HINTS ${CONAN_LIB_DIRS}) -else() - find_library(CUNIT_LIBRARY cunit) + set(CUNIT_VERSION "${CUNIT_VERSION_MAJOR}.${CUNIT_VERSION_MINOR}-${CUNIT_VERSION_PATCH}") + endif() + + if(CONAN_LIB_DIRS) + find_library(CUNIT_LIBRARY cunit HINTS 
${CONAN_LIB_DIRS}) + else() + find_library(CUNIT_LIBRARY cunit) + endif() endif() include(FindPackageHandleStandardArgs) diff --git a/cmake/Modules/Packaging.cmake b/cmake/Modules/Packaging.cmake index da2d7d6..b2d647c 100644 --- a/cmake/Modules/Packaging.cmake +++ b/cmake/Modules/Packaging.cmake 
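Review bot: When the new config-file branch succeeds, the visible lines set only `CUNIT_FOUND`; `CUNIT_INCLUDE_DIR`, `CUNIT_LIBRARY` and `CUNIT_VERSION` are never assigned on that path. CUnit.cmake in this same commit still expands `${CUNIT_LIBRARY_DIR}` and the unquoted `${CUNIT_LIBRARY_TYPE}` in `elseif(WIN32 AND ${CUNIT_LIBRARY_TYPE} STREQUAL "SHARED_LIBRARY")`, which is a configure-time error if that variable is empty. The remainder of FindCUnit.cmake is outside the hunk, so confirm that those variables are derived from the imported target on the config path, and quote the comparison as `"${CUNIT_LIBRARY_TYPE}" STREQUAL "SHARED_LIBRARY"`. A short comment on the `find_package(CUnit CONFIG QUIET)` line saying that a config package takes precedence over the Conan hints would also help, since it changes which CUnit a build picks up.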
@@ -18,39 +18,39 @@ include(CMakePackageConfigHelpers) include(GNUInstallDirs) set(PACKAGING_MODULE_DIR "${PROJECT_SOURCE_DIR}/cmake/Modules/Packaging") -set(CMAKE_INSTALL_CMAKEDIR "${CMAKE_INSTALL_DATADIR}/${CMAKE_PROJECT_NAME}") +set(CMAKE_INSTALL_CMAKEDIR "${CMAKE_INSTALL_DATADIR}/${PROJECT_NAME}") # Generates Config.cmake. if(BUILD_IDLC) configure_package_config_file( "${PACKAGING_MODULE_DIR}/PackageConfig.cmake.in" - "${CMAKE_PROJECT_NAME}Config.cmake" + "${PROJECT_NAME}Config.cmake" INSTALL_DESTINATION "${CMAKE_INSTALL_CMAKEDIR}") else() configure_package_config_file( "${PACKAGING_MODULE_DIR}/PackageConfigNoIdlc.cmake.in" - "${CMAKE_PROJECT_NAME}Config.cmake" + "${PROJECT_NAME}Config.cmake" INSTALL_DESTINATION "${CMAKE_INSTALL_CMAKEDIR}") endif() # Generates Version.cmake. write_basic_package_version_file( - "${CMAKE_PROJECT_NAME}Version.cmake" + "${PROJECT_NAME}Version.cmake" VERSION ${PROJECT_VERSION} COMPATIBILITY SameMajorVersion) install( - FILES "${CMAKE_CURRENT_BINARY_DIR}/${CMAKE_PROJECT_NAME}Config.cmake" - "${CMAKE_CURRENT_BINARY_DIR}/${CMAKE_PROJECT_NAME}Version.cmake" + FILES "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}Config.cmake" + "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}Version.cmake" DESTINATION "${CMAKE_INSTALL_CMAKEDIR}" COMPONENT dev) if((NOT DEFINED BUILD_SHARED_LIBS) OR BUILD_SHARED_LIBS) # Generates Targets.cmake file included by Config.cmake. # The files are placed in CMakeFiles/Export in the build tree. install( - EXPORT "${CMAKE_PROJECT_NAME}" - FILE "${CMAKE_PROJECT_NAME}Targets.cmake" - NAMESPACE "${CMAKE_PROJECT_NAME}::" + EXPORT "${PROJECT_NAME}" + FILE "${PROJECT_NAME}Targets.cmake" + NAMESPACE "${PROJECT_NAME}::" DESTINATION "${CMAKE_INSTALL_CMAKEDIR}" COMPONENT dev) endif() 
@@ -61,7 +61,7 @@ set(CPACK_PACKAGE_VERSION_PATCH ${PROJECT_VERSION_PATCH}) set(CPACK_PACKAGE_VERSION_TWEAK ${PROJECT_VERSION_TWEAK}) set(CPACK_PACKAGE_VERSION ${PROJECT_VERSION}) -set(CPACK_PACKAGE_NAME ${CMAKE_PROJECT_NAME}) +set(CPACK_PACKAGE_NAME ${PROJECT_NAME}) set(CPACK_PACKAGE_VENDOR "Eclipse Cyclone DDS project") set(CPACK_PACKAGE_CONTACT "https://github.com/eclipse-cyclonedds/cyclonedds") set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Implementation of the OMG DDS standard") @@ -84,10 +84,10 @@ set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_BINARY_DIR}/license.txt") # does help to clearify which settings are required for a platform. set(CPACK_COMPONENTS_ALL dev lib) -set(CPACK_COMPONENT_LIB_DISPLAY_NAME "${CMAKE_PROJECT_NAME_FULL} library") -set(CPACK_COMPONENT_LIB_DESCRIPTION "Library used to run programs with ${CMAKE_PROJECT_NAME_FULL}") -set(CPACK_COMPONENT_DEV_DISPLAY_NAME "${CMAKE_PROJECT_NAME_FULL} development") -set(CPACK_COMPONENT_DEV_DESCRIPTION "Development files for use with ${CMAKE_PROJECT_NAME_FULL}") +set(CPACK_COMPONENT_LIB_DISPLAY_NAME "${PROJECT_NAME_FULL} library") +set(CPACK_COMPONENT_LIB_DESCRIPTION "Library used to run programs with ${PROJECT_NAME_FULL}") +set(CPACK_COMPONENT_DEV_DISPLAY_NAME "${PROJECT_NAME_FULL} development") +set(CPACK_COMPONENT_DEV_DESCRIPTION "Development files for use with ${PROJECT_NAME_FULL}") if(WIN32 AND NOT UNIX) if(CMAKE_SIZEOF_VOID_P EQUAL 8) @@ -99,8 +99,8 @@ if(WIN32 AND NOT UNIX) set(CPACK_GENERATOR "WIX;ZIP;${CPACK_GENERATOR}" CACHE STRING "List of package generators") - set(CPACK_PACKAGE_FILE_NAME "${CMAKE_PROJECT_NAME}-${CPACK_PACKAGE_VERSION}-${__arch}") - set(CPACK_PACKAGE_INSTALL_DIRECTORY "${CMAKE_PROJECT_NAME_FULL}") + set(CPACK_PACKAGE_FILE_NAME "${PROJECT_NAME}-${CPACK_PACKAGE_VERSION}-${__arch}") + set(CPACK_PACKAGE_INSTALL_DIRECTORY "${PROJECT_NAME_FULL}") include(InstallRequiredSystemLibraries) elseif(CMAKE_SYSTEM_NAME MATCHES "Linux") 
@@ -123,7 +123,7 @@ elseif(CMAKE_SYSTEM_NAME MATCHES "Linux") set(CPACK_RPM_COMPONENT_INSTALL ON) # FIXME: The package file name must be updated to include the distribution. # See Fedora and Red Hat packaging guidelines for details. - set(CPACK_RPM_LIB_PACKAGE_NAME "${CMAKE_PROJECT_NAME_DASHED}") + set(CPACK_RPM_LIB_PACKAGE_NAME "${PROJECT_NAME_DASHED}") set(CPACK_RPM_LIB_FILE_NAME "${CPACK_RPM_LIB_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${__arch}.rpm") set(CPACK_RPM_DEV_PACKAGE_NAME "${CPACK_RPM_LIB_PACKAGE_NAME}-devel") set(CPACK_RPM_DEV_FILE_NAME "${CPACK_RPM_DEV_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${__arch}.rpm") @@ -138,7 +138,7 @@ elseif(CMAKE_SYSTEM_NAME MATCHES "Linux") set(CPACK_GENERATOR "DEB;TGZ;${CPACK_GENERATOR}" CACHE STRING "List of package generators") - string(TOLOWER "${CMAKE_PROJECT_NAME_DASHED}" CPACK_DEBIAN_LIB_PACKAGE_NAME) + string(TOLOWER "${PROJECT_NAME_DASHED}" CPACK_DEBIAN_LIB_PACKAGE_NAME) set(CPACK_DEBIAN_LIB_FILE_NAME "${CPACK_DEBIAN_LIB_PACKAGE_NAME}_${CPACK_PACKAGE_VERSION}_${__arch}.deb") set(CPACK_DEBIAN_DEV_PACKAGE_DEPENDS "${CPACK_DEBIAN_LIB_PACKAGE_NAME} (= ${CPACK_PACKAGE_VERSION}), libc6 (>= 2.23)") set(CPACK_DEBIAN_DEV_PACKAGE_NAME "${CPACK_DEBIAN_LIB_PACKAGE_NAME}-dev") diff --git a/cmake/Modules/Packaging/PackageConfig.cmake.in b/cmake/Modules/Packaging/PackageConfig.cmake.in index a1b8344..c8d6d78 100644 --- a/cmake/Modules/Packaging/PackageConfig.cmake.in +++ b/cmake/Modules/Packaging/PackageConfig.cmake.in @@ -11,5 +11,5 @@ # @PACKAGE_INIT@ -include("${CMAKE_CURRENT_LIST_DIR}/@CMAKE_PROJECT_NAME@Targets.cmake") +include("${CMAKE_CURRENT_LIST_DIR}/@PROJECT_NAME@Targets.cmake") include("${CMAKE_CURRENT_LIST_DIR}/idlc/IdlcGenerate.cmake") diff --git a/cmake/Modules/Packaging/PackageConfigNoIdlc.cmake.in b/cmake/Modules/Packaging/PackageConfigNoIdlc.cmake.in index 415b481..038e6f9 100644 --- a/cmake/Modules/Packaging/PackageConfigNoIdlc.cmake.in +++ b/cmake/Modules/Packaging/PackageConfigNoIdlc.cmake.in 
@@ -11,4 +11,4 @@ # @PACKAGE_INIT@ -include("${CMAKE_CURRENT_LIST_DIR}/@CMAKE_PROJECT_NAME@Targets.cmake") +include("${CMAKE_CURRENT_LIST_DIR}/@PROJECT_NAME@Targets.cmake") diff --git a/colcon.pkg b/colcon.pkg new file mode 100644 index 0000000..2d2a3ae --- /dev/null +++ b/colcon.pkg @@ -0,0 +1,3 @@ +{ + "cmake-args": [ "-DBUILD_IDLC=OFF" ] +} diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt index 2129d74..d78ff71 100644 --- a/examples/CMakeLists.txt +++ b/examples/CMakeLists.txt @@ -9,7 +9,7 @@ # # SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause # -set(CMAKE_INSTALL_EXAMPLESDIR "${CMAKE_INSTALL_DATADIR}/${CMAKE_PROJECT_NAME}/examples") +set(CMAKE_INSTALL_EXAMPLESDIR "${CMAKE_INSTALL_DATADIR}/${PROJECT_NAME}/examples") add_subdirectory(helloworld) add_subdirectory(roundtrip) diff --git a/examples/helloworld/CMakeLists.export b/examples/helloworld/CMakeLists.export index 3fcb0af..5712559 100644 --- a/examples/helloworld/CMakeLists.export +++ b/examples/helloworld/CMakeLists.export @@ -3,7 +3,7 @@ cmake_minimum_required(VERSION 3.5) if (NOT TARGET CycloneDDS::ddsc) # Find the CycloneDDS package. If it is not in a default location, try # finding it relative to the example where it most likely resides. - find_package(CycloneDDS REQUIRED PATHS "${CMAKE_SOURCE_DIR}/../../") + find_package(CycloneDDS REQUIRED PATHS "${CMAKE_CURRENT_SOURCE_DIR}/../../") endif() # This is a convenience function, provided by the CycloneDDS package, diff --git a/examples/roundtrip/CMakeLists.export b/examples/roundtrip/CMakeLists.export index 58a36ac..9554013 100644 --- a/examples/roundtrip/CMakeLists.export +++ b/examples/roundtrip/CMakeLists.export 
@@ -14,7 +14,7 @@ cmake_minimum_required(VERSION 3.5) if (NOT TARGET CycloneDDS::ddsc) # Find the CycloneDDS package. If it is not in a default location, try # finding it relative to the example where it most likely resides. - find_package(CycloneDDS REQUIRED PATHS "${CMAKE_SOURCE_DIR}/../../") + find_package(CycloneDDS REQUIRED PATHS "${CMAKE_CURRENT_SOURCE_DIR}/../../") endif() # This is a convenience function, provided by the CycloneDDS package, diff --git a/examples/throughput/CMakeLists.export b/examples/throughput/CMakeLists.export index dfce4b4..52415e0 100644 --- a/examples/throughput/CMakeLists.export +++ b/examples/throughput/CMakeLists.export @@ -14,7 +14,7 @@ cmake_minimum_required(VERSION 3.5) if (NOT TARGET CycloneDDS::ddsc) # Find the CycloneDDS package. If it is not in a default location, try # finding it relative to the example where it most likely resides. - find_package(CycloneDDS REQUIRED PATHS "${CMAKE_SOURCE_DIR}/../../") + find_package(CycloneDDS REQUIRED PATHS "${CMAKE_CURRENT_SOURCE_DIR}/../../") endif() # This is a convenience function, provided by the CycloneDDS package, diff --git a/package.xml b/package.xml index 5b4b661..9d0980d 100644 --- a/package.xml +++ b/package.xml @@ -12,8 +12,6 @@ https://github.com/eclipse-cyclonedds/cyclonedds cmake - java - maven openssl libcunit-dev python3-sphinx diff --git a/ports/freertos-posix/CMakeLists.txt b/ports/freertos-posix/CMakeLists.txt index 005e13b..0c161ce 100644 --- a/ports/freertos-posix/CMakeLists.txt +++ b/ports/freertos-posix/CMakeLists.txt @@ -24,7 +24,7 @@ endif() # default system locations, i.e. /usr/lib and /usr/include on *NIX platforms. # The install prefix must therefore be postfixed with the project name. if(UNIX) - set(CMAKE_INSTALL_PREFIX "${CMAKE_INSTALL_PREFIX}/${CMAKE_PROJECT_NAME}") + set(CMAKE_INSTALL_PREFIX "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}") endif() set(ENTRYPOINT "real_main" 
@@ -119,7 +119,7 @@ install( install( TARGETS freertos-sim freertos-sim-loader - EXPORT "${CMAKE_PROJECT_NAME}" + EXPORT "${PROJECT_NAME}" RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}") diff --git a/ports/freertos-posix/freertos-sim.cmake.in b/ports/freertos-posix/freertos-sim.cmake.in index 73b85f2..3ad08f5 100644 --- a/ports/freertos-posix/freertos-sim.cmake.in +++ b/ports/freertos-posix/freertos-sim.cmake.in @@ -11,7 +11,7 @@ # # -# CMake toolchain file generated by @CMAKE_PROJECT_NAME@ +# CMake toolchain file generated by @PROJECT_NAME@ # set(CMAKE_C_COMPILER "@CMAKE_C_COMPILER@") diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 16179d9..c72721e 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -23,7 +23,7 @@ add_subdirectory(ddsrt) if(BUILD_IDLC) add_subdirectory(idlc) endif() -add_subdirectory(security/api) +add_subdirectory(security) add_subdirectory(core) add_subdirectory(tools) if(BUILD_TESTING AND HAVE_MULTI_PROCESS AND BUILD_IDLC) diff --git a/src/core/CMakeLists.txt b/src/core/CMakeLists.txt index 1ae731b..6eb9b91 100644 --- a/src/core/CMakeLists.txt +++ b/src/core/CMakeLists.txt @@ -59,7 +59,7 @@ if(NOT ENABLE_SECURITY) message(STATUS "Building without OMG DDS Security support") else() add_definitions(-DDDSI_INCLUDE_SECURITY) - target_link_libraries(ddsc PRIVATE security_api) + target_link_libraries(ddsc PRIVATE security_core) target_include_directories( ddsc PUBLIC $>) 
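Review bot: `add_subdirectory(security)` in src/CMakeLists.txt is unconditional, while src/core/CMakeLists.txt links `security_core` only in the `else()` branch of `if(NOT ENABLE_SECURITY)`. Unless src/security/CMakeLists.txt (not shown here) checks the option itself, a build configured without DDS Security still configures the whole security tree and whatever it depends on. Consider wrapping the call as `if(ENABLE_SECURITY)` ... `endif()`, or add a comment next to it stating that the subdirectory guards itself.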
@@ -82,11 +82,11 @@ set_target_properties(ddsc PROPERTIES VERSION ${PROJECT_VERSION} SOVERSION ${PRO # Create a pseudo-target that other targets (i.e. examples, tests) can depend # on and can also be provided as import-target by a package-file when building # those targets outside the regular Cyclone build-tree (i.e. the installed tree) -add_library(${CMAKE_PROJECT_NAME}::ddsc ALIAS ddsc) +add_library(${PROJECT_NAME}::ddsc ALIAS ddsc) install( TARGETS ddsc - EXPORT "${CMAKE_PROJECT_NAME}" + EXPORT "${PROJECT_NAME}" RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT lib LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib diff --git a/src/core/ddsc/CMakeLists.txt b/src/core/ddsc/CMakeLists.txt index e10f21f..b32a4b5 100644 --- a/src/core/ddsc/CMakeLists.txt +++ b/src/core/ddsc/CMakeLists.txt @@ -87,11 +87,6 @@ generate_export_header( EXPORT_FILE_NAME "${CMAKE_CURRENT_BINARY_DIR}/include/dds/export.h" ) -target_include_directories( - ddsc PUBLIC - "$" - "$") - target_sources(ddsc PRIVATE ${srcs_ddsc} 
@@ -103,29 +98,23 @@ target_sources(ddsc target_include_directories(ddsc PUBLIC + "$" + "$" "$" PRIVATE - "${CMAKE_CURRENT_LIST_DIR}/src") - -target_include_directories(ddsc INTERFACE $) + "${CMAKE_CURRENT_LIST_DIR}/src" + INTERFACE + $) install( - DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/include/dds" + DIRECTORY + "${CMAKE_CURRENT_LIST_DIR}/include/" + "${CMAKE_CURRENT_BINARY_DIR}/include/" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" COMPONENT dev) -install( - DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/include/ddsc" - DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" - COMPONENT dev) - -install( - FILES "${CMAKE_CURRENT_BINARY_DIR}/include/dds/export.h" - DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/dds" - COMPONENT dev) - # TODO: improve test inclusion. -if((BUILD_TESTING) AND ((NOT DEFINED MSVC_VERSION) OR (MSVC_VERSION GREATER "1800"))) +if((BUILD_TESTING) AND (BUILD_IDLC) AND ((NOT DEFINED MSVC_VERSION) OR (MSVC_VERSION GREATER "1800"))) add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/tests") endif() diff --git a/src/core/ddsc/cmake/ddsc_project.h.in b/src/core/ddsc/cmake/ddsc_project.h.in index 6eb3884..3b27447 100644 --- a/src/core/ddsc/cmake/ddsc_project.h.in +++ b/src/core/ddsc/cmake/ddsc_project.h.in @@ -17,9 +17,9 @@ #define DDSC_VERSION_MINOR @CycloneDDS_VERSION_MINOR@ #define DDSC_VERSION_PATCH @CycloneDDS_VERSION_PATCH@ #define DDSC_VERSION_TWEAK @CycloneDDS_VERSION_TWEAK@ -#define DDSC_PROJECT_NAME_NOSPACE_CAPS "@CMAKE_PROJECT_NAME_CAPS@" -#define DDSC_PROJECT_NAME_NOSPACE_SMALL "@CMAKE_PROJECT_NAME_SMALL@" -#define DDSC_PROJECT_NAME_NOSPACE "@CMAKE_PROJECT_NAME@" -#define DDSC_PROJECT_NAME "@CMAKE_PROJECT_NAME@" +#define DDSC_PROJECT_NAME_NOSPACE_CAPS "@PROJECT_NAME_CAPS@" +#define DDSC_PROJECT_NAME_NOSPACE_SMALL "@PROJECT_NAME_SMALL@" +#define DDSC_PROJECT_NAME_NOSPACE "@PROJECT_NAME@" +#define DDSC_PROJECT_NAME "@PROJECT_NAME@" #endif /* DDSC_PROJECT_H */ 
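Review bot: The merged `install(DIRECTORY ...)` now copies everything below `${CMAKE_CURRENT_LIST_DIR}/include/` and `${CMAKE_CURRENT_BINARY_DIR}/include/` into the install prefix. The removed rules named `include/dds`, `include/ddsc` and the single generated `dds/export.h`, so any other file that ends up in the build-tree `include/` directory is now shipped in the `dev` component. Restricting the rule with `FILES_MATCHING PATTERN "*.h"` keeps the package to headers. The `install(DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/include/" ...)` change in src/core/ddsi/CMakeLists.txt widens the installed set in the same way.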
diff --git a/src/core/ddsc/src/dds_sertopic_builtintopic.c b/src/core/ddsc/src/dds_sertopic_builtintopic.c index 3479fa4..07f730c 100644 --- a/src/core/ddsc/src/dds_sertopic_builtintopic.c +++ b/src/core/ddsc/src/dds_sertopic_builtintopic.c @@ -17,7 +17,6 @@ #include "dds/dds.h" #include "dds/ddsrt/heap.h" #include "dds/ddsrt/md5.h" -#include "dds/ddsi/q_bswap.h" #include "dds/ddsi/q_config.h" #include "dds/ddsi/q_freelist.h" #include "dds/ddsi/ddsi_sertopic.h" diff --git a/src/core/ddsc/src/dds_stream.c b/src/core/ddsc/src/dds_stream.c index 3f12777..9be8810 100644 --- a/src/core/ddsc/src/dds_stream.c +++ b/src/core/ddsc/src/dds_stream.c @@ -175,17 +175,17 @@ static void dds_os_put1be (dds_ostreamBE_t * __restrict s, uint8_t v) static void dds_os_put2be (dds_ostreamBE_t * __restrict s, uint16_t v) { - dds_os_put2 (&s->x, toBE2u (v)); + dds_os_put2 (&s->x, ddsrt_toBE2u (v)); } static void dds_os_put4be (dds_ostreamBE_t * __restrict s, uint32_t v) { - dds_os_put4 (&s->x, toBE4u (v)); + dds_os_put4 (&s->x, ddsrt_toBE4u (v)); } static void dds_os_put8be (dds_ostreamBE_t * __restrict s, uint64_t v) { - dds_os_put8 (&s->x, toBE8u (v)); + dds_os_put8 (&s->x, ddsrt_toBE8u (v)); } static void dds_os_put_bytes (dds_ostream_t * __restrict s, const void * __restrict b, uint32_t l) @@ -782,7 +782,7 @@ static bool normalize_uint16 (char * __restrict data, uint32_t * __restrict off, if ((*off = check_align_prim (*off, size, 1)) == UINT32_MAX) return false; if (bswap) - *((uint16_t *) (data + *off)) = bswap2u (*((uint16_t *) (data + *off))); + *((uint16_t *) (data + *off)) = ddsrt_bswap2u (*((uint16_t *) (data + *off))); (*off) += 2; return true; } 
@@ -792,7 +792,7 @@ static bool normalize_uint32 (char * __restrict data, uint32_t * __restrict off, if ((*off = check_align_prim (*off, size, 2)) == UINT32_MAX) return false; if (bswap) - *((uint32_t *) (data + *off)) = bswap4u (*((uint32_t *) (data + *off))); + *((uint32_t *) (data + *off)) = ddsrt_bswap4u (*((uint32_t *) (data + *off))); (*off) += 4; return true; } @@ -802,7 +802,7 @@ static bool read_and_normalize_uint32 (uint32_t * __restrict val, char * __restr if ((*off = check_align_prim (*off, size, 2)) == UINT32_MAX) return false; if (bswap) - *((uint32_t *) (data + *off)) = bswap4u (*((uint32_t *) (data + *off))); + *((uint32_t *) (data + *off)) = ddsrt_bswap4u (*((uint32_t *) (data + *off))); *val = *((uint32_t *) (data + *off)); (*off) += 4; return true; @@ -813,7 +813,7 @@ static bool normalize_uint64 (char * __restrict data, uint32_t * __restrict off, if ((*off = check_align_prim (*off, size, 3)) == UINT32_MAX) return false; if (bswap) - *((uint64_t *) (data + *off)) = bswap8u (*((uint64_t *) (data + *off))); + *((uint64_t *) (data + *off)) = ddsrt_bswap8u (*((uint64_t *) (data + *off))); (*off) += 8; return true; } @@ -847,7 +847,7 @@ static bool normalize_primarray (char * __restrict data, uint32_t * __restrict o { uint16_t *xs = (uint16_t *) (data + *off); for (uint32_t i = 0; i < num; i++) - xs[i] = bswap2u (xs[i]); + xs[i] = ddsrt_bswap2u (xs[i]); } *off += 2 * num; return true; @@ -858,7 +858,7 @@ static bool normalize_primarray (char * __restrict data, uint32_t * __restrict o { uint32_t *xs = (uint32_t *) (data + *off); for (uint32_t i = 0; i < num; i++) - xs[i] = bswap4u (xs[i]); + xs[i] = ddsrt_bswap4u (xs[i]); } *off += 4 * num; return true; @@ -869,7 +869,7 @@ static bool normalize_primarray (char * __restrict data, uint32_t * __restrict o { uint64_t *xs = (uint64_t *) (data + *off); for (uint32_t i = 0; i < num; i++) - xs[i] = bswap8u (xs[i]); + xs[i] = ddsrt_bswap8u (xs[i]); } *off += 8 * num; return true; 
@@ -956,7 +956,7 @@ static bool normalize_uni_disc (uint32_t * __restrict val, char * __restrict dat if ((*off = check_align_prim (*off, size, 1)) == UINT32_MAX) return false; if (bswap) - *((uint16_t *) (data + *off)) = bswap2u (*((uint16_t *) (data + *off))); + *((uint16_t *) (data + *off)) = ddsrt_bswap2u (*((uint16_t *) (data + *off))); *val = *((uint16_t *) (data + *off)); (*off) += 2; return true; @@ -964,7 +964,7 @@ static bool normalize_uni_disc (uint32_t * __restrict val, char * __restrict dat if ((*off = check_align_prim (*off, size, 2)) == UINT32_MAX) return false; if (bswap) - *((uint32_t *) (data + *off)) = bswap4u (*((uint32_t *) (data + *off))); + *((uint32_t *) (data + *off)) = ddsrt_bswap4u (*((uint32_t *) (data + *off))); *val = *((uint32_t *) (data + *off)); (*off) += 4; return true; @@ -1180,19 +1180,19 @@ static void dds_stream_swap_insitu (void * __restrict vbuf, uint32_t size, uint3 case 2: { uint16_t *buf = vbuf; for (uint32_t i = 0; i < num; i++) - buf[i] = bswap2u (buf[i]); + buf[i] = ddsrt_bswap2u (buf[i]); break; } case 4: { uint32_t *buf = vbuf; for (uint32_t i = 0; i < num; i++) - buf[i] = bswap4u (buf[i]); + buf[i] = ddsrt_bswap4u (buf[i]); break; } case 8: { uint64_t *buf = vbuf; for (uint32_t i = 0; i < num; i++) - buf[i] = bswap8u (buf[i]); + buf[i] = ddsrt_bswap8u (buf[i]); break; } } @@ -1294,21 +1294,21 @@ static void dds_stream_swap_copy (void * __restrict vdst, const void * __restric const uint16_t *src = vsrc; uint16_t *dst = vdst; for (uint32_t i = 0; i < num; i++) - dst[i] = bswap2u (src[i]); + dst[i] = ddsrt_bswap2u (src[i]); break; } case 4: { const uint32_t *src = vsrc; uint32_t *dst = vdst; for (uint32_t i = 0; i < num; i++) - dst[i] = bswap4u (src[i]); + dst[i] = ddsrt_bswap4u (src[i]); break; } case 8: { const uint64_t *src = vsrc; uint64_t *dst = vdst; for (uint32_t i = 0; i < num; i++) - dst[i] = bswap8u (src[i]); + dst[i] = ddsrt_bswap8u (src[i]); break; } } 
@@ -1943,7 +1943,7 @@ void dds_ostream_add_to_serdata_default (dds_ostream_t * __restrict s, struct dd (*d) = (void *) s->m_buffer; (*d)->pos = (s->m_index - (uint32_t) offsetof (struct ddsi_serdata_default, data)); (*d)->size = (s->m_size - (uint32_t) offsetof (struct ddsi_serdata_default, data)); - (*d)->hdr.options = toBE2u ((uint16_t) pad); + (*d)->hdr.options = ddsrt_toBE2u ((uint16_t) pad); } void dds_ostreamBE_from_serdata_default (dds_ostreamBE_t * __restrict s, struct ddsi_serdata_default * __restrict d) @@ -1966,5 +1966,5 @@ void dds_ostreamBE_add_to_serdata_default (dds_ostreamBE_t * __restrict s, struc (*d) = (void *) s->x.m_buffer; (*d)->pos = (s->x.m_index - (uint32_t) offsetof (struct ddsi_serdata_default, data)); (*d)->size = (s->x.m_size - (uint32_t) offsetof (struct ddsi_serdata_default, data)); - (*d)->hdr.options = toBE2u ((uint16_t) pad); + (*d)->hdr.options = ddsrt_toBE2u ((uint16_t) pad); } diff --git a/src/core/ddsc/tests/CMakeLists.txt b/src/core/ddsc/tests/CMakeLists.txt index d128134..48423f8 100644 --- a/src/core/ddsc/tests/CMakeLists.txt +++ b/src/core/ddsc/tests/CMakeLists.txt @@ -63,7 +63,7 @@ get_test_property(CUnit_ddsc_config_simple_udp ENVIRONMENT CUnit_ddsc_config_sim set(CUnit_ddsc_config_simple_udp_file "${CMAKE_CURRENT_LIST_DIR}/config_simple_udp.xml") set(CUnit_ddsc_config_simple_udp_uri "file://${CUnit_ddsc_config_simple_udp_file}") set(CUnit_ddsc_config_simple_udp_max_participants "0") -set(CUnit_ddsc_config_simple_udp_env "${CMAKE_PROJECT_NAME_CAPS}_URI=${CUnit_ddsc_config_simple_udp_uri};MAX_PARTICIPANTS=${CUnit_ddsc_config_simple_udp_max_participants};${CUnit_ddsc_config_simple_udp_env}") +set(CUnit_ddsc_config_simple_udp_env "${PROJECT_NAME_CAPS}_URI=${CUnit_ddsc_config_simple_udp_uri};MAX_PARTICIPANTS=${CUnit_ddsc_config_simple_udp_max_participants};${CUnit_ddsc_config_simple_udp_env}") set_tests_properties( CUnit_ddsc_config_simple_udp 
diff --git a/src/core/ddsi/CMakeLists.txt b/src/core/ddsi/CMakeLists.txt index fb8785f..c437e7f 100644 --- a/src/core/ddsi/CMakeLists.txt +++ b/src/core/ddsi/CMakeLists.txt @@ -31,7 +31,6 @@ PREPEND(srcs_ddsi "${CMAKE_CURRENT_LIST_DIR}/src" q_addrset.c q_bitset_inlines.c q_bswap.c - q_bswap_inlines.c q_config.c q_ddsi_discovery.c q_debmon.c @@ -138,7 +137,7 @@ target_include_directories(ddsc PRIVATE "${CMAKE_CURRENT_LIST_DIR}/include") install( - DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/include/dds" + DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/include/" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" COMPONENT dev) diff --git a/src/core/ddsi/include/dds/ddsi/q_bswap.h b/src/core/ddsi/include/dds/ddsi/q_bswap.h index d7f058d..93a3706 100644 --- a/src/core/ddsi/include/dds/ddsi/q_bswap.h +++ b/src/core/ddsi/include/dds/ddsi/q_bswap.h @@ -14,7 +14,7 @@ #include -#include "dds/ddsrt/endian.h" +#include "dds/ddsrt/bswap.h" #include "dds/ddsrt/misc.h" #include "dds/ddsi/q_rtps.h" /* for nn_guid_t, nn_guid_prefix_t */ #include "dds/ddsi/q_protocol.h" /* for nn_sequence_number_t */ 
@@ -23,71 +23,12 @@ extern "C" { #endif -inline uint16_t bswap2u (uint16_t x) -{ - return (uint16_t) ((x >> 8) | (x << 8)); -} - -inline int16_t bswap2 (int16_t x) -{ - return (int16_t) bswap2u ((uint16_t) x); -} - -inline uint32_t bswap4u (uint32_t x) -{ - return (x >> 24) | ((x >> 8) & 0xff00) | ((x << 8) & 0xff0000) | (x << 24); -} - -inline int32_t bswap4 (int32_t x) -{ - return (int32_t) bswap4u ((uint32_t) x); -} - -inline uint64_t bswap8u (uint64_t x) -{ - const uint32_t newhi = bswap4u ((uint32_t) x); - const uint32_t newlo = bswap4u ((uint32_t) (x >> 32)); - return ((uint64_t) newhi << 32) | (uint64_t) newlo; -} - -inline int64_t bswap8 (int64_t x) -{ - return (int64_t) bswap8u ((uint64_t) x); -} - inline void bswapSN (nn_sequence_number_t *sn) { - sn->high = bswap4 (sn->high); - sn->low = bswap4u (sn->low); + sn->high = ddsrt_bswap4 (sn->high); + sn->low = ddsrt_bswap4u (sn->low); } -#if DDSRT_ENDIAN == DDSRT_LITTLE_ENDIAN -#define toBE2(x) bswap2 (x) -#define toBE2u(x) bswap2u (x) -#define toBE4(x) bswap4 (x) -#define toBE4u(x) bswap4u (x) -#define toBE8(x) bswap8 (x) -#define toBE8u(x) bswap8u (x) -#define fromBE2(x) bswap2 (x) -#define fromBE2u(x) bswap2u (x) -#define fromBE4(x) bswap4 (x) -#define fromBE4u(x) bswap4u (x) -#define fromBE8(x) bswap8 (x) -#define fromBE8u(x) bswap8u (x) -#else -#define toBE2u(x) (x) -#define toBE4(x) (x) -#define toBE4u(x) (x) -#define toBE8(x) (x) -#define toBE8u(x) (x) -#define fromBE2(x) (x) -#define fromBE2u(x) (x) -#define fromBE4(x) (x) -#define fromBE4u(x) (x) -#define fromBE8(x) (x) -#define fromBE8u(x) (x) -#endif - ddsi_guid_prefix_t nn_hton_guid_prefix (ddsi_guid_prefix_t p); ddsi_guid_prefix_t nn_ntoh_guid_prefix (ddsi_guid_prefix_t p); ddsi_entityid_t nn_hton_entityid (ddsi_entityid_t e); diff --git a/src/core/ddsi/src/ddsi_serdata_default.c b/src/core/ddsi/src/ddsi_serdata_default.c index 39879f4..666e0d3 100644 --- a/src/core/ddsi/src/ddsi_serdata_default.c +++ b/src/core/ddsi/src/ddsi_serdata_default.c 
@@ -296,7 +296,7 @@ static struct ddsi_serdata_default *serdata_default_from_ser_common (const struc const bool needs_bswap = (d->hdr.identifier != NATIVE_ENCODING); d->hdr.identifier = NATIVE_ENCODING; - const uint32_t pad = fromBE2u (d->hdr.options) & 2; + const uint32_t pad = ddsrt_fromBE2u (d->hdr.options) & 2; if (d->pos < pad) { ddsi_serdata_unref (&d->c); @@ -474,7 +474,7 @@ static struct ddsi_serdata *serdata_default_from_sample_plist (const struct ddsi ddsrt_md5_state_t md5st; ddsrt_md5_byte_t digest[16]; topic_name_sz = (uint32_t) strlen (topic_name) + 1; - topic_name_sz_BE = toBE4u (topic_name_sz); + topic_name_sz_BE = ddsrt_toBE4u (topic_name_sz); d->keyhash.m_set = 1; d->keyhash.m_iskey = 0; ddsrt_md5_init (&md5st); diff --git a/src/core/ddsi/src/q_bswap.c b/src/core/ddsi/src/q_bswap.c index 73e1778..c2d11c1 100644 --- a/src/core/ddsi/src/q_bswap.c +++ b/src/core/ddsi/src/q_bswap.c @@ -11,11 +11,13 @@ */ #include "dds/ddsi/q_bswap.h" +extern inline void bswapSN (nn_sequence_number_t *sn); + ddsi_guid_prefix_t nn_hton_guid_prefix (ddsi_guid_prefix_t p) { int i; for (i = 0; i < 3; i++) - p.u[i] = toBE4u (p.u[i]); + p.u[i] = ddsrt_toBE4u (p.u[i]); return p; } @@ -23,19 +25,19 @@ ddsi_guid_prefix_t nn_ntoh_guid_prefix (ddsi_guid_prefix_t p) { int i; for (i = 0; i < 3; i++) - p.u[i] = fromBE4u (p.u[i]); + p.u[i] = ddsrt_fromBE4u (p.u[i]); return p; } ddsi_entityid_t nn_hton_entityid (ddsi_entityid_t e) { - e.u = toBE4u (e.u); + e.u = ddsrt_toBE4u (e.u); return e; } ddsi_entityid_t nn_ntoh_entityid (ddsi_entityid_t e) { - e.u = fromBE4u (e.u); + e.u = ddsrt_fromBE4u (e.u); return e; } 
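Review bot: In `serdata_default_from_ser_common` the padding is read as `ddsrt_fromBE2u (d->hdr.options) & 2`, which keeps only bit 1. The writers in dds_stream.c, by contrast, store `ddsrt_toBE2u ((uint16_t) pad)` unmasked. If the writer's `pad` can be 1 or 3 (its computation is outside the visible hunks), the reader under-counts the padding of a sample received from the network and the `d->pos < pad` check that follows is weaker than intended. Please confirm whether the mask should be `& 3`, i.e. `const uint32_t pad = ddsrt_fromBE2u (d->hdr.options) & 3;`, or add a comment explaining why only bit 1 is significant. The function body continues outside the hunk.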
@@ -56,25 +58,26 @@ ddsi_guid_t nn_ntoh_guid (ddsi_guid_t g) void bswap_sequence_number_set_hdr (nn_sequence_number_set_header_t *snset) { bswapSN (&snset->bitmap_base); - snset->numbits = bswap4u (snset->numbits); + snset->numbits = ddsrt_bswap4u (snset->numbits); } void bswap_sequence_number_set_bitmap (nn_sequence_number_set_header_t *snset, uint32_t *bits) { const uint32_t n = (snset->numbits + 31) / 32; for (uint32_t i = 0; i < n; i++) - bits[i] = bswap4u (bits[i]); + bits[i] = ddsrt_bswap4u (bits[i]); } void bswap_fragment_number_set_hdr (nn_fragment_number_set_header_t *fnset) { - fnset->bitmap_base = bswap4u (fnset->bitmap_base); - fnset->numbits = bswap4u (fnset->numbits); + fnset->bitmap_base = ddsrt_bswap4u (fnset->bitmap_base); + fnset->numbits = ddsrt_bswap4u (fnset->numbits); } void bswap_fragment_number_set_bitmap (nn_fragment_number_set_header_t *fnset, uint32_t *bits) { const uint32_t n = (fnset->numbits + 31) / 32; for (uint32_t i = 0; i < n; i++) - bits[i] = bswap4u (bits[i]); + bits[i] = ddsrt_bswap4u (bits[i]); } + diff --git a/src/core/ddsi/src/q_init.c b/src/core/ddsi/src/q_init.c index 0e2442a..2d880ac 100644 --- a/src/core/ddsi/src/q_init.c +++ b/src/core/ddsi/src/q_init.c @@ -1044,7 +1044,7 @@ int rtps_init (struct q_globals *gv) that won't repeat in the lifetime of the process. Seems like it ought to work to keep the risks of collisions low. */ { - uint64_t iid = toBE8u (ddsi_iid_gen ()); + uint64_t iid = ddsrt_toBE8u (ddsi_iid_gen ()); ddsrt_md5_state_t st; ddsrt_md5_byte_t digest[16]; ddsrt_md5_init (&st); diff --git a/src/core/ddsi/src/q_lease.c b/src/core/ddsi/src/q_lease.c index 4015085..e35abda 100644 --- a/src/core/ddsi/src/q_lease.c +++ b/src/core/ddsi/src/q_lease.c 
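Review bot: `bswap_sequence_number_set_bitmap` and `bswap_fragment_number_set_bitmap` derive `n = (numbits + 31) / 32` from a header field and rewrite `n` words of `bits` with no bound of their own. The addition also wraps for `numbits` above `UINT32_MAX - 31`. These headers come off the wire, so the functions are only safe if every caller has already checked `numbits` against the protocol limit and the size of the received submessage; that check is not visible in this hunk. State the precondition at each function, e.g. `/* precondition: numbits validated against the buffer that holds bits */`, or add an assert on the limit the callers enforce.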
@@ -320,7 +320,7 @@ void handle_PMD (const struct receiver_state *rst, nn_wctime_t timestamp, uint32 const ParticipantMessageData_t *pmd = (ParticipantMessageData_t *) (data + 1); ddsi_guid_prefix_t p = nn_ntoh_guid_prefix (pmd->participantGuidPrefix); uint32_t kind = ntohl (pmd->kind); - uint32_t length = bswap ? bswap4u (pmd->length) : pmd->length; + uint32_t length = bswap ? ddsrt_bswap4u (pmd->length) : pmd->length; RSTTRACE (" pp %"PRIx32":%"PRIx32":%"PRIx32" kind %u data %u", p.u[0], p.u[1], p.u[2], kind, length); if (len - sizeof (struct CDRHeader) - offsetof (ParticipantMessageData_t, value) < length) debug_print_rawdata (rst->gv, " SHORT2", pmd->value, len - sizeof (struct CDRHeader) - offsetof (ParticipantMessageData_t, value)); diff --git a/src/core/ddsi/src/q_pcap.c b/src/core/ddsi/src/q_pcap.c index 3fb0e68..f588bbc 100644 --- a/src/core/ddsi/src/q_pcap.c +++ b/src/core/ddsi/src/q_pcap.c @@ -144,7 +144,7 @@ void write_pcap_received (struct q_globals *gv, nn_wctime_t tstamp, const struct pcap_hdr.incl_len = pcap_hdr.orig_len = (uint32_t) sz_iud; fwrite (&pcap_hdr, sizeof (pcap_hdr), 1, gv->pcap_fp); u.ipv4_hdr = ipv4_hdr_template; - u.ipv4_hdr.totallength = toBE2u ((unsigned short) sz_iud); + u.ipv4_hdr.totallength = ddsrt_toBE2u ((unsigned short) sz_iud); u.ipv4_hdr.ttl = 128; u.ipv4_hdr.srcip = ((struct sockaddr_in*) src)->sin_addr.s_addr; u.ipv4_hdr.dstip = ((struct sockaddr_in*) dst)->sin_addr.s_addr; @@ -152,7 +152,7 @@ void write_pcap_received (struct q_globals *gv, nn_wctime_t tstamp, const struct fwrite (&u.ipv4_hdr, sizeof (u.ipv4_hdr), 1, gv->pcap_fp); udp_hdr.srcport = ((struct sockaddr_in*) src)->sin_port; udp_hdr.dstport = ((struct sockaddr_in*) dst)->sin_port; - udp_hdr.length = toBE2u ((unsigned short) sz_ud); + udp_hdr.length = ddsrt_toBE2u ((unsigned short) sz_ud); udp_hdr.checksum = 0; /* don't have to compute a checksum for UDPv4 */ fwrite (&udp_hdr, sizeof (udp_hdr), 1, gv->pcap_fp); fwrite (buf, sz, 1, gv->pcap_fp); 
@@ -177,7 +177,7 @@ void write_pcap_sent (struct q_globals *gv, nn_wctime_t tstamp, const struct soc pcap_hdr.incl_len = pcap_hdr.orig_len = (uint32_t) sz_iud; fwrite (&pcap_hdr, sizeof (pcap_hdr), 1, gv->pcap_fp); u.ipv4_hdr = ipv4_hdr_template; - u.ipv4_hdr.totallength = toBE2u ((unsigned short) sz_iud); + u.ipv4_hdr.totallength = ddsrt_toBE2u ((unsigned short) sz_iud); u.ipv4_hdr.ttl = 255; u.ipv4_hdr.srcip = ((struct sockaddr_in*) src)->sin_addr.s_addr; u.ipv4_hdr.dstip = ((struct sockaddr_in*) hdr->msg_name)->sin_addr.s_addr; @@ -185,7 +185,7 @@ void write_pcap_sent (struct q_globals *gv, nn_wctime_t tstamp, const struct soc fwrite (&u.ipv4_hdr, sizeof (u.ipv4_hdr), 1, gv->pcap_fp); udp_hdr.srcport = ((struct sockaddr_in*) src)->sin_port; udp_hdr.dstport = ((struct sockaddr_in*) hdr->msg_name)->sin_port; - udp_hdr.length = toBE2u ((unsigned short) sz_ud); + udp_hdr.length = ddsrt_toBE2u ((unsigned short) sz_ud); udp_hdr.checksum = 0; /* don't have to compute a checksum for UDPv4 */ fwrite (&udp_hdr, sizeof (udp_hdr), 1, gv->pcap_fp); write_data (gv->pcap_fp, hdr, sz); diff --git a/src/core/ddsi/src/q_plist.c b/src/core/ddsi/src/q_plist.c index d6def9e..5b46109 100644 --- a/src/core/ddsi/src/q_plist.c +++ b/src/core/ddsi/src/q_plist.c @@ -216,7 +216,7 @@ static dds_return_t deser_uint32 (uint32_t *dst, const struct dd * __restrict dd return DDS_RETCODE_BAD_PARAMETER; tmp = *((uint32_t *) (dd->buf + off1)); if (dd->bswap) - tmp = bswap4u (tmp); + tmp = ddsrt_bswap4u (tmp); *dst = tmp; *off = off1 + 4; return 0; @@ -230,7 +230,7 @@ static dds_return_t deser_int64 (int64_t *dst, const struct dd * __restrict dd, return DDS_RETCODE_BAD_PARAMETER; tmp = *((int64_t *) (dd->buf + off1)); if (dd->bswap) - tmp = bswap8 (tmp); + tmp = ddsrt_bswap8 (tmp); *dst = tmp; *off = off1 + 8; return 0; 
@@ -298,7 +298,7 @@ static dds_return_t deser_statusinfo (void * __restrict dst, size_t * __restrict /* status info is always in BE format (it is an array of 4 octets according to the spec) -- fortunately we have 4 byte alignment anyway -- and can have bits set we don't grok (which we discard) */ - *x = fromBE4u (*((uint32_t *) (dd->buf + srcoff1))) & NN_STATUSINFO_STANDARDIZED; + *x = ddsrt_fromBE4u (*((uint32_t *) (dd->buf + srcoff1))) & NN_STATUSINFO_STANDARDIZED; *dstoff += sizeof (*x); *srcoff = srcoff1 + 4; *flagset->present |= flag; @@ -309,7 +309,7 @@ static dds_return_t ser_statusinfo (struct nn_xmsg *xmsg, nn_parameterid_t pid, { uint32_t const * const x = deser_generic_src (src, &srcoff, alignof (uint32_t)); uint32_t * const p = nn_xmsg_addpar (xmsg, pid, sizeof (uint32_t)); - *p = toBE4u (*x); + *p = ddsrt_toBE4u (*x); return 0; } @@ -2032,8 +2032,8 @@ static dds_return_t do_locator (nn_locators_t *ls, uint64_t *present, uint64_t w memcpy (&loc, dd->buf, sizeof (loc)); if (dd->bswap) { - loc.kind = bswap4 (loc.kind); - loc.port = bswap4u (loc.port); + loc.kind = ddsrt_bswap4 (loc.kind); + loc.port = ddsrt_bswap4u (loc.port); } switch (loc.kind) { @@ -2187,7 +2187,7 @@ static dds_return_t do_port (nn_plist_t *dest, nn_ipaddress_params_tmp_t *dest_t } memcpy (p, dd->buf, sizeof (*p)); if (dd->bswap) - *p = bswap4u (*p); + *p = ddsrt_bswap4u (*p); if (*p <= 0 || *p > 65535) return DDS_RETCODE_BAD_PARAMETER; dest_tmp->present |= fl_tmp; 
@@ -2488,8 +2488,8 @@ dds_return_t nn_plist_init_frommsg (nn_plist_t *dest, char **nextafterplist, uin /* swapping header partially based on wireshark dissector output, partially on intuition, and in a small part based on the spec */ - pid = (nn_parameterid_t) (dd.bswap ? bswap2u (par->parameterid) : par->parameterid); - length = (uint16_t) (dd.bswap ? bswap2u (par->length) : par->length); + pid = (nn_parameterid_t) (dd.bswap ? ddsrt_bswap2u (par->parameterid) : par->parameterid); + length = (uint16_t) (dd.bswap ? ddsrt_bswap2u (par->length) : par->length); if (pid == PID_SENTINEL) { /* Sentinel terminates list, the length is ignored, DDSI 9.4.2.11. */ @@ -2607,8 +2607,8 @@ unsigned char *nn_plist_quickscan (struct nn_rsample_info *dest, const struct nn nn_parameter_t *par = (nn_parameter_t *) pl; nn_parameterid_t pid; uint16_t length; - pid = (nn_parameterid_t) (dest->bswap ? bswap2u (par->parameterid) : par->parameterid); - length = (uint16_t) (dest->bswap ? bswap2u (par->length) : par->length); + pid = (nn_parameterid_t) (dest->bswap ? ddsrt_bswap2u (par->parameterid) : par->parameterid); + length = (uint16_t) (dest->bswap ? ddsrt_bswap2u (par->length) : par->length); pl += sizeof (*par); if (pid == PID_SENTINEL) return (unsigned char *) pl; @@ -2639,7 +2639,7 @@ unsigned char *nn_plist_quickscan (struct nn_rsample_info *dest, const struct nn { /* can only represent 2 LSBs of statusinfo in "dest", so if others are set, mark it as a "complex_qos" and accept the hit of parsing the data completely. */ - uint32_t stinfo = fromBE4u (*((uint32_t *) pl)); + uint32_t stinfo = ddsrt_fromBE4u (*((uint32_t *) pl)); dest->statusinfo = stinfo & 3u; if ((stinfo & ~3u)) dest->complex_qos = 1; diff --git a/src/core/ddsi/src/q_receive.c b/src/core/ddsi/src/q_receive.c index 352c611..eec9837 100644 --- a/src/core/ddsi/src/q_receive.c +++ b/src/core/ddsi/src/q_receive.c 
@@ -145,7 +145,7 @@ static int valid_AckNack (const struct receiver_state *rst, AckNack_t *msg, size if (byteswap) { bswap_sequence_number_set_bitmap (&msg->readerSNState, msg->bits); - *count = bswap4 (*count); + *count = ddsrt_bswap4 (*count); } return 1; } @@ -199,8 +199,8 @@ static int valid_InfoTS (InfoTS_t *msg, size_t size, int byteswap) { if (byteswap) { - msg->time.seconds = bswap4 (msg->time.seconds); - msg->time.fraction = bswap4u (msg->time.fraction); + msg->time.seconds = ddsrt_bswap4 (msg->time.seconds); + msg->time.fraction = ddsrt_bswap4u (msg->time.fraction); } return valid_ddsi_timestamp (msg->time); } @@ -214,7 +214,7 @@ static int valid_Heartbeat (Heartbeat_t *msg, size_t size, int byteswap) { bswapSN (&msg->firstSN); bswapSN (&msg->lastSN); - msg->count = bswap4 (msg->count); + msg->count = ddsrt_bswap4 (msg->count); } msg->readerId = nn_ntoh_entityid (msg->readerId); msg->writerId = nn_ntoh_entityid (msg->writerId); @@ -231,8 +231,8 @@ static int valid_HeartbeatFrag (HeartbeatFrag_t *msg, size_t size, int byteswap) if (byteswap) { bswapSN (&msg->writerSN); - msg->lastFragmentNum = bswap4u (msg->lastFragmentNum); - msg->count = bswap4 (msg->count); + msg->lastFragmentNum = ddsrt_bswap4u (msg->lastFragmentNum); + msg->count = ddsrt_bswap4 (msg->count); } msg->readerId = nn_ntoh_entityid (msg->readerId); msg->writerId = nn_ntoh_entityid (msg->writerId); @@ -267,7 +267,7 @@ static int valid_NackFrag (NackFrag_t *msg, size_t size, int byteswap) if (byteswap) { bswap_fragment_number_set_bitmap (&msg->fragmentNumberState, msg->bits); - *count = bswap4 (*count); + *count = ddsrt_bswap4 (*count); } return 1; } 
@@ -292,8 +292,8 @@ static int valid_Data (const struct receiver_state *rst, struct nn_rmsg *rmsg, D return 0; if (byteswap) { - msg->x.extraFlags = bswap2u (msg->x.extraFlags); - msg->x.octetsToInlineQos = bswap2u (msg->x.octetsToInlineQos); + msg->x.extraFlags = ddsrt_bswap2u (msg->x.extraFlags); + msg->x.octetsToInlineQos = ddsrt_bswap2u (msg->x.octetsToInlineQos); bswapSN (&msg->x.writerSN); } msg->x.readerId = nn_ntoh_entityid (msg->x.readerId); @@ -400,13 +400,13 @@ static int valid_DataFrag (const struct receiver_state *rst, struct nn_rmsg *rms if (byteswap) { - msg->x.extraFlags = bswap2u (msg->x.extraFlags); - msg->x.octetsToInlineQos = bswap2u (msg->x.octetsToInlineQos); + msg->x.extraFlags = ddsrt_bswap2u (msg->x.extraFlags); + msg->x.octetsToInlineQos = ddsrt_bswap2u (msg->x.octetsToInlineQos); bswapSN (&msg->x.writerSN); - msg->fragmentStartingNum = bswap4u (msg->fragmentStartingNum); - msg->fragmentsInSubmessage = bswap2u (msg->fragmentsInSubmessage); - msg->fragmentSize = bswap2u (msg->fragmentSize); - msg->sampleSize = bswap4u (msg->sampleSize); + msg->fragmentStartingNum = ddsrt_bswap4u (msg->fragmentStartingNum); + msg->fragmentsInSubmessage = ddsrt_bswap2u (msg->fragmentsInSubmessage); + msg->fragmentSize = ddsrt_bswap2u (msg->fragmentSize); + msg->sampleSize = ddsrt_bswap4u (msg->sampleSize); } msg->x.readerId = nn_ntoh_entityid (msg->x.readerId); msg->x.writerId = nn_ntoh_entityid (msg->x.writerId); @@ -2665,7 +2665,7 @@ static int handle_submsg_sequence } if (byteswap) { - sm->smhdr.octetsToNextHeader = bswap2u (sm->smhdr.octetsToNextHeader); + sm->smhdr.octetsToNextHeader = ddsrt_bswap2u (sm->smhdr.octetsToNextHeader); } octetsToNextHeader = sm->smhdr.octetsToNextHeader; @@ -2932,7 +2932,7 @@ static bool do_packet (struct thread_state1 * const ts1, struct q_globals *gv, d } if (swap) { - ml->length = bswap4u (ml->length); + ml->length = ddsrt_bswap4u (ml->length); } if (ml->smhdr.submessageId != SMID_PT_MSG_LEN) 
diff --git a/src/core/ddsi/src/q_xevent.c b/src/core/ddsi/src/q_xevent.c index 9deee7a..775b2f4 100644 --- a/src/core/ddsi/src/q_xevent.c +++ b/src/core/ddsi/src/q_xevent.c @@ -1109,7 +1109,7 @@ static void write_pmd_message (struct thread_state1 * const ts1, struct nn_xpack } u.pmd.participantGuidPrefix = nn_hton_guid_prefix (pp->e.guid.prefix); - u.pmd.kind = toBE4u (pmd_kind); + u.pmd.kind = ddsrt_toBE4u (pmd_kind); u.pmd.length = PMD_DATA_LENGTH; memset (u.pmd.value, 0, u.pmd.length); diff --git a/src/core/ddsi/src/q_xmsg.c b/src/core/ddsi/src/q_xmsg.c index 28c6200..5e704a3 100644 --- a/src/core/ddsi/src/q_xmsg.c +++ b/src/core/ddsi/src/q_xmsg.c @@ -786,7 +786,7 @@ void nn_xmsg_addpar_keyhash (struct nn_xmsg *m, const struct ddsi_serdata *serda static void nn_xmsg_addpar_BE4u (struct nn_xmsg *m, nn_parameterid_t pid, uint32_t x) { unsigned *p = nn_xmsg_addpar (m, pid, sizeof (x)); - *p = toBE4u (x); + *p = ddsrt_toBE4u (x); } void nn_xmsg_addpar_statusinfo (struct nn_xmsg *m, unsigned statusinfo) @@ -800,8 +800,8 @@ void nn_xmsg_addpar_statusinfo (struct nn_xmsg *m, unsigned statusinfo) assert ((statusinfo & ~NN_STATUSINFO_STANDARDIZED) == NN_STATUSINFO_OSPL_AUTO); if (statusinfo & NN_STATUSINFO_OSPL_AUTO) statusinfox |= NN_STATUSINFOX_OSPL_AUTO; - p[0] = toBE4u (statusinfo & NN_STATUSINFO_STANDARDIZED); - p[1] = toBE4u (statusinfox); + p[0] = ddsrt_toBE4u (statusinfo & NN_STATUSINFO_STANDARDIZED); + p[1] = ddsrt_toBE4u (statusinfox); } } @@ -1374,7 +1374,7 @@ int nn_xpack_addmsg (struct nn_xpack *xp, struct nn_xmsg *m, const uint32_t flag assert (m->refd_payload == NULL || (m->refd_payload_iov.iov_len % 4) == 0); if (xp->iov == NULL) - xp->iov = malloc (NN_XMSG_MAX_MESSAGE_IOVECS * sizeof (*xp->iov)); + xp->iov = ddsrt_malloc (NN_XMSG_MAX_MESSAGE_IOVECS * sizeof (*xp->iov)); if (!nn_xpack_mayaddmsg (xp, m, flags)) { diff --git a/src/ddsrt/CMakeLists.txt b/src/ddsrt/CMakeLists.txt index 492136d..8496545 100644 --- a/src/ddsrt/CMakeLists.txt 
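Review bot: In the `nn_xpack_addmsg` hunk of q_xmsg.c, `xp->iov` is now allocated with `ddsrt_malloc`, but the code that releases it lies outside the hunk, so it cannot be confirmed from here that the release was switched to `ddsrt_free (xp->iov);` as well. If the ddsrt heap functions are ever backed by something other than the C library allocator, a remaining `free (xp->iov)` becomes a mismatched free. A short comment on the allocation would also help, for example `/* lazily allocated on first use; released with ddsrt_free when the xpack is freed */`, once the release site is verified. The function body starts and ends outside the hunk.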
+++ b/src/ddsrt/CMakeLists.txt @@ -117,6 +117,7 @@ list(APPEND headers "${include_path}/dds/ddsrt/static_assert.h") list(APPEND sources + "${source_path}/bswap.c" "${source_path}/io.c" "${source_path}/log.c" "${source_path}/retcode.c" @@ -262,20 +263,9 @@ if(BUILD_TESTING) endif() install( - DIRECTORY "include/dds" + DIRECTORY + "include/" + ${CMAKE_CURRENT_BINARY_DIR}/include/ DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" COMPONENT dev FILES_MATCHING PATTERN "*.h") - -install( - FILES "${CMAKE_CURRENT_BINARY_DIR}/include/dds/version.h" - DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/dds" - COMPONENT dev) - -if(WIN32) - install( - FILES "${CMAKE_CURRENT_BINARY_DIR}/include/getopt.h" - DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" - COMPONENT dev) -endif() - diff --git a/src/ddsrt/include/dds/ddsrt/bswap.h b/src/ddsrt/include/dds/ddsrt/bswap.h new file mode 100644 index 0000000..3e1ff56 --- /dev/null +++ b/src/ddsrt/include/dds/ddsrt/bswap.h 
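Review bot: The merged `install(DIRECTORY ...)` in the second hunk installs every `*.h` found under `${CMAKE_CURRENT_BINARY_DIR}/include/`, where the removed rules installed exactly `dds/version.h` and, on WIN32 only, `getopt.h`. Any header that ends up in the build tree's include directory, including leftovers in a reused build directory, now becomes part of the installed package. If only those generated headers are meant to ship, keep the explicit `install(FILES ...)` rules or narrow the pattern. The new path is also the only unquoted argument in the call and should be written like its neighbour: `"${CMAKE_CURRENT_BINARY_DIR}/include/"`.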
@@ -0,0 +1,87 @@ +/* + * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ +#ifndef DDSRT_BSWAP_H +#define DDSRT_BSWAP_H + +#include +#include + +#include "dds/ddsrt/endian.h" + +#if defined (__cplusplus) +extern "C" { +#endif + +inline uint16_t ddsrt_bswap2u (uint16_t x) +{ + return (uint16_t) ((x >> 8) | (x << 8)); +} + +inline int16_t ddsrt_bswap2 (int16_t x) +{ + return (int16_t) ddsrt_bswap2u ((uint16_t) x); +} + +inline uint32_t ddsrt_bswap4u (uint32_t x) +{ + return (x >> 24) | ((x >> 8) & 0xff00) | ((x << 8) & 0xff0000) | (x << 24); +} + +inline int32_t ddsrt_bswap4 (int32_t x) +{ + return (int32_t) ddsrt_bswap4u ((uint32_t) x); +} + +inline uint64_t ddsrt_bswap8u (uint64_t x) +{ + const uint32_t newhi = ddsrt_bswap4u ((uint32_t) x); + const uint32_t newlo = ddsrt_bswap4u ((uint32_t) (x >> 32)); + return ((uint64_t) newhi << 32) | (uint64_t) newlo; +} + +inline int64_t ddsrt_bswap8 (int64_t x) +{ + return (int64_t) ddsrt_bswap8u ((uint64_t) x); +} + +#if DDSRT_ENDIAN == DDSRT_LITTLE_ENDIAN +#define ddsrt_toBE2(x) ddsrt_bswap2 (x) +#define ddsrt_toBE2u(x) ddsrt_bswap2u (x) +#define ddsrt_toBE4(x) ddsrt_bswap4 (x) +#define ddsrt_toBE4u(x) ddsrt_bswap4u (x) +#define ddsrt_toBE8(x) ddsrt_bswap8 (x) +#define ddsrt_toBE8u(x) ddsrt_bswap8u (x) +#define ddsrt_fromBE2(x) ddsrt_bswap2 (x) +#define ddsrt_fromBE2u(x) ddsrt_bswap2u (x) +#define ddsrt_fromBE4(x) ddsrt_bswap4 (x) +#define ddsrt_fromBE4u(x) ddsrt_bswap4u (x) +#define ddsrt_fromBE8(x) ddsrt_bswap8 (x) +#define ddsrt_fromBE8u(x) ddsrt_bswap8u (x) +#else +#define ddsrt_toBE2u(x) (x) +#define ddsrt_toBE4(x) (x) +#define 
ddsrt_toBE4u(x) (x) +#define ddsrt_toBE8(x) (x) +#define ddsrt_toBE8u(x) (x) +#define ddsrt_fromBE2(x) (x) +#define ddsrt_fromBE2u(x) (x) +#define ddsrt_fromBE4(x) (x) +#define ddsrt_fromBE4u(x) (x) +#define ddsrt_fromBE8(x) (x) +#define ddsrt_fromBE8u(x) (x) +#endif + +#if defined (__cplusplus) +} +#endif + +#endif /* DDSRT_BSWAP_H */ \ No newline at end of file diff --git a/src/ddsrt/include/dds/ddsrt/time.h b/src/ddsrt/include/dds/ddsrt/time.h index a474fb4..fb22669 100644 --- a/src/ddsrt/include/dds/ddsrt/time.h +++ b/src/ddsrt/include/dds/ddsrt/time.h @@ -59,6 +59,9 @@ typedef int64_t dds_duration_t; /** @name Infinite timeout for relative time */ #define DDS_INFINITY ((dds_duration_t) INT64_MAX) +/** @name Invalid time value for assigning to time output when something goes wrong */ +#define DDS_TIME_INVALID ((dds_time_t) INT64_MIN) + /** @name Macro definition for time conversion to nanoseconds @{**/ #define DDS_SECS(n) ((n) * DDS_NSECS_IN_SEC) diff --git a/src/ddsrt/include/dds/version.h.in b/src/ddsrt/include/dds/version.h.in index 3bab290..6eb821c 100644 --- a/src/ddsrt/include/dds/version.h.in +++ b/src/ddsrt/include/dds/version.h.in @@ -17,10 +17,10 @@ #define DDS_VERSION_MINOR @CycloneDDS_VERSION_MINOR@ #define DDS_VERSION_PATCH @CycloneDDS_VERSION_PATCH@ #define DDS_VERSION_TWEAK @CycloneDDS_VERSION_TWEAK@ -#define DDS_PROJECT_NAME_NOSPACE_CAPS "@CMAKE_PROJECT_NAME_CAPS@" -#define DDS_PROJECT_NAME_NOSPACE_SMALL "@CMAKE_PROJECT_NAME_SMALL@" -#define DDS_PROJECT_NAME_NOSPACE "@CMAKE_PROJECT_NAME@" -#define DDS_PROJECT_NAME "@CMAKE_PROJECT_NAME@" +#define DDS_PROJECT_NAME_NOSPACE_CAPS "@PROJECT_NAME_CAPS@" +#define DDS_PROJECT_NAME_NOSPACE_SMALL "@PROJECT_NAME_SMALL@" +#define DDS_PROJECT_NAME_NOSPACE "@PROJECT_NAME@" +#define DDS_PROJECT_NAME "@PROJECT_NAME@" #define DDS_HOST_NAME "@CMAKE_HOST_SYSTEM_NAME@" #define DDS_TARGET_NAME "@CMAKE_SYSTEM_NAME@" 
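Review bot: The big-endian `#else` branch of the new bswap.h never defines `ddsrt_toBE2`. Its list starts at `ddsrt_toBE2u`, while the little-endian branch defines all twelve conversion macros, so a caller of `ddsrt_toBE2` builds on little-endian hosts and breaks on big-endian ones. Add `#define ddsrt_toBE2(x) (x)` as the first line of the `#else` branch. The identity macros also skip the conversion to the fixed-width parameter type that the inline functions perform, so a comment above the block such as `/* arguments must already have the exact fixed-width type: the big-endian variants are identity macros */` would document the difference.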
diff --git a/src/core/ddsi/src/q_bswap_inlines.c b/src/ddsrt/src/bswap.c similarity index 55% rename from src/core/ddsi/src/q_bswap_inlines.c rename to src/ddsrt/src/bswap.c index 7d5f070..0423eab 100644 --- a/src/core/ddsi/src/q_bswap_inlines.c +++ b/src/ddsrt/src/bswap.c @@ -9,13 +9,11 @@ * * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause */ -#include "dds/ddsi/q_bswap.h" - -extern inline uint16_t bswap2u (uint16_t x); -extern inline uint32_t bswap4u (uint32_t x); -extern inline uint64_t bswap8u (uint64_t x); -extern inline int16_t bswap2 (int16_t x); -extern inline int32_t bswap4 (int32_t x); -extern inline int64_t bswap8 (int64_t x); -extern inline void bswapSN (nn_sequence_number_t *sn); +#include "dds/ddsrt/bswap.h" +extern inline uint16_t ddsrt_bswap2u (uint16_t x); +extern inline uint32_t ddsrt_bswap4u (uint32_t x); +extern inline uint64_t ddsrt_bswap8u (uint64_t x); +extern inline int16_t ddsrt_bswap2 (int16_t x); +extern inline int32_t ddsrt_bswap4 (int32_t x); +extern inline int64_t ddsrt_bswap8 (int64_t x); diff --git a/src/ddsrt/src/dynlib/posix/dynlib.c b/src/ddsrt/src/dynlib/posix/dynlib.c index ec97397..4ee6bb7 100644 --- a/src/ddsrt/src/dynlib/posix/dynlib.c +++ b/src/ddsrt/src/dynlib/posix/dynlib.c 
@@ -18,78 +18,78 @@ #include "dds/ddsrt/io.h" dds_return_t ddsrt_dlopen(const char *name, bool translate, - ddsrt_dynlib_t *handle) { - dds_return_t retcode = DDS_RETCODE_OK; + ddsrt_dynlib_t *handle) { + dds_return_t retcode = DDS_RETCODE_OK; - assert( handle ); - *handle = NULL; + assert( handle ); + *handle = NULL; - if ((translate) && (strrchr(name, '/') == NULL )) { - /* Add lib and suffix to the name and try to open. */ + if ((translate) && (strrchr(name, '/') == NULL )) { + /* Add lib and suffix to the name and try to open. */ #if __APPLE__ - static const char suffix[] = ".dylib"; + static const char suffix[] = ".dylib"; #else - static const char suffix[] = ".so"; + static const char suffix[] = ".so"; #endif - char* libName; - ddsrt_asprintf( &libName, "lib%s%s", name, suffix); - *handle = dlopen(libName, RTLD_GLOBAL | RTLD_NOW); - ddsrt_free(libName); - } + char* libName; + ddsrt_asprintf( &libName, "lib%s%s", name, suffix); + *handle = dlopen(libName, RTLD_GLOBAL | RTLD_NOW); + ddsrt_free(libName); + } - if (*handle == NULL ) { - /* name contains a path, - * (auto)translate is disabled or - * dlopen on translated name failed. */ - *handle = dlopen(name, RTLD_GLOBAL | RTLD_NOW); - } + if (*handle == NULL ) { + /* name contains a path, + * (auto)translate is disabled or + * dlopen on translated name failed. */ + *handle = dlopen(name, RTLD_GLOBAL | RTLD_NOW); + } - if (*handle != NULL) { - retcode = DDS_RETCODE_OK; - } else { - retcode = DDS_RETCODE_ERROR; - } + if (*handle != NULL) { + retcode = DDS_RETCODE_OK; + } else { + retcode = DDS_RETCODE_ERROR; + } - return retcode; + return retcode; } dds_return_t ddsrt_dlclose(ddsrt_dynlib_t handle) { - assert ( handle ); - return (dlclose(handle) == 0) ? DDS_RETCODE_OK : DDS_RETCODE_ERROR; + assert ( handle ); + return (dlclose(handle) == 0) ? 
DDS_RETCODE_OK : DDS_RETCODE_ERROR; } dds_return_t ddsrt_dlsym(ddsrt_dynlib_t handle, const char *symbol, - void **address) { - dds_return_t retcode = DDS_RETCODE_OK; + void **address) { + dds_return_t retcode = DDS_RETCODE_OK; - assert( handle ); - assert( address ); - assert( symbol ); + assert( handle ); + assert( address ); + assert( symbol ); - *address = dlsym(handle, symbol); - if (*address == NULL) { - retcode = DDS_RETCODE_ERROR; - } + *address = dlsym(handle, symbol); + if (*address == NULL) { + retcode = DDS_RETCODE_ERROR; + } - return retcode; + return retcode; } dds_return_t ddsrt_dlerror(char *buf, size_t buflen) { - const char *err; - dds_return_t retcode = DDS_RETCODE_OK; + const char *err; + dds_return_t retcode = DDS_RETCODE_OK; - assert (buf ); + assert (buf ); - err = dlerror(); - if (err == NULL) { - retcode = DDS_RETCODE_NOT_FOUND; - } else { - snprintf(buf, buflen, "%s", err); - } + err = dlerror(); + if (err == NULL) { + retcode = DDS_RETCODE_NOT_FOUND; + } else { + snprintf(buf, buflen, "%s", err); + } - return retcode; + return retcode; } diff --git a/src/ddsrt/src/dynlib/windows/dynlib.c b/src/ddsrt/src/dynlib/windows/dynlib.c index 9a8eb46..7b48240 100644 --- a/src/ddsrt/src/dynlib/windows/dynlib.c +++ b/src/ddsrt/src/dynlib/windows/dynlib.c @@ -86,7 +86,8 @@ dds_return_t ddsrt_dlerror(char *buf, size_t buflen) { if ( err == 0 ) { retcode = DDS_RETCODE_NOT_FOUND; } else { - retcode = ddsrt_strerror_r(err, buf, buflen); + ddsrt_strerror_r(err, buf, buflen); + SetLastError(0); } return retcode; diff --git a/src/idlc/CMakeLists.txt b/src/idlc/CMakeLists.txt index 417aa50..5616658 100644 --- a/src/idlc/CMakeLists.txt +++ b/src/idlc/CMakeLists.txt 
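Review bot: In the Windows `ddsrt_dlerror` hunk the result of `ddsrt_strerror_r` is now discarded, so a failure to format the message is no longer reported. The function then returns whatever `retcode` was initialised to (the initialisation is outside the hunk, presumably `DDS_RETCODE_OK`) and the caller may go on to read a `buf` that was never filled. Keeping the assignment, `retcode = ddsrt_strerror_r(err, buf, buflen);` followed by `SetLastError(0);`, preserves the error path. If ignoring the result is deliberate, to mirror the POSIX variant, say so in a comment and write `(void) ddsrt_strerror_r(err, buf, buflen);`.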
@@ -45,17 +45,17 @@ include(cmake/IdlcGenerate.cmake) install( FILES "cmake/IdlcGenerate.cmake" - DESTINATION "${CMAKE_INSTALL_DATADIR}/${CMAKE_PROJECT_NAME}/idlc" + DESTINATION "${CMAKE_INSTALL_DATADIR}/${PROJECT_NAME}/idlc" COMPONENT dev) install( FILES "${IDLC_SCRIPT_IN}" - DESTINATION "${CMAKE_INSTALL_DATADIR}/${CMAKE_PROJECT_NAME}/idlc" + DESTINATION "${CMAKE_INSTALL_DATADIR}/${PROJECT_NAME}/idlc" COMPONENT dev) install( FILES "${IDLC_JAR}" - DESTINATION "${CMAKE_INSTALL_DATADIR}/${CMAKE_PROJECT_NAME}/idlc" + DESTINATION "${CMAKE_INSTALL_DATADIR}/${PROJECT_NAME}/idlc" PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_WRITE GROUP_EXECUTE WORLD_READ WORLD_EXECUTE COMPONENT dev) diff --git a/src/idlc/src/org/eclipse/cyclonedds/Project.java.in b/src/idlc/src/org/eclipse/cyclonedds/Project.java.in index cce4f8d..bb01a3b 100644 --- a/src/idlc/src/org/eclipse/cyclonedds/Project.java.in +++ b/src/idlc/src/org/eclipse/cyclonedds/Project.java.in @@ -14,6 +14,6 @@ package org.eclipse.cyclonedds; public class Project { public static String version = "@PROJECT_VERSION@"; - public static String name = "@CMAKE_PROJECT_NAME@"; - public static String nameCaps = "@CMAKE_PROJECT_NAME_CAPS@"; + public static String name = "@PROJECT_NAME@"; + public static String nameCaps = "@PROJECT_NAME_CAPS@"; } diff --git a/src/mpt/tests/qos/CMakeLists.txt b/src/mpt/tests/qos/CMakeLists.txt index 0632570..d154298 100644 --- a/src/mpt/tests/qos/CMakeLists.txt +++ b/src/mpt/tests/qos/CMakeLists.txt @@ -11,14 +11,17 @@ # include(${MPT_CMAKE}) -add_compile_options("-I${PROJECT_SOURCE_DIR}/src/core/ddsi/include") - idlc_generate(mpt_rwdata_lib "procs/rwdata.idl") set(sources_qosmatch "procs/rw.c" "qosmatch.c") add_mpt_executable(mpt_qosmatch ${sources_qosmatch}) + +target_include_directories( +mpt_qosmatch PRIVATE +"$") + target_link_libraries(mpt_qosmatch PRIVATE mpt_rwdata_lib) set(sources_ppuserdata 
diff --git a/src/security/CMakeLists.txt b/src/security/CMakeLists.txt new file mode 100644 index 0000000..2d67ac3 --- /dev/null +++ b/src/security/CMakeLists.txt @@ -0,0 +1,21 @@ +# +# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License v. 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License +# v. 1.0 which is available at +# http://www.eclipse.org/org/documents/edl-v10.php. +# +# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause +# +cmake_minimum_required(VERSION 3.7) + +if( ENABLE_SECURITY ) + add_subdirectory(api) + add_subdirectory(core) + + if ( ENABLE_SSL) + add_subdirectory(builtin_plugins) + endif() +endif() \ No newline at end of file diff --git a/src/security/api/CMakeLists.txt b/src/security/api/CMakeLists.txt index 63caf64..02586c6 100644 --- a/src/security/api/CMakeLists.txt +++ b/src/security/api/CMakeLists.txt @@ -1,5 +1,5 @@ # -# Copyright(c) 2006 to 2018 ADLINK Technology Limited and others +# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others # # This program and the accompanying materials are made available under the # terms of the Eclipse Public License v. 2.0 which is available at @@ -15,7 +15,9 @@ add_library(security_api INTERFACE) target_include_directories( security_api INTERFACE - "$") + "$" + "$" +) install( DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/include/" diff --git a/src/security/api/include/dds/security/dds_security_api.h b/src/security/api/include/dds/security/dds_security_api.h index 1304201..ba29184 100644 --- a/src/security/api/include/dds/security/dds_security_api.h +++ b/src/security/api/include/dds/security/dds_security_api.h 
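Review bot: With `ENABLE_SECURITY` on and `ENABLE_SSL` off, the new src/security/CMakeLists.txt skips `builtin_plugins` without any message. The tree is then configured as security-enabled but without the built-in authentication plugin that this commit adds under that directory. An `else()` branch with `message(WARNING "ENABLE_SECURITY is set but ENABLE_SSL is not: built-in security plugins will not be built")` would make the reduced configuration visible at configure time. Neither variable is declared in this file, presumably both are options of a parent directory, so a one-line comment naming where they are defined would help the next reader.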
@@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at diff --git a/src/security/api/include/dds/security/dds_security_api_access_control.h b/src/security/api/include/dds/security/dds_security_api_access_control.h index 00ca926..8b908b5 100644 --- a/src/security/api/include/dds/security/dds_security_api_access_control.h +++ b/src/security/api/include/dds/security/dds_security_api_access_control.h @@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at diff --git a/src/security/api/include/dds/security/dds_security_api_authentication.h b/src/security/api/include/dds/security/dds_security_api_authentication.h index ebcfa15..4913985 100644 --- a/src/security/api/include/dds/security/dds_security_api_authentication.h +++ b/src/security/api/include/dds/security/dds_security_api_authentication.h @@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at diff --git a/src/security/api/include/dds/security/dds_security_api_cryptography.h b/src/security/api/include/dds/security/dds_security_api_cryptography.h index f082477..5203d3d 100644 --- a/src/security/api/include/dds/security/dds_security_api_cryptography.h +++ b/src/security/api/include/dds/security/dds_security_api_cryptography.h 
@@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at diff --git a/src/security/api/include/dds/security/dds_security_api_defs.h b/src/security/api/include/dds/security/dds_security_api_defs.h index 82baa98..a0e6739 100644 --- a/src/security/api/include/dds/security/dds_security_api_defs.h +++ b/src/security/api/include/dds/security/dds_security_api_defs.h @@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at diff --git a/src/security/api/include/dds/security/dds_security_api_err.h b/src/security/api/include/dds/security/dds_security_api_err.h index 8795a44..f4e8904 100644 --- a/src/security/api/include/dds/security/dds_security_api_err.h +++ b/src/security/api/include/dds/security/dds_security_api_err.h @@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at 
@@ -47,13 +47,13 @@ extern "C" { #define DDS_SECURITY_ERR_INVALID_TRUSTED_CA_DIR_MESSAGE "Can not open trusted CA directory" #define DDS_SECURITY_ERR_CA_NOT_TRUSTED_CODE 121 #define DDS_SECURITY_ERR_CA_NOT_TRUSTED_MESSAGE "Identity CA is not trusted" -#define DDS_SECURITY_ERR_CERT_STARTDATE_INVALID_CODE 122 -#define DDS_SECURITY_ERR_CERT_STARTDATE_INVALID_MESSAGE "Certificate start date is in the future" +#define DDS_SECURITY_ERR_CERT_STARTDATE_IN_FUTURE_CODE 122 +#define DDS_SECURITY_ERR_CERT_STARTDATE_IN_FUTURE_MESSAGE "Certificate start date is in the future" #define DDS_SECURITY_ERR_CERT_EXPIRED_CODE 123 #define DDS_SECURITY_ERR_CERT_EXPIRED_MESSAGE "Certificate expired" #define DDS_SECURITY_ERR_INVALID_CRYPTO_RECEIVER_SIGN_CODE 124 -#define DDS_SECURITY_ERR_CERT_AUTHENTICATION_ALGO_KIND_UNKNOWN_CODE 125 -#define DDS_SECURITY_ERR_CERT_AUTHENTICATION_ALGO_KIND_UNKNOWN_MESSAGE "Certificate authentication algorithm unknown" +#define DDS_SECURITY_ERR_CERT_AUTH_ALGO_KIND_UNKNOWN_CODE 125 +#define DDS_SECURITY_ERR_CERT_AUTH_ALGO_KIND_UNKNOWN_MESSAGE "Certificate authentication algorithm unknown" #define DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE 126 #define DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE "Failed to allocate internal structure" #define DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE 127 diff --git a/src/security/api/include/dds/security/dds_security_api_types.h b/src/security/api/include/dds/security/dds_security_api_types.h index 4e669b4..2957251 100644 --- a/src/security/api/include/dds/security/dds_security_api_types.h +++ b/src/security/api/include/dds/security/dds_security_api_types.h @@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at 
@@ -20,8 +20,6 @@ extern "C" { #endif - - /************************************************************************** * * * Primitive types. * diff --git a/src/security/builtin_plugins/CMakeLists.txt b/src/security/builtin_plugins/CMakeLists.txt new file mode 100644 index 0000000..69e5aed --- /dev/null +++ b/src/security/builtin_plugins/CMakeLists.txt @@ -0,0 +1,19 @@ +# +# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License v. 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License +# v. 1.0 which is available at +# http://www.eclipse.org/org/documents/edl-v10.php. +# +# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause +# +cmake_minimum_required(VERSION 3.7) + +add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/authentication") + +# TODO: improve test inclusion. +if((BUILD_TESTING) AND ((NOT DEFINED MSVC_VERSION) OR (MSVC_VERSION GREATER "1800"))) + add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/tests") +endif() \ No newline at end of file diff --git a/src/security/builtin_plugins/authentication/CMakeLists.txt b/src/security/builtin_plugins/authentication/CMakeLists.txt new file mode 100644 index 0000000..f5f46a4 --- /dev/null +++ b/src/security/builtin_plugins/authentication/CMakeLists.txt 
@@ -0,0 +1,65 @@
+#
+# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v. 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+# v. 1.0 which is available at
+# http://www.eclipse.org/org/documents/edl-v10.php.
+#
+# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+#
+include (GenerateExportHeader)
+
+PREPEND(srcs_authentication "${CMAKE_CURRENT_LIST_DIR}/src"
+ authentication.c
+ auth_utils.c
+)
+
+PREPEND(hdrs_private_authentication "${CMAKE_CURRENT_LIST_DIR}/src"
+ auth_defs.h
+ authentication.h
+ auth_utils.h
+ dds_security_core_if.h
+)
+
+add_library(dds_security_auth SHARED "")
+
+generate_export_header(
+ dds_security_auth
+ BASE_NAME SECURITY
+ EXPORT_FILE_NAME "${CMAKE_CURRENT_BINARY_DIR}/include/dds/security/export.h"
+)
+
+
+
+find_package(OpenSSL )
+
+add_definitions(-DDDSI_INCLUDE_SSL)
+
+target_link_libraries(dds_security_auth PUBLIC ddsc)
+target_link_libraries(dds_security_auth PUBLIC OpenSSL::SSL)
+
+target_sources(dds_security_auth
+ PRIVATE
+ ${srcs_authentication}
+
+)
+
+target_include_directories(dds_security_auth
+ PUBLIC
+ "$>"
+ "$>"
+ "$>"
+ "$"
+)
+
+install(
+ TARGETS
+ EXPORT "${CMAKE_PROJECT_NAME}"
+ RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT lib
+ LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+ ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+)
+
+
diff --git a/src/security/builtin_plugins/authentication/src/auth_utils.c b/src/security/builtin_plugins/authentication/src/auth_utils.c
new file mode 100644
index 0000000..57d5a3a
--- /dev/null
+++ b/src/security/builtin_plugins/authentication/src/auth_utils.c
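Review bot: In src/security/builtin_plugins/authentication/CMakeLists.txt, `find_package(OpenSSL )` is neither `REQUIRED` nor version-constrained, yet the following lines link `OpenSSL::SSL` unconditionally and auth_utils.c in this same commit hits `#error "OpenSSL version is not supported"` below 0x1000200f. Writing `find_package(OpenSSL 1.0.2 REQUIRED)` makes a missing or too-old crypto library fail at configure time with a clear message. `add_definitions(-DDDSI_INCLUDE_SSL)` applies the define to the whole directory scope; `target_compile_definitions(dds_security_auth PRIVATE DDSI_INCLUDE_SSL)` keeps it on the plugin. As shown here, `install(TARGETS` is followed directly by `EXPORT` with no target name, so `dds_security_auth` appears to be missing from the install rule; worth confirming against the original file.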
@@ -0,0 +1,1379 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#if OPENSSL_VERSION_NUMBER >= 0x1000200fL +#define AUTH_INCLUDE_EC +#include +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#define AUTH_INCLUDE_DH_ACCESSORS +#endif +#else +#error "OpenSSL version is not supported" +#endif +#include +#include "dds/ddsrt/time.h" +#include "dds/ddsrt/heap.h" +#include "dds/security/dds_security_api_defs.h" +#include "dds/security/core/dds_security_utils.h" +#include + + +/* There is a problem when compiling on windows w.r.t. X509_NAME. + * The windows api already defines the type X509_NAME which + * conficts with some openssl versions. 
The workaround is to + * undef the openssl X509_NAME + */ +#ifdef _WIN32 +#undef X509_NAME +#endif + +#include "dds/ddsrt/heap.h" +#include "dds/ddsrt/atomics.h" +#include "dds/ddsrt/string.h" +#include "dds/security/core/dds_security_utils.h" +#include +#include "auth_utils.h" + + +#define MAX_TRUSTED_CA 100 + +char * +get_openssl_error_message( + void) +{ + BIO *bio = BIO_new(BIO_s_mem()); + char *msg; + char *buf = NULL; + size_t len; /*BIO_get_mem_data requires long int */ + + if (bio) { + ERR_print_errors(bio); + len = (size_t)BIO_get_mem_data (bio, &buf); + msg = ddsrt_malloc(len + 1); + memcpy(msg, buf, len); + msg[len] = '\0'; + BIO_free(bio); + } else { + msg = ddsrt_strdup("BIO_new failed"); + } + + return msg; +} + +char * +get_certificate_subject_name( + const X509 *cert, + DDS_Security_SecurityException *ex) +{ + X509_NAME *name; + char *subject = NULL; + char *subject_openssl = NULL; + + assert(cert); + + name = X509_get_subject_name(cert); + if (!name) { + goto err_get_subject; + } + + subject_openssl = X509_NAME_oneline( name, NULL, 0 ); + subject = ddsrt_strdup( subject_openssl ); + OPENSSL_free( subject_openssl ); + + return subject; + +err_get_subject: + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "X509_get_subject_name failed : "); + return NULL; +} + +dds_time_t +get_certificate_expiry( + const X509 *cert) +{ + dds_time_t expiry = DDS_TIME_INVALID; + ASN1_TIME *asn1; + + assert(cert); + + asn1 = X509_get_notAfter(cert); + if (asn1 != NULL) { + int days; + int seconds; + if (ASN1_TIME_diff(&days, &seconds, NULL, asn1) == 1 ) { + static const dds_duration_t secs_in_day = 86400; + const dds_time_t now = dds_time(); + const int64_t max_valid_days_to_wait = (INT64_MAX - now) / DDS_NSECS_IN_SEC / secs_in_day; + + if ( days < max_valid_days_to_wait ){ + dds_duration_t delta = ((dds_duration_t)seconds + ((dds_duration_t)days * secs_in_day)) * 
DDS_NSECS_IN_SEC; + expiry = now + delta; + } else { + return DDS_NEVER; + } + } + } + + return expiry; +} + +DDS_Security_ValidationResult_t +get_subject_name_DER_encoded( + const X509 *cert, + unsigned char **buffer, + size_t *size, + DDS_Security_SecurityException *ex) +{ + unsigned char *tmp = NULL; + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_FAILED; + int32_t sz; + X509_NAME *name; + + assert(cert); + assert(buffer); + assert(size); + + *size = 0; + + name = X509_get_subject_name((X509 *)cert); + if (name) { + sz = i2d_X509_NAME(name, &tmp); + if (sz > 0) { + *size = (size_t)sz; + *buffer = ddsrt_malloc(*size); + memcpy(*buffer, tmp, *size); + OPENSSL_free(tmp); + result = DDS_SECURITY_VALIDATION_OK; + } else if (sz < 0) { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "i2d_X509_NAME failed : "); + } + } else { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "X509_get_subject_name failed : "); + } + + return result; +} + + +static DDS_Security_ValidationResult_t +check_key_type_and_size( + EVP_PKEY *key, + int isPrivate, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + const char *sub = isPrivate ? 
"private key" : "certificate"; + + assert(key); + + switch (EVP_PKEY_id(key)) { + case EVP_PKEY_RSA: + if (EVP_PKEY_bits(key) != 2048) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "RSA %s has unsupported key size (%d)", sub, EVP_PKEY_bits(key)); + } else if (isPrivate) { + RSA *rsaKey = EVP_PKEY_get1_RSA(key); + if (rsaKey) { + if (RSA_check_key(rsaKey) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "RSA key not correct : "); + } + } + RSA_free(rsaKey); + } + break; + case EVP_PKEY_EC: + if (EVP_PKEY_bits(key) != 256) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "EC %s has unsupported key size (%d)", sub, EVP_PKEY_bits(key)); + } else { + EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(key); + if (ecKey) { + if (EC_KEY_check_key(ecKey) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "EC key not correct : "); + } + } + EC_KEY_free(ecKey); + } + break; + default: + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "%s has not supported type", sub); + break; + } + + return result; +} + +static DDS_Security_ValidationResult_t +check_certificate_type_and_size( + X509 *cert, + DDS_Security_SecurityException *ex) +{ + EVP_PKEY *pkey; + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + + assert(cert); + + pkey = X509_get_pubkey(cert); + if (pkey) { + result = check_key_type_and_size(pkey, false, ex); + } else { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, 
DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_get_pubkey failed"); + } + EVP_PKEY_free(pkey); + + return result; +} + +DDS_Security_ValidationResult_t +check_certificate_expiry( + const X509 *cert, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + + assert(cert); + + if( X509_cmp_current_time(X509_get_notBefore( cert )) == 0 ){ + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERT_STARTDATE_IN_FUTURE_CODE, (int)result, DDS_SECURITY_ERR_CERT_STARTDATE_IN_FUTURE_MESSAGE); + + } + if( X509_cmp_current_time(X509_get_notAfter( cert )) == 0 ){ + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERT_EXPIRED_CODE, (int)result, DDS_SECURITY_ERR_CERT_EXPIRED_MESSAGE); + + } + + return result; +} + + +DDS_Security_ValidationResult_t +load_X509_certificate_from_data( + const char *data, + int len, + X509 **x509Cert, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + BIO *bio; + + assert(data); + assert(len >= 0); + assert(x509Cert); + + /* load certificate in buffer */ + bio = BIO_new_mem_buf((void *) data, len); + if (!bio) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "BIO_new_mem_buf failed"); + goto err_bio_alloc; + } + + *x509Cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); + if (!(*x509Cert)) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to parse certificate: "); + goto err_cert_read; + } + + /* check authentication algorithm */ + if( get_auhentication_algo_kind( *x509Cert ) == AUTH_ALGO_KIND_UNKNOWN ){ + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, 
DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERT_AUTH_ALGO_KIND_UNKNOWN_CODE, (int)result, + DDS_SECURITY_ERR_CERT_AUTH_ALGO_KIND_UNKNOWN_MESSAGE); + X509_free(*x509Cert); + goto err_cert_read; + } + +err_cert_read: + BIO_free(bio); +err_bio_alloc: + return result; +} + + + +DDS_Security_ValidationResult_t +load_X509_certificate_from_file( + const char *filename, + X509 **x509Cert, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + FILE *file_ptr; + + assert(filename); + assert(x509Cert); + + /*check the file*/ + DDSRT_WARNING_MSVC_OFF(4996); + file_ptr = fopen( filename, "r"); + DDSRT_WARNING_MSVC_ON(4996); + + if( file_ptr == NULL ){ + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE, (int)result, DDS_SECURITY_ERR_INVALID_FILE_PATH_MESSAGE, filename); + goto err_invalid_path; + } + + /*load certificate from file*/ + *x509Cert = PEM_read_X509(file_ptr,NULL,NULL,NULL); + if (!(*x509Cert)) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to parse certificate: "); + goto err_invalid_content; + } + + /* check authentication algorithm */ + if( get_auhentication_algo_kind( *x509Cert ) == AUTH_ALGO_KIND_UNKNOWN ){ + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERT_AUTH_ALGO_KIND_UNKNOWN_CODE, (int)result, + DDS_SECURITY_ERR_CERT_AUTH_ALGO_KIND_UNKNOWN_MESSAGE); + X509_free(*x509Cert); + goto err_invalid_content; + } + + +err_invalid_content: + (void)fclose( file_ptr ); +err_invalid_path: + + return result; +} + +static DDS_Security_ValidationResult_t +load_private_key_from_data( + const char *data, + const char *password, + EVP_PKEY **privateKey, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result 
= DDS_SECURITY_VALIDATION_OK; + BIO *bio; + const char *pw = (password ? password : ""); + + assert(data); + assert(privateKey); + + /* load certificate in buffer */ + bio = BIO_new_mem_buf((void *) data, -1); + if (!bio) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "BIO_new_mem_buf failed"); + goto err_bio_alloc; + } + + *privateKey = PEM_read_bio_PrivateKey(bio, NULL, NULL, (void *)pw); + if (!(*privateKey)) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to parse private key: "); + goto err_key_read; + } + +err_key_read: + BIO_free(bio); +err_bio_alloc: + return result; +} + + +static DDS_Security_ValidationResult_t +load_private_key_from_file( + const char *filepath, + const char *password, + EVP_PKEY **privateKey, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + const char *pw = (password ? 
password : ""); + FILE *file_ptr; + + assert(filepath); + assert(privateKey); + + /*check the file*/ + DDSRT_WARNING_MSVC_OFF(4996); + file_ptr = fopen( filepath, "r"); + DDSRT_WARNING_MSVC_ON(4996); + + if( file_ptr == NULL ){ + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE, (int)result, DDS_SECURITY_ERR_INVALID_FILE_PATH_MESSAGE, filepath); + goto err_invalid_path; + } + + /*load private key from file*/ + *privateKey = PEM_read_PrivateKey(file_ptr, NULL, NULL, (void *)pw); + if (!(*privateKey)) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to parse certificate: "); + goto err_invalid_content; + } + +err_invalid_content: + (void)fclose( file_ptr ); +err_invalid_path: + + return result; +} + + +/* + * Gets the URI string (as referred in DDS Security spec) and returns the URI type + * data: data part of the URI. Typically It contains different format according to URI type. 
+ */ +AuthConfItemPrefix_t +get_conf_item_type( + const char *str, + char **data) +{ + AuthConfItemPrefix_t kind = AUTH_CONF_ITEM_PREFIX_UNKNOWN; + const char *AUTH_CONF_FILE_PREFIX = "file:"; + const char *AUTH_CONF_DATA_PREFIX = "data:,"; + const char *AUTH_CONF_PKCS11_PREFIX = "pkcs11:"; + size_t AUTH_CONF_FILE_PREFIX_LEN = strlen(AUTH_CONF_FILE_PREFIX); + size_t AUTH_CONF_DATA_PREFIX_LEN = strlen(AUTH_CONF_DATA_PREFIX); + size_t AUTH_CONF_PKCS11_PREFIX_LEN = strlen(AUTH_CONF_PKCS11_PREFIX); + char *ptr; + + assert(str); + assert(data); + + ptr = ddssec_strchrs(str, " \t", false); + + if (strncmp(ptr, AUTH_CONF_FILE_PREFIX, AUTH_CONF_FILE_PREFIX_LEN) == 0) { + const char *DOUBLE_SLASH = "//"; + size_t DOUBLE_SLASH_LEN = 2; + if (strncmp(&(ptr[AUTH_CONF_FILE_PREFIX_LEN]), DOUBLE_SLASH, DOUBLE_SLASH_LEN) == 0) { + *data = ddsrt_strdup(&(ptr[AUTH_CONF_FILE_PREFIX_LEN + DOUBLE_SLASH_LEN])); + } else { + *data = ddsrt_strdup(&(ptr[AUTH_CONF_FILE_PREFIX_LEN])); + } + kind = AUTH_CONF_ITEM_PREFIX_FILE; + } else if (strncmp(ptr, AUTH_CONF_DATA_PREFIX, AUTH_CONF_DATA_PREFIX_LEN) == 0) { + kind = AUTH_CONF_ITEM_PREFIX_DATA; + *data = ddsrt_strdup(&(ptr[AUTH_CONF_DATA_PREFIX_LEN])); + } else if (strncmp(ptr, AUTH_CONF_PKCS11_PREFIX, AUTH_CONF_PKCS11_PREFIX_LEN) == 0) { + kind = AUTH_CONF_ITEM_PREFIX_PKCS11; + *data = ddsrt_strdup(&(ptr[AUTH_CONF_PKCS11_PREFIX_LEN])); + } + + return kind; +} + +DDS_Security_ValidationResult_t +load_X509_certificate( + const char *data, + X509 **x509Cert, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + char *contents = NULL; + + assert(data); + assert(x509Cert); + + switch (get_conf_item_type(data, &contents)) { + case AUTH_CONF_ITEM_PREFIX_FILE: + result = load_X509_certificate_from_file(contents, x509Cert, ex); + break; + case AUTH_CONF_ITEM_PREFIX_DATA: + result = load_X509_certificate_from_data(contents, (int)strlen(contents), x509Cert, ex); + break; + case 
AUTH_CONF_ITEM_PREFIX_PKCS11: + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Certificate pkcs11 format currently not supported:\n%s", data); + break; + default: + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Specified certificate has wrong format:\n%s", data); + break; + } + ddsrt_free(contents); + + if (result == DDS_SECURITY_VALIDATION_OK) { + if ( check_certificate_type_and_size(*x509Cert, ex) != DDS_SECURITY_VALIDATION_OK || + check_certificate_expiry(*x509Cert, ex) != DDS_SECURITY_VALIDATION_OK + ) { + result = DDS_SECURITY_VALIDATION_FAILED; + X509_free(*x509Cert); + } + } + return result; +} + +DDS_Security_ValidationResult_t +load_X509_private_key( + const char *data, + const char *password, + EVP_PKEY **privateKey, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + char *contents = NULL; + + assert(data); + assert(privateKey); + + switch (get_conf_item_type(data, &contents)) { + case AUTH_CONF_ITEM_PREFIX_FILE: + result = load_private_key_from_file(contents, password, privateKey, ex); + break; + case AUTH_CONF_ITEM_PREFIX_DATA: + result = load_private_key_from_data(contents, password, privateKey, ex); + break; + case AUTH_CONF_ITEM_PREFIX_PKCS11: + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "PrivateKey pkcs11 format currently not supported:\n%s", data); + break; + default: + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Specified PrivateKey has wrong format:\n%s", data); + break; + } + ddsrt_free(contents); + + if (result == DDS_SECURITY_VALIDATION_OK) { + if ((result = 
check_key_type_and_size(*privateKey, true, ex)) != DDS_SECURITY_VALIDATION_OK) { + EVP_PKEY_free(*privateKey); + } + } + + return result; +} + +DDS_Security_ValidationResult_t +verify_certificate( + X509 *identityCert, + X509 *identityCa, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + int r; + X509_STORE *store; + X509_STORE_CTX *ctx; + + + + assert(identityCert); + assert(identityCa); + + /* Currently only a self signed indentiyCa is supported */ + /* Verification of against a certificate chain is not yet supported */ + /* Verification of the certificate expiry using a CRL is not yet supported */ + + store = X509_STORE_new(); + + + if (!store) { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_STORE_new failed : "); + goto err_store_new; + } + + if (X509_STORE_add_cert(store, identityCa) != 1) { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_STORE_add_cert failed : "); + goto err_add_cert; + } + + ctx = X509_STORE_CTX_new(); + if (!ctx) { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_STORE_CTX_new failed : "); + goto err_ctx_new; + } + + if (X509_STORE_CTX_init(ctx, store, identityCert, NULL) != 1) { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_STORE_CTX_init failed : "); + goto err_ctx_init; + } + + r = X509_verify_cert(ctx); + if (r != 1) { + const char *msg = X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)); + char *subject = NULL; + + result = DDS_SECURITY_VALIDATION_FAILED; + subject = get_certificate_subject_name(identityCert, NULL); + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Certificate not 
valid: error: %s subject: %s", msg, subject ? subject : "not found"); + ddsrt_free(subject); + } + +err_ctx_init: + X509_STORE_CTX_free(ctx); +err_ctx_new: +err_add_cert: + X509_STORE_free(store); +err_store_new: + return result; +} + +AuthenticationAlgoKind_t +get_auhentication_algo_kind( + X509 *cert) +{ + AuthenticationAlgoKind_t kind = AUTH_ALGO_KIND_UNKNOWN; + EVP_PKEY *pkey; + + assert(cert); + + pkey = X509_get_pubkey(cert); + + if (pkey) { + switch (EVP_PKEY_id(pkey)) { + case EVP_PKEY_RSA: + if (EVP_PKEY_bits(pkey) == 2048) { + kind = AUTH_ALGO_KIND_RSA_2048; + } + break; + case EVP_PKEY_EC: + if (EVP_PKEY_bits(pkey) == 256) { + kind = AUTH_ALGO_KIND_EC_PRIME256V1; + } + break; + default: + break; + } + EVP_PKEY_free(pkey); + } + + return kind; +} + +AuthenticationChallenge * +generate_challenge( + DDS_Security_SecurityException *ex) +{ + AuthenticationChallenge *result; + + result = ddsrt_malloc(sizeof(*result)); + if (RAND_bytes(result->value, sizeof(result->value)) < 0 ) { + + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, + "Failed to generate a 256 bit random number "); + ddsrt_free(result); + result = NULL; + } + + return result; +} + +DDS_Security_ValidationResult_t +get_certificate_contents( + X509 *cert, + unsigned char **data, + uint32_t *size, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + BIO *bio = NULL; + size_t sz; + char *ptr; + + if ((bio = BIO_new(BIO_s_mem())) == NULL) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "BIO_new_mem_buf failed"); + } else if (!PEM_write_bio_X509(bio, cert)) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "PEM_write_bio_X509 failed: 
"); + } else { + sz = (size_t)BIO_get_mem_data(bio, &ptr); + *data = ddsrt_malloc(sz +1); + memcpy(*data, ptr, sz); + (*data)[sz] = '\0'; + *size = (uint32_t)sz; + } + + if (bio) BIO_free(bio); + + return result; +} + +static DDS_Security_ValidationResult_t +get_rsa_dh_parameters( + EVP_PKEY **params, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + DH *dh = NULL; + + *params = NULL; + + if ((*params = EVP_PKEY_new()) == NULL) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to allocate DH generation parameters: "); + } else if ((dh = DH_get_2048_256()) == NULL) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to allocate DH parameter using DH_get_2048_256: "); + } else if (EVP_PKEY_set1_DH(*params, dh) <= 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to set DH generation parameters using EVP_PKEY_set1_DH: "); + EVP_PKEY_free(*params); + } + + if (dh) DH_free(dh); + + return result; +} + +static DDS_Security_ValidationResult_t +get_ec_dh_parameters( + EVP_PKEY **params, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EVP_PKEY_CTX *pctx = NULL; + + if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to allocate DH parameter context: "); + } else if (EVP_PKEY_paramgen_init(pctx) <= 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, 
DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to initialize DH generation context: "); + } else if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1) <= 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to set DH generation parameter generation method: "); + } else if (EVP_PKEY_paramgen(pctx, params) <= 0) { + char *msg = get_openssl_error_message(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to generate DH parameters: "); + ddsrt_free(msg); + } + + if (pctx) EVP_PKEY_CTX_free(pctx); + + return result; +} + + +DDS_Security_ValidationResult_t +generate_dh_keys( + EVP_PKEY **dhkey, + AuthenticationAlgoKind_t authKind, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_FAILED; + EVP_PKEY *params = NULL; + EVP_PKEY_CTX *kctx = NULL; + + *dhkey = NULL; + + switch(authKind) { + case AUTH_ALGO_KIND_RSA_2048: + result = get_rsa_dh_parameters(¶ms, ex); + break; + case AUTH_ALGO_KIND_EC_PRIME256V1: + result = get_ec_dh_parameters(¶ms, ex); + break; + default: + assert(0); + break; + } + + if (result != DDS_SECURITY_VALIDATION_OK) { + return result; + } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to allocate DH generation context: "); + } else if (EVP_PKEY_keygen_init(kctx) <= 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to initialize DH generation context: "); + } else if 
(EVP_PKEY_keygen(kctx, dhkey) <= 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to generate DH key pair: "); + } + + if (kctx) EVP_PKEY_CTX_free(kctx); + if (params) EVP_PKEY_free(params); + + return result; +} + +static const BIGNUM * +dh_get_public_key( + DH *dhkey) +{ +#ifdef AUTH_INCLUDE_DH_ACCESSORS + const BIGNUM *pubkey, *privkey; + DH_get0_key(dhkey, &pubkey, &privkey); + return pubkey; +#else + return dhkey->pub_key; +#endif +} + +static int +dh_set_public_key( + DH *dhkey, + BIGNUM *pubkey) +{ +#ifdef AUTH_INCLUDE_DH_ACCESSORS + return DH_set0_key(dhkey, pubkey, NULL); +#else + dhkey->pub_key = pubkey; +#endif + return 1; +} + +static DDS_Security_ValidationResult_t +dh_public_key_to_oct_modp( + EVP_PKEY *pkey, + unsigned char **buffer, + uint32_t *length, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + DH *dhkey; + ASN1_INTEGER *asn1int; + + *buffer = NULL; + + dhkey = EVP_PKEY_get1_DH(pkey); + if (!dhkey) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to get DH key from PKEY: "); + goto fail_get_dhkey; + } + + asn1int = BN_to_ASN1_INTEGER(dh_get_public_key(dhkey), NULL); + if (!asn1int) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to convert DH key to ASN1 integer: "); + goto fail_get_asn1int; + } + + *length = (uint32_t) i2d_ASN1_INTEGER(asn1int, buffer); + + ASN1_INTEGER_free(asn1int); + +fail_get_asn1int: + DH_free(dhkey); +fail_get_dhkey: + return result; +} + +static DDS_Security_ValidationResult_t +dh_public_key_to_oct_ecdh( + EVP_PKEY *pkey, + unsigned char **buffer, + uint32_t *length, + 
DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EC_KEY *eckey; + const EC_GROUP *group; + const EC_POINT *point; + size_t sz; + + eckey = EVP_PKEY_get1_EC_KEY(pkey); + if (!eckey) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to get EC key from PKEY: "); + goto fail_get_eckey; + } + + point = EC_KEY_get0_public_key(eckey); + if (!point) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to get public key from ECKEY: "); + goto fail_get_point; + } + + group = EC_KEY_get0_group(eckey); + if (!group) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to get group from ECKEY: "); + goto fail_get_group; + } + + sz = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); + if (sz == 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to serialize public EC key: "); + goto fail_point2oct1; + } + + *buffer = ddsrt_malloc(sz); + + *length = (uint32_t)EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, *buffer, sz, NULL); + if (*length == 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to serialize public EC key: "); + goto fail_point2oct2; + } + + EC_KEY_free(eckey); + + return result; + +fail_point2oct2: + ddsrt_free(*buffer); +fail_point2oct1: +fail_get_group: +fail_get_point: +fail_get_eckey: + EC_KEY_free(eckey); + return result; +} + 
+DDS_Security_ValidationResult_t +dh_public_key_to_oct( + EVP_PKEY *pkey, + AuthenticationAlgoKind_t algo, + unsigned char **buffer, + uint32_t *length, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + + assert(pkey); + assert(buffer); + assert(length); + + switch (algo) { + case AUTH_ALGO_KIND_RSA_2048: + result = dh_public_key_to_oct_modp(pkey, buffer, length, ex); + break; + case AUTH_ALGO_KIND_EC_PRIME256V1: + result = dh_public_key_to_oct_ecdh(pkey, buffer, length, ex); + break; + default: + assert(0); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Invalid key algorithm specified"); + break; + } + + return result; +} + +static DDS_Security_ValidationResult_t +dh_oct_to_public_key_modp( + EVP_PKEY **pkey, + const unsigned char *keystr, + uint32_t size, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + DH *dhkey; + ASN1_INTEGER *asn1int; + BIGNUM *pubkey; + + *pkey = EVP_PKEY_new(); + if (!(*pkey)) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to convert octet sequence to ASN1 integer: "); + goto fail_alloc_pkey; + } + + asn1int = d2i_ASN1_INTEGER(NULL, (const unsigned char **)&keystr, size); + if (!asn1int) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to convert octet sequence to ASN1 integer: "); + goto fail_get_asn1int; + } + + pubkey = ASN1_INTEGER_to_BN(asn1int, NULL); + if (!pubkey) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to convert ASN1 
integer to BIGNUM: ");
+ goto fail_get_pubkey;
+ }
+
+ dhkey = DH_get_2048_256();
+
+ if (dh_set_public_key(dhkey, pubkey) == 0) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to set DH public key: ");
+ } else if (EVP_PKEY_set1_DH(*pkey, dhkey) == 0) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to convert DH to PKEY: ");
+ }
+
+ ASN1_INTEGER_free(asn1int);
+ DH_free(dhkey);
+
+ return result;
+
+fail_get_pubkey:
+ ASN1_INTEGER_free(asn1int);
+fail_get_asn1int:
+ EVP_PKEY_free(*pkey);
+fail_alloc_pkey:
+ return result;
+}
+
+static DDS_Security_ValidationResult_t
+dh_oct_to_public_key_ecdh(
+ EVP_PKEY **pkey,
+ const unsigned char *keystr,
+ uint32_t size,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ EC_KEY *eckey;
+ EC_GROUP *group;
+ EC_POINT *point;
+
+ group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
+ if (!group) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to allocate EC group: ");
+ goto fail_alloc_group;
+ }
+
+ point = EC_POINT_new(group);
+ if (!point) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to allocate EC point: ");
+ goto fail_alloc_point;
+ }
+
+
+ if (EC_POINT_oct2point(group, point, keystr, size, NULL) != 1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to deserialize EC public key to EC point: ");
+ goto fail_oct2point;
+ }
+
+
eckey = EC_KEY_new();
+ if (!eckey) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to allocate EC KEY: ");
+ goto fail_alloc_eckey;
+ }
+
+ if (EC_KEY_set_group(eckey, group) != 1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to convert octet sequence to ASN1 integer: ");
+ goto fail_eckey_set_group;
+ }
+
+ if (EC_KEY_set_public_key(eckey, point) != 1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to set EC public key: ");
+ goto fail_eckey_set_pubkey;
+ }
+
+ *pkey = EVP_PKEY_new();
+ if (!(*pkey)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to allocate EVP key: ");
+ goto fail_alloc_pkey;
+ }
+
+ if (EVP_PKEY_set1_EC_KEY(*pkey, eckey) != 1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to set EVP key to EC public key: ");
+ goto fail_pkey_set_eckey;
+ }
+
+ EC_KEY_free(eckey);
+ EC_POINT_free(point);
+ EC_GROUP_free(group);
+
+ return result;
+
+fail_pkey_set_eckey:
+ EVP_PKEY_free(*pkey);
+fail_alloc_pkey:
+fail_eckey_set_pubkey:
+fail_eckey_set_group:
+ EC_KEY_free(eckey);
+fail_alloc_eckey:
+fail_oct2point:
+ EC_POINT_free(point);
+fail_alloc_point:
+ EC_GROUP_free(group);
+fail_alloc_group:
+ return result;
+}
+
+DDS_Security_ValidationResult_t
+dh_oct_to_public_key(
+ EVP_PKEY **data,
+ AuthenticationAlgoKind_t algo,
+ const unsigned char *str,
+ uint32_t size,
+ DDS_Security_SecurityException *ex)
+{
+
DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+
+ assert(data);
+ assert(str);
+
+ switch (algo) {
+ case AUTH_ALGO_KIND_RSA_2048:
+ result = dh_oct_to_public_key_modp(data, str, size, ex);
+ break;
+ case AUTH_ALGO_KIND_EC_PRIME256V1:
+ result = dh_oct_to_public_key_ecdh(data, str, size, ex);
+ break;
+ default:
+ assert(0);
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Invalid key algorithm specified");
+ break;
+ }
+
+ return result;
+}
+
+/*
+ * Allocates and return a NULL terminated string from given char array with the given size.
+ */
+char *
+string_from_data(
+ const unsigned char *data,
+ uint32_t size)
+{
+ char *str = NULL;
+
+ if (size > 0 && data) {
+ str = ddsrt_malloc(size+1);
+ memcpy(str, data, size);
+ str[size] = '\0';
+ }
+
+ return str;
+}
+
+void
+free_ca_list_contents( X509Seq *ca_list)
+{
+ unsigned i;
+ if( ca_list->buffer != NULL && ca_list->length > 0){
+ for (i = 0; i < ca_list->length; ++i) {
+ X509_free(ca_list->buffer[i]);
+ }
+ ddsrt_free ( ca_list->buffer );
+ }
+ ca_list->buffer = NULL;
+ ca_list->length = 0;
+}
+
+DDS_Security_ValidationResult_t
+get_trusted_ca_list ( const char* trusted_ca_dir,
+ X509Seq *ca_list,
+ DDS_Security_SecurityException *ex){
+
+
+ DDS_Security_ValidationResult_t loading_result = DDS_RETCODE_OK;
+ DDSRT_UNUSED_ARG( ca_list );
+ DDSRT_UNUSED_ARG( trusted_ca_dir );
+ DDSRT_UNUSED_ARG( ex );
+/* TODO: Trusted CA directory tracing function should be ported */
+/* TODO: MAX_TRUSTED_CA limitation will be removed */
+#ifdef TRUSTED_CA_LIST_IMPLEMENTED
+
+ os_result r;
+ os_dirHandle d_descr;
+ struct os_dirent d_entry;
+ struct os_stat_s status;
+ char *full_file_path;
+ char *trusted_ca_dir_normalized;
+
+ X509 *ca_buffer_array[MAX_TRUSTED_CA]; /*max trusted CA size */
+ unsigned ca_buffer_array_size=0;
+ unsigned i;
+ trusted_ca_dir_normalized = os_fileNormalize(trusted_ca_dir);
+
+ r
= os_opendir(trusted_ca_dir_normalized, &d_descr);
+ ddsrt_free ( trusted_ca_dir_normalized );
+
+ if (r == os_resultSuccess && ca_buffer_array_size < MAX_TRUSTED_CA) { /* accessable */
+ r = os_readdir(d_descr, &d_entry);
+ while (r == os_resultSuccess) {
+ full_file_path = (char*) ddsrt_malloc(strlen(trusted_ca_dir) + strlen(os_fileSep()) + strlen(d_entry.d_name) + strlen(os_fileSep()) + 1 );
+ ddsrt_strcpy(full_file_path, trusted_ca_dir);
+ ddsrt_strcat(full_file_path, os_fileSep());
+ ddsrt_strcat(full_file_path, d_entry.d_name);
+
+ if (os_stat (full_file_path, &status) == os_resultSuccess) { /* accessable */
+ if ((strcmp(d_entry.d_name, ".") != 0) &&
+ (strcmp(d_entry.d_name, "..") != 0)) {
+ char * filename = os_fileNormalize(full_file_path);
+
+ if(filename){
+ X509 *identityCA;
+ loading_result = load_X509_certificate_from_file( filename, &identityCA, ex);
+
+ ddsrt_free(filename);
+
+ if( loading_result == DDS_SECURITY_VALIDATION_OK ){
+ ca_buffer_array[ca_buffer_array_size] = identityCA;
+ ca_buffer_array_size++;
+
+ }
+ }
+ }
+ }
+ r = os_readdir(d_descr, &d_entry);
+
+ ddsrt_free(full_file_path);
+ }
+
+ os_closedir (d_descr);
+
+ /* deallocate given ca_list if it is not NULL */
+ free_ca_list_contents(ca_list);
+
+ /*copy CAs to out parameter as HASH*/
+ if( ca_buffer_array_size > 0 ){
+ ca_list->_buffer = ddsrt_malloc( ca_buffer_array_size * sizeof(X509 * ) );
+ for (i = 0; i < ca_buffer_array_size; ++i) {
+ ca_list->_buffer[i] = ca_buffer_array[i];
+
+ }
+
+ }
+ ca_list->_length = ca_buffer_array_size;
+
+ return DDS_SECURITY_VALIDATION_OK;
+
+ }
+ else{
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_TRUSTED_CA_DIR_CODE, 0, DDS_SECURITY_ERR_INVALID_TRUSTED_CA_DIR_MESSAGE);
+ return DDS_SECURITY_VALIDATION_FAILED;
+ }
+#endif
+
+ return loading_result;
+}
+
+DDS_Security_ValidationResult_t
+create_asymmetrical_signature(
+ EVP_PKEY *pkey,
+ const unsigned char *data,
+ const size_t dataLen,
+ unsigned char
**signature,
+ size_t *signatureLen,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ EVP_MD_CTX *mdctx = NULL;
+ EVP_PKEY_CTX *kctx = NULL;
+
+ if (!(mdctx = EVP_MD_CTX_create())) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to create signing context: ");
+ goto err_create_ctx;
+ }
+
+ if (EVP_DigestSignInit(mdctx, &kctx, EVP_sha256(), NULL, pkey) != 1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize signing context: ");
+ goto err_sign;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(kctx, RSA_PKCS1_PSS_PADDING) < 1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize signing context: ");
+ goto err_sign;
+ }
+
+ if (EVP_DigestSignUpdate(mdctx, data, dataLen) != 1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to update signing context: ");
+ goto err_sign;
+ }
+
+ if (EVP_DigestSignFinal(mdctx, NULL, signatureLen) != 1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to finalize signing context: ");
+ goto err_sign;
+ }
+
+ *signature = ddsrt_malloc(sizeof(unsigned char) * (*signatureLen));
+ assert(*signature != NULL);
+ if (EVP_DigestSignFinal(mdctx, *signature, signatureLen) != 1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
"Failed to finalize signing context: ");
+ ddsrt_free(*signature);
+ }
+
+err_sign:
+ EVP_MD_CTX_destroy(mdctx);
+err_create_ctx:
+ return result;
+}
+
+DDS_Security_ValidationResult_t
+validate_asymmetrical_signature(
+ EVP_PKEY *pkey,
+ const unsigned char *data,
+ const size_t dataLen,
+ const unsigned char *signature,
+ const size_t signatureLen,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ EVP_MD_CTX *mdctx = NULL;
+ EVP_PKEY_CTX *kctx = NULL;
+
+ if (!(mdctx = EVP_MD_CTX_create())) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to create verify context: ");
+ goto err_create_ctx;
+ }
+
+ if (EVP_DigestVerifyInit(mdctx, &kctx, EVP_sha256(), NULL, pkey) != 1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize verify context: ");
+ goto err_verify;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(kctx, RSA_PKCS1_PSS_PADDING) < 1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize signing context: ");
+ goto err_verify;
+ }
+
+ if (EVP_DigestVerifyUpdate(mdctx, data, dataLen) != 1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to update verify context: ");
+ goto err_verify;
+ }
+
+ if (EVP_DigestVerifyFinal(mdctx, signature, signatureLen) != 1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to finalize verify context: ");
+ goto err_verify;
+ }
+
+err_verify:
+ EVP_MD_CTX_destroy(mdctx);
+err_create_ctx:
+ return result;
+}
diff --git a/src/security/builtin_plugins/authentication/src/auth_utils.h b/src/security/builtin_plugins/authentication/src/auth_utils.h
new file mode 100644
index 0000000..f9db31d
--- /dev/null
+++ b/src/security/builtin_plugins/authentication/src/auth_utils.h
@@ -0,0 +1,238 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#ifndef AUTH_UTILS_H
+#define AUTH_UTILS_H
+
+#include "dds/security/dds_security_api.h"
+#include "dds/ddsrt/time.h"
+
+#define DDS_AUTH_PLUGIN_CONTEXT "Authentication"
+
+typedef enum {
+ AUTH_ALGO_KIND_UNKNOWN,
+ AUTH_ALGO_KIND_RSA_2048,
+ AUTH_ALGO_KIND_EC_PRIME256V1
+} AuthenticationAlgoKind_t;
+
+typedef enum {
+ AUTH_CONF_ITEM_PREFIX_UNKNOWN,
+ AUTH_CONF_ITEM_PREFIX_FILE,
+ AUTH_CONF_ITEM_PREFIX_DATA,
+ AUTH_CONF_ITEM_PREFIX_PKCS11
+} AuthConfItemPrefix_t;
+
+
+typedef struct AuthenticationChallenge {
+ unsigned char value[DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE];
+} AuthenticationChallenge;
+
+typedef struct {
+ uint32_t length;
+ X509 **buffer;
+} X509Seq;
+
+typedef unsigned char HashValue_t[SHA256_DIGEST_LENGTH];
+/*typedef struct HashValue {
+ unsigned char value[SHA256_DIGEST_LENGTH];
+} HashValue_t;
+*/
+
+/* Return a string that contains an openssl error description
+ * When a openssl function returns an error this function can be
+ * used to retrieve a descriptive error string.
+ * Note that the returned string should be freed.
+ */
+char *
+get_openssl_error_message(
+ void);
+
+/* Return the subject name of contained in a X509 certificate
+ * Note that the returned string should be freed.
+ */
+char*
+get_certificate_subject_name(
+ const X509 *cert,
+ DDS_Security_SecurityException *ex);
+
+/* Return the expiry date of contained in a X509 certificate
+ *
+ */
+dds_time_t
+get_certificate_expiry(
+ const X509 *cert);
+
+/* Return the subject name of a X509 certificate DER
+ * encoded.
The DER encoded subject name is returned in
+ * the provided buffer. The length of the allocated
+ * buffer is returned
+ *
+ * return length of allocated buffer or -1 on error
+ */
+DDS_Security_ValidationResult_t
+get_subject_name_DER_encoded(
+ const X509 *cert,
+ unsigned char **buffer,
+ size_t *size,
+ DDS_Security_SecurityException *ex);
+
+
+/* Load a X509 certificate for the provided data.
+ *
+ * data : certificate in PEM format
+ * x509Cert : the openssl X509 return value
+ */
+DDS_Security_ValidationResult_t
+load_X509_certificate_from_data(
+ const char *data,
+ int len,
+ X509 **x509Cert,
+ DDS_Security_SecurityException *ex);
+
+
+/* Load a X509 certificate for the provided data.
+ *
+ * data : URI of the certificate. URI format is defined in DDS Security spec 9.3.1
+
+ * x509Cert : the openssl X509 return value
+ */
+DDS_Security_ValidationResult_t
+load_X509_certificate(
+ const char *data,
+ X509 **x509Cert,
+ DDS_Security_SecurityException *ex);
+
+
+/* Load a X509 certificate for the provided file.
+ *
+ * filename : path of the file that contains PEM formatted certificate
+ * x509Cert : the openssl X509 return value
+ */
+DDS_Security_ValidationResult_t
+load_X509_certificate_from_file(
+ const char *filename,
+ X509 **x509Cert,
+ DDS_Security_SecurityException *ex);
+
+/* Load a Private Key for the provided data.
+ *
+ * data : URI of the private key. URI format is defined in DDS Security spec 9.3.1
+ * privateKey : the openssl EVP_PKEY return value
+ */
+DDS_Security_ValidationResult_t
+load_X509_private_key(
+ const char *data,
+ const char *password,
+ EVP_PKEY **privateKey,
+ DDS_Security_SecurityException *ex);
+
+
+/* Validate an identity certificate against the identityCA
+ * The provided identity certificate is checked if it is
+ * signed by the identity corresponding to the identityCA.
+ *
+ * Note: Currently only a self signed CA is supported
+ * The function does not yet check a CLR or ocsp
+ * for expiry of identity certificate.
+ */
+DDS_Security_ValidationResult_t
+verify_certificate(
+ X509 *identityCert,
+ X509 *identityCa,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+check_certificate_expiry(
+ const X509 *cert,
+ DDS_Security_SecurityException *ex);
+
+AuthenticationAlgoKind_t
+get_auhentication_algo_kind(
+ X509 *cert);
+
+AuthenticationChallenge *
+generate_challenge(
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+get_certificate_contents(
+ X509 *cert,
+ unsigned char **data,
+ uint32_t *size,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+generate_dh_keys(
+ EVP_PKEY **dhkey,
+ AuthenticationAlgoKind_t authKind,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+dh_public_key_to_oct(
+ EVP_PKEY *pkey,
+ AuthenticationAlgoKind_t algo,
+ unsigned char **buffer,
+ uint32_t *length,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+dh_oct_to_public_key(
+ EVP_PKEY **data,
+ AuthenticationAlgoKind_t algo,
+ const unsigned char *str,
+ uint32_t size,
+ DDS_Security_SecurityException *ex);
+
+
+AuthConfItemPrefix_t
+get_conf_item_type(
+ const char *str,
+ char **data);
+
+/*
+ * Frees the contents of theCA list.
+ */
+void
+free_ca_list_contents(
+ X509Seq *ca_list);
+
+DDS_Security_ValidationResult_t
+get_trusted_ca_list (
+ const char* trusted_ca_dir,
+ X509Seq *ca_list,
+ DDS_Security_SecurityException *ex);
+
+char *
+string_from_data(
+ const unsigned char *data,
+ uint32_t size);
+
+
+DDS_Security_ValidationResult_t
+create_asymmetrical_signature(
+ EVP_PKEY *pkey,
+ const unsigned char *data,
+ const size_t dataLen,
+ unsigned char **signature,
+ size_t *signatureLen,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+validate_asymmetrical_signature(
+ EVP_PKEY *pkey,
+ const unsigned char *data,
+ const size_t dataLen,
+ const unsigned char *signature,
+ const size_t signatureLen,
+ DDS_Security_SecurityException *ex);
+
+#endif /* AUTH_UTILS_H */
diff --git a/src/security/builtin_plugins/authentication/src/authentication.c b/src/security/builtin_plugins/authentication/src/authentication.c
new file mode 100644
index 0000000..eb4117f
--- /dev/null
+++ b/src/security/builtin_plugins/authentication/src/authentication.c
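Review bot: The comment above `get_subject_name_DER_encoded` in auth_utils.h ends with "return length of allocated buffer or -1 on error", but the prototype returns `DDS_Security_ValidationResult_t` and hands the length back through `size`, so a caller written against the comment would test for -1 and never notice a failure. I would replace that last comment line with `* Returns a DDS_Security_ValidationResult_t; on success *buffer is allocated and *size receives its length.` and state who frees the buffer (presumably the caller, as for the string-returning helpers above it). In the same header the note on `verify_certificate` should read "CRL" rather than "CLR", and since it records that revocation is not checked, it is worth adding that a revoked identity certificate is therefore accepted until it expires. The exported name `get_auhentication_algo_kind` is misspelled and is cheapest to correct before callers depend on it.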
@@ -0,0 +1,3513 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "authentication.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/security/dds_security_api.h"
+
+
+#if OPENSLL_VERSION_NUMBER >= 0x10002000L
+#define AUTH_INCLUDE_EC
+#include
+#endif
+#include
+
+/* There is a problem when compiling on windows w.r.t. X509_NAME.
+ * The windows api already defines the type X509_NAME which
+ * conficts with some openssl versions. The workaround is to
+ * undef the openssl X509_NAME
+ */
+#ifdef _WIN32
+#undef X509_NAME
+#endif
+
+#include "dds/security/dds_security_api.h"
+#include "dds/security/dds_security_api_types.h"
+#include "dds/ddsrt/atomics.h"
+#include "stdbool.h"
+#include
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/sync.h"
+#include "dds/ddsrt/hopscotch.h"
+
+#include "dds/security/core/shared_secret.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "dds/security/core/dds_security_serialize.h"
+#include "auth_utils.h"
+#include
+
+#ifndef EVP_PKEY_id
+#define EVP_PKEY_id(k) ((k)->type)
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+#define REMOVE_THREAD_STATE() ERR_remove_thread_state(NULL);
+#elif OPENSSL_VERSION_NUMBER < 0x10000000L
+#define REMOVE_THREAD_STATE() ERR_remove_state(0);
+#else
+#define REMOVE_THREAD_STATE()
+#endif
+
+
+#define HANDSHAKE_SIGNATURE_CONTENT_SIZE 6
+
+static const char * AUTH_PROTOCOL_CLASS = "DDS:Auth:PKI-DH";
+static const unsigned AUTH_PROTOCOL_VERSION_MAJOR = 1;
+static
const unsigned AUTH_PROTOCOL_VERSION_MINOR = 0;
+
+static const char * AUTH_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+AuthReq";
+static const char * AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME = "future_challenge";
+
+static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char * PROPERTY_PASSWORD = "dds.sec.auth.password";
+static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char * PROPERTY_TRUSTED_CA_DIR = "dds.sec.auth.trusted_ca_dir";
+
+static const char * PROPERTY_CERT_SUBJECT_NAME = "dds.cert.sn";
+static const char * PROPERTY_CERT_ALGORITHM = "dds.cert.algo";
+static const char * PROPERTY_CA_SUBJECT_NAME = "dds.ca.sn";
+static const char * PROPERTY_CA_ALGORITHM = "dds.ca.aglo";
+
+static const char * AUTH_HANDSHAKE_REQUEST_TOKEN_ID = "DDS:Auth:PKI-DH:1.0+Req";
+static const char * AUTH_HANDSHAKE_REPLY_TOKEN_ID = "DDS:Auth:PKI-DH:1.0+Reply";
+
+static const char * AUTH_HANDSHAKE_FINAL_TOKEN_ID = "DDS:Auth:PKI-DH:1.0+Final";
+
+static const char * AUTH_DSIG_ALGO_RSA_2048_SHA256_IDENT = "RSASSA-PSS-SHA256";
+static const char * AUTH_DSIG_ALGO_ECDSA_SHA256_IDENT = "ECDSA-SHA256";
+static const char * AUTH_KAGREE_ALGO_RSA_2048_SHA256_IDENT = "DH+MODP-2048-256";
+static const char * AUTH_KAGREE_ALGO_ECDH_PRIME256V1_IDENT = "ECDH+prime256v1-CEUM";
+
+
+static const char * ACCESS_PERMISSIONS_CREDENTIAL_TOKEN_ID = "DDS:Access:PermissionsCredential";
+static const char * ACCESS_PROPERTY_PERMISSION_DOCUMENT = "dds.perm.cert";
+
+
+/**
+ * Implementation structure for storing encapsulated members of the instance
+ * while giving only the interface definition to user
+ */
+
+typedef enum {
+ SECURITY_OBJECT_KIND_UNKNOWN,
+ SECURITY_OBJECT_KIND_LOCAL_IDENTITY,
+ SECURITY_OBJECT_KIND_REMOTE_IDENTITY,
+ SECURITY_OBJECT_KIND_IDENTITY_RELATION,
+ SECURITY_OBJECT_KIND_HANDSHAKE
+} SecurityObjectKind_t;
+
+typedef enum {
+ CREATEDREQUEST,
+ CREATEDREPLY
+
+} CreatedHandshakeStep_t;
+
+typedef struct SecurityObject SecurityObject;
+
+typedef void (*SecurityObjectDestructor)(SecurityObject *obj);
+
+struct SecurityObject {
+ int64_t handle;
+ SecurityObjectKind_t kind;
+ SecurityObjectDestructor destructor;
+};
+
+
+#ifndef NDEBUG
+#define CHECK_OBJECT_KIND(o,k) assert(security_object_valid((SecurityObject *)(o), k))
+#else
+#define CHECK_OBJECT_KIND(o,k)
+#endif
+
+#define SECURITY_OBJECT(o) ((SecurityObject *)(o))
+#define SECURITY_OBJECT_HANDLE(o) (SECURITY_OBJECT(o)->handle)
+#define IDENTITY_HANDLE(o) ((DDS_Security_IdentityHandle) SECURITY_OBJECT_HANDLE(o))
+#define HANDSHAKE_HANDLE(o) ((DDS_Security_HandshakeHandle) SECURITY_OBJECT_HANDLE(o))
+
+#define SECURITY_OBJECT_VALID(o,k) security_object_valid((SecurityObject *)(o), k)
+
+
+typedef struct LocalIdentityInfo {
+ SecurityObject _parent;
+ DDS_Security_DomainId domainId;
+ DDS_Security_GUID_t candidateGUID;
+ DDS_Security_GUID_t adjustedGUID;
+ X509 *identityCert;
+ X509 *identityCA;
+ EVP_PKEY *privateKey;
+ DDS_Security_OctetSeq pdata;
+ AuthenticationAlgoKind_t dsignAlgoKind;
+ AuthenticationAlgoKind_t kagreeAlgoKind;
+ char *permissionsDocument;
+} LocalIdentityInfo;
+
+typedef struct RemoteIdentityInfo {
+ SecurityObject _parent;
+ DDS_Security_GUID_t guid;
+ X509 *identityCert;
+ AuthenticationAlgoKind_t dsignAlgoKind;
+ AuthenticationAlgoKind_t kagreeAlgoKind;
+ DDS_Security_IdentityToken *remoteIdentityToken;
+ DDS_Security_OctetSeq pdata;
+ char *permissionsDocument;
+ struct ddsrt_hh *linkHash; /* contains the IdentityRelation objects */
+} RemoteIdentityInfo;
+
+
+/* This structure contains the relation between a local and a remote identity
+ * The handle for this object is the same as the handle of the associated
+ * local identity object. The IdentityRelation object will be stored with the
+ * remote identity.
+ */
+typedef struct IdentityRelation {
+ SecurityObject _parent;
+ LocalIdentityInfo *localIdentity;
+ RemoteIdentityInfo *remoteIdentity;
+ AuthenticationChallenge *lchallenge;
+ AuthenticationChallenge *rchallenge;
+} IdentityRelation;
+
+typedef struct HandshakeInfo {
+ SecurityObject _parent;
+ IdentityRelation *relation;
+ HashValue_t hash_c1;
+ HashValue_t hash_c2;
+ EVP_PKEY *ldh;
+ EVP_PKEY *rdh;
+ DDS_Security_SharedSecretHandleImpl *shared_secret_handle_impl;
+ CreatedHandshakeStep_t created_in;
+} HandshakeInfo;
+
+typedef struct dds_security_authentication_impl {
+ dds_security_authentication base;
+ int id; //sample internal member
+ ddsrt_mutex_t lock;
+ struct ddsrt_hh *objectHash;
+ struct ddsrt_hh *remoteGuidHash;
+ struct ut_timed_dispatcher_t *timed_callbacks;
+ X509Seq trustedCAList;
+
+
+
+} dds_security_authentication_impl;
+
+/* data type for timer dispatcher */
+typedef struct {
+ dds_security_authentication_impl *auth;
+ DDS_Security_IdentityHandle hdl;
+} validity_cb_info;
+
+
+static bool
+security_object_valid(
+ SecurityObject *obj,
+ SecurityObjectKind_t kind)
+{
+ if (!obj) return false;
+ if (obj->kind != kind) return false;
+ if (kind == SECURITY_OBJECT_KIND_IDENTITY_RELATION) {
+ IdentityRelation *relation = (IdentityRelation *)obj;
+ if (!relation->localIdentity || !relation->remoteIdentity || (ddsrt_address)obj->handle != (ddsrt_address)relation->localIdentity) {
+ return false;
+ }
+ } else if ((ddsrt_address)obj->handle != (ddsrt_address)obj) {
+ return false;
+ }
+ return true;
+}
+
+static uint32_t
+security_object_hash (
+ const void *obj)
+{
+ const SecurityObject *object = obj;
+#define UINT64_CONST(x, y, z) (((uint64_t) (x) * 1000000 + (y)) * 1000000 + (z))
+ const uint64_t c = UINT64_CONST (16292676, 669999, 574021);
+#undef UINT64_CONST
+ const uint32_t x = (uint32_t) object->handle;
+ return (unsigned) ((x * c) >> 32);
+}
+
+static int
+security_object_equal (
+ const void *ha,
+ const void *hb)
+{
+ const
SecurityObject *la = ha;
+ const SecurityObject *lb = hb;
+
+ return la->handle == lb->handle;
+}
+
+static SecurityObject *
+security_object_find(
+ const struct ddsrt_hh *hh,
+ int64_t handle)
+{
+ struct SecurityObject template;
+
+ template.handle = handle;
+
+ return (SecurityObject *) ddsrt_hh_lookup(hh, &template);;
+}
+
+static void
+security_object_init(
+ SecurityObject *obj,
+ SecurityObjectKind_t kind,
+ SecurityObjectDestructor destructor)
+{
+ assert(obj);
+
+ obj->kind = kind;
+ obj->handle = (int64_t)(ddsrt_address)obj;
+ obj->destructor = destructor;
+}
+
+static void
+security_object_deinit(
+ SecurityObject *obj)
+
+{
+ assert(obj);
+ obj->handle = DDS_SECURITY_HANDLE_NIL;
+ obj->kind = SECURITY_OBJECT_KIND_UNKNOWN;
+ obj->destructor = NULL;
+}
+
+static void
+security_object_free(
+ SecurityObject *obj)
+{
+ assert(obj);
+ if (obj && obj->destructor) {
+ obj->destructor(obj);
+ }
+}
+
+static void
+localIdentityInfoFree(
+ SecurityObject *obj);
+
+
+
+static LocalIdentityInfo *
+localIdentityInfoNew(
+ DDS_Security_DomainId domainId,
+ X509 *identityCert,
+ X509 *identityCa,
+ EVP_PKEY *privateKey,
+ const DDS_Security_GUID_t *candidate_participant_guid,
+ const DDS_Security_GUID_t *adjusted_participant_guid)
+{
+ LocalIdentityInfo *identity = NULL;
+
+ assert(identityCert);
+ assert(identityCa);
+ assert(privateKey);
+ assert(candidate_participant_guid);
+ assert(adjusted_participant_guid);
+ assert(sizeof(DDS_Security_IdentityHandle) == 8);
+
+ identity = ddsrt_malloc(sizeof(*identity));
+ memset(identity, 0, sizeof(*identity));
+
+ security_object_init((SecurityObject *)identity, SECURITY_OBJECT_KIND_LOCAL_IDENTITY, localIdentityInfoFree);
+
+
+
+
+ identity->domainId = domainId;
+ identity->identityCert = identityCert;
+ identity->identityCA = identityCa;
+ identity->privateKey = privateKey;
+ identity->permissionsDocument = NULL;
+ identity->dsignAlgoKind = get_auhentication_algo_kind(identityCert);
+ identity->kagreeAlgoKind =
AUTH_ALGO_KIND_EC_PRIME256V1;
+
+ memcpy(&identity->candidateGUID, candidate_participant_guid, sizeof(DDS_Security_GUID_t));
+ memcpy(&identity->adjustedGUID, adjusted_participant_guid, sizeof(DDS_Security_GUID_t));
+
+ return identity;
+}
+
+static void
+localIdentityInfoFree(
+ SecurityObject *obj)
+{
+ LocalIdentityInfo *identity = (LocalIdentityInfo *)obj;
+
+ CHECK_OBJECT_KIND(obj, SECURITY_OBJECT_KIND_LOCAL_IDENTITY);
+
+ if (identity) {
+ if (identity->identityCert) {
+ X509_free(identity->identityCert);
+ }
+ if (identity->identityCA) {
+ X509_free(identity->identityCA);
+ }
+ if (identity->privateKey) {
+ EVP_PKEY_free(identity->privateKey);
+ }
+ ddsrt_free(identity->pdata._buffer);
+ ddsrt_free(identity->permissionsDocument);
+ security_object_deinit((SecurityObject *)identity);
+ ddsrt_free(identity);
+ }
+}
+
+static uint32_t
+remote_guid_hash (
+ const void *obj)
+{
+ const RemoteIdentityInfo *identity = obj;
+ uint32_t tmp[4];
+
+ memcpy(tmp, &identity->guid, sizeof(tmp));
+
+ return (tmp[0]^tmp[1]^tmp[2]^tmp[3]);
+}
+
+static int
+remote_guid_equal (
+ const void *ha,
+ const void *hb)
+{
+ const RemoteIdentityInfo *la = ha;
+ const RemoteIdentityInfo *lb = hb;
+
+ return memcmp(&la->guid, &lb->guid, sizeof(la->guid)) == 0;
+}
+
+static RemoteIdentityInfo *
+find_remote_identity_by_guid(
+ const struct ddsrt_hh *hh,
+ const DDS_Security_GUID_t *guid)
+{
+ struct RemoteIdentityInfo template;
+
+ memcpy(&template.guid, guid, sizeof(*guid));
+
+ return (RemoteIdentityInfo *) ddsrt_hh_lookup(hh, &template);
+}
+
+static void
+remoteIdentityInfoFree(
+ SecurityObject *obj);
+
+static RemoteIdentityInfo *
+remoteIdentityInfoNew(
+ const DDS_Security_GUID_t *guid,
+ const DDS_Security_IdentityToken *remote_identity_token)
+{
+ RemoteIdentityInfo *identity = NULL;
+
+ assert(guid);
+ assert(remote_identity_token);
+
+ identity = ddsrt_malloc(sizeof(*identity));
+ memset(identity, 0, sizeof(*identity));
+
+ security_object_init((SecurityObject *)identity,
SECURITY_OBJECT_KIND_REMOTE_IDENTITY, remoteIdentityInfoFree);
+
+ memcpy(&identity->guid, guid, sizeof(DDS_Security_GUID_t));
+ identity->remoteIdentityToken = DDS_Security_DataHolder_alloc();
+ DDS_Security_DataHolder_copy(identity->remoteIdentityToken, remote_identity_token);
+ identity->identityCert = NULL;
+ identity->dsignAlgoKind = AUTH_ALGO_KIND_UNKNOWN;
+ identity->kagreeAlgoKind = AUTH_ALGO_KIND_UNKNOWN;
+ identity->permissionsDocument = ddsrt_strdup("");
+ identity->linkHash = ddsrt_hh_new(32, security_object_hash, security_object_equal);
+
+ return identity;
+}
+
+static void
+remoteIdentityInfoFree(
+ SecurityObject *obj)
+{
+ RemoteIdentityInfo *identity = (RemoteIdentityInfo *)obj;
+
+ CHECK_OBJECT_KIND(obj, SECURITY_OBJECT_KIND_REMOTE_IDENTITY);
+
+ if (identity) {
+ if (identity->identityCert) {
+ X509_free(identity->identityCert);
+ }
+ DDS_Security_DataHolder_free(identity->remoteIdentityToken);
+
+ ddsrt_hh_free(identity->linkHash);
+
+ ddsrt_free(identity->pdata._buffer);
+ ddsrt_free(identity->permissionsDocument);
+ security_object_deinit((SecurityObject *)identity);
+ ddsrt_free(identity);
+ }
+}
+
+static void
+identityRelationFree(
+ SecurityObject *obj);
+
+/* The IdentityRelation provides the association between a local and a remote
+ * identity. This object manages the challenges which are created for
+ * each association between a local and a remote identity.
+ * The lchallenge is the challenge associated with the local identity and
+ * may be set when a future challenge is communicated with the auth_request_message_token.
+ * The rchallenge is the challenge received from the remote identity it may be set when
+ * an auth_request_message_token is received from the remote identity,
+ */
+static IdentityRelation *
+identityRelationNew(
+ LocalIdentityInfo *localIdentity,
+ RemoteIdentityInfo *remoteIdentity,
+ AuthenticationChallenge *lchallenge,
+ AuthenticationChallenge *rchallenge)
+{
+ IdentityRelation *relation;
+
+ assert(localIdentity);
+ assert(remoteIdentity);
+
+ relation = ddsrt_malloc(sizeof(*relation));
+ memset(relation, 0, sizeof(*relation));
+
+ security_object_init((SecurityObject *)relation, SECURITY_OBJECT_KIND_IDENTITY_RELATION, identityRelationFree);
+ relation->_parent.handle = SECURITY_OBJECT_HANDLE(localIdentity);
+
+ relation->localIdentity = localIdentity;
+ relation->remoteIdentity = remoteIdentity;
+ relation->lchallenge = lchallenge;
+ relation->rchallenge = rchallenge;
+
+ return relation;
+}
+
+static void
+identityRelationFree(
+ SecurityObject *obj)
+{
+ IdentityRelation *relation = (IdentityRelation *)obj;
+
+ CHECK_OBJECT_KIND(obj, SECURITY_OBJECT_KIND_IDENTITY_RELATION);
+
+ if (relation) {
+ ddsrt_free(relation->lchallenge);
+ ddsrt_free(relation->rchallenge);
+ security_object_deinit((SecurityObject *)relation);
+ ddsrt_free(relation);
+ }
+}
+
+static void
+handshakeInfoFree(
+ SecurityObject *obj);
+
+static HandshakeInfo *
+handshakeInfoNew(
+ LocalIdentityInfo *localIdentity,
+ RemoteIdentityInfo *remoteIdentity,
+ IdentityRelation *relation)
+{
+ HandshakeInfo *handshake;
+
+ assert(localIdentity);
+ assert(remoteIdentity);
+
+ DDSRT_UNUSED_ARG(localIdentity);
+ DDSRT_UNUSED_ARG(remoteIdentity);
+ handshake = ddsrt_malloc(sizeof(*handshake));
+ memset(handshake, 0, sizeof(*handshake));
+
+ security_object_init((SecurityObject *)handshake, SECURITY_OBJECT_KIND_HANDSHAKE, handshakeInfoFree);
+
+ handshake->relation = relation;
+ handshake->shared_secret_handle_impl = NULL;
+
+ return handshake;
+}
+
+static void
+handshakeInfoFree( +
SecurityObject *obj)
+{
+ HandshakeInfo *handshake = (HandshakeInfo *)obj;
+
+ CHECK_OBJECT_KIND(obj, SECURITY_OBJECT_KIND_HANDSHAKE);
+
+ if (handshake) {
+ if (handshake->ldh) {
+ EVP_PKEY_free(handshake->ldh);
+ }
+ if (handshake->rdh) {
+ EVP_PKEY_free(handshake->rdh);
+ }
+ if(handshake->shared_secret_handle_impl) {
+ ddsrt_free( handshake->shared_secret_handle_impl->shared_secret);
+ ddsrt_free( handshake->shared_secret_handle_impl );
+ }
+ security_object_deinit((SecurityObject *)handshake);
+ ddsrt_free(handshake);
+ }
+}
+
+static IdentityRelation *
+find_identity_relation(
+ const RemoteIdentityInfo *remote,
+ int64_t lid)
+{
+ return (IdentityRelation *)security_object_find(remote->linkHash, lid);
+}
+
+static void
+remove_identity_relation(
+ RemoteIdentityInfo *remote,
+ IdentityRelation *relation)
+{
+ (void)ddsrt_hh_remove(remote->linkHash, relation);
+ security_object_free((SecurityObject *) relation);
+}
+
+static HandshakeInfo *
+find_handshake(
+ const dds_security_authentication_impl *auth,
+ int64_t localId,
+ int64_t remoteId)
+{
+ struct ddsrt_hh_iter it;
+ SecurityObject *obj;
+ IdentityRelation *relation;
+ HandshakeInfo *found = NULL;
+
+ for (obj = ddsrt_hh_iter_first(auth->objectHash, &it); obj && !found; obj = ddsrt_hh_iter_next(&it)) {
+ if (obj->kind == SECURITY_OBJECT_KIND_HANDSHAKE) {
+ relation = ((HandshakeInfo *)obj)->relation;
+ assert(relation);
+ if ((SECURITY_OBJECT_HANDLE(relation->localIdentity) == localId) &&
+ (SECURITY_OBJECT_HANDLE(relation->remoteIdentity) == remoteId)) {
+ found = (HandshakeInfo *)obj;
+ }
+ }
+ }
+
+ return found;
+}
+
+static char *
+get_authentication_class_id(
+ void)
+{
+ char *classId;
+ size_t sz;
+
+ sz = strlen(AUTH_PROTOCOL_CLASS) + 5;
+
+ classId = ddsrt_malloc(sz);
+ snprintf(classId, sz, "%s:%1u.%1u", AUTH_PROTOCOL_CLASS, AUTH_PROTOCOL_VERSION_MAJOR, AUTH_PROTOCOL_VERSION_MINOR);
+
+ return classId;
+}
+
+static const char *
+get_authentication_algo(
+ AuthenticationAlgoKind_t kind)
+{ +
const char *result;
+ switch (kind) {
+ case AUTH_ALGO_KIND_RSA_2048:
+ result = "RSA-2048";
+ break;
+ case AUTH_ALGO_KIND_EC_PRIME256V1:
+ result = "EC-prime256v1";
+ break;
+ default:
+ assert(0);
+ result = "";
+ break;
+ }
+
+ return result;
+}
+
+static const char *
+get_dsign_algo(
+ AuthenticationAlgoKind_t kind)
+{
+ const char *result;
+ switch (kind) {
+ case AUTH_ALGO_KIND_RSA_2048:
+ result = AUTH_DSIG_ALGO_RSA_2048_SHA256_IDENT;
+ break;
+ case AUTH_ALGO_KIND_EC_PRIME256V1:
+ result = AUTH_DSIG_ALGO_ECDSA_SHA256_IDENT;
+ break;
+ default:
+ assert(0);
+ result = "";
+ break;
+ }
+
+ return result;
+}
+
+static const char *
+get_kagree_algo(
+ AuthenticationAlgoKind_t kind)
+{
+ const char *result;
+ switch (kind) {
+ case AUTH_ALGO_KIND_RSA_2048:
+ result = AUTH_KAGREE_ALGO_RSA_2048_SHA256_IDENT;
+ break;
+ case AUTH_ALGO_KIND_EC_PRIME256V1:
+ result = AUTH_KAGREE_ALGO_ECDH_PRIME256V1_IDENT;
+ break;
+ default:
+ assert(0);
+ result = "";
+ break;
+ }
+
+ return result;
+}
+
+static AuthenticationAlgoKind_t
+get_dsign_algo_from_string(
+ const char *name)
+{
+ AuthenticationAlgoKind_t algoKind = AUTH_ALGO_KIND_UNKNOWN;
+
+ if (name) {
+ if (strcmp(AUTH_DSIG_ALGO_RSA_2048_SHA256_IDENT, name) == 0) {
+ algoKind = AUTH_ALGO_KIND_RSA_2048;
+ } else if (strcmp(AUTH_DSIG_ALGO_ECDSA_SHA256_IDENT, name) == 0) {
+ algoKind = AUTH_ALGO_KIND_EC_PRIME256V1;
+ }
+ }
+
+ return algoKind;
+}
+
+static AuthenticationAlgoKind_t
+get_kagree_algo_from_string(
+ const char *name)
+{
+ AuthenticationAlgoKind_t algoKind = AUTH_ALGO_KIND_UNKNOWN;
+
+ if (name) {
+ if (strcmp(AUTH_KAGREE_ALGO_RSA_2048_SHA256_IDENT, name) == 0) {
+ algoKind = AUTH_ALGO_KIND_RSA_2048;
+ } else if (strcmp(AUTH_KAGREE_ALGO_ECDH_PRIME256V1_IDENT, name) == 0) {
+ algoKind = AUTH_ALGO_KIND_EC_PRIME256V1;
+ }
+ }
+
+ return algoKind;
+}
+
+static void
+free_binary_properties(
+ DDS_Security_BinaryProperty_t *seq,
+ uint32_t length)
+{
+ uint32_t i;
+
+ for (i = 0; i < length; i++) { +
ddsrt_free(seq[i].name);
+ ddsrt_free(seq[i].value._buffer);
+ }
+ ddsrt_free(seq);
+}
+
+static void
+get_hash_binary_property_seq(
+ const DDS_Security_BinaryPropertySeq *seq,
+ unsigned char hash[SHA256_DIGEST_LENGTH])
+{
+ DDS_Security_Serializer serializer;
+ unsigned char *buffer;
+ size_t size;
+
+ serializer = DDS_Security_Serializer_new(4096, 4096);
+
+ DDS_Security_Serialize_BinaryPropertySeq(serializer, seq);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+ SHA256(buffer, size, hash);
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+}
+
+static DDS_Security_ValidationResult_t
+create_signature(
+ EVP_PKEY *pkey,
+ const DDS_Security_BinaryProperty_t **binary_properties,
+ const uint32_t binary_properties_length,
+ unsigned char **signature,
+ size_t *signatureLen,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_Serializer serializer;
+ unsigned char *buffer;
+ size_t size;
+
+ serializer = DDS_Security_Serializer_new(4096, 4096);
+
+ DDS_Security_Serialize_BinaryPropertyArray(serializer,binary_properties, binary_properties_length);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+
+ result = create_asymmetrical_signature(pkey, buffer, size, signature, signatureLen, ex);
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+
+ return result;
+}
+
+static DDS_Security_ValidationResult_t
+validate_signature(
+ EVP_PKEY *pkey,
+ const DDS_Security_BinaryProperty_t **properties,
+ const uint32_t properties_length,
+ unsigned char *signature,
+ size_t signatureLen,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_Serializer serializer;
+ unsigned char *buffer;
+ size_t size;
+
+ serializer = DDS_Security_Serializer_new(4096, 4096);
+
+ DDS_Security_Serialize_BinaryPropertyArray(serializer, properties, properties_length);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+
+ result =
validate_asymmetrical_signature(pkey, buffer, size, signature, signatureLen, ex);
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+
+ return result;
+}
+
+static DDS_Security_ValidationResult_t
+compute_hash_value(
+ HashValue_t value,
+ const DDS_Security_BinaryProperty_t **properties,
+ const uint32_t properties_length,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ DDS_Security_Serializer serializer;
+ unsigned char *buffer;
+ size_t size;
+
+ DDSRT_UNUSED_ARG(ex);
+
+ serializer = DDS_Security_Serializer_new(4096, 4096);
+
+ DDS_Security_Serialize_BinaryPropertyArray(serializer, properties, properties_length);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+ SHA256(buffer, size, value);
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+
+ return result;
+}
+
+static DDS_Security_BinaryProperty_t *
+hash_value_to_binary_property(
+ const char *name,
+ HashValue_t hash)
+{
+ DDS_Security_BinaryProperty_t *bp = DDS_Security_BinaryProperty_alloc();
+
+ DDS_Security_BinaryProperty_set_by_value(bp, name, hash, sizeof(HashValue_t));
+
+ return bp;
+}
+
+
+/* Will be enabled after timed callback feature implementation */
+#if TIMED_CALLBACK_IMPLEMENTED
+
+static void
+validity_callback(struct ut_timed_dispatcher_t *d,
+ ut_timed_cb_kind kind,
+ void *listener,
+ void *arg)
+{
+ validity_cb_info *info = arg;
+
+ assert(d);
+ assert(arg);
+
+ if (kind == UT_TIMED_CB_KIND_TIMEOUT) {
+ assert(listener);
+ dds_security_authentication_listener *auth_listener = (dds_security_authentication_listener*)listener;
+ if (auth_listener->on_revoke_identity) {
+ auth_listener->on_revoke_identity(auth_listener,
+ (dds_security_authentication*)info->auth,
+ info->hdl);
+
+ }
+ }
+ ddsrt_free(arg);
+}
+
+#endif
+
+static void
+add_validity_end_trigger(dds_security_authentication_impl *auth,
+ const DDS_Security_IdentityHandle identity_handle,
+ dds_time_t end)
+{ +
DDSRT_UNUSED_ARG( auth );
+ DDSRT_UNUSED_ARG( identity_handle );
+ DDSRT_UNUSED_ARG( end );
+ /* Will be enabled after timed call back feature implementation */
+ /*
+ validity_cb_info *arg = ddsrt_malloc(sizeof(validity_cb_info));
+ arg->auth = auth;
+ arg->hdl = identity_handle;
+ ut_timed_dispatcher_add(auth->timed_callbacks,
+ validity_callback,
+ end,
+ (void*)arg);
+ */
+}
+
+
+
+#define ADJUSTED_GUID_PREFIX_FLAG 0x80
+
+static DDS_Security_ValidationResult_t
+get_adjusted_participant_guid(
+ X509 *cert,
+ const DDS_Security_GUID_t *candidate,
+ DDS_Security_GUID_t *adjusted,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_FAILED;
+ unsigned char high[SHA256_DIGEST_LENGTH], low[SHA256_DIGEST_LENGTH];
+ unsigned char *subject = NULL;
+ size_t size=0;
+
+ assert(cert);
+ assert(candidate);
+ assert(adjusted);
+
+ result = get_subject_name_DER_encoded(cert, &subject, &size, ex);
+ if ( result == DDS_SECURITY_VALIDATION_OK ) {
+ DDS_Security_octet hb = ADJUSTED_GUID_PREFIX_FLAG;
+ int i;
+
+ SHA256(subject, size, high);
+ SHA256(&candidate->prefix[0], sizeof(DDS_Security_GuidPrefix_t), low);
+
+ adjusted->entityId = candidate->entityId;
+ for (i = 0; i < 6; i++) {
+ adjusted->prefix[i] = hb | high[i] >> 1;
+ hb = (DDS_Security_octet) (high[i] << 7);
+ }
+ for (i = 0; i < 6; i++) {
+ adjusted->prefix[i + 6] = low[i];
+ }
+ ddsrt_free(subject);
+ }
+
+ return result;
+}
+#undef ADJUSTED_GUID_PREFIX_FLAG
+
+DDS_Security_ValidationResult_t
+validate_local_identity(
+ dds_security_authentication *instance,
+ DDS_Security_IdentityHandle *local_identity_handle,
+ DDS_Security_GUID_t *adjusted_participant_guid,
+ const DDS_Security_DomainId domain_id,
+ const DDS_Security_Qos *participant_qos,
+ const DDS_Security_GUID_t *candidate_participant_guid,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ dds_security_authentication_impl *implementation =
(dds_security_authentication_impl *) instance;
+ LocalIdentityInfo *identity;
+ char *identityCertPEM;
+ char *identityCaPEM;
+ char *privateKeyPEM;
+ char *password;
+ X509 *identityCert;
+ X509 *identityCA;
+ EVP_PKEY *privateKey;
+ char *trusted_ca_dir;
+ unsigned i;
+ dds_time_t certExpiry = DDS_TIME_INVALID;
+
+ /* validate provided arguments */
+ if (!instance || !local_identity_handle || !adjusted_participant_guid || !participant_qos || !candidate_participant_guid) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "validate_local_identity: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ implementation->id = 2;
+
+ identityCertPEM = DDS_Security_Property_get_value(&participant_qos->property.value, PROPERTY_IDENTITY_CERT);
+ if (!identityCertPEM) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "validate_local_identity: missing property '%s'", PROPERTY_IDENTITY_CERT);
+ goto err_no_identity_cert;
+ }
+
+ identityCaPEM = DDS_Security_Property_get_value(&participant_qos->property.value, PROPERTY_IDENTITY_CA);
+ if (!identityCaPEM) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "validate_local_identity: missing property '%s'", PROPERTY_IDENTITY_CA);
+ goto err_no_identity_ca;
+ }
+
+ privateKeyPEM = DDS_Security_Property_get_value(&participant_qos->property.value, PROPERTY_PRIVATE_KEY);
+ if (!privateKeyPEM) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "validate_local_identity: missing property '%s'", PROPERTY_PRIVATE_KEY);
+ goto err_no_private_key;
+ }
+
+ password = DDS_Security_Property_get_value(&participant_qos->property.value, PROPERTY_PASSWORD);
+
+
+ trusted_ca_dir = DDS_Security_Property_get_value(&participant_qos->property.value, PROPERTY_TRUSTED_CA_DIR);
+
+ if( trusted_ca_dir ){
+ result = get_trusted_ca_list(trusted_ca_dir, &(implementation->trustedCAList), ex );
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_trusted_ca_dir;
+ }
+ }
+
+
+ result = load_X509_certificate(identityCaPEM, &identityCA, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_identity_ca;
+ }
+
+
+ /*check for CA if listed in trusted CA files*/
+ if( implementation->trustedCAList.length != 0 ){
+ const EVP_MD *digest = EVP_get_digestbyname("sha1");
+ uint32_t size;
+ unsigned char hash_buffer[20];
+ unsigned char hash_buffer_trusted[20];
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ X509_digest(identityCA, digest, hash_buffer, &size);
+ for (i = 0; i < implementation->trustedCAList.length; ++i) {
+ X509_digest(implementation->trustedCAList.buffer[i], digest, hash_buffer_trusted, &size);
+ if( memcmp( hash_buffer_trusted, hash_buffer,20 ) == 0){
+ result = DDS_SECURITY_VALIDATION_OK;
+ break;
+ }
+ }
+
+ if (result != DDS_SECURITY_VALIDATION_OK) { /*not trusted*/
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CA_NOT_TRUSTED_CODE, (int)result, DDS_SECURITY_ERR_CA_NOT_TRUSTED_MESSAGE);
+ goto err_identity_ca_not_trusted;
+ }
+ }
+ result = load_X509_certificate(identityCertPEM, &identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_identity_cert;
+ }
+
+ result = load_X509_private_key(privateKeyPEM, password, &privateKey, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_private_key;
+ }
+
+ result = verify_certificate(identityCert, identityCA, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_verification_failed;
+ }
+
+ result = get_adjusted_participant_guid(identityCert, candidate_participant_guid, adjusted_participant_guid, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_adj_guid_failed;
+ }
+ +
ddsrt_free(password);
+ ddsrt_free(privateKeyPEM);
+ ddsrt_free(identityCaPEM);
+ ddsrt_free(identityCertPEM);
+ ddsrt_free(trusted_ca_dir);
+
+ identity = localIdentityInfoNew(domain_id, identityCert, identityCA, privateKey, candidate_participant_guid, adjusted_participant_guid);
+
+ *local_identity_handle = IDENTITY_HANDLE(identity);
+
+ /* setup expiry listener */
+ certExpiry = get_certificate_expiry( identityCert );
+
+ if( certExpiry == DDS_TIME_INVALID ){
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Expiry date of the certificate is invalid");
+ goto err_verification_failed;
+ } else if ( certExpiry != DDS_NEVER ){
+ add_validity_end_trigger( implementation,
+ *local_identity_handle,
+ certExpiry);
+ }
+
+
+ ddsrt_mutex_lock(&implementation->lock);
+ (void)ddsrt_hh_add(implementation->objectHash, identity);
+
+ ddsrt_mutex_unlock(&implementation->lock);
+
+ return result;
+
+err_adj_guid_failed:
+err_verification_failed:
+ EVP_PKEY_free(privateKey);
+err_inv_private_key:
+ X509_free(identityCert);
+err_inv_identity_cert:
+err_identity_ca_not_trusted:
+ X509_free(identityCA);
+err_inv_identity_ca:
+err_inv_trusted_ca_dir:
+ ddsrt_free(password);
+ ddsrt_free(privateKeyPEM);
+ ddsrt_free(trusted_ca_dir);
+err_no_private_key:
+ ddsrt_free(identityCaPEM);
+err_no_identity_ca:
+ ddsrt_free(identityCertPEM);
+err_no_identity_cert:
+err_bad_param:
+ return DDS_SECURITY_VALIDATION_FAILED;
+}
+
+DDS_Security_boolean
+get_identity_token(dds_security_authentication *instance,
+ DDS_Security_IdentityToken *identity_token,
+ const DDS_Security_IdentityHandle handle,
+ DDS_Security_SecurityException *ex)
+{
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ SecurityObject *obj;
+ LocalIdentityInfo *identity;
+ char *snCert, *snCA;
+
+ memset(identity_token, 0, sizeof(*identity_token));
+
+ /* validate provided arguments */
+ if (!instance || !identity_token) { +
DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_identity_token: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ obj = security_object_find(impl->objectHash, handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_LOCAL_IDENTITY)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_identity_token: Invalid handle provided");
+ goto err_inv_handle;
+ }
+ identity = (LocalIdentityInfo *)obj;
+
+ snCert = get_certificate_subject_name(identity->identityCert, ex);
+
+ if (!snCert) {
+ goto err_sn_cert;
+ }
+
+ snCA = get_certificate_subject_name(identity->identityCA, ex);
+ if (!snCA) {
+ goto err_sn_ca;
+ }
+
+ identity_token->class_id = get_authentication_class_id();
+ identity_token->properties._length = 4;
+ identity_token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+
+ identity_token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ identity_token->properties._buffer[0].value = snCert;
+
+ identity_token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM);
+ identity_token->properties._buffer[1].value = ddsrt_strdup(get_authentication_algo(get_auhentication_algo_kind(identity->identityCert)));
+
+ identity_token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME);
+ identity_token->properties._buffer[2].value = snCA;
+
+ identity_token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM);
+ identity_token->properties._buffer[3].value = ddsrt_strdup(get_authentication_algo(get_auhentication_algo_kind(identity->identityCA)));
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+ return true;
+
+err_sn_ca:
+ ddsrt_free(snCert);
+err_sn_cert:
+err_inv_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+err_bad_param:
+ return false;
+}
+
+DDS_Security_boolean get_identity_status_token( +
dds_security_authentication *instance,
+ DDS_Security_IdentityStatusToken *identity_status_token,
+ const DDS_Security_IdentityHandle handle,
+ DDS_Security_SecurityException *ex)
+{
+ DDSRT_UNUSED_ARG(identity_status_token);
+ DDSRT_UNUSED_ARG(handle);
+ DDSRT_UNUSED_ARG(ex);
+ DDSRT_UNUSED_ARG(instance);
+
+ return true;
+}
+
+DDS_Security_boolean
+set_permissions_credential_and_token(
+ dds_security_authentication *instance,
+ const DDS_Security_IdentityHandle handle,
+ const DDS_Security_PermissionsCredentialToken *permissions_credential,
+ const DDS_Security_PermissionsToken *permissions_token,
+ DDS_Security_SecurityException *ex)
+{
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ LocalIdentityInfo *identity;
+
+ /* validate provided arguments */
+ if ((!instance) ||
+ (handle == DDS_SECURITY_HANDLE_NIL) ||
+ (!permissions_credential) ||
+ (!permissions_token) ){
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_identity_token: Invalid parameter provided");
+ return false;
+ }
+
+ if (!permissions_credential->class_id ||
+ (strcmp(permissions_credential->class_id, ACCESS_PERMISSIONS_CREDENTIAL_TOKEN_ID) != 0)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_identity_token: Invalid parameter provided");
+ return false;
+ }
+
+ if ((permissions_credential->properties._length == 0) ||
+ (permissions_credential->properties._buffer[0].name == NULL) ||
+ (strcmp(permissions_credential->properties._buffer[0].name, ACCESS_PROPERTY_PERMISSION_DOCUMENT) != 0)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_identity_token: Invalid parameter provided");
+ return false;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ identity = (LocalIdentityInfo *)security_object_find(impl->objectHash,
handle);
+ if (!identity || !SECURITY_OBJECT_VALID(identity, SECURITY_OBJECT_KIND_LOCAL_IDENTITY)) {
+ ddsrt_mutex_unlock(&impl->lock);
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_identity_token: Invalid handle provided");
+ return false;
+ }
+
+ if (permissions_credential->properties._buffer[0].value) {
+ identity->permissionsDocument = ddsrt_strdup(permissions_credential->properties._buffer[0].value);
+ } else {
+ identity->permissionsDocument = ddsrt_strdup("");
+ }
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+ return true;
+}
+
+
+static DDS_Security_ValidationResult_t
+validate_remote_identity_token(
+ const LocalIdentityInfo *localIdent,
+ const DDS_Security_IdentityToken *token,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+
+ DDSRT_UNUSED_ARG(localIdent);
+
+ if (token->class_id) {
+ size_t sz = strlen(AUTH_PROTOCOL_CLASS);
+
+ if (strncmp(AUTH_PROTOCOL_CLASS, token->class_id, sz) == 0) {
+ char *ptr = &token->class_id[sz];
+ char postfix[2];
+ unsigned major, minor;
+
+ DDSRT_WARNING_MSVC_OFF(4996);
+ if (sscanf(ptr, ":%u.%u%1s", &major, &minor, postfix) == 2) {
+ DDSRT_WARNING_MSVC_ON(4996);
+ if (major == AUTH_PROTOCOL_VERSION_MAJOR) {
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "remote identity token: version %u.%u not supported", major, minor);
+ }
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "remote identity token: class_id has wrong format");
+ }
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "remote identity token: class_id='%s' not supported", token->class_id);
+ }
+ } else
{
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "remote identity token: class_id is empty");
+ }
+
+ return result;
+}
+
+static DDS_Security_ValidationResult_t
+validate_auth_request_token(
+ const DDS_Security_IdentityToken *token,
+ AuthenticationChallenge **challenge,
+ DDS_Security_SecurityException *ex)
+{
+ uint32_t index;
+ int found = 0;
+
+ assert(token);
+
+ if (!token->class_id) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "AuthRequestMessageToken invalid: missing class_id");
+ goto err_inv_token;
+ }
+
+ if (strncmp(token->class_id, AUTH_REQUEST_TOKEN_CLASS_ID, strlen(AUTH_REQUEST_TOKEN_CLASS_ID)) != 0) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "AuthRequestMessageToken invalid: class_id '%s' is invalid", token->class_id);
+ goto err_inv_token;
+ }
+
+ if (!token->binary_properties._buffer) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "AuthRequestMessageToken invalid: properties are missing");
+ goto err_inv_token;
+ }
+
+ for (index = 0; index < token->binary_properties._length; index++) {
+ size_t len = strlen(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+ if (token->binary_properties._buffer[index].name &&
+ (strncmp(token->binary_properties._buffer[index].name, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME, len) == 0)) {
+ found = 1;
+ break;
+ }
+ }
+
+ if (!found) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "AuthRequestMessageToken invalid: future_challenge not found");
+ goto err_inv_token;
+ }
+
+ if (token->binary_properties._buffer[index].value._length != sizeof(AuthenticationChallenge)) {
+ DDS_Security_Exception_set(ex,
DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "AuthRequestMessageToken invalid: future_challenge invalid size");
+ goto err_inv_token;
+ }
+
+ if (!token->binary_properties._buffer[index].value._buffer) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "AuthRequestMessageToken invalid: future_challenge invalid size");
+ goto err_inv_token;
+ }
+
+ if (challenge) {
+ *challenge = ddsrt_malloc(sizeof(AuthenticationChallenge));
+ memcpy(*challenge, &token->binary_properties._buffer[index].value._buffer[0], sizeof(AuthenticationChallenge));
+ }
+
+ return DDS_SECURITY_VALIDATION_OK;
+
+err_inv_token:
+ return DDS_SECURITY_VALIDATION_FAILED;
+}
+
+static void
+fill_auth_request_token(
+ DDS_Security_AuthRequestMessageToken *token,
+ AuthenticationChallenge *challenge)
+{
+ uint32_t len = sizeof(challenge->value);
+
+ DDS_Security_DataHolder_deinit(token);
+
+ token->class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID);
+ token->binary_properties._length = 1;
+ token->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(1);
+ token->binary_properties._buffer->name = ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+
+ token->binary_properties._buffer->value._length = len;
+ token->binary_properties._buffer->value._buffer = ddsrt_malloc(len);
+ memcpy(token->binary_properties._buffer->value._buffer, challenge->value, len);
+}
+
+DDS_Security_ValidationResult_t
+validate_remote_identity(
+ dds_security_authentication *instance,
+ DDS_Security_IdentityHandle *remote_identity_handle,
+ DDS_Security_AuthRequestMessageToken *local_auth_request_token,
+ const DDS_Security_AuthRequestMessageToken *remote_auth_request_token,
+ const DDS_Security_IdentityHandle local_identity_handle,
+ const DDS_Security_IdentityToken *remote_identity_token,
+ const DDS_Security_GUID_t *remote_participant_guid,
+ DDS_Security_SecurityException *ex)
+{ +
DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ SecurityObject *obj;
+ LocalIdentityInfo *localIdent;
+ RemoteIdentityInfo *remoteIdent;
+ IdentityRelation *relation;
+ AuthenticationChallenge *lchallenge = NULL, *rchallenge = NULL;
+ int r;
+
+ /* validate provided arguments */
+ if (!instance || !remote_identity_handle || !local_auth_request_token || !remote_identity_token || !remote_participant_guid) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "validate_remote_identity: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ obj = security_object_find(impl->objectHash, local_identity_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_LOCAL_IDENTITY)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "validate_remote_identity: Invalid handle provided");
+ goto err_inv_handle;
+ }
+ localIdent = (LocalIdentityInfo *) obj;
+
+ /* Check if the provided remote_identity_token is compatible */
+ result = validate_remote_identity_token(localIdent, remote_identity_token, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_remote_identity_token;
+ }
+
+ /* When the remote_auth_request_token is not null, check if it's contents is valid and
+ * set the futureChallenge from the data contained in the remote_auth_request_token.
+ */
+ if (remote_auth_request_token) {
+ result = validate_auth_request_token(remote_auth_request_token, &rchallenge, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_auth_req_token;
+ }
+ }
+
+ if ((lchallenge = generate_challenge(ex)) == NULL) {
+ goto err_alloc_challenge;
+ }
+
+ /* The validate_remote_identity will also create a handshake structure which contains the
+ * relation between an local an remote identity. This handshake structure is inserted in
+ * the remote identity structure.
+ */
+
+ /* Check if the remote identity has already been validated by a previous validation request. */
+ remoteIdent = find_remote_identity_by_guid(impl->remoteGuidHash, remote_participant_guid);
+ if (!remoteIdent) {
+ remoteIdent = remoteIdentityInfoNew(remote_participant_guid, remote_identity_token);
+ (void)ddsrt_hh_add(impl->objectHash, remoteIdent);
+ (void)ddsrt_hh_add(impl->remoteGuidHash, remoteIdent);
+ relation = identityRelationNew(localIdent, remoteIdent, lchallenge, rchallenge);
+ (void)ddsrt_hh_add(remoteIdent->linkHash, relation);
+ } else {
+ /* When the remote identity has already been validated before,
+ check if the remote identity token matches with the existing one
+ */
+ if (!DDS_Security_DataHolder_equal(remoteIdent->remoteIdentityToken, remote_identity_token)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "validate_remote_identity: remote_identity_token does not match with previously received one");
+ goto err_inv_duplicate;
+ }
+
+ relation = find_identity_relation(remoteIdent, SECURITY_OBJECT_HANDLE(localIdent));
+ if (!relation) {
+ relation = identityRelationNew(localIdent, remoteIdent, lchallenge, rchallenge);
+ r = ddsrt_hh_add(remoteIdent->linkHash, relation);
+ assert(r);
+ (void)r;
+ } else {
+ if (remote_auth_request_token) {
+ assert(rchallenge);
+ ddsrt_free(relation->rchallenge);
+ relation->rchallenge = rchallenge;
+ }
+ ddsrt_free(lchallenge);
+ }
+ }
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+ if (!remote_auth_request_token) {
+ /* Create local_auth_request_token with contents set to the challenge */
+ fill_auth_request_token(local_auth_request_token, relation->lchallenge);
+ } else {
+ /* Set local_auth_request token to TokenNil */
+ DDS_Security_set_token_nil(local_auth_request_token);
+ }
+
+ *remote_identity_handle = IDENTITY_HANDLE(remoteIdent);;
+
+ if (memcmp(&localIdent->adjustedGUID, &remoteIdent->guid, sizeof(DDS_Security_GUID_t)) < 0) {
+ result = DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST;
+ } else {
+ result = DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE;
+ }
+
+ return result;
+
+err_inv_duplicate:
+ ddsrt_free(lchallenge);
+err_alloc_challenge:
+ ddsrt_free(rchallenge);
+err_inv_auth_req_token:
+err_remote_identity_token:
+err_inv_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+err_bad_param:
+ return DDS_SECURITY_VALIDATION_FAILED;
+}
+
+DDS_Security_ValidationResult_t
+begin_handshake_request(
+ dds_security_authentication *instance,
+ DDS_Security_HandshakeHandle *handshake_handle,
+ DDS_Security_HandshakeMessageToken *handshake_message,
+ const DDS_Security_IdentityHandle initiator_identity_handle,
+ const DDS_Security_IdentityHandle replier_identity_handle,
+ const DDS_Security_OctetSeq *serialized_local_participant_data,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ HandshakeInfo *handshake = NULL;
+ IdentityRelation *relation = NULL;
+ SecurityObject *obj;
+ LocalIdentityInfo *localIdent;
+ RemoteIdentityInfo *remoteIdent;
+ EVP_PKEY *dhkey;
+ DDS_Security_BinaryProperty_t *tokens;
+ DDS_Security_BinaryProperty_t *c_id;
+ DDS_Security_BinaryProperty_t *c_perm;
+ DDS_Security_BinaryProperty_t *c_pdata;
+ DDS_Security_BinaryProperty_t *c_dsign_algo;
+ DDS_Security_BinaryProperty_t
*c_kagree_algo; + DDS_Security_BinaryProperty_t *hash_c1; + DDS_Security_BinaryProperty_t *dh1; + DDS_Security_BinaryProperty_t *challenge; + unsigned char *certData; + unsigned char *dhPubKeyData = NULL; + uint32_t certDataSize, dhPubKeyDataSize; + int created = 0; + + /* validate provided arguments */ + if (!instance || !handshake_handle || !handshake_message || !serialized_local_participant_data) { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, + "begin_handshake_request: Invalid parameter provided"); + goto err_bad_param; + } + + ddsrt_mutex_lock(&impl->lock); + + obj = security_object_find(impl->objectHash, initiator_identity_handle); + if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_LOCAL_IDENTITY)) { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, + "begin_handshake_request: Invalid initiator_identity_handle provided"); + goto err_inv_handle; + } + localIdent = (LocalIdentityInfo *) obj; + + obj = security_object_find(impl->objectHash, replier_identity_handle); + if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_REMOTE_IDENTITY)) { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, + "begin_handshake_request: Invalid replier_identity_handle provided"); + goto err_inv_handle; + } + remoteIdent = (RemoteIdentityInfo *)obj; + + result = get_certificate_contents(localIdent->identityCert, &certData, &certDataSize, ex); + if (result != DDS_SECURITY_VALIDATION_OK) { + goto err_alloc_cid; + } + + handshake = find_handshake(impl, SECURITY_OBJECT_HANDLE(localIdent), SECURITY_OBJECT_HANDLE(remoteIdent)); + if (!handshake) { + relation = find_identity_relation(remoteIdent, SECURITY_OBJECT_HANDLE(localIdent)); + assert(relation); + handshake = handshakeInfoNew(localIdent, remoteIdent, relation); + handshake->created_in = 
CREATEDREQUEST; + (void)ddsrt_hh_add(impl->objectHash, handshake); + created = 1; + } else { + relation = handshake->relation; + assert(relation); + } + + if (!handshake->ldh) { + result = generate_dh_keys(&dhkey, localIdent->kagreeAlgoKind, ex); + if (result != DDS_SECURITY_VALIDATION_OK) { + goto err_gen_dh_keys; + } + + handshake->ldh = dhkey; + } + + result = dh_public_key_to_oct(handshake->ldh, localIdent->kagreeAlgoKind, &dhPubKeyData, &dhPubKeyDataSize, ex); + if (result != DDS_SECURITY_VALIDATION_OK) { + goto err_get_public_key; + } + + if (localIdent->pdata._length == 0) { + DDS_Security_OctetSeq_copy(&localIdent->pdata, serialized_local_participant_data); + } + + tokens = DDS_Security_BinaryPropertySeq_allocbuf(8); + c_id = &tokens[0]; + c_perm = &tokens[1]; + c_pdata = &tokens[2]; + c_dsign_algo = &tokens[3]; + c_kagree_algo = &tokens[4]; + hash_c1 = &tokens[5]; + dh1 = &tokens[6]; + challenge = &tokens[7]; + + /* Store the Identity Certificate associated with the local identify in c.id property */ + DDS_Security_BinaryProperty_set_by_ref(c_id, "c.id", certData, certDataSize); + + /* Store the permission document in the c.perm property */ + if (localIdent->permissionsDocument) { + DDS_Security_BinaryProperty_set_by_string(c_perm, "c.perm", localIdent->permissionsDocument); + } else { + DDS_Security_BinaryProperty_set_by_string(c_perm, "c.perm", ""); + } + + /* Store the provided local_participant_data in the c.pdata property */ + DDS_Security_BinaryProperty_set_by_value(c_pdata, "c.pdata", serialized_local_participant_data->_buffer, serialized_local_participant_data->_length); + + /* Set the used signing algorithm descriptor in c.dsign_algo */ + DDS_Security_BinaryProperty_set_by_string(c_dsign_algo, "c.dsign_algo", get_dsign_algo(localIdent->dsignAlgoKind)); + + /* Set the used key algorithm descriptor in c.kagree_algo */ + DDS_Security_BinaryProperty_set_by_string(c_kagree_algo, "c.kagree_algo", get_kagree_algo(localIdent->kagreeAlgoKind)); + + /* 
Calculate the hash_c1 */ + { + DDS_Security_BinaryPropertySeq bseq; + + bseq._length = 5; + bseq._buffer = tokens; + + get_hash_binary_property_seq(&bseq, handshake->hash_c1); + DDS_Security_BinaryProperty_set_by_value(hash_c1, "hash_c1", handshake->hash_c1, sizeof(HashValue_t)); + } + + /* Set the DH public key associated with the local participant in dh1 property */ + assert(dhPubKeyData); + assert(dhPubKeyDataSize < 1200); + DDS_Security_BinaryProperty_set_by_ref(dh1, "dh1", dhPubKeyData, dhPubKeyDataSize); + + /* Set the challenge in challenge1 property */ + DDS_Security_BinaryProperty_set_by_value(challenge, "challenge1", relation->lchallenge->value, sizeof(AuthenticationChallenge)); + + (void)ddsrt_hh_add(impl->objectHash, handshake); + + ddsrt_mutex_unlock(&impl->lock); + + handshake_message->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REQUEST_TOKEN_ID); + handshake_message->properties._length = 0; + handshake_message->properties._buffer = NULL; + handshake_message->binary_properties._length = 8; + handshake_message->binary_properties._buffer = tokens; + *handshake_handle = HANDSHAKE_HANDLE(handshake); + + return DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE; + +err_get_public_key: +err_gen_dh_keys: + if (created) { + (void)ddsrt_hh_remove(impl->objectHash, handshake); + security_object_free((SecurityObject *)handshake); + } +err_alloc_cid: + ddsrt_free(certData); +err_inv_handle: + ddsrt_mutex_unlock(&impl->lock); +err_bad_param: + return DDS_SECURITY_VALIDATION_FAILED; +} + +static DDS_Security_ValidationResult_t +validate_pdata( + const DDS_Security_OctetSeq *seq, + X509 *cert, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + DDS_Security_Deserializer deserializer; + DDS_Security_ParticipantBuiltinTopicData *pdata; + DDS_Security_GUID_t cguid, aguid; + + deserializer = DDS_Security_Deserializer_new(seq->_buffer, seq->_length); + if (!deserializer) { + result = DDS_SECURITY_VALIDATION_FAILED; 
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: c.pdata invalid encoding");
+ goto err_invalid_data;
+ }
+
+ pdata = DDS_Security_ParticipantBuiltinTopicData_alloc();
+
+ if (!DDD_Security_Deserialize_ParticipantBuiltinTopicData(deserializer, pdata, ex)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ goto err_incorrect_data;
+ }
+
+ memset(&cguid, 0, sizeof(DDS_Security_GUID_t));
+ result = get_adjusted_participant_guid(cert, &cguid, &aguid, ex);
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ DDS_Security_BuiltinTopicKey_t key;
+ DDD_Security_BuiltinTopicKeyBE(key, pdata->key);
+ if (memcmp(key, aguid.prefix, 6) != 0) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: c.pdata contains incorrect participant guid");
+ }
+ }
+
+err_incorrect_data:
+ DDS_Security_ParticipantBuiltinTopicData_free(pdata);
+ DDS_Security_Deserializer_free(deserializer);
+err_invalid_data:
+ return result;
+}
+
+static DDS_Security_ValidationResult_t
+validate_handshake_request_token(
+ const DDS_Security_HandshakeMessageToken *token,
+ HandshakeInfo *handshake,
+ X509Seq *trusted_ca_list,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ IdentityRelation *relation = handshake->relation;
+ X509 *identityCert;
+ const DDS_Security_BinaryProperty_t *c_id;
+ const DDS_Security_BinaryProperty_t *c_perm;
+ const DDS_Security_BinaryProperty_t *c_pdata;
+ const DDS_Security_BinaryProperty_t *c_dsign_algo;
+ const DDS_Security_BinaryProperty_t *c_kagree_algo;
+ const DDS_Security_BinaryProperty_t *dh1;
+ const DDS_Security_BinaryProperty_t *challenge;
+ const DDS_Security_BinaryProperty_t *hash_c1;
+ EVP_PKEY *pdhkey = NULL;
+ AuthenticationAlgoKind_t dsignAlgoKind;
+ AuthenticationAlgoKind_t kagreeAlgoKind;
+ unsigned i;
+
+ assert(relation);
+
+ /* Check class_id */
+ if (!token->class_id ||
+ (strncmp(AUTH_HANDSHAKE_REQUEST_TOKEN_ID, token->class_id, strlen(AUTH_HANDSHAKE_REQUEST_TOKEN_ID)) != 0)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken incorrect class_id: %s (expected %s)", token->class_id ? token->class_id: "NULL", AUTH_HANDSHAKE_REQUEST_TOKEN_ID);
+ goto err_inv_class_id;
+ }
+
+ /* Check presents of mandatory properties
+ * - c.id
+ * - c.perm
+ * - c.pdata
+ * - c.dsign_algo
+ * - c.kagree_algo
+ * - dh1
+ * - challenge1
+ */
+ c_id = DDS_Security_DataHolder_find_binary_property(token, "c.id");
+ if (!c_id || (c_id->value._length == 0) || (c_id->value._buffer == NULL)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.id missing");
+ goto err_no_c_id;
+ }
+
+ result = load_X509_certificate_from_data((char*)c_id->value._buffer, (int)c_id->value._length, &identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_identity_cert_load;
+ }
+
+ if( trusted_ca_list->length == 0 ){ //no trusted set. check with local CA
+ result = verify_certificate(identityCert, relation->localIdentity->identityCA, ex);
+ }
+ else{
+ /* Make sure we have a clean exception, in case it was uninitialized. */
+ DDS_Security_Exception_clean(ex);
+ for (i = 0; i < trusted_ca_list->length; ++i) {
+ /* We'll only return the exception of the last one, if it failed. */
+ DDS_Security_Exception_reset(ex);
+ result = verify_certificate(identityCert, trusted_ca_list->buffer[i], ex);
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ break;
+ }
+ }
+ }
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_identity_cert;
+ }
+
+ result = check_certificate_expiry( identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_identity_cert;
+ }
+
+ c_perm = DDS_Security_DataHolder_find_binary_property(token, "c.perm");
+ if (!c_perm) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.perm missing");
+ goto err_no_c_perm;
+ }
+
+ if (c_perm->value._length > 0) {
+ ddsrt_free(relation->remoteIdentity->permissionsDocument);
+ relation->remoteIdentity->permissionsDocument = string_from_data(c_perm->value._buffer, c_perm->value._length);
+ }
+
+ c_pdata = DDS_Security_DataHolder_find_binary_property(token, "c.pdata");
+ if (!c_pdata) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.pdata missing");
+ goto err_no_c_pdata;
+ }
+
+ result = validate_pdata(&c_pdata->value, identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_pdata;
+ }
+
+ c_dsign_algo = DDS_Security_DataHolder_find_binary_property(token, "c.dsign_algo");
+ if (!c_dsign_algo) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.dsign_algo missing");
+ goto err_no_c_dsign_algo;
+ }
+
+ dsignAlgoKind = get_dsign_algo_from_string((const char *)c_dsign_algo->value._buffer);
+ if (dsignAlgoKind == AUTH_ALGO_KIND_UNKNOWN) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.dsign_algo not supported");
+ goto err_no_c_dsign_algo;
+ }
+
+ c_kagree_algo = DDS_Security_DataHolder_find_binary_property(token, "c.kagree_algo");
+ if (!c_kagree_algo) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.kagree_algo missing");
+ goto err_no_c_kagree_algo;
+ }
+
+ kagreeAlgoKind = get_kagree_algo_from_string((const char *)c_kagree_algo->value._buffer);
+ if (kagreeAlgoKind == AUTH_ALGO_KIND_UNKNOWN) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.kagree_algo not support");
+ goto err_no_c_kagree_algo;
+ }
+
+ dh1 = DDS_Security_DataHolder_find_binary_property(token, "dh1");
+ if (!dh1 || dh1->value._length == 0 || dh1->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property dh1 missing");
+ goto err_no_dh;
+ }
+
+ result = dh_oct_to_public_key(&pdhkey, kagreeAlgoKind, dh1->value._buffer, dh1->value._length, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_no_dh;
+ }
+
+ challenge = DDS_Security_DataHolder_find_binary_property(token, "challenge1");
+ if (!challenge) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property challenge1 missing");
+ goto err_no_challenge;
+ }
+
+ if (challenge->value._length != sizeof(AuthenticationChallenge) || challenge->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property challenge1 invalid");
+ goto err_no_challenge;
+ }
+
+ /* When validate_remote_identity was provided with a remote_auth_request_token
+ * then the future_challenge in the remote identity was set and the challenge1
+ * property of the handshake_request_token should be the same as the
+ * future_challenge stored in the remote identity.
+ */
+ if (relation->rchallenge) {
+ if (memcmp(relation->rchallenge->value, challenge->value._buffer, sizeof(AuthenticationChallenge)) != 0) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property challenge1 does not match future_challenge");
+ goto err_no_challenge;
+ }
+ } else {
+ if (challenge->value._length == sizeof(relation->rchallenge->value)) {
+ relation->rchallenge = ddsrt_malloc(sizeof(AuthenticationChallenge));
+ memcpy(relation->rchallenge, challenge->value._buffer, challenge->value._length);
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property challenge1 invalid (incorrect size)");
+ goto err_no_challenge;
+ }
+ }
+
+ /* Compute the hash_c1 value */
+ {
+ const DDS_Security_BinaryProperty_t * binary_properties[5];
+
+ binary_properties[0] = c_id;
+ binary_properties[1] = c_perm;
+ binary_properties[2] = c_pdata;
+ binary_properties[3] = c_dsign_algo;
+ binary_properties[4] = c_kagree_algo;
+
+ (void)compute_hash_value(&handshake->hash_c1[0], binary_properties, 5, NULL);
+ }
+
+ hash_c1 = DDS_Security_DataHolder_find_binary_property(token, "hash_c1");
+ if (hash_c1) {
+ if ((hash_c1->value._length == sizeof(HashValue_t)) &&
+ (memcmp(hash_c1->value._buffer, &handshake->hash_c1, sizeof(HashValue_t)) == 0)) {
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property hash_c1 invalid (incorrect size)");
+ goto err_inv_hash_c1;
+ }
+ }
+
+ if (!relation->remoteIdentity->identityCert) {
+ relation->remoteIdentity->identityCert = identityCert;
+ } else {
+ X509_free(relation->remoteIdentity->identityCert);
+ relation->remoteIdentity->identityCert = identityCert;
+ }
+
+ relation->remoteIdentity->dsignAlgoKind = dsignAlgoKind;
+ relation->remoteIdentity->kagreeAlgoKind = kagreeAlgoKind;
+
+ DDS_Security_OctetSeq_copy(&relation->remoteIdentity->pdata, &c_pdata->value);
+
+ handshake->rdh = pdhkey;
+
+ return result;
+
+err_inv_hash_c1:
+err_no_challenge:
+ EVP_PKEY_free(pdhkey);
+err_no_dh:
+err_no_c_kagree_algo:
+err_no_c_dsign_algo:
+err_inv_pdata:
+err_no_c_pdata:
+err_no_c_perm:
+err_inv_identity_cert:
+ X509_free(identityCert);
+err_identity_cert_load:
+err_no_c_id:
+err_inv_class_id:
+ return result;
+}
+
+
+static DDS_Security_ValidationResult_t
+validate_handshake_reply_token(
+ const DDS_Security_HandshakeMessageToken *token,
+ HandshakeInfo *handshake,
+ EVP_PKEY **pdhkey,
+ X509Seq *trusted_ca_list,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ IdentityRelation *relation = handshake->relation;
+ X509 *identityCert;
+ EVP_PKEY *public_key;
+ const DDS_Security_BinaryProperty_t *c_id;
+ const DDS_Security_BinaryProperty_t *c_perm;
+ const DDS_Security_BinaryProperty_t *c_pdata;
+ const DDS_Security_BinaryProperty_t *c_dsign_algo;
+ const DDS_Security_BinaryProperty_t *c_kagree_algo;
+ const DDS_Security_BinaryProperty_t *dh1;
+ const DDS_Security_BinaryProperty_t *dh2;
+ const DDS_Security_BinaryProperty_t *hash_c1;
+ const DDS_Security_BinaryProperty_t *hash_c2;
+ const DDS_Security_BinaryProperty_t *challenge1;
+ const DDS_Security_BinaryProperty_t *challenge2;
+ const DDS_Security_BinaryProperty_t *signature;
+ AuthenticationAlgoKind_t dsignAlgoKind;
+ AuthenticationAlgoKind_t kagreeAlgoKind;
+
+ unsigned i;
+
+ assert(relation);
+
+ /* Check class_id */
+ if (!token->class_id ||
+ (strncmp(AUTH_HANDSHAKE_REPLY_TOKEN_ID, token->class_id, strlen(AUTH_HANDSHAKE_REPLY_TOKEN_ID)) != 0)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken incorrect class_id: %s (expected %s)", token->class_id ? token->class_id: "NULL", AUTH_HANDSHAKE_REPLY_TOKEN_ID);
+ goto err_inv_class_id;
+ }
+
+ /* Check presents of mandatory properties
+ * - c.id
+ * - c.perm
+ * - c.pdata
+ * - c.dsign_algo
+ * - c.kagree_algo
+ * - challenge1
+ * - dh2
+ * - challenge2
+ * - signature
+ */
+ c_id = DDS_Security_DataHolder_find_binary_property(token, "c.id");
+ if (!c_id || (c_id->value._length == 0) || (c_id->value._buffer == NULL)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.id missing");
+ goto err_no_c_id;
+ }
+
+ /* Verify Identity Certificate */
+ result = load_X509_certificate_from_data((char*)c_id->value._buffer, (int)c_id->value._length, &identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK ) {
+ goto err_identity_cert_load;
+ }
+
+ if( trusted_ca_list->length == 0 ){ //no trusted set. check with local CA
+ result = verify_certificate(identityCert, relation->localIdentity->identityCA, ex);
+ }
+ else{
+ /* Make sure we have a clean exception, in case it was uninitialized. */
+ DDS_Security_Exception_clean(ex);
+ for (i = 0; i < trusted_ca_list->length; ++i) {
+ /* We'll only return the exception of the last one, if it failed. */
+ DDS_Security_Exception_reset(ex);
+ result = verify_certificate(identityCert, trusted_ca_list->buffer[i], ex);
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ break;
+ }
+ }
+ }
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_identity_cert;
+ }
+
+ result = check_certificate_expiry( identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_identity_cert;
+ }
+
+ c_perm = DDS_Security_DataHolder_find_binary_property(token, "c.perm");
+ if (!c_perm) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.perm missing");
+ goto err_no_c_perm;
+ }
+
+ if (c_perm->value._length > 0) {
+ ddsrt_free(relation->remoteIdentity->permissionsDocument);
+ relation->remoteIdentity->permissionsDocument = string_from_data(c_perm->value._buffer, c_perm->value._length);
+ }
+
+ c_pdata = DDS_Security_DataHolder_find_binary_property(token, "c.pdata");
+ if (!c_pdata) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.pdata missing");
+ goto err_no_c_pdata;
+ }
+
+ result = validate_pdata(&c_pdata->value, identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_pdata;
+ }
+
+ c_dsign_algo = DDS_Security_DataHolder_find_binary_property(token, "c.dsign_algo");
+ if (!c_dsign_algo) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.dsign_algo missing");
+ goto err_no_c_dsign_algo;
+ }
+
+ dsignAlgoKind = get_dsign_algo_from_string((const char *)c_dsign_algo->value._buffer);
+ if (dsignAlgoKind == AUTH_ALGO_KIND_UNKNOWN) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.dsign_algo not supported");
+ goto err_no_c_dsign_algo;
+ }
+
+ c_kagree_algo = DDS_Security_DataHolder_find_binary_property(token, "c.kagree_algo");
+ if (!c_kagree_algo) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.kagree_algo missing");
+ goto err_no_c_kagree_algo;
+ }
+
+ kagreeAlgoKind = get_kagree_algo_from_string((const char *)c_kagree_algo->value._buffer);
+ if (kagreeAlgoKind == AUTH_ALGO_KIND_UNKNOWN) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.kagree_algo not support");
+ goto err_no_c_kagree_algo;
+ }
+
+ /* dh1 is optional */
+ dh1 = DDS_Security_DataHolder_find_binary_property(token, "dh1");
+ DDSRT_UNUSED_ARG(dh1); /*print it for integration purposes */
+
+ dh2 = DDS_Security_DataHolder_find_binary_property(token, "dh2");
+ if (!dh2 || dh2->value._length == 0 || dh2->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property dh2 missing");
+ goto err_no_dh;
+ }
+
+ hash_c1 = DDS_Security_DataHolder_find_binary_property(token, "hash_c1");
+ if (hash_c1) {
+ if ((hash_c1->value._length == sizeof(HashValue_t)) &&
+ (memcmp(hash_c1->value._buffer, handshake->hash_c1, sizeof(HashValue_t)) == 0)) {
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property hash_c1 invalid");
+ goto err_inv_hash_c1;
+ }
+ }
+
+ /* Compute the hash_c2 value */
+ {
+ const DDS_Security_BinaryProperty_t * binary_properties[5];
+
+ binary_properties[0] = c_id;
+ binary_properties[1] = c_perm;
+ binary_properties[2] = c_pdata;
+ binary_properties[3] = c_dsign_algo;
+ binary_properties[4] = c_kagree_algo;
+
+ (void)compute_hash_value(&handshake->hash_c2[0], binary_properties, 5, NULL);
+ }
+
+ hash_c2 = DDS_Security_DataHolder_find_binary_property(token, "hash_c2");
+ if (hash_c2) {
+ if ((hash_c2->value._length == sizeof(HashValue_t)) &&
+ (memcmp(hash_c2->value._buffer, handshake->hash_c2, sizeof(HashValue_t)) == 0)) {
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property hash_c2 invalid");
+ goto err_inv_hash_c2;
+ }
+ }
+
+ signature = DDS_Security_DataHolder_find_binary_property(token, "signature");
+ if (!signature || signature->value._length == 0 || signature->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property signature missing");
+ goto err_no_signature;
+ }
+
+ *pdhkey = NULL;
+ result = dh_oct_to_public_key(pdhkey, kagreeAlgoKind, dh2->value._buffer, dh2->value._length, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_dh;
+ }
+
+ challenge1 = DDS_Security_DataHolder_find_binary_property(token, "challenge1");
+ if (!challenge1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge1 missing");
+ goto err_no_challenge;
+ }
+
+ if (challenge1->value._length != sizeof(AuthenticationChallenge) || challenge1->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge1 invalid");
+ goto err_no_challenge;
+ }
+
+
+ challenge2 = DDS_Security_DataHolder_find_binary_property(token, "challenge2");
+ if (!challenge2) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge2 missing");
+ goto err_no_challenge;
+ }
+
+ if (challenge2->value._length != sizeof(AuthenticationChallenge) || challenge2->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge2 invalid");
+ goto err_no_challenge;
+ }
+ /* When validate_remote_identity was provided with a remote_auth_request_token
+ * then the future_challenge in the remote identity was set and the challenge2
+ * property of the handshake_reply_token should be the same as the
+ * future_challenge stored in the remote identity.
+ */ + + + + if (relation->rchallenge) { + if (memcmp(relation->rchallenge->value, challenge2->value._buffer, sizeof(AuthenticationChallenge)) != 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "process_handshake: HandshakeMessageToken property challenge2 does not match future_challenge"); + goto err_no_challenge; + } + } else { + if (challenge2->value._length == sizeof(relation->rchallenge->value)) { + relation->rchallenge = ddsrt_malloc(sizeof(AuthenticationChallenge)); + memcpy(relation->rchallenge, challenge2->value._buffer, challenge2->value._length); + } else { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "process_handshake: HandshakeMessageToken property challenge2 invalid (incorrect size)"); + goto err_no_challenge; + } + } + + + if (relation->lchallenge) { + if (memcmp(relation->lchallenge->value, challenge1->value._buffer, sizeof(AuthenticationChallenge)) != 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "process_handshake: HandshakeMessageToken property challenge1 does not match future_challenge"); + goto err_no_challenge; + } + } else { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "process_handshake: No future challenge exists for this token"); + goto err_no_challenge; + } + + + /* TODO: check if an identity certificate was already associated with the remote identity and + * when that is the case both should be the same + */ + if (!relation->remoteIdentity->identityCert) { + relation->remoteIdentity->identityCert = identityCert; + } else { + X509_free(relation->remoteIdentity->identityCert); + relation->remoteIdentity->identityCert = 
identityCert; + } + + relation->remoteIdentity->dsignAlgoKind = dsignAlgoKind; + relation->remoteIdentity->kagreeAlgoKind = kagreeAlgoKind; + + + public_key = X509_get_pubkey(relation->remoteIdentity->identityCert); + if (public_key) { + /*prepare properties*/ + const DDS_Security_BinaryProperty_t *properties[HANDSHAKE_SIGNATURE_CONTENT_SIZE]; + DDS_Security_BinaryProperty_t *hash_c1_val = hash_value_to_binary_property("hash_c1", handshake->hash_c1); + DDS_Security_BinaryProperty_t *hash_c2_val = hash_value_to_binary_property("hash_c2", handshake->hash_c2); + + properties[0] = hash_c2_val; + properties[1] = challenge2; + properties[2] = dh2; + properties[3] = challenge1; + properties[4] = dh1; + properties[5] = hash_c1_val; + + result = validate_signature(public_key,properties, HANDSHAKE_SIGNATURE_CONTENT_SIZE, signature->value._buffer,signature->value._length, ex); + + EVP_PKEY_free(public_key); + DDS_Security_BinaryProperty_free(hash_c1_val); + DDS_Security_BinaryProperty_free(hash_c2_val); + + if( result != DDS_SECURITY_VALIDATION_OK) { + goto err_inv_signature; + } + } else { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_get_pubkey failed"); + goto err_inv_identity_cert; + } + + + DDS_Security_OctetSeq_copy(&relation->remoteIdentity->pdata, &c_pdata->value); + + return result; + +err_inv_signature: +err_no_challenge: +err_inv_dh: +err_no_signature: +err_inv_hash_c2: +err_inv_hash_c1: +err_no_dh: +err_no_c_kagree_algo: +err_no_c_dsign_algo: +err_inv_pdata: +err_no_c_pdata: +err_no_c_perm: +err_inv_identity_cert: + X509_free(identityCert); +err_identity_cert_load: +err_no_c_id: +err_inv_class_id: + return result; +} + + +static DDS_Security_ValidationResult_t +validate_handshake_final_token( + const DDS_Security_HandshakeMessageToken *token, + HandshakeInfo *handshake, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = 
DDS_SECURITY_VALIDATION_OK;
+ IdentityRelation *relation = handshake->relation;
+ const DDS_Security_BinaryProperty_t *dh1;
+ const DDS_Security_BinaryProperty_t *dh2;
+ const DDS_Security_BinaryProperty_t *hash_c1;
+ const DDS_Security_BinaryProperty_t *hash_c2;
+ const DDS_Security_BinaryProperty_t *challenge1;
+ const DDS_Security_BinaryProperty_t *challenge2;
+ const DDS_Security_BinaryProperty_t *signature;
+ EVP_PKEY *public_key;
+
+ assert(relation);
+
+ /* Check class_id */
+ if (!token->class_id ||
+ (strncmp(AUTH_HANDSHAKE_FINAL_TOKEN_ID, token->class_id, strlen(AUTH_HANDSHAKE_FINAL_TOKEN_ID)) != 0)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken incorrect class_id: %s (expected %s)", token->class_id ? token->class_id: "NULL", AUTH_HANDSHAKE_FINAL_TOKEN_ID);
+ goto err_inv_class_id;
+ }
+
+ /* Check presents of mandatory properties
+ * - challenge1
+ * - challenge2
+ * - signature
+ */
+
+
+ /* dh1 is optional */
+ dh1 = DDS_Security_DataHolder_find_binary_property(token, "dh1");
+
+ DDSRT_UNUSED_ARG(dh1); /*print it for integration purposes */
+
+ /* dh2 is optional */
+ dh2 = DDS_Security_DataHolder_find_binary_property(token, "dh2");
+ DDSRT_UNUSED_ARG(dh2); /*print it for integration purposes */
+
+ /* hash_c1 is optional */
+ hash_c1 = DDS_Security_DataHolder_find_binary_property(token, "hash_c1");
+ if (hash_c1) {
+ if ((hash_c1->value._length == sizeof(HashValue_t)) &&
+ (memcmp(hash_c1->value._buffer, handshake->hash_c1, sizeof(HashValue_t)) == 0)) {
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property hash_c1 invalid");
+ goto err_inv_hash_c1;
+ }
+ }
+
+ /* hash_c2 is optional */
+ hash_c2 = DDS_Security_DataHolder_find_binary_property(token,
"hash_c2");
+ if (hash_c2) {
+ if ((hash_c2->value._length == sizeof(HashValue_t)) &&
+ (memcmp(hash_c2->value._buffer, handshake->hash_c2, sizeof(HashValue_t)) == 0)) {
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property hash_c2 invalid");
+ goto err_inv_hash_c2;
+ }
+ }
+
+ challenge1 = DDS_Security_DataHolder_find_binary_property(token, "challenge1");
+ if (!challenge1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge1 missing");
+ goto err_no_challenge;
+ }
+
+ if (challenge1->value._length != sizeof(AuthenticationChallenge) || challenge1->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge1 invalid");
+ goto err_no_challenge;
+ }
+
+
+ challenge2 = DDS_Security_DataHolder_find_binary_property(token, "challenge2");
+ if (!challenge2) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge2 missing");
+ goto err_no_challenge;
+ }
+
+ if (challenge2->value._length != sizeof(AuthenticationChallenge) || challenge2->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge2 invalid");
+ goto err_no_challenge;
+ }
+
+ /* When validate_remote_identity was provided with a remote_auth_request_token
+ * then the future_challenge in the remote
identity was set and the challenge1
+ * property of the handshake_reply_token should be the same as the
+ * future_challenge stored in the remote identity.
+ */
+
+
+
+ if (relation->rchallenge) {
+ if (memcmp(relation->rchallenge->value, challenge1->value._buffer, sizeof(AuthenticationChallenge)) != 0) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge1 does not match future_challenge");
+ goto err_no_challenge;
+ }
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: No challenge exists to check challenge1 in the token.");
+ goto err_no_challenge;
+ }
+
+ if (relation->lchallenge) {
+ if (memcmp(relation->lchallenge->value, challenge2->value._buffer, sizeof(AuthenticationChallenge)) != 0) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge2 does not match future_challenge");
+ goto err_no_challenge;
+ }
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: No challenge exists to check challenge2 in the token.");
+ goto err_no_challenge;
+ }
+
+ signature = DDS_Security_DataHolder_find_binary_property(token, "signature");
+ if (!signature) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property signature missing");
+ goto err_no_challenge;
+ }
+
+ /* Validate signature */
+ public_key = X509_get_pubkey(relation->remoteIdentity->identityCert);
+ if
(public_key) {
+ /*prepare properties*/
+ const DDS_Security_BinaryProperty_t *properties[HANDSHAKE_SIGNATURE_CONTENT_SIZE];
+ DDS_Security_BinaryProperty_t *hash_c1_val = hash_value_to_binary_property("hash_c1", handshake->hash_c1);
+ DDS_Security_BinaryProperty_t *hash_c2_val = hash_value_to_binary_property("hash_c2", handshake->hash_c2);
+
+ properties[0] = hash_c1_val;
+ properties[1] = challenge1;
+ properties[2] = dh1;
+ properties[3] = challenge2;
+ properties[4] = dh2;
+ properties[5] = hash_c2_val;
+
+ result = validate_signature(public_key,properties, HANDSHAKE_SIGNATURE_CONTENT_SIZE ,signature->value._buffer,signature->value._length,ex );
+
+ EVP_PKEY_free(public_key);
+ DDS_Security_BinaryProperty_free(hash_c1_val);
+ DDS_Security_BinaryProperty_free(hash_c2_val);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_signature;
+ }
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_get_pubkey failed");
+ goto err_inv_identity_cert;
+ }
+
+err_inv_hash_c2:
+err_inv_hash_c1:
+err_no_challenge:
+err_inv_class_id:
+err_inv_identity_cert:
+err_inv_signature:
+ return result;
+}
+
+DDS_Security_ValidationResult_t
+begin_handshake_reply(
+ dds_security_authentication *instance,
+ DDS_Security_HandshakeHandle *handshake_handle,
+ DDS_Security_HandshakeMessageToken *handshake_message_out,
+ const DDS_Security_HandshakeMessageToken *handshake_message_in,
+ const DDS_Security_IdentityHandle initiator_identity_handle,
+ const DDS_Security_IdentityHandle replier_identity_handle,
+ const DDS_Security_OctetSeq *serialized_local_participant_data,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ HandshakeInfo *handshake = NULL;
+ IdentityRelation *relation = NULL;
+ SecurityObject *obj;
+
LocalIdentityInfo *localIdent;
+ RemoteIdentityInfo *remoteIdent;
+ EVP_PKEY *dhkeyLocal = NULL;
+ DDS_Security_BinaryProperty_t *tokens;
+ DDS_Security_BinaryProperty_t *c_id;
+ DDS_Security_BinaryProperty_t *c_perm;
+ DDS_Security_BinaryProperty_t *c_pdata;
+ DDS_Security_BinaryProperty_t *c_dsign_algo;
+ DDS_Security_BinaryProperty_t *c_kagree_algo;
+ DDS_Security_BinaryProperty_t *hash_c1;
+ const DDS_Security_BinaryProperty_t *hash_c1_ref;
+ DDS_Security_BinaryProperty_t *hash_c2;
+ DDS_Security_BinaryProperty_t *dh1;
+ const DDS_Security_BinaryProperty_t *dh1_ref;
+ DDS_Security_BinaryProperty_t *dh2;
+ DDS_Security_BinaryProperty_t *challenge1;
+ DDS_Security_BinaryProperty_t *challenge2;
+ DDS_Security_BinaryProperty_t *signature;
+ unsigned char *certData;
+ unsigned char *dhPubKeyData;
+ uint32_t certDataSize, dhPubKeyDataSize;
+ uint32_t tokenSize, idx;
+ int created = 0;
+
+ /* validate provided arguments */
+ if (!instance || !handshake_handle || !handshake_message_out || !handshake_message_in || !serialized_local_participant_data) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "begin_handshake_reply: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ if ((serialized_local_participant_data->_length == 0) || (serialized_local_participant_data->_buffer == NULL)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "begin_handshake_reply: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ obj = security_object_find(impl->objectHash, replier_identity_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_LOCAL_IDENTITY)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "begin_handshake_reply: Invalid replier_identity_handle provided");
+ goto err_inv_handle;
+
}
+ localIdent = (LocalIdentityInfo *) obj;
+
+ obj = security_object_find(impl->objectHash, initiator_identity_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_REMOTE_IDENTITY)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "begin_handshake_reply: Invalid initiator_identity_handle provided");
+ goto err_inv_handle;
+ }
+ remoteIdent = (RemoteIdentityInfo *)obj;
+
+ handshake = find_handshake(impl, SECURITY_OBJECT_HANDLE(localIdent), SECURITY_OBJECT_HANDLE(remoteIdent));
+ if (!handshake) {
+ relation = find_identity_relation(remoteIdent, SECURITY_OBJECT_HANDLE(localIdent));
+ assert(relation);
+ handshake = handshakeInfoNew(localIdent, remoteIdent, relation);
+ handshake->created_in = CREATEDREPLY;
+ (void)ddsrt_hh_add(impl->objectHash, handshake);
+ created = 1;
+ } else {
+ relation = handshake->relation;
+ assert(relation);
+ }
+
+ result = validate_handshake_request_token(handshake_message_in, handshake, &(impl->trustedCAList), ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_token;
+ }
+
+ result = get_certificate_contents(localIdent->identityCert, &certData, &certDataSize, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_alloc_cid;
+ }
+
+ if (!handshake->ldh) {
+ result = generate_dh_keys(&dhkeyLocal, remoteIdent->kagreeAlgoKind, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_gen_dh_keys;
+ }
+
+ handshake->ldh = dhkeyLocal;
+ EVP_PKEY_copy_parameters(handshake->rdh, handshake->ldh);
+ }
+
+ result = dh_public_key_to_oct(handshake->ldh, remoteIdent->kagreeAlgoKind, &dhPubKeyData, &dhPubKeyDataSize, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_get_public_key;
+ }
+
+ if (localIdent->pdata._length == 0) {
+ DDS_Security_OctetSeq_copy(&localIdent->pdata, serialized_local_participant_data);
+ }
+
+ hash_c1_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in, "hash_c1");
+
tokenSize = hash_c1_ref ? 12 : 11;
+
+ tokens = DDS_Security_BinaryPropertySeq_allocbuf(tokenSize);
+ idx = 0;
+ c_id = &tokens[idx++];
+ c_perm = &tokens[idx++];
+ c_pdata = &tokens[idx++];
+ c_dsign_algo = &tokens[idx++];
+ c_kagree_algo = &tokens[idx++];
+ signature = &tokens[idx++];
+ hash_c2 = &tokens[idx++];
+ challenge2 = &tokens[idx++];
+ dh2 = &tokens[idx++];
+ challenge1 = &tokens[idx++];
+ dh1 = &tokens[idx++];
+ hash_c1 = hash_c1_ref ? &tokens[idx++] : NULL;
+
+ /* Store the Identity Certificate associated with the local identify in c.id property */
+ DDS_Security_BinaryProperty_set_by_ref(c_id, "c.id", certData, certDataSize);
+ certData = NULL;
+
+ /* Store the permission document in the c.perm property */
+ if (localIdent->permissionsDocument) {
+ DDS_Security_BinaryProperty_set_by_string(c_perm, "c.perm", localIdent->permissionsDocument);
+ } else {
+ DDS_Security_BinaryProperty_set_by_string(c_perm, "c.perm", "");
+ }
+
+ /* Store the provided local_participant_data in the c.pdata property */
+ DDS_Security_BinaryProperty_set_by_value(c_pdata, "c.pdata", serialized_local_participant_data->_buffer, serialized_local_participant_data->_length);
+
+ /* Set the used signing algorithm descriptor in c.dsign_algo */
+ DDS_Security_BinaryProperty_set_by_string(c_dsign_algo, "c.dsign_algo", get_dsign_algo(localIdent->dsignAlgoKind));
+
+ /* Set the used key algorithm descriptor in c.kagree_algo */
+ DDS_Security_BinaryProperty_set_by_string(c_kagree_algo, "c.kagree_algo", get_kagree_algo(remoteIdent->kagreeAlgoKind));
+
+ /* Calculate the hash_c2 */
+ {
+ DDS_Security_BinaryPropertySeq bseq;
+
+ bseq._length = 5;
+ bseq._buffer = tokens;
+
+ get_hash_binary_property_seq(&bseq, handshake->hash_c2);
+ DDS_Security_BinaryProperty_set_by_value(hash_c2, "hash_c2", handshake->hash_c2, sizeof(HashValue_t));
+ }
+
+ /* Set the DH public key associated with the local participant in dh2 property */
+ DDS_Security_BinaryProperty_set_by_ref(dh2, "dh2", dhPubKeyData,
dhPubKeyDataSize);
+
+ /* Set the DH public key associated with the local participant in hash_c1 property */
+ if (hash_c1) {
+ DDS_Security_BinaryProperty_set_by_value(hash_c1, "hash_c1", hash_c1_ref->value._buffer, hash_c1_ref->value._length);
+ }
+
+ /* Set the DH public key associated with the local participant in dh1 property */
+ if (dh1) {
+ dh1_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in, "dh1");
+ if (dh1_ref) {
+ DDS_Security_BinaryProperty_set_by_value(dh1, "dh1", dh1_ref->value._buffer, dh1_ref->value._length);
+ }
+ }
+
+ /* Set the challenge in challenge1 property */
+ assert(relation->rchallenge);
+ DDS_Security_BinaryProperty_set_by_value(challenge1, "challenge1", relation->rchallenge->value, sizeof(AuthenticationChallenge));
+
+ /* Set the challenge in challenge2 property */
+ assert(relation->lchallenge);
+
+ DDS_Security_BinaryProperty_set_by_value(challenge2, "challenge2", relation->lchallenge->value, sizeof(AuthenticationChallenge));
+
+ /* Calculate the signature */
+ {
+ unsigned char *sign;
+ size_t signlen;
+ const DDS_Security_BinaryProperty_t * binary_properties[ HANDSHAKE_SIGNATURE_CONTENT_SIZE ];
+ DDS_Security_BinaryProperty_t *hash_c1_val = hash_value_to_binary_property("hash_c1", handshake->hash_c1);
+ DDS_Security_BinaryProperty_t *hash_c2_val = hash_value_to_binary_property("hash_c2", handshake->hash_c2);
+
+ binary_properties[0] = hash_c2_val;
+ binary_properties[1] = challenge2;
+ binary_properties[2] = dh2;
+ binary_properties[3] = challenge1;
+ binary_properties[4] = dh1;
+ binary_properties[5] = hash_c1_val;
+
+ result = create_signature(localIdent->privateKey, binary_properties, HANDSHAKE_SIGNATURE_CONTENT_SIZE , &sign, &signlen, ex);
+
+ DDS_Security_BinaryProperty_free(hash_c1_val);
+ DDS_Security_BinaryProperty_free(hash_c2_val);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_signature;
+ }
+ DDS_Security_BinaryProperty_set_by_ref(signature, "signature", sign, (uint32_t)signlen);
+ }
+
+ (void)ddsrt_hh_add(impl->objectHash, handshake);
+
+ handshake_message_out->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REPLY_TOKEN_ID);
+ handshake_message_out->binary_properties._length = tokenSize;
+ handshake_message_out->binary_properties._buffer = tokens;
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+
+ *handshake_handle = HANDSHAKE_HANDLE(handshake);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ result = DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE;
+ }
+
+ return result;
+
+err_signature:
+ free_binary_properties(tokens, tokenSize);
+err_get_public_key:
+err_gen_dh_keys:
+ ddsrt_free(certData);
+err_alloc_cid:
+err_inv_token:
+ if (created) {
+ (void)ddsrt_hh_remove(impl->objectHash, handshake);
+ security_object_free((SecurityObject *)handshake);
+ }
+err_inv_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+err_bad_param:
+ return DDS_SECURITY_VALIDATION_FAILED;
+}
+
+
+static bool
+generate_shared_secret(
+ const HandshakeInfo *handshake,
+ unsigned char **shared_secret,
+ DDS_Security_long *length,
+ DDS_Security_SecurityException *ex)
+{
+ bool result = false;
+ EVP_PKEY_CTX *ctx;
+ size_t skeylen;
+ unsigned char *secret = NULL;
+
+ *shared_secret = NULL;
+
+ ctx = EVP_PKEY_CTX_new( handshake->ldh, NULL /* no engine */);
+ if (!ctx)
+ {
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "process_handshake: Shared secret failed to create context: ");
+ goto fail_ctx_new;
+ }
+
+ if (EVP_PKEY_derive_init(ctx) <= 0)
+ {
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "process_handshake: Shared secret failed to initialize context: ");
+ goto fail_derive;
+ }
+ if (EVP_PKEY_derive_set_peer(ctx, handshake->rdh) <= 0)
+ {
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+
"process_handshake: Shared secret failed to set peer key: ");
+ goto fail_derive;
+ }
+
+ /* Determine buffer length */
+ if (EVP_PKEY_derive(ctx, NULL, &skeylen) <= 0)
+ {
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "process_handshake: Shared secret failed to determine key length: ");
+ goto fail_derive;
+ }
+
+ secret = ddsrt_malloc(skeylen);
+ if (EVP_PKEY_derive(ctx, secret, &skeylen) <= 0)
+ {
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "process_handshake: Could not compute the shared secret: ");
+ goto fail_derive;
+ }
+
+ *shared_secret = ddsrt_malloc(SHA256_DIGEST_LENGTH);
+ *length = SHA256_DIGEST_LENGTH;
+
+ SHA256(secret, skeylen, *shared_secret);
+
+ result = true;
+
+fail_derive:
+ ddsrt_free(secret);
+ EVP_PKEY_CTX_free(ctx);
+fail_ctx_new:
+ return result;
+}
+
+
+
+
+DDS_Security_ValidationResult_t
+process_handshake(
+ dds_security_authentication *instance,
+ DDS_Security_HandshakeMessageToken *handshake_message_out,
+ const DDS_Security_HandshakeMessageToken *handshake_message_in,
+ const DDS_Security_HandshakeHandle handshake_handle,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ HandshakeInfo *handshake = NULL;
+ IdentityRelation *relation = NULL;
+ SecurityObject *obj;
+ EVP_PKEY *dhkeyRemote = NULL;
+ DDS_Security_BinaryProperty_t *tokens = NULL;
+ DDS_Security_BinaryProperty_t *hash_c1 = NULL;
+ const DDS_Security_BinaryProperty_t *hash_c1_ref;
+ const DDS_Security_BinaryProperty_t *hash_c2_ref;
+ const DDS_Security_BinaryProperty_t *challenge1_ref;
+ const DDS_Security_BinaryProperty_t *challenge2_ref;
+ const DDS_Security_BinaryProperty_t *dh1_ref;
+ const DDS_Security_BinaryProperty_t
*dh2_ref;
+ DDS_Security_BinaryProperty_t *hash_c2 = NULL;
+ DDS_Security_BinaryProperty_t *dh1;
+ DDS_Security_BinaryProperty_t *dh2;
+ DDS_Security_BinaryProperty_t *challenge1;
+ DDS_Security_BinaryProperty_t *challenge2;
+ DDS_Security_BinaryProperty_t *signature;
+ uint32_t tokenSize=0, idx;
+ DDS_Security_octet * challenge1_ref_for_shared_secret, *challenge2_ref_for_shared_secret;
+
+ /* validate provided arguments */
+ if (!instance || !handshake_handle || !handshake_message_out || !handshake_message_in) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "process_handshake: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ memset(handshake_message_out, 0, sizeof(DDS_Security_HandshakeMessageToken));
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ obj = security_object_find(impl->objectHash, handshake_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_HANDSHAKE)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "process_handshake: Invalid replier_identity_handle provided");
+ goto err_inv_handle;
+ }
+ handshake = (HandshakeInfo *) obj;
+ relation = handshake->relation;
+ assert(relation);
+
+ /* check if the handle created by a handshake_request or handshake_reply */
+
+ switch (handshake->created_in) {
+ case CREATEDREQUEST:
+ /* The source of the handshake_handle is a begin_handshake_request function
+ * So, handshake_message_in should have been came from a remote begin_handshake_reply function
+ */
+ /* Verify Message Token contents according to Spec 9.3.2.5.2 (Reply Message) */
+ result = validate_handshake_reply_token(handshake_message_in, handshake, &dhkeyRemote, &(impl->trustedCAList), ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_token;
+ }
+
+ /*set received remote DH (dh2) */
+ handshake->rdh = dhkeyRemote;
+
+ EVP_PKEY_copy_parameters(handshake->rdh,
handshake->ldh);
+
+ /* Prepare HandshakeFinalMessageToken */
+
+ /* Get references from message_in */
+ hash_c1_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in, "hash_c1");
+ hash_c2_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in, "hash_c2");
+ dh1_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in, "dh1");
+ dh2_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in, "dh2");
+ challenge1_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in,
+ "challenge1");
+ challenge2_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in,
+ "challenge2");
+
+ tokenSize = 3; /* challenge1, challenge2 and signature are already exist */
+ if (hash_c1_ref)
+ tokenSize++;
+ if (hash_c2_ref)
+ tokenSize++;
+ if (dh1_ref)
+ tokenSize++;
+ if (dh2_ref)
+ tokenSize++;
+
+ tokens = DDS_Security_BinaryPropertySeq_allocbuf(tokenSize);
+ idx = 0;
+ signature = &tokens[idx++];
+ hash_c2 = hash_c2_ref ? &tokens[idx++] : NULL;
+ challenge2 = &tokens[idx++];
+ dh2 = dh2_ref ? &tokens[idx++] : NULL;
+ challenge1 = &tokens[idx++];
+ dh1 = dh1_ref ? &tokens[idx++] : NULL;
+ hash_c1 = hash_c1_ref ?
&tokens[idx++] : NULL;
+
+ if (hash_c1) {
+ DDS_Security_BinaryProperty_set_by_value(hash_c1, "hash_c1", hash_c1_ref->value._buffer,
+ hash_c1_ref->value._length);
+ }
+ if (hash_c2) {
+ DDS_Security_BinaryProperty_set_by_value(hash_c2, "hash_c2", hash_c2_ref->value._buffer,
+ hash_c2_ref->value._length);
+ }
+ if (dh1) {
+ DDS_Security_BinaryProperty_set_by_value(dh1, "dh1", dh1_ref->value._buffer,
+ dh1_ref->value._length);
+ }
+ if (dh2) {
+ DDS_Security_BinaryProperty_set_by_value(dh2, "dh2", dh2_ref->value._buffer,
+ dh2_ref->value._length);
+ }
+ assert(relation->lchallenge);
+ if (challenge1 && challenge1_ref) {
+ DDS_Security_BinaryProperty_set_by_value(challenge1, "challenge1", challenge1_ref->value._buffer,
+ challenge1_ref->value._length);
+ }
+ assert(relation->rchallenge);
+ if (challenge2 && challenge2_ref) {
+ DDS_Security_BinaryProperty_set_by_value(challenge2, "challenge2", challenge2_ref->value._buffer,
+ challenge2_ref->value._length);
+ }
+
+
+ /* Calculate the signature */
+ {
+ const DDS_Security_BinaryProperty_t * binary_properties[ HANDSHAKE_SIGNATURE_CONTENT_SIZE ];
+ DDS_Security_BinaryProperty_t *hash_c1_val = hash_value_to_binary_property("hash_c1", handshake->hash_c1);
+ DDS_Security_BinaryProperty_t *hash_c2_val = hash_value_to_binary_property("hash_c2", handshake->hash_c2);
+ unsigned char *sign;
+ size_t signlen;
+
+ binary_properties[0] = hash_c1_val;
+ binary_properties[1] = challenge1;
+ binary_properties[2] = dh1;
+ binary_properties[3] = challenge2;
+ binary_properties[4] = dh2;
+ binary_properties[5] = hash_c2_val;
+
+ result = create_signature(relation->localIdentity->privateKey, binary_properties, HANDSHAKE_SIGNATURE_CONTENT_SIZE, &sign, &signlen, ex);
+
+ DDS_Security_BinaryProperty_free(hash_c1_val);
+ DDS_Security_BinaryProperty_free(hash_c2_val);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_signature;
+ }
+
+ DDS_Security_BinaryProperty_set_by_ref(signature, "signature", sign, (uint32_t)signlen);
+ }
+
+
handshake_message_out->class_id = ddsrt_strdup(AUTH_HANDSHAKE_FINAL_TOKEN_ID);
+ handshake_message_out->binary_properties._length = tokenSize;
+ handshake_message_out->binary_properties._buffer = tokens;
+
+ challenge1_ref_for_shared_secret = (DDS_Security_octet*)(handshake->relation->lchallenge);
+ challenge2_ref_for_shared_secret = (DDS_Security_octet*)(handshake->relation->rchallenge);
+
+ result = DDS_SECURITY_VALIDATION_OK_FINAL_MESSAGE;
+
+ break;
+ case CREATEDREPLY:
+ /* The source of the handshake_handle is a begin_handshake_reply function
+ * So, handshake_message_in should have been came from a remote process_handshake function
+ */
+
+ /* Verify Message Token contents according to Spec 9.3.2.5.3 (Final Message) */
+ result = validate_handshake_final_token(handshake_message_in, handshake, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_token;
+ }
+
+
+ challenge2_ref_for_shared_secret = (DDS_Security_octet*)(handshake->relation->lchallenge);
+ challenge1_ref_for_shared_secret = (DDS_Security_octet*)(handshake->relation->rchallenge);
+
+ result = DDS_SECURITY_VALIDATION_OK;
+
+ break;
+ default:
+ ddsrt_mutex_unlock(&impl->lock);
+ goto err_bad_param;
+ }
+
+ /* Compute shared secret */
+ {
+ DDS_Security_long shared_secret_length;
+ unsigned char *shared_secret;
+
+ if (!generate_shared_secret(handshake, &shared_secret, &shared_secret_length, ex)) {
+ goto err_openssl;
+ }
+
+ handshake->shared_secret_handle_impl = ddsrt_malloc( sizeof(DDS_Security_SharedSecretHandleImpl));
+ handshake->shared_secret_handle_impl->shared_secret = shared_secret;
+ handshake->shared_secret_handle_impl->shared_secret_size = shared_secret_length;
+
+ /* put references to challenge1 and challenge2 into shared secret object */
+ memcpy( handshake->shared_secret_handle_impl->challenge1, challenge1_ref_for_shared_secret, DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE);
+ memcpy( handshake->shared_secret_handle_impl->challenge2, challenge2_ref_for_shared_secret,
DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE);
+ }
+
+ { /* setup expiry listener */
+ dds_time_t certExpiry = get_certificate_expiry( handshake->relation->remoteIdentity->identityCert );
+
+ if( certExpiry == DDS_TIME_INVALID ){
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Expiry date of the certificate is invalid");
+ goto err_invalid_expiry;
+ } else if( certExpiry != DDS_NEVER ){
+ add_validity_end_trigger( impl,
+ IDENTITY_HANDLE( handshake->relation->remoteIdentity ),
+ certExpiry);
+ }
+
+ }
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+ return result;
+
+err_invalid_expiry:
+ ddsrt_free( handshake->shared_secret_handle_impl->shared_secret );
+ ddsrt_free( handshake->shared_secret_handle_impl );
+err_openssl:
+err_signature:
+ if (handshake_message_out->class_id) {
+ DDS_Security_DataHolder_deinit(handshake_message_out);
+ }
+err_inv_token:
+err_inv_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+err_bad_param:
+ return DDS_SECURITY_VALIDATION_FAILED;
+}
+
+DDS_Security_SharedSecretHandle get_shared_secret(
+ dds_security_authentication *instance,
+ const DDS_Security_HandshakeHandle handshake_handle,
+ DDS_Security_SecurityException *ex)
+{
+
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ SecurityObject *obj;
+
+ /* validate provided arguments */
+ if (!instance || !handshake_handle) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_handshake_handle: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+ obj = security_object_find(impl->objectHash, handshake_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_HANDSHAKE)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_handshake_handle: Invalid handle provided");
+ goto err_invalid_handle;
+ }
+
+ ddsrt_mutex_unlock(&impl->lock);
+ return (DDS_Security_SharedSecretHandle)(ddsrt_address)((HandshakeInfo*)obj)->shared_secret_handle_impl;
+
+
+ err_invalid_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+ err_bad_param:
+ return DDS_SECURITY_HANDLE_NIL;
+}
+
+DDS_Security_boolean
+get_authenticated_peer_credential_token(
+ dds_security_authentication *instance,
+ DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token,
+ const DDS_Security_HandshakeHandle handshake_handle,
+ DDS_Security_SecurityException *ex)
+{
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ HandshakeInfo *handshake = NULL;
+ X509 *identity_cert;
+ char *permissions_doc;
+ unsigned char *cert_data;
+ uint32_t cert_data_size;
+
+ /* validate provided arguments */
+ if (!instance || !handshake_handle || !peer_credential_token) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0,
+ DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+ return false;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ handshake = (HandshakeInfo *) security_object_find(impl->objectHash, handshake_handle);
+ if (!handshake || !SECURITY_OBJECT_VALID(handshake, SECURITY_OBJECT_KIND_HANDSHAKE)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0,
+ DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+ goto err_inv_handle;
+ }
+
+ identity_cert = handshake->relation->remoteIdentity->identityCert;
+ if (!identity_cert) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_OPERATION_NOT_PERMITTED_CODE, 0,
+ DDS_SECURITY_ERR_OPERATION_NOT_PERMITTED_MESSAGE);
+ goto err_missing_attr;
+ }
+
+ permissions_doc = handshake->relation->remoteIdentity->permissionsDocument;
+ if (!permissions_doc) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_MISSING_REMOTE_PERMISSIONS_DOCUMENT_CODE, 0,
+
DDS_SECURITY_ERR_MISSING_REMOTE_PERMISSIONS_DOCUMENT_MESSAGE);
+ goto err_missing_attr;
+ }
+
+ if (get_certificate_contents(identity_cert, &cert_data, &cert_data_size, ex) != DDS_SECURITY_VALIDATION_OK) {
+ goto err_alloc_cid;
+ }
+
+ memset(peer_credential_token, 0, sizeof(*peer_credential_token));
+
+ peer_credential_token->class_id = get_authentication_class_id();
+
+ peer_credential_token->properties._length = 2;
+ peer_credential_token->properties._buffer = DDS_Security_PropertySeq_allocbuf(peer_credential_token->properties._length);
+
+ peer_credential_token->properties._buffer[0].name = ddsrt_strdup("c.id");
+ peer_credential_token->properties._buffer[0].value = (char *)cert_data;
+ peer_credential_token->properties._buffer[0].propagate = false;
+
+ peer_credential_token->properties._buffer[1].name = ddsrt_strdup("c.perm");
+ peer_credential_token->properties._buffer[1].value = ddsrt_strdup(permissions_doc);
+ peer_credential_token->properties._buffer[1].propagate = false;
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+ return true;
+
+err_alloc_cid:
+err_missing_attr:
+err_inv_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+ return false;
+}
+
+DDS_Security_boolean set_listener(dds_security_authentication *instance,
+ const dds_security_authentication_listener *listener,
+ DDS_Security_SecurityException *ex)
+{
+ dds_security_authentication_impl *auth = (dds_security_authentication_impl*)instance;
+
+ DDSRT_UNUSED_ARG(auth);
+ DDSRT_UNUSED_ARG(listener);
+ DDSRT_UNUSED_ARG(ex);
+
+ /* Will be enabled after timed call back feature implementation */
+#if TIMED_CALLBACK_IMPLEMENTED
+ if (listener) {
+ ut_timed_dispatcher_enable(auth->timed_callbacks, (void*)listener);
+ } else {
+ ut_timed_dispatcher_disable(auth->timed_callbacks);
+ }
+#endif
+ return true;
+}
+
+DDS_Security_boolean return_identity_token(dds_security_authentication *instance,
+ const DDS_Security_IdentityToken *token,
+ DDS_Security_SecurityException *ex)
+{
+ DDSRT_UNUSED_ARG(token);
+
DDSRT_UNUSED_ARG(ex);
+ DDSRT_UNUSED_ARG(instance);
+
+ return true;
+}
+
+DDS_Security_boolean return_identity_status_token(
+ dds_security_authentication *instance,
+ const DDS_Security_IdentityStatusToken *token,
+ DDS_Security_SecurityException *ex)
+{
+ DDSRT_UNUSED_ARG(token);
+ DDSRT_UNUSED_ARG(ex);
+ DDSRT_UNUSED_ARG(instance);
+
+ return true;
+}
+
+DDS_Security_boolean return_authenticated_peer_credential_token(
+ dds_security_authentication *instance,
+ const DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token,
+ DDS_Security_SecurityException *ex)
+{
+ if ((!instance) || (!peer_credential_token)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+ return false;
+ }
+
+ DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)peer_credential_token);
+
+ return true;
+}
+
+DDS_Security_boolean
+return_handshake_handle(dds_security_authentication *instance,
+ const DDS_Security_HandshakeHandle handshake_handle,
+ DDS_Security_SecurityException *ex)
+{
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ SecurityObject *obj;
+ HandshakeInfo *handshake;
+
+ /* validate provided arguments */
+ if (!instance || !handshake_handle) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_handshake_handle: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+ obj = security_object_find(impl->objectHash, handshake_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_HANDSHAKE)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_handshake_handle: Invalid handle provided");
+ goto err_invalid_handle;
+ }
+ handshake = (HandshakeInfo *)obj;
+
+ assert(handshake->relation);
+
+
(void)ddsrt_hh_remove(impl->objectHash, obj); + security_object_free((SecurityObject *)handshake); + + ddsrt_mutex_unlock(&impl->lock); + + return true; + +err_invalid_handle: + ddsrt_mutex_unlock(&impl->lock); +err_bad_param: + return false; +} + + +static void +invalidate_local_related_objects( + dds_security_authentication_impl *impl, + LocalIdentityInfo *localIdent) +{ + struct ddsrt_hh_iter it; + SecurityObject *obj; + + for (obj = ddsrt_hh_iter_first(impl->objectHash, &it); obj != NULL; obj = ddsrt_hh_iter_next(&it)) { + if (obj->kind == SECURITY_OBJECT_KIND_REMOTE_IDENTITY) { + RemoteIdentityInfo *remoteIdent = (RemoteIdentityInfo *)obj; + IdentityRelation *relation; + HandshakeInfo *handshake; + + handshake = find_handshake(impl, SECURITY_OBJECT_HANDLE(localIdent), SECURITY_OBJECT_HANDLE(remoteIdent)); + if (handshake) { + (void)ddsrt_hh_remove(impl->objectHash, handshake); + security_object_free((SecurityObject *) handshake); + } + + relation = find_identity_relation(remoteIdent, SECURITY_OBJECT_HANDLE(localIdent)); + if (relation) { + remove_identity_relation(remoteIdent, relation); + } + } + } +} + +static void +invalidate_remote_related_objects( + dds_security_authentication_impl *impl, + RemoteIdentityInfo *remoteIdentity) +{ + struct ddsrt_hh_iter it; + IdentityRelation *relation; + HandshakeInfo *handshake; + + for (relation = ddsrt_hh_iter_first(remoteIdentity->linkHash, &it); relation != NULL; relation = ddsrt_hh_iter_next(&it)) { + handshake = find_handshake(impl, SECURITY_OBJECT_HANDLE(relation->localIdentity), SECURITY_OBJECT_HANDLE(remoteIdentity)); + if (handshake) { + (void)ddsrt_hh_remove(impl->objectHash, handshake); + security_object_free((SecurityObject *) handshake); + } + + (void)ddsrt_hh_remove(remoteIdentity->linkHash, relation); + security_object_free((SecurityObject *) relation); + } +} + +DDS_Security_boolean +return_identity_handle( + dds_security_authentication *instance, + const DDS_Security_IdentityHandle identity_handle, + 
DDS_Security_SecurityException *ex) +{ + DDS_Security_boolean result = true; + dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance; + SecurityObject *obj; + LocalIdentityInfo *localIdent; + RemoteIdentityInfo *remoteIdent; + + /* validate provided arguments */ + if (!instance || !identity_handle) { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_identity_handle: Invalid parameter provided"); + goto err_bad_param; + } + + /* Currently the implementation of the handle does not provide information + * about the kind of handle. In this case a valid handle could refer to a + * LocalIdentityObject or a RemoteIdentityObject + */ + + ddsrt_mutex_lock(&impl->lock); + + obj = security_object_find(impl->objectHash, identity_handle); + if (!obj) { + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_identity_handle: Invalid handle provided"); + goto err_invalid_handle; + } + + switch (obj->kind) { + case SECURITY_OBJECT_KIND_LOCAL_IDENTITY: + localIdent = (LocalIdentityInfo *) obj; + invalidate_local_related_objects(impl, localIdent); + (void)ddsrt_hh_remove(impl->objectHash, obj); + security_object_free(obj); + break; + case SECURITY_OBJECT_KIND_REMOTE_IDENTITY: + remoteIdent = (RemoteIdentityInfo *) obj; + invalidate_remote_related_objects(impl, remoteIdent); + (void)ddsrt_hh_remove(impl->remoteGuidHash, remoteIdent); + (void)ddsrt_hh_remove(impl->objectHash, obj); + security_object_free(obj); + break; + default: + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_identity_handle: Invalid handle provided"); + result = false; + break; + } + + ddsrt_mutex_unlock(&impl->lock); + + return result; + +err_invalid_handle: + ddsrt_mutex_unlock(&impl->lock); +err_bad_param: + return false; +} + 
+DDS_Security_boolean return_sharedsecret_handle( + dds_security_authentication *instance, + const DDS_Security_SharedSecretHandle sharedsecret_handle, + DDS_Security_SecurityException *ex) +{ + DDSRT_UNUSED_ARG(sharedsecret_handle); + DDSRT_UNUSED_ARG(ex); + DDSRT_UNUSED_ARG(instance); + + return true; +} + +int32_t init_authentication( const char *argument, void **context) +{ + + dds_security_authentication_impl *authentication; + + DDSRT_UNUSED_ARG(argument); + + /* allocate implementation wrapper */ + authentication = (dds_security_authentication_impl*) ddsrt_malloc( + sizeof(dds_security_authentication_impl)); + memset(authentication, 0, sizeof(dds_security_authentication_impl)); + + /* assign dispatcher to be notified when a validity date ends */ + /* Disable it until timed callback is ready */ + /*authentication->timed_callbacks = ut_timed_dispatcher_new(); */ + + /* assign the interface functions */ + authentication->base.validate_local_identity = &validate_local_identity; + + authentication->base.get_identity_token = &get_identity_token; + + authentication->base.get_identity_status_token = &get_identity_status_token; + + authentication->base.set_permissions_credential_and_token = + &set_permissions_credential_and_token; + + authentication->base.validate_remote_identity = &validate_remote_identity; + + authentication->base.begin_handshake_request = &begin_handshake_request; + + authentication->base.begin_handshake_reply = &begin_handshake_reply; + + authentication->base.process_handshake = &process_handshake; + + authentication->base.get_shared_secret = &get_shared_secret; + + authentication->base.get_authenticated_peer_credential_token = + &get_authenticated_peer_credential_token; + + authentication->base.set_listener = &set_listener; + + authentication->base.return_identity_token = &return_identity_token; + + authentication->base.return_identity_status_token = + &return_identity_status_token; + + 
authentication->base.return_authenticated_peer_credential_token = + &return_authenticated_peer_credential_token; + + authentication->base.return_handshake_handle = &return_handshake_handle; + + authentication->base.return_identity_handle = &return_identity_handle; + + authentication->base.return_sharedsecret_handle = &return_sharedsecret_handle; + + //prepare implementation wrapper + authentication->id = 1; + + ddsrt_mutex_init(&authentication->lock); + + authentication->objectHash = ddsrt_hh_new(32, security_object_hash, security_object_equal); + authentication->remoteGuidHash = ddsrt_hh_new(32, remote_guid_hash, remote_guid_equal); + + memset( &authentication->trustedCAList, 0, sizeof(X509Seq)); + + + /* Initialize openssl */ + OpenSSL_add_all_algorithms(); + OpenSSL_add_all_ciphers(); + OpenSSL_add_all_digests(); + ERR_load_BIO_strings(); + ERR_load_crypto_strings(); + + //return the instance + *context = authentication; + return 0; + +/* we can not get ddsrt_mutex_init result. So ignore the lines below */ +#if MUTEX_INIT_RESULT_IMPLEMENTED +err_mutex_failed: + ddsrt_free(authentication); + return -1; +#endif +} + +int32_t finalize_authentication(void *instance) +{ + dds_security_authentication_impl *authentication = instance; + + if( authentication ){ + ddsrt_mutex_lock(&authentication->lock); + + /* Will be enabled after timed call back feature implementation */ + /* ut_timed_dispatcher_free(authentication->timed_callbacks); */ + if (authentication->remoteGuidHash) { + ddsrt_hh_free(authentication->remoteGuidHash); + } + + if (authentication->objectHash) { + struct ddsrt_hh_iter it; + SecurityObject *obj; + for (obj = ddsrt_hh_iter_first(authentication->objectHash, &it); obj != NULL; obj = ddsrt_hh_iter_next(&it)) { + security_object_free(obj); + } + ddsrt_hh_free(authentication->objectHash); + } + + free_ca_list_contents(&(authentication->trustedCAList)); + + ddsrt_mutex_unlock(&authentication->lock); + + ddsrt_mutex_destroy(&authentication->lock); + + 
ddsrt_free((dds_security_authentication_impl*) instance); + } + + RAND_cleanup(); + EVP_cleanup(); + CRYPTO_cleanup_all_ex_data(); + REMOVE_THREAD_STATE(); + ERR_free_strings(); + + return 0; +} diff --git a/src/security/builtin_plugins/authentication/src/authentication.h b/src/security/builtin_plugins/authentication/src/authentication.h new file mode 100644 index 0000000..dcbcfd6 --- /dev/null +++ b/src/security/builtin_plugins/authentication/src/authentication.h 
@@ -0,0 +1,146 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+
+#ifndef SECURITY_BUILTIN_PLUGINS_AUTHENTICATION_H_
+#define SECURITY_BUILTIN_PLUGINS_AUTHENTICATION_H_
+
+#include "dds/ddsrt/atomics.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/export.h"
+
+SECURITY_EXPORT int32_t
+init_authentication(const char *argument, void **context);
+
+SECURITY_EXPORT int32_t
+finalize_authentication(void *context);
+
+
+
+
+DDS_Security_ValidationResult_t
+validate_local_identity(
+ dds_security_authentication *instance,
+ DDS_Security_IdentityHandle *local_identity_handle,
+ DDS_Security_GUID_t *adjusted_participant_guid,
+ const DDS_Security_DomainId domain_id,
+ const DDS_Security_Qos *participant_qos,
+ const DDS_Security_GUID_t *candidate_participant_guid,
+
+ DDS_Security_SecurityException *ex);
+DDS_Security_boolean
+get_identity_token(dds_security_authentication *instance,
+ DDS_Security_IdentityToken *identity_token,
+ const DDS_Security_IdentityHandle handle,
+ DDS_Security_SecurityException *ex);
+DDS_Security_boolean
+set_permissions_credential_and_token(
+ dds_security_authentication *instance,
+ const DDS_Security_IdentityHandle handle,
+ const DDS_Security_PermissionsCredentialToken *permissions_credential,
+ const DDS_Security_PermissionsToken *permissions_token,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+validate_remote_identity(
+ dds_security_authentication *instance,
+ DDS_Security_IdentityHandle *remote_identity_handle,
+ DDS_Security_AuthRequestMessageToken *local_auth_request_token,
+ const DDS_Security_AuthRequestMessageToken *remote_auth_request_token,
+ const DDS_Security_IdentityHandle local_identity_handle,
+ const DDS_Security_IdentityToken *remote_identity_token,
+ const DDS_Security_GUID_t *remote_participant_guid,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+begin_handshake_request(
+ dds_security_authentication *instance,
+ DDS_Security_HandshakeHandle *handshake_handle,
+ DDS_Security_HandshakeMessageToken *handshake_message,
+ const DDS_Security_IdentityHandle initiator_identity_handle,
+ const DDS_Security_IdentityHandle replier_identity_handle,
+ const DDS_Security_OctetSeq *serialized_local_participant_data,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+begin_handshake_reply(
+ dds_security_authentication *instance,
+ DDS_Security_HandshakeHandle *handshake_handle,
+ DDS_Security_HandshakeMessageToken *handshake_message_out,
+ const DDS_Security_HandshakeMessageToken *handshake_message_in,
+ const DDS_Security_IdentityHandle initiator_identity_handle,
+ const DDS_Security_IdentityHandle replier_identity_handle,
+ const DDS_Security_OctetSeq *serialized_local_participant_data,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+process_handshake(
+ dds_security_authentication *instance,
+ DDS_Security_HandshakeMessageToken *handshake_message_out,
+ const DDS_Security_HandshakeMessageToken *handshake_message_in,
+ const DDS_Security_HandshakeHandle handshake_handle,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_SharedSecretHandle get_shared_secret(
+ dds_security_authentication *instance,
+ const DDS_Security_HandshakeHandle handshake_handle,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean
+get_authenticated_peer_credential_token(
+ dds_security_authentication *instance,
+ DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token,
+ const DDS_Security_HandshakeHandle handshake_handle,
+ DDS_Security_SecurityException *ex);
+
+
+DDS_Security_boolean get_identity_status_token(
+ dds_security_authentication *instance,
+ DDS_Security_IdentityStatusToken *identity_status_token,
+ const DDS_Security_IdentityHandle handle,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean set_listener(dds_security_authentication *instance,
+ const dds_security_authentication_listener *listener,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean return_identity_token(dds_security_authentication *instance,
+ const DDS_Security_IdentityToken *token,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean return_identity_status_token(
+ dds_security_authentication *instance,
+ const DDS_Security_IdentityStatusToken *token,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean return_authenticated_peer_credential_token(
+ dds_security_authentication *instance,
+ const DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean
+return_handshake_handle(dds_security_authentication *instance,
+ const DDS_Security_HandshakeHandle handshake_handle,
+ DDS_Security_SecurityException *ex);
+DDS_Security_boolean
+return_identity_handle(
+ dds_security_authentication *instance,
+ const DDS_Security_IdentityHandle identity_handle,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_boolean return_sharedsecret_handle(
+ dds_security_authentication *instance,
+ const DDS_Security_SharedSecretHandle sharedsecret_handle,
+ DDS_Security_SecurityException *ex);
+
+
+#endif /* SECURITY_BUILTIN_PLUGINS_AUTHENTICATION_H_ */
diff --git a/src/security/builtin_plugins/tests/CMakeLists.txt b/src/security/builtin_plugins/tests/CMakeLists.txt
new file mode 100644
index 0000000..7290ca4
--- /dev/null
+++ b/src/security/builtin_plugins/tests/CMakeLists.txt
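Review bot: Apart from `init_authentication` and `finalize_authentication`, every function declared in authentication.h has external linkage under a generic, unprefixed name (`set_listener`, `process_handshake`, `get_shared_secret`, `return_identity_handle` and the rest). In the authentication.c part of this commit they appear to be reached only through the `base` function table that `init_authentication` fills in, so exporting the names risks symbol clashes with any other plugin or helper loaded into the same process that picks the same name. I would make them `static` in authentication.c and drop these prototypes, or give them a plugin prefix. The two exported entry points also deserve a comment on ownership, for example `/* On success stores a newly allocated plugin instance in *context; release it with finalize_authentication(). */`.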
@@ -0,0 +1,51 @@
+ #
+# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v. 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+# v. 1.0 which is available at
+# http://www.eclipse.org/org/documents/edl-v10.php.
+#
+# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+#
+include(CUnit)
+
+set(security_auth_test_sources
+ "validate_begin_handshake_reply/src/validate_begin_handshake_reply_utests.c"
+ "get_authenticated_peer_credential_token/src/get_authenticated_peer_credential_token_utests.c"
+ "validate_local_identity/src/validate_local_identity_utests.c"
+ "validate_remote_identity/src/validate_remote_identity_utests.c"
+ "validate_begin_handshake_request/src/validate_begin_handshake_request_utests.c"
+ "process_handshake/src/process_handshake_utests.c"
+ "common/src/handshake_helper.c"
+ "common/src/loader.c")
+
+add_cunit_executable(cunit_security_plugins ${security_auth_test_sources})
+target_include_directories(
+ cunit_security_plugins PRIVATE
+ "$"
+ "$>"
+ "$>"
+ "$>"
+ "$"
+ "$"
+ )
+
+
+target_link_libraries(cunit_security_plugins PRIVATE ddsc security_api)
+
+
+find_package(OpenSSL )
+if(OPENSSL_FOUND)
+ target_link_libraries(cunit_security_plugins PRIVATE OpenSSL::SSL)
+
+else()
+ message(FATAL_ERROR "To build without openssl support, set DDSC_ENABLE_OPENSSL to OFF")
+endif()
+
+set(CUnit_builtin_plugins_tests_dir "${CMAKE_CURRENT_LIST_DIR}")
+
+configure_file("config_env.h.in" "config_env.h")
+
+
diff --git a/src/security/builtin_plugins/tests/common/src/handshake_helper.c b/src/security/builtin_plugins/tests/common/src/handshake_helper.c
new file mode 100644
index 0000000..2ff63bd
--- /dev/null
+++ b/src/security/builtin_plugins/tests/common/src/handshake_helper.c
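Review bot: The `else()` branch tells the user to set DDSC_ENABLE_OPENSSL to OFF, but nothing in this file reads that option, so as far as this hunk shows the configure step would stop with the same error after following the advice. Either guard this directory on the option where it is added, or state the real requirement with `find_package(OpenSSL REQUIRED)` and drop the `if(OPENSSL_FOUND)`/`else()` wrapper. The helper sources listed in `security_auth_test_sources` call libcrypto routines (EVP, BIO, DH), so `OpenSSL::Crypto` would be the narrower link target than `OpenSSL::SSL`.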
@@ -0,0 +1,579 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ +#include "handshake_helper.h" +#include "dds/security/core/dds_security_serialize.h" +#include "dds/ddsrt/string.h" +#include "dds/ddsrt/heap.h" +#include +#include +#include "dds/ddsrt/environ.h" +#include "CUnit/CUnit.h" +#include "CUnit/Test.h" +#include "assert.h" +#include "dds/ddsrt/misc.h" +#include "dds/security/core/shared_secret.h" + +#if OPENSSL_VERSION_NUMBER >= 0x1000200fL +#define AUTH_INCLUDE_EC +#include +#include + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#define AUTH_INCLUDE_DH_ACCESSORS +#endif +#else +#error "version not found" +#endif + + +const BIGNUM * +dh_get_public_key( + DH *dhkey) +{ +#ifdef AUTH_INCLUDE_DH_ACCESSORS + const BIGNUM *pubkey, *privkey; + DH_get0_key(dhkey, &pubkey, &privkey); + return pubkey; +#else + return dhkey->pub_key; +#endif +} + +int +dh_set_public_key( + DH *dhkey, + BIGNUM *pubkey) +{ +#ifdef AUTH_INCLUDE_DH_ACCESSORS + return DH_set0_key(dhkey, pubkey, NULL); +#else + dhkey->pub_key = pubkey; +#endif + return 1; +} + + +/* for DEBUG purposes */ +void print_binary_test( char* name, unsigned char *value, uint32_t size){ + uint32_t i; + printf("%s: ",name ); + for( i=0; i< size; i++) + { + printf("%x",value[i]); + } + printf("\n"); +} + +DDS_Security_BinaryProperty_t * +print_binary_properties_test( + DDS_Security_DataHolder *token) +{ + DDS_Security_BinaryProperty_t *result = NULL; + uint32_t i; + for (i = 0; i < token->binary_properties._length && !result; i++) { + print_binary_test( token->binary_properties._buffer[i].name, 
token->binary_properties._buffer[i].value._buffer, token->binary_properties._buffer[i].value._length); + } + + return result; +} + +DDS_Security_ValidationResult_t +create_signature_for_test( + EVP_PKEY *pkey, + const DDS_Security_BinaryProperty_t **binary_properties, + const uint32_t binary_properties_length, + unsigned char **signature, + size_t *signatureLen, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_Serializer serializer; + unsigned char *buffer; + size_t size; + + serializer = DDS_Security_Serializer_new(4096, 4096); + + DDS_Security_Serialize_BinaryPropertyArray(serializer,binary_properties, binary_properties_length); + DDS_Security_Serializer_buffer(serializer, &buffer, &size); + + result = create_asymmetrical_signature_for_test(pkey, buffer, size, signature, signatureLen, ex); + + ddsrt_free(buffer); + DDS_Security_Serializer_free(serializer); + + return result; +} + +#if( AC_TESTS_IMPLEMENTED ) +static DDS_Security_ValidationResult_t +screate_asymmetrical_signature_for_test( + EVP_PKEY *pkey, + void *data, + size_t dataLen, + unsigned char **signature, + size_t *signatureLen, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *kctx = NULL; + + if (!(mdctx = EVP_MD_CTX_create())) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, result, "Failed to create signing context: %s", msg); + ddsrt_free(msg); + goto err_create_ctx; + } + + if (EVP_DigestSignInit(mdctx, &kctx, EVP_sha256(), NULL, pkey) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, result, "Failed to initialize signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } 
+ + if (EVP_PKEY_CTX_set_rsa_padding(kctx, RSA_PKCS1_PSS_PADDING) < 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, result, "Failed to initialize signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + if (EVP_DigestSignUpdate(mdctx, data, dataLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, result, "Failed to update signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + if (EVP_DigestSignFinal(mdctx, NULL, signatureLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, result, "Failed to finalize signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + //*signature = ddsrt_malloc(sizeof(unsigned char) * (*signatureLen)); + *signature = OPENSSL_malloc(*signatureLen); + if (EVP_DigestSignFinal(mdctx, *signature, signatureLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, result, "Failed to finalize signing context: %s", msg); + ddsrt_free(msg); + ddsrt_free(signature); + } + +err_sign: + EVP_MD_CTX_destroy(mdctx); +err_create_ctx: + return result; +} +#endif + + +char * +get_openssl_error_message_for_test( + void) +{ + BIO *bio = BIO_new(BIO_s_mem()); + char *msg; + char *buf = NULL; + size_t len; + + if (bio) { + ERR_print_errors(bio); + len = (size_t)BIO_get_mem_data (bio, &buf); + msg = ddsrt_malloc(len + 1); + memset(msg, 0, len+1); + memcpy(msg, buf, len); + BIO_free(bio); + } else { + msg = ddsrt_strdup("BIO_new failed"); + } + + return msg; +} + 
+DDS_Security_ValidationResult_t +validate_asymmetrical_signature_for_test( + EVP_PKEY *pkey, + void *data, + size_t dataLen, + unsigned char *signature, + size_t signatureLen, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EVP_MD_CTX *mdctx = NULL; + + if (!(mdctx = EVP_MD_CTX_create())) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to create verify context: %s", msg); + ddsrt_free(msg); + goto err_create_ctx; + } + + if (EVP_DigestVerifyInit(mdctx, NULL, EVP_sha256(), NULL, pkey) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize verify context: %s", msg); + ddsrt_free(msg); + goto err_verify; + } + + if (EVP_DigestVerifyUpdate(mdctx, data, dataLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to update verify context: %s", msg); + ddsrt_free(msg); + goto err_verify; + } + + if (EVP_DigestVerifyFinal(mdctx, signature, signatureLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to finalize verify context: %s", msg); + ddsrt_free(msg); + goto err_verify; + } + +err_verify: + EVP_MD_CTX_destroy(mdctx); +err_create_ctx: + return result; +} + +DDS_Security_ValidationResult_t +get_public_key( + EVP_PKEY *pkey, + unsigned char **buffer, + size_t *length, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; 
+ BIO *bio = NULL; + char *ptr = NULL; + size_t sz; + + assert(pkey); + assert(buffer); + + *length = 0; + + bio = BIO_new(BIO_s_mem()); + + if ( bio == NULL) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to get public key: BIO_new_mem_buf failed"); + } else if (!PEM_write_bio_PUBKEY(bio, pkey)) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to get public key: PEM_write_bio_PUBKEY failed: %s", msg); + ddsrt_free(msg); + } else { + sz = (size_t)BIO_get_mem_data(bio, &ptr); + *buffer = ddsrt_malloc(sz +1); + memcpy(*buffer, ptr, sz); + *length = sz; + } + + if (bio) BIO_free(bio); + + return result; +} + +static EVP_PKEY * +modp_data_to_pubkey( + const unsigned char *data, + uint32_t size) +{ + EVP_PKEY *pkey= NULL; + DH *dhkey = NULL; + ASN1_INTEGER *asni; + BIGNUM *bn = NULL; + + if (!(asni = d2i_ASN1_INTEGER(NULL, &data, size))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to decode DH public key: %s", msg); + ddsrt_free(msg); + goto fail_asni; + } + + if (!(bn = ASN1_INTEGER_to_BN(asni, NULL))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to convert to BIGNU<: %s", msg); + ddsrt_free(msg); + goto fail_bn; + } + + if (!(dhkey = DH_get_2048_256())) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate dhkey: %s", msg); + ddsrt_free(msg); + goto fail_dhkey; + } + + dh_set_public_key(dhkey,bn); + + if (!(pkey = EVP_PKEY_new())) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate pkey: %s", msg); + ddsrt_free(msg); + goto fail_pkey; + } + + if (!EVP_PKEY_set1_DH(pkey, dhkey)) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set public key: %s", msg); + ddsrt_free(msg); + 
EVP_PKEY_free(pkey); + pkey = NULL; + } + + ASN1_INTEGER_free(asni); + DH_free(dhkey); + + return pkey; + +fail_pkey: + DH_free(dhkey); +fail_dhkey: + BN_free(bn); +fail_bn: + ASN1_INTEGER_free(asni); +fail_asni: + return NULL; +} + +static EVP_PKEY * +ecdh_data_to_pubkey( + const unsigned char *data, + uint32_t size) +{ + EVP_PKEY *pkey = NULL; + EC_KEY *eckey = NULL; + EC_GROUP *group = NULL; + EC_POINT *point = NULL; + + if (!(group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EC group: %s", msg); + ddsrt_free(msg); + } else if (!(point = EC_POINT_new(group))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EC point: %s", msg); + ddsrt_free(msg); + } else if (EC_POINT_oct2point(group, point, data, size, NULL) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to deserialize EC public key to EC point: %s", msg); + ddsrt_free(msg); + } else if (!(eckey = EC_KEY_new())) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EC KEY: %s", msg); + ddsrt_free(msg); + } else if (EC_KEY_set_group(eckey, group) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to convert octet sequence to ASN1 integer: %s", msg); + ddsrt_free(msg); + } else if (EC_KEY_set_public_key(eckey, point) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set EC public key: %s", msg); + ddsrt_free(msg); + } else if (!(pkey = EVP_PKEY_new())) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EVP key: %s", msg); + ddsrt_free(msg); + } else if (EVP_PKEY_set1_EC_KEY(pkey, eckey) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set EVP key to EC public key: %s", msg); + ddsrt_free(msg); + EVP_PKEY_free(pkey); + pkey = NULL; + } + + if (eckey) EC_KEY_free(eckey); + if (point) EC_POINT_free(point); + if 
(group) EC_GROUP_free(group); + + return pkey; +} + +int +check_shared_secret( + dds_security_authentication *auth, + int use_ecdh, + const DDS_Security_BinaryProperty_t *dh_remote, + EVP_PKEY *dh_local_private, + + DDS_Security_HandshakeHandle handshake_handle) + +{ +/* calculate shared secret with the other side */ + EVP_PKEY_CTX *ctx = NULL; + size_t skeylen; + EVP_PKEY *dh_remote_public = NULL; + DDS_Security_SharedSecretHandle shared_secret_local_handle; + DDS_Security_SecurityException exception; + DDS_Security_octet *shared_secret_local; + DDS_Security_octet shared_secret_remote[SHA256_DIGEST_LENGTH]; + DDS_Security_octet *secret; + int result; + + if (use_ecdh) { + dh_remote_public = ecdh_data_to_pubkey(dh_remote->value._buffer, dh_remote->value._length); + } else { + dh_remote_public = modp_data_to_pubkey(dh_remote->value._buffer, dh_remote->value._length); + } + + if (!dh_remote_public) { + CU_FAIL("Coud not decode DH public key"); + } + + ctx = EVP_PKEY_CTX_new(dh_local_private, NULL /* no engine */); + if (!ctx) + { + /* Error occurred */ + CU_FAIL("Coud not allocate CTX"); + } + + if (EVP_PKEY_derive_init(ctx) <= 0) + { + /* Error */ + CU_FAIL("Coud not init"); + } + result = EVP_PKEY_derive_set_peer(ctx, dh_remote_public) ; + if (result<= 0) + { + /* Error */ + char *msg = get_openssl_error_message_for_test(); + printf("DH remote public: %s\n",dh_remote->value._buffer); + printf("SSL Error: %s\n", msg); + ddsrt_free(msg); + CU_FAIL("Could not set peer"); + } + + /* Determine buffer length */ + result = EVP_PKEY_derive(ctx, NULL, &skeylen); + if (result <= 0) + { + /* Error */ + CU_FAIL("Could not set derive"); + } + + secret = ddsrt_malloc(skeylen+1); + + if (EVP_PKEY_derive(ctx, secret, &skeylen) <= 0) + { + /* Error */ + CU_FAIL("Could not set derive"); + } + + SHA256(secret, skeylen, shared_secret_remote); + + ddsrt_free(secret); + + /* get the secret handle */ + shared_secret_local_handle = auth->get_shared_secret( auth, handshake_handle, 
&exception); + + /* convert handle to object */ + shared_secret_local = ((DDS_Security_SharedSecretHandleImpl *)(shared_secret_local_handle))->shared_secret; + /*compare with remote. They should be same */ + + if (ctx) { + EVP_PKEY_CTX_free(ctx); + } + + if (dh_remote_public) { + EVP_PKEY_free(dh_remote_public); + } + + return memcmp(shared_secret_local, shared_secret_remote, SHA256_DIGEST_LENGTH); +} + + + +DDS_Security_ValidationResult_t +create_asymmetrical_signature_for_test( + EVP_PKEY *pkey, + void *data, + size_t dataLen, + unsigned char **signature, + size_t *signatureLen, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *kctx = NULL; + + if (!(mdctx = EVP_MD_CTX_create())) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to create signing context: %s", msg); + ddsrt_free(msg); + goto err_create_ctx; + } + + if (EVP_DigestSignInit(mdctx, &kctx, EVP_sha256(), NULL, pkey) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + if (EVP_PKEY_CTX_set_rsa_padding(kctx, RSA_PKCS1_PSS_PADDING) < 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + if (EVP_DigestSignUpdate(mdctx, data, dataLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", 
DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to update signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + if (EVP_DigestSignFinal(mdctx, NULL, signatureLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to finalize signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + //*signature = os_malloc(sizeof(unsigned char) * (*signatureLen)); + *signature = OPENSSL_malloc(*signatureLen); + if (EVP_DigestSignFinal(mdctx, *signature, signatureLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to finalize signing context: %s", msg); + ddsrt_free(msg); + ddsrt_free(signature); + } + + err_sign: + EVP_MD_CTX_destroy(mdctx); + err_create_ctx: + return result; +} + + diff --git a/src/security/builtin_plugins/tests/common/src/handshake_helper.h b/src/security/builtin_plugins/tests/common/src/handshake_helper.h new file mode 100644 index 0000000..b6e2e38 --- /dev/null +++ b/src/security/builtin_plugins/tests/common/src/handshake_helper.h 
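Review bot: In `create_asymmetrical_signature_for_test` the last error branch calls `ddsrt_free(signature)`, which frees the caller's `unsigned char **` instead of the `OPENSSL_malloc` buffer, and with the wrong allocator. It should read `OPENSSL_free(*signature); *signature = NULL;`, and the `OPENSSL_malloc` result should be checked before the second `EVP_DigestSignFinal`; the copy under `#if( AC_TESTS_IMPLEMENTED )` has the same lines. `check_shared_secret` keeps running after each `CU_FAIL`, which only records the failure, so a NULL `dh_remote_public` or `ctx` is passed on to the derive calls, and the handle from `auth->get_shared_secret` is cast and dereferenced unchecked; return non-zero after each failure or use `CU_FAIL_FATAL`. The `printf("DH remote public: %s\n", ...)` in that function prints a binary octet buffer with `%s`, which reads past its end when it holds no NUL byte. In `modp_data_to_pubkey`, `fail_pkey` runs `DH_free(dhkey)` and falls through to `BN_free(bn)` although `dh_set_public_key` already handed `bn` to the DH object, so that path frees it twice.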
@@ -0,0 +1,90 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#ifndef DDS_SECURITY_BUITIN_TEST_HANDSHAKE_HELPER_H
+#define DDS_SECURITY_BUITIN_TEST_HANDSHAKE_HELPER_H
+
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_serialize.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+const BIGNUM *
+dh_get_public_key(
+ DH *dhkey);
+
+int
+dh_set_public_key(
+ DH *dhkey,
+ BIGNUM *pubkey);
+
+DDS_Security_ValidationResult_t
+create_signature_for_test(
+ EVP_PKEY *pkey,
+ const DDS_Security_BinaryProperty_t **binary_properties,
+ const uint32_t binary_properties_length,
+ unsigned char **signature,
+ size_t *signatureLen,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+create_asymmetrical_signature_for_test(
+ EVP_PKEY *pkey,
+ void *data,
+ size_t dataLen,
+ unsigned char **signature,
+ size_t *signatureLen,
+ DDS_Security_SecurityException *ex);
+
+char *
+get_openssl_error_message_for_test(
+ void);
+
+DDS_Security_ValidationResult_t
+validate_asymmetrical_signature_for_test(
+ EVP_PKEY *pkey,
+ void *data,
+ size_t dataLen,
+ unsigned char *signature,
+ size_t signatureLen,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+get_public_key(
+ EVP_PKEY *pkey,
+ unsigned char **buffer,
+ size_t *length,
+ DDS_Security_SecurityException *ex);
+
+/* for DEBUG purposes */
+void print_binary_test( char* name, unsigned char *value, uint32_t size);
+
+DDS_Security_BinaryProperty_t *
+print_binary_properties_test(
+ DDS_Security_DataHolder *token);
+
+int
+check_shared_secret(
+ dds_security_authentication *auth,
+ int use_ecdh,
+ const DDS_Security_BinaryProperty_t *dh_remote,
+ EVP_PKEY *dh_local_private,
+ DDS_Security_HandshakeHandle handshake_handle);
+
+#endif
\ No newline at end of file
diff --git a/src/security/builtin_plugins/tests/common/src/loader.c b/src/security/builtin_plugins/tests/common/src/loader.c
new file mode 100644
index 0000000..c6584f2
--- /dev/null
+++ b/src/security/builtin_plugins/tests/common/src/loader.c
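Review bot: The prototypes in handshake_helper.h that hand back a buffer through `unsigned char **signature` do not say who owns it or how it is released. The implementation of `create_asymmetrical_signature_for_test` shown in this commit fills it with `OPENSSL_malloc(*signatureLen)`, so a caller has to release it with `OPENSSL_free` rather than `ddsrt_free`; `create_signature_for_test` presumably follows the same rule, which should be confirmed against its body. I would add above those prototypes a comment such as `/* On success *signature is allocated with OPENSSL_malloc; release it with OPENSSL_free. */`, and above `check_shared_secret` one stating that it returns the `memcmp` result, so 0 means the two secrets match. The include guard reads `BUITIN`, which looks like a typo for `BUILTIN`.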
@@ -0,0 +1,222 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#include
+#include
+#include "loader.h"
+#include "dds/ddsrt/dynlib.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/string.h"
+#include "sys/stat.h"
+#include "assert.h"
+#include "stdio.h"
+#include "string.h"
+#include "dds/security/core/dds_security_utils.h"
+
+struct plugin_info {
+ void *context;
+ ddsrt_dynlib_t lib_handle;
+ plugin_init func_init;
+ plugin_finalize func_fini;
+};
+
+struct plugins_hdl {
+ struct plugin_info plugin_ac;
+ struct plugin_info plugin_auth;
+ struct plugin_info plugin_crypto;
+};
+
+static void*
+load_plugin(
+ struct plugin_info *info,
+ const char *name_lib,
+ const char *name_init,
+ const char *name_fini)
+{
+ dds_return_t result;
+ void *plugin = NULL;
+ assert(info);
+
+ result = ddsrt_dlopen(name_lib, true, &info->lib_handle);
+ if (result == DDS_RETCODE_OK && info->lib_handle) {
+
+ result = ddsrt_dlsym(info->lib_handle, name_init, (void **)&info->func_init);
+ if( result != DDS_RETCODE_OK || info->func_init == NULL) {
+ char buf[200];
+ ddsrt_dlerror(buf, 200);
+ printf("ERROR: could not init %s\n. Invalid init function: %s: %s", name_lib, name_init, buf);
+ return plugin;
+ }
+
+ result = ddsrt_dlsym(info->lib_handle, name_fini, (void **)&info->func_fini);
+ if( result != DDS_RETCODE_OK || info->func_fini == NULL ) {
+ printf("ERROR: could not init %s\n. Invalid fini function: %s", name_lib, name_fini);
+ return plugin;
+ }
+
+ char * init_parameters = "";
+ (void)info->func_init(init_parameters, &plugin);
+ if (plugin) {
+ info->context = plugin;
+ } else {
+ printf("ERROR: could not init %s\n", name_lib);
+ }
+ } else {
+ char buffer[300];
+ ddsrt_dlerror(buffer,300);
+ printf("ERROR: could not load %s. %s\n", name_lib, buffer);
+ }
+ return plugin;
+}
+
+struct plugins_hdl*
+load_plugins(
+ dds_security_access_control **ac,
+ dds_security_authentication **auth,
+ dds_security_cryptography **crypto)
+{
+ struct plugins_hdl *plugins = ddsrt_malloc(sizeof(struct plugins_hdl));
+ assert(plugins);
+ memset(plugins, 0, sizeof(struct plugins_hdl));
+ if (ac) {
+ *ac = load_plugin(&(plugins->plugin_ac),
+ "dds_security_ac",
+ "init_access_control",
+ "finalize_access_control");
+ if (!(*ac)) {
+ goto err;
+ }
+ }
+ if (auth) {
+ *auth = load_plugin(&(plugins->plugin_auth),
+ //"dds_security_auth",
+ "dds_security_auth",
+ "init_authentication",
+ "finalize_authentication");
+ if (!(*auth)) {
+ goto err;
+ }
+ }
+ if (crypto) {
+ *crypto = load_plugin(&(plugins->plugin_crypto),
+ "dds_security_crypto",
+ "init_crypto",
+ "finalize_crypto");
+ if (!(*crypto)) {
+ goto err;
+ }
+ }
+ return plugins;
+
+err:
+ unload_plugins(plugins);
+ return NULL;
+}
+
+static void
+unload_plugin(
+ struct plugin_info *info)
+{
+ dds_return_t result;
+ assert(info);
+
+ if (info->lib_handle) {
+ if (info->func_fini && info->context) {
+ info->func_fini(info->context);
+ }
+ result = ddsrt_dlclose( info->lib_handle );
+ if ( result != 0 ){
+ printf( "Error occured while closing the library\n");
+ }
+ }
+}
+
+void
+unload_plugins(
+ struct plugins_hdl *plugins)
+{
+ assert (plugins);
+ unload_plugin(&(plugins->plugin_ac));
+ unload_plugin(&(plugins->plugin_auth));
+ unload_plugin(&(plugins->plugin_crypto));
+ ddsrt_free(plugins);
+}
+
+static size_t
+regular_file_size(
+ const char *filename)
+{
+ size_t sz = 0;
+ /* Provided? */
+ if (filename) {
+ /* Accessible? */
+#if _WIN32
+ struct _stat stat_info;
+ int ret = _stat( filename, &stat_info );
+#else
+ struct stat stat_info;
+ int ret = stat( filename, &stat_info );
+#endif
+ if ( ret == 0 ) {
+ /* Regular? */
+#ifdef WIN32
+ if (stat_info.st_mode & _S_IFREG) {
+#else
+ if (S_ISREG(stat_info.st_mode)) {
+#endif
+ /* Yes, so get the size. */
+ sz = ( size_t ) stat_info.st_size;
+ }
+ }
+ }
+ return sz;
+}
+
+char *
+load_file_contents(
+ const char *filename)
+{
+ char *document = NULL;
+ char *fname;
+ size_t sz, r;
+ FILE *fp;
+
+ assert(filename);
+
+ /* Get portable file name. */
+ fname = DDS_Security_normalize_file( filename );
+ if (fname) {
+ /* Get size if it is a accessible regular file (no dir or link). */
+ sz = regular_file_size(fname);
+ if (sz > 0) {
+ /* Open the actual file. */
+ DDSRT_WARNING_MSVC_OFF(4996);
+ fp = fopen(fname, "r");
+ DDSRT_WARNING_MSVC_ON(4996);
+ if (fp) {
+ /* Read the content. */
+ document = ddsrt_malloc(sz + 1);
+ r = fread(document, 1, sz, fp);
+ if (r == 0) {
+ ddsrt_free(document);
+ document = NULL;
+ } else {
+ document[r] = '\0';
+ }
+ (void)fclose(fp);
+ }
+ }
+ ddsrt_free(fname);
+ }
+
+ return document;
+}
diff --git a/src/security/builtin_plugins/tests/common/src/loader.h b/src/security/builtin_plugins/tests/common/src/loader.h
new file mode 100644
index 0000000..305ac53
--- /dev/null
+++ b/src/security/builtin_plugins/tests/common/src/loader.h
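Review bot: `regular_file_size` picks the stat structure with `#if _WIN32` but the regular-file test with `#ifdef WIN32`, so on a Windows toolchain that defines only `_WIN32` the `S_ISREG` branch is compiled against a `struct _stat`. Both guards should test the same macro, for example `#ifdef _WIN32` in both places. The comment in `load_file_contents` says the size is taken only for a regular file, "no dir or link", but `stat()` follows symbolic links, so a link to a regular file is accepted. The file is also reopened by name after the check, so the object that is read may not be the one that was measured, although the read stays bounded by `sz`. If links must be excluded, open the file first and check the open descriptor with `fstat`; otherwise reword the comment to `/* Get size if it is an accessible regular file (symlinks are followed). */`.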
@@ -0,0 +1,34 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#ifndef _DBT_SECURITY_PLUGINS_LOADER_H_
+#define _DBT_SECURITY_PLUGINS_LOADER_H_
+
+#include "dds/security/dds_security_api.h"
+
+struct plugins_hdl;
+
+struct plugins_hdl*
+load_plugins(
+ dds_security_access_control **ac,
+ dds_security_authentication **auth,
+ dds_security_cryptography **crypto);
+
+void
+unload_plugins(
+ struct plugins_hdl *plugins);
+
+char*
+load_file_contents(
+ const char *filename);
+
+#endif
diff --git a/src/security/builtin_plugins/tests/config_env.h.in b/src/security/builtin_plugins/tests/config_env.h.in
new file mode 100644
index 0000000..3f2b23a
--- /dev/null
+++ b/src/security/builtin_plugins/tests/config_env.h.in
@@ -0,0 +1,17 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#ifndef CONFIG_ENV_H
+#define CONFIG_ENV_H
+
+#define CONFIG_ENV_TESTS_DIR "@CUnit_builtin_plugins_tests_dir@"
+
+#endif /* CONFIG_ENV_H */
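Review bot: The three prototypes in loader.h carry no contract, and what a caller needs to know is only visible in loader.c. I would add comments stating that `load_plugins` skips any plugin whose out-pointer is NULL and returns NULL, after unloading what was already loaded, when a requested plugin fails to load. For `load_file_contents` the comment should say that it returns a NUL-terminated buffer allocated with `ddsrt_malloc`, to be released with `ddsrt_free`, or NULL when the file cannot be read, is empty or is not a regular file. The guard `_DBT_SECURITY_PLUGINS_LOADER_H_` begins with an underscore followed by a capital letter, a form C reserves for the implementation; `DBT_SECURITY_PLUGINS_LOADER_H` avoids that.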
diff --git a/src/security/builtin_plugins/tests/get_authenticated_peer_credential_token/src/get_authenticated_peer_credential_token_utests.c b/src/security/builtin_plugins/tests/get_authenticated_peer_credential_token/src/get_authenticated_peer_credential_token_utests.c
new file mode 100644
index 0000000..12216c5
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_authenticated_peer_credential_token/src/get_authenticated_peer_credential_token_utests.c
@@ -0,0 +1,1648 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + +/* CUnit includes. */ + +#include "CUnit/CUnit.h" +#include "CUnit/Test.h" +#include "assert.h" +/* Test helper includes. */ +#include "common/src/loader.h" +#include "common/src/handshake_helper.h" + +#include "dds/security/dds_security_api.h" +#include +#include +#include +#include + +#include "dds/ddsrt/string.h" +#include "dds/ddsrt/heap.h" +#include +#include +#include "dds/ddsrt/environ.h" + +#include "dds/ddsrt/misc.h" +#include "dds/ddsrt/endian.h" +#include "dds/security/core/dds_security_serialize.h" +#include "dds/security/dds_security_api.h" +#include "dds/security/core/dds_security_utils.h" + +#define HANDSHAKE_SIGNATURE_SIZE 6 + +#if DDSRT_ENDIAN == DDSRT_LITTLE_ENDIAN +static unsigned bswap4u (unsigned x) +{ + return (x >> 24) | ((x >> 8) & 0xff00) | ((x << 8) & 0xff0000) | (x << 24); +} +#define toBE4u(x) bswap4u (x) +#define fromBE4u(x) bswap4u (x) +#else +#define toBE4u(x) (x) +#define fromBE4u(x) (x) +#endif + + +static const char * AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0"; +static const char * PERM_ACCESS_CLASS_ID = "DDS:Access:Permissions:1.0"; + +static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca"; +static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key"; +static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate"; + +static const char * PROPERTY_CERT_SUBJECT_NAME = "dds.cert.sn"; +static const char * PROPERTY_CERT_ALGORITHM = "dds.cert.algo"; +static const char * PROPERTY_CA_SUBJECT_NAME = "dds.ca.sn"; +static const char * 
PROPERTY_CA_ALGORITHM = "dds.ca.aglo"; + +static const char * PROPERTY_PERM_CA_SUBJECT_NAME = "ds.perm_ca.sn"; + +static const char * SUBJECT_NAME_IDENTITY_CERT = "CN=CHAM-574 client,O=Some Company,ST=Some-State,C=NL"; +static const char * SUBJECT_NAME_IDENTITY_CA = "CN=CHAM-574 authority,O=Some Company,ST=Some-State,C=NL"; + +static const char * RSA_2048_ALGORITHM_NAME = "RSA-2048"; + +static const char * AUTH_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+AuthReq"; +static const char * AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME = "future_challenge"; + +static const char * AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Req"; +static const char * AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Reply"; +static const char * AUTH_HANDSHAKE_FINAL_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Final"; + +static const char * PERMISSIONS_DOCUMENT = "permissions_document"; + +typedef enum { + HANDSHAKE_REQUEST, + HANDSHAKE_REPLY, + HANDSHAKE_FINAL +} HandshakeStep_t; + + +struct octet_seq { + unsigned char *data; + uint32_t length; +}; + +static const char * AUTH_DSIGN_ALGO_RSA_NAME = "RSASSA-PSS-SHA256"; +static const char * AUTH_KAGREE_ALGO_RSA_NAME = "DH+MODP-2048-256"; +static const char * AUTH_KAGREE_ALGO_ECDH_NAME = "ECDH+prime256v1-CEUM"; + + + +static const char *identity_certificate = + +"data:,-----BEGIN CERTIFICATE-----\n" +"MIIDYDCCAkigAwIBAgIBBDANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" +"MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" +"aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" +"Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowdTELMAkGA1UEBhMC\n" +"TkwxCzAJBgNVBAgTAk9WMRAwDgYDVQQKEwdBRExpbmsgMREwDwYDVQQLEwhJU1Qg\n" +"VGVzdDETMBEGA1UEAxMKQWxpY2UgVGVzdDEfMB0GCSqGSIb3DQEJARYQYWxpY2VA\n" +"YWRsaW5rLmlzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANBW+tEZ\n" +"Baw7EQCEXyzH9n7IkZ8PQIKe8hG1LAOGYOF/oUYQZJO/HxbWoC4rFqOC20+A6is6\n" +"kFwr1Zzp/Wurk9CrFXo5Nomi6ActH6LUM57nYqN68w6U38z/XkQxVY/ESZ5dySfD\n" 
+"9Q1C8R+zdE8gwbimdYmwX7ioz336nghM2CoAHPDRthQeJupl8x4V7isOltr9CGx8\n" +"+imJXbGr39OK6u87cNLeu23sUkOIC0lSRMIqIQK3oJtHS70J2qecXdqp9MhE7Xky\n" +"/GPlI8ptQ1gJ8A3cAOvtI9mtMJMszs2EKWTLfeTcmfJHKKhKjvCgDdh3Jan4x5YP\n" +"Yg7HG6H+ceOUkMMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAkvuqZzyJ3Nu4/Eo5\n" +"kD0nVgYGBUl7cspu+636q39zPSrxLEDMUWz+u8oXLpyGcgiZ8lZulPTV8dmOn+3C\n" +"Vg55c5C+gbnbX3MDyb3wB17296RmxYf6YNul4sFOmj6+g2i+Dw9WH0PBCVKbA84F\n" +"jR3Gx2Pfoifor3DvT0YFSsjNIRt090u4dQglbIb6cWEafC7O24t5jFhGPvJ7L9SE\n" +"gB0Drh/HmKTVuaqaRkoOKkKaKuWoXsszK1ZFda1DHommnR5LpYPsDRQ2fVM4EuBF\n" +"By03727uneuG8HLuNcLEV9H0i7LxtyfFkyCPUQvWG5jehb7xPOz/Ml26NAwwjlTJ\n" +"xEEFrw==\n" +"-----END CERTIFICATE-----\n"; + + +static const char *identity_ca = +"data:,-----BEGIN CERTIFICATE-----\n" +"MIIEKTCCAxGgAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" +"MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" +"aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" +"Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcjELMAkGA1UEBhMC\n" +"TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ\n" +"ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0\n" +"ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANa/ENFfGVXg\n" +"bPLTzBdDfiZQcp5dWZ//Pb8ErFOJu8uosVHFv8t69dgjHgNHB4OsjmjnR7GfKUZT\n" +"0cMvWJnjsC7DDlBwFET9rj4k40n96bbVCH9I7+tNhsoqzc6Eu+5h4sk7VfNGTM2Z\n" +"SyCd4GiSZRuA44rRbhXI7/LDpr4hY5J9ZDo5AM9ZyoLAoh774H3CZWD67S35XvUs\n" +"72dzE6uKG/vxBbvZ7eW2GLO6ewa9UxlnLVMPfJdpkp/xYXwwcPW2+2YXCge1ujxs\n" +"tjrOQJ5HUySh6DkE/kZpx8zwYWm9AaCrsvCIX1thsqgvKy+U5v1FS1L58eGc6s//\n" +"9yMgNhU29R0CAwEAAaOByTCBxjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRNVUJN\n" +"FzhJPReYT4QSx6dK53CXCTAfBgNVHSMEGDAWgBRNVUJNFzhJPReYT4QSx6dK53CX\n" +"CTAPBgNVHQ8BAf8EBQMDB/+AMGUGA1UdJQEB/wRbMFkGCCsGAQUFBwMBBggrBgEF\n" +"BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkGCCsG\n" +"AQUFBwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAcOLF\n" 
+"ZYdJguj0uxeXB8v3xnUr1AWz9+gwg0URdfNLU2KvF2lsb/uznv6168b3/FcPgezN\n" +"Ihl9GqB+RvGwgXS/1UelCGbQiIUdsNxk246P4uOGPIyW32RoJcYPWZcpY+cw11tQ\n" +"NOnk994Y5/8ad1DmcxVLLqq5kwpXGWQufV1zOONq8B+mCvcVAmM4vkyF/de56Lwa\n" +"sAMpk1p77uhaDnuq2lIR4q3QHX2wGctFid5Q375DRscFQteY01r/dtwBBrMn0wuL\n" +"AMNx9ZGD+zAoOUaslpIlEQ+keAxk3jgGMWFMxF81YfhEnXzevSQXWpyek86XUyFL\n" +"O9IAQi5pa15gXjSbUg==\n" +"-----END CERTIFICATE-----\n"; + +static const char *REMOTE_IDENTITY_CERTIFICATE = +"-----BEGIN CERTIFICATE-----\n" +"MIIDcDCCAligAwIBAgIBBTANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" +"MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" +"aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" +"Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcDELMAkGA1UEBhMC\n" +"TkwxCzAJBgNVBAgTAk9WMQ8wDQYDVQQKEwZBRExpbmsxETAPBgNVBAsTCElTVCBU\n" +"ZXN0MREwDwYDVQQDEwhCb2IgVGVzdDEdMBsGCSqGSIb3DQEJARYOYm9iQGFkbGlu\n" +"ay5pc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB5vqhuWnwhxXZ\n" +"qffPmfjzge7w91oX4ISlboIfBXp3sLj2mqLSsYhgBNJAn/Fl1OZeFw0d4gVibBgx\n" +"5Zdcjsi+ClvYK8H534iTJfNriMyhg4kSWxZF1Tixfw3FS7LqjKEY5ZNPfp5a4P+8\n" +"UveorYJusrnlv1DiF6aPhJQh8J62J6bhx62DNLO7dZbN0BUsnWtyDcfi5DOjf2/r\n" +"3lSRfecn3uBr1QYRaS5FrV+MSoGcjI3M75mei1TTUp7YT4ZWRR5rKUMql605xsms\n" +"d6sqJaKofYmw7wCuaVJ86pb/w8srdddKt21xUeQNMKn49H6raezMOE3U5BUMtZ+P\n" +"2OBLk/CPAgMBAAGjEzARMA8GA1UdDwEB/wQFAwMH/4AwDQYJKoZIhvcNAQELBQAD\n" +"ggEBAJV71Ckf1zsks5mJXqdUb8bTVHg4hN32pwjCL5c6W2XHAv+YHwE/fN3C1VIY\n" +"bC8zjUC9dCOyC2AvOQyZQ1eC/WoK6FlXjHVX2upL4lXQ9WL9ztt1mgdRrhvUPuUn\n" +"aBE8VgNU0t4jl93xMIaU8hB0kQsV+kdcN0cWbrF3mT4s9njRvopJ8hS2UE60V2wA\n" +"ceUOazH+QGPh1k0jkynrTlVR9GrpebQwZ2UFeinVO0km17IAyQkz+OmPc4jQLJMl\n" +"CmkbmMwowdLMKC6r/HyE87dN7NvFnRM5iByJklRwN7WDYZrl72HoUOlgTZ7PjW2G\n" +"jTxK8xXtDCXC/3CNpe0YFnOga8g=\n" +"-----END CERTIFICATE-----\n"; + + +static const char *private_key = + +"data:,-----BEGIN RSA PRIVATE KEY-----\n" +"MIIEowIBAAKCAQEA0Fb60RkFrDsRAIRfLMf2fsiRnw9Agp7yEbUsA4Zg4X+hRhBk\n" 
+"k78fFtagLisWo4LbT4DqKzqQXCvVnOn9a6uT0KsVejk2iaLoBy0fotQznudio3rz\n" +"DpTfzP9eRDFVj8RJnl3JJ8P1DULxH7N0TyDBuKZ1ibBfuKjPffqeCEzYKgAc8NG2\n" +"FB4m6mXzHhXuKw6W2v0IbHz6KYldsavf04rq7ztw0t67bexSQ4gLSVJEwiohAreg\n" +"m0dLvQnap5xd2qn0yETteTL8Y+Ujym1DWAnwDdwA6+0j2a0wkyzOzYQpZMt95NyZ\n" +"8kcoqEqO8KAN2HclqfjHlg9iDscbof5x45SQwwIDAQABAoIBAG0dYPeqd0IhHWJ7\n" +"8azufbchLMN1pX/D51xG2uptssfnpHuhkkufSZUYi4QipRS2ME6PYhWJ8pmTi6lH\n" +"E6cUkbI0KGd/F4U2gPdhNrR9Fxwea5bbifkVF7Gx/ZkRjZJiZ3w9+mCNTQbJDKhh\n" +"wITAzzT6WYznhvqbzzBX1fTa6kv0GAQtX7aHKM+XIwkhX2gzU5TU80bvH8aMrT05\n" +"tAMGQqkUeRnpo0yucBl4VmTZzd/+X/d2UyXR0my15jE5iH5o+p+E6qTRE9D+MGUd\n" +"MQ6Ftj0Untqy1lcog1ZLL6zPlnwcD4jgY5VCYDgvabnrSwymOJapPLsAEdWdq+U5\n" +"ec44BMECgYEA/+3qPUrd4XxA517qO3fCGBvf2Gkr7w5ZDeATOTHGuD8QZeK0nxPl\n" +"CWhRjdgkqo0fyf1cjczL5XgYayo+YxkO1Z4RUU+8lJAHlVx9izOQo+MTQfkwH4BK\n" +"LYlHxMoHJwAOXXoE+dmBaDh5xT0mDUGU750r763L6EFovE4qRBn9hxkCgYEA0GWz\n" +"rpOPNxb419WxG9npoQYdCZ5IbmEOGDH3ReggVzWHmW8sqtkqTZm5srcyDpqAc1Gu\n" +"paUveMblEBbU+NFJjLWOfwB5PCp8jsrqRgCQSxolShiVkc3Vu3oyzMus9PDge1eo\n" +"9mwVGO7ojQKWRu/WVAakENPaAjeyyhv4dqSNnjsCgYEAlwe8yszqoY1k8+U0T0G+\n" +"HeIdOCXgkmOiNCj+zyrLvaEhuS6PLq1b5TBVqGJcSPWdQ+MrglbQIKu9pUg5ptt7\n" +"wJ5WU+i9PeK9Ruxc/g/BFKYFkFJQjtZzb+nqm3wpul8zGwDN/O/ZiTqCyd3rHbmM\n" +"/dZ/viKPCZHIEBAEq0m3LskCgYBndzcAo+5k8ZjWwBfQth5SfhCIp/daJgGzbYtR\n" +"P/BenAsY2KOap3tjT8Fsw5usuHSxzIojX6H0Gvu7Qzq11mLn43Q+BeQrRQTWeFRc\n" +"MQdy4iZFZXNNEp7dF8yE9VKHwdgSJPGUdxD6chMvf2tRCN6mlS171VLV6wVvZvez\n" +"H/vX5QKBgD2Dq/NHpjCpAsECP9awmNF5Akn5WJbRGmegwXIih2mOtgtYYDeuQyxY\n" +"ZCrdJFfIUjUVPagshEmUklKhkYMYpzy2PQDVtaVcm6UNFroxT5h+J+KDs1LN1H8G\n" +"LsASrzyAg8EpRulwXEfLrWKiu9DKv8bMEgO4Ovgz8zTKJZIFhcac\n" +"-----END RSA PRIVATE KEY-----\n"; + + +static char *remote_private_key = +"-----BEGIN RSA PRIVATE KEY-----\n" +"MIIEowIBAAKCAQEAweb6oblp8IcV2an3z5n484Hu8PdaF+CEpW6CHwV6d7C49pqi\n" +"0rGIYATSQJ/xZdTmXhcNHeIFYmwYMeWXXI7Ivgpb2CvB+d+IkyXza4jMoYOJElsW\n" +"RdU4sX8NxUuy6oyhGOWTT36eWuD/vFL3qK2CbrK55b9Q4hemj4SUIfCetiem4cet\n" 
+"gzSzu3WWzdAVLJ1rcg3H4uQzo39v695UkX3nJ97ga9UGEWkuRa1fjEqBnIyNzO+Z\n" +"notU01Ke2E+GVkUeaylDKpetOcbJrHerKiWiqH2JsO8ArmlSfOqW/8PLK3XXSrdt\n" +"cVHkDTCp+PR+q2nszDhN1OQVDLWfj9jgS5PwjwIDAQABAoIBAHfgWhED9VgL29le\n" +"uGMzmPLK4LM+6Qcb+kXghTeyhl1a928WeRVzRpG+SVJEz9QaBHYlICnaY2PO2kJ2\n" +"49YIPFkpRFDn9JuLs/7tFonj4Eb2cBbWE3YG9W7e0t+oBiv1117yB9m8uSAMPG7s\n" +"iEpTQvE3M7CzT8kHwCS4XXCCN0z7LqKyZ1heScjdfhV3D2TnFFjdtQ/9KfQa3hIc\n" +"6ftbpi4EKbfasspyqfrJ/cqjHzse9iEXLOZJhs+atBAKe/uJ4Hc3LRPbX4MPniAp\n" +"JJrldXFK9p+HILlbXvu+5n+DSGbZmT1x9a/E9suGyoJiASDH2Ax4yCVTi+v8C1R2\n" +"aKdU1LkCgYEA/3dFuM6zIHwiJ0GKT0gtJL6J3m+i51SNcRIm8deXt6HULMpUNajj\n" +"vZ1bgQm/h+uRBlPV3swkaVxvPTIabOTY4gmCBSzvVCSIAKHVc/+5Nkl9KruwSq4G\n" +"tctmXZ7ymMDi+6QGCJTJkAx6jptXyrzC00HOjXOwyQ+iDipqgr3A8FsCgYEAwk7B\n" +"2/hi569EIHFRT6nz/JMqQVPZ/MJDKoKhffTbnjQ5OAzpiVN6cyThMM1iVJEBFNhx\n" +"OEacy60Qj0TtR1oYrQSRSLm58TTxiuB4Pohbmg3iU+kSM/eTq/ups/Ul1oCs2eAb\n" +"POfweD3c4d4i7sN8bUNQXehiE4MOlK9TYQy39t0CgYAJht0mwy6S644qgJsz0bE9\n" +"SY3Cqc8daV3M9axWIIAb7QEImpMBXUcA7zlWWpK18ub5oW68XEiPVU8grRmnLfGY\n" +"nFoo70ANlz8rJt3a8ZJqn9r3GQC+CDdf2DH9E8xgPfE5CSjgcQwDPzPi1ZA0k02A\n" +"q1eUltfk55xXguVt8r2bOQKBgQC7+kldr1yv20VDRZ1uPnMGRLE6Zg6bkqw78gid\n" +"vEbDNK6uZP+BlTr/LgyVk/yu52Fucz6FPPrvqEw+7mXHA4ifya1r+BHFIn0S57os\n" +"dOp5jTkKCI9NqxQ3683vhRjH/dA7L63qLFDdYqvP74FID+LOKbMURn6rdbyjZ0J4\n" +"vz8yGQKBgHIzcKlQosRxf+KptOPMGRs30L9PnH+sNmTo2SmEzAGkBkt1msGRh/2l\n" +"uT3hOEhUXL9knRyXwQSXgrIwr9QwI5rGS5FAgX26TgBtPBDs2NuyyhhS5yxsiEPT\n" +"BR+EjQFW9dzRkpRJgvsG4DcNAhFn7fQqFNcWXgFWuBXmGNkdtEGR\n" +"-----END RSA PRIVATE KEY-----"; + + + +static struct plugins_hdl *g_plugins = NULL; +static dds_security_authentication *g_auth = NULL; + +static DDS_Security_IdentityHandle g_local_identity_handle = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_IdentityHandle g_remote_identity_handle = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_AuthRequestMessageToken g_remote_auth_request_token = DDS_SECURITY_TOKEN_INIT; +static const DDS_Security_BinaryProperty_t 
*g_challenge1_predefined_glb = NULL; +static const DDS_Security_BinaryProperty_t *g_challenge2_predefined_glb = NULL; +static DDS_Security_OctetSeq g_serialized_participant_data = DDS_SECURITY_SEQUENCE_INIT; +static DDS_Security_ParticipantBuiltinTopicData *g_local_participant_data = NULL; + +static DDS_Security_ParticipantBuiltinTopicData *g_remote_participant_data1 = NULL; +static DDS_Security_ParticipantBuiltinTopicData *g_remote_participant_data2 = NULL; +static DDS_Security_GUID_t g_candidate_participant_guid; +static DDS_Security_GUID_t g_remote_participant_guid1; +static DDS_Security_GUID_t g_remote_participant_guid2; + +static EVP_PKEY *g_dh_modp_key = NULL; +static EVP_PKEY *g_dh_ecdh_key = NULL; +static struct octet_seq g_dh_modp_pub_key = {NULL, 0}; +static struct octet_seq g_dh_ecdh_pub_key = {NULL, 0}; + + +static void +octet_seq_init( + struct octet_seq *seq, + unsigned char *data, + uint32_t size) +{ + seq->data = ddsrt_malloc(size); + memcpy(seq->data, data, size); + seq->length = size; +} + +static void +octet_seq_deinit( + struct octet_seq *seq) +{ + ddsrt_free(seq->data); +} + +static void +serializer_participant_data( + DDS_Security_ParticipantBuiltinTopicData *pdata, + unsigned char **buffer, + size_t *size); + +static void +dds_security_property_init( + DDS_Security_PropertySeq *seq, + DDS_Security_unsigned_long size) +{ + seq->_length = size; + seq->_maximum = size; + seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t)); + memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t)); +} + +static void +dds_security_property_deinit( + DDS_Security_PropertySeq *seq) +{ + uint32_t i; + + for (i = 0; i < seq->_length; i++) { + ddsrt_free(seq->_buffer[i].name); + ddsrt_free(seq->_buffer[i].value); + } + ddsrt_free(seq->_buffer); +} + +static void +reset_exception( + DDS_Security_SecurityException *ex) +{ + ex->minor_code = 0; + ex->code = 0; + ddsrt_free(ex->message); + ex->message = NULL; +} + +static void 
+initialize_identity_token( + DDS_Security_IdentityToken *token, + const char *certAlgo, + const char *caAlgo) +{ + memset(token, 0, sizeof(*token)); + + token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID); + token->properties._maximum = 4; + token->properties._length = 4; + token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4); + + token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME); + token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CERT); + token->properties._buffer[0].propagate = true; + + token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM); + token->properties._buffer[1].value = ddsrt_strdup(certAlgo); + token->properties._buffer[1].propagate = true; + + token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME); + token->properties._buffer[2].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA); + token->properties._buffer[2].propagate = true; + + token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM); + token->properties._buffer[3].value = ddsrt_strdup(caAlgo); + token->properties._buffer[3].propagate = true; +} + +static void +initialize_permissions_token( + DDS_Security_PermissionsToken *token, + const char *caAlgo) +{ + token->class_id = ddsrt_strdup(PERM_ACCESS_CLASS_ID); + token->properties._length = 2; + token->properties._maximum = 2; + token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4); + token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME); + token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA); + token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_PERM_CA_SUBJECT_NAME); + token->properties._buffer[1].value = ddsrt_strdup(caAlgo); +} + + + +static void +fill_auth_request_token( + DDS_Security_AuthRequestMessageToken *token) +{ + uint32_t i; + size_t len = 32; + unsigned char *challenge; + + challenge = ddsrt_malloc(len); + + for (i = 0; i < len; i++) { + challenge[i] = 
(unsigned char)(0xFF - i); + } + + memset(token, 0, sizeof(*token)); + + token->class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID); + token->binary_properties._maximum = 1; + token->binary_properties._length = 1; + token->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(1); + token->binary_properties._buffer->name = ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME); + + token->binary_properties._buffer->value._maximum = (DDS_Security_unsigned_long) len; + token->binary_properties._buffer->value._length = (DDS_Security_unsigned_long) len; + token->binary_properties._buffer->value._buffer = challenge; +} + + +static DDS_Security_BinaryProperty_t * +find_binary_property( + DDS_Security_DataHolder *token, + const char *name) +{ + DDS_Security_BinaryProperty_t *result = NULL; + uint32_t i; + + for (i = 0; i < token->binary_properties._length && !result; i++) { + if (token->binary_properties._buffer[i].name && (strcmp(token->binary_properties._buffer[i].name, name) == 0)) { + result = &token->binary_properties._buffer[i]; + } + } + + return result; +} + + +static DDS_Security_Property_t * +find_property( + DDS_Security_DataHolder *token, + const char *name) +{ + DDS_Security_Property_t *result = NULL; + uint32_t i; + + for (i = 0; i < token->properties._length && !result; i++) { + if (token->properties._buffer[i].name && (strcmp(token->properties._buffer[i].name, name) == 0)) { + result = &token->properties._buffer[i]; + } + } + + return result; +} + +static void +deinitialize_identity_token( + DDS_Security_IdentityToken *token) +{ + DDS_Security_DataHolder_deinit(token); +} + + +static int +validate_local_identity(void) +{ + int res = 0; + DDS_Security_ValidationResult_t result; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GUID_t local_participant_guid; + DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 
0xb9, 0xba, 0xbb}; + DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1}; + unsigned char *sdata; + size_t sz; + + memset(&local_participant_guid, 0, sizeof(local_participant_guid)); + memcpy(&g_candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&g_candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + memset(&participant_qos, 0, sizeof(participant_qos)); + dds_security_property_init(&participant_qos.property.value, 3); + participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT); + participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate); + participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA); + participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca); + participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY); + participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key); + + /* Now call the function. */ + result = g_auth->validate_local_identity( + g_auth, + &g_local_identity_handle, + &local_participant_guid, + domain_id, + &participant_qos, + &g_candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + res = -1; + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + g_local_participant_data = DDS_Security_ParticipantBuiltinTopicData_alloc(); + memcpy(&g_local_participant_data->key[0], &local_participant_guid, 12); + /* convert from big-endian format to native format */ + g_local_participant_data->key[0] = fromBE4u(g_local_participant_data->key[0]); + g_local_participant_data->key[1] = fromBE4u(g_local_participant_data->key[1]); + g_local_participant_data->key[2] = fromBE4u(g_local_participant_data->key[2]); + + initialize_identity_token(&g_local_participant_data->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + initialize_permissions_token(&g_local_participant_data->permissions_token, RSA_2048_ALGORITHM_NAME); + + g_local_participant_data->security_info.participant_security_attributes = 0x01; + g_local_participant_data->security_info.plugin_participant_security_attributes = 0x02; + + serializer_participant_data(g_local_participant_data, &sdata, &sz); + + g_serialized_participant_data._length = g_serialized_participant_data._maximum = (DDS_Security_unsigned_long) sz; + g_serialized_participant_data._buffer = sdata; + + return res; +} + +static void +release_local_identity(void) +{ + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + if (g_local_identity_handle != DDS_SECURITY_HANDLE_NIL) { + success = g_auth->return_identity_handle(g_auth, g_local_identity_handle, &exception); + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + reset_exception(&exception); + } + + DDS_Security_OctetSeq_deinit(&g_serialized_participant_data); + + if (g_local_participant_data) { + DDS_Security_ParticipantBuiltinTopicData_free(g_local_participant_data); + } +} + +static X509 * +load_certificate( + const char *data) +{ + X509 *cert = NULL; + BIO *bio; + + bio = BIO_new_mem_buf((void *) data, -1); + if (!bio) { + return NULL; + } + + cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); + + BIO_free(bio); + + return cert; +} + +static int +get_adjusted_participant_guid( + X509 *cert, + const DDS_Security_GUID_t *candidate, + DDS_Security_GUID_t *adjusted) +{ + int result = 0; + unsigned char high[SHA256_DIGEST_LENGTH], low[SHA256_DIGEST_LENGTH]; + unsigned char *subject; + DDS_Security_octet hb = 0x80; + X509_NAME *name; + unsigned char *tmp = NULL; + int32_t i, size; + + name = X509_get_subject_name(cert); + size = i2d_X509_NAME(name, &tmp); + if (size > 0) { + subject = ddsrt_malloc((size_t) size); + memcpy(subject, tmp, (size_t)size); + OPENSSL_free(tmp); + + SHA256(subject, (size_t)size, high); + SHA256(&candidate->prefix[0], sizeof(DDS_Security_GuidPrefix_t), low); + + adjusted->entityId = candidate->entityId; + for (i = 0; i < 6; i++) { + adjusted->prefix[i] = hb | high[i]>>1; + hb = (unsigned char)( high[i]<<7 ); + } + for (i = 0; i < 6; i++) { + adjusted->prefix[i+6] = low[i]; + } + ddsrt_free(subject); + result = 1; + } + + return result; +} + +static int +create_dh_key_modp_2048( + EVP_PKEY **pkey) +{ + int r = 0; + EVP_PKEY *params = NULL; + EVP_PKEY_CTX *kctx = NULL; + DH *dh = NULL; + + *pkey = NULL; + + if ((params = EVP_PKEY_new()) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EVP_PKEY: %s", msg); + ddsrt_free(msg); + r = -1; + } else if ((dh = DH_get_2048_256()) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate DH parameter: %s", msg); + ddsrt_free(msg); + r = 
-1;
+ } else if (EVP_PKEY_set1_DH(params, dh) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to set DH parameter to MODP_2048_256: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to allocate KEY context %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_keygen_init(kctx) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to initialize KEY context: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to generate :MODP_2048_256 keys %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ }
+
+ if (params) EVP_PKEY_free(params);
+ if (kctx) EVP_PKEY_CTX_free(kctx);
+ if (dh) DH_free(dh);
+
+ return r;
+}
+
+static int
+get_dh_public_key_modp_2048(
+ EVP_PKEY *pkey,
+ struct octet_seq *pubkey)
+{
+ int r = 0;
+ DH *dhkey;
+ unsigned char *buffer = NULL;
+ uint32_t size;
+ ASN1_INTEGER *asn1int;
+
+ dhkey = EVP_PKEY_get1_DH(pkey);
+ if (!dhkey) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to get DH key from PKEY: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ goto fail_get_dhkey;
+ }
+
+ asn1int = BN_to_ASN1_INTEGER( dh_get_public_key(dhkey) , NULL);
+ if (!asn1int) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to convert DH key to ASN1 integer: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ goto fail_get_pubkey;
+ }
+
+ size = (uint32_t)i2d_ASN1_INTEGER(asn1int, &buffer);
+ octet_seq_init(pubkey, buffer, size);
+
+ ASN1_INTEGER_free(asn1int);
+ OPENSSL_free(buffer);
+
+fail_get_pubkey:
+ DH_free(dhkey);
+fail_get_dhkey:
+ return r;
+}
+
+static int
+create_dh_key_ecdh(
+ EVP_PKEY **pkey)
+{
+ int r = 0;
+ EVP_PKEY *params = NULL;
+ EVP_PKEY_CTX *pctx = NULL;
+ EVP_PKEY_CTX *kctx = NULL;
+
+ *pkey = NULL;
+
+ if ((pctx =
EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to allocate DH parameter context: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_paramgen_init(pctx) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to initialize DH generation context: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to set DH generation parameter generation method: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_paramgen(pctx, ¶ms) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to generate DH parameters: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to allocate KEY context %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_keygen_init(kctx) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to initialize KEY context: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to generate :MODP_2048_256 keys %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ }
+
+ if (kctx) EVP_PKEY_CTX_free(kctx);
+ if (params) EVP_PKEY_free(params);
+ if (pctx) EVP_PKEY_CTX_free(pctx);
+
+ return r;
+}
+
+static int
+get_dh_public_key_ecdh(
+ EVP_PKEY *pkey,
+ struct octet_seq *pubkey)
+{
+ int r = 0;
+ EC_KEY *eckey = NULL;
+ const EC_GROUP *group = NULL;
+ const EC_POINT *point = NULL;
+ size_t sz;
+
+ if (!(eckey = EVP_PKEY_get1_EC_KEY(pkey))) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to get EC key from PKEY: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (!(point = EC_KEY_get0_public_key(eckey))) {
+ char *msg =
get_openssl_error_message_for_test();
+ printf("Failed to get public key from ECKEY: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (!(group = EC_KEY_get0_group(eckey))) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to get group from ECKEY: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if ((sz = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, NULL, 0, NULL)) != 0) {
+ pubkey->data = ddsrt_malloc(sz);
+ pubkey->length = (uint32_t) EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, pubkey->data, sz, NULL);
+ if (pubkey->length == 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to serialize public EC key: %s", msg);
+ ddsrt_free(msg);
+ octet_seq_deinit(pubkey);
+ r = -1;
+ }
+ } else {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to serialize public EC key: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ }
+
+ if (eckey) EC_KEY_free(eckey);
+
+ return r;
+}
+
+static int
+validate_remote_identities (const char *remote_id_certificate)
+{
+ int res = 0;
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityToken remote_identity_token;
+ static DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_GUID_t guid1;
+ DDS_Security_GUID_t guid2;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix1 = {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab};
+ DDS_Security_GuidPrefix_t prefix2 = {0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb};
+ DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1};
+ X509 *cert;
+
+ memcpy(&guid1.prefix, &prefix1, sizeof(prefix1));
+ memcpy(&guid1.entityId, &entityId, sizeof(entityId));
+ memcpy(&guid2.prefix, &prefix2, sizeof(prefix2));
+ memcpy(&guid2.entityId, &entityId, sizeof(entityId));
+
+ if (g_local_identity_handle == DDS_SECURITY_HANDLE_NIL) {
+ return -1;
+ }
+
+ cert =
load_certificate(remote_id_certificate);
+ if (!cert) {
+ return -1;
+ }
+
+ if (!get_adjusted_participant_guid(cert, &guid1, &g_remote_participant_guid1)) {
+ X509_free(cert);
+ return -1;
+ }
+
+ if (!get_adjusted_participant_guid(cert, &guid2, &g_remote_participant_guid2)) {
+ X509_free(cert);
+ return -1;
+ }
+
+ X509_free(cert);
+
+ initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+
+ reset_exception(&exception);
+
+ fill_auth_request_token(&g_remote_auth_request_token);
+
+ result = g_auth->validate_remote_identity(
+ g_auth,
+ &g_remote_identity_handle,
+ &local_auth_request_token,
+ &g_remote_auth_request_token,
+ g_local_identity_handle,
+ &remote_identity_token,
+ &g_remote_participant_guid2,
+ &exception);
+
+ if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) &&
+ (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) {
+ printf("validate_remote_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ reset_exception(&exception);
+
+ deinitialize_identity_token(&remote_identity_token);
+ DDS_Security_DataHolder_deinit(&local_auth_request_token);
+
+ g_remote_participant_data1 = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&g_remote_participant_data1->key[0], &g_remote_participant_guid1, 12);
+ g_remote_participant_data1->key[0] = fromBE4u(g_remote_participant_data1->key[0]);
+ g_remote_participant_data1->key[1] = fromBE4u(g_remote_participant_data1->key[1]);
+ g_remote_participant_data1->key[2] = fromBE4u(g_remote_participant_data1->key[2]);
+
+ initialize_identity_token(&g_remote_participant_data1->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&g_remote_participant_data1->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ g_remote_participant_data1->security_info.participant_security_attributes = 0x01;
+
g_remote_participant_data1->security_info.plugin_participant_security_attributes = 0x02;
+
+ g_remote_participant_data2 = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&g_remote_participant_data2->key[0], &g_remote_participant_guid2, 12);
+ g_remote_participant_data2->key[0] = fromBE4u(g_remote_participant_data2->key[0]);
+ g_remote_participant_data2->key[1] = fromBE4u(g_remote_participant_data2->key[1]);
+ g_remote_participant_data2->key[2] = fromBE4u(g_remote_participant_data2->key[2]);
+
+ initialize_identity_token(&g_remote_participant_data2->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&g_remote_participant_data2->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ g_remote_participant_data2->security_info.participant_security_attributes = 0x01;
+ g_remote_participant_data2->security_info.plugin_participant_security_attributes = 0x02;
+
+ g_remote_participant_data2->security_info.participant_security_attributes = 0x01;
+ g_remote_participant_data2->security_info.plugin_participant_security_attributes = 0x02;
+
+ g_challenge1_predefined_glb = find_binary_property(&g_remote_auth_request_token, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+ g_challenge2_predefined_glb = g_challenge1_predefined_glb;
+
+ return res;
+}
+
+static void
+release_remote_identities(void)
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ if (g_remote_identity_handle != DDS_SECURITY_HANDLE_NIL) {
+ success = g_auth->return_identity_handle(g_auth, g_remote_identity_handle, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ?
exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ }
+
+ DDS_Security_DataHolder_deinit(&g_remote_auth_request_token);
+
+ DDS_Security_ParticipantBuiltinTopicData_free(g_remote_participant_data1);
+ DDS_Security_ParticipantBuiltinTopicData_free(g_remote_participant_data2);
+}
+
+CU_Init(ddssec_builtin_get_authenticated_peer_credential)
+{
+ int result = 0;
+
+ /* Only need the authentication plugin. */
+ g_plugins = load_plugins(NULL /* Access Control */,
+ &g_auth /* Authentication */,
+ NULL /* Cryptograpy */);
+ if (g_plugins) {
+ result = validate_local_identity();
+ if (result >= 0) {
+ result = validate_remote_identities( REMOTE_IDENTITY_CERTIFICATE );
+ }
+ if (result >= 0) {
+ result = create_dh_key_modp_2048(&g_dh_modp_key);
+ }
+ if (result >= 0) {
+ result = get_dh_public_key_modp_2048(g_dh_modp_key, &g_dh_modp_pub_key);
+ }
+ if (result >= 0) {
+ result = create_dh_key_ecdh(&g_dh_ecdh_key);
+ }
+ if (result >= 0) {
+ result = get_dh_public_key_ecdh(g_dh_ecdh_key, &g_dh_ecdh_pub_key);
+ }
+ } else {
+ result = -1;
+ }
+
+
+ return result;
+}
+
+CU_Clean(ddssec_builtin_get_authenticated_peer_credential)
+{
+ release_local_identity();
+ release_remote_identities();
+ unload_plugins(g_plugins);
+ octet_seq_deinit(&g_dh_modp_pub_key);
+ octet_seq_deinit(&g_dh_ecdh_pub_key);
+ if (g_dh_modp_key) {
+ EVP_PKEY_free(g_dh_modp_key);
+ }
+ if (g_dh_ecdh_key) {
+ EVP_PKEY_free(g_dh_ecdh_key);
+ }
+ return 0;
+}
+
+static void
+serializer_participant_data(
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ unsigned char **buffer,
+ size_t *size)
+{
+ DDS_Security_Serializer serializer;
+ serializer = DDS_Security_Serializer_new(1024, 1024);
+
+ DDD_Security_Serialize_ParticipantBuiltinTopicData(serializer, pdata);
+ DDS_Security_Serializer_buffer(serializer, buffer, size);
+ DDS_Security_Serializer_free(serializer);
+}
+
+
+static void
+set_binary_property_value(
+ DDS_Security_BinaryProperty_t *bp,
+ const char *name,
+ const
unsigned char *data,
+ size_t length)
+{
+ assert(bp);
+ assert(name);
+ assert(data);
+
+ bp->name = ddsrt_strdup(name);
+ bp->value._maximum = bp->value._length = (DDS_Security_unsigned_long) length;
+ if (length) {
+ bp->value._buffer = ddsrt_malloc(length);
+ memcpy(bp->value._buffer, data, length);
+ } else {
+ bp->value._buffer = NULL;
+ }
+}
+
+static void
+set_binary_property_string(
+ DDS_Security_BinaryProperty_t *bp,
+ const char *name,
+ const char *data)
+{
+ uint32_t length;
+
+ assert(bp);
+ assert(name);
+ assert(data);
+
+ length = (uint32_t)strlen(data) + 1;
+ set_binary_property_value(bp, name, (const unsigned char *)data, length);
+}
+
+static void
+fill_handshake_message_token(
+ DDS_Security_HandshakeMessageToken *token,
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ const char *certificate,
+ const char *dsign,
+ const char *kagree,
+ const struct octet_seq *diffie_hellman1,
+ const unsigned char *challengeData,
+ unsigned int challengeDataSize,
+ const struct octet_seq *diffie_hellman2,
+ const unsigned char *challengeData2,
+ unsigned int challengeDataSize2,
+ const DDS_Security_BinaryProperty_t *hash1_from_request,
+ const DDS_Security_BinaryProperty_t *hash2_from_reply,
+ HandshakeStep_t step)
+{
+ DDS_Security_BinaryProperty_t *tokens;
+ DDS_Security_BinaryProperty_t *c_id;
+ DDS_Security_BinaryProperty_t *c_perm;
+ DDS_Security_BinaryProperty_t *c_pdata;
+ DDS_Security_BinaryProperty_t *c_dsign_algo;
+ DDS_Security_BinaryProperty_t *c_kagree_algo;
+ DDS_Security_BinaryProperty_t *hash_c1;
+ DDS_Security_BinaryProperty_t *hash_c2;
+ DDS_Security_BinaryProperty_t *dh1;
+ DDS_Security_BinaryProperty_t *dh2;
+ DDS_Security_BinaryProperty_t *challenge1;
+ DDS_Security_BinaryProperty_t *challenge2;
+ DDS_Security_BinaryProperty_t *signature;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ unsigned idx;
+ unsigned char *serialized_local_participant_data;
+ size_t serialized_local_participant_data_size;
+ /*unsigned
hash[32];*/
+
+ switch( step )
+ {
+
+ case HANDSHAKE_REQUEST:
+ tokens = DDS_Security_BinaryPropertySeq_allocbuf(8);
+ c_id = &tokens[0];
+ c_perm = &tokens[1];
+ c_pdata = &tokens[2];
+ c_dsign_algo = &tokens[3];
+ c_kagree_algo = &tokens[4];
+ hash_c1 = &tokens[5];
+ dh1 = &tokens[6];
+ challenge1 = &tokens[7];
+
+ serializer_participant_data(pdata, &serialized_local_participant_data, &serialized_local_participant_data_size);
+
+ /* Store the Identity Certificate associated with the local identify in c.id property */
+ if (certificate) {
+ set_binary_property_string(c_id, "c.id", certificate);
+ } else {
+ set_binary_property_string(c_id, "c.idx", "rubbish");
+ }
+
+ /* Store the permission document in the c.perm property */
+ set_binary_property_string(c_perm, "c.perm", PERMISSIONS_DOCUMENT);
+
+ /* Store the provided g_local_participant_data in the c.pdata property */
+ set_binary_property_value(c_pdata, "c.pdata", serialized_local_participant_data, serialized_local_participant_data_size);
+ ddsrt_free(serialized_local_participant_data);
+
+ /* Set the used signing algorithm descriptor in c.dsign_algo */
+ if (dsign) {
+ set_binary_property_string(c_dsign_algo, "c.dsign_algo", dsign);
+ } else {
+ set_binary_property_string(c_dsign_algo, "c.dsign_algox", "rubbish");
+ }
+
+ /* Set the used key algorithm descriptor in c.kagree_algo */
+ if (kagree) {
+ set_binary_property_string(c_kagree_algo, "c.kagree_algo", kagree);
+ } else {
+ set_binary_property_string(c_kagree_algo, "c.kagree_algox", "rubbish");
+ }
+
+ /* Calculate the hash_c1 */
+ {
+ DDS_Security_BinaryPropertySeq bseq;
+ DDS_Security_Serializer serializer;
+ unsigned char hash1_sentrequest_arr[32];
+ unsigned char *buffer;
+ size_t size;
+
+ bseq._length = bseq._maximum = 5;
+ bseq._buffer = tokens;
+
+ serializer = DDS_Security_Serializer_new(1024, 1024);
+
+ DDS_Security_Serialize_BinaryPropertySeq(serializer, &bseq);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+ SHA256(buffer,
size, hash1_sentrequest_arr);
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+
+ set_binary_property_value(hash_c1, "hash_c1", hash1_sentrequest_arr, sizeof(hash1_sentrequest_arr));
+ }
+
+ /* Set the DH public key associated with the local participant in dh1 property */
+ if (diffie_hellman1) {
+ set_binary_property_value(dh1, "dh1", diffie_hellman1->data, diffie_hellman1->length);
+ } else {
+ set_binary_property_string(dh1, "dh1x", "rubbish");
+ }
+
+ /* Set the challenge in challenge1 property */
+ if (challengeData) {
+ set_binary_property_value(challenge1, "challenge1", challengeData, challengeDataSize);
+ } else {
+ set_binary_property_value(challenge1, "challenge1x", g_challenge1_predefined_glb->value._buffer, g_challenge1_predefined_glb->value._length);
+ }
+
+ token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID);
+ token->binary_properties._length = token->binary_properties._maximum = 8;
+ token->binary_properties._buffer = tokens;
+ break;
+
+ case HANDSHAKE_REPLY:
+ tokens = DDS_Security_BinaryPropertySeq_allocbuf(12);
+ idx = 0;
+ c_id = &tokens[idx++];
+ c_perm = &tokens[idx++];
+ c_pdata = &tokens[idx++];
+ c_dsign_algo = &tokens[idx++];
+ c_kagree_algo = &tokens[idx++];
+ hash_c2 = &tokens[idx++];
+ challenge2 = &tokens[idx++];
+ dh2 = &tokens[idx++];
+ challenge1 = &tokens[idx++];
+ dh1 = &tokens[idx++];
+ hash_c1 = &tokens[idx++] ;
+ signature = &tokens[idx++];
+
+ serializer_participant_data(pdata, &serialized_local_participant_data, &serialized_local_participant_data_size);
+
+ /* Store the Identity Certificate associated with the local identify in c.id property */
+ if (certificate) {
+ set_binary_property_string(c_id, "c.id", certificate);
+ } else {
+ set_binary_property_string(c_id, "c.idx", "rubbish");
+ }
+
+ /* Store the permission document in the c.perm property */
+ set_binary_property_string(c_perm, "c.perm", PERMISSIONS_DOCUMENT);
+
+ /* Store the provided g_local_participant_data in the c.pdata
property */
+ set_binary_property_value(c_pdata, "c.pdata", serialized_local_participant_data, serialized_local_participant_data_size);
+ ddsrt_free(serialized_local_participant_data);
+
+ /* Set the used signing algorithm descriptor in c.dsign_algo */
+ if (dsign) {
+ set_binary_property_string(c_dsign_algo, "c.dsign_algo", dsign);
+ } else {
+ set_binary_property_string(c_dsign_algo, "c.dsign_algox", "rubbish");
+ }
+
+ /* Set the used key algorithm descriptor in c.kagree_algo */
+ if (kagree) {
+ set_binary_property_string(c_kagree_algo, "c.kagree_algo", kagree);
+ } else {
+ set_binary_property_string(c_kagree_algo, "c.kagree_algox", "rubbish");
+ }
+
+ CU_ASSERT(hash1_from_request != NULL);
+
+ set_binary_property_value(hash_c1, "hash_c1", hash1_from_request->value._buffer, hash1_from_request->value._length);
+
+ /* Calculate the hash_c2 */
+ {
+ DDS_Security_BinaryPropertySeq bseq;
+ DDS_Security_Serializer serializer;
+ unsigned char hash2_sentreply_arr[32];
+ unsigned char *buffer;
+ size_t size;
+
+ bseq._length = bseq._maximum = 5;
+ bseq._buffer = tokens;
+
+ serializer = DDS_Security_Serializer_new(1024, 1024);
+
+ DDS_Security_Serialize_BinaryPropertySeq(serializer, &bseq);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+ SHA256(buffer, size, hash2_sentreply_arr);
+
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+
+ set_binary_property_value(hash_c2, "hash_c2", hash2_sentreply_arr, sizeof(hash2_sentreply_arr));
+ }
+
+ /* Set the challenge in challenge1 property */
+ if (challengeData) {
+ set_binary_property_value(challenge1, "challenge1", challengeData, challengeDataSize);
+ } else {
+ set_binary_property_value(challenge1, "challenge1x", challenge2->value._buffer, challenge2->value._length);
+ }
+
+ /* Set the challenge in challenge2 property */
+ if (challengeData2) {
+ set_binary_property_value(challenge2, "challenge2", challengeData2, challengeDataSize2);
+ } else {
+ set_binary_property_value(challenge2,
"challenge2x", challenge2->value._buffer, challenge2->value._length);
+ }
+
+
+ /* Set the DH public key associated with the local participant in dh1 property */
+ if (diffie_hellman1) {
+ set_binary_property_value(dh1, "dh1", diffie_hellman1->data, diffie_hellman1->length);
+ } else {
+ set_binary_property_string(dh1, "dh1x", "rubbish");
+ }
+
+ /* Set the DH public key associated with the local participant in dh2 property */
+ if (diffie_hellman2) {
+ set_binary_property_value(dh2, "dh2", diffie_hellman2->data, diffie_hellman2->length);
+ } else {
+ set_binary_property_string(dh2, "dh2x", "rubbish");
+ }
+
+ /* Calculate the signature */
+ {
+ BIO *bio;
+ EVP_PKEY *private_key_x509;
+ unsigned char *sign;
+ size_t signlen;
+
+ const DDS_Security_BinaryProperty_t * binary_properties[ HANDSHAKE_SIGNATURE_SIZE ];
+
+ /* load certificate in buffer */
+ bio = BIO_new_mem_buf((const char *) remote_private_key, -1);
+ assert( bio );
+ private_key_x509 = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+ assert (private_key_x509 );
+
+ binary_properties[0] = hash_c2;
+ binary_properties[1] = challenge2;
+ binary_properties[2] = dh2;
+ binary_properties[3] = challenge1;
+ binary_properties[4] = dh1;
+ binary_properties[5] = hash_c1;
+
+ if (create_signature_for_test(private_key_x509, binary_properties, HANDSHAKE_SIGNATURE_SIZE , &sign, &signlen, &exception) != DDS_SECURITY_VALIDATION_OK)
+ {
+ printf("Exception: %s\n", exception.message);
+ }
+ set_binary_property_value(signature, "signature", sign, signlen);
+
+ ddsrt_free(sign);
+ BIO_free(bio);
+ EVP_PKEY_free(private_key_x509);
+ }
+
+ token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID);
+ token->binary_properties._length = token->binary_properties._maximum = 12;
+ token->binary_properties._buffer = tokens;
+ break;
+
+ case HANDSHAKE_FINAL:
+ tokens = DDS_Security_BinaryPropertySeq_allocbuf(7);
+ idx = 0;
+ signature = &tokens[idx++];
+ hash_c1 = &tokens[idx++];
+ challenge1 = &tokens[idx++];
+ dh1 =
&tokens[idx++];
+ challenge2 = &tokens[idx++];
+ dh2 = &tokens[idx++];
+ hash_c2 = &tokens[idx++];
+
+ CU_ASSERT(hash1_from_request != NULL);
+ CU_ASSERT(hash2_from_reply != NULL);
+
+ set_binary_property_value(hash_c1, "hash_c1", hash1_from_request->value._buffer, hash1_from_request->value._length);
+ set_binary_property_value(hash_c2, "hash_c2", hash2_from_reply->value._buffer, hash2_from_reply->value._length);
+
+ printf("process: %s\n", hash_c1->name);
+
+ /* Set the challenge in challenge1 property */
+ if (challengeData) {
+ set_binary_property_value(challenge1, "challenge1", challengeData, challengeDataSize);
+ } else {
+ set_binary_property_value(challenge1, "challenge1x", challenge2->value._buffer, challenge2->value._length);
+ }
+
+ /* Set the challenge in challenge2 property */
+ if (challengeData2) {
+ set_binary_property_value(challenge2, "challenge2", challengeData2, challengeDataSize2);
+ } else {
+ set_binary_property_value(challenge2, "challenge2x", challenge2->value._buffer, challenge2->value._length);
+ }
+
+
+ /* Set the DH public key associated with the local participant in dh1 property */
+ if (diffie_hellman1) {
+ set_binary_property_value(dh1, "dh1", diffie_hellman1->data, diffie_hellman1->length);
+ } else {
+ set_binary_property_string(dh1, "dh1x", "rubbish");
+ }
+
+ /* Set the DH public key associated with the local participant in dh2 property */
+ if (diffie_hellman2) {
+ set_binary_property_value(dh2, "dh2", diffie_hellman2->data, diffie_hellman2->length);
+ } else {
+ set_binary_property_string(dh2, "dh2x", "rubbish");
+ }
+
+ /* Calculate the signature */
+ {
+ BIO *bio;
+ EVP_PKEY *private_key_x509;
+ unsigned char *sign;
+ size_t signlen;
+ const DDS_Security_BinaryProperty_t * binary_properties[ HANDSHAKE_SIGNATURE_SIZE ];
+
+ /* load certificate in buffer */
+ bio = BIO_new_mem_buf((const char *) remote_private_key, -1);
+ assert( bio );
+ private_key_x509 = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+ assert
(private_key_x509 );
+
+ binary_properties[0] = hash_c1;
+ binary_properties[1] = challenge1;
+ binary_properties[2] = dh1;
+ binary_properties[3] = challenge2;
+ binary_properties[4] = dh2;
+ binary_properties[5] = hash_c2;
+
+ if (create_signature_for_test(private_key_x509, binary_properties, HANDSHAKE_SIGNATURE_SIZE, &sign, &signlen, &exception) != DDS_SECURITY_VALIDATION_OK)
+ {
+ printf("Exception: %s\n", exception.message);
+ }
+ set_binary_property_value(signature, "signature", sign, signlen);
+
+ ddsrt_free(sign);
+ BIO_free(bio);
+ EVP_PKEY_free(private_key_x509);
+ }
+ token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_FINAL_TOKEN_CLASS_ID);
+ token->binary_properties._length = token->binary_properties._maximum = 7;
+ token->binary_properties._buffer = tokens;
+ break;
+ }
+}
+
+static void
+fill_handshake_message_token_default(
+ DDS_Security_HandshakeMessageToken *token,
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ const unsigned char *challengeData,
+ unsigned int challengeDataSize)
+{
+ fill_handshake_message_token(
+ token, pdata, REMOTE_IDENTITY_CERTIFICATE,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ &g_dh_modp_pub_key, challengeData, challengeDataSize, NULL, NULL, 0, NULL, NULL, HANDSHAKE_REQUEST);
+}
+
+static void
+handshake_message_deinit(
+ DDS_Security_HandshakeMessageToken *token)
+{
+ DDS_Security_DataHolder_deinit(token);
+}
+
+CU_Test(ddssec_builtin_get_authenticated_peer_credential,token_after_request )
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_reply_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_AuthenticatedPeerCredentialToken credential_token = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+ const DDS_Security_BinaryProperty_t *hash1_sentrequest;
+ const
DDS_Security_BinaryProperty_t *dh1;
+ const DDS_Security_BinaryProperty_t *challenge1_glb;
+ const DDS_Security_Property_t *c_id;
+ const DDS_Security_Property_t *c_perm;
+ struct octet_seq dh1_pub_key;
+
+ CU_ASSERT_FATAL (g_auth != NULL);
+ CU_ASSERT_FATAL (g_local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (g_remote_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (g_auth->begin_handshake_request != NULL);
+ CU_ASSERT_FATAL (g_auth->process_handshake != NULL);
+
+ /* simulate request */
+ result = g_auth->begin_handshake_request(
+ g_auth,
+ &handshake_handle,
+ &handshake_token_out,
+ g_local_identity_handle,
+ g_remote_identity_handle,
+ &g_serialized_participant_data,
+ &exception);
+
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE);
+
+ /* mock reply */
+ dh1 = find_binary_property(&handshake_token_out, "dh1");
+ dh1_pub_key.data = dh1->value._buffer;
+ dh1_pub_key.length = dh1->value._length;
+ challenge1_glb = find_binary_property(&handshake_token_out, "challenge1");
+ hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1");
+ fill_handshake_message_token(
+ &handshake_reply_token_in,
+ g_remote_participant_data2,
+ REMOTE_IDENTITY_CERTIFICATE,
+ AUTH_DSIGN_ALGO_RSA_NAME,
+ AUTH_KAGREE_ALGO_ECDH_NAME,
+ &dh1_pub_key,
+ challenge1_glb->value._buffer,
+ challenge1_glb->value._length,
+ &g_dh_ecdh_pub_key,
+ g_challenge2_predefined_glb->value._buffer,
+ g_challenge2_predefined_glb->value._length,
+ hash1_sentrequest,
+ NULL,
+ HANDSHAKE_REPLY);
+ handshake_message_deinit(&handshake_token_out);
+
+ /* simulate process */
+ result = g_auth->process_handshake(
+ g_auth,
+ &handshake_token_out,
+ &handshake_reply_token_in,
+ handshake_handle,
+ &exception);
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_OK_FINAL_MESSAGE);
+
+ /*
+ * Actual test.
+ */
+ success = g_auth->get_authenticated_peer_credential_token(
+ g_auth,
+ &credential_token,
+ handshake_handle,
+ &exception);
+
+ CU_ASSERT_TRUE (success);
+
+ CU_ASSERT_FATAL(credential_token.class_id != NULL);
+ CU_ASSERT(strcmp(credential_token.class_id, AUTH_PROTOCOL_CLASS_ID) == 0);
+ CU_ASSERT(credential_token.properties._length == 2);
+ CU_ASSERT(credential_token.binary_properties._length == 0);
+
+ c_id = find_property(&credential_token, "c.id");
+ CU_ASSERT_FATAL(c_id != NULL);
+ CU_ASSERT_FATAL(c_id->value != NULL);
+ //printf("c_id->value: %s\n", c_id->value);
+ CU_ASSERT(strcmp(c_id->value, REMOTE_IDENTITY_CERTIFICATE) == 0);
+
+ c_perm = find_property(&credential_token, "c.perm");
+ CU_ASSERT_FATAL(c_perm != NULL);
+ CU_ASSERT_FATAL(c_perm->value != NULL);
+ //printf("c_perm->value: %s\n", c_perm->value);
+ CU_ASSERT(strcmp(c_perm->value, PERMISSIONS_DOCUMENT) == 0);
+
+ success = g_auth->return_authenticated_peer_credential_token(g_auth, &credential_token, &exception);
+ CU_ASSERT_TRUE (success);
+ CU_ASSERT(credential_token.class_id == NULL);
+ CU_ASSERT(credential_token.properties._buffer == NULL);
+ CU_ASSERT(credential_token.properties._maximum == 0);
+ CU_ASSERT(credential_token.properties._length == 0);
+ CU_ASSERT(credential_token.binary_properties._buffer == NULL);
+ CU_ASSERT(credential_token.binary_properties._maximum == 0);
+ CU_ASSERT(credential_token.binary_properties._length == 0);
+
+ success = g_auth->return_handshake_handle(g_auth, handshake_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_reply_token_in);
+ handshake_message_deinit(&handshake_token_out);
+}
+
+CU_Test(ddssec_builtin_get_authenticated_peer_credential,token_after_reply )
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken
handshake_final_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_final_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_AuthenticatedPeerCredentialToken credential_token = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_boolean success;
+ const DDS_Security_BinaryProperty_t *hash1_sentrequest;
+ const DDS_Security_BinaryProperty_t *hash2_sentreply;
+ const DDS_Security_BinaryProperty_t *challenge2_glb;
+ const DDS_Security_BinaryProperty_t *dh2;
+ const DDS_Security_Property_t *c_id;
+ const DDS_Security_Property_t *c_perm;
+ struct octet_seq dh2_pub_key;
+
+ CU_ASSERT_FATAL (g_auth->process_handshake != NULL);
+
+ CU_ASSERT_FATAL (g_auth != NULL);
+ CU_ASSERT_FATAL (g_local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (g_remote_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (g_auth->begin_handshake_reply != NULL);
+
+ /* simulate reply */
+ fill_handshake_message_token_default(
+ &handshake_token_in,
+ g_remote_participant_data1,
+ g_challenge1_predefined_glb->value._buffer,
+ g_challenge1_predefined_glb->value._length);
+
+ result = g_auth->begin_handshake_reply(
+ g_auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ g_remote_identity_handle,
+ g_local_identity_handle,
+ &g_serialized_participant_data,
+ &exception);
+
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE);
+
+ /* mock final */
+ dh2 = find_binary_property(&handshake_token_out, "dh2");
+ dh2_pub_key.data = dh2->value._buffer;
+ dh2_pub_key.length = dh2->value._length;
+ challenge2_glb = find_binary_property(&handshake_token_out, "challenge2");
+ hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1");
+ hash2_sentreply = find_binary_property(&handshake_token_out, "hash_c2");
+ fill_handshake_message_token(
+
&handshake_final_token_in,
+ NULL,
+ REMOTE_IDENTITY_CERTIFICATE,
+ AUTH_DSIGN_ALGO_RSA_NAME,
+ AUTH_KAGREE_ALGO_ECDH_NAME,
+ &g_dh_modp_pub_key,
+ g_challenge1_predefined_glb->value._buffer,
+ g_challenge1_predefined_glb->value._length,
+ &dh2_pub_key,
+ challenge2_glb->value._buffer,
+ challenge2_glb->value._length,
+ hash1_sentrequest,
+ hash2_sentreply,
+ HANDSHAKE_FINAL);
+
+ /* simulate process */
+ result = g_auth->process_handshake(
+ g_auth,
+ &handshake_final_token_out,
+ &handshake_final_token_in,
+ handshake_handle,
+ &exception);
+
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_OK);
+
+ /*
+ * Actual test.
+ */
+ success = g_auth->get_authenticated_peer_credential_token(
+ g_auth,
+ &credential_token,
+ handshake_handle,
+ &exception);
+
+ CU_ASSERT_TRUE (success);
+
+ CU_ASSERT_FATAL(credential_token.class_id != NULL);
+ CU_ASSERT(strcmp(credential_token.class_id, AUTH_PROTOCOL_CLASS_ID) == 0);
+ CU_ASSERT(credential_token.properties._length == 2);
+ CU_ASSERT(credential_token.binary_properties._length == 0);
+
+ c_id = find_property(&credential_token, "c.id");
+ CU_ASSERT_FATAL(c_id != NULL);
+ CU_ASSERT_FATAL(c_id->value != NULL);
+ //printf("c_id->value: %s\n", c_id->value);
+ CU_ASSERT(strcmp(c_id->value, REMOTE_IDENTITY_CERTIFICATE) == 0);
+
+ c_perm = find_property(&credential_token, "c.perm");
+ CU_ASSERT_FATAL(c_perm != NULL);
+ CU_ASSERT_FATAL(c_perm->value != NULL);
+ //printf("c_perm->value: %s\n", c_perm->value);
+ CU_ASSERT(strcmp(c_perm->value, PERMISSIONS_DOCUMENT) == 0);
+
+
+ success = g_auth->return_authenticated_peer_credential_token(g_auth, &credential_token, &exception);
+ CU_ASSERT_TRUE (success);
+ CU_ASSERT(credential_token.class_id == NULL);
+ CU_ASSERT(credential_token.properties._buffer == NULL);
+ CU_ASSERT(credential_token.properties._maximum == 0);
+ CU_ASSERT(credential_token.properties._length == 0);
+ CU_ASSERT(credential_token.binary_properties._buffer == NULL);
+
CU_ASSERT(credential_token.binary_properties._maximum == 0); + CU_ASSERT(credential_token.binary_properties._length == 0); + + success = g_auth->return_handshake_handle(g_auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_final_token_in); + handshake_message_deinit(&handshake_final_token_out); +} + +CU_Test(ddssec_builtin_get_authenticated_peer_credential,token_invalid_arguments ) +{ + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_AuthenticatedPeerCredentialToken credential_token = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeHandle invalid_handle = 3; + DDS_Security_boolean success; + + success = g_auth->get_authenticated_peer_credential_token(g_auth, &credential_token, invalid_handle, &exception); + CU_ASSERT_FALSE (success); + CU_ASSERT(exception.code != 0); + CU_ASSERT(exception.message != NULL); + reset_exception(&exception); + + success = g_auth->get_authenticated_peer_credential_token(NULL, &credential_token, invalid_handle, &exception); + CU_ASSERT_FALSE (success); + CU_ASSERT(exception.code != 0); + CU_ASSERT(exception.message != NULL); + reset_exception(&exception); + + success = g_auth->get_authenticated_peer_credential_token(g_auth, NULL, invalid_handle, &exception); + CU_ASSERT_FALSE (success); + CU_ASSERT(exception.code != 0); + CU_ASSERT(exception.message != NULL); + reset_exception(&exception); + + success = g_auth->get_authenticated_peer_credential_token(g_auth, &credential_token, 0, &exception); + CU_ASSERT_FALSE (success); + CU_ASSERT(exception.code != 0); + CU_ASSERT(exception.message != NULL); + reset_exception(&exception); + + success = g_auth->return_authenticated_peer_credential_token(NULL, &credential_token, &exception); + CU_ASSERT_FALSE (success); + CU_ASSERT(exception.code != 0); + CU_ASSERT(exception.message != NULL); + 
reset_exception(&exception);
+
+ success = g_auth->return_authenticated_peer_credential_token(g_auth, NULL, &exception);
+ CU_ASSERT_FALSE (success);
+ CU_ASSERT(exception.code != 0);
+ CU_ASSERT(exception.message != NULL);
+ reset_exception(&exception);
+}
diff --git a/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/identity_ca b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/identity_ca
new file mode 100644
index 0000000..f003d92
--- /dev/null
+++ b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/identity_ca
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkTCCAnmgAwIBAgIJAJvGJOEKNct1MA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV
+BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxGDAWBgNVBAMMD0NIQU01MDAgcm9vdCBjYTAeFw0xODAy
+MTIxNTA1MDVaFw0yMDEyMDIxNTA1MDVaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI
+DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
+GDAWBgNVBAMMD0NIQU01MDAgcm9vdCBjYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAM/dCO4QAcCduw0NMqShDpTvGT6DClTFAJE8ZfuPCHKqNkicRbyj
+sVXfF35Sdo6K92Ksz4G7i1RqJU2n8c7hg2EFUza0lIGgmTHV/DvFBcbAa0PpvdKS
+XoPtSNDh65/GO1R7oeSFRzapqsLMPUwOWi46dYvRnPabxs21xHxn56JeuG74bad5
+PMTBvA2SiiTYPBlHGJS78GPo3BPMjL0MzPoMmumO8NSVYI+MEDY1lC4KkyZVKqtV
+nIfaO/7adcM19xOAfAHkwhLGBC/bVAEqelev+GH/42xjNv532nM4/JVtBns+msR5
+DAYdtr6i82b7zhU1+lOOihv4lmQHoSnTya8CAwEAAaNQME4wHQYDVR0OBBYEFFYr
+0CpiwxgFcZnW6IQEhxGv/vwiMB8GA1UdIwQYMBaAFFYr0CpiwxgFcZnW6IQEhxGv
+/vwiMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKbBt0ht72fdtxwm
+Kr0pOsKyDW0Rd5Ca5aDK4qAhDL0AD5+O6ShGYCnFNDGk3J5Yzawp8VoKrhDZZyUt
+z2b0jNucVapAvPMA4066QxeIfvFmWcS73l7vjjeUoKWmNNGWprTg3RLsacTorKuY
+ZRL7wsThfrhvg4B/OOIWKp5MEwIrUfnQzUca8getF2eyTt6QcMtE29AW5+01QTzj
+fxZgzkmJFYBE2K/TLMDBDd+bz/8XnmPrJ01VUntXiXenTGTcIbJerB6GYQojjvhy
+ZrOeuHTON1ndFiQkpeZA67ByZjkKVoJG3I8fwBjzcLE7u/QAQptVPjJXXcSpL7fA
+a1tOvqw=
+-----END CERTIFICATE-----
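Review bot: The CA certificate added as `trusted_ca_dir/identity_ca` has a fixed validity window which, going by the base64 of its validity field, runs from 2018-02-12 to 2020-12-02, so any test that loads this directory becomes time-dependent after that date if the plugin checks the validity of trusted CAs (not visible from this hunk). The other fixtures added in this commit (`remote_identity_ca.crt`, `root_CA_RSA.crt` and `not_matching_trusted_ca.crt`) appear to expire in 2027 and have the same problem on a longer fuse. I would regenerate the test CAs with a long validity period, or create them during test setup, and add a short README under `etc/` that records the command used and states that these are test-only credentials. This file also lacks the `.crt` extension its siblings use; if that is deliberate, the README is the place to say so.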
diff --git a/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/remote_identity_ca.crt b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/remote_identity_ca.crt
new file mode 100644
index 0000000..6b096a0
--- /dev/null
+++ b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/remote_identity_ca.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEKTCCAxGgAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL
+MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50
+aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu
+Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcjELMAkGA1UEBhMC
+TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ
+ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0
+ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANa/ENFfGVXg
+bPLTzBdDfiZQcp5dWZ//Pb8ErFOJu8uosVHFv8t69dgjHgNHB4OsjmjnR7GfKUZT
+0cMvWJnjsC7DDlBwFET9rj4k40n96bbVCH9I7+tNhsoqzc6Eu+5h4sk7VfNGTM2Z
+SyCd4GiSZRuA44rRbhXI7/LDpr4hY5J9ZDo5AM9ZyoLAoh774H3CZWD67S35XvUs
+72dzE6uKG/vxBbvZ7eW2GLO6ewa9UxlnLVMPfJdpkp/xYXwwcPW2+2YXCge1ujxs
+tjrOQJ5HUySh6DkE/kZpx8zwYWm9AaCrsvCIX1thsqgvKy+U5v1FS1L58eGc6s//
+9yMgNhU29R0CAwEAAaOByTCBxjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRNVUJN
+FzhJPReYT4QSx6dK53CXCTAfBgNVHSMEGDAWgBRNVUJNFzhJPReYT4QSx6dK53CX
+CTAPBgNVHQ8BAf8EBQMDB/+AMGUGA1UdJQEB/wRbMFkGCCsGAQUFBwMBBggrBgEF
+BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkGCCsG
+AQUFBwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAcOLF
+ZYdJguj0uxeXB8v3xnUr1AWz9+gwg0URdfNLU2KvF2lsb/uznv6168b3/FcPgezN
+Ihl9GqB+RvGwgXS/1UelCGbQiIUdsNxk246P4uOGPIyW32RoJcYPWZcpY+cw11tQ
+NOnk994Y5/8ad1DmcxVLLqq5kwpXGWQufV1zOONq8B+mCvcVAmM4vkyF/de56Lwa
+sAMpk1p77uhaDnuq2lIR4q3QHX2wGctFid5Q375DRscFQteY01r/dtwBBrMn0wuL
+AMNx9ZGD+zAoOUaslpIlEQ+keAxk3jgGMWFMxF81YfhEnXzevSQXWpyek86XUyFL
+O9IAQi5pa15gXjSbUg==
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/root_CA_RSA.crt b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/root_CA_RSA.crt
new file mode 100644
index 0000000..61346df
--- /dev/null
+++ b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/root_CA_RSA.crt
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEtjCCA56gAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL
+MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50
+aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu
+Y29tMB4XDTE4MDYxMTAwMDAwMFoXDTI3MDYxMDIzNTk1OVowcjELMAkGA1UEBhMC
+TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ
+ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0
+ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANRf3XKmM6O+
+WoYPNpOAdkGKKZHLJ8ZuPxVVBMX6oJAlcOmkhLzfkHSA+gl/OWaMOXIEtN512gyL
+YszBf1RImwVzRjJFwIxzGzVQ68jYNj+qBbsOt+IG+hs3wgVCLFkCh+J7hXUgvk8A
+eRM/SRrI42dQfcgKUAMNi4/iX6Vs+FV9pHB63L4PiLA9hfUE25sH6EsIC7icvGDJ
+6cGG94glVSHDI1NtXfsNHY+NGY/jYKtQZklqU3lew5I60aJIsea+Wk6PJiz4hyXv
+XVVmrcNeG1g4OEFgiSXZC2XknDw8t9+ELprGNvuJvTFxwPMAgLeF4IhEQC9dQY2W
+BRwUxtZBzukCAwEAAaOCAVUwggFRMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFER4
+R6N3MQ1Wl7gn+R8wwHloDCVZMB8GA1UdIwQYMBaAFER4R6N3MQ1Wl7gn+R8wwHlo
+DCVZMA8GA1UdDwEB/wQFAwMH/4Awge8GA1UdJQEB/wSB5DCB4QYIKwYBBQUHAwEG
+CCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3
+AgEVBgorBgEEAYI3AgEWBgorBgEEAYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3
+CgMEBglghkgBhvhCBAEGCysGAQQBgjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYG
+CCsGAQUFBwMHBggrBgEFBQgCAgYKKwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUF
+BwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAwXuEWDG3
+aAyL+DsGr0B4YMLjHtx6FjzkJOpTtXQhkrtSMpD3Xytl7Wfz8lyWuTnbrk8F4gWO
+IkJR/NdMGW27SmeYU0z7QAGRDwtHX6kqqizQbCwf4F6P/2QftcLp1VrlsIlb0gyx
+gLjpGmn5TT7gj+ahW0iIRglOwhzCvkNu6agYpdGwVirSyLShy/Hq303DZSbVuktz
+5/PmZKpufnoGqURNnJqbV4TQipE0FiDmp2o+gVgJ+DVRhiCdfk68Xp7+TlmxCDfZ
+C3qb18qrwAZ4AL3T9/RlzfkXh4ME9V6wqa5Y6j7Vwx5Ef2OHL+mnMnoNSXDLRh6j
+45ky66su5dROpA==
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt
new file mode 100644
index 0000000..35506b8
--- /dev/null
+++ b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENDCCAxygAwIBAgIBAjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL
+MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50
+aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu
+Y29tMB4XDTE4MDYxMzAwMDAwMFoXDTI3MDYxMDIzNTk1OVowfTELMAkGA1UEBhMC
+TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMSQwIgYDVQQDExtJ
+ZGVudGl0eSBDQSBUZXN0IFdpdGggQ2hhaW4xJjAkBgkqhkiG9w0BCQEWF2luZm9A
+aXN0LmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA1r8Q0V8ZVeBs8tPMF0N+JlBynl1Zn/89vwSsU4m7y6ixUcW/y3r12CMeA0cH
+g6yOaOdHsZ8pRlPRwy9YmeOwLsMOUHAURP2uPiTjSf3pttUIf0jv602GyirNzoS7
+7mHiyTtV80ZMzZlLIJ3gaJJlG4DjitFuFcjv8sOmviFjkn1kOjkAz1nKgsCiHvvg
+fcJlYPrtLfle9SzvZ3MTq4ob+/EFu9nt5bYYs7p7Br1TGWctUw98l2mSn/FhfDBw
+9bb7ZhcKB7W6PGy2Os5AnkdTJKHoOQT+RmnHzPBhab0BoKuy8IhfW2GyqC8rL5Tm
+/UVLUvnx4Zzqz//3IyA2FTb1HQIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYD
+VR0OBBYEFE1VQk0XOEk9F5hPhBLHp0rncJcJMB8GA1UdIwQYMBaAFER4R6N3MQ1W
+l7gn+R8wwHloDCVZMA8GA1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYB
+BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggr
+BgEFBQcDCQYIKwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEB
+CwUAA4IBAQCbl7ed4p66G6WquxO7ceZFvYKn3kDErjCfXHcqHxBnA2xTpoZCGj95
+Qpirqo6N4UcLX5sn3CmgyVk0dYvlti/53FJgZ9XQDNxBuEYWPkY7vO+Uo0WdYpGz
+ZDNIUQpiPMA7bHvwKldTIs77xxtnw9kbBU2k0xQyb2tdZNfD5YqSI1MeUtpEpNFW
+sbC8+mQ3clzWpjF8eHH1fFSAmlJ+z1Uqmtt2FK0vRz+MQcpydwvpMnfqGdcwhGPQ
+X4HZreLObjBA8KUEkUB3+rZXuELBgkk/c8/jRZl7QF5jJDLQCCLg7KoYBKN2GuTt
+/dzeSnP7VZm/nTL8wpCvKgSOwOGgklf2
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/process_handshake/src/process_handshake_utests.c b/src/security/builtin_plugins/tests/process_handshake/src/process_handshake_utests.c
new file mode 100644
index 0000000..e717e54
--- /dev/null
+++ b/src/security/builtin_plugins/tests/process_handshake/src/process_handshake_utests.c
@@ -0,0 +1,2447 @@ + + +/* CUnit includes. */ +#include "common/src/handshake_helper.h" + +/* Test helper includes. */ +#include "common/src/loader.h" + +/* Private header include */ +#include "dds/security/dds_security_api.h" +#include "dds/security/core/dds_security_serialize.h" +#include "dds/security/core/dds_security_utils.h" +#include "dds/security/dds_security_api.h" +#include "dds/ddsrt/heap.h" +#include "dds/ddsrt/string.h" +#include "dds/ddsrt/endian.h" +#include +#include +#include "dds/ddsrt/environ.h" +#include "CUnit/CUnit.h" +#include "CUnit/Test.h" +#include "assert.h" + +#include +#include +#include +#include +#include + + +#include "dds/security/core/dds_security_serialize.h" +#include "dds/security/dds_security_api.h" +#include "dds/security/core/dds_security_utils.h" + +#define HANDSHAKE_SIGNATURE_SIZE 6 + +#if DDSRT_ENDIAN == DDSRT_LITTLE_ENDIAN +static unsigned bswap4u (unsigned x) +{ + return (x >> 24) | ((x >> 8) & 0xff00) | ((x << 8) & 0xff0000) | (x << 24); +} +#define toBE4u(x) bswap4u (x) +#define fromBE4u(x) bswap4u (x) +#else +#define toBE4u(x) (x) +#define fromBE4u(x) (x) +#endif + + +static const char * AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0"; +static const char * PERM_ACCESS_CLASS_ID = "DDS:Access:Permissions:1.0"; + +static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca"; +static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key"; +static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate"; +static const char * PROPERTY_TRUSTED_CA_DIR = "dds.sec.auth.trusted_ca_dir"; + +static const char * PROPERTY_CERT_SUBJECT_NAME = "dds.cert.sn"; +static const char * PROPERTY_CERT_ALGORITHM = "dds.cert.algo"; +static const char * PROPERTY_CA_SUBJECT_NAME = "dds.ca.sn"; +static const char * PROPERTY_CA_ALGORITHM = "dds.ca.aglo"; + +static const char * PROPERTY_PERM_CA_SUBJECT_NAME = "ds.perm_ca.sn"; + +static const char * SUBJECT_NAME_IDENTITY_CERT = "CN=CHAM-574 client,O=Some 
Company,ST=Some-State,C=NL"; +static const char * SUBJECT_NAME_IDENTITY_CA = "CN=CHAM-574 authority,O=Some Company,ST=Some-State,C=NL"; + +static const char * RSA_2048_ALGORITHM_NAME = "RSA-2048"; + +static const char * AUTH_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+AuthReq"; +static const char * AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME = "future_challenge"; + +static const char * AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Req"; +static const char * AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Reply"; +static const char * AUTH_HANDSHAKE_FINAL_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Final"; + +typedef enum { + HANDSHAKE_REQUEST, + HANDSHAKE_REPLY, + HANDSHAKE_FINAL +} HandshakeStep_t; + + +struct octet_seq { + unsigned char *data; + uint32_t length; +}; + +static const char * AUTH_DSIGN_ALGO_RSA_NAME = "RSASSA-PSS-SHA256"; +static const char * AUTH_KAGREE_ALGO_RSA_NAME = "DH+MODP-2048-256"; +static const char * AUTH_KAGREE_ALGO_ECDH_NAME = "ECDH+prime256v1-CEUM"; + + + +static const char *identity_certificate = + +"data:,-----BEGIN CERTIFICATE-----\n" +"MIIDYDCCAkigAwIBAgIBBDANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" +"MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" +"aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" +"Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowdTELMAkGA1UEBhMC\n" +"TkwxCzAJBgNVBAgTAk9WMRAwDgYDVQQKEwdBRExpbmsgMREwDwYDVQQLEwhJU1Qg\n" +"VGVzdDETMBEGA1UEAxMKQWxpY2UgVGVzdDEfMB0GCSqGSIb3DQEJARYQYWxpY2VA\n" +"YWRsaW5rLmlzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANBW+tEZ\n" +"Baw7EQCEXyzH9n7IkZ8PQIKe8hG1LAOGYOF/oUYQZJO/HxbWoC4rFqOC20+A6is6\n" +"kFwr1Zzp/Wurk9CrFXo5Nomi6ActH6LUM57nYqN68w6U38z/XkQxVY/ESZ5dySfD\n" +"9Q1C8R+zdE8gwbimdYmwX7ioz336nghM2CoAHPDRthQeJupl8x4V7isOltr9CGx8\n" +"+imJXbGr39OK6u87cNLeu23sUkOIC0lSRMIqIQK3oJtHS70J2qecXdqp9MhE7Xky\n" +"/GPlI8ptQ1gJ8A3cAOvtI9mtMJMszs2EKWTLfeTcmfJHKKhKjvCgDdh3Jan4x5YP\n" 
+"Yg7HG6H+ceOUkMMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAkvuqZzyJ3Nu4/Eo5\n" +"kD0nVgYGBUl7cspu+636q39zPSrxLEDMUWz+u8oXLpyGcgiZ8lZulPTV8dmOn+3C\n" +"Vg55c5C+gbnbX3MDyb3wB17296RmxYf6YNul4sFOmj6+g2i+Dw9WH0PBCVKbA84F\n" +"jR3Gx2Pfoifor3DvT0YFSsjNIRt090u4dQglbIb6cWEafC7O24t5jFhGPvJ7L9SE\n" +"gB0Drh/HmKTVuaqaRkoOKkKaKuWoXsszK1ZFda1DHommnR5LpYPsDRQ2fVM4EuBF\n" +"By03727uneuG8HLuNcLEV9H0i7LxtyfFkyCPUQvWG5jehb7xPOz/Ml26NAwwjlTJ\n" +"xEEFrw==\n" +"-----END CERTIFICATE-----\n"; + + +static const char *identity_ca = +"data:,-----BEGIN CERTIFICATE-----\n" +"MIIEKTCCAxGgAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" +"MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" +"aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" +"Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcjELMAkGA1UEBhMC\n" +"TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ\n" +"ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0\n" +"ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANa/ENFfGVXg\n" +"bPLTzBdDfiZQcp5dWZ//Pb8ErFOJu8uosVHFv8t69dgjHgNHB4OsjmjnR7GfKUZT\n" +"0cMvWJnjsC7DDlBwFET9rj4k40n96bbVCH9I7+tNhsoqzc6Eu+5h4sk7VfNGTM2Z\n" +"SyCd4GiSZRuA44rRbhXI7/LDpr4hY5J9ZDo5AM9ZyoLAoh774H3CZWD67S35XvUs\n" +"72dzE6uKG/vxBbvZ7eW2GLO6ewa9UxlnLVMPfJdpkp/xYXwwcPW2+2YXCge1ujxs\n" +"tjrOQJ5HUySh6DkE/kZpx8zwYWm9AaCrsvCIX1thsqgvKy+U5v1FS1L58eGc6s//\n" +"9yMgNhU29R0CAwEAAaOByTCBxjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRNVUJN\n" +"FzhJPReYT4QSx6dK53CXCTAfBgNVHSMEGDAWgBRNVUJNFzhJPReYT4QSx6dK53CX\n" +"CTAPBgNVHQ8BAf8EBQMDB/+AMGUGA1UdJQEB/wRbMFkGCCsGAQUFBwMBBggrBgEF\n" +"BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkGCCsG\n" +"AQUFBwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAcOLF\n" +"ZYdJguj0uxeXB8v3xnUr1AWz9+gwg0URdfNLU2KvF2lsb/uznv6168b3/FcPgezN\n" +"Ihl9GqB+RvGwgXS/1UelCGbQiIUdsNxk246P4uOGPIyW32RoJcYPWZcpY+cw11tQ\n" +"NOnk994Y5/8ad1DmcxVLLqq5kwpXGWQufV1zOONq8B+mCvcVAmM4vkyF/de56Lwa\n" 
+"sAMpk1p77uhaDnuq2lIR4q3QHX2wGctFid5Q375DRscFQteY01r/dtwBBrMn0wuL\n" +"AMNx9ZGD+zAoOUaslpIlEQ+keAxk3jgGMWFMxF81YfhEnXzevSQXWpyek86XUyFL\n" +"O9IAQi5pa15gXjSbUg==\n" +"-----END CERTIFICATE-----\n"; + +static const char *remote_identity_certificate = +"-----BEGIN CERTIFICATE-----\n" +"MIIDcDCCAligAwIBAgIBBTANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" +"MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" +"aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" +"Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcDELMAkGA1UEBhMC\n" +"TkwxCzAJBgNVBAgTAk9WMQ8wDQYDVQQKEwZBRExpbmsxETAPBgNVBAsTCElTVCBU\n" +"ZXN0MREwDwYDVQQDEwhCb2IgVGVzdDEdMBsGCSqGSIb3DQEJARYOYm9iQGFkbGlu\n" +"ay5pc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB5vqhuWnwhxXZ\n" +"qffPmfjzge7w91oX4ISlboIfBXp3sLj2mqLSsYhgBNJAn/Fl1OZeFw0d4gVibBgx\n" +"5Zdcjsi+ClvYK8H534iTJfNriMyhg4kSWxZF1Tixfw3FS7LqjKEY5ZNPfp5a4P+8\n" +"UveorYJusrnlv1DiF6aPhJQh8J62J6bhx62DNLO7dZbN0BUsnWtyDcfi5DOjf2/r\n" +"3lSRfecn3uBr1QYRaS5FrV+MSoGcjI3M75mei1TTUp7YT4ZWRR5rKUMql605xsms\n" +"d6sqJaKofYmw7wCuaVJ86pb/w8srdddKt21xUeQNMKn49H6raezMOE3U5BUMtZ+P\n" +"2OBLk/CPAgMBAAGjEzARMA8GA1UdDwEB/wQFAwMH/4AwDQYJKoZIhvcNAQELBQAD\n" +"ggEBAJV71Ckf1zsks5mJXqdUb8bTVHg4hN32pwjCL5c6W2XHAv+YHwE/fN3C1VIY\n" +"bC8zjUC9dCOyC2AvOQyZQ1eC/WoK6FlXjHVX2upL4lXQ9WL9ztt1mgdRrhvUPuUn\n" +"aBE8VgNU0t4jl93xMIaU8hB0kQsV+kdcN0cWbrF3mT4s9njRvopJ8hS2UE60V2wA\n" +"ceUOazH+QGPh1k0jkynrTlVR9GrpebQwZ2UFeinVO0km17IAyQkz+OmPc4jQLJMl\n" +"CmkbmMwowdLMKC6r/HyE87dN7NvFnRM5iByJklRwN7WDYZrl72HoUOlgTZ7PjW2G\n" +"jTxK8xXtDCXC/3CNpe0YFnOga8g=\n" +"-----END CERTIFICATE-----\n"; + + +static const char *private_key = + +"data:,-----BEGIN RSA PRIVATE KEY-----\n" +"MIIEowIBAAKCAQEA0Fb60RkFrDsRAIRfLMf2fsiRnw9Agp7yEbUsA4Zg4X+hRhBk\n" +"k78fFtagLisWo4LbT4DqKzqQXCvVnOn9a6uT0KsVejk2iaLoBy0fotQznudio3rz\n" +"DpTfzP9eRDFVj8RJnl3JJ8P1DULxH7N0TyDBuKZ1ibBfuKjPffqeCEzYKgAc8NG2\n" +"FB4m6mXzHhXuKw6W2v0IbHz6KYldsavf04rq7ztw0t67bexSQ4gLSVJEwiohAreg\n" 
+"m0dLvQnap5xd2qn0yETteTL8Y+Ujym1DWAnwDdwA6+0j2a0wkyzOzYQpZMt95NyZ\n" +"8kcoqEqO8KAN2HclqfjHlg9iDscbof5x45SQwwIDAQABAoIBAG0dYPeqd0IhHWJ7\n" +"8azufbchLMN1pX/D51xG2uptssfnpHuhkkufSZUYi4QipRS2ME6PYhWJ8pmTi6lH\n" +"E6cUkbI0KGd/F4U2gPdhNrR9Fxwea5bbifkVF7Gx/ZkRjZJiZ3w9+mCNTQbJDKhh\n" +"wITAzzT6WYznhvqbzzBX1fTa6kv0GAQtX7aHKM+XIwkhX2gzU5TU80bvH8aMrT05\n" +"tAMGQqkUeRnpo0yucBl4VmTZzd/+X/d2UyXR0my15jE5iH5o+p+E6qTRE9D+MGUd\n" +"MQ6Ftj0Untqy1lcog1ZLL6zPlnwcD4jgY5VCYDgvabnrSwymOJapPLsAEdWdq+U5\n" +"ec44BMECgYEA/+3qPUrd4XxA517qO3fCGBvf2Gkr7w5ZDeATOTHGuD8QZeK0nxPl\n" +"CWhRjdgkqo0fyf1cjczL5XgYayo+YxkO1Z4RUU+8lJAHlVx9izOQo+MTQfkwH4BK\n" +"LYlHxMoHJwAOXXoE+dmBaDh5xT0mDUGU750r763L6EFovE4qRBn9hxkCgYEA0GWz\n" +"rpOPNxb419WxG9npoQYdCZ5IbmEOGDH3ReggVzWHmW8sqtkqTZm5srcyDpqAc1Gu\n" +"paUveMblEBbU+NFJjLWOfwB5PCp8jsrqRgCQSxolShiVkc3Vu3oyzMus9PDge1eo\n" +"9mwVGO7ojQKWRu/WVAakENPaAjeyyhv4dqSNnjsCgYEAlwe8yszqoY1k8+U0T0G+\n" +"HeIdOCXgkmOiNCj+zyrLvaEhuS6PLq1b5TBVqGJcSPWdQ+MrglbQIKu9pUg5ptt7\n" +"wJ5WU+i9PeK9Ruxc/g/BFKYFkFJQjtZzb+nqm3wpul8zGwDN/O/ZiTqCyd3rHbmM\n" +"/dZ/viKPCZHIEBAEq0m3LskCgYBndzcAo+5k8ZjWwBfQth5SfhCIp/daJgGzbYtR\n" +"P/BenAsY2KOap3tjT8Fsw5usuHSxzIojX6H0Gvu7Qzq11mLn43Q+BeQrRQTWeFRc\n" +"MQdy4iZFZXNNEp7dF8yE9VKHwdgSJPGUdxD6chMvf2tRCN6mlS171VLV6wVvZvez\n" +"H/vX5QKBgD2Dq/NHpjCpAsECP9awmNF5Akn5WJbRGmegwXIih2mOtgtYYDeuQyxY\n" +"ZCrdJFfIUjUVPagshEmUklKhkYMYpzy2PQDVtaVcm6UNFroxT5h+J+KDs1LN1H8G\n" +"LsASrzyAg8EpRulwXEfLrWKiu9DKv8bMEgO4Ovgz8zTKJZIFhcac\n" +"-----END RSA PRIVATE KEY-----\n"; + + +static char *remote_private_key = +"-----BEGIN RSA PRIVATE KEY-----\n" +"MIIEowIBAAKCAQEAweb6oblp8IcV2an3z5n484Hu8PdaF+CEpW6CHwV6d7C49pqi\n" +"0rGIYATSQJ/xZdTmXhcNHeIFYmwYMeWXXI7Ivgpb2CvB+d+IkyXza4jMoYOJElsW\n" +"RdU4sX8NxUuy6oyhGOWTT36eWuD/vFL3qK2CbrK55b9Q4hemj4SUIfCetiem4cet\n" +"gzSzu3WWzdAVLJ1rcg3H4uQzo39v695UkX3nJ97ga9UGEWkuRa1fjEqBnIyNzO+Z\n" +"notU01Ke2E+GVkUeaylDKpetOcbJrHerKiWiqH2JsO8ArmlSfOqW/8PLK3XXSrdt\n" +"cVHkDTCp+PR+q2nszDhN1OQVDLWfj9jgS5PwjwIDAQABAoIBAHfgWhED9VgL29le\n" 
+"uGMzmPLK4LM+6Qcb+kXghTeyhl1a928WeRVzRpG+SVJEz9QaBHYlICnaY2PO2kJ2\n" +"49YIPFkpRFDn9JuLs/7tFonj4Eb2cBbWE3YG9W7e0t+oBiv1117yB9m8uSAMPG7s\n" +"iEpTQvE3M7CzT8kHwCS4XXCCN0z7LqKyZ1heScjdfhV3D2TnFFjdtQ/9KfQa3hIc\n" +"6ftbpi4EKbfasspyqfrJ/cqjHzse9iEXLOZJhs+atBAKe/uJ4Hc3LRPbX4MPniAp\n" +"JJrldXFK9p+HILlbXvu+5n+DSGbZmT1x9a/E9suGyoJiASDH2Ax4yCVTi+v8C1R2\n" +"aKdU1LkCgYEA/3dFuM6zIHwiJ0GKT0gtJL6J3m+i51SNcRIm8deXt6HULMpUNajj\n" +"vZ1bgQm/h+uRBlPV3swkaVxvPTIabOTY4gmCBSzvVCSIAKHVc/+5Nkl9KruwSq4G\n" +"tctmXZ7ymMDi+6QGCJTJkAx6jptXyrzC00HOjXOwyQ+iDipqgr3A8FsCgYEAwk7B\n" +"2/hi569EIHFRT6nz/JMqQVPZ/MJDKoKhffTbnjQ5OAzpiVN6cyThMM1iVJEBFNhx\n" +"OEacy60Qj0TtR1oYrQSRSLm58TTxiuB4Pohbmg3iU+kSM/eTq/ups/Ul1oCs2eAb\n" +"POfweD3c4d4i7sN8bUNQXehiE4MOlK9TYQy39t0CgYAJht0mwy6S644qgJsz0bE9\n" +"SY3Cqc8daV3M9axWIIAb7QEImpMBXUcA7zlWWpK18ub5oW68XEiPVU8grRmnLfGY\n" +"nFoo70ANlz8rJt3a8ZJqn9r3GQC+CDdf2DH9E8xgPfE5CSjgcQwDPzPi1ZA0k02A\n" +"q1eUltfk55xXguVt8r2bOQKBgQC7+kldr1yv20VDRZ1uPnMGRLE6Zg6bkqw78gid\n" +"vEbDNK6uZP+BlTr/LgyVk/yu52Fucz6FPPrvqEw+7mXHA4ifya1r+BHFIn0S57os\n" +"dOp5jTkKCI9NqxQ3683vhRjH/dA7L63qLFDdYqvP74FID+LOKbMURn6rdbyjZ0J4\n" +"vz8yGQKBgHIzcKlQosRxf+KptOPMGRs30L9PnH+sNmTo2SmEzAGkBkt1msGRh/2l\n" +"uT3hOEhUXL9knRyXwQSXgrIwr9QwI5rGS5FAgX26TgBtPBDs2NuyyhhS5yxsiEPT\n" +"BR+EjQFW9dzRkpRJgvsG4DcNAhFn7fQqFNcWXgFWuBXmGNkdtEGR\n" +"-----END RSA PRIVATE KEY-----"; + +static const char *unrelated_identity = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIDpDCCAoygAwIBAgIJALE5lRKfYHAaMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV\n" + "BAYTAk5MMRMwEQYDVQQIDApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8w\n" + "DQYDVQQKDAZBRExJTksxGDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTAeFw0xODAy\n" + "MDkxNjIwNDNaFw0zODAyMDQxNjIwNDNaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI\n" + "DApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8wDQYDVQQKDAZBRExJTksx\n" + "GDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n" + "ADCCAQoCggEBAN9/NbpJDHQYHh3cEByRxnHffxEe9Sapn08Ty5xYO8LDJ4V7vU32\n" + 
"/7291fITiHaovOoCRHAbKTaTtqJO56aGY45HON6KIqxljLQJJVGW/Nf2PNSHmFix\n" + "6D6bsoSOTPyKYqBNT6lB7NMn4QBTcsiE61El8p9WLQZHoYQJK5Psf7wkBqGBz8he\n" + "bcDWXFn7kIgnsaLrh77w2wi/y0MqpPwyeRInoZfYknzVNdxCPgq7csBYDoMgOgkV\n" + "G60ECXojHKz1HI4n0V8L8lZluSSVRNR0xvPFgBqO7b+Re7xb6iO9TNsFeoiMMNyp\n" + "EwM99CqPO0RRrAPiC7IDgcNGjxhne9EJFGsCAwEAAaNjMGEwHQYDVR0OBBYEFCst\n" + "gj5Ecm3HU/N7wxJluFo5+6XUMB8GA1UdIwQYMBaAFCstgj5Ecm3HU/N7wxJluFo5\n" + "+6XUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB\n" + "CwUAA4IBAQCWibvYuPLpoNcsUdHbE7SnBbEQnDfBxBZN8xeWHwwAPEB+8eHhmIdZ\n" + "xDtCN61xr5QR+KzlEYFwKyHMp9GN3OPU1RndJrzaXz2ddAZVkBIvnQZ4JvFd+sBC\n" + "QQgEvL8GcwZPxnad/TRylM4ON3Kh0X9vfyrmWEoHephiE1LcENaFqcYr9xg3DJNh\n" + "XSrigMGZJ7IOHkvgaoneICOcYI42ZHS0fnt1G+01VKJXm3ndi5NL25GnOmlvV6yV\n" + "+1vcmdQc6YS8K8vHmrH4lX9iPfsOak6WSzzsXdqgpvyxtGJggcFaDTtmbWCAkJj0\n" + "B7DMeaVlLClGQaKZZ7aexEx9se+IyLn2\n" + "-----END CERTIFICATE-----\n"; + + +static const char *remote_identity_trusted = + "-----BEGIN CERTIFICATE-----\n" + "MIIDcDCCAligAwIBAgIBBTANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" + "MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" + "aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" + "Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcDELMAkGA1UEBhMC\n" + "TkwxCzAJBgNVBAgTAk9WMQ8wDQYDVQQKEwZBRExpbmsxETAPBgNVBAsTCElTVCBU\n" + "ZXN0MREwDwYDVQQDEwhCb2IgVGVzdDEdMBsGCSqGSIb3DQEJARYOYm9iQGFkbGlu\n" + "ay5pc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB5vqhuWnwhxXZ\n" + "qffPmfjzge7w91oX4ISlboIfBXp3sLj2mqLSsYhgBNJAn/Fl1OZeFw0d4gVibBgx\n" + "5Zdcjsi+ClvYK8H534iTJfNriMyhg4kSWxZF1Tixfw3FS7LqjKEY5ZNPfp5a4P+8\n" + "UveorYJusrnlv1DiF6aPhJQh8J62J6bhx62DNLO7dZbN0BUsnWtyDcfi5DOjf2/r\n" + "3lSRfecn3uBr1QYRaS5FrV+MSoGcjI3M75mei1TTUp7YT4ZWRR5rKUMql605xsms\n" + "d6sqJaKofYmw7wCuaVJ86pb/w8srdddKt21xUeQNMKn49H6raezMOE3U5BUMtZ+P\n" + "2OBLk/CPAgMBAAGjEzARMA8GA1UdDwEB/wQFAwMH/4AwDQYJKoZIhvcNAQELBQAD\n" + "ggEBAJV71Ckf1zsks5mJXqdUb8bTVHg4hN32pwjCL5c6W2XHAv+YHwE/fN3C1VIY\n" 
+ "bC8zjUC9dCOyC2AvOQyZQ1eC/WoK6FlXjHVX2upL4lXQ9WL9ztt1mgdRrhvUPuUn\n" + "aBE8VgNU0t4jl93xMIaU8hB0kQsV+kdcN0cWbrF3mT4s9njRvopJ8hS2UE60V2wA\n" + "ceUOazH+QGPh1k0jkynrTlVR9GrpebQwZ2UFeinVO0km17IAyQkz+OmPc4jQLJMl\n" + "CmkbmMwowdLMKC6r/HyE87dN7NvFnRM5iByJklRwN7WDYZrl72HoUOlgTZ7PjW2G\n" + "jTxK8xXtDCXC/3CNpe0YFnOga8g=\n" + "-----END CERTIFICATE-----\n"; + +static const char *remote_identity_untrusted = + "-----BEGIN CERTIFICATE-----\n" + "MIIELTCCAxWgAwIBAgIBATANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJOTDEL\n" + "MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGzAZBgNVBAMTEkJvYiBU\n" + "ZXN0IFVudHJ1c3RlZDEmMCQGCSqGSIb3DQEJARYXaW5mb0Bpc3QuYWRsaW5rdGVj\n" + "aC5jb20wHhcNMTgwNjIwMDAwMDAwWhcNMjcwNjE5MjM1OTU5WjB0MQswCQYDVQQG\n" + "EwJOTDELMAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGzAZBgNVBAMT\n" + "EkJvYiBUZXN0IFVudHJ1c3RlZDEmMCQGCSqGSIb3DQEJARYXaW5mb0Bpc3QuYWRs\n" + "aW5rdGVjaC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB5vqh\n" + "uWnwhxXZqffPmfjzge7w91oX4ISlboIfBXp3sLj2mqLSsYhgBNJAn/Fl1OZeFw0d\n" + "4gVibBgx5Zdcjsi+ClvYK8H534iTJfNriMyhg4kSWxZF1Tixfw3FS7LqjKEY5ZNP\n" + "fp5a4P+8UveorYJusrnlv1DiF6aPhJQh8J62J6bhx62DNLO7dZbN0BUsnWtyDcfi\n" + "5DOjf2/r3lSRfecn3uBr1QYRaS5FrV+MSoGcjI3M75mei1TTUp7YT4ZWRR5rKUMq\n" + "l605xsmsd6sqJaKofYmw7wCuaVJ86pb/w8srdddKt21xUeQNMKn49H6raezMOE3U\n" + "5BUMtZ+P2OBLk/CPAgMBAAGjgckwgcYwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU\n" + "QpxLPHT5o/GQRwdBw2scINXnWlUwHwYDVR0jBBgwFoAUQpxLPHT5o/GQRwdBw2sc\n" + "INXnWlUwDwYDVR0PAQH/BAUDAwf/gDBlBgNVHSUBAf8EWzBZBggrBgEFBQcDAQYI\n" + "KwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJ\n" + "BggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEB\n" + "ABcyab7F7OAsjUSW0YWkVRX1SUMkW25xLLs8koXhHrdnBqgnmOur0xO72/fmTTX9\n" + "KnCUmQj+dAOmmZrAaIZzqLtMyp4ibHZPfOBwmM0MFnyuwyEnCEYvjPN3FTB0HEgS\n" + "vCoFH1001LVi4oC1mEMxYaNW4/5Tgl+DTqGF+tctJe3hvbxh+Uu5M0320VAvASjt\n" + "cJ0me6Ug1FJJ60tgXgZ+M/8V6AXhrQGNgN6WkPMFbbLi5IyEld186QPeLdZ8vCtz\n" + "StjIV9HZGR1XLotlXarbjVtjxavZJjtwiySeYkAgG7Zjy7LalPSJiIdAD3R/ny+S\n" + 
"9kXDKiw/HgYxb8xiy9gdlSc=\n" + "-----END CERTIFICATE-----\n"; + + +static const char *remote_identity_trusted_expired = + "-----BEGIN CERTIFICATE-----\n" + "MIIEKTCCAxGgAwIBAgIBBjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" + "MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" + "aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" + "Y29tMB4XDTE4MDMwMTAwMDAwMFoXDTE4MDQyMzIzNTk1OVowcjELMAkGA1UEBhMC\n" + "TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBC\n" + "b2IgVGVzdCBFeHBpcmVkMSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0\n" + "ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMHm+qG5afCH\n" + "Fdmp98+Z+POB7vD3WhfghKVugh8FenewuPaaotKxiGAE0kCf8WXU5l4XDR3iBWJs\n" + "GDHll1yOyL4KW9grwfnfiJMl82uIzKGDiRJbFkXVOLF/DcVLsuqMoRjlk09+nlrg\n" + "/7xS96itgm6yueW/UOIXpo+ElCHwnrYnpuHHrYM0s7t1ls3QFSyda3INx+LkM6N/\n" + "b+veVJF95yfe4GvVBhFpLkWtX4xKgZyMjczvmZ6LVNNSnthPhlZFHmspQyqXrTnG\n" + "yax3qyoloqh9ibDvAK5pUnzqlv/Dyyt110q3bXFR5A0wqfj0fqtp7Mw4TdTkFQy1\n" + "n4/Y4EuT8I8CAwEAAaOByTCBxjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRCnEs8\n" + "dPmj8ZBHB0HDaxwg1edaVTAfBgNVHSMEGDAWgBRNVUJNFzhJPReYT4QSx6dK53CX\n" + "CTAPBgNVHQ8BAf8EBQMDB/+AMGUGA1UdJQEB/wRbMFkGCCsGAQUFBwMBBggrBgEF\n" + "BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkGCCsG\n" + "AQUFBwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAdY5n\n" + "5ElOhpHq/YPWUs68t8HNIhqfokqjLZAgzNyU5QFppb9tPpmFCugerfjlScNwp5HB\n" + "X6/WjK4runDrgzXfmrBogR4Kscb1KJSm8KAmnzXVUNr1iyASlHxI7241kYdQvTH2\n" + "LL6b0kjsD5lKAnNh4id0SDHfy/CKg5d7dUxxO1mX48jUiIZtmFqgjej8tFLHy/w/\n" + "usI5ErlI0qzI6lkoRxPCEWLbXWeBDm3/smHeDbYa/+Lw4Bid8U1+ZSAuC1CT7a7F\n" + "O3gAjPUL0jzRztp5Yj3dYPV8YyJHLEKr75IXNedV9YKhT4f6kTS3UEjMTqYbYsix\n" + "MtqgY283RjsExzjNvw==\n" + "-----END CERTIFICATE-----\n"; + +static struct plugins_hdl *plugins = NULL; +static dds_security_authentication *auth = NULL; +static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_IdentityHandle 
remote_identity_handle1 = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_IdentityHandle remote_identity_handle2 = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_AuthRequestMessageToken g_local_auth_request_token = DDS_SECURITY_TOKEN_INIT; +static DDS_Security_AuthRequestMessageToken g_remote_auth_request_token = DDS_SECURITY_TOKEN_INIT; +static const DDS_Security_BinaryProperty_t *challenge1_predefined_glb = NULL; +static const DDS_Security_BinaryProperty_t *challenge2_predefined_glb = NULL; +static DDS_Security_OctetSeq serialized_participant_data = DDS_SECURITY_SEQUENCE_INIT; +static DDS_Security_ParticipantBuiltinTopicData *remote_participant_data1 = NULL; +static DDS_Security_ParticipantBuiltinTopicData *remote_participant_data2 = NULL; +static DDS_Security_ParticipantBuiltinTopicData *remote_participant_data3 = NULL; +static DDS_Security_GUID_t candidate_participant_guid; +static DDS_Security_GUID_t remote_participant_guid1; +static DDS_Security_GUID_t remote_participant_guid2; + +static EVP_PKEY *dh_modp_key = NULL; +static EVP_PKEY *dh_ecdh_key = NULL; +static struct octet_seq dh_modp_pub_key = {NULL, 0}; +static struct octet_seq dh_ecdh_pub_key = {NULL, 0}; +static struct octet_seq invalid_dh_pub_key = {NULL, 0}; + + +static void +octet_seq_init( + struct octet_seq *seq, + unsigned char *data, + uint32_t size) +{ + seq->data = ddsrt_malloc(size); + memcpy(seq->data, data, size); + seq->length = size; +} + +static void +octet_seq_deinit( + struct octet_seq *seq) +{ + ddsrt_free(seq->data); +} + +static void +serializer_participant_data( + DDS_Security_ParticipantBuiltinTopicData *pdata, + unsigned char **buffer, + size_t *size); + +static void +dds_security_property_init( + DDS_Security_PropertySeq *seq, + DDS_Security_unsigned_long size) +{ + seq->_length = size; + seq->_maximum = size; + seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t)); + memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t)); +} + +static void 
+dds_security_property_deinit(
+ DDS_Security_PropertySeq *seq)
+{
+ uint32_t i;
+
+ for (i = 0; i < seq->_length; i++) {
+ ddsrt_free(seq->_buffer[i].name);
+ ddsrt_free(seq->_buffer[i].value);
+ }
+ ddsrt_free(seq->_buffer);
+}
+
+static void
+reset_exception(
+ DDS_Security_SecurityException *ex)
+{
+ ex->minor_code = 0;
+ ex->code = 0;
+ ddsrt_free(ex->message);
+ ex->message = NULL;
+}
+
+static void
+initialize_identity_token(
+ DDS_Security_IdentityToken *token,
+ const char *certAlgo,
+ const char *caAlgo)
+{
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+ token->properties._maximum = 4;
+ token->properties._length = 4;
+ token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+
+ token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CERT);
+ token->properties._buffer[0].propagate = true;
+
+ token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM);
+ token->properties._buffer[1].value = ddsrt_strdup(certAlgo);
+ token->properties._buffer[1].propagate = true;
+
+ token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME);
+ token->properties._buffer[2].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA);
+ token->properties._buffer[2].propagate = true;
+
+ token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM);
+ token->properties._buffer[3].value = ddsrt_strdup(caAlgo);
+ token->properties._buffer[3].propagate = true;
+}
+
+static void
+initialize_permissions_token(
+ DDS_Security_PermissionsToken *token,
+ const char *caAlgo)
+{
+ token->class_id = ddsrt_strdup(PERM_ACCESS_CLASS_ID);
+ token->properties._length = 2;
+ token->properties._maximum = 2;
+ token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+ token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA);
+ token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_PERM_CA_SUBJECT_NAME);
+ token->properties._buffer[1].value = ddsrt_strdup(caAlgo);
+}
+
+
+
+static void
+fill_auth_request_token(
+ DDS_Security_AuthRequestMessageToken *token)
+{
+ uint32_t i;
+ uint32_t len = 32;
+ unsigned char *challenge;
+
+ challenge = ddsrt_malloc(len);
+
+ for (i = 0; i < len; i++) {
+ challenge[i] = (unsigned char)(0xFF - i);
+ }
+
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID);
+ token->binary_properties._maximum = 1;
+ token->binary_properties._length = 1;
+ token->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(1);
+ token->binary_properties._buffer->name = ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+
+ token->binary_properties._buffer->value._maximum = len;
+ token->binary_properties._buffer->value._length = len;
+ token->binary_properties._buffer->value._buffer = challenge;
+}
+
+
+static DDS_Security_BinaryProperty_t *
+find_binary_property(
+ DDS_Security_DataHolder *token,
+ const char *name)
+{
+ DDS_Security_BinaryProperty_t *result = NULL;
+ uint32_t i;
+
+ for (i = 0; i < token->binary_properties._length && !result; i++) {
+ if (token->binary_properties._buffer[i].name && (strcmp(token->binary_properties._buffer[i].name, name) == 0)) {
+ result = &token->binary_properties._buffer[i];
+ }
+ }
+
+ return result;
+}
+
+static void
+deinitialize_identity_token(
+ DDS_Security_IdentityToken *token)
+{
+ DDS_Security_DataHolder_deinit(token);
+}
+
+static int
+validate_local_identity(const char* trusted_ca_dir)
+{
+ int res = 0;
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GUID_t local_participant_guid;
+ DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+ DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1};
+ DDS_Security_ParticipantBuiltinTopicData *local_participant_data;
+ unsigned char *sdata;
+ size_t size;
+
+ memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ if( trusted_ca_dir != NULL){
+ char trusted_ca_dir_path[1024];
+ dds_security_property_init(&participant_qos.property.value, 4);
+#ifdef WIN32
+ snprintf(trusted_ca_dir_path, 1024, "%s\\testsuite\\dbt\\security_plugin\\tests\\validate_begin_handshake_reply\\etc\\%s", CONFIG_ENV_TESTS_DIR,trusted_ca_dir);
+#else
+ snprintf(trusted_ca_dir_path, 1024, "%s/validate_begin_handshake_reply/etc/%s", CONFIG_ENV_TESTS_DIR, trusted_ca_dir);
+#endif
+ participant_qos.property.value._buffer[3].name = ddsrt_strdup(PROPERTY_TRUSTED_CA_DIR);
+ participant_qos.property.value._buffer[3].value = ddsrt_strdup(trusted_ca_dir_path);
+ }
+ else{
+ dds_security_property_init(&participant_qos.property.value, 3);
+ }
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &local_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ res = -1;
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ local_participant_data = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&local_participant_data->key[0], &local_participant_guid, 12);
+ /* convert from big-endian format to native format */
+ local_participant_data->key[0] = fromBE4u(local_participant_data->key[0]);
+ local_participant_data->key[1] = fromBE4u(local_participant_data->key[1]);
+ local_participant_data->key[2] = fromBE4u(local_participant_data->key[2]);
+
+ initialize_identity_token(&local_participant_data->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&local_participant_data->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ local_participant_data->security_info.participant_security_attributes = 0x01;
+ local_participant_data->security_info.plugin_participant_security_attributes = 0x02;
+
+ serializer_participant_data(local_participant_data, &sdata, &size);
+
+ serialized_participant_data._length = serialized_participant_data._maximum = (DDS_Security_unsigned_long) size;
+ serialized_participant_data._buffer = sdata;
+
+ DDS_Security_ParticipantBuiltinTopicData_free(local_participant_data);
+
+ return res;
+}
+
+static void
+release_local_identity(void)
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ if (local_identity_handle != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ }
+
+ DDS_Security_OctetSeq_deinit(&serialized_participant_data);
+}
+
+static X509 *
+load_certificate(
+ const char *data)
+{
+ X509 *cert = NULL;
+ BIO *bio;
+
+ bio = BIO_new_mem_buf((void *) data, -1);
+ if (!bio) {
+ return NULL;
+ }
+
+ cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+
+ BIO_free(bio);
+
+ return cert;
+}
+
+static int
+get_adjusted_participant_guid(
+ X509 *cert,
+ const DDS_Security_GUID_t *candidate,
+ DDS_Security_GUID_t *adjusted)
+{
+ int result = 0;
+ unsigned char high[SHA256_DIGEST_LENGTH], low[SHA256_DIGEST_LENGTH];
+ unsigned char *subject;
+ DDS_Security_octet hb = 0x80;
+ X509_NAME *name;
+ unsigned char *tmp = NULL;
+ int i, sz;
+
+ name = X509_get_subject_name(cert);
+ sz = i2d_X509_NAME(name, &tmp);
+ if (sz > 0) {
+ subject = ddsrt_malloc( (size_t)sz);
+ memcpy(subject, tmp, (size_t)sz);
+ OPENSSL_free(tmp);
+
+ SHA256(subject, (size_t)sz, high);
+ SHA256(&candidate->prefix[0], sizeof(DDS_Security_GuidPrefix_t), low);
+
+ adjusted->entityId = candidate->entityId;
+ for (i = 0; i < 6; i++) {
+ adjusted->prefix[i] = hb | high[i]>>1;
+ hb = (DDS_Security_octet)(high[i]<<7);
+ }
+ for (i = 0; i < 6; i++) {
+ adjusted->prefix[i+6] = low[i];
+ }
+ ddsrt_free(subject);
+ result = 1;
+ }
+
+ return result;
+}
+
+static int
+create_dh_key_modp_2048(
+ EVP_PKEY **pkey)
+{
+ int r = 0;
+ EVP_PKEY *params = NULL;
+ EVP_PKEY_CTX *kctx = NULL;
+ DH *dh = NULL;
+
+ *pkey = NULL;
+
+ if ((params = EVP_PKEY_new()) == NULL) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to allocate EVP_PKEY: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if ((dh = DH_get_2048_256()) == NULL) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to allocate DH parameter: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_set1_DH(params, dh) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to set DH parameter to MODP_2048_256: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to allocate KEY context %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_keygen_init(kctx) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to initialize KEY context: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to generate :MODP_2048_256 keys %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ }
+
+ if (params) EVP_PKEY_free(params);
+ if (kctx) EVP_PKEY_CTX_free(kctx);
+ if (dh) DH_free(dh);
+
+ return r;
+}
+
+static int
+get_dh_public_key_modp_2048(
+ EVP_PKEY *pkey,
+ struct octet_seq *pubkey)
+{
+ int r = 0;
+ DH *dhkey;
+ unsigned char *buffer = NULL;
+ uint32_t size;
+ ASN1_INTEGER *asn1int;
+
+ dhkey = EVP_PKEY_get1_DH(pkey);
+ if (!dhkey) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to get DH key from PKEY: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ goto fail_get_dhkey;
+ }
+
+ asn1int = BN_to_ASN1_INTEGER( dh_get_public_key(dhkey) , NULL);
+ if (!asn1int) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to convert DH key to ASN1 integer: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ goto fail_get_pubkey;
+ }
+
+ size = (uint32_t) i2d_ASN1_INTEGER(asn1int, &buffer);
+ octet_seq_init(pubkey, buffer, size);
+
+ ASN1_INTEGER_free(asn1int);
+ OPENSSL_free(buffer);
+
+fail_get_pubkey:
+ DH_free(dhkey);
+fail_get_dhkey:
+ return r;
+}
+
+static int
+create_dh_key_ecdh(
+ EVP_PKEY **pkey)
+{
+ int r = 0;
+ EVP_PKEY *params = NULL;
+ EVP_PKEY_CTX *pctx = NULL;
+ EVP_PKEY_CTX *kctx = NULL;
+
+ *pkey = NULL;
+
+ if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to allocate DH parameter context: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_paramgen_init(pctx) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to initialize DH generation context: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to set DH generation parameter generation method: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_paramgen(pctx, ¶ms) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to generate DH parameters: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to allocate KEY context %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_keygen_init(kctx) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to initialize KEY context: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to generate :MODP_2048_256 keys %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ }
+
+ if (kctx) EVP_PKEY_CTX_free(kctx);
+ if (params) EVP_PKEY_free(params);
+ if (pctx) EVP_PKEY_CTX_free(pctx);
+
+ return r;
+}
+
+static int
+get_dh_public_key_ecdh(
+ EVP_PKEY *pkey,
+ struct octet_seq *pubkey)
+{
+ int r = 0;
+ EC_KEY *eckey = NULL;
+ const EC_GROUP *group = NULL;
+ const EC_POINT *point = NULL;
+ size_t sz;
+
+ if (!(eckey = EVP_PKEY_get1_EC_KEY(pkey))) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to get EC key from PKEY: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (!(point = EC_KEY_get0_public_key(eckey))) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to get public key from ECKEY: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (!(group = EC_KEY_get0_group(eckey))) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to get group from ECKEY: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if ((sz = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, NULL, 0, NULL)) != 0) {
+ pubkey->data = ddsrt_malloc(sz);
+ pubkey->length = (uint32_t) EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, pubkey->data, sz, NULL);
+ if (pubkey->length == 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to serialize public EC key: %s", msg);
+ ddsrt_free(msg);
+ octet_seq_deinit(pubkey);
+ r = -1;
+ }
+ } else {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to serialize public EC key: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ }
+
+ if (eckey) EC_KEY_free(eckey);
+
+ return r;
+}
+
+static int
+validate_remote_identities (const char *remote_id_certificate)
+{
+ int res = 0;
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityToken remote_identity_token;
+ static DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_GUID_t guid1;
+ DDS_Security_GUID_t guid2;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix1 = {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab};
+ DDS_Security_GuidPrefix_t prefix2 = {0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb};
+ DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1};
+ X509 *cert;
+
+ memcpy(&guid1.prefix, &prefix1, sizeof(prefix1));
+ memcpy(&guid1.entityId, &entityId, sizeof(entityId));
+ memcpy(&guid2.prefix, &prefix2, sizeof(prefix2));
+ memcpy(&guid2.entityId, &entityId, sizeof(entityId));
+
+ if (local_identity_handle == DDS_SECURITY_HANDLE_NIL) {
+ return -1;
+ }
+
+ cert = load_certificate(remote_id_certificate);
+ if (!cert) {
+ return -1;
+ }
+
+ if (!get_adjusted_participant_guid(cert, &guid1, &remote_participant_guid1)) {
+ X509_free(cert);
+ return -1;
+ }
+
+ if (!get_adjusted_participant_guid(cert, &guid2, &remote_participant_guid2)) {
+ X509_free(cert);
+ return -1;
+ }
+
+ X509_free(cert);
+
+ initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+
+ result = auth->validate_remote_identity(
+ auth,
+ &remote_identity_handle1,
+ &g_local_auth_request_token,
+ NULL,
+ local_identity_handle,
+ &remote_identity_token,
+ &remote_participant_guid1,
+ &exception);
+
+ if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) &&
+ (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) {
+ printf("validate_remote_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ reset_exception(&exception);
+
+ fill_auth_request_token(&g_remote_auth_request_token);
+
+ result = auth->validate_remote_identity(
+ auth,
+ &remote_identity_handle2,
+ &local_auth_request_token,
+ &g_remote_auth_request_token,
+ local_identity_handle,
+ &remote_identity_token,
+ &remote_participant_guid2,
+ &exception);
+
+ if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) &&
+ (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) {
+ printf("validate_remote_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ reset_exception(&exception);
+
+ deinitialize_identity_token(&remote_identity_token);
+ DDS_Security_DataHolder_deinit(&local_auth_request_token);
+
+ remote_participant_data1 = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&remote_participant_data1->key[0], &remote_participant_guid1, 12);
+ remote_participant_data1->key[0] = fromBE4u(remote_participant_data1->key[0]);
+ remote_participant_data1->key[1] = fromBE4u(remote_participant_data1->key[1]);
+ remote_participant_data1->key[2] = fromBE4u(remote_participant_data1->key[2]);
+
+ initialize_identity_token(&remote_participant_data1->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&remote_participant_data1->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ remote_participant_data1->security_info.participant_security_attributes = 0x01;
+ remote_participant_data1->security_info.plugin_participant_security_attributes = 0x02;
+
+ remote_participant_data2 = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&remote_participant_data2->key[0], &remote_participant_guid2, 12);
+ remote_participant_data2->key[0] = fromBE4u(remote_participant_data2->key[0]);
+ remote_participant_data2->key[1] = fromBE4u(remote_participant_data2->key[1]);
+ remote_participant_data2->key[2] = fromBE4u(remote_participant_data2->key[2]);
+
+ initialize_identity_token(&remote_participant_data2->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&remote_participant_data2->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ remote_participant_data2->security_info.participant_security_attributes = 0x01;
+ remote_participant_data2->security_info.plugin_participant_security_attributes = 0x02;
+
+ remote_participant_data3 = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&remote_participant_data3->key[0], &candidate_participant_guid, 12);
+
+ initialize_identity_token(&remote_participant_data3->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&remote_participant_data3->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ remote_participant_data2->security_info.participant_security_attributes = 0x01;
+ remote_participant_data2->security_info.plugin_participant_security_attributes = 0x02;
+
+ challenge1_predefined_glb = find_binary_property(&g_remote_auth_request_token, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+ challenge2_predefined_glb = challenge1_predefined_glb;
+
+ return res;
+}
+
+static void
+release_remote_identities(void)
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ if (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, remote_identity_handle1, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ }
+ if (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, remote_identity_handle2, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ }
+
+ DDS_Security_DataHolder_deinit(&g_local_auth_request_token);
+ DDS_Security_DataHolder_deinit(&g_remote_auth_request_token);
+
+ DDS_Security_ParticipantBuiltinTopicData_free(remote_participant_data1);
+ DDS_Security_ParticipantBuiltinTopicData_free(remote_participant_data2);
+ DDS_Security_ParticipantBuiltinTopicData_free(remote_participant_data3);
+}
+
+CU_Init(ddssec_builtin_process_handshake)
+{
+ int result = 0;
+
+ /* Only need the authentication plugin. */
+ plugins = load_plugins(NULL /* Access Control */,
+ &auth /* Authentication */,
+ NULL /* Cryptograpy */);
+ if (plugins) {
+ result = validate_local_identity( NULL );
+ if (result >= 0) {
+ result = validate_remote_identities( remote_identity_certificate );
+ }
+ if (result >= 0) {
+ result = create_dh_key_modp_2048(&dh_modp_key);
+ }
+ if (result >= 0) {
+ result = get_dh_public_key_modp_2048(dh_modp_key, &dh_modp_pub_key);
+ }
+ if (result >= 0) {
+ result = create_dh_key_ecdh(&dh_ecdh_key);
+ }
+ if (result >= 0) {
+ result = get_dh_public_key_ecdh(dh_ecdh_key, &dh_ecdh_pub_key);
+ }
+ if (result >= 0) {
+ octet_seq_init(&invalid_dh_pub_key, dh_modp_pub_key.data, dh_modp_pub_key.length);
+ invalid_dh_pub_key.data[0] = 0x08;
+ }
+ } else {
+ result = -1;
+ }
+
+
+ return result;
+}
+
+CU_Clean(ddssec_builtin_process_handshake)
+{
+ release_local_identity();
+ release_remote_identities();
+ unload_plugins(plugins);
+ octet_seq_deinit(&dh_modp_pub_key);
+ octet_seq_deinit(&dh_ecdh_pub_key);
+ octet_seq_deinit(&invalid_dh_pub_key);
+ if (dh_modp_key) {
+ EVP_PKEY_free(dh_modp_key);
+ }
+ if (dh_ecdh_key) {
+ EVP_PKEY_free(dh_ecdh_key);
+ }
+ return 0;
+}
+
+static bool
+compare_octet_seq(
+ const DDS_Security_OctetSeq *seq1,
+ const DDS_Security_OctetSeq *seq2)
+{
+ int r;
+ if (seq1 && seq2) {
+ r = (int)(seq2->_length - seq1->_length);
+ if (r == 0) {
+ r = memcmp(seq1->_buffer, seq2->_buffer, seq1->_length);
+ }
+ } else if (seq1 == seq2) {
+ r = 0;
+ } else {
+ r = (seq2 > seq1) ? 1 : -1;
+ }
+ return r;
+}
+
+static void
+serializer_participant_data(
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ unsigned char **buffer,
+ size_t *size)
+{
+ DDS_Security_Serializer serializer;
+ serializer = DDS_Security_Serializer_new(1024, 1024);
+
+ DDD_Security_Serialize_ParticipantBuiltinTopicData(serializer, pdata);
+ DDS_Security_Serializer_buffer(serializer, buffer, size);
+ DDS_Security_Serializer_free(serializer);
+}
+
+
+static void
+set_binary_property_value(
+ DDS_Security_BinaryProperty_t *bp,
+ const char *name,
+ const unsigned char *data,
+ uint32_t length)
+{
+ assert(bp);
+ assert(name);
+ assert(data);
+
+ bp->name = ddsrt_strdup(name);
+ bp->value._maximum = bp->value._length = length;
+ if (length) {
+ bp->value._buffer = ddsrt_malloc(length);
+ memcpy(bp->value._buffer, data, length);
+ } else {
+ bp->value._buffer = NULL;
+ }
+}
+
+static void
+set_binary_property_string(
+ DDS_Security_BinaryProperty_t *bp,
+ const char *name,
+ const char *data)
+{
+ uint32_t length;
+
+ assert(bp);
+ assert(name);
+ assert(data);
+
+ length = (uint32_t)strlen(data) + 1;
+ set_binary_property_value(bp, name, (const unsigned char *)data, length);
+}
+
+static void
+fill_handshake_message_token(
+ DDS_Security_HandshakeMessageToken *token,
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ const char *certificate,
+ const char *dsign,
+ const char *kagree,
+ const struct octet_seq *diffie_hellman1,
+ const unsigned char *challengeData,
+ unsigned int challengeDataSize,
+ const struct octet_seq *diffie_hellman2,
+ const unsigned char *challengeData2,
+ unsigned int challengeDataSize2,
+ const DDS_Security_BinaryProperty_t *hash1_from_request,
+ const DDS_Security_BinaryProperty_t *hash2_from_reply,
+ HandshakeStep_t step)
+{
+ DDS_Security_BinaryProperty_t *tokens;
+ DDS_Security_BinaryProperty_t *c_id;
+ DDS_Security_BinaryProperty_t *c_perm;
+ DDS_Security_BinaryProperty_t *c_pdata;
+ DDS_Security_BinaryProperty_t *c_dsign_algo;
+ DDS_Security_BinaryProperty_t *c_kagree_algo;
+ DDS_Security_BinaryProperty_t *hash_c1;
+ DDS_Security_BinaryProperty_t *hash_c2;
+ DDS_Security_BinaryProperty_t *dh1;
+ DDS_Security_BinaryProperty_t *dh2;
+ DDS_Security_BinaryProperty_t *challenge1;
+ DDS_Security_BinaryProperty_t *challenge2;
+ DDS_Security_BinaryProperty_t *signature;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ unsigned idx;
+ unsigned char *serialized_local_participant_data;
+ size_t serialized_local_participant_data_size;
+ /*unsigned hash[32];*/
+
+ switch( step )
+ {
+
+ case HANDSHAKE_REQUEST:
+ tokens = DDS_Security_BinaryPropertySeq_allocbuf(8);
+ c_id = &tokens[0];
+ c_perm = &tokens[1];
+ c_pdata = &tokens[2];
+ c_dsign_algo = &tokens[3];
+ c_kagree_algo = &tokens[4];
+ hash_c1 = &tokens[5];
+ dh1 = &tokens[6];
+ challenge1 = &tokens[7];
+
+ serializer_participant_data(pdata, &serialized_local_participant_data, &serialized_local_participant_data_size);
+
+ /* Store the Identity Certificate associated with the local identify in c.id property */
+ if (certificate) {
+ set_binary_property_string(c_id, "c.id", certificate);
+ } else {
+ set_binary_property_string(c_id, "c.idx", "rubbish");
+ }
+
+ /* Store the permission document in the c.perm property */
+ set_binary_property_string(c_perm, "c.perm", "permissions_document");
+
+ /* Store the provided local_participant_data in the c.pdata property */
+ set_binary_property_value(c_pdata, "c.pdata", serialized_local_participant_data, (uint32_t)serialized_local_participant_data_size);
+ ddsrt_free(serialized_local_participant_data);
+
+ /* Set the used signing algorithm descriptor in c.dsign_algo */
+ if (dsign) {
+ set_binary_property_string(c_dsign_algo, "c.dsign_algo", dsign);
+ } else {
+ set_binary_property_string(c_dsign_algo, "c.dsign_algox", "rubbish");
+ }
+
+ /* Set the used key algorithm descriptor in c.kagree_algo */
+ if (kagree) {
+ set_binary_property_string(c_kagree_algo, "c.kagree_algo", kagree);
+ } else {
+ set_binary_property_string(c_kagree_algo, "c.kagree_algox", "rubbish");
+ }
+
+ /* Calculate the hash_c1 */
+ {
+ DDS_Security_BinaryPropertySeq bseq;
+ DDS_Security_Serializer serializer;
+ unsigned char hash1_sentrequest_arr[32];
+ unsigned char *buffer;
+ size_t size;
+
+ bseq._length = bseq._maximum = 5;
+ bseq._buffer = tokens;
+
+ serializer = DDS_Security_Serializer_new(1024, 1024);
+
+ DDS_Security_Serialize_BinaryPropertySeq(serializer, &bseq);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+ SHA256(buffer, size, hash1_sentrequest_arr);
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+
+ set_binary_property_value(hash_c1, "hash_c1", hash1_sentrequest_arr, sizeof(hash1_sentrequest_arr));
+ }
+
+ /* Set the DH public key associated with the local participant in dh1 property */
+ if (diffie_hellman1) {
+ set_binary_property_value(dh1, "dh1", diffie_hellman1->data, diffie_hellman1->length);
+ } else {
+ set_binary_property_string(dh1, "dh1x", "rubbish");
+ }
+
+ /* Set the challenge in challenge1 property */
+ if (challengeData) {
+ set_binary_property_value(challenge1, "challenge1", challengeData, challengeDataSize);
+ } else {
+ set_binary_property_value(challenge1, "challenge1x", challenge1_predefined_glb->value._buffer, challenge1_predefined_glb->value._length);
+ }
+
+ token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID);
+ token->binary_properties._length = token->binary_properties._maximum = 8;
+ token->binary_properties._buffer = tokens;
+ break;
+
+ case HANDSHAKE_REPLY:
+ tokens = DDS_Security_BinaryPropertySeq_allocbuf(12);
+ idx = 0;
+ c_id = &tokens[idx++];
+ c_perm = &tokens[idx++];
+ c_pdata = &tokens[idx++];
+ c_dsign_algo = &tokens[idx++];
+ c_kagree_algo = &tokens[idx++];
+ hash_c2 = &tokens[idx++];
+ challenge2 = &tokens[idx++];
+ dh2 = &tokens[idx++];
+ challenge1 = &tokens[idx++];
+ dh1 = &tokens[idx++];
+ hash_c1 = &tokens[idx++] ;
+ signature = &tokens[idx++];
+
+ serializer_participant_data(pdata, &serialized_local_participant_data, &serialized_local_participant_data_size);
+
+ /* Store the Identity Certificate associated with the local identify in c.id property */
+ if (certificate) {
+ set_binary_property_string(c_id, "c.id", certificate);
+ } else {
+ set_binary_property_string(c_id, "c.idx", "rubbish");
+ }
+
+ /* Store the permission document in the c.perm property */
+ set_binary_property_string(c_perm, "c.perm", "permissions_document");
+
+ /* Store the provided local_participant_data in the c.pdata property */
+ set_binary_property_value(c_pdata, "c.pdata", serialized_local_participant_data, (uint32_t )serialized_local_participant_data_size);
+ ddsrt_free(serialized_local_participant_data);
+
+ /* Set the used signing algorithm descriptor in c.dsign_algo */
+ if (dsign) {
+ set_binary_property_string(c_dsign_algo, "c.dsign_algo", dsign);
+ } else {
+ set_binary_property_string(c_dsign_algo, "c.dsign_algox", "rubbish");
+ }
+
+ /* Set the used key algorithm descriptor in c.kagree_algo */
+ if (kagree) {
+ set_binary_property_string(c_kagree_algo, "c.kagree_algo", kagree);
+ } else {
+ set_binary_property_string(c_kagree_algo, "c.kagree_algox", "rubbish");
+ }
+
+ CU_ASSERT(hash1_from_request != NULL);
+
+ set_binary_property_value(hash_c1, "hash_c1", hash1_from_request->value._buffer, hash1_from_request->value._length);
+
+ /* Calculate the hash_c2 */
+ {
+ DDS_Security_BinaryPropertySeq bseq;
+ DDS_Security_Serializer serializer;
+ unsigned char hash2_sentreply_arr[32];
+ unsigned char *buffer;
+ size_t size;
+
+ bseq._length = bseq._maximum = 5;
+ bseq._buffer = tokens;
+
+ serializer = DDS_Security_Serializer_new(1024, 1024);
+
+ DDS_Security_Serialize_BinaryPropertySeq(serializer, &bseq);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+ SHA256(buffer, size, hash2_sentreply_arr);
+
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+
+ set_binary_property_value(hash_c2, "hash_c2", hash2_sentreply_arr, sizeof(hash2_sentreply_arr));
+ }
+
+ /* Set the challenge in challenge1 property */
+ if (challengeData) {
+ set_binary_property_value(challenge1, "challenge1", challengeData, challengeDataSize);
+ } else {
+ set_binary_property_value(challenge1, "challenge1x", challenge2->value._buffer, challenge2->value._length);
+ }
+
+ /* Set the challenge in challenge2 property */
+ if (challengeData2) {
+ set_binary_property_value(challenge2, "challenge2", challengeData2, challengeDataSize2);
+ } else {
+ set_binary_property_value(challenge2, "challenge2x", challenge2->value._buffer, challenge2->value._length);
+ }
+
+
+ /* Set the DH public key associated with the local participant in dh1 property */
+ if (diffie_hellman1) {
+ set_binary_property_value(dh1, "dh1", diffie_hellman1->data, diffie_hellman1->length);
+ } else {
+ set_binary_property_string(dh1, "dh1x", "rubbish");
+ }
+
+ /* Set the DH public key associated with the local participant in dh2 property */
+ if (diffie_hellman2) {
+ set_binary_property_value(dh2, "dh2", diffie_hellman2->data, diffie_hellman2->length);
+ } else {
+ set_binary_property_string(dh2, "dh2x", "rubbish");
+ }
+
+ /* Calculate the signature */
+ {
+ BIO *bio;
+ EVP_PKEY *private_key_x509;
+ unsigned char *sign;
+ size_t signlen;
+
+ const DDS_Security_BinaryProperty_t * binary_properties[ HANDSHAKE_SIGNATURE_SIZE ];
+
+ /* load certificate in buffer */
+ bio = BIO_new_mem_buf((const char *) remote_private_key, -1);
+ assert( bio );
+ private_key_x509 = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+ assert (private_key_x509 );
+
+ binary_properties[0] = hash_c2;
+ binary_properties[1] = challenge2;
+ binary_properties[2] = dh2;
+ binary_properties[3] = challenge1;
+ binary_properties[4] = dh1;
+ binary_properties[5] = hash_c1;
+
+ if (create_signature_for_test(private_key_x509, binary_properties, HANDSHAKE_SIGNATURE_SIZE , &sign, &signlen, &exception) != DDS_SECURITY_VALIDATION_OK)
+ {
+ printf("Exception: %s\n", exception.message);
+ }
+ set_binary_property_value(signature, "signature", sign, (uint32_t ) signlen);
+
+ ddsrt_free(sign);
+ EVP_PKEY_free(private_key_x509);
+ BIO_free(bio);
+ }
+
+ token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID);
+ token->binary_properties._length = token->binary_properties._maximum = 12;
+ token->binary_properties._buffer = tokens;
+ break;
+
+ case HANDSHAKE_FINAL:
+ tokens = DDS_Security_BinaryPropertySeq_allocbuf(7);
+ idx = 0;
+ signature = &tokens[idx++];
+ hash_c1 = &tokens[idx++];
+ challenge1 = &tokens[idx++];
+ dh1 = &tokens[idx++];
+ challenge2 = &tokens[idx++];
+ dh2 = &tokens[idx++];
+ hash_c2 = &tokens[idx++];
+
+ CU_ASSERT(hash1_from_request != NULL);
+ CU_ASSERT(hash2_from_reply != NULL);
+
+ set_binary_property_value(hash_c1, "hash_c1", hash1_from_request->value._buffer, hash1_from_request->value._length);
+ set_binary_property_value(hash_c2, "hash_c2", hash2_from_reply->value._buffer, hash2_from_reply->value._length);
+
+ printf("process: %s\n", hash_c1->name);
+
+ /* Set the challenge in challenge1 property */
+ if (challengeData) {
+ set_binary_property_value(challenge1, "challenge1", challengeData, challengeDataSize);
+ } else {
+ set_binary_property_value(challenge1, "challenge1x", challenge2->value._buffer, challenge2->value._length);
+ }
+
+ /* Set the challenge in challenge2 property */
+ if (challengeData2) {
+ set_binary_property_value(challenge2, "challenge2", challengeData2, challengeDataSize2);
+ } else {
+ set_binary_property_value(challenge2, "challenge2x", challenge2->value._buffer, challenge2->value._length);
+ }
+
+
+ /* Set the DH public key associated with the local participant in dh1 property */
+ if (diffie_hellman1) {
+ set_binary_property_value(dh1, "dh1", diffie_hellman1->data, diffie_hellman1->length);
+ } else {
+ set_binary_property_string(dh1, "dh1x", "rubbish");
+ }
+
+ /* Set the DH public key associated with the local participant in dh2 property */
+ if (diffie_hellman2) {
+ set_binary_property_value(dh2, "dh2", diffie_hellman2->data, diffie_hellman2->length);
+ } else {
+ set_binary_property_string(dh2, "dh2x", "rubbish");
+ }
+
+ /* Calculate the signature */
+ {
+ BIO *bio;
+ EVP_PKEY *private_key_x509;
+ unsigned char *sign;
+ size_t signlen;
+ const DDS_Security_BinaryProperty_t * binary_properties[ HANDSHAKE_SIGNATURE_SIZE ];
+
+ /* load certificate in buffer */
+ bio = BIO_new_mem_buf((const char *) remote_private_key, -1);
+ assert( bio );
+ private_key_x509 = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+ assert (private_key_x509 );
+
+ binary_properties[0] = hash_c1;
+ binary_properties[1] = challenge1;
+ binary_properties[2] = dh1;
+ binary_properties[3] = challenge2;
+ binary_properties[4] = dh2;
+ binary_properties[5] = hash_c2;
+
+ if (create_signature_for_test(private_key_x509, binary_properties, HANDSHAKE_SIGNATURE_SIZE, &sign, &signlen, &exception) != DDS_SECURITY_VALIDATION_OK)
+ {
+ printf("Exception: %s\n", exception.message);
+ }
+ set_binary_property_value(signature, "signature", sign, (uint32_t) signlen);
+
+ ddsrt_free(sign);
+ EVP_PKEY_free(private_key_x509);
+ BIO_free(bio);
+ }
+ token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_FINAL_TOKEN_CLASS_ID);
+ token->binary_properties._length = token->binary_properties._maximum = 7;
+ token->binary_properties._buffer = tokens;
+ break;
+ }
+}
+
+static void
+fill_handshake_message_token_default(
+ DDS_Security_HandshakeMessageToken *token,
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ const unsigned char *challengeData,
+ unsigned int challengeDataSize)
+{
+ fill_handshake_message_token(
+ token, pdata, remote_identity_certificate,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ &dh_modp_pub_key, challengeData, challengeDataSize, NULL, NULL, 0, NULL, NULL, HANDSHAKE_REQUEST);
+}
+
+static void
+handshake_message_deinit(
+ DDS_Security_HandshakeMessageToken *token)
+{
+ DDS_Security_DataHolder_deinit(token);
+}
+
+static bool
+validate_handshake_token(
+ DDS_Security_HandshakeMessageToken *token, + const DDS_Security_OctetSeq *challenge1, + const DDS_Security_OctetSeq *challenge2, + HandshakeStep_t token_type) +{ + const DDS_Security_BinaryProperty_t *property; + const char * class_id; + + switch (token_type) + { + case HANDSHAKE_REQUEST: + class_id = AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID; + break; + case HANDSHAKE_REPLY: + class_id = AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID; + break; + case HANDSHAKE_FINAL: + class_id = AUTH_HANDSHAKE_FINAL_TOKEN_CLASS_ID; + break; + default: + class_id = NULL; + CU_FAIL("HandshakeMessageToken invalid token type"); + } + + if (!token->class_id || strcmp(token->class_id, class_id) != 0) { + CU_FAIL("HandshakeMessageToken incorrect class_id"); + } else if ((property = find_binary_property(token, "hash_c2")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'hash_c2' not found"); + } else if ((property = find_binary_property(token, "dh2")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'dh2' not found"); + } else if ((property = find_binary_property(token, "hash_c1")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'hash_c1' not found"); + } else if ((property = find_binary_property(token, "dh1")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'dh1' not found"); + } else if ((property = find_binary_property(token, "challenge1")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'challenge1' not found"); + } else if (challenge1 && compare_octet_seq(challenge1, &property->value) != 0) { + CU_FAIL("HandshakeMessageToken incorrect property 'challenge1' incorrect value"); + } else if ((property = find_binary_property(token, "challenge2")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'challenge2' not found"); + } else if (challenge2 && compare_octet_seq(challenge2, &property->value) != 0) { + CU_FAIL("HandshakeMessageToken incorrect property 'challenge2' incorrect value"); + } else { + return true; + } 
+ + return false; +} + +CU_Test(ddssec_builtin_process_handshake,happy_day_after_request ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *dh1; + const DDS_Security_BinaryProperty_t *challenge1_glb; + struct octet_seq dh1_pub_key; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + /* prepare reply */ + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_ECDH_NAME, + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_ecdh_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_OK_FINAL_MESSAGE); + CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT(validate_handshake_token(&handshake_reply_token_out, &challenge1_glb->value, &challenge2_predefined_glb->value, HANDSHAKE_FINAL)); + + CU_ASSERT( check_shared_secret(auth, 1, dh1, dh_ecdh_key, handshake_handle)== 0); + + success= auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); + handshake_message_deinit(&handshake_reply_token_out); +} + +CU_Test(ddssec_builtin_process_handshake,happy_day_after_reply ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle 
handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_final_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_final_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *hash2_sentreply; + const DDS_Security_BinaryProperty_t *challenge2_glb; + const DDS_Security_BinaryProperty_t *dh2; + struct octet_seq dh2_pub_key; + + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + fill_handshake_message_token_default(&handshake_token_in, remote_participant_data1, challenge1_predefined_glb->value._buffer, challenge1_predefined_glb->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT(validate_handshake_token(&handshake_token_out, &challenge1_predefined_glb->value, NULL, HANDSHAKE_REPLY)); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + hash2_sentreply = find_binary_property(&handshake_token_out, "hash_c2"); + + /*Get DH2 value */ + dh2 = find_binary_property(&handshake_token_out, "dh2"); + + /* get challenge 2 from the message */ + challenge2_glb = find_binary_property(&handshake_token_out, "challenge2"); + + reset_exception(&exception); + + /* prepare final */ + dh2_pub_key.data = dh2->value._buffer; + dh2_pub_key.length = dh2->value._length; + + fill_handshake_message_token( + &handshake_final_token_in, NULL, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_ECDH_NAME, + &dh_modp_pub_key, challenge1_predefined_glb->value._buffer, challenge1_predefined_glb->value._length, + &dh2_pub_key, challenge2_glb->value._buffer, challenge2_glb->value._length, hash1_sentrequest, hash2_sentreply, HANDSHAKE_FINAL); + + result = auth->process_handshake( + auth, + &handshake_final_token_out, + &handshake_final_token_in, + handshake_handle, + &exception); + + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_OK); + + CU_ASSERT( check_shared_secret(auth, 0, dh2, dh_modp_key, handshake_handle)== 0); + + success= auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_handshake_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_final_token_in); + handshake_message_deinit(&handshake_final_token_out); +} + +CU_Test(ddssec_builtin_process_handshake,invalid_arguments ) +{ + + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_final_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *hash2_sentreply; + const DDS_Security_BinaryProperty_t *challenge2_glb; + const DDS_Security_BinaryProperty_t *dh2; + struct octet_seq dh2_pub_key; + DDS_Security_boolean success; + + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + fill_handshake_message_token_default(&handshake_token_in, remote_participant_data1, challenge1_predefined_glb->value._buffer, challenge1_predefined_glb->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT(validate_handshake_token(&handshake_token_out, &challenge1_predefined_glb->value, NULL, HANDSHAKE_REPLY)); + + /*Get DH2 value */ + dh2 = find_binary_property(&handshake_token_out, "dh2"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + hash2_sentreply = find_binary_property(&handshake_token_out, "hash_c2"); + + /* get challenge 2 from the message */ + challenge2_glb = find_binary_property(&handshake_token_out, "challenge2"); + + reset_exception(&exception); + + /* prepare final */ + dh2_pub_key.data = dh2->value._buffer; + dh2_pub_key.length = dh2->value._length; + + fill_handshake_message_token( + &handshake_final_token_in, NULL, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME, + &dh_modp_pub_key, challenge1_predefined_glb->value._buffer, challenge1_predefined_glb->value._length, + &dh2_pub_key, challenge2_glb->value._buffer, challenge2_glb->value._length, + hash1_sentrequest, hash2_sentreply, HANDSHAKE_FINAL); + + + result = auth->process_handshake( + auth, + NULL, + &handshake_final_token_in, + handshake_handle, + &exception); + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_token_out, + NULL, + handshake_handle, + &exception); + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_token_out, + &handshake_final_token_in, + 0, + &exception); + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + 
CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + success= auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_final_token_in); +} + + +CU_Test(ddssec_builtin_process_handshake,invalid_certificate ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *challenge1_glb; + const DDS_Security_BinaryProperty_t *dh1; + struct octet_seq dh1_pub_key; + DDS_Security_boolean success; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + /* prepare reply */ + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, unrelated_identity, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_ECDH_NAME, + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_ecdh_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, + hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + success= auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); +} + +CU_Test(ddssec_builtin_process_handshake,invalid_dsign_algo ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_in = 
DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *challenge1_glb; + const DDS_Security_BinaryProperty_t *dh1; + struct octet_seq dh1_pub_key; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + /* prepare reply */ + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_certificate, + "RSASSA-PSS-SHA128", AUTH_KAGREE_ALGO_RSA_NAME, + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_modp_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, + hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); +} + +CU_Test(ddssec_builtin_process_handshake,invalid_kagree_algo ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken 
handshake_reply_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *challenge1_glb; + const DDS_Security_BinaryProperty_t *dh1; + struct octet_seq dh1_pub_key; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + /* prepare reply */ + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, "DH+MODP-2048-128", + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_modp_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, + 
hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); +} + +CU_Test(ddssec_builtin_process_handshake,invalid_diffie_hellman ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *challenge1_glb; + const DDS_Security_BinaryProperty_t *dh1; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + /* prepare reply */ + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME, + &invalid_dh_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_modp_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, + hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); +} + + +CU_Test(ddssec_builtin_process_handshake,return_handle) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + 
CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + fill_handshake_message_token_default(&handshake_token_in, remote_participant_data1, challenge1_predefined_glb->value._buffer, challenge1_predefined_glb->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle1, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT (handshake_handle != DDS_SECURITY_HANDLE_NIL); + + reset_exception(&exception); + + success = auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + + success = auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_FALSE (success); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + if (!success) { + printf("return_handshake_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); +} + + +CU_Test(ddssec_builtin_process_handshake,extended_certificate_check ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *dh1; + const DDS_Security_BinaryProperty_t *challenge1_glb; + struct octet_seq dh1_pub_key; + + release_local_identity(); + release_remote_identities(); + + CU_ASSERT_FATAL( !validate_local_identity("trusted_ca_dir") ); + CU_ASSERT_FATAL( !validate_remote_identities( remote_identity_trusted ) ); + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + /* prepare reply */ + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_trusted, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_ECDH_NAME, + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_ecdh_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_OK_FINAL_MESSAGE); + CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT(validate_handshake_token(&handshake_reply_token_out, &challenge1_glb->value, &challenge2_predefined_glb->value, HANDSHAKE_FINAL)); + + CU_ASSERT( check_shared_secret(auth, 1, dh1, dh_ecdh_key, handshake_handle)== 0); + + success= auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); + handshake_message_deinit(&handshake_reply_token_out); + + + release_local_identity(); + release_remote_identities(); + + CU_ASSERT_FATAL( !validate_local_identity("trusted_ca_dir") ); + CU_ASSERT_FATAL( 
!validate_remote_identities( remote_identity_trusted_expired ) ); + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + /* prepare reply */ + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_trusted_expired, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_ECDH_NAME, + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_ecdh_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + + reset_exception(&exception); 
+ + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); + handshake_message_deinit(&handshake_reply_token_out); + + + + release_local_identity(); + release_remote_identities(); + + CU_ASSERT_FATAL( !validate_local_identity("trusted_ca_dir") ); + CU_ASSERT_FATAL( !validate_remote_identities( remote_identity_untrusted ) ); + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + /* prepare reply */ + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_untrusted, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_ECDH_NAME, + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_ecdh_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT_FATAL(exception.code != 0); + + + reset_exception(&exception); + + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); + handshake_message_deinit(&handshake_reply_token_out); + +} diff --git a/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/identity_ca b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/identity_ca new file mode 100644 index 0000000..7e2675c --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/identity_ca 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE +BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp +ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx +MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k +ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz +2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf +zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB +pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL +FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME +BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW +gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB +Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME +BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK +KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI +KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU +AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI +hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s +iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC +LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm +geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t +Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd +sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/remote_ca.crt b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/remote_ca.crt new file mode 100644 index 0000000..6b096a0 --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/remote_ca.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKTCCAxGgAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50 +aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcjELMAkGA1UEBhMC +TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ +ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0 +ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANa/ENFfGVXg +bPLTzBdDfiZQcp5dWZ//Pb8ErFOJu8uosVHFv8t69dgjHgNHB4OsjmjnR7GfKUZT +0cMvWJnjsC7DDlBwFET9rj4k40n96bbVCH9I7+tNhsoqzc6Eu+5h4sk7VfNGTM2Z +SyCd4GiSZRuA44rRbhXI7/LDpr4hY5J9ZDo5AM9ZyoLAoh774H3CZWD67S35XvUs +72dzE6uKG/vxBbvZ7eW2GLO6ewa9UxlnLVMPfJdpkp/xYXwwcPW2+2YXCge1ujxs +tjrOQJ5HUySh6DkE/kZpx8zwYWm9AaCrsvCIX1thsqgvKy+U5v1FS1L58eGc6s// +9yMgNhU29R0CAwEAAaOByTCBxjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRNVUJN +FzhJPReYT4QSx6dK53CXCTAfBgNVHSMEGDAWgBRNVUJNFzhJPReYT4QSx6dK53CX +CTAPBgNVHQ8BAf8EBQMDB/+AMGUGA1UdJQEB/wRbMFkGCCsGAQUFBwMBBggrBgEF +BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkGCCsG +AQUFBwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAcOLF +ZYdJguj0uxeXB8v3xnUr1AWz9+gwg0URdfNLU2KvF2lsb/uznv6168b3/FcPgezN +Ihl9GqB+RvGwgXS/1UelCGbQiIUdsNxk246P4uOGPIyW32RoJcYPWZcpY+cw11tQ +NOnk994Y5/8ad1DmcxVLLqq5kwpXGWQufV1zOONq8B+mCvcVAmM4vkyF/de56Lwa +sAMpk1p77uhaDnuq2lIR4q3QHX2wGctFid5Q375DRscFQteY01r/dtwBBrMn0wuL +AMNx9ZGD+zAoOUaslpIlEQ+keAxk3jgGMWFMxF81YfhEnXzevSQXWpyek86XUyFL +O9IAQi5pa15gXjSbUg== +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/root_CA_RSA.crt b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/root_CA_RSA.crt new file mode 100644 index 0000000..61346df --- /dev/null 
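Review bot: The remote_ca.crt fixture added here looks like it carries a fixed validity window that ends on 2027-03-11 (read from the DER validity field in the base64; worth confirming with `openssl x509 -noout -dates`), and root_CA_RSA.crt in the next hunk appears to end on 2027-06-10, so every test that loads trusted_ca_dir will start failing on a calendar date rather than on a code change. identity_ca in the same directory seems to be issued until 2222, which is the pattern I would follow: reissue both test CAs with a far-future notAfter, or generate them at build time. A short README next to the fixtures stating that these are test-only CAs and recording the command used to create them would also make later regeneration reproducible.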
+++ b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/root_CA_RSA.crt @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEtjCCA56gAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50 +aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMB4XDTE4MDYxMTAwMDAwMFoXDTI3MDYxMDIzNTk1OVowcjELMAkGA1UEBhMC +TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ +ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0 +ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANRf3XKmM6O+ +WoYPNpOAdkGKKZHLJ8ZuPxVVBMX6oJAlcOmkhLzfkHSA+gl/OWaMOXIEtN512gyL +YszBf1RImwVzRjJFwIxzGzVQ68jYNj+qBbsOt+IG+hs3wgVCLFkCh+J7hXUgvk8A +eRM/SRrI42dQfcgKUAMNi4/iX6Vs+FV9pHB63L4PiLA9hfUE25sH6EsIC7icvGDJ +6cGG94glVSHDI1NtXfsNHY+NGY/jYKtQZklqU3lew5I60aJIsea+Wk6PJiz4hyXv +XVVmrcNeG1g4OEFgiSXZC2XknDw8t9+ELprGNvuJvTFxwPMAgLeF4IhEQC9dQY2W +BRwUxtZBzukCAwEAAaOCAVUwggFRMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFER4 +R6N3MQ1Wl7gn+R8wwHloDCVZMB8GA1UdIwQYMBaAFER4R6N3MQ1Wl7gn+R8wwHlo +DCVZMA8GA1UdDwEB/wQFAwMH/4Awge8GA1UdJQEB/wSB5DCB4QYIKwYBBQUHAwEG +CCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3 +AgEVBgorBgEEAYI3AgEWBgorBgEEAYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3 +CgMEBglghkgBhvhCBAEGCysGAQQBgjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYG +CCsGAQUFBwMHBggrBgEFBQgCAgYKKwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUF +BwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAwXuEWDG3 +aAyL+DsGr0B4YMLjHtx6FjzkJOpTtXQhkrtSMpD3Xytl7Wfz8lyWuTnbrk8F4gWO +IkJR/NdMGW27SmeYU0z7QAGRDwtHX6kqqizQbCwf4F6P/2QftcLp1VrlsIlb0gyx +gLjpGmn5TT7gj+ahW0iIRglOwhzCvkNu6agYpdGwVirSyLShy/Hq303DZSbVuktz +5/PmZKpufnoGqURNnJqbV4TQipE0FiDmp2o+gVgJ+DVRhiCdfk68Xp7+TlmxCDfZ +C3qb18qrwAZ4AL3T9/RlzfkXh4ME9V6wqa5Y6j7Vwx5Ef2OHL+mnMnoNSXDLRh6j +45ky66su5dROpA== +-----END CERTIFICATE----- 
diff --git a/src/security/builtin_plugins/tests/validate_begin_handshake_reply/src/validate_begin_handshake_reply_utests.c b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/src/validate_begin_handshake_reply_utests.c
new file mode 100644
index 0000000..3b2907e
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/src/validate_begin_handshake_reply_utests.c
@@ -0,0 +1,2125 @@
+
+
+
+
+/* CUnit includes. */
+
+
+/* Test helper includes. */
+#include "common/src/loader.h"
+#include "config_env.h"
+
+/* Private header include */
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_serialize.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/string.h"
+#include
+#include
+#include "dds/ddsrt/environ.h"
+#include "dds/ddsrt/endian.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "assert.h"
+
+
+#if DDSRT_ENDIAN == DDSRT_LITTLE_ENDIAN
+unsigned bswap4u (unsigned x);
+unsigned bswap4u (unsigned x)
+{
+ return (x >> 24) | ((x >> 8) & 0xff00) | ((x << 8) & 0xff0000) | (x << 24);
+}
+#define toBE4u(x) bswap4u (x)
+#define fromBE4u(x) bswap4u (x)
+#else
+#define toBE4u(x) (x)
+#define fromBE4u(x) (x)
+#endif
+
+
+static const char * AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0";
+static const char * PERM_ACCESS_CLASS_ID = "DDS:Access:Permissions:1.0";
+
+static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char * PROPERTY_TRUSTED_CA_DIR = "dds.sec.auth.trusted_ca_dir";
+
+static const char * PROPERTY_CERT_SUBJECT_NAME = "dds.cert.sn";
+static const char * PROPERTY_CERT_ALGORITHM = "dds.cert.algo";
+static const char * PROPERTY_CA_SUBJECT_NAME = "dds.ca.sn";
+static const char * PROPERTY_CA_ALGORITHM = "dds.ca.aglo";
+
+static const char * PROPERTY_PERM_CA_SUBJECT_NAME = "ds.perm_ca.sn";
+
+static const char * SUBJECT_NAME_IDENTITY_CERT = "CN=CHAM-574 client,O=Some Company,ST=Some-State,C=NL";
+static const char * SUBJECT_NAME_IDENTITY_CA = "CN=CHAM-574 authority,O=Some Company,ST=Some-State,C=NL";
+
+static const char *
RSA_2048_ALGORITHM_NAME = "RSA-2048"; + +static const char * AUTH_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+AuthReq"; +static const char * AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME = "future_challenge"; + +static const char * AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Req"; +static const char * AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Reply"; + + +static const char * AUTH_DSIGN_ALGO_RSA_NAME = "RSASSA-PSS-SHA256"; +static const char * AUTH_KAGREE_ALGO_RSA_NAME = "DH+MODP-2048-256"; + +static unsigned char *dh_pubkey_modp_2048_value = NULL; +static unsigned char *invalid_dh_pubkey_modp_2048_value = NULL; +static size_t dh_pubkey_modp_2048_length = 0; + +static const char *identity_certificate = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n" + "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n" + "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n" + "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n" + "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n" + "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n" + "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n" + "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n" + "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n" + "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n" + "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n" + "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n" + "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n" + 
"BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n" + "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n" + "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n" + "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n" + "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n" + "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n" + "-----END CERTIFICATE-----\n"; + + +static const char *remote_identity_certificate = + "-----BEGIN CERTIFICATE-----\n" + "MIIEPTCCAyWgAwIBAgIIRmtzSKaI+rowDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDMy\n" + "MzEyMDEwMFoYDzIyMjIwMjIyMjIyMjAwWjBYMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MREwDwYDVQQDEwhDSEFNLTU3NzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n" + "ggEBAMKlWGK8f/AEjK7viu9CdydJmorKyk3oK8PWmZX3B+3k8eFW32NXv2+BK5vk\n" + "sAOhEcCAV2/125iAGvXs5vq5GshjgHXwJysKOFBwLiCPHzLaOX095ib6pgPejjgV\n" + "gGsGrRAKetCAqxv+pf1n4zD9VSLDrnHrxbzvosQdBCgSBPiTFK5qDAGhVGR48Pp9\n" + "gAqZPhdLfH47S/6scRJNywoXrIxp2CnuHd4fVvyQlPNLHwlX1nOr76bGOjGqFsFU\n" + "/mcPN7aGFIh4KQK9KvHt5+SApLgBBdrn9njgaIC7VN9ddSp2Jz2vHAPR52dqM0SW\n" + "dl7uyOiT/TK6q8f7aFKqk29r/OkCAwEAAaOCAQAwgf0wDAYDVR0PBAUDAwf/gDCB\n" + "7AYDVR0lBIHkMIHhBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEF\n" + "BQcDBAYIKwYBBQUHAwgGCisGAQQBgjcCARUGCisGAQQBgjcCARYGCisGAQQBgjcK\n" + "AwEGCisGAQQBgjcKAwMGCisGAQQBgjcKAwQGCWCGSAGG+EIEAQYLKwYBBAGCNwoD\n" + "BAEGCCsGAQUFBwMFBggrBgEFBQcDBgYIKwYBBQUHAwcGCCsGAQUFCAICBgorBgEE\n" + "AYI3FAICBggrBgEFBQcDCQYIKwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0G\n" + "CSqGSIb3DQEBCwUAA4IBAQAniERWU9f/ijm9t8xuyOujEKDJl0Ded4El9mM5UYPR\n" + "ZSnabPNKQjABBS4sVISIYVwfQxGkPgK0MeMBKqs/kWsZ4rp8h5hlZvxFX8H148mo\n" + "3apNgdc/VylDBW5Ltbrypn/dZh9hFZE8Y/Uvo9HPksVEkjYuFN5v7e8/mwxTcrZ1\n" + 
"BAZrTlDTiCR046NN1lUs/7oUaNCruFV7AU6RbGYnSzM6plPJHMRa9nzNeO0uPaHK\n" + "kNPe+/UGpMi7cpF9w0M5Z1wW+Nq45bBRejFLQkHSjOEeGL2zi7T1HFAHZQydd6Wo\n" + "zYffGTmyHqIjNArbOWEMYN6s1nqsQS+ifolr0MtfeHad\n" + "-----END CERTIFICATE-----\n"; + +static const char *identity_ca = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n" + "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n" + "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n" + "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n" + "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n" + "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n" + "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n" + "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n" + "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n" + "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n" + "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n" + "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n" + "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n" + "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n" + "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n" + "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n" + "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n" + "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n" + "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n" + 
"Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n" + "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n" + "-----END CERTIFICATE-----\n"; + + +static const char *private_key = + "data:,-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n" + "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n" + "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n" + "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n" + "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n" + "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n" + "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n" + "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n" + "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n" + "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n" + "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n" + "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n" + "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n" + "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n" + "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n" + "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n" + "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n" + "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n" + "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n" + "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n" + "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n" + "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n" + "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n" + "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n" + "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n" + 
"-----END RSA PRIVATE KEY-----\n"; + + +static const char *diffie_hellman_pubkey = + "-----BEGIN PUBLIC KEY-----\n" + "MIICJDCCARcGCSqGSIb3DQEDATCCAQgCggEBAJxLLigSIC7JjO/kdQ7LT1v0FPvM\n" + "Cq4hZrg6cX1IKzinaJJai3CcWpjMxoJ+jDBh2iekZavJli9qa400FC94UchqsE8s\n" + "I68LRbSkocvSWHOyayGrn04XLvhZPwulZFfEZ0xmg+vcTt2xS5IvX0qC1nrMpVu9\n" + "d9A93n+PZqRWJcJThoApChRT0lVp6CC9dn7oVnIPWyGfUZH9UOzXrx8Rq6wKnWPs\n" + "G0Igaia4uLDIqGKJ1Nr2HmLY8exKcK539X38I2NokzQrwhKdBlIXF5yYGhH+ib0U\n" + "yrdbK1kJBiaXh2CMMPQ7skXZDeQ/ixgTI/cXwaMC3ddE+7l/GTHo/azJawsCAQID\n" + "ggEFAAKCAQB3SB4wP5voPc5YcUpFiJXXlQe7DQxfzo5Mq1A/e8Raw/qzCkJMkcoT\n" + "v656vj4s7PbmzWLDLs0mAD7lU4U+HSnhuBmP46aIZVZORZqQmhzn073iqPiRN8eC\n" + "XPXgsMc8sgpbOoUGo89nuMGaucu2i4ZpLdJTkoFfC6wE2wZg11mr/hfX7+KmKSSp\n" + "V/+h6wROt824MijsuDjxHgZJWuM1jqzFq5skMJ84uwBF5LG3A6sTFnobBQXily5H\n" + "vYh/wWf+lRxeoNRW6B0t7xukZ+a71gg2Fxtm1f3RkLh4IcWfuYAcn5R9Hvgvx7Ex\n" + "DrqVRGbTZZa7fgtiQjj7HF6Cg/btOz2T\n" + "-----END PUBLIC KEY-----\n"; + +static const char *unrelated_identity = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIDpDCCAoygAwIBAgIJALE5lRKfYHAaMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV\n" + "BAYTAk5MMRMwEQYDVQQIDApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8w\n" + "DQYDVQQKDAZBRExJTksxGDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTAeFw0xODAy\n" + "MDkxNjIwNDNaFw0zODAyMDQxNjIwNDNaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI\n" + "DApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8wDQYDVQQKDAZBRExJTksx\n" + "GDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n" + "ADCCAQoCggEBAN9/NbpJDHQYHh3cEByRxnHffxEe9Sapn08Ty5xYO8LDJ4V7vU32\n" + "/7291fITiHaovOoCRHAbKTaTtqJO56aGY45HON6KIqxljLQJJVGW/Nf2PNSHmFix\n" + "6D6bsoSOTPyKYqBNT6lB7NMn4QBTcsiE61El8p9WLQZHoYQJK5Psf7wkBqGBz8he\n" + "bcDWXFn7kIgnsaLrh77w2wi/y0MqpPwyeRInoZfYknzVNdxCPgq7csBYDoMgOgkV\n" + "G60ECXojHKz1HI4n0V8L8lZluSSVRNR0xvPFgBqO7b+Re7xb6iO9TNsFeoiMMNyp\n" + "EwM99CqPO0RRrAPiC7IDgcNGjxhne9EJFGsCAwEAAaNjMGEwHQYDVR0OBBYEFCst\n" + "gj5Ecm3HU/N7wxJluFo5+6XUMB8GA1UdIwQYMBaAFCstgj5Ecm3HU/N7wxJluFo5\n" + 
"+6XUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB\n" + "CwUAA4IBAQCWibvYuPLpoNcsUdHbE7SnBbEQnDfBxBZN8xeWHwwAPEB+8eHhmIdZ\n" + "xDtCN61xr5QR+KzlEYFwKyHMp9GN3OPU1RndJrzaXz2ddAZVkBIvnQZ4JvFd+sBC\n" + "QQgEvL8GcwZPxnad/TRylM4ON3Kh0X9vfyrmWEoHephiE1LcENaFqcYr9xg3DJNh\n" + "XSrigMGZJ7IOHkvgaoneICOcYI42ZHS0fnt1G+01VKJXm3ndi5NL25GnOmlvV6yV\n" + "+1vcmdQc6YS8K8vHmrH4lX9iPfsOak6WSzzsXdqgpvyxtGJggcFaDTtmbWCAkJj0\n" + "B7DMeaVlLClGQaKZZ7aexEx9se+IyLn2\n" + "-----END CERTIFICATE-----\n"; + +#ifdef TRUSTED_CA_DIR_IMPLEMENTED +static const char *remote_identity_trusted = + "-----BEGIN CERTIFICATE-----\n" + "MIIDcDCCAligAwIBAgIBBTANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" + "MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" + "aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" + "Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcDELMAkGA1UEBhMC\n" + "TkwxCzAJBgNVBAgTAk9WMQ8wDQYDVQQKEwZBRExpbmsxETAPBgNVBAsTCElTVCBU\n" + "ZXN0MREwDwYDVQQDEwhCb2IgVGVzdDEdMBsGCSqGSIb3DQEJARYOYm9iQGFkbGlu\n" + "ay5pc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB5vqhuWnwhxXZ\n" + "qffPmfjzge7w91oX4ISlboIfBXp3sLj2mqLSsYhgBNJAn/Fl1OZeFw0d4gVibBgx\n" + "5Zdcjsi+ClvYK8H534iTJfNriMyhg4kSWxZF1Tixfw3FS7LqjKEY5ZNPfp5a4P+8\n" + "UveorYJusrnlv1DiF6aPhJQh8J62J6bhx62DNLO7dZbN0BUsnWtyDcfi5DOjf2/r\n" + "3lSRfecn3uBr1QYRaS5FrV+MSoGcjI3M75mei1TTUp7YT4ZWRR5rKUMql605xsms\n" + "d6sqJaKofYmw7wCuaVJ86pb/w8srdddKt21xUeQNMKn49H6raezMOE3U5BUMtZ+P\n" + "2OBLk/CPAgMBAAGjEzARMA8GA1UdDwEB/wQFAwMH/4AwDQYJKoZIhvcNAQELBQAD\n" + "ggEBAJV71Ckf1zsks5mJXqdUb8bTVHg4hN32pwjCL5c6W2XHAv+YHwE/fN3C1VIY\n" + "bC8zjUC9dCOyC2AvOQyZQ1eC/WoK6FlXjHVX2upL4lXQ9WL9ztt1mgdRrhvUPuUn\n" + "aBE8VgNU0t4jl93xMIaU8hB0kQsV+kdcN0cWbrF3mT4s9njRvopJ8hS2UE60V2wA\n" + "ceUOazH+QGPh1k0jkynrTlVR9GrpebQwZ2UFeinVO0km17IAyQkz+OmPc4jQLJMl\n" + "CmkbmMwowdLMKC6r/HyE87dN7NvFnRM5iByJklRwN7WDYZrl72HoUOlgTZ7PjW2G\n" + "jTxK8xXtDCXC/3CNpe0YFnOga8g=\n" + "-----END CERTIFICATE-----\n"; + +static const char 
*remote_identity_untrusted = + "-----BEGIN CERTIFICATE-----\n" + "MIIELTCCAxWgAwIBAgIBATANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJOTDEL\n" + "MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGzAZBgNVBAMTEkJvYiBU\n" + "ZXN0IFVudHJ1c3RlZDEmMCQGCSqGSIb3DQEJARYXaW5mb0Bpc3QuYWRsaW5rdGVj\n" + "aC5jb20wHhcNMTgwNjIwMDAwMDAwWhcNMjcwNjE5MjM1OTU5WjB0MQswCQYDVQQG\n" + "EwJOTDELMAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGzAZBgNVBAMT\n" + "EkJvYiBUZXN0IFVudHJ1c3RlZDEmMCQGCSqGSIb3DQEJARYXaW5mb0Bpc3QuYWRs\n" + "aW5rdGVjaC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB5vqh\n" + "uWnwhxXZqffPmfjzge7w91oX4ISlboIfBXp3sLj2mqLSsYhgBNJAn/Fl1OZeFw0d\n" + "4gVibBgx5Zdcjsi+ClvYK8H534iTJfNriMyhg4kSWxZF1Tixfw3FS7LqjKEY5ZNP\n" + "fp5a4P+8UveorYJusrnlv1DiF6aPhJQh8J62J6bhx62DNLO7dZbN0BUsnWtyDcfi\n" + "5DOjf2/r3lSRfecn3uBr1QYRaS5FrV+MSoGcjI3M75mei1TTUp7YT4ZWRR5rKUMq\n" + "l605xsmsd6sqJaKofYmw7wCuaVJ86pb/w8srdddKt21xUeQNMKn49H6raezMOE3U\n" + "5BUMtZ+P2OBLk/CPAgMBAAGjgckwgcYwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU\n" + "QpxLPHT5o/GQRwdBw2scINXnWlUwHwYDVR0jBBgwFoAUQpxLPHT5o/GQRwdBw2sc\n" + "INXnWlUwDwYDVR0PAQH/BAUDAwf/gDBlBgNVHSUBAf8EWzBZBggrBgEFBQcDAQYI\n" + "KwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJ\n" + "BggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEB\n" + "ABcyab7F7OAsjUSW0YWkVRX1SUMkW25xLLs8koXhHrdnBqgnmOur0xO72/fmTTX9\n" + "KnCUmQj+dAOmmZrAaIZzqLtMyp4ibHZPfOBwmM0MFnyuwyEnCEYvjPN3FTB0HEgS\n" + "vCoFH1001LVi4oC1mEMxYaNW4/5Tgl+DTqGF+tctJe3hvbxh+Uu5M0320VAvASjt\n" + "cJ0me6Ug1FJJ60tgXgZ+M/8V6AXhrQGNgN6WkPMFbbLi5IyEld186QPeLdZ8vCtz\n" + "StjIV9HZGR1XLotlXarbjVtjxavZJjtwiySeYkAgG7Zjy7LalPSJiIdAD3R/ny+S\n" + "9kXDKiw/HgYxb8xiy9gdlSc=\n" + "-----END CERTIFICATE-----\n"; + +static const char *remote_identity_trusted_expired = + "-----BEGIN CERTIFICATE-----\n" + "MIIEKTCCAxGgAwIBAgIBBjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" + "MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" + "aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" + 
"Y29tMB4XDTE4MDMwMTAwMDAwMFoXDTE4MDQyMzIzNTk1OVowcjELMAkGA1UEBhMC\n" + "TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBC\n" + "b2IgVGVzdCBFeHBpcmVkMSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0\n" + "ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMHm+qG5afCH\n" + "Fdmp98+Z+POB7vD3WhfghKVugh8FenewuPaaotKxiGAE0kCf8WXU5l4XDR3iBWJs\n" + "GDHll1yOyL4KW9grwfnfiJMl82uIzKGDiRJbFkXVOLF/DcVLsuqMoRjlk09+nlrg\n" + "/7xS96itgm6yueW/UOIXpo+ElCHwnrYnpuHHrYM0s7t1ls3QFSyda3INx+LkM6N/\n" + "b+veVJF95yfe4GvVBhFpLkWtX4xKgZyMjczvmZ6LVNNSnthPhlZFHmspQyqXrTnG\n" + "yax3qyoloqh9ibDvAK5pUnzqlv/Dyyt110q3bXFR5A0wqfj0fqtp7Mw4TdTkFQy1\n" + "n4/Y4EuT8I8CAwEAAaOByTCBxjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRCnEs8\n" + "dPmj8ZBHB0HDaxwg1edaVTAfBgNVHSMEGDAWgBRNVUJNFzhJPReYT4QSx6dK53CX\n" + "CTAPBgNVHQ8BAf8EBQMDB/+AMGUGA1UdJQEB/wRbMFkGCCsGAQUFBwMBBggrBgEF\n" + "BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkGCCsG\n" + "AQUFBwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAdY5n\n" + "5ElOhpHq/YPWUs68t8HNIhqfokqjLZAgzNyU5QFppb9tPpmFCugerfjlScNwp5HB\n" + "X6/WjK4runDrgzXfmrBogR4Kscb1KJSm8KAmnzXVUNr1iyASlHxI7241kYdQvTH2\n" + "LL6b0kjsD5lKAnNh4id0SDHfy/CKg5d7dUxxO1mX48jUiIZtmFqgjej8tFLHy/w/\n" + "usI5ErlI0qzI6lkoRxPCEWLbXWeBDm3/smHeDbYa/+Lw4Bid8U1+ZSAuC1CT7a7F\n" + "O3gAjPUL0jzRztp5Yj3dYPV8YyJHLEKr75IXNedV9YKhT4f6kTS3UEjMTqYbYsix\n" + "MtqgY283RjsExzjNvw==\n" + "-----END CERTIFICATE-----\n"; +#endif + +static struct plugins_hdl *plugins = NULL; +static dds_security_authentication *auth = NULL; +static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_IdentityHandle remote_identity_handle1 = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_IdentityHandle remote_identity_handle2 = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_AuthRequestMessageToken g_local_auth_request_token = DDS_SECURITY_TOKEN_INIT; +static DDS_Security_AuthRequestMessageToken g_remote_auth_request_token = DDS_SECURITY_TOKEN_INIT; +static const 
DDS_Security_BinaryProperty_t *challenge1 = NULL;
+static const DDS_Security_BinaryProperty_t *challenge2 = NULL;
+static DDS_Security_OctetSeq serialized_participant_data = DDS_SECURITY_SEQUENCE_INIT;
+static DDS_Security_ParticipantBuiltinTopicData *remote_participant_data1 = NULL;
+static DDS_Security_ParticipantBuiltinTopicData *remote_participant_data2 = NULL;
+static DDS_Security_ParticipantBuiltinTopicData *remote_participant_data3 = NULL;
+static DDS_Security_GUID_t candidate_participant_guid;
+static DDS_Security_GUID_t remote_participant_guid1;
+static DDS_Security_GUID_t remote_participant_guid2;
+static bool future_challenge_done = false;
+
+
+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+#define AUTH_INCLUDE_EC
+#include
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#define AUTH_INCLUDE_DH_ACCESSORS
+#endif
+#else
+#error "version not found"
+#endif
+
+
+static const BIGNUM *
+dh_get_public_key(
+ DH *dhkey)
+{
+#ifdef AUTH_INCLUDE_DH_ACCESSORS
+ const BIGNUM *pubkey, *privkey;
+ DH_get0_key(dhkey, &pubkey, &privkey);
+ return pubkey;
+#else
+ return dhkey->pub_key;
+#endif
+}
+
+
+static void
+serializer_participant_data(
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ unsigned char **buffer,
+ size_t *size);
+
+static void
+dds_security_property_init(
+ DDS_Security_PropertySeq *seq,
+ DDS_Security_unsigned_long size)
+{
+ seq->_length = size;
+ seq->_maximum = size;
+ seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+ memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void
+dds_security_property_deinit(
+ DDS_Security_PropertySeq *seq)
+{
+ uint32_t i;
+
+ for (i = 0; i < seq->_length; i++) {
+ ddsrt_free(seq->_buffer[i].name);
+ ddsrt_free(seq->_buffer[i].value);
+ }
+ ddsrt_free(seq->_buffer);
+}
+
+static void
+reset_exception(
+ DDS_Security_SecurityException *ex)
+{
+ ex->code = 0;
+ ex->minor_code = 0;
+ ddsrt_free(ex->message);
+ ex->message = NULL;
+}
+
+static char *
+get_openssl_error(
+ void)
+{
+ BIO *bio = BIO_new(BIO_s_mem());
+ char *msg;
+ char *buf = NULL;
+ size_t len;
+
+ if (bio) {
+ ERR_print_errors(bio);
+ len = (size_t) BIO_get_mem_data (bio, &buf);
+ msg = (char *) ddsrt_malloc(len + 1);
+ memset(msg, 0, len+1);
+ memcpy(msg, buf, len);
+ BIO_free(bio);
+ } else {
+ msg = ddsrt_strdup("BIO_new failed");
+ }
+
+ return msg;
+}
+
+static void
+initialize_identity_token(
+ DDS_Security_IdentityToken *token,
+ const char *certAlgo,
+ const char *caAlgo)
+{
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+ token->properties._maximum = 4;
+ token->properties._length = 4;
+ token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+
+ token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CERT);
+ token->properties._buffer[0].propagate = true;
+
+ token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM);
+ token->properties._buffer[1].value = ddsrt_strdup(certAlgo);
+ token->properties._buffer[1].propagate = true;
+
+ token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME);
+ token->properties._buffer[2].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA);
+ token->properties._buffer[2].propagate = true;
+
+ token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM);
+ token->properties._buffer[3].value = ddsrt_strdup(caAlgo);
+ token->properties._buffer[3].propagate = true;
+}
+
+static void
+initialize_permissions_token(
+ DDS_Security_PermissionsToken *token,
+ const char *caAlgo)
+{
+ token->class_id = ddsrt_strdup(PERM_ACCESS_CLASS_ID);
+ token->properties._length = 2;
+ token->properties._maximum = 2;
+ token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+ token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA);
+
token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_PERM_CA_SUBJECT_NAME);
+ token->properties._buffer[1].value = ddsrt_strdup(caAlgo);
+}
+
+
+
+static void
+fill_auth_request_token(
+ DDS_Security_AuthRequestMessageToken *token)
+{
+ uint32_t i;
+ uint32_t len = 32;
+ unsigned char *challenge;
+
+ challenge = ddsrt_malloc(len);
+
+ for (i = 0; i < len; i++) {
+ challenge[i] = (unsigned char)(0xFF - i);
+ }
+
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID);
+ token->binary_properties._maximum = 1;
+ token->binary_properties._length = 1;
+ token->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(1);
+ token->binary_properties._buffer->name = ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+
+ token->binary_properties._buffer->value._maximum = len;
+ token->binary_properties._buffer->value._length = len;
+ token->binary_properties._buffer->value._buffer = challenge;
+}
+
+static DDS_Security_BinaryProperty_t *
+find_binary_property(
+ DDS_Security_DataHolder *token,
+ const char *name)
+{
+ DDS_Security_BinaryProperty_t *result = NULL;
+ uint32_t i;
+
+ for (i = 0; i < token->binary_properties._length && !result; i++) {
+ if (token->binary_properties._buffer[i].name && (strcmp(token->binary_properties._buffer[i].name, name) == 0)) {
+ result = &token->binary_properties._buffer[i];
+ }
+ }
+
+ return result;
+}
+
+
+static void
+deinitialize_identity_token(
+ DDS_Security_IdentityToken *token)
+{
+ DDS_Security_DataHolder_deinit(token);
+}
+
+static int
+validate_local_identity(const char* trusted_ca_dir)
+{
+ int res = 0;
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GUID_t local_participant_guid;
+ DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+ DDS_Security_EntityId_t entityId =
{{0xb0,0xb1,0xb2},0x1};
+ DDS_Security_ParticipantBuiltinTopicData *local_participant_data;
+ unsigned char *sdata;
+ size_t sz;
+
+ memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ if( trusted_ca_dir != NULL){
+ char trusted_ca_dir_path[1024];
+ dds_security_property_init(&participant_qos.property.value, 4);
+#ifdef WIN32
+ snprintf(trusted_ca_dir_path, 1024, "%s\\validate_begin_handshake_reply\\etc\\%s", CONFIG_ENV_TESTS_DIR,trusted_ca_dir);
+#else
+ snprintf(trusted_ca_dir_path, 1024, "%s/validate_begin_handshake_reply/etc/%s", CONFIG_ENV_TESTS_DIR, trusted_ca_dir);
+#endif
+ participant_qos.property.value._buffer[3].name = ddsrt_strdup(PROPERTY_TRUSTED_CA_DIR);
+ participant_qos.property.value._buffer[3].value = ddsrt_strdup(trusted_ca_dir_path);
+ }
+ else{
+ dds_security_property_init(&participant_qos.property.value, 3);
+ }
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &local_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ res = -1;
+ printf("validate_local_identity_failed: %s\n", exception.message ?
exception.message : "Error message missing");
+ }
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ local_participant_data = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&local_participant_data->key[0], &local_participant_guid, 12);
+ /* convert from big-endian format to native format */
+ local_participant_data->key[0] = fromBE4u(local_participant_data->key[0]);
+ local_participant_data->key[1] = fromBE4u(local_participant_data->key[1]);
+ local_participant_data->key[2] = fromBE4u(local_participant_data->key[2]);
+
+ initialize_identity_token(&local_participant_data->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&local_participant_data->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ local_participant_data->security_info.participant_security_attributes = 0x01;
+ local_participant_data->security_info.plugin_participant_security_attributes = 0x02;
+
+ serializer_participant_data(local_participant_data, &sdata, &sz);
+
+ serialized_participant_data._length = serialized_participant_data._maximum = (uint32_t) sz;
+ serialized_participant_data._buffer = sdata;
+
+ DDS_Security_ParticipantBuiltinTopicData_free(local_participant_data);
+
+ return res;
+}
+
+static void
+release_local_identity(void)
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ if (local_identity_handle != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ?
exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ }
+ DDS_Security_OctetSeq_deinit(&serialized_participant_data);
+}
+
+
+static X509 *
+load_certificate(
+ const char *data)
+{
+ X509 *cert = NULL;
+ BIO *bio;
+
+ bio = BIO_new_mem_buf((void *) data, -1);
+ if (!bio) {
+ return NULL;
+ }
+
+ cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+
+ BIO_free(bio);
+
+ return cert;
+}
+
+static int
+get_adjusted_participant_guid(
+ X509 *cert,
+ const DDS_Security_GUID_t *candidate,
+ DDS_Security_GUID_t *adjusted)
+{
+ int result = 0;
+ unsigned char high[SHA256_DIGEST_LENGTH], low[SHA256_DIGEST_LENGTH];
+ unsigned char *subject;
+ DDS_Security_octet hb = 0x80;
+ X509_NAME *name;
+ unsigned char *tmp = NULL;
+ int i;
+ size_t sz;
+
+ name = X509_get_subject_name(cert);
+ sz = (size_t) i2d_X509_NAME(name, &tmp);
+ if (sz > 0) {
+ subject = ddsrt_malloc( sz);
+ memcpy(subject, tmp, sz);
+ OPENSSL_free(tmp);
+
+ SHA256(subject, sz, high);
+ SHA256(&candidate->prefix[0], sizeof(DDS_Security_GuidPrefix_t), low);
+
+ adjusted->entityId = candidate->entityId;
+ for (i = 0; i < 6; i++) {
+ adjusted->prefix[i] = hb | high[i]>>1;
+ hb = (unsigned char) ( high[i]<<7 );
+ }
+ for (i = 0; i < 6; i++) {
+ adjusted->prefix[i+6] = low[i];
+ }
+ ddsrt_free(subject);
+ result = 1;
+ }
+
+ return result;
+}
+
+static int
+set_dh_public_key(
+ const char *keystr,
+ unsigned char **pubkey,
+ size_t *size)
+{
+ int r = 0;
+ BIO *bio = NULL;
+ EVP_PKEY *pkey;
+ DH *dhkey;
+ unsigned char *buffer = NULL;
+ ASN1_INTEGER *asn1int;
+
+ *pubkey = NULL;
+
+
+ /* load certificate in buffer */
+ bio = BIO_new_mem_buf((void *) keystr, -1);
+ if (!bio) {
+ char *msg = get_openssl_error();
+ r = -1;
+ printf("BIO_new_mem_buf failed: %s", msg);
+ ddsrt_free(msg);
+ goto fail_alloc_bio;
+ }
+
+ pkey = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
+ if (!pkey) {
+ char *msg = get_openssl_error();
+ r = -1;
+ printf("Failed to
read public key: %s", msg);
+ ddsrt_free(msg);
+ goto fail_key_read;
+ }
+
+ dhkey = EVP_PKEY_get1_DH(pkey);
+ if (!dhkey) {
+ char *msg = get_openssl_error();
+ r = -1;
+ printf("Failed to get DH key from PKEY: %s", msg);
+ ddsrt_free(msg);
+ goto fail_get_dhkey;
+ }
+
+ asn1int = BN_to_ASN1_INTEGER(dh_get_public_key(dhkey), NULL);
+
+ if (!asn1int) {
+ char *msg = get_openssl_error();
+ r = -1;
+ printf("Failed to convert DH key to ASN1 integer: %s", msg);
+ ddsrt_free(msg);
+ goto fail_get_pubkey;
+ }
+
+ *size = (size_t)i2d_ASN1_INTEGER(asn1int, &buffer);
+
+ *pubkey = ddsrt_malloc(*size);
+ memcpy(*pubkey, buffer, *size);
+ ddsrt_free(buffer);
+
+ ASN1_INTEGER_free(asn1int);
+
+fail_get_pubkey:
+ DH_free(dhkey);
+fail_get_dhkey:
+ EVP_PKEY_free(pkey);
+fail_key_read:
+ BIO_free(bio);
+fail_alloc_bio:
+ return r;
+}
+
+
+static int
+set_dh_keys(void)
+{
+ int r;
+
+ r = set_dh_public_key(diffie_hellman_pubkey, &dh_pubkey_modp_2048_value, &dh_pubkey_modp_2048_length);
+ if (r) {
+ invalid_dh_pubkey_modp_2048_value = ddsrt_malloc(dh_pubkey_modp_2048_length);
+ memcpy(invalid_dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length);
+ invalid_dh_pubkey_modp_2048_value[0] = 0x8;
+ }
+ return r;
+}
+
+
+static int
+validate_remote_identities (const char *remote_id_certificate)
+{
+ int res = 0;
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityToken remote_identity_token;
+ static DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_GUID_t guid1;
+ DDS_Security_GUID_t guid2;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix1 = {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab};
+ DDS_Security_GuidPrefix_t prefix2 = {0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb};
+ DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1};
+ X509 *cert;
+
+ memcpy(&guid1.prefix, &prefix1,
sizeof(prefix1));
+ memcpy(&guid1.entityId, &entityId, sizeof(entityId));
+ memcpy(&guid2.prefix, &prefix2, sizeof(prefix2));
+ memcpy(&guid2.entityId, &entityId, sizeof(entityId));
+
+ if (local_identity_handle == DDS_SECURITY_HANDLE_NIL) {
+ return -1;
+ }
+
+ cert = load_certificate(remote_id_certificate);
+ if (!cert) {
+ return -1;
+ }
+
+ if (!get_adjusted_participant_guid(cert, &guid1, &remote_participant_guid1)) {
+ X509_free(cert);
+ return -1;
+ }
+
+ if (!get_adjusted_participant_guid(cert, &guid2, &remote_participant_guid2)) {
+ X509_free(cert);
+ return -1;
+ }
+
+ X509_free(cert);
+
+ initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+
+ result = auth->validate_remote_identity(
+ auth,
+ &remote_identity_handle1,
+ &g_local_auth_request_token,
+ NULL,
+ local_identity_handle,
+ &remote_identity_token,
+ &remote_participant_guid1,
+ &exception);
+
+ if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) &&
+ (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) {
+ res = -1;
+ printf("validate_remote_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ reset_exception(&exception);
+
+ fill_auth_request_token(&g_remote_auth_request_token);
+
+ result = auth->validate_remote_identity(
+ auth,
+ &remote_identity_handle2,
+ &local_auth_request_token,
+ &g_remote_auth_request_token,
+ local_identity_handle,
+ &remote_identity_token,
+ &remote_participant_guid2,
+ &exception);
+
+ if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) &&
+ (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) {
+ res = -1;
+ printf("validate_remote_identity_failed: %s\n", exception.message ?
exception.message : "Error message missing");
+ }
+
+ reset_exception(&exception);
+
+ deinitialize_identity_token(&remote_identity_token);
+ DDS_Security_DataHolder_deinit(&local_auth_request_token);
+
+ remote_participant_data1 = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&remote_participant_data1->key[0], &remote_participant_guid1, 12);
+ remote_participant_data1->key[0] = fromBE4u(remote_participant_data1->key[0]);
+ remote_participant_data1->key[1] = fromBE4u(remote_participant_data1->key[1]);
+ remote_participant_data1->key[2] = fromBE4u(remote_participant_data1->key[2]);
+
+
+ initialize_identity_token(&remote_participant_data1->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&remote_participant_data1->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ remote_participant_data1->security_info.participant_security_attributes = 0x01;
+ remote_participant_data1->security_info.plugin_participant_security_attributes = 0x02;
+
+ remote_participant_data2 = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&remote_participant_data2->key[0], &remote_participant_guid2, 12);
+ remote_participant_data2->key[0] = fromBE4u(remote_participant_data2->key[0]);
+ remote_participant_data2->key[1] = fromBE4u(remote_participant_data2->key[1]);
+ remote_participant_data2->key[2] = fromBE4u(remote_participant_data2->key[2]);
+
+ initialize_identity_token(&remote_participant_data2->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&remote_participant_data2->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ remote_participant_data2->security_info.participant_security_attributes = 0x01;
+ remote_participant_data2->security_info.plugin_participant_security_attributes = 0x02;
+
+ remote_participant_data3 = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&remote_participant_data3->key[0], &candidate_participant_guid, 12);
+
+
initialize_identity_token(&remote_participant_data3->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&remote_participant_data3->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ remote_participant_data2->security_info.participant_security_attributes = 0x01;
+ remote_participant_data2->security_info.plugin_participant_security_attributes = 0x02;
+
+ challenge1 = find_binary_property(&g_local_auth_request_token, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+ challenge2 = find_binary_property(&g_remote_auth_request_token, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+
+ return res;
+}
+
+static void
+release_remote_identities(void)
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ if (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, remote_identity_handle1, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ remote_identity_handle1 = DDS_SECURITY_HANDLE_NIL;
+ }
+ if (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, remote_identity_handle2, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ?
exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ remote_identity_handle2 = DDS_SECURITY_HANDLE_NIL;
+ }
+
+ DDS_Security_DataHolder_deinit(&g_local_auth_request_token);
+ DDS_Security_DataHolder_deinit(&g_remote_auth_request_token);
+
+ DDS_Security_ParticipantBuiltinTopicData_free(remote_participant_data1);
+ DDS_Security_ParticipantBuiltinTopicData_free(remote_participant_data2);
+ DDS_Security_ParticipantBuiltinTopicData_free(remote_participant_data3);
+ remote_participant_data1 = NULL;
+ remote_participant_data2 = NULL;
+ remote_participant_data3 = NULL;
+}
+
+static void init_testcase(void)
+{
+
+ int res = 0;
+ /* Only need the authentication plugin. */
+ plugins = load_plugins(NULL /* Access Control */,
+ &auth /* Authentication */,
+ NULL /* Cryptograpy */);
+
+ if (plugins) {
+ res = validate_local_identity( NULL );
+ if (res == 0) {
+ res = validate_remote_identities( remote_identity_certificate );
+ }
+ if (res == 0){
+ res = set_dh_keys();
+ }
+ } else {
+ res = -1;
+ }
+
+ CU_ASSERT_FATAL( res == 0 );
+}
+
+static void fini_testcase(void)
+{
+ release_local_identity();
+ release_remote_identities();
+ unload_plugins(plugins);
+ ddsrt_free(invalid_dh_pubkey_modp_2048_value);
+ ddsrt_free(dh_pubkey_modp_2048_value);
+
+}
+
+
+
+
+static bool
+compare_octet_seq(
+ const DDS_Security_OctetSeq *seq1,
+ const DDS_Security_OctetSeq *seq2)
+{
+ int r;
+ if (seq1 && seq2) {
+ r = (int)(seq2->_length - seq1->_length);
+ if (r == 0) {
+ r = memcmp(seq1->_buffer, seq2->_buffer, seq1->_length);
+ }
+ } else if (seq1 == seq2) {
+ r = 0;
+ } else {
+ r = (seq2 > seq1) ?
1 : -1;
+ }
+ return r;
+}
+
+static bool
+valid_c_id_property(
+ const char *certificate,
+ const DDS_Security_OctetSeq *value)
+{
+ if (value->_length == 0) {
+ CU_FAIL("c.id has no value");
+ return false;
+ }
+ if (strncmp(certificate, (const char *)value->_buffer, value->_length) != 0) {
+ return false;
+ }
+ return true;
+}
+
+static bool
+valid_string_value(
+ const char *expected,
+ const DDS_Security_OctetSeq *value)
+{
+ size_t len = strlen(expected) + 1;
+
+ if (strncmp(expected, (const char *)value->_buffer, len) != 0) {
+ return false;
+ }
+
+ return true;
+}
+
+static void
+serializer_participant_data(
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ unsigned char **buffer,
+ size_t *size)
+{
+ DDS_Security_Serializer serializer;
+ serializer = DDS_Security_Serializer_new(1024, 1024);
+
+ DDD_Security_Serialize_ParticipantBuiltinTopicData(serializer, pdata);
+ DDS_Security_Serializer_buffer(serializer, buffer, size);
+ DDS_Security_Serializer_free(serializer);
+}
+
+
+static void
+set_binary_property_value(
+ DDS_Security_BinaryProperty_t *bp,
+ const char *name,
+ const unsigned char *data,
+ size_t length)
+{
+ assert(bp);
+ assert(name);
+ assert(data);
+
+ bp->name = ddsrt_strdup(name);
+ bp->value._maximum = bp->value._length = (DDS_Security_unsigned_long) length;
+ if (length) {
+ bp->value._buffer = ddsrt_malloc(length);
+ memcpy(bp->value._buffer, data, length);
+ } else {
+ bp->value._buffer = NULL;
+ }
+}
+
+static void
+set_binary_property_string(
+ DDS_Security_BinaryProperty_t *bp,
+ const char *name,
+ const char *data)
+{
+ size_t length;
+
+ assert(bp);
+ assert(name);
+ assert(data);
+
+ length = strlen(data) + 1;
+ set_binary_property_value(bp, name, (const unsigned char *)data, length);
+}
+
+static void
+fill_handshake_message_token(
+ DDS_Security_HandshakeMessageToken *token,
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ const char *certificate,
+ const char *dsign,
+ const char *kagree,
+ const unsigned char
*diffie_hellman,
+ const size_t diffie_hellman_size,
+ const unsigned char *challengeData,
+ size_t challengeDataSize)
+{
+ DDS_Security_BinaryProperty_t *tokens;
+ DDS_Security_BinaryProperty_t *c_id;
+ DDS_Security_BinaryProperty_t *c_perm;
+ DDS_Security_BinaryProperty_t *c_pdata;
+ DDS_Security_BinaryProperty_t *c_dsign_algo;
+ DDS_Security_BinaryProperty_t *c_kagree_algo;
+ DDS_Security_BinaryProperty_t *hash_c1;
+ DDS_Security_BinaryProperty_t *dh1;
+ DDS_Security_BinaryProperty_t *challenge;
+ unsigned char *serialized_local_participant_data;
+ size_t serialized_local_participant_data_size;
+ unsigned char hash[32];
+
+ serializer_participant_data(pdata, &serialized_local_participant_data, &serialized_local_participant_data_size);
+
+ tokens = DDS_Security_BinaryPropertySeq_allocbuf(8);
+ c_id = &tokens[0];
+ c_perm = &tokens[1];
+ c_pdata = &tokens[2];
+ c_dsign_algo = &tokens[3];
+ c_kagree_algo = &tokens[4];
+ hash_c1 = &tokens[5];
+ dh1 = &tokens[6];
+ challenge = &tokens[7];
+
+ /* Store the Identity Certificate associated with the local identify in c.id property */
+ if (certificate) {
+ set_binary_property_string(c_id, "c.id", certificate);
+ } else {
+ set_binary_property_string(c_id, "c.idx", "rubbish");
+ }
+
+ /* Store the permission document in the c.perm property */
+ set_binary_property_string(c_perm, "c.perm", "permissions_document");
+
+ /* Store the provided local_participant_data in the c.pdata property */
+ set_binary_property_value(c_pdata, "c.pdata", serialized_local_participant_data, serialized_local_participant_data_size);
+
+ /* Set the used signing algorithm descriptor in c.dsign_algo */
+ if (dsign) {
+ set_binary_property_string(c_dsign_algo, "c.dsign_algo", dsign);
+ } else {
+ set_binary_property_string(c_dsign_algo, "c.dsign_algox", "rubbish");
+ }
+
+ /* Set the used key algorithm descriptor in c.kagree_algo */
+ if (kagree) {
+ set_binary_property_string(c_kagree_algo, "c.kagree_algo", kagree);
+ } else {
+
set_binary_property_string(c_kagree_algo, "c.kagree_algox", "rubbish");
+ }
+
+ /* Calculate the hash_c1 */
+ {
+ DDS_Security_BinaryPropertySeq bseq;
+ DDS_Security_Serializer serializer;
+ unsigned char *buffer;
+ size_t size;
+
+ bseq._length = bseq._maximum = 5;
+ bseq._buffer = tokens;
+
+ serializer = DDS_Security_Serializer_new(1024, 1024);
+
+ DDS_Security_Serialize_BinaryPropertySeq(serializer, &bseq);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+ SHA256(buffer, size, (unsigned char *)&hash);
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+
+ set_binary_property_value(hash_c1, "hash_c1", (const unsigned char *) &hash, sizeof(hash));
+ }
+
+ /* Set the DH public key associated with the local participant in dh1 property */
+ if (diffie_hellman) {
+ set_binary_property_value(dh1, "dh1", diffie_hellman, diffie_hellman_size);
+ } else {
+ set_binary_property_string(dh1, "dh1x", "rubbish");
+ }
+
+ /* Set the challenge in challenge1 property */
+ if (challengeData) {
+ set_binary_property_value(challenge, "challenge1", challengeData, challengeDataSize);
+ } else {
+ set_binary_property_value(challenge, "challenge1x", challenge2->value._buffer, challenge2->value._length);
+ }
+
+ token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID);
+ token->binary_properties._length = token->binary_properties._maximum = 8;
+ token->binary_properties._buffer = tokens;
+
+ ddsrt_free(serialized_local_participant_data);
+}
+
+static void
+fill_handshake_message_token_default(
+ DDS_Security_HandshakeMessageToken *token,
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ const unsigned char *challengeData,
+ unsigned int challengeDataSize)
+{
+ fill_handshake_message_token(
+ token, pdata, remote_identity_certificate,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challengeData, challengeDataSize);
+}
+
+static void
+handshake_message_deinit(
+
DDS_Security_HandshakeMessageToken *token)
+{
+ DDS_Security_DataHolder_deinit(token);
+}
+
+static bool
+validate_handshake_token(
+ DDS_Security_HandshakeMessageToken *token,
+ const DDS_Security_OctetSeq *challenge_1,
+ const DDS_Security_OctetSeq *challenge_2)
+{
+ const DDS_Security_BinaryProperty_t *property;
+
+ if (!token->class_id || strcmp(token->class_id, AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID) != 0) {
+ CU_FAIL("HandshakeMessageToken incorrect class_id");
+ } else if ((property = find_binary_property(token, "c.id")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.id' not found");
+ } else if (!valid_c_id_property(&identity_certificate[6], &property->value)) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.id' value is invalid");
+ } else if ((property = find_binary_property(token, "c.pdata")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.pdata' not found");
+ } else if ((property = find_binary_property(token, "c.dsign_algo")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.dsign_algo' not found");
+ } else if (!valid_string_value(AUTH_DSIGN_ALGO_RSA_NAME, &property->value)) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.dsign_algo' incorrect value");
+ } else if ((property = find_binary_property(token, "c.kagree_algo")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.kagree_algo' not found");
+ } else if (!valid_string_value(AUTH_KAGREE_ALGO_RSA_NAME, &property->value)) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.kagree_algo' incorrect value");
+ } else if ((property = find_binary_property(token, "hash_c2")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'hash_c2' not found");
+ } else if ((property = find_binary_property(token, "dh2")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'dh2' not found");
+ } else if ((property = find_binary_property(token, "hash_c1")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect
property 'hash_c1' not found");
+ } else if ((property = find_binary_property(token, "dh1")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'dh1' not found");
+ } else if ((property = find_binary_property(token, "challenge1")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'challenge1' not found");
+ } else if (challenge_1 && compare_octet_seq(challenge_1, &property->value) != 0) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'challenge1' incorrect value");
+ } else if ((property = find_binary_property(token, "challenge2")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'challenge2' not found");
+ } else if (challenge_2 && compare_octet_seq(challenge_2, &property->value) != 0) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'challenge2' incorrect value");
+ } else {
+ return true;
+ }
+
+ return false;
+}
+
+CU_Test(ddssec_builtin_validate_begin_handshake_reply, happy_day, .init = init_testcase, .fini = fini_testcase)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+
+ fill_handshake_message_token_default(&handshake_token_in, remote_participant_data1, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE);
+ CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT(validate_handshake_token(&handshake_token_out, &challenge2->value, NULL));
+
+ reset_exception(&exception);
+
+ success= auth->return_handshake_handle(auth, handshake_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+ handshake_message_deinit(&handshake_token_out);
+}
+
+CU_Test(ddssec_builtin_validate_begin_handshake_reply,future_challenge, .init = init_testcase, .fini = fini_testcase)
+
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+ fill_handshake_message_token_default(&handshake_token_in, remote_participant_data2, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if
(result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE);
+ CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT(validate_handshake_token(&handshake_token_out, &challenge2->value, &challenge1->value));
+
+ reset_exception(&exception);
+
+ success= auth->return_handshake_handle(auth, handshake_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+ handshake_message_deinit(&handshake_token_out);
+
+ future_challenge_done = true;
+}
+
+
+CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_arguments, .init = init_testcase, .fini = fini_testcase)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_OctetSeq serdata = DDS_SECURITY_SEQUENCE_INIT;
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+ fill_handshake_message_token_default(&handshake_token_in, remote_participant_data1, challenge1->value._buffer, challenge1->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ NULL,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+
&serialized_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ NULL,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ NULL,
+ remote_identity_handle1,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ 0,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ?
exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ 0,
+ &serialized_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+ NULL,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+ &serdata,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ?
exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+}
+
+
+CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_certificate, .init = init_testcase, .fini = fini_testcase)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+ fill_handshake_message_token(
+ &handshake_token_in, remote_participant_data1, unrelated_identity,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ?
exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ reset_exception(&exception);
+ handshake_message_deinit(&handshake_token_in);
+
+ fill_handshake_message_token(
+ &handshake_token_in, remote_participant_data1, NULL,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+}
+
+CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_participant_data , .init = init_testcase, .fini = fini_testcase)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_BinaryProperty_t *property;
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+ fill_handshake_message_token(
+ &handshake_token_in,
remote_participant_data3, remote_identity_certificate,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+
+ fill_handshake_message_token(
+ &handshake_token_in, remote_participant_data1, remote_identity_certificate,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length);
+
+ property = find_binary_property(&handshake_token_in, "c.pdata");
+ CU_ASSERT_FATAL(property != NULL);
+
+ ddsrt_free(property->name);
+ property->name = ddsrt_strdup("c.pdatax");
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ?
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); +} + + +CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_dsign_algo , .init = init_testcase, .fini = fini_testcase) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, remote_identity_certificate, + "RSASSA-PSS-SHA128", AUTH_KAGREE_ALGO_RSA_NAME, + dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result == DDS_SECURITY_VALIDATION_OK) { + printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, remote_identity_certificate, + NULL, AUTH_KAGREE_ALGO_RSA_NAME, + dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result == DDS_SECURITY_VALIDATION_OK) { + printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); +} + +CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_kagree_algo , .init = init_testcase, .fini = fini_testcase) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, 
remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, "DH+MODP-2048-128", + dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result == DDS_SECURITY_VALIDATION_OK) { + printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, NULL, + dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result == DDS_SECURITY_VALIDATION_OK) { + printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); +} + +CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_diffie_hellman , .init = init_testcase, .fini = fini_testcase) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME, + invalid_dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result == DDS_SECURITY_VALIDATION_OK) { + printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME, + NULL, 0, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result == DDS_SECURITY_VALIDATION_OK) { + printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); +} + +CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_challenge , .init = init_testcase, .fini = fini_testcase) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + fill_handshake_message_token_default(&handshake_token_in, remote_participant_data2, challenge2->value._buffer, 
challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle1, + local_identity_handle, + &serialized_participant_data, + &exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME, + dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge1->value._buffer, challenge1->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle1, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result == DDS_SECURITY_VALIDATION_OK) { + printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME, + dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, NULL, 0); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle1, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result == DDS_SECURITY_VALIDATION_OK) { + printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); +} + + +CU_Test(ddssec_builtin_validate_begin_handshake_reply,return_handle, .init = init_testcase, .fini = fini_testcase) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + fill_handshake_message_token_default(&handshake_token_in, remote_participant_data1, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle1, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT (handshake_handle != DDS_SECURITY_HANDLE_NIL); + + reset_exception(&exception); + + success = auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_handshake_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + reset_exception(&exception); + + success = auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT ( success == false ); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + if (!success) { + printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + +} + +/*TODO: test is waiting for Trusted CA parsing function */ + +#if(0) +CU _ Test(validate_begin_handshake_reply,extended_certificate_check ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + release_local_identity(); + release_remote_identities(); + + CU_ASSERT_FATAL( !validate_local_identity("trusted_ca_dir") ); + CU_ASSERT_FATAL( !validate_remote_identities( remote_identity_trusted ) ); + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, remote_identity_trusted, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME, + dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + 
local_identity_handle, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT(validate_handshake_token(&handshake_token_out, &challenge2->value, NULL)); + + reset_exception(&exception); + + success= auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + + release_local_identity(); + release_remote_identities(); + + CU_ASSERT_FATAL( !validate_local_identity("trusted_ca_dir") ); + CU_ASSERT_FATAL( !validate_remote_identities( remote_identity_untrusted ) ); + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, remote_identity_untrusted, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME, + dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT_FATAL( 
exception.code != 0 ); + + reset_exception(&exception); + + auth->return_handshake_handle(auth, handshake_handle, &exception); + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + reset_exception(&exception); + + + release_local_identity(); + release_remote_identities(); + + CU_ASSERT_FATAL( !validate_local_identity("trusted_ca_dir") ); + CU_ASSERT_FATAL( !validate_remote_identities( remote_identity_trusted_expired ) ); + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, remote_identity_trusted_expired, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME, + dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT_FATAL( exception.code != 0 ); + + reset_exception(&exception); + + + auth->return_handshake_handle(auth, handshake_handle, &exception); + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + reset_exception(&exception); +} +#endif diff --git a/src/security/builtin_plugins/tests/validate_begin_handshake_request/src/validate_begin_handshake_request_utests.c b/src/security/builtin_plugins/tests/validate_begin_handshake_request/src/validate_begin_handshake_request_utests.c new file mode 100644 index 0000000..5137565 --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_begin_handshake_request/src/validate_begin_handshake_request_utests.c 
@@ -0,0 +1,828 @@
+
+
+
+
+/* CUnit includes. */
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_serialize.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/string.h"
+#include
+#include
+#include "dds/ddsrt/environ.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "assert.h"
+
+
+/* Test helper includes. */
+#include "common/src/loader.h"
+
+/* Private header include */
+
+#include
+
+static const char * AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0";
+
+static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+
+static const char * PROPERTY_CERT_SUBJECT_NAME = "dds.cert.sn";
+static const char * PROPERTY_CERT_ALGORITHM = "dds.cert.algo";
+static const char * PROPERTY_CA_SUBJECT_NAME = "dds.ca.sn";
+static const char * PROPERTY_CA_ALGORITHM = "dds.ca.aglo";
+
+static const char * SUBJECT_NAME_IDENTITY_CERT = "CN=CHAM-574 client,O=Some Company,ST=Some-State,C=NL";
+static const char * SUBJECT_NAME_IDENTITY_CA = "CN=CHAM-574 authority,O=Some Company,ST=Some-State,C=NL";
+
+static const char * RSA_2048_ALGORITHM_NAME = "RSA-2048";
+
+static const char * AUTH_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+AuthReq";
+static const char * AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME = "future_challenge";
+
+static const char * AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Req";
+
+static const char * AUTH_DSIGN_ALGO_RSA_NAME = "RSASSA-PSS-SHA256";
+static const char * AUTH_KAGREE_ALGO_ECDH_NAME = "ECDH+prime256v1-CEUM";
+/* static const char * AUTH_KAGREE_ALGO_RSA_NAME = "DH+MODP-2048-256"; */
+
+
+
+static const char *identity_certificate =
+ "data:,-----BEGIN CERTIFICATE-----\n"
+ "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+ "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+ "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
+ "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+ "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+ "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+ "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
+ "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
+ "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
+ "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
+ "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
+ "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
+ "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
+ "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
+ "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
+ "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
+ "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
+ "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
+ "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
+ "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
+ "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
+ "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
+ "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
+ "-----END CERTIFICATE-----\n";
+
+
+static const char *identity_ca =
+ "data:,-----BEGIN CERTIFICATE-----\n"
+ "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+ "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+ "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
+ "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+ "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+ "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+ "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
+ "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
+ "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
+ "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
+ "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
+ "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
+ "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
+ "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
+ "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
+ "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
+ "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
+ "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
+ "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
+ "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
+ "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
+ "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
+ "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
+ "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
+ "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
+ "-----END CERTIFICATE-----\n";
+
+
+static const char *private_key =
+ "data:,-----BEGIN RSA PRIVATE KEY-----\n"
+ "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
+ "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
+ "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
+ "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
+ "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
+ "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
+ "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
+ "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
+ "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
+ "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
+ "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
+ "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
+ "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
+ "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
+ "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
+ "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
+ "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
+ "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
+ "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
+ "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
+ "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
+ "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
+ "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
+ "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
+ "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
+ "-----END RSA PRIVATE KEY-----\n";
+
+
+
+static struct plugins_hdl *plugins = NULL;
+static dds_security_authentication *auth = NULL;
+static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_IdentityHandle remote_identity_handle1 = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_IdentityHandle remote_identity_handle2 = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_AuthRequestMessageToken g_local_auth_request_token = DDS_SECURITY_TOKEN_INIT;
+static DDS_Security_AuthRequestMessageToken g_remote_auth_request_token = 
DDS_SECURITY_TOKEN_INIT;
+static const DDS_Security_BinaryProperty_t *challenge1 = NULL;
+static const DDS_Security_BinaryProperty_t *challenge2 = NULL;
+
+
+static void
+dds_security_property_init(
+ DDS_Security_PropertySeq *seq,
+ DDS_Security_unsigned_long size)
+{
+ seq->_length = size;
+ seq->_maximum = size;
+ seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+ memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void
+dds_security_property_deinit(
+ DDS_Security_PropertySeq *seq)
+{
+ uint32_t i;
+
+ for (i = 0; i < seq->_length; i++) {
+ ddsrt_free(seq->_buffer[i].name);
+ ddsrt_free(seq->_buffer[i].value);
+ }
+ ddsrt_free(seq->_buffer);
+}
+
+static void
+reset_exception(
+ DDS_Security_SecurityException *ex)
+{
+ ex->minor_code = 0;
+ ex->code = 0;
+ ddsrt_free(ex->message);
+ ex->message = NULL;
+}
+
+static void
+initialize_identity_token(
+ DDS_Security_IdentityToken *token,
+ const char *certAlgo,
+ const char *caAlgo)
+{
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+ token->properties._maximum = 4;
+ token->properties._length = 4;
+ token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+
+ token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CERT);
+ token->properties._buffer[0].propagate = true;
+
+ token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM);
+ token->properties._buffer[1].value = ddsrt_strdup(certAlgo);
+ token->properties._buffer[1].propagate = true;
+
+ token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME);
+ token->properties._buffer[2].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA);
+ token->properties._buffer[2].propagate = true;
+
+ token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM);
+ token->properties._buffer[3].value = ddsrt_strdup(caAlgo);
+ token->properties._buffer[3].propagate = true;
+}
+
+static void
+fill_auth_request_token(
+ DDS_Security_AuthRequestMessageToken *token)
+{
+ uint32_t i;
+ uint32_t len = 32;
+ unsigned char *challenge;
+
+ challenge = ddsrt_malloc(len);
+
+ for (i = 0; i < len; i++) {
+ challenge[i] = (unsigned char)(0xFF - i);
+ }
+
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID);
+ token->binary_properties._maximum = 1;
+ token->binary_properties._length = 1;
+ token->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(1);
+ token->binary_properties._buffer->name = ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+
+ token->binary_properties._buffer->value._maximum = len;
+ token->binary_properties._buffer->value._length = len;
+ token->binary_properties._buffer->value._buffer = challenge;
+}
+
+static const DDS_Security_BinaryProperty_t *
+find_binary_property(
+ DDS_Security_DataHolder *token,
+ const char *name)
+{
+ const DDS_Security_BinaryProperty_t *result = NULL;
+ uint32_t i;
+
+ for (i = 0; i < token->binary_properties._length && !result; i++) {
+ if (token->binary_properties._buffer[i].name && (strcmp(token->binary_properties._buffer[i].name, name) == 0)) {
+ result = &token->binary_properties._buffer[i];
+ }
+ }
+
+ return result;
+}
+
+
+static void
+deinitialize_identity_token(
+ DDS_Security_IdentityToken *token)
+{
+ DDS_Security_DataHolder_deinit(token);
+}
+
+static int
+validate_local_identity(void)
+{
+ int res = 0;
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GUID_t local_participant_guid;
+ DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+ DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1};
+
+ memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 3);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &local_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ res = -1;
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ return res;
+}
+
+static void
+release_local_identity(void)
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ if (local_identity_handle != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ }
+}
+
+static int
+validate_remote_identities (void)
+{
+ int res = 0;
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityToken remote_identity_token;
+ static DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_GUID_t remote_participant_guid1;
+ DDS_Security_GUID_t remote_participant_guid2;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix1 = {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab};
+ DDS_Security_GuidPrefix_t prefix2 = {0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb};
+ DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1};
+
+ memcpy(&remote_participant_guid1.prefix, &prefix1, sizeof(prefix1));
+ memcpy(&remote_participant_guid1.entityId, &entityId, sizeof(entityId));
+ memcpy(&remote_participant_guid2.prefix, &prefix2, sizeof(prefix2));
+ memcpy(&remote_participant_guid2.entityId, &entityId, sizeof(entityId));
+
+ if (local_identity_handle == DDS_SECURITY_HANDLE_NIL) {
+ return -1;
+ }
+
+ initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+
+ result = auth->validate_remote_identity(
+ auth,
+ &remote_identity_handle1,
+ &g_local_auth_request_token,
+ NULL,
+ local_identity_handle,
+ &remote_identity_token,
+ &remote_participant_guid1,
+ &exception);
+
+ if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) &&
+ (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) {
+ printf("validate_remote_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ reset_exception(&exception);
+
+ fill_auth_request_token(&g_remote_auth_request_token);
+
+ result = auth->validate_remote_identity(
+ auth,
+ &remote_identity_handle2,
+ &local_auth_request_token,
+ &g_remote_auth_request_token,
+ local_identity_handle,
+ &remote_identity_token,
+ &remote_participant_guid2,
+ &exception);
+
+ if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) &&
+ (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) {
+ printf("validate_remote_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ reset_exception(&exception);
+
+ deinitialize_identity_token(&remote_identity_token);
+ DDS_Security_DataHolder_deinit(&local_auth_request_token);
+
+ challenge1 = find_binary_property(&g_local_auth_request_token, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+ challenge2 = find_binary_property(&g_remote_auth_request_token, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+
+ return res;
+}
+
+static void
+release_remote_identities(void)
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ if (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, remote_identity_handle1, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ }
+ if (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, remote_identity_handle2, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ }
+
+ DDS_Security_DataHolder_deinit(&g_local_auth_request_token);
+ DDS_Security_DataHolder_deinit(&g_remote_auth_request_token);
+}
+
+static void
+fill_local_participant_data(
+ DDS_Security_OctetSeq *pdata,
+ uint32_t length)
+{
+ uint32_t i;
+
+ pdata->_length = pdata->_maximum = length;
+ pdata->_buffer = ddsrt_malloc(length);
+
+ for (i = 0; i < length; i++) {
+ pdata->_buffer[i] = (unsigned char)(i % 256);
+ }
+}
+
+static void
+release_local_participant_data(
+ DDS_Security_OctetSeq *pdata)
+{
+ if (pdata) {
+ ddsrt_free(pdata->_buffer);
+ }
+}
+
+CU_Init(ddssec_builtin_validate_begin_handshake_request)
+{
+ int res = 0;
+
+ /* Only need the authentication plugin. */
+ plugins = load_plugins(NULL /* Access Control */,
+ &auth /* Authentication */,
+ NULL /* Cryptograpy */);
+ if (plugins) {
+ res = validate_local_identity();
+ if (res >= 0) {
+ res = validate_remote_identities();
+ }
+ } else {
+ res = -1;
+ }
+
+ return res;
+}
+
+CU_Clean(ddssec_builtin_validate_begin_handshake_request)
+{
+ release_local_identity();
+ release_remote_identities();
+ unload_plugins(plugins);
+ return 0;
+}
+
+static bool
+compare_octet_seq(
+ const DDS_Security_OctetSeq *seq1,
+ const DDS_Security_OctetSeq *seq2)
+{
+ int r;
+ if (seq1 && seq2) {
+ r = (int)(seq2->_length - seq1->_length);
+ if (r == 0) {
+ r = memcmp(seq1->_buffer, seq2->_buffer, seq1->_length);
+ }
+ } else if (seq1 == seq2) {
+ r = 0;
+ } else {
+ r = (seq2 > seq1) ? 
1 : -1; + } + return r; +} + +static bool +valid_c_id_property( + const char *certificate, + const DDS_Security_OctetSeq *value) +{ + if (value->_length == 0) { + CU_FAIL("c.id has no value"); + return false; + } + if (strncmp(certificate, (const char *)value->_buffer, value->_length) != 0) { + return false; + } + return true; +} + +static bool +valid_string_value( + const char *expected, + const DDS_Security_OctetSeq *value) +{ + size_t len = strlen(expected) + 1; + + if (strncmp(expected, (const char *)value->_buffer, len) != 0) { + return false; + } + + return true; +} + + + +static bool +validate_handshake_token( + DDS_Security_HandshakeMessageToken *token, + const DDS_Security_OctetSeq *challenge) +{ + const DDS_Security_BinaryProperty_t *property; + + if (!token->class_id || strcmp(token->class_id, AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID) != 0) { + CU_FAIL("HandshakeMessageToken incorrect class_id"); + } else if ((property = find_binary_property(token, "c.id")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'c.id' not found"); + } else if (!valid_c_id_property(&identity_certificate[6], &property->value)) { + CU_FAIL("HandshakeMessageToken incorrect property 'c.id' value is invalid"); + } else if ((property = find_binary_property(token, "c.pdata")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'c.pdata' not found"); + } else if ((property = find_binary_property(token, "c.dsign_algo")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'c.dsign_algo' not found"); + } else if (!valid_string_value(AUTH_DSIGN_ALGO_RSA_NAME, &property->value)) { + CU_FAIL("HandshakeMessageToken incorrect property 'c.dsign_algo' incorrect value"); + } else if ((property = find_binary_property(token, "c.kagree_algo")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'c.kagree_algo' not found"); + } else if (!valid_string_value(AUTH_KAGREE_ALGO_ECDH_NAME, &property->value)) { + CU_FAIL("HandshakeMessageToken incorrect property 
'c.kagree_algo' incorrect value"); + } else if ((property = find_binary_property(token, "hash_c1")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'hash_c1' not found"); + } else if ((property = find_binary_property(token, "dh1")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'dh1' not found"); + } else if ((property = find_binary_property(token, "challenge1")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'challenge1' not found"); + } else if (challenge && compare_octet_seq(challenge, &property->value) != 0) { + CU_FAIL("HandshakeMessageToken incorrect property 'challenge1' incorrect value"); + } else { + return true; + } + + return false; +} + + + +CU_Test(ddssec_builtin_validate_begin_handshake_request,happy_day_challenge) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_OctetSeq local_participant_data; + DDS_Security_boolean success; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + + fill_local_participant_data(&local_participant_data, 82); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token, + local_identity_handle, + remote_identity_handle2, + &local_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT(validate_handshake_token(&handshake_token, NULL)); + + reset_exception(&exception); + + release_local_participant_data(&local_participant_data); + + success= auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + + DDS_Security_DataHolder_deinit(&handshake_token); +} + +CU_Test(ddssec_builtin_validate_begin_handshake_request,happy_day_future_challenge) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_OctetSeq local_participant_data; + DDS_Security_boolean success; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + + fill_local_participant_data(&local_participant_data, 82); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token, + local_identity_handle, + remote_identity_handle1, + &local_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT(validate_handshake_token(&handshake_token, &challenge1->value)); + + reset_exception(&exception); + + release_local_participant_data(&local_participant_data); + + success = auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + + DDS_Security_DataHolder_deinit(&handshake_token); +} + + +CU_Test(ddssec_builtin_validate_begin_handshake_request,invalid_arguments) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_OctetSeq local_participant_data; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + + fill_local_participant_data(&local_participant_data, 82); + + result = auth->begin_handshake_request( + auth, + NULL, + &handshake_token, + local_identity_handle, + remote_identity_handle1, + &local_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + NULL, + local_identity_handle, + remote_identity_handle1, + &local_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token, + 0x1234598, + remote_identity_handle1, + &local_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token, + local_identity_handle, + 0x1234598, + &local_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token, + local_identity_handle, + remote_identity_handle1, + NULL, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + release_local_participant_data(&local_participant_data); +} + +CU_Test(ddssec_builtin_validate_begin_handshake_request,return_handle) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_OctetSeq local_participant_data; + DDS_Security_boolean success; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + + fill_local_participant_data(&local_participant_data, 82); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token, + local_identity_handle, + remote_identity_handle2, + &local_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT (handshake_handle != DDS_SECURITY_HANDLE_NIL); + + reset_exception(&exception); + + release_local_participant_data(&local_participant_data); + + success = auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + + success = auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_FALSE (success); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + if (!success) { + printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + + DDS_Security_DataHolder_deinit(&handshake_token); +} diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/Alice_Test_2.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/Alice_Test_2.crt new file mode 100644 index 0000000..f5f77eb --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/Alice_Test_2.crt 
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEJTCCAw2gAwIBAgIBFzANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJOTDEL
+MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGjAYBgNVBAMTEUlkZW50
+aXR5IENBIFRlc3QyMSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0ZWNo
+LmNvbTAeFw0xODA3MjAwMDAwMDBaFw0yNzA3MTkyMzU5NTlaMG0xCzAJBgNVBAYT
+Ak5MMQswCQYDVQQIEwJPVjETMBEGA1UEChMKQURMaW5rIElTVDEUMBIGA1UEAxML
+QWxpY2UgVGVzdDIxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu
+Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Fb60RkFrDsRAIRf
+LMf2fsiRnw9Agp7yEbUsA4Zg4X+hRhBkk78fFtagLisWo4LbT4DqKzqQXCvVnOn9
+a6uT0KsVejk2iaLoBy0fotQznudio3rzDpTfzP9eRDFVj8RJnl3JJ8P1DULxH7N0
+TyDBuKZ1ibBfuKjPffqeCEzYKgAc8NG2FB4m6mXzHhXuKw6W2v0IbHz6KYldsavf
+04rq7ztw0t67bexSQ4gLSVJEwiohAregm0dLvQnap5xd2qn0yETteTL8Y+Ujym1D
+WAnwDdwA6+0j2a0wkyzOzYQpZMt95NyZ8kcoqEqO8KAN2HclqfjHlg9iDscbof5x
+45SQwwIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFL66FT0vnlFE
++PKrtV+KhJoLsCOWMB8GA1UdIwQYMBaAFIFGyWkPWvNkBD2SCYj9H+NfnlOLMA8G
+A1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYBBQUHAwEGCCsGAQUFBwMC
+BggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDCQYIKwYBBQUH
+Aw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEBCwUAA4IBAQCsBINpBXSp
+Xe3f5MMObeUXE2VhWZWIjMdDQRFDDjq6u1YR7rbffsCReiCX5zviU2dtVV8VN3MQ
+k7wp8qEDKwP1ToMIwZGwT4Hfwei1eueJ1vuotgiGe0Gm3otXlGsb0C5otnsu63MM
+OeFgkpZde3VpIqK9EmhgjWOD8TXc8Me7zBlYSEIaXkkwP0jAKRf5vFgz0WfE5ITx
+SDKUO0OrcN789flO/OKLAHZ4cqNcxNPkMz7h9VBSgRRRk115HEa8Fe46nl1YpwRG
+0urHlyAKoUV+J+I3Qy4+SwIDwix978hgGN3bKVyv9q0yAQRzpZ54EJOj4C7lNEpB
+roGVpY4yYP/B
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/Bob_Chain_Test.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/Bob_Chain_Test.crt
new file mode 100644
index 0000000..e980af3
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/Bob_Chain_Test.crt
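Review bot: The validity window of Alice_Test_2.crt appears to end in July 2027 (the encoded dates decode to 180720000000Z–270719235959Z; worth confirming with `openssl x509 -noout -dates`), so any test that validates this certificate will start failing on a calendar date. Bob_Chain_Test.crt, Identity_CA_Test2.crt and Identity_CA_Test_With_Chain.crt look the same, with end dates in June or July 2027, while identity_ca in the same directory appears to run to 2222. I would reissue these four with a similarly distant end date and record the commands used to generate them in a README next to the fixtures, so the suite does not break on its own and the certificates can be regenerated.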
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEJDCCAwygAwIBAgIBAzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJOTDEL
+MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxJDAiBgNVBAMTG0lkZW50
+aXR5IENBIFRlc3QgV2l0aCBDaGFpbjEmMCQGCSqGSIb3DQEJARYXaW5mb0Bpc3Qu
+YWRsaW5rdGVjaC5jb20wHhcNMTgwNjEzMDAwMDAwWhcNMjcwNjEwMjM1OTU5WjBw
+MQswCQYDVQQGEwJOTDELMAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1Qx
+FzAVBgNVBAMTDkJvYiBDaGFpbiBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlz
+dC5hZGxpbmt0ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMHm+qG5afCHFdmp98+Z+POB7vD3WhfghKVugh8FenewuPaaotKxiGAE0kCf8WXU
+5l4XDR3iBWJsGDHll1yOyL4KW9grwfnfiJMl82uIzKGDiRJbFkXVOLF/DcVLsuqM
+oRjlk09+nlrg/7xS96itgm6yueW/UOIXpo+ElCHwnrYnpuHHrYM0s7t1ls3QFSyd
+a3INx+LkM6N/b+veVJF95yfe4GvVBhFpLkWtX4xKgZyMjczvmZ6LVNNSnthPhlZF
+HmspQyqXrTnGyax3qyoloqh9ibDvAK5pUnzqlv/Dyyt110q3bXFR5A0wqfj0fqtp
+7Mw4TdTkFQy1n4/Y4EuT8I8CAwEAAaOBuzCBuDAdBgNVHQ4EFgQUQpxLPHT5o/GQ
+RwdBw2scINXnWlUwHwYDVR0jBBgwFoAUTVVCTRc4ST0XmE+EEsenSudwlwkwDwYD
+VR0PAQH/BAUDAwf/gDBlBgNVHSUBAf8EWzBZBggrBgEFBQcDAQYIKwYBBQUHAwIG
+CCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBggrBgEFBQcD
+DQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBAJwd60WigqbB
+/6CT0ekvXZdvIV5IaIKiy6KYU0/0ebPVXn0YKp9LQTE6lYCr6hZUcEjBfkFBZhAy
+KJJOb2sUXAnYqnX/mIipiNb7oHsCHxVCKAwEcmxsS3tGl2CXgpKL8EQQFKJgSrC/
+uzhf2QESQ0T5Mgni1jXXGf6SAwFAjk+mAM9bMdrtLOX39e5aKrgpZOHmdFke+m/K
+upxP/M0/omTNNQaSfWDmfDvpdsRD9+mFG12Kzgpue2jut1qeICvSmcQsu2OBYG/Q
+ZXMx8e8azoX0KB+njf826UcVgDkDmfwN9taOU2lFsmZAvYhpIslNwtH/Htu3zJWO
+vQxyIh+kxFQ=
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test2.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test2.crt
new file mode 100644
index 0000000..592eea3
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test2.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEKzCCAxOgAwIBAgIBFjANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJOTDEL
+MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGjAYBgNVBAMTEUlkZW50
+aXR5IENBIFRlc3QyMSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0ZWNo
+LmNvbTAeFw0xODA3MjAwMDAwMDBaFw0yNzA3MTkyMzU5NTlaMHMxCzAJBgNVBAYT
+Ak5MMQswCQYDVQQIEwJPVjETMBEGA1UEChMKQURMaW5rIElTVDEaMBgGA1UEAxMR
+SWRlbnRpdHkgQ0EgVGVzdDIxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlu
+a3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyIweDOdB
+xotexcDiUdbIdDLu9A6/KSpkxUJnYb2iRhBonmCNFvErEokso/Dga6QT3rg83UCg
+GMJBSJSZhq/j+eZweHoXS8Ccet/aF2iNj5A5Uhn476M3zMg+rCoos2yKlpZLOz1x
+QjrRJfeOoBHvkHkxBeupnnQPx4oAro7zoXMIO83NKLwCROC/kGq1ktW8fbKa5THQ
+z0QfZG3zAeD93N+dTAqA+jkCfzbrQepF243Tu4cLaGwVALZ/8cZ7sky8+OOmKnBU
+P9r+U/4L62DVJYnYkTGnYEwqXcM1b8/JHasmKEaHXgAu/UI5i/SZfRPZUyC1ERSv
+tX6k7sBxZZSPLQIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIFG
+yWkPWvNkBD2SCYj9H+NfnlOLMB8GA1UdIwQYMBaAFIFGyWkPWvNkBD2SCYj9H+Nf
+nlOLMA8GA1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYBBQUHAwEGCCsG
+AQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDCQYI
+KwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEBCwUAA4IBAQCK
+SkemYQIvsslkMc8PNHSk2om4xk7hUXkatAZPN9dvRravu3PJqMWxpQ0TWbddrkBL
+he7/ARC2G9vVUwQl2b8K1Rjt/nZ3j+NPvhCDzcPyxjornyN8IG1NJQVH18fTxR23
+6PvDBE0H2trA3WJgKo6Wlxo6CHWts8ulFWWXBE1nNQw30hU49FDsFn3nz6Gry4ti
+/ouAvbz+UXSsT9R+zkci3A394sEsOCZSStgAnXsejU45pCt6OtCGaLfDvEPp21az
+OEjuIaj6Kbd+MHeLyPoe+d1Bkl39OnAUEJ8q2HdwvIg2ZqP6h0agm5gpZo/ALDWn
+9P3owIGVsHFGkYqhHc+K
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test_With_Chain.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test_With_Chain.crt
new file mode 100644
index 0000000..35506b8
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test_With_Chain.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENDCCAxygAwIBAgIBAjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL
+MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50
+aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu
+Y29tMB4XDTE4MDYxMzAwMDAwMFoXDTI3MDYxMDIzNTk1OVowfTELMAkGA1UEBhMC
+TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMSQwIgYDVQQDExtJ
+ZGVudGl0eSBDQSBUZXN0IFdpdGggQ2hhaW4xJjAkBgkqhkiG9w0BCQEWF2luZm9A
+aXN0LmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA1r8Q0V8ZVeBs8tPMF0N+JlBynl1Zn/89vwSsU4m7y6ixUcW/y3r12CMeA0cH
+g6yOaOdHsZ8pRlPRwy9YmeOwLsMOUHAURP2uPiTjSf3pttUIf0jv602GyirNzoS7
+7mHiyTtV80ZMzZlLIJ3gaJJlG4DjitFuFcjv8sOmviFjkn1kOjkAz1nKgsCiHvvg
+fcJlYPrtLfle9SzvZ3MTq4ob+/EFu9nt5bYYs7p7Br1TGWctUw98l2mSn/FhfDBw
+9bb7ZhcKB7W6PGy2Os5AnkdTJKHoOQT+RmnHzPBhab0BoKuy8IhfW2GyqC8rL5Tm
+/UVLUvnx4Zzqz//3IyA2FTb1HQIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYD
+VR0OBBYEFE1VQk0XOEk9F5hPhBLHp0rncJcJMB8GA1UdIwQYMBaAFER4R6N3MQ1W
+l7gn+R8wwHloDCVZMA8GA1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYB
+BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggr
+BgEFBQcDCQYIKwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEB
+CwUAA4IBAQCbl7ed4p66G6WquxO7ceZFvYKn3kDErjCfXHcqHxBnA2xTpoZCGj95
+Qpirqo6N4UcLX5sn3CmgyVk0dYvlti/53FJgZ9XQDNxBuEYWPkY7vO+Uo0WdYpGz
+ZDNIUQpiPMA7bHvwKldTIs77xxtnw9kbBU2k0xQyb2tdZNfD5YqSI1MeUtpEpNFW
+sbC8+mQ3clzWpjF8eHH1fFSAmlJ+z1Uqmtt2FK0vRz+MQcpydwvpMnfqGdcwhGPQ
+X4HZreLObjBA8KUEkUB3+rZXuELBgkk/c8/jRZl7QF5jJDLQCCLg7KoYBKN2GuTt
+/dzeSnP7VZm/nTL8wpCvKgSOwOGgklf2
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/alice.pem b/src/security/builtin_plugins/tests/validate_local_identity/etc/alice.pem
new file mode 100644
index 0000000..07a5977
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/alice.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA0Fb60RkFrDsRAIRfLMf2fsiRnw9Agp7yEbUsA4Zg4X+hRhBk
+k78fFtagLisWo4LbT4DqKzqQXCvVnOn9a6uT0KsVejk2iaLoBy0fotQznudio3rz
+DpTfzP9eRDFVj8RJnl3JJ8P1DULxH7N0TyDBuKZ1ibBfuKjPffqeCEzYKgAc8NG2
+FB4m6mXzHhXuKw6W2v0IbHz6KYldsavf04rq7ztw0t67bexSQ4gLSVJEwiohAreg
+m0dLvQnap5xd2qn0yETteTL8Y+Ujym1DWAnwDdwA6+0j2a0wkyzOzYQpZMt95NyZ
+8kcoqEqO8KAN2HclqfjHlg9iDscbof5x45SQwwIDAQABAoIBAG0dYPeqd0IhHWJ7
+8azufbchLMN1pX/D51xG2uptssfnpHuhkkufSZUYi4QipRS2ME6PYhWJ8pmTi6lH
+E6cUkbI0KGd/F4U2gPdhNrR9Fxwea5bbifkVF7Gx/ZkRjZJiZ3w9+mCNTQbJDKhh
+wITAzzT6WYznhvqbzzBX1fTa6kv0GAQtX7aHKM+XIwkhX2gzU5TU80bvH8aMrT05
+tAMGQqkUeRnpo0yucBl4VmTZzd/+X/d2UyXR0my15jE5iH5o+p+E6qTRE9D+MGUd
+MQ6Ftj0Untqy1lcog1ZLL6zPlnwcD4jgY5VCYDgvabnrSwymOJapPLsAEdWdq+U5
+ec44BMECgYEA/+3qPUrd4XxA517qO3fCGBvf2Gkr7w5ZDeATOTHGuD8QZeK0nxPl
+CWhRjdgkqo0fyf1cjczL5XgYayo+YxkO1Z4RUU+8lJAHlVx9izOQo+MTQfkwH4BK
+LYlHxMoHJwAOXXoE+dmBaDh5xT0mDUGU750r763L6EFovE4qRBn9hxkCgYEA0GWz
+rpOPNxb419WxG9npoQYdCZ5IbmEOGDH3ReggVzWHmW8sqtkqTZm5srcyDpqAc1Gu
+paUveMblEBbU+NFJjLWOfwB5PCp8jsrqRgCQSxolShiVkc3Vu3oyzMus9PDge1eo
+9mwVGO7ojQKWRu/WVAakENPaAjeyyhv4dqSNnjsCgYEAlwe8yszqoY1k8+U0T0G+
+HeIdOCXgkmOiNCj+zyrLvaEhuS6PLq1b5TBVqGJcSPWdQ+MrglbQIKu9pUg5ptt7
+wJ5WU+i9PeK9Ruxc/g/BFKYFkFJQjtZzb+nqm3wpul8zGwDN/O/ZiTqCyd3rHbmM
+/dZ/viKPCZHIEBAEq0m3LskCgYBndzcAo+5k8ZjWwBfQth5SfhCIp/daJgGzbYtR
+P/BenAsY2KOap3tjT8Fsw5usuHSxzIojX6H0Gvu7Qzq11mLn43Q+BeQrRQTWeFRc
+MQdy4iZFZXNNEp7dF8yE9VKHwdgSJPGUdxD6chMvf2tRCN6mlS171VLV6wVvZvez
+H/vX5QKBgD2Dq/NHpjCpAsECP9awmNF5Akn5WJbRGmegwXIih2mOtgtYYDeuQyxY
+ZCrdJFfIUjUVPagshEmUklKhkYMYpzy2PQDVtaVcm6UNFroxT5h+J+KDs1LN1H8G
+LsASrzyAg8EpRulwXEfLrWKiu9DKv8bMEgO4Ovgz8zTKJZIFhcac
+-----END RSA PRIVATE KEY-----
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/bob.pem b/src/security/builtin_plugins/tests/validate_local_identity/etc/bob.pem
new file mode 100644
index 0000000..cf62cc3
--- /dev/null
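Review bot: alice.pem is an unencrypted RSA private key committed to the repository, and the same holds for bob.pem, ec_private_key, ec_private_key_unsupported and identity_ca_private_key in the later hunks; once published these keys are known to everyone, and the CA key in particular lets anyone issue certificates that chain to identity_ca. Nothing in the directory marks the files as fixtures, so I would add a short README in `etc/` stating `Test-only key material, published with the source: never configure these certificates or keys as an identity or trust anchor outside the unit tests`. It is also worth checking that the install and packaging rules (not visible in this diff) do not ship this directory, and adding a path-scoped allow-list entry for whatever secret scanner the project runs so these known findings do not mask a real leak later.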
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/bob.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAweb6oblp8IcV2an3z5n484Hu8PdaF+CEpW6CHwV6d7C49pqi
+0rGIYATSQJ/xZdTmXhcNHeIFYmwYMeWXXI7Ivgpb2CvB+d+IkyXza4jMoYOJElsW
+RdU4sX8NxUuy6oyhGOWTT36eWuD/vFL3qK2CbrK55b9Q4hemj4SUIfCetiem4cet
+gzSzu3WWzdAVLJ1rcg3H4uQzo39v695UkX3nJ97ga9UGEWkuRa1fjEqBnIyNzO+Z
+notU01Ke2E+GVkUeaylDKpetOcbJrHerKiWiqH2JsO8ArmlSfOqW/8PLK3XXSrdt
+cVHkDTCp+PR+q2nszDhN1OQVDLWfj9jgS5PwjwIDAQABAoIBAHfgWhED9VgL29le
+uGMzmPLK4LM+6Qcb+kXghTeyhl1a928WeRVzRpG+SVJEz9QaBHYlICnaY2PO2kJ2
+49YIPFkpRFDn9JuLs/7tFonj4Eb2cBbWE3YG9W7e0t+oBiv1117yB9m8uSAMPG7s
+iEpTQvE3M7CzT8kHwCS4XXCCN0z7LqKyZ1heScjdfhV3D2TnFFjdtQ/9KfQa3hIc
+6ftbpi4EKbfasspyqfrJ/cqjHzse9iEXLOZJhs+atBAKe/uJ4Hc3LRPbX4MPniAp
+JJrldXFK9p+HILlbXvu+5n+DSGbZmT1x9a/E9suGyoJiASDH2Ax4yCVTi+v8C1R2
+aKdU1LkCgYEA/3dFuM6zIHwiJ0GKT0gtJL6J3m+i51SNcRIm8deXt6HULMpUNajj
+vZ1bgQm/h+uRBlPV3swkaVxvPTIabOTY4gmCBSzvVCSIAKHVc/+5Nkl9KruwSq4G
+tctmXZ7ymMDi+6QGCJTJkAx6jptXyrzC00HOjXOwyQ+iDipqgr3A8FsCgYEAwk7B
+2/hi569EIHFRT6nz/JMqQVPZ/MJDKoKhffTbnjQ5OAzpiVN6cyThMM1iVJEBFNhx
+OEacy60Qj0TtR1oYrQSRSLm58TTxiuB4Pohbmg3iU+kSM/eTq/ups/Ul1oCs2eAb
+POfweD3c4d4i7sN8bUNQXehiE4MOlK9TYQy39t0CgYAJht0mwy6S644qgJsz0bE9
+SY3Cqc8daV3M9axWIIAb7QEImpMBXUcA7zlWWpK18ub5oW68XEiPVU8grRmnLfGY
+nFoo70ANlz8rJt3a8ZJqn9r3GQC+CDdf2DH9E8xgPfE5CSjgcQwDPzPi1ZA0k02A
+q1eUltfk55xXguVt8r2bOQKBgQC7+kldr1yv20VDRZ1uPnMGRLE6Zg6bkqw78gid
+vEbDNK6uZP+BlTr/LgyVk/yu52Fucz6FPPrvqEw+7mXHA4ifya1r+BHFIn0S57os
+dOp5jTkKCI9NqxQ3683vhRjH/dA7L63qLFDdYqvP74FID+LOKbMURn6rdbyjZ0J4
+vz8yGQKBgHIzcKlQosRxf+KptOPMGRs30L9PnH+sNmTo2SmEzAGkBkt1msGRh/2l
+uT3hOEhUXL9knRyXwQSXgrIwr9QwI5rGS5FAgX26TgBtPBDs2NuyyhhS5yxsiEPT
+BR+EjQFW9dzRkpRJgvsG4DcNAhFn7fQqFNcWXgFWuBXmGNkdtEGR
+-----END RSA PRIVATE KEY-----
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_ca
new file mode 100644
index 0000000..cfd24b6
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_ca
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICEDCCAbegAwIBAgIJAPOifu8ejrRRMAoGCCqGSM49BAMCMGUxCzAJBgNVBAYT
+Ak5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVjaG5v
+bG9neSBCLlYuMSAwHgYDVQQDDBdDSEFNXzU3MCBDQSBjZXJ0aWZpY2F0ZTAeFw0x
+OTAyMTgxMDQwMTZaFw00NjA3MDYxMDQwMTZaMGUxCzAJBgNVBAYTAk5MMRMwEQYD
+VQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVjaG5vbG9neSBCLlYu
+MSAwHgYDVQQDDBdDSEFNXzU3MCBDQSBjZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABMXCYXBHEryADoYXMEE0Jw9aHlA7p3KVFzuypxuez0n7rKoX
+k9kanNtrw5o2X4WSWKM7zkH4I6AU7xSAQgJN+8GjUDBOMB0GA1UdDgQWBBR1Llq9
+zrRrTJLSvUJykksncZ+HsDAfBgNVHSMEGDAWgBR1Llq9zrRrTJLSvUJykksncZ+H
+sDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIHKRM3VeB2F7z3nJT752
+gY5mNdj91ulmNX84TXA7UHNKAiA2ytpsV4OKURHkjyn1gnW48JDKtHGZF6/tMNvX
+VrDITA==
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate
new file mode 100644
index 0000000..5c29b6e
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate
@@ -0,0 +1,50 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4096 (0x1000) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C=NL, ST=Some-State, O=ADLINK Technology B.V., CN=CHAM_570 CA certificate + Validity + Not Before: Feb 18 10:52:41 2019 GMT + Not After : Jul 6 10:52:41 2046 GMT + Subject: C=NL, ST=Some-State, O=ADLINK Technology B.V., CN=CHAM_570 Identity certificate + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:9d:b5:7b:f5:fe:63:da:24:e4:0c:26:c5:32:55: + 55:b3:7f:7a:60:ea:0d:56:2c:0a:85:e0:5b:85:5a: + 01:1b:69:fc:23:79:98:33:d6:60:d5:d9:ab:1e:1d: + 7a:1e:c2:5f:ad:30:9b:73:45:40:39:d9:07:f7:59: + 8d:44:f6:6b:e3 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Basic Constraints: + CA:false + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + C6:68:7E:D7:20:B3:51:4B:D4:50:54:26:12:86:BE:9B:EA:55:A1:EA + X509v3 Authority Key Identifier: + keyid:75:2E:5A:BD:CE:B4:6B:4C:92:D2:BD:42:72:92:4B:27:71:9F:87:B0 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:b2:a7:be:fb:0b:d4:e2:87:b0:2c:c9:b8:fa: + 10:b0:18:4b:dc:6a:bc:58:55:e8:22:46:93:d8:b1:5b:50:17: + 77:02:20:2a:cf:42:10:fc:7e:02:39:37:44:4a:cf:9b:a3:9a: + 55:cb:15:2d:12:86:06:7e:d4:b8:24:7a:57:13:48:b5:69 +-----BEGIN CERTIFICATE----- +MIICOzCCAeGgAwIBAgICEAAwCgYIKoZIzj0EAwIwZTELMAkGA1UEBhMCTkwxEzAR +BgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2d5IEIu +Vi4xIDAeBgNVBAMMF0NIQU1fNTcwIENBIGNlcnRpZmljYXRlMB4XDTE5MDIxODEw +NTI0MVoXDTQ2MDcwNjEwNTI0MVowazELMAkGA1UEBhMCTkwxEzARBgNVBAgMClNv +bWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2d5IEIuVi4xJjAkBgNV +BAMMHUNIQU1fNTcwIElkZW50aXR5IGNlcnRpZmljYXRlMFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAEnbV79f5j2iTkDCbFMlVVs396YOoNViwKheBbhVoBG2n8I3mY +M9Zg1dmrHh16HsJfrTCbc0VAOdkH91mNRPZr46N7MHkwCQYDVR0TBAIwADAsBglg +hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O 
+BBYEFMZoftcgs1FL1FBUJhKGvpvqVaHqMB8GA1UdIwQYMBaAFHUuWr3OtGtMktK9
+QnKSSydxn4ewMAoGCCqGSM49BAMCA0gAMEUCIQCyp777C9Tih7Asybj6ELAYS9xq
+vFhV6CJGk9ixW1AXdwIgKs9CEPx+Ajk3RErPm6OaVcsVLRKGBn7UuCR6VxNItWk=
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate_unsupported b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate_unsupported
new file mode 100644
index 0000000..220abcf
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate_unsupported
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICFTCCAbygAwIBAgICEAEwCgYIKoZIzj0EAwIwWjELMAkGA1UEBhMCTkwxEzAR
+BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
+IEx0ZDETMBEGA1UEAwwKQ0hBTTUwMF9DQTAeFw0xODAyMTkxMDMyMjRaFw0xOTAy
+MTkxMDMyMjRaMGExCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAYBgNVBAMMEUNIQU01
+NjkgdW5zdXAga2V5MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEKt3HYPnDlEOS
+zYqTzT2patyreLHN2Jty22KXwjaNAjgrwujdPr+MW38DsyBF5Yn9o3sweTAJBgNV
+HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
+Y2F0ZTAdBgNVHQ4EFgQUG9MuQz3W/AKA98AyOKhI2af9I+0wHwYDVR0jBBgwFoAU
+ACsYsaEsZfjfRVrj0IBmcsncVyMwCgYIKoZIzj0EAwIDRwAwRAIgfhisahVmgghI
+GaaQavdKHpM/OTVODZPzYjky6Am+z08CIBidnuuznXrZtr78oy/tAES/7Lz8P5Iw
+Q1y5Vo8CdXQQ
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key
new file mode 100644
index 0000000..214e2dd
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgP3SnBXzcCc0uUEiG
+0CPNdcV0hBewOnVoh4d9q9E5U5ihRANCAASdtXv1/mPaJOQMJsUyVVWzf3pg6g1W
+LAqF4FuFWgEbafwjeZgz1mDV2aseHXoewl+tMJtzRUA52Qf3WY1E9mvj
+-----END PRIVATE KEY-----
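Review bot: ec_identity_certificate_unsupported appears to be expired already: its validity decodes to 180219103224Z–190219103224Z, a one-year window ending 19 February 2019 (confirm with `openssl x509 -noout -dates`). If the test that loads it expects rejection because of the unsupported key type, the plugin may now reject it for the date instead, and that test would keep passing even if the key-type check regressed. I would reissue it with a long validity like ec_identity_certificate in the same directory (Not After 2046) and have the test assert the specific exception code for the unsupported key rather than only DDS_SECURITY_VALIDATION_FAILED.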
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_unsupported b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_unsupported
new file mode 100644
index 0000000..421d9a3
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_unsupported
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MG8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEVTBTAgEBBBh8p6kwBS7jT86ctN33
+Vs4vosHh7upPZBWhNAMyAAQq3cdg+cOUQ5LNipPNPalq3Kt4sc3Ym3LbYpfCNo0C
+OCvC6N0+v4xbfwOzIEXlif0=
+-----END PRIVATE KEY-----
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_w_password b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_w_password
new file mode 100644
index 0000000..f1f6e13
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_w_password
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,11055B75D406068EB1FF850646228EA9
+
+GUnwN8e2gvUkopN3ak+2dK1dSTSKSJguers3h5C+qQDq57By933ijCCjUTu2LY/F
+ERH6m8UD6H5ij/QDsXLx6tH/dFQ7An+Zao3eD2N2zquGED/OfTQJFv3gBKs4RUtg
+66dfuv9mNSXt7Rnu9uBNtodm5JGifczdmIPHn0mNY2g=
+-----END EC PRIVATE KEY-----
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca
new file mode 100644
index 0000000..7e2675c
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE +BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp +ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx +MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k +ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz +2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf +zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB +pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL +FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME +BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW +gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB +Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME +BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK +KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI +KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU +AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI +hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s +iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC +LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm +geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t +Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd +sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca_private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca_private_key new file mode 100644 index 0000000..eb4f6fc --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca_private_key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAuhWt04Xi/lK3WQqfRoVP9lm53j9rf2r1Gt5rsA7bT8XiNl1P +ZGYwUfeZgF5nuEj1x5OfmAzd9fQKiI3t6Coc5Mv54Lyh9hpKCSmMVp7gwXzBB3VY +s9kPf8bKNmbx+dLpMFmtKX8dvxFVdcEcXkHEXf1FX6tykyYsxtDPPJjmLxhAMNyx +X83n+5NWgrjqH0Jgby7pFLnXGKTM38hxae5UKlOAnK60eUbZn4lH61n3Ri3mtojw +waSYDfBEjjMBB7TkxAQ3JWJx/S+Lewh0M/n110uSFhbAyvXwjEI58Q7A1Xjazc02 +CxWmazIPUuiFEAhLEFrJ6ucHkvKJjqVS1JvZJQIDAQABAoIBAFktMHtw60J0A3fB +dmkGVDa78y4F+I88g6/XrYXW6NUHAQyKlRSJQFjXrpFtLImNNXPqVA47BFftFusw +ETY0kFo5QkuoOnnFSXuwlJeiVhWDosHfQ54UxK+4ZYnCte3CXIwWPbzoNSoutWTU +IbMuE1vzlz5s3GCWZ9jzkoz4vT8NrkucEQ2sxvAVWk2//SoQljN+b4BLDdsWl3Bq +l+9JR2EzROXrPH5voYUZV17LbnCOmU+6ucxlGu704oqLJBxtNyYKsSEh4KMo4lX4 +bOZVSct3LXifj5BQmF9vbi5FiJqFGtoY4iBw0IUq05CJ4nsQuW1ZLucXaw1tBRKn +S1l/C0ECgYEA9zWVLQtWGrOZ7we7dTbF5ghZ541NjR9NmBFET5lNRU5yDG0poRdh +WD2qioGJigV6ZaEoXny0jFqqqqPM5S/sDRtoicK+XlFuhURw0CZCAsisjVhCDGXU ++FJRbR+As7NFvb/9itvNE+PD4p39UXObePzM9JnlHSP7Ml0KdJqcQHUCgYEAwLOp +Sp9k0CbFy/lQCSBbBiiu6ol/OxSzOBuZsFIbV8ILcn8v5NWdrcArssJBMdLTIaHN +nrTxKOOAzFnPW6DeRmWM/NnwizB/a6uo34q6ywmXmgFSQPX86XTVZCdD96nNik0C +KaEY2SqJxrnYstVApWRJAwy7T2jxJEj0aEZBH/ECgYEAmYyTuyXWdsFl9N2lp1m9 +NHOtfDD9oZF2/eSDvLlpEIp4NpW7jM7b7RZojp2FU9CxRN0EGSR2dNOAPHt/sj/A +7CdBGIh4/FayQl7Pf8qzp80DuMvAQrkhvphK8W/m3jeVMxZEovKCAD+yFVmy1dvs +DwtfNvM8J4yI47B85Q5/zV0CgYArxGKN/VfjYvsH0e9Ys02ZP4JC6MnJ/HCcLMCi +aHOnYf5BmhuhqNbwULZcGny+OTkU6XAPPN+NPubRAxDyqb3yVTxJbaKRqok2Rj3L +z/GPDfWt1+D7uiMgTxXscnKgfKOfZtA37kv7fwrd5PYP4BmXtwhSNgERDy+94wgH +6vT9sQKBgBqsTsdDmBmKLQM/JzQC2AeQo0/ZFZIXdsiCShMbo2XALlaxZDYDu1it +M/zkpmWmHncrBnnW3h6ME1ZZj2HGTowDuJvQqR7cZW5jWY3uLpOnEAGeOoKPhfOP +IW2pVPZXq3Zl1yn86oG7C7poPRq0PRu+q2HtHP6/M0NgtGBx8F9M +-----END RSA PRIVATE KEY----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate new file mode 100644 index 0000000..6d3379d --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE +BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp +ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy +MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v +gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD +3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk +ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox +qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn +ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH +/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI +KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE +AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB +gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK +KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID +BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7 +Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG +yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE +I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35 +iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl +nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA== +-----END CERTIFICATE----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate_1024key b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate_1024key new file mode 100644 index 0000000..9384833 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate_1024key @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrjCCAZYCCQDn8i4K9c4ErjANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjE2MTAy +MzM2WhcNMjMwODA5MTAyMzM2WjBXMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYD +VQQDDAdDSEFNNTY5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS5w0h8L70 +hkreKchVbTzfz4CrBLY4iADNSqPx9uW7DxjeHyLbKT2eRViY/xPuPXQmfRim01QM +sZWKvFr6k9WMsJ6ItNtCyKS/beONqvXOddIu+4IhNzEGs5v4pTJAOzraoZcVmXnf +Mr9G/baMYfMG47JR5HaSHDI5esa2STHt4wIDAQABMA0GCSqGSIb3DQEBCwUAA4IB +AQBdZ2ijHYH8TkOGBqzsNwnNwPaDb/NA0vAO9T5kSOm8HA8vKHnNza+DeUJN+5P/ +P4fLK7UZqpQN32MpvXL0068g99RLjAzAsEVn+0FTyc08r9p/KO/dxxdMKeET7Cpv +rMpu3W0A/EJptCQsTEZI0iqts7T2qQVXzoDlnUwEt3xdmKYJ9jbEq1UUCeexD3nP +LB+JtUtfGevVzIoBjHv0qA3ePA24jDUlx5bxFeoIDC4tEewvUG5ZekftsRdNe3fk +3LkwyK+4NN1ZCa2+S5SOAfjZA2o6qXiq/le0vWRgl7AHEgDr6w7xoRsw4K5dQ+0R +eKtsBC4XO1GqrNYdKuJb1MhI +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_ca new file mode 100644 index 0000000..b7b7678 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_ca 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDljCCAn6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UEBhMCTkwx +EzARBgNVBAgMCk92ZXJpanNzZWwxEDAOBgNVBAcMB0hlbmdlbG8xDzANBgNVBAoM +BkFETElOSzEYMBYGA1UEAwwPQ0hBTTUwMCBSb290IENBMB4XDTE4MDIwOTE2Mjky +MVoXDTI4MDIwNzE2MjkyMVowVTELMAkGA1UEBhMCTkwxEzARBgNVBAgMCk92ZXJp +anNzZWwxDzANBgNVBAoMBkFETElOSzEgMB4GA1UEAwwXQ0hBTTUwMCBJbnRlcm1l +ZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwucuU/L6N +iYxYJ7tyzcdzwXwYbr4GynZE4u2Sd7hcXrQGxTotm9BEhOZWscSGvH+UJSp0Vrb4 +3zDppiJ76ys6PeSBw1PpxdO97fO+eAE5DoXRj0a9lmnjbsV6waZ2GxgYQNVmKqbI +uPDfW+jsmRcTO94s05GWQshHeiqxuEUAv3/Qe2vOhulrg4YDcXrIDWK93cr1EmRX +Eq3Ck+Fjwtk5wAk3TANv2XQkVfS80jYAurL8J+XC2kyYB7e8KO92zqlfVXXMC3NI +YDcq86bAI4NNMjVE2zIVheMLoOEXaV7KUTYfEQABZl76aWLDxjED9kf371tcrZzJ +6xZ1M/rPGNblAgMBAAGjZjBkMB0GA1UdDgQWBBQngrlZqhQptCR4p04zqHamYUx7 +RTAfBgNVHSMEGDAWgBQrLYI+RHJtx1Pze8MSZbhaOful1DASBgNVHRMBAf8ECDAG +AQH/AgEAMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEAfMmiQ0tv +o3K3xwSS621tsfkijUTx920hAe1XYY2XKrG7a/MJBhStex5A3AfqPOY9UMihkBl9 +3hgxOaddX9SAf2eLk2JLhqxZi1U/GVzT5h10AKLA5WUXIK4UGz3JRqhEm7V39t/N +G0LCdpWOZueezkfO6eGcAvOKthdd32a3zbn+rzzDHdsjzxhEEv8d8x1Xf4xH2dgk +HlpmpvXMfG/1aCzIpWGEPdkB7WR694GiCmh7hnFBiY+h1GFj2l5dThd51QqAlncM +u+NmlPCrFZL0ulwRFeo80KOwDpxkqgavDlP9irdWqM9VHybjGu0xFHCeElz9M6od +ym/MCh4ax7jDxg== +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_certificate new file mode 100644 index 0000000..453f1fd --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_certificate 
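Review bot: None of the `invalid_*` fixtures records what makes it invalid, so a later regeneration can silently change what the negative tests exercise. From the content, `invalid_identity_ca` appears to be an intermediate CA from a different chain, and `invalid_identity_certificate` shows `VTQD` in its issuer name where the sibling certificates have `VQQD`. `invalid_private_key` has body lines of irregular length, which suggests deliberate hand-corruption. A README beside the files with one line per fixture would keep the intent reviewable, e.g. `invalid_identity_certificate: issuer field corrupted on purpose; validation against identity_ca must fail` (exact wording for the author to confirm).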
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVTQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw +NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD +VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo +97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M +aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr +A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg +XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629 +V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr +ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT +liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD// +UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9 +3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt +988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359 +ihiEkx9zFUnPrdA= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_private_key new file mode 100644 index 0000000..2672622 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_private_key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0Z5zZ1dz2a22cI8ZPnZEHDt6St8DL6AzQBzz4k310Vdioyx8 +bLiu8Ffhjx5l6Pe26LerwcTUDe4X8aAyy/igTvbN1fvDl+pTqxe4UOvuv6fRIEaM +jRqNtXiMxsHNjGiQCoyJjTGzOxQ074ZN7vlU0ybZZyryTNbYJ3GxGcES64v9jBAu +V0vzuRUE+AFz6wOm0XBjKglWLUNHIusHdfD3oAP60phkkX/0zneI2V5MXxw/mDpB +3Mcc/bF+Cp8joF2ZvIw3QXO68Yg3qfJCIy9OlbMyXqEK8Y7n/HDWbW6Jf+xAkuWj +NmDse7dA3P+tvVdkOcGkVQVecVQidAc1IfKyBQIDAQABAoIBAEddUpzUQTTS11Hq +5gVF7lpORYxH8KW+PLSPJtjdAduLjKAQ++tn1OcuhDRdfQSbkUIZhfgqMqerb6tr +ht+6fZlknR9E34pQ1LtjD/U83cOSNrhuTFudtrEZoZPpVzl+P8vXnNzdFs/+SSdi +6hV5/U8F4u4kyOkwG9cR9eF2wiI+oQ/RBKCXUo3OVs9K27A/OkKsb7coL7yBsgBj +lzorS9a/DyHT2eiMKjwCZFyG4A66EkLi6t9JLJ8oTkI2WskXYeVEAbEXE57RWm44 +2OgTgfsgYgf2ftXq93KD17FN1m77dqp7EPAhjGnRHNq7+0Ykr1EO1nbDfqHG4gS+4o +lfP8iwECgYEA58da0R34l93yQnK0mAtoobwvsOjADnBVhBg9L4s2eDs8liUjf0zt +7hcMdUJaa7iMuNf3qGtnZtRURc3kSOE429Or7fCAYUr/AaA7+2ekPG1vjMb50tVv +se5rwb1hvgMYe2L5ktJJAg+RcmqpY+ncJ+hP/vWwZRxUKvXba50qqEkCgYEA54ZE +mJfSueGM/63xlhP71CM4OWtTqkQGp2OmgTOsBI5q/GUXr8vMR8sCEMHAc6HyXzmL +x/RnAoa/vTX58rXBk0QjfO9esIHa452697EIaJu5w8skCLDv2e/f+Jg7o/IDyUZs +5lqhiEuH9Qc3sx2nhnSYXMZWqwh8OchI7dCSE90CgYEAzrJ1JhpxUJYI7wM2VIWQ +GPQnH8BhTj8VtEidgCHJQK2rGUcjgepMIVECtiunUXtyW4GWBedKfmSKhvnXRLs9 +pqT9JaOeCaYFBiEsfMZvqUY4e/YSYtge1PIHvO40FWzTT23zneDUZPcXQY8nYsfy +otBFTt0yIumBkhJRTIYLvakCgYA+CcttvBj6OAcJJ/n5RgeP05QoRqsXj7zcs6YV +LtxkKClg0lHjiE+H2U0HYnOISJfijk/3V3UWxzavo7wDHlLtfC+qNZYA4/rcTRKh +dm2TYk8HuPJB5e+PTWiNe3VXu+zpzRY3L4fjNqIKtVFmjIasT6fYDEmC8PYgoZtx +JhdOfQKBgCD/bDkc+VI6lwQtoQQKiSfQjKGe+6Cw9K/obzWO0uJwBvZrGLXF8tTc +MOPIv9OILt7DYxpMXAiHv8HtzH5CFVrZ/nj63Soka/j2yvUdBDrGhyIbsc4pDu+ +lCFa0ZiT/u5vRAiOkM6GuStH4HxnW9LtwBtiYXtfU7IPExJiAlsq +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/new/CHAM-577.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/CHAM-577.crt new file mode 100644 index 0000000..3b30c97 --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/CHAM-577.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEPTCCAyWgAwIBAgIIRmtzSKaI+rowDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE +BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp +ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDMy +MzEyMDEwMFoYDzIyMjIwMjIyMjIyMjAwWjBYMQswCQYDVQQGEwJOTDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MREwDwYDVQQDEwhDSEFNLTU3NzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMKlWGK8f/AEjK7viu9CdydJmorKyk3oK8PWmZX3B+3k8eFW32NXv2+BK5vk +sAOhEcCAV2/125iAGvXs5vq5GshjgHXwJysKOFBwLiCPHzLaOX095ib6pgPejjgV +gGsGrRAKetCAqxv+pf1n4zD9VSLDrnHrxbzvosQdBCgSBPiTFK5qDAGhVGR48Pp9 +gAqZPhdLfH47S/6scRJNywoXrIxp2CnuHd4fVvyQlPNLHwlX1nOr76bGOjGqFsFU +/mcPN7aGFIh4KQK9KvHt5+SApLgBBdrn9njgaIC7VN9ddSp2Jz2vHAPR52dqM0SW +dl7uyOiT/TK6q8f7aFKqk29r/OkCAwEAAaOCAQAwgf0wDAYDVR0PBAUDAwf/gDCB +7AYDVR0lBIHkMIHhBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEF +BQcDBAYIKwYBBQUHAwgGCisGAQQBgjcCARUGCisGAQQBgjcCARYGCisGAQQBgjcK +AwEGCisGAQQBgjcKAwMGCisGAQQBgjcKAwQGCWCGSAGG+EIEAQYLKwYBBAGCNwoD +BAEGCCsGAQUFBwMFBggrBgEFBQcDBgYIKwYBBQUHAwcGCCsGAQUFCAICBgorBgEE +AYI3FAICBggrBgEFBQcDCQYIKwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0G +CSqGSIb3DQEBCwUAA4IBAQAniERWU9f/ijm9t8xuyOujEKDJl0Ded4El9mM5UYPR +ZSnabPNKQjABBS4sVISIYVwfQxGkPgK0MeMBKqs/kWsZ4rp8h5hlZvxFX8H148mo +3apNgdc/VylDBW5Ltbrypn/dZh9hFZE8Y/Uvo9HPksVEkjYuFN5v7e8/mwxTcrZ1 +BAZrTlDTiCR046NN1lUs/7oUaNCruFV7AU6RbGYnSzM6plPJHMRa9nzNeO0uPaHK +kNPe+/UGpMi7cpF9w0M5Z1wW+Nq45bBRejFLQkHSjOEeGL2zi7T1HFAHZQydd6Wo +zYffGTmyHqIjNArbOWEMYN6s1nqsQS+ifolr0MtfeHad +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca new file mode 100644 index 0000000..7e2675c --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE +BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp +ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx +MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k +ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz +2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf +zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB +pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL +FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME +BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW +gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB +Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME +BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK +KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI +KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU +AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI +hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s +iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC +LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm +geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t +Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd +sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca_private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca_private_key new file mode 100644 index 0000000..eb4f6fc --- /dev/null 
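Review bot: `new/identity_ca` is byte-identical to `etc/identity_ca` (both blobs are `7e2675c`), and the same duplication shows for `new/identity_ca_private_key` (`eb4f6fc`) and `new/identity_certificate` (`6d3379d`). Keeping two copies of a CA certificate and its key means any later regeneration has to touch both, and a partial update would leave tests validating against mismatched material. I would keep one copy and point the tests that need the `new/` layout at it, or state beside the files why the copies have to exist.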
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca_private_key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAuhWt04Xi/lK3WQqfRoVP9lm53j9rf2r1Gt5rsA7bT8XiNl1P +ZGYwUfeZgF5nuEj1x5OfmAzd9fQKiI3t6Coc5Mv54Lyh9hpKCSmMVp7gwXzBB3VY +s9kPf8bKNmbx+dLpMFmtKX8dvxFVdcEcXkHEXf1FX6tykyYsxtDPPJjmLxhAMNyx +X83n+5NWgrjqH0Jgby7pFLnXGKTM38hxae5UKlOAnK60eUbZn4lH61n3Ri3mtojw +waSYDfBEjjMBB7TkxAQ3JWJx/S+Lewh0M/n110uSFhbAyvXwjEI58Q7A1Xjazc02 +CxWmazIPUuiFEAhLEFrJ6ucHkvKJjqVS1JvZJQIDAQABAoIBAFktMHtw60J0A3fB +dmkGVDa78y4F+I88g6/XrYXW6NUHAQyKlRSJQFjXrpFtLImNNXPqVA47BFftFusw +ETY0kFo5QkuoOnnFSXuwlJeiVhWDosHfQ54UxK+4ZYnCte3CXIwWPbzoNSoutWTU +IbMuE1vzlz5s3GCWZ9jzkoz4vT8NrkucEQ2sxvAVWk2//SoQljN+b4BLDdsWl3Bq +l+9JR2EzROXrPH5voYUZV17LbnCOmU+6ucxlGu704oqLJBxtNyYKsSEh4KMo4lX4 +bOZVSct3LXifj5BQmF9vbi5FiJqFGtoY4iBw0IUq05CJ4nsQuW1ZLucXaw1tBRKn +S1l/C0ECgYEA9zWVLQtWGrOZ7we7dTbF5ghZ541NjR9NmBFET5lNRU5yDG0poRdh +WD2qioGJigV6ZaEoXny0jFqqqqPM5S/sDRtoicK+XlFuhURw0CZCAsisjVhCDGXU ++FJRbR+As7NFvb/9itvNE+PD4p39UXObePzM9JnlHSP7Ml0KdJqcQHUCgYEAwLOp +Sp9k0CbFy/lQCSBbBiiu6ol/OxSzOBuZsFIbV8ILcn8v5NWdrcArssJBMdLTIaHN +nrTxKOOAzFnPW6DeRmWM/NnwizB/a6uo34q6ywmXmgFSQPX86XTVZCdD96nNik0C +KaEY2SqJxrnYstVApWRJAwy7T2jxJEj0aEZBH/ECgYEAmYyTuyXWdsFl9N2lp1m9 +NHOtfDD9oZF2/eSDvLlpEIp4NpW7jM7b7RZojp2FU9CxRN0EGSR2dNOAPHt/sj/A +7CdBGIh4/FayQl7Pf8qzp80DuMvAQrkhvphK8W/m3jeVMxZEovKCAD+yFVmy1dvs +DwtfNvM8J4yI47B85Q5/zV0CgYArxGKN/VfjYvsH0e9Ys02ZP4JC6MnJ/HCcLMCi +aHOnYf5BmhuhqNbwULZcGny+OTkU6XAPPN+NPubRAxDyqb3yVTxJbaKRqok2Rj3L +z/GPDfWt1+D7uiMgTxXscnKgfKOfZtA37kv7fwrd5PYP4BmXtwhSNgERDy+94wgH +6vT9sQKBgBqsTsdDmBmKLQM/JzQC2AeQo0/ZFZIXdsiCShMbo2XALlaxZDYDu1it +M/zkpmWmHncrBnnW3h6ME1ZZj2HGTowDuJvQqR7cZW5jWY3uLpOnEAGeOoKPhfOP +IW2pVPZXq3Zl1yn86oG7C7poPRq0PRu+q2HtHP6/M0NgtGBx8F9M +-----END RSA PRIVATE KEY----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_certificate new file mode 100644 index 0000000..6d3379d --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_certificate @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE +BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp +ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy +MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v +gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD +3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk +ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox +qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn +ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH +/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI +KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE +AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB +gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK +KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID +BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7 +Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG +yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE +I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35 +iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl +nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA== +-----END CERTIFICATE----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/new/private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/private_key
new file mode 100644
index 0000000..06f57d1
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/private_key
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf +Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m +JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM +AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv +psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c +A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx +m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK +GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+ +BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2 +iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw +Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i +2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y +T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6 +D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB +Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG +eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ +2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV +0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt +O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+ +pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba +VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k +X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD +NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc +nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi +w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk= +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Alice_Test_2.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Alice_Test_2.crt new file mode 100644 index 0000000..f5f77eb --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Alice_Test_2.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEJTCCAw2gAwIBAgIBFzANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGjAYBgNVBAMTEUlkZW50 +aXR5IENBIFRlc3QyMSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0ZWNo +LmNvbTAeFw0xODA3MjAwMDAwMDBaFw0yNzA3MTkyMzU5NTlaMG0xCzAJBgNVBAYT +Ak5MMQswCQYDVQQIEwJPVjETMBEGA1UEChMKQURMaW5rIElTVDEUMBIGA1UEAxML +QWxpY2UgVGVzdDIxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Fb60RkFrDsRAIRf +LMf2fsiRnw9Agp7yEbUsA4Zg4X+hRhBkk78fFtagLisWo4LbT4DqKzqQXCvVnOn9 +a6uT0KsVejk2iaLoBy0fotQznudio3rzDpTfzP9eRDFVj8RJnl3JJ8P1DULxH7N0 +TyDBuKZ1ibBfuKjPffqeCEzYKgAc8NG2FB4m6mXzHhXuKw6W2v0IbHz6KYldsavf +04rq7ztw0t67bexSQ4gLSVJEwiohAregm0dLvQnap5xd2qn0yETteTL8Y+Ujym1D +WAnwDdwA6+0j2a0wkyzOzYQpZMt95NyZ8kcoqEqO8KAN2HclqfjHlg9iDscbof5x +45SQwwIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFL66FT0vnlFE ++PKrtV+KhJoLsCOWMB8GA1UdIwQYMBaAFIFGyWkPWvNkBD2SCYj9H+NfnlOLMA8G +A1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYBBQUHAwEGCCsGAQUFBwMC +BggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDCQYIKwYBBQUH +Aw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEBCwUAA4IBAQCsBINpBXSp +Xe3f5MMObeUXE2VhWZWIjMdDQRFDDjq6u1YR7rbffsCReiCX5zviU2dtVV8VN3MQ +k7wp8qEDKwP1ToMIwZGwT4Hfwei1eueJ1vuotgiGe0Gm3otXlGsb0C5otnsu63MM +OeFgkpZde3VpIqK9EmhgjWOD8TXc8Me7zBlYSEIaXkkwP0jAKRf5vFgz0WfE5ITx +SDKUO0OrcN789flO/OKLAHZ4cqNcxNPkMz7h9VBSgRRRk115HEa8Fe46nl1YpwRG +0urHlyAKoUV+J+I3Qy4+SwIDwix978hgGN3bKVyv9q0yAQRzpZ54EJOj4C7lNEpB +roGVpY4yYP/B +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Bob_Chain_Test.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Bob_Chain_Test.crt new file mode 100644 index 0000000..e980af3 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Bob_Chain_Test.crt 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEJDCCAwygAwIBAgIBAzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxJDAiBgNVBAMTG0lkZW50 +aXR5IENBIFRlc3QgV2l0aCBDaGFpbjEmMCQGCSqGSIb3DQEJARYXaW5mb0Bpc3Qu +YWRsaW5rdGVjaC5jb20wHhcNMTgwNjEzMDAwMDAwWhcNMjcwNjEwMjM1OTU5WjBw +MQswCQYDVQQGEwJOTDELMAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1Qx +FzAVBgNVBAMTDkJvYiBDaGFpbiBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlz +dC5hZGxpbmt0ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMHm+qG5afCHFdmp98+Z+POB7vD3WhfghKVugh8FenewuPaaotKxiGAE0kCf8WXU +5l4XDR3iBWJsGDHll1yOyL4KW9grwfnfiJMl82uIzKGDiRJbFkXVOLF/DcVLsuqM +oRjlk09+nlrg/7xS96itgm6yueW/UOIXpo+ElCHwnrYnpuHHrYM0s7t1ls3QFSyd +a3INx+LkM6N/b+veVJF95yfe4GvVBhFpLkWtX4xKgZyMjczvmZ6LVNNSnthPhlZF +HmspQyqXrTnGyax3qyoloqh9ibDvAK5pUnzqlv/Dyyt110q3bXFR5A0wqfj0fqtp +7Mw4TdTkFQy1n4/Y4EuT8I8CAwEAAaOBuzCBuDAdBgNVHQ4EFgQUQpxLPHT5o/GQ +RwdBw2scINXnWlUwHwYDVR0jBBgwFoAUTVVCTRc4ST0XmE+EEsenSudwlwkwDwYD +VR0PAQH/BAUDAwf/gDBlBgNVHSUBAf8EWzBZBggrBgEFBQcDAQYIKwYBBQUHAwIG +CCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBggrBgEFBQcD +DQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBAJwd60WigqbB +/6CT0ekvXZdvIV5IaIKiy6KYU0/0ebPVXn0YKp9LQTE6lYCr6hZUcEjBfkFBZhAy +KJJOb2sUXAnYqnX/mIipiNb7oHsCHxVCKAwEcmxsS3tGl2CXgpKL8EQQFKJgSrC/ +uzhf2QESQ0T5Mgni1jXXGf6SAwFAjk+mAM9bMdrtLOX39e5aKrgpZOHmdFke+m/K +upxP/M0/omTNNQaSfWDmfDvpdsRD9+mFG12Kzgpue2jut1qeICvSmcQsu2OBYG/Q +ZXMx8e8azoX0KB+njf826UcVgDkDmfwN9taOU2lFsmZAvYhpIslNwtH/Htu3zJWO +vQxyIh+kxFQ= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test2.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test2.crt new file mode 100644 index 0000000..592eea3 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test2.crt 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKzCCAxOgAwIBAgIBFjANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGjAYBgNVBAMTEUlkZW50 +aXR5IENBIFRlc3QyMSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0ZWNo +LmNvbTAeFw0xODA3MjAwMDAwMDBaFw0yNzA3MTkyMzU5NTlaMHMxCzAJBgNVBAYT +Ak5MMQswCQYDVQQIEwJPVjETMBEGA1UEChMKQURMaW5rIElTVDEaMBgGA1UEAxMR +SWRlbnRpdHkgQ0EgVGVzdDIxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlu +a3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyIweDOdB +xotexcDiUdbIdDLu9A6/KSpkxUJnYb2iRhBonmCNFvErEokso/Dga6QT3rg83UCg +GMJBSJSZhq/j+eZweHoXS8Ccet/aF2iNj5A5Uhn476M3zMg+rCoos2yKlpZLOz1x +QjrRJfeOoBHvkHkxBeupnnQPx4oAro7zoXMIO83NKLwCROC/kGq1ktW8fbKa5THQ +z0QfZG3zAeD93N+dTAqA+jkCfzbrQepF243Tu4cLaGwVALZ/8cZ7sky8+OOmKnBU +P9r+U/4L62DVJYnYkTGnYEwqXcM1b8/JHasmKEaHXgAu/UI5i/SZfRPZUyC1ERSv +tX6k7sBxZZSPLQIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIFG +yWkPWvNkBD2SCYj9H+NfnlOLMB8GA1UdIwQYMBaAFIFGyWkPWvNkBD2SCYj9H+Nf +nlOLMA8GA1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYBBQUHAwEGCCsG +AQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDCQYI +KwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEBCwUAA4IBAQCK +SkemYQIvsslkMc8PNHSk2om4xk7hUXkatAZPN9dvRravu3PJqMWxpQ0TWbddrkBL +he7/ARC2G9vVUwQl2b8K1Rjt/nZ3j+NPvhCDzcPyxjornyN8IG1NJQVH18fTxR23 +6PvDBE0H2trA3WJgKo6Wlxo6CHWts8ulFWWXBE1nNQw30hU49FDsFn3nz6Gry4ti +/ouAvbz+UXSsT9R+zkci3A394sEsOCZSStgAnXsejU45pCt6OtCGaLfDvEPp21az +OEjuIaj6Kbd+MHeLyPoe+d1Bkl39OnAUEJ8q2HdwvIg2ZqP6h0agm5gpZo/ALDWn +9P3owIGVsHFGkYqhHc+K +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test_With_Chain.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test_With_Chain.crt new file mode 100644 index 0000000..35506b8 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test_With_Chain.crt 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENDCCAxygAwIBAgIBAjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50 +aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMB4XDTE4MDYxMzAwMDAwMFoXDTI3MDYxMDIzNTk1OVowfTELMAkGA1UEBhMC +TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMSQwIgYDVQQDExtJ +ZGVudGl0eSBDQSBUZXN0IFdpdGggQ2hhaW4xJjAkBgkqhkiG9w0BCQEWF2luZm9A +aXN0LmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA1r8Q0V8ZVeBs8tPMF0N+JlBynl1Zn/89vwSsU4m7y6ixUcW/y3r12CMeA0cH +g6yOaOdHsZ8pRlPRwy9YmeOwLsMOUHAURP2uPiTjSf3pttUIf0jv602GyirNzoS7 +7mHiyTtV80ZMzZlLIJ3gaJJlG4DjitFuFcjv8sOmviFjkn1kOjkAz1nKgsCiHvvg +fcJlYPrtLfle9SzvZ3MTq4ob+/EFu9nt5bYYs7p7Br1TGWctUw98l2mSn/FhfDBw +9bb7ZhcKB7W6PGy2Os5AnkdTJKHoOQT+RmnHzPBhab0BoKuy8IhfW2GyqC8rL5Tm +/UVLUvnx4Zzqz//3IyA2FTb1HQIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYD +VR0OBBYEFE1VQk0XOEk9F5hPhBLHp0rncJcJMB8GA1UdIwQYMBaAFER4R6N3MQ1W +l7gn+R8wwHloDCVZMA8GA1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYB +BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggr +BgEFBQcDCQYIKwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEB +CwUAA4IBAQCbl7ed4p66G6WquxO7ceZFvYKn3kDErjCfXHcqHxBnA2xTpoZCGj95 +Qpirqo6N4UcLX5sn3CmgyVk0dYvlti/53FJgZ9XQDNxBuEYWPkY7vO+Uo0WdYpGz +ZDNIUQpiPMA7bHvwKldTIs77xxtnw9kbBU2k0xQyb2tdZNfD5YqSI1MeUtpEpNFW +sbC8+mQ3clzWpjF8eHH1fFSAmlJ+z1Uqmtt2FK0vRz+MQcpydwvpMnfqGdcwhGPQ +X4HZreLObjBA8KUEkUB3+rZXuELBgkk/c8/jRZl7QF5jJDLQCCLg7KoYBKN2GuTt +/dzeSnP7VZm/nTL8wpCvKgSOwOGgklf2 +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/alice.pem b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/alice.pem new file mode 100644 index 0000000..07a5977 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/alice.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0Fb60RkFrDsRAIRfLMf2fsiRnw9Agp7yEbUsA4Zg4X+hRhBk +k78fFtagLisWo4LbT4DqKzqQXCvVnOn9a6uT0KsVejk2iaLoBy0fotQznudio3rz +DpTfzP9eRDFVj8RJnl3JJ8P1DULxH7N0TyDBuKZ1ibBfuKjPffqeCEzYKgAc8NG2 +FB4m6mXzHhXuKw6W2v0IbHz6KYldsavf04rq7ztw0t67bexSQ4gLSVJEwiohAreg +m0dLvQnap5xd2qn0yETteTL8Y+Ujym1DWAnwDdwA6+0j2a0wkyzOzYQpZMt95NyZ +8kcoqEqO8KAN2HclqfjHlg9iDscbof5x45SQwwIDAQABAoIBAG0dYPeqd0IhHWJ7 +8azufbchLMN1pX/D51xG2uptssfnpHuhkkufSZUYi4QipRS2ME6PYhWJ8pmTi6lH +E6cUkbI0KGd/F4U2gPdhNrR9Fxwea5bbifkVF7Gx/ZkRjZJiZ3w9+mCNTQbJDKhh +wITAzzT6WYznhvqbzzBX1fTa6kv0GAQtX7aHKM+XIwkhX2gzU5TU80bvH8aMrT05 +tAMGQqkUeRnpo0yucBl4VmTZzd/+X/d2UyXR0my15jE5iH5o+p+E6qTRE9D+MGUd +MQ6Ftj0Untqy1lcog1ZLL6zPlnwcD4jgY5VCYDgvabnrSwymOJapPLsAEdWdq+U5 +ec44BMECgYEA/+3qPUrd4XxA517qO3fCGBvf2Gkr7w5ZDeATOTHGuD8QZeK0nxPl +CWhRjdgkqo0fyf1cjczL5XgYayo+YxkO1Z4RUU+8lJAHlVx9izOQo+MTQfkwH4BK +LYlHxMoHJwAOXXoE+dmBaDh5xT0mDUGU750r763L6EFovE4qRBn9hxkCgYEA0GWz +rpOPNxb419WxG9npoQYdCZ5IbmEOGDH3ReggVzWHmW8sqtkqTZm5srcyDpqAc1Gu +paUveMblEBbU+NFJjLWOfwB5PCp8jsrqRgCQSxolShiVkc3Vu3oyzMus9PDge1eo +9mwVGO7ojQKWRu/WVAakENPaAjeyyhv4dqSNnjsCgYEAlwe8yszqoY1k8+U0T0G+ +HeIdOCXgkmOiNCj+zyrLvaEhuS6PLq1b5TBVqGJcSPWdQ+MrglbQIKu9pUg5ptt7 +wJ5WU+i9PeK9Ruxc/g/BFKYFkFJQjtZzb+nqm3wpul8zGwDN/O/ZiTqCyd3rHbmM +/dZ/viKPCZHIEBAEq0m3LskCgYBndzcAo+5k8ZjWwBfQth5SfhCIp/daJgGzbYtR +P/BenAsY2KOap3tjT8Fsw5usuHSxzIojX6H0Gvu7Qzq11mLn43Q+BeQrRQTWeFRc +MQdy4iZFZXNNEp7dF8yE9VKHwdgSJPGUdxD6chMvf2tRCN6mlS171VLV6wVvZvez +H/vX5QKBgD2Dq/NHpjCpAsECP9awmNF5Akn5WJbRGmegwXIih2mOtgtYYDeuQyxY +ZCrdJFfIUjUVPagshEmUklKhkYMYpzy2PQDVtaVcm6UNFroxT5h+J+KDs1LN1H8G +LsASrzyAg8EpRulwXEfLrWKiu9DKv8bMEgO4Ovgz8zTKJZIFhcac +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/bob.pem b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/bob.pem new file mode 100644 index 0000000..cf62cc3 --- /dev/null 
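Review bot: `alice.pem` is an unencrypted RSA private key with nothing in the file saying it is a test fixture, and the same holds for `bob.pem`, `ec_private_key`, `private_key`, `private_key_1024` and `private_key_not_matching` later in this commit. Secret scanners and anyone searching the tree will see live-looking key material, so I would put a plain-text line ahead of the armor, e.g. `Test fixture for validate_local_identity - never use outside the test suite`; `ec_identity_certificate` in this commit already carries text before its `-----BEGIN` line, which suggests (not verified here) that the loader tolerates it. A path-scoped allowlist entry for `src/security/builtin_plugins/tests/` in whatever secret scanning the project runs, plus a check that these files are excluded from install and packaging rules, would keep the exception narrow.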
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/bob.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAweb6oblp8IcV2an3z5n484Hu8PdaF+CEpW6CHwV6d7C49pqi +0rGIYATSQJ/xZdTmXhcNHeIFYmwYMeWXXI7Ivgpb2CvB+d+IkyXza4jMoYOJElsW +RdU4sX8NxUuy6oyhGOWTT36eWuD/vFL3qK2CbrK55b9Q4hemj4SUIfCetiem4cet +gzSzu3WWzdAVLJ1rcg3H4uQzo39v695UkX3nJ97ga9UGEWkuRa1fjEqBnIyNzO+Z +notU01Ke2E+GVkUeaylDKpetOcbJrHerKiWiqH2JsO8ArmlSfOqW/8PLK3XXSrdt +cVHkDTCp+PR+q2nszDhN1OQVDLWfj9jgS5PwjwIDAQABAoIBAHfgWhED9VgL29le +uGMzmPLK4LM+6Qcb+kXghTeyhl1a928WeRVzRpG+SVJEz9QaBHYlICnaY2PO2kJ2 +49YIPFkpRFDn9JuLs/7tFonj4Eb2cBbWE3YG9W7e0t+oBiv1117yB9m8uSAMPG7s +iEpTQvE3M7CzT8kHwCS4XXCCN0z7LqKyZ1heScjdfhV3D2TnFFjdtQ/9KfQa3hIc +6ftbpi4EKbfasspyqfrJ/cqjHzse9iEXLOZJhs+atBAKe/uJ4Hc3LRPbX4MPniAp +JJrldXFK9p+HILlbXvu+5n+DSGbZmT1x9a/E9suGyoJiASDH2Ax4yCVTi+v8C1R2 +aKdU1LkCgYEA/3dFuM6zIHwiJ0GKT0gtJL6J3m+i51SNcRIm8deXt6HULMpUNajj +vZ1bgQm/h+uRBlPV3swkaVxvPTIabOTY4gmCBSzvVCSIAKHVc/+5Nkl9KruwSq4G +tctmXZ7ymMDi+6QGCJTJkAx6jptXyrzC00HOjXOwyQ+iDipqgr3A8FsCgYEAwk7B +2/hi569EIHFRT6nz/JMqQVPZ/MJDKoKhffTbnjQ5OAzpiVN6cyThMM1iVJEBFNhx +OEacy60Qj0TtR1oYrQSRSLm58TTxiuB4Pohbmg3iU+kSM/eTq/ups/Ul1oCs2eAb +POfweD3c4d4i7sN8bUNQXehiE4MOlK9TYQy39t0CgYAJht0mwy6S644qgJsz0bE9 +SY3Cqc8daV3M9axWIIAb7QEImpMBXUcA7zlWWpK18ub5oW68XEiPVU8grRmnLfGY +nFoo70ANlz8rJt3a8ZJqn9r3GQC+CDdf2DH9E8xgPfE5CSjgcQwDPzPi1ZA0k02A +q1eUltfk55xXguVt8r2bOQKBgQC7+kldr1yv20VDRZ1uPnMGRLE6Zg6bkqw78gid +vEbDNK6uZP+BlTr/LgyVk/yu52Fucz6FPPrvqEw+7mXHA4ifya1r+BHFIn0S57os +dOp5jTkKCI9NqxQ3683vhRjH/dA7L63qLFDdYqvP74FID+LOKbMURn6rdbyjZ0J4 +vz8yGQKBgHIzcKlQosRxf+KptOPMGRs30L9PnH+sNmTo2SmEzAGkBkt1msGRh/2l +uT3hOEhUXL9knRyXwQSXgrIwr9QwI5rGS5FAgX26TgBtPBDs2NuyyhhS5yxsiEPT +BR+EjQFW9dzRkpRJgvsG4DcNAhFn7fQqFNcWXgFWuBXmGNkdtEGR +-----END RSA PRIVATE KEY----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_ca new file mode 100644 index 0000000..cfd24b6 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_ca @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICEDCCAbegAwIBAgIJAPOifu8ejrRRMAoGCCqGSM49BAMCMGUxCzAJBgNVBAYT +Ak5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVjaG5v +bG9neSBCLlYuMSAwHgYDVQQDDBdDSEFNXzU3MCBDQSBjZXJ0aWZpY2F0ZTAeFw0x +OTAyMTgxMDQwMTZaFw00NjA3MDYxMDQwMTZaMGUxCzAJBgNVBAYTAk5MMRMwEQYD +VQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVjaG5vbG9neSBCLlYu +MSAwHgYDVQQDDBdDSEFNXzU3MCBDQSBjZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABMXCYXBHEryADoYXMEE0Jw9aHlA7p3KVFzuypxuez0n7rKoX +k9kanNtrw5o2X4WSWKM7zkH4I6AU7xSAQgJN+8GjUDBOMB0GA1UdDgQWBBR1Llq9 +zrRrTJLSvUJykksncZ+HsDAfBgNVHSMEGDAWgBR1Llq9zrRrTJLSvUJykksncZ+H +sDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIHKRM3VeB2F7z3nJT752 +gY5mNdj91ulmNX84TXA7UHNKAiA2ytpsV4OKURHkjyn1gnW48JDKtHGZF6/tMNvX +VrDITA== +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate new file mode 100644 index 0000000..5c29b6e --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate 
@@ -0,0 +1,50 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4096 (0x1000) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C=NL, ST=Some-State, O=ADLINK Technology B.V., CN=CHAM_570 CA certificate + Validity + Not Before: Feb 18 10:52:41 2019 GMT + Not After : Jul 6 10:52:41 2046 GMT + Subject: C=NL, ST=Some-State, O=ADLINK Technology B.V., CN=CHAM_570 Identity certificate + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:9d:b5:7b:f5:fe:63:da:24:e4:0c:26:c5:32:55: + 55:b3:7f:7a:60:ea:0d:56:2c:0a:85:e0:5b:85:5a: + 01:1b:69:fc:23:79:98:33:d6:60:d5:d9:ab:1e:1d: + 7a:1e:c2:5f:ad:30:9b:73:45:40:39:d9:07:f7:59: + 8d:44:f6:6b:e3 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Basic Constraints: + CA:false + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + C6:68:7E:D7:20:B3:51:4B:D4:50:54:26:12:86:BE:9B:EA:55:A1:EA + X509v3 Authority Key Identifier: + keyid:75:2E:5A:BD:CE:B4:6B:4C:92:D2:BD:42:72:92:4B:27:71:9F:87:B0 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:b2:a7:be:fb:0b:d4:e2:87:b0:2c:c9:b8:fa: + 10:b0:18:4b:dc:6a:bc:58:55:e8:22:46:93:d8:b1:5b:50:17: + 77:02:20:2a:cf:42:10:fc:7e:02:39:37:44:4a:cf:9b:a3:9a: + 55:cb:15:2d:12:86:06:7e:d4:b8:24:7a:57:13:48:b5:69 +-----BEGIN CERTIFICATE----- +MIICOzCCAeGgAwIBAgICEAAwCgYIKoZIzj0EAwIwZTELMAkGA1UEBhMCTkwxEzAR +BgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2d5IEIu +Vi4xIDAeBgNVBAMMF0NIQU1fNTcwIENBIGNlcnRpZmljYXRlMB4XDTE5MDIxODEw +NTI0MVoXDTQ2MDcwNjEwNTI0MVowazELMAkGA1UEBhMCTkwxEzARBgNVBAgMClNv +bWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2d5IEIuVi4xJjAkBgNV +BAMMHUNIQU1fNTcwIElkZW50aXR5IGNlcnRpZmljYXRlMFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAEnbV79f5j2iTkDCbFMlVVs396YOoNViwKheBbhVoBG2n8I3mY +M9Zg1dmrHh16HsJfrTCbc0VAOdkH91mNRPZr46N7MHkwCQYDVR0TBAIwADAsBglg +hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O 
+BBYEFMZoftcgs1FL1FBUJhKGvpvqVaHqMB8GA1UdIwQYMBaAFHUuWr3OtGtMktK9 +QnKSSydxn4ewMAoGCCqGSM49BAMCA0gAMEUCIQCyp777C9Tih7Asybj6ELAYS9xq +vFhV6CJGk9ixW1AXdwIgKs9CEPx+Ajk3RErPm6OaVcsVLRKGBn7UuCR6VxNItWk= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate_unsupported b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate_unsupported new file mode 100644 index 0000000..220abcf --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate_unsupported @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICFTCCAbygAwIBAgICEAEwCgYIKoZIzj0EAwIwWjELMAkGA1UEBhMCTkwxEzAR +BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5 +IEx0ZDETMBEGA1UEAwwKQ0hBTTUwMF9DQTAeFw0xODAyMTkxMDMyMjRaFw0xOTAy +MTkxMDMyMjRaMGExCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAYBgNVBAMMEUNIQU01 +NjkgdW5zdXAga2V5MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEKt3HYPnDlEOS +zYqTzT2patyreLHN2Jty22KXwjaNAjgrwujdPr+MW38DsyBF5Yn9o3sweTAJBgNV +HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp +Y2F0ZTAdBgNVHQ4EFgQUG9MuQz3W/AKA98AyOKhI2af9I+0wHwYDVR0jBBgwFoAU +ACsYsaEsZfjfRVrj0IBmcsncVyMwCgYIKoZIzj0EAwIDRwAwRAIgfhisahVmgghI +GaaQavdKHpM/OTVODZPzYjky6Am+z08CIBidnuuznXrZtr78oy/tAES/7Lz8P5Iw +Q1y5Vo8CdXQQ +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key new file mode 100644 index 0000000..214e2dd --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key 
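Review bot: The body of `ec_identity_certificate_unsupported` appears to decode to a validity window of 2018-02-19 to 2019-02-19 (the two UTCTime fields on its third and fourth base64 lines), so the certificate has a far shorter life than the fixture next to it. If the test asserts that this certificate is rejected, that assertion can pass on expiry alone and no longer proves that the unsupported-key check works. `etc/old/identity_certificate` (notAfter looks like 2019-06-27) and `etc/old/identity_ca` (2020-12-02) raise the same concern for any test that expects them to validate. I would regenerate these with a long validity, as `ec_identity_certificate` has (`Not After : Jul 6 10:52:41 2046 GMT`), and record the openssl command beside the fixtures.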
@@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgP3SnBXzcCc0uUEiG +0CPNdcV0hBewOnVoh4d9q9E5U5ihRANCAASdtXv1/mPaJOQMJsUyVVWzf3pg6g1W +LAqF4FuFWgEbafwjeZgz1mDV2aseHXoewl+tMJtzRUA52Qf3WY1E9mvj +-----END PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_unsupported b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_unsupported new file mode 100644 index 0000000..421d9a3 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_unsupported @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MG8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEVTBTAgEBBBh8p6kwBS7jT86ctN33 +Vs4vosHh7upPZBWhNAMyAAQq3cdg+cOUQ5LNipPNPalq3Kt4sc3Ym3LbYpfCNo0C +OCvC6N0+v4xbfwOzIEXlif0= +-----END PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_w_password b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_w_password new file mode 100644 index 0000000..f1f6e13 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_w_password @@ -0,0 +1,8 @@ +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,11055B75D406068EB1FF850646228EA9 + +GUnwN8e2gvUkopN3ak+2dK1dSTSKSJguers3h5C+qQDq57By933ijCCjUTu2LY/F +ERH6m8UD6H5ij/QDsXLx6tH/dFQ7An+Zao3eD2N2zquGED/OfTQJFv3gBKs4RUtg +66dfuv9mNSXt7Rnu9uBNtodm5JGifczdmIPHn0mNY2g= +-----END EC PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_ca new file mode 100644 index 0000000..f003d92 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_ca 
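Review bot: `ec_private_key_w_password` uses the traditional OpenSSL PEM encryption (`Proc-Type: 4,ENCRYPTED` with `DEK-Info: AES-256-CBC,...`), as does `private_key_w_password` later in the commit, and that is the only encrypted-key format these fixtures cover. That format derives the cipher key from the password with a weak MD5-based KDF, so deployments are better served by PKCS#8 (`-----BEGIN ENCRYPTED PRIVATE KEY-----`) with PBKDF2 or scrypt. If the plugin is meant to accept PKCS#8 encrypted keys, a fixture in that format belongs here too; whether it does is not visible from this diff.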
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkTCCAnmgAwIBAgIJAJvGJOEKNct1MA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV +BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxGDAWBgNVBAMMD0NIQU01MDAgcm9vdCBjYTAeFw0xODAy +MTIxNTA1MDVaFw0yMDEyMDIxNTA1MDVaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI +DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx +GDAWBgNVBAMMD0NIQU01MDAgcm9vdCBjYTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAM/dCO4QAcCduw0NMqShDpTvGT6DClTFAJE8ZfuPCHKqNkicRbyj +sVXfF35Sdo6K92Ksz4G7i1RqJU2n8c7hg2EFUza0lIGgmTHV/DvFBcbAa0PpvdKS +XoPtSNDh65/GO1R7oeSFRzapqsLMPUwOWi46dYvRnPabxs21xHxn56JeuG74bad5 +PMTBvA2SiiTYPBlHGJS78GPo3BPMjL0MzPoMmumO8NSVYI+MEDY1lC4KkyZVKqtV +nIfaO/7adcM19xOAfAHkwhLGBC/bVAEqelev+GH/42xjNv532nM4/JVtBns+msR5 +DAYdtr6i82b7zhU1+lOOihv4lmQHoSnTya8CAwEAAaNQME4wHQYDVR0OBBYEFFYr +0CpiwxgFcZnW6IQEhxGv/vwiMB8GA1UdIwQYMBaAFFYr0CpiwxgFcZnW6IQEhxGv +/vwiMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKbBt0ht72fdtxwm +Kr0pOsKyDW0Rd5Ca5aDK4qAhDL0AD5+O6ShGYCnFNDGk3J5Yzawp8VoKrhDZZyUt +z2b0jNucVapAvPMA4066QxeIfvFmWcS73l7vjjeUoKWmNNGWprTg3RLsacTorKuY +ZRL7wsThfrhvg4B/OOIWKp5MEwIrUfnQzUca8getF2eyTt6QcMtE29AW5+01QTzj +fxZgzkmJFYBE2K/TLMDBDd+bz/8XnmPrJ01VUntXiXenTGTcIbJerB6GYQojjvhy +ZrOeuHTON1ndFiQkpeZA67ByZjkKVoJG3I8fwBjzcLE7u/QAQptVPjJXXcSpL7fA +a1tOvqw= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate new file mode 100644 index 0000000..7c03aae --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw +NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD +VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo +97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M +aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr +A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg +XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629 +V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr +ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT +liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD// +UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9 +3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt +988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359 +ihiEkx9zFUnPrdA= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate_1024key b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate_1024key new file mode 100644 index 0000000..9384833 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate_1024key 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrjCCAZYCCQDn8i4K9c4ErjANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjE2MTAy +MzM2WhcNMjMwODA5MTAyMzM2WjBXMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYD +VQQDDAdDSEFNNTY5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS5w0h8L70 +hkreKchVbTzfz4CrBLY4iADNSqPx9uW7DxjeHyLbKT2eRViY/xPuPXQmfRim01QM +sZWKvFr6k9WMsJ6ItNtCyKS/beONqvXOddIu+4IhNzEGs5v4pTJAOzraoZcVmXnf +Mr9G/baMYfMG47JR5HaSHDI5esa2STHt4wIDAQABMA0GCSqGSIb3DQEBCwUAA4IB +AQBdZ2ijHYH8TkOGBqzsNwnNwPaDb/NA0vAO9T5kSOm8HA8vKHnNza+DeUJN+5P/ +P4fLK7UZqpQN32MpvXL0068g99RLjAzAsEVn+0FTyc08r9p/KO/dxxdMKeET7Cpv +rMpu3W0A/EJptCQsTEZI0iqts7T2qQVXzoDlnUwEt3xdmKYJ9jbEq1UUCeexD3nP +LB+JtUtfGevVzIoBjHv0qA3ePA24jDUlx5bxFeoIDC4tEewvUG5ZekftsRdNe3fk +3LkwyK+4NN1ZCa2+S5SOAfjZA2o6qXiq/le0vWRgl7AHEgDr6w7xoRsw4K5dQ+0R +eKtsBC4XO1GqrNYdKuJb1MhI +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_ca new file mode 100644 index 0000000..b7b7678 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_ca 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDljCCAn6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UEBhMCTkwx +EzARBgNVBAgMCk92ZXJpanNzZWwxEDAOBgNVBAcMB0hlbmdlbG8xDzANBgNVBAoM +BkFETElOSzEYMBYGA1UEAwwPQ0hBTTUwMCBSb290IENBMB4XDTE4MDIwOTE2Mjky +MVoXDTI4MDIwNzE2MjkyMVowVTELMAkGA1UEBhMCTkwxEzARBgNVBAgMCk92ZXJp +anNzZWwxDzANBgNVBAoMBkFETElOSzEgMB4GA1UEAwwXQ0hBTTUwMCBJbnRlcm1l +ZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwucuU/L6N +iYxYJ7tyzcdzwXwYbr4GynZE4u2Sd7hcXrQGxTotm9BEhOZWscSGvH+UJSp0Vrb4 +3zDppiJ76ys6PeSBw1PpxdO97fO+eAE5DoXRj0a9lmnjbsV6waZ2GxgYQNVmKqbI +uPDfW+jsmRcTO94s05GWQshHeiqxuEUAv3/Qe2vOhulrg4YDcXrIDWK93cr1EmRX +Eq3Ck+Fjwtk5wAk3TANv2XQkVfS80jYAurL8J+XC2kyYB7e8KO92zqlfVXXMC3NI +YDcq86bAI4NNMjVE2zIVheMLoOEXaV7KUTYfEQABZl76aWLDxjED9kf371tcrZzJ +6xZ1M/rPGNblAgMBAAGjZjBkMB0GA1UdDgQWBBQngrlZqhQptCR4p04zqHamYUx7 +RTAfBgNVHSMEGDAWgBQrLYI+RHJtx1Pze8MSZbhaOful1DASBgNVHRMBAf8ECDAG +AQH/AgEAMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEAfMmiQ0tv +o3K3xwSS621tsfkijUTx920hAe1XYY2XKrG7a/MJBhStex5A3AfqPOY9UMihkBl9 +3hgxOaddX9SAf2eLk2JLhqxZi1U/GVzT5h10AKLA5WUXIK4UGz3JRqhEm7V39t/N +G0LCdpWOZueezkfO6eGcAvOKthdd32a3zbn+rzzDHdsjzxhEEv8d8x1Xf4xH2dgk +HlpmpvXMfG/1aCzIpWGEPdkB7WR694GiCmh7hnFBiY+h1GFj2l5dThd51QqAlncM +u+NmlPCrFZL0ulwRFeo80KOwDpxkqgavDlP9irdWqM9VHybjGu0xFHCeElz9M6od +ym/MCh4ax7jDxg== +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_certificate new file mode 100644 index 0000000..453f1fd --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_certificate 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVTQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw +NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD +VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo +97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M +aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr +A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg +XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629 +V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr +ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT +liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD// +UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9 +3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt +988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359 +ihiEkx9zFUnPrdA= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_private_key new file mode 100644 index 0000000..2672622 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_private_key 
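Review bot: Nothing records what makes `invalid_identity_certificate` invalid: its base64 body matches `identity_certificate` except for a single character on the third line (`...MRgwFgYDVTQDDA9...` against `...MRgwFgYDVQQDDA9...`). `invalid_private_key` is the same kind of fixture, `private_key` with a few characters altered or dropped. Without a note, a later regeneration can replace these with files that fail for a different reason (a parse error instead of a verification failure, say) and the negative test silently changes meaning. A short README in `etc/` listing each fixture, the alteration made, and the check expected to reject it would fix that.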
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0Z5zZ1dz2a22cI8ZPnZEHDt6St8DL6AzQBzz4k310Vdioyx8 +bLiu8Ffhjx5l6Pe26LerwcTUDe4X8aAyy/igTvbN1fvDl+pTqxe4UOvuv6fRIEaM +jRqNtXiMxsHNjGiQCoyJjTGzOxQ074ZN7vlU0ybZZyryTNbYJ3GxGcES64v9jBAu +V0vzuRUE+AFz6wOm0XBjKglWLUNHIusHdfD3oAP60phkkX/0zneI2V5MXxw/mDpB +3Mcc/bF+Cp8joF2ZvIw3QXO68Yg3qfJCIy9OlbMyXqEK8Y7n/HDWbW6Jf+xAkuWj +NmDse7dA3P+tvVdkOcGkVQVecVQidAc1IfKyBQIDAQABAoIBAEddUpzUQTTS11Hq +5gVF7lpORYxH8KW+PLSPJtjdAduLjKAQ++tn1OcuhDRdfQSbkUIZhfgqMqerb6tr +ht+6fZlknR9E34pQ1LtjD/U83cOSNrhuTFudtrEZoZPpVzl+P8vXnNzdFs/+SSdi +6hV5/U8F4u4kyOkwG9cR9eF2wiI+oQ/RBKCXUo3OVs9K27A/OkKsb7coL7yBsgBj +lzorS9a/DyHT2eiMKjwCZFyG4A66EkLi6t9JLJ8oTkI2WskXYeVEAbEXE57RWm44 +2OgTgfsgYgf2ftXq93KD17FN1m77dqp7EPAhjGnRHNq7+0Ykr1EO1nbDfqHG4gS+4o +lfP8iwECgYEA58da0R34l93yQnK0mAtoobwvsOjADnBVhBg9L4s2eDs8liUjf0zt +7hcMdUJaa7iMuNf3qGtnZtRURc3kSOE429Or7fCAYUr/AaA7+2ekPG1vjMb50tVv +se5rwb1hvgMYe2L5ktJJAg+RcmqpY+ncJ+hP/vWwZRxUKvXba50qqEkCgYEA54ZE +mJfSueGM/63xlhP71CM4OWtTqkQGp2OmgTOsBI5q/GUXr8vMR8sCEMHAc6HyXzmL +x/RnAoa/vTX58rXBk0QjfO9esIHa452697EIaJu5w8skCLDv2e/f+Jg7o/IDyUZs +5lqhiEuH9Qc3sx2nhnSYXMZWqwh8OchI7dCSE90CgYEAzrJ1JhpxUJYI7wM2VIWQ +GPQnH8BhTj8VtEidgCHJQK2rGUcjgepMIVECtiunUXtyW4GWBedKfmSKhvnXRLs9 +pqT9JaOeCaYFBiEsfMZvqUY4e/YSYtge1PIHvO40FWzTT23zneDUZPcXQY8nYsfy +otBFTt0yIumBkhJRTIYLvakCgYA+CcttvBj6OAcJJ/n5RgeP05QoRqsXj7zcs6YV +LtxkKClg0lHjiE+H2U0HYnOISJfijk/3V3UWxzavo7wDHlLtfC+qNZYA4/rcTRKh +dm2TYk8HuPJB5e+PTWiNe3VXu+zpzRY3L4fjNqIKtVFmjIasT6fYDEmC8PYgoZtx +JhdOfQKBgCD/bDkc+VI6lwQtoQQKiSfQjKGe+6Cw9K/obzWO0uJwBvZrGLXF8tTc +MOPIv9OILt7DYxpMXAiHv8HtzH5CFVrZ/nj63Soka/j2yvUdBDrGhyIbsc4pDu+ +lCFa0ZiT/u5vRAiOkM6GuStH4HxnW9LtwBtiYXtfU7IPExJiAlsq +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key new file mode 100644 index 0000000..e21560b --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0Z5zZ1dz2a22cI8ZPnZEHDt6St8DL6AzQBzz4k310Vdioyx8 +bLiu8Ffhjx5l6Pe26LerwcTUDe4X8aAyy/igTvbN1fvDl+pTqxe4UOvuv6fRIEaM +jRqNtXiMxsHNjGiQCoyJjTGzOxQ074ZN7vlU0ybZZyryTNbYJ3GxGcES64v9jBAu +V0vzuRUE+AFz6wOm0XBjKglWLUNHIusHdfD3oAP60phkkX/0zneI2V5MXxw/mDpB +3Mcc/bF+Cp8joF2ZvIw3QXO68Yg3qfJCIy9OlbMyXqEK8Y7n/HDWbW6Jf+xAkuWj +NmDse7dA3P+tvVdkOcGkVQVecVQidAc1IfKyBQIDAQABAoIBAEddUpzUQTTS11Hq +5gVF7lpORYxH8KW+PLSPJtjdAduLjKFQ++tn1OcuhDRdfQSbkUIZhfgqMqerb6tr +ht+6fZlknR9E34pQ1LtjD/U83cOSNrhuTFudtrEZoZPpVzl+P8vXnNzdFs/+SSdi +6hV5/U8F4u4kyOkwG9cR9eF2wiI+oQ/RBKCXUo3OVs9K27A/OkKsb7coL7yBsgBj +lzorS9a/DyHT2eiMKjwCZFyG4A66EkLi6t9JLJ8oTkI2WskXYeVEAbEXE57RWm44 +2OgTI/Yc2yrtXq93KD17FN1m77dqp7EPAhjGnRHNq7+0Ykr1EO1nbDfqHG4gS+4o +lfP8iwECgYEA58da0R34l93yQnK0mAtoobwvsOjADnBVhBg9L4s2eDs8liUjf0zt +7hcMdUJaa7iMuNf3qGtnZtRURc3kSOE429Or7fCAYUr/AaA7+2ekPG1vjMb50tVv +se5rwb1hvgMYe2L5ktJJAg+RcmqpY+ncJ+hP/vWwZRxUKvXba50qqEkCgYEA54ZE +mJfSueGM/63xlhP71CM4OWtTqkQGp2OmgTOsBI5q/GUXr8vMR8sCEMHAc6HyXzmL +x/RnAoa/vTX58rXBk0QjfO9esIHa452697EIaJu5w8skCLDv2e/f+Jg7o/IDyUZs +5lqhiEuH9Qc3sx2nhnSYXMZWqwh8OchI7dCSE90CgYEAzrJ1JhpxUJYI7wM2VIWQ +GPQnH8BhTj8VtEidgCHJQK2rGUcjgepMIVECtiunUXtyW4GWBedKfmSKhvnXRLs9 +pqT9JaOeCaYFBiEsfMZvq8f4e/YSYtge1PIHvO40FWzTT23zneDUZPcXQY8nYsfy +otBFTt0yIumBkhJRTIYLvakCgYA+CcttvBj6OAcJJ/n5RgeP05QoRqsXj7zcs6YV +LtxkKClg0lHjiE+H2U0HYnOISJfijk/3V3UWxzavo7wDHlLtfC+qNZYA4/rcTRKh +dm2TYk8HuPJB5e+PTWiNe3VXu+zpzRY3L4fjNqIKtVFmjIasT6fYDEmC8PYgoZtx +JhdOfQKBgCD/bDkc+VI6lwQtoQQKiSfQjKGe+6Cw9K/obzWO0uJwBvZrGLXF8tTc +MOPIv9OILt7DYxpMXAiHv8HtzH5CFVrZ/nj63SRoka/j2yvUdBDrGhyIbsc4pDu+ +lCFa0ZiT/u5vRAiOkM6GuStH4HxnW9LtwBtiYXtfU7IPExJiAlsq +-----END RSA PRIVATE KEY----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_1024 b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_1024 new file mode 100644 index 0000000..709bcd6 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_1024 @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDS5w0h8L70hkreKchVbTzfz4CrBLY4iADNSqPx9uW7DxjeHyLb +KT2eRViY/xPuPXQmfRim01QMsZWKvFr6k9WMsJ6ItNtCyKS/beONqvXOddIu+4Ih +NzEGs5v4pTJAOzraoZcVmXnfMr9G/baMYfMG47JR5HaSHDI5esa2STHt4wIDAQAB +AoGAQi7LijkYU3fJCsql2Vj8X2eogwJphHf5eHLR296U3QyxyxKOR6Q7d+1fDjQN +txeF2YYsND3hBFK+ENlm23eE7Z1tpWtnLNJ9OH84ZkPnqTnEcWsRddT/x9vKOPMz +eK8QNetD3AP5qXsjpIpgep1diWYHCyhMTAFISzvdtC7pvFECQQD2zoqwRtF26lzg +QPR02Z+L80R2VhpeLoqMIplT1bmlrPlDr/eIwvtu1eQFyGSASG2EFs1rucdJl7qu +SrJ+eyv1AkEA2sIjy8+RCk1uH8kEwYaMJ3dccqnpcMCZ1b3GncKl+ICmDCYcpfd5 +rP5tX+GL3RVw370pUApJvrVTgOpAVHYjdwJAOYz8BhLdcS9BLQG4fy7n50h4pGd7 +io6ru/Wtb0EdIybskP4NaJSe8L9rhnWuCcPZ1b1DdWVCtURuQYoliRzLqQJBAJWO +ZrSfKpS1jRVT89lu6ADPXLfTrBH2yvVS8ifG/HshUOQ7ZhidUWVQ6GvFoj46u1lr +VIQxFGu6QeV/wQ09W08CQHGkrZgu/FpS2tNvYmKNDHOna+dW452N5N81u5sRP1A8 +x9pYC9xoOGE2E8v1ocMJDPoMe0yk1QSX9mjhhwYOy28= +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_not_matching b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_not_matching new file mode 100644 index 0000000..735a9af --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_not_matching 
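Review bot: `etc/old/private_key_1024` and `etc/private_key_1024` are added with the same blob id (`709bcd6`), and `private_key_not_matching` likewise appears in both directories as `735a9af`. If no test reads from `etc/old/`, I would leave that directory out of the commit; each extra private key in the tree is one more item for secret scanning to triage. If `old/` is kept on purpose, a README line saying which tests use it would be enough. `private_key_1024` is presumably a deliberate weak-key fixture (1024-bit RSA), which is worth stating in the same place.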
@@ -0,0 +1,48 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAz90I7hABwJ27DQ0ypKEOlO8ZPoMKVMUAkTxl+48Icqo2SJxF +vKOxVd8XflJ2jor3YqzPgbuLVGolTafxzuGDYQVTNrSUgaCZMdX8O8UFxsBrQ+m9 +0pJeg+1I0OHrn8Y7VHuh5IVHNqmqwsw9TA5aLjp1i9Gc9pvGzbXEfGfnol64bvht +p3k8xMG8DZKKJNg8GUcYlLvwY+jcE8yMvQzM+gya6Y7w1JVgj4wQNjWULgqTJlUq +q1Wch9o7/tp1wzX3E4B8AeTCEsYEL9tUASp6V6/4Yf/jbGM2/nfaczj8lW0Gez6a +xHkMBh22vqLzZvvOFTX6U46KG/iWZAehKdPJrwIDAQABAoIBAQDGvQsAsoU6aJSj +Ee9NwD903nZAcoG6MvEr65eGQWdOWre0DNYQWmH/PGH2AVohR3Tn/1oXK/03JJWt +/dkQeEVoyfKZ52Xl2mseXv3fF61CLk9gi2dWoWOEt6ZbMOZbyOiJCfvrxhIkjWwa ++7PPuBk5AePJXwy4LJCTtiq61418i2Bbl6JamytgxsiVK9kZXdN6JqEVYmweMpmR +T1mzi7lssyttBIXwG8ajStUteIYLyi8d+UX4S08EyV0VGL0p5+F8xTY1jVX/t6Y0 +KbANJdjEab9mbndzbxprJlS08KBLgdnAO4w0nmINiaO2isXOLoV8SU3tTqHC3W7c +CCSKJdGBAoGBAP9vCSP1AaEjYa6sfEUgThpCo7PhRuOMEDb+4ldv9O+hzXv5I8td +gbDs1g3jyhb0yhW9uV9NsuKBtsmv1zYFswZDNbdr2S1VZPMpAx+SeLHQWy6HbU/t +oHoOO+l8erFVvR2uqit5rBDzN6/lh4SoQzYE9JDAnXJp9W0rKAdtBSLRAoGBANBT +AIErbPo4EuU13DaEa+EfoU4Abktyi+L8dpdoXMq6sHg3Mlhifr+ryoybrMMA3tmT +6ekBCSVThF0/+HAFRAJthnyBgUd0D710JDHro47Mg37CxU+V8JYqZJGHUSfqng7/ +pM7LjM99VhigquH4PoDH4YpL8vnIeEMNmny4iER/AoGBAJj8k+jpUXSFkHfh7vwo +AR9RUmLmRmL6/KsztbTQ5U6xBjV+XqXq90ZUU1A2Yk+lhXPIEkK2crGfJy9dFfTR +LQxPLNkSyxyPzMqmgaxjOc6mEDap/hqlJDx2UgPh/kpAI+inOFyZnyj3wx6ixqv5 +a2frR996vdJNDCW6d1sbPLxBAoGBAMO66IN0UJy76Izw0Olr+4v10vFdmENM6T+o +IqhZBq33P+yDN8sxJ5NgjhsT/Pruq3LT9XbVYUlvsbKHcx2U5PQ/AZejedqvokZH +g+ZfVjnJz1ZfG1GOOBBu3jSZZdfSKRVAfhFJ0A/229ihxEwxmFAY/MCaYTzsbInb +kyXRnz5zAoGBAIT9Fuk7zhfubYvkzIQ0kj/IxL3QohVRKcoGapDMSwNjTvxZdKxF +WXkhhJT095QznHP1fhp90fBKlOdsReDWfZXMYtZTqo2+ezK8qb6xMlm+LE09y+Na +f7pp1EPnIqyEX27B4aQ81M8tkCqbdlv3CdjFSusp6SsWTGTjr/5SAMDS +-----END RSA PRIVATE KEY----- + +-----BEGIN CERTIFICATE----- +MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw 
+NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD +VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo +97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M +aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr +A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg +XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629 +V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr +ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT +liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD// +UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9 +3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt +988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359 +ihiEkx9zFUnPrdA= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_w_password b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_w_password new file mode 100644 index 0000000..ba09dc0 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_w_password 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,0C9C38C5678AECD200E024A9A5BC717A + +wbXYsR78o4DIaQbKsB4cwEFge79GMKbcMgIWK+9k86dPk09WZkj7JCSJXIxPLYOG +tFZrw/z86cakEhf90a4Moa1cwByrcFB+bpWoEqsx/C4javWxXMENbmQ5x8gDpmzT +qqLI7xnd2mYj7HcfE7eXi+Nub5w1tBxN0CWaxpR54ZVvfcPE6Od4SHGughdUN4AK +OdVIq5YuzMhuTDJKy+kGOtjH8pBWvo8S12T2UQEuusx5WUbEJ6m+E80aN7M6gCA+ +XmNTt3PsV9PfZPL2Off/90gqTBdMhwn+sEVlqYG0TAnXZQEI8ZNtAGy77CFplqdT +SmI3x8Sza7lchEMFhRiayX9pMBPUlwckVPrCoMQ4b4WkHYoGLO7dNVAA8Osud46+ +6MZKHStjdzwKz9MzWa7lXhXV+0sX5bcAzQexuE+wO8QQ/t5uwDmQHol0JVdRX8NB +/Exk6aT7mWajFvukXVirpUGWnEK2W+O8/VBzVZ7z69EjZ09Pu4Y/+cbX12LGSwMb +WVtnZY6BsrV++vikQuL3ByTBDPRHio2H8hThh1Kv8n5VEBUrk7tLUp3Z15cbfC6s +LDHX6kB2OKmmdqLOOMo4lToZfnrVK/dzeXFbtNH1POpR4/e5Nk0SyZrWo+E/AqIv +nLQ3fhLCPOB5rjAhuM8iXOwqn8HHNlv9j8mlgCcgwK7focYVc/IXARLOfFOjOA/s +EqMRbb/eKsC930NHBZkhlqRJKCwA37AMvnOhN4R0VOq/40K+62IUK9E1643KyWs0 +vWk0rFY0OKorQXzI33lbBYZ5zHt8oxGNx3us+6jGP85iv8UEaO6FpgajEUn6Gzp/ +wyvr1C/B/Hfr6eTbt4C6Fi5fMfZgM6VEcJuaFZnoC9tWdhlNsY1pwtPghMM7yBwc +1Ye0TxdF36exJWu1gXVTse1Vdc9i4QWpT2fbPQtcIgdtNk01K+2defie384IOnQQ +O8/SRsrnLRLV3IDFh/VBJS1ZVm8Zmt10yGgRwtYHntMkIopoFRWcm9/Gh3iBFKKH +OTVXxgKOUYk4qXG61N8k0M+TIdoOHZIha3Myis1tQVmA/b/4FRKPYgdrFijhXNLM +wwMHQOS14xBF2KBgaak7dMUWhGrClw1hc3HmMXuM+OLvxy+f8MC3JP2U5AuCs472 +hc41KWxioqNMPVXZgVnHf3aEec+hBFceqYnlzG+E/Gagiufu8WMySaZgzXMRb5aV +x2OVcakSKrTC5EKbLDlZ6+1NRJht7wdSefh0o/Crc9LzcFqBL0Qp3WCvyY8gDVkQ +EGqoVYOE6Hz/NX5/17F1+5VuWT7nBWABHKFFriOoJ3VR9sZhp0HiMznZEF1AwVuZ +xHtDWQemfBywEQG23qbr+o7mQASh1zki8b4fP1HQmbHhaJarjwGdiVNIgcF7s7Qk +NYNcgsc1l0KuNHvredTnYwPhv3C08IBfjtd2H9u0A+AWl5RlR4GDfv2Jzbe/F8U+ +0gxj8D2XWHlkbHIXKVk6jxj64xyNE1xB0Sv7gsDWpkaK6aw/zdsyxqiji4mThcYE +cRSl4y9CGZREaiyD8dk/uiqKfQ26c1gfOUDYS2fKjH5NKh4J80wQj0GvS6nHiDH4 +-----END RSA PRIVATE KEY----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/remote b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/remote new file mode 100644 index 0000000..195709a --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/remote @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMzCCAhsCCQDn8i4K9c4ErzANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMzIzMTIw +MTE5WhcNMjMxMDMxMTIwMTE5WjBYMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMREwDwYD +VQQDDAhDSEFNLTU3NzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcc +IMlRp2EnOC/UIIOF2gm+wtsikv5CscDuyq9DA2QgS5TTKqivDAdOSUIcbVn8qb6/ +77viarmRXml3VHJdhR2abtY6xYKYF2SCFiyoNk6ITq+YBrCfmMh/bCYTD6c5vnl4 +SKomIArU1g1YAxHxHqZRX1oonldUdP4lqq+Qt6fllYFhHNAl5JjrrCuPpXmAW3pC +z4b3HWP/6vnbOFFMYkwGprVoAljcnAG7C7zSjW2M3RN4xA/z6Lps8qrPFB2iAXaP +ZnST1rkqctf2IDWVwloG0uJnqiigcIz6+hvf5VMU0ax+CrYqFGav/uwvPCiHcUkF +3a/O3z+4xGHaBagfHukCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAXZlNPz6raCBp +F+iyNWTGy27OyM/TZNE9QTPI28TQEmLfqCrRfq+uHhBQ3U9TgS3xX/f5b+BPHuaD +N6vl/yECAQa+0r33EFdoe8rGa0Mr5VvADcqPmk/sp9K62fRcP4aCgliDi8g9G8q1 +XNgO/EA9HhFlFKPzLPFMhq7qqPOQWO/EddoxA/qCMGZtN+TAxqLKVB0lipJoSa0x +XqtYvNWiaShPceSk4SAjAdpdhvxOpA/25uvFEISdt9zoqbs4eLUbi/9RFYaL8U4r +E+FygZMi31N6PC/Q7/tJ4DG20K/V30Y1+ogvSfdJpWk9L/CJj0VrzqJTVaKBIFVV +6PtqHPZiKA== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/unrelated_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/unrelated_identity_ca new file mode 100644 index 0000000..52cf047 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/unrelated_identity_ca 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDpDCCAoygAwIBAgIJALE5lRKfYHAaMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV +BAYTAk5MMRMwEQYDVQQIDApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8w +DQYDVQQKDAZBRExJTksxGDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTAeFw0xODAy +MDkxNjIwNDNaFw0zODAyMDQxNjIwNDNaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI +DApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8wDQYDVQQKDAZBRExJTksx +GDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAN9/NbpJDHQYHh3cEByRxnHffxEe9Sapn08Ty5xYO8LDJ4V7vU32 +/7291fITiHaovOoCRHAbKTaTtqJO56aGY45HON6KIqxljLQJJVGW/Nf2PNSHmFix +6D6bsoSOTPyKYqBNT6lB7NMn4QBTcsiE61El8p9WLQZHoYQJK5Psf7wkBqGBz8he +bcDWXFn7kIgnsaLrh77w2wi/y0MqpPwyeRInoZfYknzVNdxCPgq7csBYDoMgOgkV +G60ECXojHKz1HI4n0V8L8lZluSSVRNR0xvPFgBqO7b+Re7xb6iO9TNsFeoiMMNyp +EwM99CqPO0RRrAPiC7IDgcNGjxhne9EJFGsCAwEAAaNjMGEwHQYDVR0OBBYEFCst +gj5Ecm3HU/N7wxJluFo5+6XUMB8GA1UdIwQYMBaAFCstgj5Ecm3HU/N7wxJluFo5 ++6XUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQCWibvYuPLpoNcsUdHbE7SnBbEQnDfBxBZN8xeWHwwAPEB+8eHhmIdZ +xDtCN61xr5QR+KzlEYFwKyHMp9GN3OPU1RndJrzaXz2ddAZVkBIvnQZ4JvFd+sBC +QQgEvL8GcwZPxnad/TRylM4ON3Kh0X9vfyrmWEoHephiE1LcENaFqcYr9xg3DJNh +XSrigMGZJ7IOHkvgaoneICOcYI42ZHS0fnt1G+01VKJXm3ndi5NL25GnOmlvV6yV ++1vcmdQc6YS8K8vHmrH4lX9iPfsOak6WSzzsXdqgpvyxtGJggcFaDTtmbWCAkJj0 +B7DMeaVlLClGQaKZZ7aexEx9se+IyLn2 +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key new file mode 100644 index 0000000..06f57d1 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf +Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m +JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM +AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv +psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c +A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx +m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK +GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+ +BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2 +iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw +Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i +2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y +T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6 +D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB +Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG +eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ +2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV +0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt +O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+ +pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba +VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k +X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD +NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc +nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi +w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk= +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_1024 b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_1024 new file mode 100644 index 0000000..709bcd6 --- /dev/null 
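Review bot: etc/private_key is an unencrypted RSA private key, and the same key is added a second time in this commit as the `private_key_pem` string in validate_local_identity_utests.c (the base64 bodies begin with the same line). etc/private_key_1024, etc/private_key_not_matching and src/priv.pem are plaintext keys as well. Nothing visible in this commit marks them as test-only, so secret scanners will flag them and a reader cannot tell whether any of them was ever used outside the test suite. Add a README in the fixture directory stating `Test-only key material generated for these unit tests; never deploy or trust these keys or the certificates issued from them`, and keep each key in one place only.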
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_1024 @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDS5w0h8L70hkreKchVbTzfz4CrBLY4iADNSqPx9uW7DxjeHyLb +KT2eRViY/xPuPXQmfRim01QMsZWKvFr6k9WMsJ6ItNtCyKS/beONqvXOddIu+4Ih +NzEGs5v4pTJAOzraoZcVmXnfMr9G/baMYfMG47JR5HaSHDI5esa2STHt4wIDAQAB +AoGAQi7LijkYU3fJCsql2Vj8X2eogwJphHf5eHLR296U3QyxyxKOR6Q7d+1fDjQN +txeF2YYsND3hBFK+ENlm23eE7Z1tpWtnLNJ9OH84ZkPnqTnEcWsRddT/x9vKOPMz +eK8QNetD3AP5qXsjpIpgep1diWYHCyhMTAFISzvdtC7pvFECQQD2zoqwRtF26lzg +QPR02Z+L80R2VhpeLoqMIplT1bmlrPlDr/eIwvtu1eQFyGSASG2EFs1rucdJl7qu +SrJ+eyv1AkEA2sIjy8+RCk1uH8kEwYaMJ3dccqnpcMCZ1b3GncKl+ICmDCYcpfd5 +rP5tX+GL3RVw370pUApJvrVTgOpAVHYjdwJAOYz8BhLdcS9BLQG4fy7n50h4pGd7 +io6ru/Wtb0EdIybskP4NaJSe8L9rhnWuCcPZ1b1DdWVCtURuQYoliRzLqQJBAJWO +ZrSfKpS1jRVT89lu6ADPXLfTrBH2yvVS8ifG/HshUOQ7ZhidUWVQ6GvFoj46u1lr +VIQxFGu6QeV/wQ09W08CQHGkrZgu/FpS2tNvYmKNDHOna+dW452N5N81u5sRP1A8 +x9pYC9xoOGE2E8v1ocMJDPoMe0yk1QSX9mjhhwYOy28= +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_not_matching b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_not_matching new file mode 100644 index 0000000..735a9af --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_not_matching 
@@ -0,0 +1,48 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAz90I7hABwJ27DQ0ypKEOlO8ZPoMKVMUAkTxl+48Icqo2SJxF +vKOxVd8XflJ2jor3YqzPgbuLVGolTafxzuGDYQVTNrSUgaCZMdX8O8UFxsBrQ+m9 +0pJeg+1I0OHrn8Y7VHuh5IVHNqmqwsw9TA5aLjp1i9Gc9pvGzbXEfGfnol64bvht +p3k8xMG8DZKKJNg8GUcYlLvwY+jcE8yMvQzM+gya6Y7w1JVgj4wQNjWULgqTJlUq +q1Wch9o7/tp1wzX3E4B8AeTCEsYEL9tUASp6V6/4Yf/jbGM2/nfaczj8lW0Gez6a +xHkMBh22vqLzZvvOFTX6U46KG/iWZAehKdPJrwIDAQABAoIBAQDGvQsAsoU6aJSj +Ee9NwD903nZAcoG6MvEr65eGQWdOWre0DNYQWmH/PGH2AVohR3Tn/1oXK/03JJWt +/dkQeEVoyfKZ52Xl2mseXv3fF61CLk9gi2dWoWOEt6ZbMOZbyOiJCfvrxhIkjWwa ++7PPuBk5AePJXwy4LJCTtiq61418i2Bbl6JamytgxsiVK9kZXdN6JqEVYmweMpmR +T1mzi7lssyttBIXwG8ajStUteIYLyi8d+UX4S08EyV0VGL0p5+F8xTY1jVX/t6Y0 +KbANJdjEab9mbndzbxprJlS08KBLgdnAO4w0nmINiaO2isXOLoV8SU3tTqHC3W7c +CCSKJdGBAoGBAP9vCSP1AaEjYa6sfEUgThpCo7PhRuOMEDb+4ldv9O+hzXv5I8td +gbDs1g3jyhb0yhW9uV9NsuKBtsmv1zYFswZDNbdr2S1VZPMpAx+SeLHQWy6HbU/t +oHoOO+l8erFVvR2uqit5rBDzN6/lh4SoQzYE9JDAnXJp9W0rKAdtBSLRAoGBANBT +AIErbPo4EuU13DaEa+EfoU4Abktyi+L8dpdoXMq6sHg3Mlhifr+ryoybrMMA3tmT +6ekBCSVThF0/+HAFRAJthnyBgUd0D710JDHro47Mg37CxU+V8JYqZJGHUSfqng7/ +pM7LjM99VhigquH4PoDH4YpL8vnIeEMNmny4iER/AoGBAJj8k+jpUXSFkHfh7vwo +AR9RUmLmRmL6/KsztbTQ5U6xBjV+XqXq90ZUU1A2Yk+lhXPIEkK2crGfJy9dFfTR +LQxPLNkSyxyPzMqmgaxjOc6mEDap/hqlJDx2UgPh/kpAI+inOFyZnyj3wx6ixqv5 +a2frR996vdJNDCW6d1sbPLxBAoGBAMO66IN0UJy76Izw0Olr+4v10vFdmENM6T+o +IqhZBq33P+yDN8sxJ5NgjhsT/Pruq3LT9XbVYUlvsbKHcx2U5PQ/AZejedqvokZH +g+ZfVjnJz1ZfG1GOOBBu3jSZZdfSKRVAfhFJ0A/229ihxEwxmFAY/MCaYTzsbInb +kyXRnz5zAoGBAIT9Fuk7zhfubYvkzIQ0kj/IxL3QohVRKcoGapDMSwNjTvxZdKxF +WXkhhJT095QznHP1fhp90fBKlOdsReDWfZXMYtZTqo2+ezK8qb6xMlm+LE09y+Na +f7pp1EPnIqyEX27B4aQ81M8tkCqbdlv3CdjFSusp6SsWTGTjr/5SAMDS +-----END RSA PRIVATE KEY----- + +-----BEGIN CERTIFICATE----- +MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw 
+NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD +VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo +97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M +aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr +A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg +XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629 +V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr +ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT +liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD// +UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9 +3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt +988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359 +ihiEkx9zFUnPrdA= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_w_password b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_w_password new file mode 100644 index 0000000..ba09dc0 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_w_password 
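Review bot: etc/private_key_not_matching holds two PEM blocks, a private key followed by a certificate identical to src/id.crt, although the file name promises only a key. The key's modulus starts with the same bytes as the public key in src/ca.crt, so this appears to be the private key of that test CA rather than an arbitrary mismatching key; if so, anything chaining to src/ca.crt must be treated as untrusted outside the tests. State in the fixture README which certificate the key is meant not to match and whether the trailing certificate block is read at all, and drop the block if it is not.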
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,0C9C38C5678AECD200E024A9A5BC717A + +wbXYsR78o4DIaQbKsB4cwEFge79GMKbcMgIWK+9k86dPk09WZkj7JCSJXIxPLYOG +tFZrw/z86cakEhf90a4Moa1cwByrcFB+bpWoEqsx/C4javWxXMENbmQ5x8gDpmzT +qqLI7xnd2mYj7HcfE7eXi+Nub5w1tBxN0CWaxpR54ZVvfcPE6Od4SHGughdUN4AK +OdVIq5YuzMhuTDJKy+kGOtjH8pBWvo8S12T2UQEuusx5WUbEJ6m+E80aN7M6gCA+ +XmNTt3PsV9PfZPL2Off/90gqTBdMhwn+sEVlqYG0TAnXZQEI8ZNtAGy77CFplqdT +SmI3x8Sza7lchEMFhRiayX9pMBPUlwckVPrCoMQ4b4WkHYoGLO7dNVAA8Osud46+ +6MZKHStjdzwKz9MzWa7lXhXV+0sX5bcAzQexuE+wO8QQ/t5uwDmQHol0JVdRX8NB +/Exk6aT7mWajFvukXVirpUGWnEK2W+O8/VBzVZ7z69EjZ09Pu4Y/+cbX12LGSwMb +WVtnZY6BsrV++vikQuL3ByTBDPRHio2H8hThh1Kv8n5VEBUrk7tLUp3Z15cbfC6s +LDHX6kB2OKmmdqLOOMo4lToZfnrVK/dzeXFbtNH1POpR4/e5Nk0SyZrWo+E/AqIv +nLQ3fhLCPOB5rjAhuM8iXOwqn8HHNlv9j8mlgCcgwK7focYVc/IXARLOfFOjOA/s +EqMRbb/eKsC930NHBZkhlqRJKCwA37AMvnOhN4R0VOq/40K+62IUK9E1643KyWs0 +vWk0rFY0OKorQXzI33lbBYZ5zHt8oxGNx3us+6jGP85iv8UEaO6FpgajEUn6Gzp/ +wyvr1C/B/Hfr6eTbt4C6Fi5fMfZgM6VEcJuaFZnoC9tWdhlNsY1pwtPghMM7yBwc +1Ye0TxdF36exJWu1gXVTse1Vdc9i4QWpT2fbPQtcIgdtNk01K+2defie384IOnQQ +O8/SRsrnLRLV3IDFh/VBJS1ZVm8Zmt10yGgRwtYHntMkIopoFRWcm9/Gh3iBFKKH +OTVXxgKOUYk4qXG61N8k0M+TIdoOHZIha3Myis1tQVmA/b/4FRKPYgdrFijhXNLM +wwMHQOS14xBF2KBgaak7dMUWhGrClw1hc3HmMXuM+OLvxy+f8MC3JP2U5AuCs472 +hc41KWxioqNMPVXZgVnHf3aEec+hBFceqYnlzG+E/Gagiufu8WMySaZgzXMRb5aV +x2OVcakSKrTC5EKbLDlZ6+1NRJht7wdSefh0o/Crc9LzcFqBL0Qp3WCvyY8gDVkQ +EGqoVYOE6Hz/NX5/17F1+5VuWT7nBWABHKFFriOoJ3VR9sZhp0HiMznZEF1AwVuZ +xHtDWQemfBywEQG23qbr+o7mQASh1zki8b4fP1HQmbHhaJarjwGdiVNIgcF7s7Qk +NYNcgsc1l0KuNHvredTnYwPhv3C08IBfjtd2H9u0A+AWl5RlR4GDfv2Jzbe/F8U+ +0gxj8D2XWHlkbHIXKVk6jxj64xyNE1xB0Sv7gsDWpkaK6aw/zdsyxqiji4mThcYE +cRSl4y9CGZREaiyD8dk/uiqKfQ26c1gfOUDYS2fKjH5NKh4J80wQj0GvS6nHiDH4 +-----END RSA PRIVATE KEY----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/identity_ca
new file mode 100644
index 0000000..7e2675c
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/identity_ca
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE +BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp +ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx +MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k +ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz +2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf +zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB +pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL +FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME +BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW +gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB +Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME +BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK +KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI +KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU +AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI +hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s +iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC +LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm +geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t +Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd +sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/root_CA_RSA.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/root_CA_RSA.crt new file mode 100644 index 0000000..61346df --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/root_CA_RSA.crt @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEtjCCA56gAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50 +aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMB4XDTE4MDYxMTAwMDAwMFoXDTI3MDYxMDIzNTk1OVowcjELMAkGA1UEBhMC +TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ +ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0 +ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANRf3XKmM6O+ +WoYPNpOAdkGKKZHLJ8ZuPxVVBMX6oJAlcOmkhLzfkHSA+gl/OWaMOXIEtN512gyL +YszBf1RImwVzRjJFwIxzGzVQ68jYNj+qBbsOt+IG+hs3wgVCLFkCh+J7hXUgvk8A +eRM/SRrI42dQfcgKUAMNi4/iX6Vs+FV9pHB63L4PiLA9hfUE25sH6EsIC7icvGDJ +6cGG94glVSHDI1NtXfsNHY+NGY/jYKtQZklqU3lew5I60aJIsea+Wk6PJiz4hyXv +XVVmrcNeG1g4OEFgiSXZC2XknDw8t9+ELprGNvuJvTFxwPMAgLeF4IhEQC9dQY2W +BRwUxtZBzukCAwEAAaOCAVUwggFRMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFER4 +R6N3MQ1Wl7gn+R8wwHloDCVZMB8GA1UdIwQYMBaAFER4R6N3MQ1Wl7gn+R8wwHlo +DCVZMA8GA1UdDwEB/wQFAwMH/4Awge8GA1UdJQEB/wSB5DCB4QYIKwYBBQUHAwEG +CCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3 +AgEVBgorBgEEAYI3AgEWBgorBgEEAYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3 +CgMEBglghkgBhvhCBAEGCysGAQQBgjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYG +CCsGAQUFBwMHBggrBgEFBQgCAgYKKwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUF +BwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAwXuEWDG3 +aAyL+DsGr0B4YMLjHtx6FjzkJOpTtXQhkrtSMpD3Xytl7Wfz8lyWuTnbrk8F4gWO +IkJR/NdMGW27SmeYU0z7QAGRDwtHX6kqqizQbCwf4F6P/2QftcLp1VrlsIlb0gyx +gLjpGmn5TT7gj+ahW0iIRglOwhzCvkNu6agYpdGwVirSyLShy/Hq303DZSbVuktz +5/PmZKpufnoGqURNnJqbV4TQipE0FiDmp2o+gVgJ+DVRhiCdfk68Xp7+TlmxCDfZ +C3qb18qrwAZ4AL3T9/RlzfkXh4ME9V6wqa5Y6j7Vwx5Ef2OHL+mnMnoNSXDLRh6j +45ky66su5dROpA== +-----END CERTIFICATE----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt new file mode 100644 index 0000000..35506b8 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENDCCAxygAwIBAgIBAjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50 +aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMB4XDTE4MDYxMzAwMDAwMFoXDTI3MDYxMDIzNTk1OVowfTELMAkGA1UEBhMC +TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMSQwIgYDVQQDExtJ +ZGVudGl0eSBDQSBUZXN0IFdpdGggQ2hhaW4xJjAkBgkqhkiG9w0BCQEWF2luZm9A +aXN0LmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA1r8Q0V8ZVeBs8tPMF0N+JlBynl1Zn/89vwSsU4m7y6ixUcW/y3r12CMeA0cH +g6yOaOdHsZ8pRlPRwy9YmeOwLsMOUHAURP2uPiTjSf3pttUIf0jv602GyirNzoS7 +7mHiyTtV80ZMzZlLIJ3gaJJlG4DjitFuFcjv8sOmviFjkn1kOjkAz1nKgsCiHvvg +fcJlYPrtLfle9SzvZ3MTq4ob+/EFu9nt5bYYs7p7Br1TGWctUw98l2mSn/FhfDBw +9bb7ZhcKB7W6PGy2Os5AnkdTJKHoOQT+RmnHzPBhab0BoKuy8IhfW2GyqC8rL5Tm +/UVLUvnx4Zzqz//3IyA2FTb1HQIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYD +VR0OBBYEFE1VQk0XOEk9F5hPhBLHp0rncJcJMB8GA1UdIwQYMBaAFER4R6N3MQ1W +l7gn+R8wwHloDCVZMA8GA1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYB +BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggr +BgEFBQcDCQYIKwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEB +CwUAA4IBAQCbl7ed4p66G6WquxO7ceZFvYKn3kDErjCfXHcqHxBnA2xTpoZCGj95 +Qpirqo6N4UcLX5sn3CmgyVk0dYvlti/53FJgZ9XQDNxBuEYWPkY7vO+Uo0WdYpGz +ZDNIUQpiPMA7bHvwKldTIs77xxtnw9kbBU2k0xQyb2tdZNfD5YqSI1MeUtpEpNFW +sbC8+mQ3clzWpjF8eHH1fFSAmlJ+z1Uqmtt2FK0vRz+MQcpydwvpMnfqGdcwhGPQ +X4HZreLObjBA8KUEkUB3+rZXuELBgkk/c8/jRZl7QF5jJDLQCCLg7KoYBKN2GuTt +/dzeSnP7VZm/nTL8wpCvKgSOwOGgklf2 +-----END CERTIFICATE----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/unrelated_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/unrelated_identity_ca new file mode 100644 index 0000000..52cf047 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/unrelated_identity_ca @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDpDCCAoygAwIBAgIJALE5lRKfYHAaMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV +BAYTAk5MMRMwEQYDVQQIDApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8w +DQYDVQQKDAZBRExJTksxGDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTAeFw0xODAy +MDkxNjIwNDNaFw0zODAyMDQxNjIwNDNaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI +DApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8wDQYDVQQKDAZBRExJTksx +GDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAN9/NbpJDHQYHh3cEByRxnHffxEe9Sapn08Ty5xYO8LDJ4V7vU32 +/7291fITiHaovOoCRHAbKTaTtqJO56aGY45HON6KIqxljLQJJVGW/Nf2PNSHmFix +6D6bsoSOTPyKYqBNT6lB7NMn4QBTcsiE61El8p9WLQZHoYQJK5Psf7wkBqGBz8he +bcDWXFn7kIgnsaLrh77w2wi/y0MqpPwyeRInoZfYknzVNdxCPgq7csBYDoMgOgkV +G60ECXojHKz1HI4n0V8L8lZluSSVRNR0xvPFgBqO7b+Re7xb6iO9TNsFeoiMMNyp +EwM99CqPO0RRrAPiC7IDgcNGjxhne9EJFGsCAwEAAaNjMGEwHQYDVR0OBBYEFCst +gj5Ecm3HU/N7wxJluFo5+6XUMB8GA1UdIwQYMBaAFCstgj5Ecm3HU/N7wxJluFo5 ++6XUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQCWibvYuPLpoNcsUdHbE7SnBbEQnDfBxBZN8xeWHwwAPEB+8eHhmIdZ +xDtCN61xr5QR+KzlEYFwKyHMp9GN3OPU1RndJrzaXz2ddAZVkBIvnQZ4JvFd+sBC +QQgEvL8GcwZPxnad/TRylM4ON3Kh0X9vfyrmWEoHephiE1LcENaFqcYr9xg3DJNh +XSrigMGZJ7IOHkvgaoneICOcYI42ZHS0fnt1G+01VKJXm3ndi5NL25GnOmlvV6yV ++1vcmdQc6YS8K8vHmrH4lX9iPfsOak6WSzzsXdqgpvyxtGJggcFaDTtmbWCAkJj0 +B7DMeaVlLClGQaKZZ7aexEx9se+IyLn2 +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/src/ca.crt b/src/security/builtin_plugins/tests/validate_local_identity/src/ca.crt new file mode 100644 index 0000000..426d312 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/src/ca.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkTCCAnmgAwIBAgIJAJvGJOEKNct1MA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV +BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxGDAWBgNVBAMMD0NIQU01MDAgcm9vdCBjYTAeFw0xODAy +MTIxNTA1MDVaFw0yMDEyMDIxNTA1MDVaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI +DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx +GDAWBgNVBAMMD0NIQU01MDAgcm9vdCBjYTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAM/dCO4QAcCduw0NMqShDpTvGT6DClTFAJE8ZfuPCHKqNkicRbyj +sVXfF35Sdo6K92Ksz4G7i1RqJU2n8c7hg2EFUza0lIGgmTHV/DvFBcbAa0PpvdKS +XoPtSNDh65/GO1R7oeSFRzapqsLMPUwOWi46dYvRnPabxs21xHxn56JeuG74bad5 +PMTBvA2SiiTYPBlHGJS78GPo3BPMjL0MzPoMmumO8NSVYI+MEDY1lC4KkyZVKqtV +nIfaO/7adcM19xOAfAHkwhLGBC/bVAEqelev+GH/42xjNv532nM4/JVtBns+msR5 +DAYdtr6i82b7zhU1+lOOihv4lmQHoSnTya8CAwEAAaNQME4wHQYDVR0OBBYEFFYr +0CpiwxgFcZnW6IQEhxGv/vwiMB8GA1UdIwQYMBaAFFYr0CpiwxgFcZnW6IQEhxGv +/vwiMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKbBt0ht72fdtxwm +Kr0pOsKyDW0Rd5Ca5aDK4qAhDL0AD5+O6ShGYCnFNDGk3J5Yzawp8VoKrhDZZyUt +z2b0jNucVapAvPMA4066QxeIfvFmWcS73l7vjjeUoKWmNNGWprTg3RLsacTorKuY +ZRL7wsThfrhvg4B/OOIWKp5MEwIrUfnQzUca8getF2eyTt6QcMtE29AW5+01QTzj +fxZgzkmJFYBE2K/TLMDBDd+bz/8XnmPrJ01VUntXiXenTGTcIbJerB6GYQojjvhy +ZrOeuHTON1ndFiQkpeZA67ByZjkKVoJG3I8fwBjzcLE7u/QAQptVPjJXXcSpL7fA +a1tOvqw= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/src/id.crt b/src/security/builtin_plugins/tests/validate_local_identity/src/id.crt new file mode 100644 index 0000000..7c03aae --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/src/id.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw +NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD +VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo +97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M +aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr +A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg +XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629 +V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr +ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT +liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD// +UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9 +3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt +988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359 +ihiEkx9zFUnPrdA= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/src/priv.pem b/src/security/builtin_plugins/tests/validate_local_identity/src/priv.pem new file mode 100644 index 0000000..b560f66 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/src/priv.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0Z5zZ1dz2a22cI8ZPnZEHDt6St8DL6AzQBzz4k310Vdioyx8 +bLiu8Ffhjx5l6Pe26LerwcTUDe4X8aAyy/igTvbN1fvDl+pTqxe4UOvuv6fRIEaM +jRqNtXiMxsHNjGiQCoyJjTGzOxQ074ZN7vlU0ybZZyryTNbYJ3GxGcES64v9jBAu +V0vzuRUE+AFz6wOm0XBjKglWLUNHIusHdfD3oAP60phkkX/0zneI2V5MXxw/mDpB +3Mcc/bF+Cp8joF2ZvIw3QXO68Yg3qfJCIy9OlbMyXqEK8Y7n/HDWbW6Jf+xAkuWj +NmDse7dA3P+tvVdkOcGkVQVecVQidAc1IfKyBQIDAQABAoIBAEddUpzUQTTS11Hq +5gVF7lpORYxH8KW+PLSPJtjdAduLjKFQ++tn1OcuhDRdfQSbkUIZhfgqMqerb6tr +ht+6fZlknR9E34pQ1LtjD/U83cOSNrhuTFudtrEZoZPpVzl+P8vXnNzdFs/+SSdi +6hV5/U8F4u4kyOkwG9cR9eF2wiI+oQ/RBKCXUo3OVs9K27A/OkKsb7coL7yBsgBj +lzorS9a/DyHT2eiMKjwCZFyG4A66EkLi6t9JLJ8oTkI2WskXYeVEAbEXE57RWm44 +2OgTI/Yc2yrtXq93KD17FN1m77dqp7EPAhjGnRHNq7+0Ykr1EO1nbDfqHG4gS+4o +lfP8iwECgYEA58da0R34l93yQnK0mAtoobwvsOjADnBVhBg9L4s2eDs8liUjf0zt +7hcMdUJaa7iMuNf3qGtnZtRURc3kSOE429Or7fCAYUr/AaA7+2ekPG1vjMb50tVv +se5rwb1hvgMYe2L5ktJJAg+RcmqpY+ncJ+hP/vWwZRxUKvXba50qqEkCgYEA54ZE +mJfSueGM/63xlhP71CM4OWtTqkQGp2OmgTOsBI5q/GUXr8vMR8sCEMHAc6HyXzmL +x/RnAoa/vTX58rXBk0QjfO9esIHa452697EIaJu5w8skCLDv2e/f+Jg7o/IDyUZs +5lqhiEuH9Qc3sx2nhnSYXMZWqwh8OchI7dCSE90CgYEAzrJ1JhpxUJYI7wM2VIWQ +GPQnH8BhTj8VtEidgCHJQK2rGUcjgepMIVECtiunUXtyW4GWBedKfmSKhvnXRLs9 +pqT9JaOeCaYFBiEsfMZvq8f4e/YSYtge1PIHvO40FWzTT23zneDUZPcXQY8nYsfy +otBFTt0yIumBkhJRTIYLvakCgYA+CcttvBj6OAcJJ/n5RgeP05QoRqsXj7zcs6YV +LtxkKClg0lHjiE+H2U0HYnOISJfijk/3V3UWxzavo7wDHlLtfC+qNZYA4/rcTRKh +dm2TYk8HuPJB5e+PTWiNe3VXu+zpzRY3L4fjNqIKtVFmjIasT6fYDEmC8PYgoZtx +JhdOfQKBgCD/bDkc+VI6lwQtoQQKiSfQjKGe+6Cw9K/obzWO0uJwBvZrGLXF8tTc +MOPIv9OILt7DYxpMXAiHv8HtzH5CFVrZ/nj63SRoka/j2yvUdBDrGhyIbsc4pDu+ +lCFa0ZiT/u5vRAiOkM6GuStH4HxnW9LtwBtiYXtfU7IPExJiAlsq +-----END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/src/remote b/src/security/builtin_plugins/tests/validate_local_identity/src/remote new file mode 100644 index 0000000..195709a --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_local_identity/src/remote @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMzCCAhsCCQDn8i4K9c4ErzANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMzIzMTIw +MTE5WhcNMjMxMDMxMTIwMTE5WjBYMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMREwDwYD +VQQDDAhDSEFNLTU3NzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcc +IMlRp2EnOC/UIIOF2gm+wtsikv5CscDuyq9DA2QgS5TTKqivDAdOSUIcbVn8qb6/ +77viarmRXml3VHJdhR2abtY6xYKYF2SCFiyoNk6ITq+YBrCfmMh/bCYTD6c5vnl4 +SKomIArU1g1YAxHxHqZRX1oonldUdP4lqq+Qt6fllYFhHNAl5JjrrCuPpXmAW3pC +z4b3HWP/6vnbOFFMYkwGprVoAljcnAG7C7zSjW2M3RN4xA/z6Lps8qrPFB2iAXaP +ZnST1rkqctf2IDWVwloG0uJnqiigcIz6+hvf5VMU0ax+CrYqFGav/uwvPCiHcUkF +3a/O3z+4xGHaBagfHukCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAXZlNPz6raCBp +F+iyNWTGy27OyM/TZNE9QTPI28TQEmLfqCrRfq+uHhBQ3U9TgS3xX/f5b+BPHuaD +N6vl/yECAQa+0r33EFdoe8rGa0Mr5VvADcqPmk/sp9K62fRcP4aCgliDi8g9G8q1 +XNgO/EA9HhFlFKPzLPFMhq7qqPOQWO/EddoxA/qCMGZtN+TAxqLKVB0lipJoSa0x +XqtYvNWiaShPceSk4SAjAdpdhvxOpA/25uvFEISdt9zoqbs4eLUbi/9RFYaL8U4r +E+FygZMi31N6PC/Q7/tJ4DG20K/V30Y1+ogvSfdJpWk9L/CJj0VrzqJTVaKBIFVV +6PtqHPZiKA== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/src/unrelated_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/src/unrelated_identity_ca new file mode 100644 index 0000000..f2bec0c --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/src/unrelated_identity_ca 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDpDCCAoygAwIBAgIJALE5lRKfYHAaMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV +BAYTAk5MMRMwEQYDVQQIDApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8w +DQYDVQQKDAZBRExJTksxGDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTAeFw0xODAy +MDkxNjIwNDNaFw0zODAyMDQxNjIwNDNaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI +DApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8wDQYDVQQKDAZBRExJTksx +GDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAN9/NbpJDHQYHh3cEByRxnHffxEe9Sapn08Ty5xYO8LDJ4V7vU32 +/7291fITiHaovOoCRHAbKTaTtqJO56aGY45HON6KIqxljLQJJVGW/Nf2PNSHmFix +6D6bsoSOTPyKYqBNT6lB7NMn4QBTcsiE61El8p9WLQZHoYQJK5Psf7wkBqGBz8he +bcDWXFn7kIgnsaLrh77w2wi/y0MqpPwyeRInoZfYknzVNdxCPgq7csBYDoMgOgkV +G60ECXojHKz1HI4n0V8L8lZluSSVRNR0xvPFgBqO7b+Re7xb6iO9TNsFeoiMMNyp +EwM99CqPO0RRrAPiC7IDgcNGjxhne9EJFGsCAwEAAaNjMGEwHQYDVR0OBBYEFCst +gj5Ecm3HU/N7wxJluFo5+6XUMB8GA1UdIwQYMBaAFCstgj5Ecm3HU/N7wxJluFo5 ++6XUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQCWibvYuPLpoNcsUdHbE7SnBbEQnDfBxBZN8xeWHwwAPEB+8eHhmIdZ +xDtCN61xr5QR+KzlEYFwKyHMp9GN3OPU1RndJrzaXz2ddAZVkBIvnQZ4JvFd+sBC +QQgEvL8GcwZPxnad/TRylM4ON3Kh0X9vfyrmWEoHephiE1LcENaFqcYr9xg3DJNh +XSrigMGZJ7IOHkvgaoneICOcYI42ZHS0fnt1G+01VKJXm3ndi5NL25GnOmlvV6yV ++1vcmdQc6YS8K8vHmrH4lX9iPfsOak6WSzzsXdqgpvyxtGJggcFaDTtmbWCAkJj0 +B7DMeaVlLClGQaKZZ7aexEx9se+IyLn2 +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/src/validate_local_identity_utests.c b/src/security/builtin_plugins/tests/validate_local_identity/src/validate_local_identity_utests.c new file mode 100644 index 0000000..b4c7067 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/src/validate_local_identity_utests.c 
@@ -0,0 +1,2109 @@ +/** @file qos_utests.c + * @brief Unit tests for qos APIs + * + */ +/* CUnit includes. */ +#include +#include +#include "dds/ddsrt/environ.h" +#include "CUnit/CUnit.h" +#include "CUnit/Test.h" +#include "assert.h" + + +/* Test helper includes. */ +#include "common/src/loader.h" + + +#include "dds/security/dds_security_api.h" +#include +#include +#include +#include + +static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca"; +static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key"; +static const char * PROPERTY_PASSWORD = "dds.sec.auth.password"; +static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate"; +static const char * PROPERTY_TRUSTED_CA_DIR = "dds.sec.auth.trusted_ca_dir"; + +static const char *identity_certificate_filename = "identity_certificate"; +static const char *identity_certificate = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n" + "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n" + "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n" + "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n" + "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n" + "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n" + "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n" + "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n" + "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n" + "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n" + "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n" + 
"gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n" + "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n" + "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n" + "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n" + "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n" + "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n" + "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n" + "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n" + "-----END CERTIFICATE-----\n"; + +static const char *identity_ca_filename = "identity_ca"; +static const char *identity_ca = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n" + "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n" + "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n" + "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n" + "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n" + "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n" + "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n" + "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n" + "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n" + "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n" + "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n" + "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n" + "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n" + "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n" 
+ "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n" + "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n" + "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n" + "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n" + "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n" + "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n" + "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n" + "-----END CERTIFICATE-----\n"; + +static const char *private_key_filename = "private_key"; +static const char *private_key_pem = + "data:,-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n" + "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n" + "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n" + "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n" + "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n" + "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n" + "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n" + "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n" + "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n" + "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n" + "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n" + "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n" + "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n" + "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n" + "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n" + "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n" + "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n" + "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n" + "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n" + 
"pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n" + "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n" + "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n" + "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n" + "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n" + "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n" + "-----END RSA PRIVATE KEY-----\n"; + +static const char *unrelated_identity_ca_filename = "unrelated_identity_ca"; +static const char *unrelated_identity_ca = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIDpDCCAoygAwIBAgIJALE5lRKfYHAaMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV\n" + "BAYTAk5MMRMwEQYDVQQIDApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8w\n" + "DQYDVQQKDAZBRExJTksxGDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTAeFw0xODAy\n" + "MDkxNjIwNDNaFw0zODAyMDQxNjIwNDNaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI\n" + "DApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8wDQYDVQQKDAZBRExJTksx\n" + "GDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n" + "ADCCAQoCggEBAN9/NbpJDHQYHh3cEByRxnHffxEe9Sapn08Ty5xYO8LDJ4V7vU32\n" + "/7291fITiHaovOoCRHAbKTaTtqJO56aGY45HON6KIqxljLQJJVGW/Nf2PNSHmFix\n" + "6D6bsoSOTPyKYqBNT6lB7NMn4QBTcsiE61El8p9WLQZHoYQJK5Psf7wkBqGBz8he\n" + "bcDWXFn7kIgnsaLrh77w2wi/y0MqpPwyeRInoZfYknzVNdxCPgq7csBYDoMgOgkV\n" + "G60ECXojHKz1HI4n0V8L8lZluSSVRNR0xvPFgBqO7b+Re7xb6iO9TNsFeoiMMNyp\n" + "EwM99CqPO0RRrAPiC7IDgcNGjxhne9EJFGsCAwEAAaNjMGEwHQYDVR0OBBYEFCst\n" + "gj5Ecm3HU/N7wxJluFo5+6XUMB8GA1UdIwQYMBaAFCstgj5Ecm3HU/N7wxJluFo5\n" + "+6XUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB\n" + "CwUAA4IBAQCWibvYuPLpoNcsUdHbE7SnBbEQnDfBxBZN8xeWHwwAPEB+8eHhmIdZ\n" + "xDtCN61xr5QR+KzlEYFwKyHMp9GN3OPU1RndJrzaXz2ddAZVkBIvnQZ4JvFd+sBC\n" + "QQgEvL8GcwZPxnad/TRylM4ON3Kh0X9vfyrmWEoHephiE1LcENaFqcYr9xg3DJNh\n" + "XSrigMGZJ7IOHkvgaoneICOcYI42ZHS0fnt1G+01VKJXm3ndi5NL25GnOmlvV6yV\n" + "+1vcmdQc6YS8K8vHmrH4lX9iPfsOak6WSzzsXdqgpvyxtGJggcFaDTtmbWCAkJj0\n" + 
"B7DMeaVlLClGQaKZZ7aexEx9se+IyLn2\n" + "-----END CERTIFICATE-----\n"; + +static const char *invalid_identity_certificate_filename = "invalid_identity_certificate"; +static const char *invalid_identity_certificate = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO\n" + "TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\n" + "cyBQdHkgTHRkMRgwFgYDVTQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw\n" + "NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t\n" + "ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD\n" + "VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\n" + "AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo\n" + "97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M\n" + "aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr\n" + "A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg\n" + "XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629\n" + "V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr\n" + "ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT\n" + "liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD//\n" + "UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9\n" + "3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt\n" + "988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359\n" + "ihiEkx9zFUnPrdA=\n" + "-----END CERTIFICATE-----\n"; + +static const char *invalid_identity_ca_filename = "invalid_identity_ca"; +static const char *invalid_identity_ca = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIDljCCAn6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UEBhMCTkwx\n" + "EzARBgNVBAgMCk92ZXJpanNzZWwxEDAOBgNVBAcMB0hlbmdlbG8xDzANBgNVBAoM\n" + "BkFETElOSzEYMBYGA1UEAwwPQ0hBTTUwMCBSb290IENBMB4XDTE4MDIwOTE2Mjky\n" + "MVoXDTI4MDIwNzE2MjkyMVowVTELMAkGA1UEBhMCTkwxEzARBgNVBAgMCk92ZXJp\n" + 
"anNzZWwxDzANBgNVBAoMBkFETElOSzEgMB4GA1UEAwwXQ0hBTTUwMCBJbnRlcm1l\n" + "ZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwucuU/L6N\n" + "iYxYJ7tyzcdzwXwYbr4GynZE4u2Sd7hcXrQGxTotm9BEhOZWscSGvH+UJSp0Vrb4\n" + "3zDppiJ76ys6PeSBw1PpxdO97fO+eAE5DoXRj0a9lmnjbsV6waZ2GxgYQNVmKqbI\n" + "uPDfW+jsmRcTO94s05GWQshHeiqxuEUAv3/Qe2vOhulrg4YDcXrIDWK93cr1EmRX\n" + "Eq3Ck+Fjwtk5wAk3TANv2XQkVfS80jYAurL8J+XC2kyYB7e8KO92zqlfVXXMC3NI\n" + "YDcq86bAI4NNMjVE2zIVheMLoOEXaV7KUTYfEQABZl76aWLDxjED9kf371tcrZzJ\n" + "6xZ1M/rPGNblAgMBAAGjZjBkMB0GA1UdDgQWBBQngrlZqhQptCR4p04zqHamYUx7\n" + "RTAfBgNVHSMEGDAWgBQrLYI+RHJtx1Pze8MSZbhaOful1DASBgNVHRMBAf8ECDAG\n" + "AQH/AgEAMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEAfMmiQ0tv\n" + "o3K3xwSS621tsfkijUTx920hAe1XYY2XKrG7a/MJBhStex5A3AfqPOY9UMihkBl9\n" + "3hgxOaddX9SAf2eLk2JLhqxZi1U/GVzT5h10AKLA5WUXIK4UGz3JRqhEm7V39t/N\n" + "G0LCdpWOZueezkfO6eGcAvOKthdd32a3zbn+rzzDHdsjzxhEEv8d8x1Xf4xH2dgk\n" + "HlpmpvXMfG/1aCzIpWGEPdkB7WR694GiCmh7hnFBiY+h1GFj2l5dThd51QqAlncM\n" + "u+NmlPCrFZL0ulwRFeo80KOwDpxkqgavDlP9irdWqM9VHybjGu0xFHCeElz9M6od\n" + "ym/MCh4ax7jDxg==\n" + "-----END CERTIFICATE-----\n"; + +static const char *identity_certificate_1024key = + "-----BEGIN CERTIFICATE-----\n" + "MIICrjCCAZYCCQDn8i4K9c4ErjANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO\n" + "TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\n" + "cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjE2MTAy\n" + "MzM2WhcNMjMwODA5MTAyMzM2WjBXMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t\n" + "ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYD\n" + "VQQDDAdDSEFNNTY5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS5w0h8L70\n" + "hkreKchVbTzfz4CrBLY4iADNSqPx9uW7DxjeHyLbKT2eRViY/xPuPXQmfRim01QM\n" + "sZWKvFr6k9WMsJ6ItNtCyKS/beONqvXOddIu+4IhNzEGs5v4pTJAOzraoZcVmXnf\n" + "Mr9G/baMYfMG47JR5HaSHDI5esa2STHt4wIDAQABMA0GCSqGSIb3DQEBCwUAA4IB\n" + "AQBdZ2ijHYH8TkOGBqzsNwnNwPaDb/NA0vAO9T5kSOm8HA8vKHnNza+DeUJN+5P/\n" + "P4fLK7UZqpQN32MpvXL0068g99RLjAzAsEVn+0FTyc08r9p/KO/dxxdMKeET7Cpv\n" + 
"rMpu3W0A/EJptCQsTEZI0iqts7T2qQVXzoDlnUwEt3xdmKYJ9jbEq1UUCeexD3nP\n" + "LB+JtUtfGevVzIoBjHv0qA3ePA24jDUlx5bxFeoIDC4tEewvUG5ZekftsRdNe3fk\n" + "3LkwyK+4NN1ZCa2+S5SOAfjZA2o6qXiq/le0vWRgl7AHEgDr6w7xoRsw4K5dQ+0R\n" + "eKtsBC4XO1GqrNYdKuJb1MhI\n" + "-----END CERTIFICATE-----\n"; + +static const char *invalid_private_key_filename = "invalid_private_key"; +static const char *invalid_private_key = + "data:,-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEowIBAAKCAQEA0Z5zZ1dz2a22cI8ZPnZEHDt6St8DL6AzQBzz4k310Vdioyx8\n" + "bLiu8Ffhjx5l6Pe26LerwcTUDe4X8aAyy/igTvbN1fvDl+pTqxe4UOvuv6fRIEaM\n" + "jRqNtXiMxsHNjGiQCoyJjTGzOxQ074ZN7vlU0ybZZyryTNbYJ3GxGcES64v9jBAu\n" + "V0vzuRUE+AFz6wOm0XBjKglWLUNHIusHdfD3oAP60phkkX/0zneI2V5MXxw/mDpB\n" + "3Mcc/bF+Cp8joF2ZvIw3QXO68Yg3qfJCIy9OlbMyXqEK8Y7n/HDWbW6Jf+xAkuWj\n" + "NmDse7dA3P+tvVdkOcGkVQVecVQidAc1IfKyBQIDAQABAoIBAEddUpzUQTTS11Hq\n" + "5gVF7lpORYxH8KW+PLSPJtjdAduLjKAQ++tn1OcuhDRdfQSbkUIZhfgqMqerb6tr\n" + "ht+6fZlknR9E34pQ1LtjD/U83cOSNrhuTFudtrEZoZPpVzl+P8vXnNzdFs/+SSdi\n" + "6hV5/U8F4u4kyOkwG9cR9eF2wiI+oQ/RBKCXUo3OVs9K27A/OkKsb7coL7yBsgBj\n" + "lzorS9a/DyHT2eiMKjwCZFyG4A66EkLi6t9JLJ8oTkI2WskXYeVEAbEXE57RWm44\n" + "2OgTgfsgYgf2ftXq93KD17FN1m77dqp7EPAhjGnRHNq7+0Ykr1EO1nbDfqHG4gS+4o\n" + "lfP8iwECgYEA58da0R34l93yQnK0mAtoobwvsOjADnBVhBg9L4s2eDs8liUjf0zt\n" + "7hcMdUJaa7iMuNf3qGtnZtRURc3kSOE429Or7fCAYUr/AaA7+2ekPG1vjMb50tVv\n" + "se5rwb1hvgMYe2L5ktJJAg+RcmqpY+ncJ+hP/vWwZRxUKvXba50qqEkCgYEA54ZE\n" + "mJfSueGM/63xlhP71CM4OWtTqkQGp2OmgTOsBI5q/GUXr8vMR8sCEMHAc6HyXzmL\n" + "x/RnAoa/vTX58rXBk0QjfO9esIHa452697EIaJu5w8skCLDv2e/f+Jg7o/IDyUZs\n" + "5lqhiEuH9Qc3sx2nhnSYXMZWqwh8OchI7dCSE90CgYEAzrJ1JhpxUJYI7wM2VIWQ\n" + "GPQnH8BhTj8VtEidgCHJQK2rGUcjgepMIVECtiunUXtyW4GWBedKfmSKhvnXRLs9\n" + "pqT9JaOeCaYFBiEsfMZvqUY4e/YSYtge1PIHvO40FWzTT23zneDUZPcXQY8nYsfy\n" + "otBFTt0yIumBkhJRTIYLvakCgYA+CcttvBj6OAcJJ/n5RgeP05QoRqsXj7zcs6YV\n" + "LtxkKClg0lHjiE+H2U0HYnOISJfijk/3V3UWxzavo7wDHlLtfC+qNZYA4/rcTRKh\n" + 
"dm2TYk8HuPJB5e+PTWiNe3VXu+zpzRY3L4fjNqIKtVFmjIasT6fYDEmC8PYgoZtx\n" + "JhdOfQKBgCD/bDkc+VI6lwQtoQQKiSfQjKGe+6Cw9K/obzWO0uJwBvZrGLXF8tTc\n" + "MOPIv9OILt7DYxpMXAiHv8HtzH5CFVrZ/nj63Soka/j2yvUdBDrGhyIbsc4pDu+\n" + "lCFa0ZiT/u5vRAiOkM6GuStH4HxnW9LtwBtiYXtfU7IPExJiAlsq\n" + "-----END RSA PRIVATE KEY-----\n"; + +static const char *private_key_1024 = + "data:,-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXAIBAAKBgQDS5w0h8L70hkreKchVbTzfz4CrBLY4iADNSqPx9uW7DxjeHyLb\n" + "KT2eRViY/xPuPXQmfRim01QMsZWKvFr6k9WMsJ6ItNtCyKS/beONqvXOddIu+4Ih\n" + "NzEGs5v4pTJAOzraoZcVmXnfMr9G/baMYfMG47JR5HaSHDI5esa2STHt4wIDAQAB\n" + "AoGAQi7LijkYU3fJCsql2Vj8X2eogwJphHf5eHLR296U3QyxyxKOR6Q7d+1fDjQN\n" + "txeF2YYsND3hBFK+ENlm23eE7Z1tpWtnLNJ9OH84ZkPnqTnEcWsRddT/x9vKOPMz\n" + "eK8QNetD3AP5qXsjpIpgep1diWYHCyhMTAFISzvdtC7pvFECQQD2zoqwRtF26lzg\n" + "QPR02Z+L80R2VhpeLoqMIplT1bmlrPlDr/eIwvtu1eQFyGSASG2EFs1rucdJl7qu\n" + "SrJ+eyv1AkEA2sIjy8+RCk1uH8kEwYaMJ3dccqnpcMCZ1b3GncKl+ICmDCYcpfd5\n" + "rP5tX+GL3RVw370pUApJvrVTgOpAVHYjdwJAOYz8BhLdcS9BLQG4fy7n50h4pGd7\n" + "io6ru/Wtb0EdIybskP4NaJSe8L9rhnWuCcPZ1b1DdWVCtURuQYoliRzLqQJBAJWO\n" + "ZrSfKpS1jRVT89lu6ADPXLfTrBH2yvVS8ifG/HshUOQ7ZhidUWVQ6GvFoj46u1lr\n" + "VIQxFGu6QeV/wQ09W08CQHGkrZgu/FpS2tNvYmKNDHOna+dW452N5N81u5sRP1A8\n" + "x9pYC9xoOGE2E8v1ocMJDPoMe0yk1QSX9mjhhwYOy28=\n" + "-----END RSA PRIVATE KEY-----\n"; + +static const char *private_key_w_password_filename = "private_key_w_password"; +static const char *private_key_w_password = + "data:,-----BEGIN RSA PRIVATE KEY-----\n" + "Proc-Type: 4,ENCRYPTED\n" + "DEK-Info: AES-256-CBC,0C9C38C5678AECD200E024A9A5BC717A\n" + "\n" + "wbXYsR78o4DIaQbKsB4cwEFge79GMKbcMgIWK+9k86dPk09WZkj7JCSJXIxPLYOG\n" + "tFZrw/z86cakEhf90a4Moa1cwByrcFB+bpWoEqsx/C4javWxXMENbmQ5x8gDpmzT\n" + "qqLI7xnd2mYj7HcfE7eXi+Nub5w1tBxN0CWaxpR54ZVvfcPE6Od4SHGughdUN4AK\n" + "OdVIq5YuzMhuTDJKy+kGOtjH8pBWvo8S12T2UQEuusx5WUbEJ6m+E80aN7M6gCA+\n" + "XmNTt3PsV9PfZPL2Off/90gqTBdMhwn+sEVlqYG0TAnXZQEI8ZNtAGy77CFplqdT\n" + 
"SmI3x8Sza7lchEMFhRiayX9pMBPUlwckVPrCoMQ4b4WkHYoGLO7dNVAA8Osud46+\n" + "6MZKHStjdzwKz9MzWa7lXhXV+0sX5bcAzQexuE+wO8QQ/t5uwDmQHol0JVdRX8NB\n" + "/Exk6aT7mWajFvukXVirpUGWnEK2W+O8/VBzVZ7z69EjZ09Pu4Y/+cbX12LGSwMb\n" + "WVtnZY6BsrV++vikQuL3ByTBDPRHio2H8hThh1Kv8n5VEBUrk7tLUp3Z15cbfC6s\n" + "LDHX6kB2OKmmdqLOOMo4lToZfnrVK/dzeXFbtNH1POpR4/e5Nk0SyZrWo+E/AqIv\n" + "nLQ3fhLCPOB5rjAhuM8iXOwqn8HHNlv9j8mlgCcgwK7focYVc/IXARLOfFOjOA/s\n" + "EqMRbb/eKsC930NHBZkhlqRJKCwA37AMvnOhN4R0VOq/40K+62IUK9E1643KyWs0\n" + "vWk0rFY0OKorQXzI33lbBYZ5zHt8oxGNx3us+6jGP85iv8UEaO6FpgajEUn6Gzp/\n" + "wyvr1C/B/Hfr6eTbt4C6Fi5fMfZgM6VEcJuaFZnoC9tWdhlNsY1pwtPghMM7yBwc\n" + "1Ye0TxdF36exJWu1gXVTse1Vdc9i4QWpT2fbPQtcIgdtNk01K+2defie384IOnQQ\n" + "O8/SRsrnLRLV3IDFh/VBJS1ZVm8Zmt10yGgRwtYHntMkIopoFRWcm9/Gh3iBFKKH\n" + "OTVXxgKOUYk4qXG61N8k0M+TIdoOHZIha3Myis1tQVmA/b/4FRKPYgdrFijhXNLM\n" + "wwMHQOS14xBF2KBgaak7dMUWhGrClw1hc3HmMXuM+OLvxy+f8MC3JP2U5AuCs472\n" + "hc41KWxioqNMPVXZgVnHf3aEec+hBFceqYnlzG+E/Gagiufu8WMySaZgzXMRb5aV\n" + "x2OVcakSKrTC5EKbLDlZ6+1NRJht7wdSefh0o/Crc9LzcFqBL0Qp3WCvyY8gDVkQ\n" + "EGqoVYOE6Hz/NX5/17F1+5VuWT7nBWABHKFFriOoJ3VR9sZhp0HiMznZEF1AwVuZ\n" + "xHtDWQemfBywEQG23qbr+o7mQASh1zki8b4fP1HQmbHhaJarjwGdiVNIgcF7s7Qk\n" + "NYNcgsc1l0KuNHvredTnYwPhv3C08IBfjtd2H9u0A+AWl5RlR4GDfv2Jzbe/F8U+\n" + "0gxj8D2XWHlkbHIXKVk6jxj64xyNE1xB0Sv7gsDWpkaK6aw/zdsyxqiji4mThcYE\n" + "cRSl4y9CGZREaiyD8dk/uiqKfQ26c1gfOUDYS2fKjH5NKh4J80wQj0GvS6nHiDH4\n" + "-----END RSA PRIVATE KEY-----\n"; + +static const char *private_key_password ="CHAM569"; + +const char *ec_identity_certificate_filename = "ec_identity_certificate"; +const char *ec_identity_certificate = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIICOzCCAeGgAwIBAgICEAAwCgYIKoZIzj0EAwIwZTELMAkGA1UEBhMCTkwxEzAR\n" + "BgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2d5IEIu\n" + "Vi4xIDAeBgNVBAMMF0NIQU1fNTcwIENBIGNlcnRpZmljYXRlMB4XDTE5MDIxODEw\n" + "NTI0MVoXDTQ2MDcwNjEwNTI0MVowazELMAkGA1UEBhMCTkwxEzARBgNVBAgMClNv\n" + 
"bWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2d5IEIuVi4xJjAkBgNV\n" + "BAMMHUNIQU1fNTcwIElkZW50aXR5IGNlcnRpZmljYXRlMFkwEwYHKoZIzj0CAQYI\n" + "KoZIzj0DAQcDQgAEnbV79f5j2iTkDCbFMlVVs396YOoNViwKheBbhVoBG2n8I3mY\n" + "M9Zg1dmrHh16HsJfrTCbc0VAOdkH91mNRPZr46N7MHkwCQYDVR0TBAIwADAsBglg\n" + "hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O\n" + "BBYEFMZoftcgs1FL1FBUJhKGvpvqVaHqMB8GA1UdIwQYMBaAFHUuWr3OtGtMktK9\n" + "QnKSSydxn4ewMAoGCCqGSM49BAMCA0gAMEUCIQCyp777C9Tih7Asybj6ELAYS9xq\n" + "vFhV6CJGk9ixW1AXdwIgKs9CEPx+Ajk3RErPm6OaVcsVLRKGBn7UuCR6VxNItWk=\n" + "-----END CERTIFICATE-----\n"; + +const char *ec_private_key_filename = "ec_private_key"; +const char *ec_private_key = + "data:,-----BEGIN PRIVATE KEY-----\n" + "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgP3SnBXzcCc0uUEiG\n" + "0CPNdcV0hBewOnVoh4d9q9E5U5ihRANCAASdtXv1/mPaJOQMJsUyVVWzf3pg6g1W\n" + "LAqF4FuFWgEbafwjeZgz1mDV2aseHXoewl+tMJtzRUA52Qf3WY1E9mvj\n" + "-----END PRIVATE KEY-----\n"; + +static const char *ec_password ="CHAM-570"; + +const char *ec_private_key_w_password_filename = "ec_private_key_w_password"; +const char *ec_private_key_w_password = + "data:,-----BEGIN EC PRIVATE KEY-----\n" + "Proc-Type: 4,ENCRYPTED\n" + "DEK-Info: AES-256-CBC,11055B75D406068EB1FF850646228EA9\n" + "\n" + "GUnwN8e2gvUkopN3ak+2dK1dSTSKSJguers3h5C+qQDq57By933ijCCjUTu2LY/F\n" + "ERH6m8UD6H5ij/QDsXLx6tH/dFQ7An+Zao3eD2N2zquGED/OfTQJFv3gBKs4RUtg\n" + "66dfuv9mNSXt7Rnu9uBNtodm5JGifczdmIPHn0mNY2g=\n" + "-----END EC PRIVATE KEY-----"; + +const char *ec_identity_ca_filename = "ec_identity_ca"; +const char *ec_identity_ca = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIICEDCCAbegAwIBAgIJAPOifu8ejrRRMAoGCCqGSM49BAMCMGUxCzAJBgNVBAYT\n" + "Ak5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVjaG5v\n" + "bG9neSBCLlYuMSAwHgYDVQQDDBdDSEFNXzU3MCBDQSBjZXJ0aWZpY2F0ZTAeFw0x\n" + "OTAyMTgxMDQwMTZaFw00NjA3MDYxMDQwMTZaMGUxCzAJBgNVBAYTAk5MMRMwEQYD\n" + "VQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVjaG5vbG9neSBCLlYu\n" + 
"MSAwHgYDVQQDDBdDSEFNXzU3MCBDQSBjZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEG\n" + "CCqGSM49AwEHA0IABMXCYXBHEryADoYXMEE0Jw9aHlA7p3KVFzuypxuez0n7rKoX\n" + "k9kanNtrw5o2X4WSWKM7zkH4I6AU7xSAQgJN+8GjUDBOMB0GA1UdDgQWBBR1Llq9\n" + "zrRrTJLSvUJykksncZ+HsDAfBgNVHSMEGDAWgBR1Llq9zrRrTJLSvUJykksncZ+H\n" + "sDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIHKRM3VeB2F7z3nJT752\n" + "gY5mNdj91ulmNX84TXA7UHNKAiA2ytpsV4OKURHkjyn1gnW48JDKtHGZF6/tMNvX\n" + "VrDITA==\n" + "-----END CERTIFICATE-----\n"; + + +const char *ec_identity_certificate_unsupported_filename = "ec_identity_certificate_unsupported"; +const char *ec_identity_certificate_unsupported = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIICFTCCAbygAwIBAgICEAEwCgYIKoZIzj0EAwIwWjELMAkGA1UEBhMCTkwxEzAR\n" + "BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5\n" + "IEx0ZDETMBEGA1UEAwwKQ0hBTTUwMF9DQTAeFw0xODAyMTkxMDMyMjRaFw0xOTAy\n" + "MTkxMDMyMjRaMGExCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\n" + "HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAYBgNVBAMMEUNIQU01\n" + "NjkgdW5zdXAga2V5MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEKt3HYPnDlEOS\n" + "zYqTzT2patyreLHN2Jty22KXwjaNAjgrwujdPr+MW38DsyBF5Yn9o3sweTAJBgNV\n" + "HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp\n" + "Y2F0ZTAdBgNVHQ4EFgQUG9MuQz3W/AKA98AyOKhI2af9I+0wHwYDVR0jBBgwFoAU\n" + "ACsYsaEsZfjfRVrj0IBmcsncVyMwCgYIKoZIzj0EAwIDRwAwRAIgfhisahVmgghI\n" + "GaaQavdKHpM/OTVODZPzYjky6Am+z08CIBidnuuznXrZtr78oy/tAES/7Lz8P5Iw\n" + "Q1y5Vo8CdXQQ\n" + "-----END CERTIFICATE-----\n"; + +const char *ec_private_key_unsupported_filename = "ec_private_key_unsupported"; +const char *ec_private_key_unsupported = + "data:,-----BEGIN PRIVATE KEY-----\n" + "MG8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEVTBTAgEBBBh8p6kwBS7jT86ctN33\n" + "Vs4vosHh7upPZBWhNAMyAAQq3cdg+cOUQ5LNipPNPalq3Kt4sc3Ym3LbYpfCNo0C\n" + "OCvC6N0+v4xbfwOzIEXlif0=\n" + "-----END PRIVATE KEY-----\n"; + + +const char *private_key_not_matching_filename = "private_key_not_matching"; +const char *private_key_not_matching = + 
"data:,-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEpgIBAAKCAQEAz90I7hABwJ27DQ0ypKEOlO8ZPoMKVMUAkTxl+48Icqo2SJxF\n" + "vKOxVd8XflJ2jor3YqzPgbuLVGolTafxzuGDYQVTNrSUgaCZMdX8O8UFxsBrQ+m9\n" + "0pJeg+1I0OHrn8Y7VHuh5IVHNqmqwsw9TA5aLjp1i9Gc9pvGzbXEfGfnol64bvht\n" + "p3k8xMG8DZKKJNg8GUcYlLvwY+jcE8yMvQzM+gya6Y7w1JVgj4wQNjWULgqTJlUq\n" + "q1Wch9o7/tp1wzX3E4B8AeTCEsYEL9tUASp6V6/4Yf/jbGM2/nfaczj8lW0Gez6a\n" + "xHkMBh22vqLzZvvOFTX6U46KG/iWZAehKdPJrwIDAQABAoIBAQDGvQsAsoU6aJSj\n" + "Ee9NwD903nZAcoG6MvEr65eGQWdOWre0DNYQWmH/PGH2AVohR3Tn/1oXK/03JJWt\n" + "/dkQeEVoyfKZ52Xl2mseXv3fF61CLk9gi2dWoWOEt6ZbMOZbyOiJCfvrxhIkjWwa\n" + "+7PPuBk5AePJXwy4LJCTtiq61418i2Bbl6JamytgxsiVK9kZXdN6JqEVYmweMpmR\n" + "T1mzi7lssyttBIXwG8ajStUteIYLyi8d+UX4S08EyV0VGL0p5+F8xTY1jVX/t6Y0\n" + "KbANJdjEab9mbndzbxprJlS08KBLgdnAO4w0nmINiaO2isXOLoV8SU3tTqHC3W7c\n" + "CCSKJdGBAoGBAP9vCSP1AaEjYa6sfEUgThpCo7PhRuOMEDb+4ldv9O+hzXv5I8td\n" + "gbDs1g3jyhb0yhW9uV9NsuKBtsmv1zYFswZDNbdr2S1VZPMpAx+SeLHQWy6HbU/t\n" + "oHoOO+l8erFVvR2uqit5rBDzN6/lh4SoQzYE9JDAnXJp9W0rKAdtBSLRAoGBANBT\n" + "AIErbPo4EuU13DaEa+EfoU4Abktyi+L8dpdoXMq6sHg3Mlhifr+ryoybrMMA3tmT\n" + "6ekBCSVThF0/+HAFRAJthnyBgUd0D710JDHro47Mg37CxU+V8JYqZJGHUSfqng7/\n" + "pM7LjM99VhigquH4PoDH4YpL8vnIeEMNmny4iER/AoGBAJj8k+jpUXSFkHfh7vwo\n" + "AR9RUmLmRmL6/KsztbTQ5U6xBjV+XqXq90ZUU1A2Yk+lhXPIEkK2crGfJy9dFfTR\n" + "LQxPLNkSyxyPzMqmgaxjOc6mEDap/hqlJDx2UgPh/kpAI+inOFyZnyj3wx6ixqv5\n" + "a2frR996vdJNDCW6d1sbPLxBAoGBAMO66IN0UJy76Izw0Olr+4v10vFdmENM6T+o\n" + "IqhZBq33P+yDN8sxJ5NgjhsT/Pruq3LT9XbVYUlvsbKHcx2U5PQ/AZejedqvokZH\n" + "g+ZfVjnJz1ZfG1GOOBBu3jSZZdfSKRVAfhFJ0A/229ihxEwxmFAY/MCaYTzsbInb\n" + "kyXRnz5zAoGBAIT9Fuk7zhfubYvkzIQ0kj/IxL3QohVRKcoGapDMSwNjTvxZdKxF\n" + "WXkhhJT095QznHP1fhp90fBKlOdsReDWfZXMYtZTqo2+ezK8qb6xMlm+LE09y+Na\n" + "f7pp1EPnIqyEX27B4aQ81M8tkCqbdlv3CdjFSusp6SsWTGTjr/5SAMDS\n" + "-----END RSA PRIVATE KEY-----\n"; + +static struct plugins_hdl *plugins = NULL; +static dds_security_authentication *auth = NULL; + + +CU_Init(ddssec_builtin_validate_local_identity) +{ + 
/* Only need the authentication plugin. */ + plugins = load_plugins(NULL /* Access Control */, + &auth /* Authentication */, + NULL /* Cryptograpy */); + return plugins ? 0 : -1; +} + + +CU_Clean(ddssec_builtin_validate_local_identity) +{ + unload_plugins(plugins); + return 0; +} + + +static void +dds_security_property_init( + DDS_Security_PropertySeq *seq, + DDS_Security_unsigned_long size) +{ + seq->_length = size; + seq->_maximum = size; + seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t)); + memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t)); +} + +static void +dds_security_property_deinit( + DDS_Security_PropertySeq *seq) +{ + uint32_t i; + + for (i = 0; i < seq->_length; i++) { + ddsrt_free(seq->_buffer[i].name); + ddsrt_free(seq->_buffer[i].value); + } + ddsrt_free(seq->_buffer); +} + +static void +print_guid( + const char *msg, + DDS_Security_GUID_t *guid) +{ + uint32_t i, j; + + printf("%s=", msg); + for (i = 0; i < 3; i++) { + for (j = 0; j < 4; j++) { + printf("%02x", guid->prefix[i*4+j]); + } + printf(":"); + } + for (i = 0; i < 3; i++) { + printf("%02x", guid->entityId.entityKey[i]); + } + printf(":%02x\n", guid->entityId.entityKind); +} + +static void +reset_exception( + DDS_Security_SecurityException *ex) +{ + ex->code = 0; + ex->minor_code = 0; + ddsrt_free(ex->message); + ex->message = NULL; +} + +static void fill_participant_qos(DDS_Security_Qos *participant_qos, + bool is_file_certificate, const char *certificate, + bool is_file_ca, const char *ca, + bool is_file_private_key, const char *private_key, + const char* password, + const char* trusted_ca_dir){ + + char identity_cert_path[1024]; + char identity_CA_path[1024]; + char private_key_path[1024]; + char trusted_ca_dir_path[1024]; + unsigned size = 3; + + password ? size++ : size; + trusted_ca_dir ? 
size++ : size; + + memset(participant_qos, 0, sizeof(*participant_qos)); + dds_security_property_init(&participant_qos->property.value, size); + + participant_qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT); + participant_qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA); + participant_qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY); + + + if( is_file_certificate){ +#ifdef WIN32 + snprintf(identity_cert_path, 1024, "file:%s\\validate_local_identity\\etc\\%s", CONFIG_ENV_TESTS_DIR, certificate); +#else + snprintf(identity_cert_path, 1024, "file:%s/validate_local_identity/etc/%s", CONFIG_ENV_TESTS_DIR, certificate); +#endif + participant_qos->property.value._buffer[0].value = ddsrt_strdup(identity_cert_path); + } + else{ + participant_qos->property.value._buffer[0].value = ddsrt_strdup(certificate); + } + + if( is_file_ca){ +#ifdef WIN32 + snprintf(identity_CA_path, 1024, "file:%s\\validate_local_identity\\etc\\%s", CONFIG_ENV_TESTS_DIR,ca); +#else + snprintf(identity_CA_path, 1024, "file:%s/validate_local_identity/etc/%s", CONFIG_ENV_TESTS_DIR,ca); +#endif + participant_qos->property.value._buffer[1].value = ddsrt_strdup(identity_CA_path); + } + else { + participant_qos->property.value._buffer[1].value = ddsrt_strdup(ca); + } + + if( is_file_private_key){ + #ifdef WIN32 + snprintf(private_key_path, 1024, "file:%s\\validate_local_identity\\etc\\%s", CONFIG_ENV_TESTS_DIR,private_key); + #else + snprintf(private_key_path, 1024, "file:%s/validate_local_identity/etc/%s", CONFIG_ENV_TESTS_DIR, private_key); + #endif + participant_qos->property.value._buffer[2].value = ddsrt_strdup(private_key_path); + } + else{ + participant_qos->property.value._buffer[2].value = ddsrt_strdup(private_key); + } + + if( password ){ + participant_qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PASSWORD); + participant_qos->property.value._buffer[3].value = ddsrt_strdup(password); + } + + if( trusted_ca_dir 
){ + #ifdef WIN32 + snprintf(trusted_ca_dir_path, 1024, "%s\\validate_local_identity\\etc\\%s", CONFIG_ENV_TESTS_DIR,trusted_ca_dir); + #else + snprintf(trusted_ca_dir_path, 1024, "%s/validate_local_identity/etc/%s", CONFIG_ENV_TESTS_DIR, trusted_ca_dir); + #endif + participant_qos->property.value._buffer[size-1].name = ddsrt_strdup(PROPERTY_TRUSTED_CA_DIR); + participant_qos->property.value._buffer[size-1].value = ddsrt_strdup(trusted_ca_dir_path); + } + + +} + +CU_Test(ddssec_builtin_validate_local_identity,happy_day) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_GUID_t adjusted_participant_guid; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_GUID_t candidate_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb}; + DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1}; + DDS_Security_boolean success; + + /* Check if we actually have the validate_local_identity() function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (auth->validate_local_identity != NULL); + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, false, identity_certificate, + false, identity_ca, + false, private_key_pem, + NULL, + NULL); + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. */ + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + + print_guid("adjusted_participant_guid", &adjusted_participant_guid); + CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + success = auth->return_identity_handle(auth, local_identity_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + + /* validate with file */ + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, true, identity_certificate_filename, + true, identity_ca_filename, + true, private_key_filename, + NULL, + NULL); + + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. 
*/ + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + + print_guid("adjusted_participant_guid", &adjusted_participant_guid); + CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + success = auth->return_identity_handle(auth, local_identity_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + + + + +} + +CU_Test(ddssec_builtin_validate_local_identity,invalid_certificate) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_GUID_t adjusted_participant_guid; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_GUID_t candidate_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb}; + DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1}; + + /* Check if we actually have the validate_local_identity() function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (auth->validate_local_identity != NULL); + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, false, invalid_identity_certificate, + false, identity_ca, + false, private_key_pem, + NULL, + NULL); + + /* Now call the function. 
*/ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. */ + CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + /* test with file */ + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, true, invalid_identity_certificate_filename, + false, identity_ca, + false, private_key_pem, + NULL, + NULL); + + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. 
*/ + CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); +} + + +CU_Test(ddssec_builtin_validate_local_identity,invalid_root) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_GUID_t adjusted_participant_guid; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_GUID_t candidate_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb}; + DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1}; + + /* Check if we actually have the validate_local_identity() function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (auth->validate_local_identity != NULL); + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, false, identity_certificate, + false, invalid_identity_ca, + false, private_key_pem, + NULL, + NULL); + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. 
*/ + CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + /* test with file */ + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, false, identity_certificate, + true, invalid_identity_ca_filename, + false, private_key_pem, + NULL, + NULL); + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. */ + CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); +} + +CU_Test(ddssec_builtin_validate_local_identity,invalid_chain) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_GUID_t adjusted_participant_guid; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_GUID_t candidate_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb}; + DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1}; + + /* Check if we actually have the validate_local_identity() function. 
*/ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (auth->validate_local_identity != NULL); + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, false, identity_certificate, + false, unrelated_identity_ca, + false, private_key_pem, + NULL, + NULL); + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. */ + CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + /* test with file input*/ + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, false, identity_certificate, + true, unrelated_identity_ca_filename, + false, private_key_pem, + NULL, + NULL); + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. 
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,certificate_key_to_small)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate_1024key,
+ false, identity_ca,
+ false, private_key_pem,
+ NULL,
+ NULL);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+
+CU_Test(ddssec_builtin_validate_local_identity,invalid_private_key)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ false, invalid_private_key,
+ NULL,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ /*test with file input */
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ true, invalid_private_key_filename,
+ NULL,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+
+CU_Test(ddssec_builtin_validate_local_identity,private_key_to_small)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function.
*/
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ false, private_key_1024,
+ NULL,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+
+CU_Test(ddssec_builtin_validate_local_identity,missing_certificate_property)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function.
*/
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 3);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup("dds.sec.auth.identity_cert");
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key_1024);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT_FATAL (exception.message != NULL);
+ CU_ASSERT(strcmp(exception.message, "validate_local_identity: missing property 'dds.sec.auth.identity_certificate'") == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+
+CU_Test(ddssec_builtin_validate_local_identity,missing_ca_property)
+{
+ DDS_Security_ValidationResult_t result;
+
+ /* Dummy (even un-initialized) data for now.
*/
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 3);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup("dds.sec.auth.identit_ca");
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key_1024);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT_FATAL (exception.message != NULL);
+ CU_ASSERT(strcmp(exception.message, "validate_local_identity: missing property 'dds.sec.auth.identity_ca'") == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,missing_private_key_property)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 2);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+
+ /* Now call the function.
*/
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT_FATAL (exception.message != NULL);
+ CU_ASSERT(strcmp(exception.message, "validate_local_identity: missing property 'dds.sec.auth.private_key'") == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,unsupported_certification_format)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+ char *cert;
+ size_t len;
+
+ /* Check if we actually have the validate_local_identity() function.
*/
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ len = strlen("uri:") + strlen(&identity_certificate[6]) + 1;
+ cert = ddsrt_malloc(len);
+
+ snprintf(cert, len, "uri:%s", &identity_certificate[6]);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, cert,
+ false, identity_ca,
+ false, private_key_pem,
+ NULL, NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ ddsrt_free(cert);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,encrypted_key)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function.
*/
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ false, private_key_w_password,
+ private_key_password, NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ print_guid("adjusted_participant_guid", &adjusted_participant_guid);
+ CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ /* test with file */
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ true, private_key_w_password_filename,
+ private_key_password, NULL);
+ /* Now call the function.
*/
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ print_guid("adjusted_participant_guid", &adjusted_participant_guid);
+ CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,encrypted_key_no_password)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ false, private_key_w_password,
+ NULL,
+ NULL);
+ /* Now call the function.
*/
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ /*test with file */
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ true, private_key_w_password_filename,
+ NULL,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,encrypted_key_invalid_password)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ false, private_key_w_password,
+ "invalid",
+ NULL);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ /*test with file */
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ true, private_key_w_password_filename,
+ "invalid",
+ NULL);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,happy_day_eliptic)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+ DDS_Security_boolean success;
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, ec_identity_certificate,
+ false, ec_identity_ca,
+ false, ec_private_key,
+ NULL,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ print_guid("adjusted_participant_guid", &adjusted_participant_guid);
+ CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ /* test with file */
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, true, ec_identity_certificate_filename,
+ true, ec_identity_ca_filename,
+ true, ec_private_key_filename,
+ NULL,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ print_guid("adjusted_participant_guid", &adjusted_participant_guid);
+ CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+}
+
+
+CU_Test(ddssec_builtin_validate_local_identity,encrypted_ec_key)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, ec_identity_certificate,
+ false, ec_identity_ca,
+ false, ec_private_key_w_password,
+ ec_password,
+ NULL);
+ /* Now call the function.
*/
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ print_guid("adjusted_participant_guid", &adjusted_participant_guid);
+ CU_ASSERT_FATAL (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ /* test with file */
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, ec_identity_certificate,
+ false, ec_identity_ca,
+ true, ec_private_key_w_password_filename,
+ ec_password,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,elliptic_unsupported_certificate)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 3);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(ec_identity_certificate_unsupported);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(ec_identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(ec_private_key);
+
+ /* Now call the
function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. */ + CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); +} + +CU_Test(ddssec_builtin_validate_local_identity,elliptic_unsupported_private_key) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_GUID_t adjusted_participant_guid; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_GUID_t candidate_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb}; + DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1}; + + /* Check if we actually have the validate_local_identity() function. 
*/ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (auth->validate_local_identity != NULL); + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + memset(&participant_qos, 0, sizeof(participant_qos)); + dds_security_property_init(&participant_qos.property.value, 3); + participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT); + participant_qos.property.value._buffer[0].value = ddsrt_strdup(ec_identity_certificate); + participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA); + participant_qos.property.value._buffer[1].value = ddsrt_strdup(ec_identity_ca); + participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY); + participant_qos.property.value._buffer[2].value = ddsrt_strdup(ec_private_key_unsupported); + + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. 
*/ + CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); +} + +CU_Test(ddssec_builtin_validate_local_identity,return_freed_handle) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_GUID_t adjusted_participant_guid; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_GUID_t candidate_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb}; + DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1}; + DDS_Security_boolean success; + + /* Check if we actually have the validate_local_identity() function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (auth->validate_local_identity != NULL); + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + memset(&participant_qos, 0, sizeof(participant_qos)); + dds_security_property_init(&participant_qos.property.value, 3); + participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT); + participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate); + participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA); + participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca); + participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY); + participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key_pem); + + /* Now call the function. 
*/ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. */ + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + + print_guid("adjusted_participant_guid", &adjusted_participant_guid); + CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + success = auth->return_identity_handle(auth, local_identity_handle, &exception); + CU_ASSERT_FATAL (success); + + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + + success = auth->return_identity_handle(auth, local_identity_handle, &exception); + CU_ASSERT_FALSE (success); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + reset_exception(&exception); +} + + +CU_Test(ddssec_builtin_validate_local_identity,no_file) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_GUID_t adjusted_participant_guid; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_GUID_t candidate_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb}; + DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1}; + + /* Check if we actually have the validate_local_identity() function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (auth->validate_local_identity != NULL); + + /* validate with file */ + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, true, identity_certificate_filename, + false, identity_ca, + true, "invalid_filename", + NULL, + NULL); + + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. 
*/ + CU_ASSERT_FATAL (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT_FATAL (local_identity_handle == DDS_SECURITY_HANDLE_NIL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, true, identity_certificate_filename, + true, "invalid_filename", + true, private_key_filename, + NULL, + NULL); + + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. */ + CU_ASSERT_FATAL (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT_FATAL (local_identity_handle == DDS_SECURITY_HANDLE_NIL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, true, "invalid_filename", + true, identity_ca_filename, + false, private_key_pem, + NULL, + NULL); + + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. */ + CU_ASSERT_FATAL (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT_FATAL (local_identity_handle == DDS_SECURITY_HANDLE_NIL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + +} + +/* TODO: Should be enabled after implementing trusted ca dir parsing*/ +#if(0) +CU _ Test(validate_local_identity,with_extended_certificate_check) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_GUID_t adjusted_participant_guid; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_GUID_t candidate_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb}; + DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1}; + DDS_Security_boolean success; + + /* Check if we actually have the validate_local_identity() function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (auth->validate_local_identity != NULL); + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, false, identity_certificate, + false, identity_ca, + false, private_key, + NULL, + "trusted_ca_dir"); + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ print_guid("adjusted_participant_guid", &adjusted_participant_guid);
+ CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ reset_exception(&exception);
+
+ /* validate with file */
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, true, identity_certificate_filename,
+ true, identity_ca_filename,
+ true, private_key_filename,
+ NULL,
+ "trusted_ca_dir_not_matching");
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT_FATAL (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle == DDS_SECURITY_HANDLE_NIL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+
+}
+#endif
\ No newline at end of file
diff --git a/src/security/builtin_plugins/tests/validate_remote_identity/src/validate_remote_identity_utests.c b/src/security/builtin_plugins/tests/validate_remote_identity/src/validate_remote_identity_utests.c
new file mode 100644
index 0000000..6cbb267
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_identity/src/validate_remote_identity_utests.c 
@@ -0,0 +1,1140 @@
+
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_serialize.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/string.h"
+#include
+#include
+#include "dds/ddsrt/environ.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "assert.h"
+
+
+/* Test helper includes. */
+#include "common/src/loader.h"
+
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+
+static const char * AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0";
+
+static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+
+static const char * PROPERTY_CERT_SUBJECT_NAME = "dds.cert.sn";
+static const char * PROPERTY_CERT_ALGORITHM = "dds.cert.algo";
+static const char * PROPERTY_CA_SUBJECT_NAME = "dds.ca.sn";
+static const char * PROPERTY_CA_ALGORITHM = "dds.ca.aglo";
+
+static const char * SUBJECT_NAME_IDENTITY_CERT = "CN=CHAM-574 client,O=Some Company,ST=Some-State,C=NL";
+static const char * SUBJECT_NAME_IDENTITY_CA = "CN=CHAM-574 authority,O=Some Company,ST=Some-State,C=NL";
+
+static const char * SUBJECT_NAME_IDENTITY_CERT_2 = "CN=CHAM-574_1 client,O=Some Company,ST=Some-State,C=NL";
+static const char * SUBJECT_NAME_IDENTITY_CA_2 = "CN=CHAM-574_1 authority,O=Some Company,ST=Some-State,C=NL";
+
+
+static const char * RSA_2048_ALGORITHM_NAME = "RSA-2048";
+//static const char * EC_PRIME256V1_ALGORITHM_NAME = "EC-prime256v1";
+
+static const char * AUTH_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+AuthReq";
+static const char * AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME = "future_challenge";
+
+static const char *identity_certificate =
+ "data:,-----BEGIN CERTIFICATE-----\n"
+
"MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n" + "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n" + "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n" + "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n" + "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n" + "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n" + "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n" + "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n" + "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n" + "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n" + "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n" + "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n" + "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n" + "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n" + "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n" + "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n" + "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n" + "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n" + "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n" + "-----END CERTIFICATE-----\n"; + + +static const char *identity_ca = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n" + 
"MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n" + "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n" + "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n" + "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n" + "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n" + "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n" + "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n" + "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n" + "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n" + "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n" + "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n" + "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n" + "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n" + "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n" + "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n" + "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n" + "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n" + "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n" + "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n" + "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n" + "-----END CERTIFICATE-----\n"; + + +static const char *private_key = + "data:,-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n" + "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n" + "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n" + "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n" + 
"psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n" + "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n" + "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n" + "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n" + "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n" + "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n" + "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n" + "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n" + "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n" + "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n" + "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n" + "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n" + "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n" + "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n" + "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n" + "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n" + "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n" + "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n" + "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n" + "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n" + "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n" + "-----END RSA PRIVATE KEY-----\n"; + + + + + +static struct plugins_hdl *plugins = NULL; +static dds_security_authentication *auth = NULL; +static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_GUID_t local_participant_guid; + +static void +dds_security_property_init( + DDS_Security_PropertySeq *seq, + DDS_Security_unsigned_long size) +{ + seq->_length = size; + seq->_maximum = size; + seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t)); + 
memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void
+dds_security_property_deinit(
+ DDS_Security_PropertySeq *seq)
+{
+ uint32_t i;
+
+ for (i = 0; i < seq->_length; i++) {
+ ddsrt_free(seq->_buffer[i].name);
+ ddsrt_free(seq->_buffer[i].value);
+ }
+ ddsrt_free(seq->_buffer);
+}
+
+static void
+reset_exception(
+ DDS_Security_SecurityException *ex)
+{
+ ex->code = 0;
+ ex->minor_code = 0;
+ ddsrt_free(ex->message);
+ ex->message = NULL;
+}
+
+static void
+initialize_identity_token(
+ DDS_Security_IdentityToken *token,
+ const char *certAlgo,
+ const char *caAlgo)
+{
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+ token->properties._maximum = 4;
+ token->properties._length = 4;
+ token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+
+ token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CERT);
+ token->properties._buffer[0].propagate = true;
+
+ token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM);
+ token->properties._buffer[1].value = ddsrt_strdup(certAlgo);
+ token->properties._buffer[1].propagate = true;
+
+ token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME);
+ token->properties._buffer[2].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA);
+ token->properties._buffer[2].propagate = true;
+
+ token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM);
+ token->properties._buffer[3].value = ddsrt_strdup(caAlgo);
+ token->properties._buffer[3].propagate = true;
+}
+
+static void
+initialize_identity_token_w_sn(
+ DDS_Security_IdentityToken *token,
+ const char *certSubjName,
+ const char *certAlgo,
+ const char *caSubjName,
+ const char *caAlgo)
+{
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+ token->properties._maximum = 4;
+ token->properties._length = 4;
+
token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+
+ token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ token->properties._buffer[0].value = ddsrt_strdup(certSubjName);
+ token->properties._buffer[0].propagate = true;
+
+ token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM);
+ token->properties._buffer[1].value = ddsrt_strdup(certAlgo);
+ token->properties._buffer[1].propagate = true;
+
+ token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME);
+ token->properties._buffer[2].value = ddsrt_strdup(caSubjName);
+ token->properties._buffer[2].propagate = true;
+
+ token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM);
+ token->properties._buffer[3].value = ddsrt_strdup(caAlgo);
+ token->properties._buffer[3].propagate = true;
+}
+
+static void
+deinitialize_identity_token(
+ DDS_Security_IdentityToken *token)
+{
+ DDS_Security_DataHolder_deinit(token);
+}
+
+
+static int
+create_local_identity(void)
+{
+ int res = 0;
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+ DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1};
+
+ memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 3);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name
= ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &local_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ res = -1;
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ return res;
+}
+
+static void
+clear_local_identity(void)
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ if (local_identity_handle != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ?
exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ }
+}
+
+static int
+check_auth_request_token(
+ DDS_Security_AuthRequestMessageToken *token,
+ int notNil)
+{
+ if (notNil) {
+ if (!token->class_id ||
+ (strcmp(token->class_id, AUTH_REQUEST_TOKEN_CLASS_ID) != 0)) {
+ printf("AuthRequestMessageToken has invalid class_id\n");
+ return 0;
+ }
+
+ if (token->binary_properties._length != 1 ||
+ token->binary_properties._buffer == NULL) {
+ printf("AuthRequestMessageToken has binary_properties\n");
+ return 0;
+ }
+
+ if (!token->binary_properties._buffer[0].name ||
+ (strcmp(token->binary_properties._buffer[0].name, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME) != 0)) {
+ printf("AuthRequestMessageToken has invalid property name\n");
+ return 0;
+ }
+
+ if (token->binary_properties._buffer[0].value._length != 32 ||
+ token->binary_properties._buffer[0].value._buffer == NULL) {
+ printf("AuthRequestMessageToken has invalid property value\n");
+ return 0;
+ }
+ } else {
+ if ((strlen(token->class_id) != 0) ||
+ (token->properties._length != 0) ||
+ (token->properties._maximum != 0) ||
+ (token->binary_properties._buffer != NULL) ||
+ (token->binary_properties._length != 0) ||
+ (token->binary_properties._maximum != 0) ||
+ (token->binary_properties._buffer != NULL) ) {
+ printf("AuthRequestMessageToken is not a TokenNil\n");
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static void
+fill_auth_request_token(
+ DDS_Security_AuthRequestMessageToken *token)
+{
+ uint32_t i;
+ uint32_t len = 32;
+ unsigned char *challenge;
+
+ challenge = ddsrt_malloc(len);
+
+ for (i = 0; i < len; i++) {
+ challenge[i] = (unsigned char)(0xFF - i);
+ }
+
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID);
+ token->binary_properties._maximum = 1;
+ token->binary_properties._length = 1;
+ token->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(1);
+ token->binary_properties._buffer->name =
ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME); + + token->binary_properties._buffer->value._maximum = len; + token->binary_properties._buffer->value._length = len; + token->binary_properties._buffer->value._buffer = challenge; +} + + +static void +set_remote_participant_guid( + DDS_Security_GUID_t *guid, + int higher) +{ + int i; + + memcpy(guid, &local_participant_guid, sizeof(*guid)); + + for (i = 0; i < 12; i++) { + int index = (i + 4) % 12; + if (higher) { + if (guid->prefix[index] < 0xFF) { + guid->prefix[index]++; + /*NOTE: It was giving warning ("unsigned char from ‘int’ may alter its value") with below + guid->prefix[index] += 1; + */ + break; + } + } else { + if (guid->prefix[index] > 0) { + guid->prefix[index]--; + /*NOTE: It was giving warning ("unsigned char from ‘int’ may alter its value") with below + guid->prefix[index] -= 1; + */ + break; + } + } + } +} + + +CU_Init(ddssec_builtin_validate_remote_identity) +{ + int res = 0; + + /* Only need the authentication plugin. */ + plugins = load_plugins(NULL /* Access Control */, + &auth /* Authentication */, + NULL /* Cryptograpy */); + if (plugins) { + res = create_local_identity(); + } else { + res = -1; + } + return res; +} + +CU_Clean(ddssec_builtin_validate_remote_identity) +{ + clear_local_identity(); + unload_plugins(plugins); + return 0; +} + +CU_Test(ddssec_builtin_validate_remote_identity,happy_day_nil_auth_req ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + + /* Check if we actually have validate_local_identity function. 
*/
+ CU_ASSERT (auth != NULL);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT (auth->validate_remote_identity != NULL);
+
+ if (local_identity_handle == DDS_SECURITY_HANDLE_NIL) {
+ return;
+ }
+
+ initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ set_remote_participant_guid(&remote_participant_guid, 1);
+
+ result = auth->validate_remote_identity(
+ auth,
+ &remote_identity_handle,
+ &local_auth_request_token,
+ NULL,
+ local_identity_handle,
+ &remote_identity_token,
+ &remote_participant_guid,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_FAILED) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST);
+ if (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) {
+ CU_ASSERT (remote_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT (check_auth_request_token(&local_auth_request_token, 1));
+ }
+
+ reset_exception(&exception);
+ deinitialize_identity_token(&remote_identity_token);
+ DDS_Security_DataHolder_deinit(&local_auth_request_token);
+
+ if ((result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) ||
+ (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) {
+ DDS_Security_boolean success = auth->return_identity_handle(auth, remote_identity_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ?
exception.message : "Error message missing"); + } + reset_exception(&exception); + } +} + +CU_Test(ddssec_builtin_validate_remote_identity,happy_day_with_auth_req ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + /* Check if we actually have validate_local_identity function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 0); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT (remote_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT (check_auth_request_token(&local_auth_request_token, 0)); + + reset_exception(&exception); + deinitialize_identity_token(&remote_identity_token); + DDS_Security_DataHolder_deinit(&remote_auth_request_token); + DDS_Security_DataHolder_deinit(&local_auth_request_token); + + success = auth->return_identity_handle(auth, remote_identity_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); +} + + +CU_Test(ddssec_builtin_validate_remote_identity,invalid_parameters ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + + /* Check if we actually have validate_local_identity function. 
*/ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 1); + + result = auth->validate_remote_identity( + NULL, &remote_identity_handle, &local_auth_request_token, &remote_auth_request_token, + local_identity_handle, &remote_identity_token, &remote_participant_guid, &exception); + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->validate_remote_identity( + auth, NULL, &local_auth_request_token, &remote_auth_request_token, + local_identity_handle, &remote_identity_token, &remote_participant_guid, &exception); + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->validate_remote_identity( + auth, &remote_identity_handle, NULL, &remote_auth_request_token, + local_identity_handle, &remote_identity_token, &remote_participant_guid, &exception); + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->validate_remote_identity( + auth, &remote_identity_handle, &local_auth_request_token, &remote_auth_request_token, + local_identity_handle, NULL, &remote_participant_guid, &exception); + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->validate_remote_identity( + auth, &remote_identity_handle, &local_auth_request_token, &remote_auth_request_token, + local_identity_handle, &remote_identity_token, NULL, &exception); + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + DDS_Security_DataHolder_deinit(&remote_auth_request_token); + deinitialize_identity_token(&remote_identity_token); +} + +CU_Test(ddssec_builtin_validate_remote_identity,unknown_local_identity ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle unknown_identity_handle = 0x56; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + + /* Check if we actually have validate_local_identity function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 0); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + unknown_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_remote_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + deinitialize_identity_token(&remote_identity_token); + DDS_Security_DataHolder_deinit(&remote_auth_request_token); +} + + +CU_Test(ddssec_builtin_validate_remote_identity,invalid_remote_identity_token ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + + /* Check if we actually have validate_local_identity function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 0); + + ddsrt_free(remote_identity_token.class_id); + remote_identity_token.class_id = ddsrt_strdup("DDS:Auth:PKI-PH:1.0"); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + ddsrt_free(remote_identity_token.class_id); + remote_identity_token.class_id = ddsrt_strdup("DDS:Auth:PKI-DH:2.0"); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + deinitialize_identity_token(&remote_identity_token); + DDS_Security_DataHolder_deinit(&remote_auth_request_token); +} + + +CU_Test(ddssec_builtin_validate_remote_identity,invalid_auth_req_token ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + unsigned char *futureChallenge; + + /* Check if we actually have validate_local_identity function. 
*/ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 0); + + /* check invalid class_id (empty) string for class_id */ + ddsrt_free(remote_auth_request_token.class_id); + remote_auth_request_token.class_id = ddsrt_strdup(""); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check invalid class_id (NULL) string for class_id */ + ddsrt_free(remote_auth_request_token.class_id); + remote_auth_request_token.class_id = NULL; + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check invalid class_id string for class_id */ + remote_auth_request_token.class_id = ddsrt_strdup("DDS:Auth:PKI-DH:2.0+AuthReq"); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check invalid property name (empty) for future_challenge */ + ddsrt_free(remote_auth_request_token.class_id); + remote_auth_request_token.class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID); + ddsrt_free(remote_auth_request_token.binary_properties._buffer[0].name); + remote_auth_request_token.binary_properties._buffer[0].name = ddsrt_strdup(""); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check invalid property name (NULL) for future_challenge */ + ddsrt_free(remote_auth_request_token.binary_properties._buffer[0].name); + remote_auth_request_token.binary_properties._buffer[0].name = NULL; + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check invalid property name for future_challenge */ + ddsrt_free(remote_auth_request_token.binary_properties._buffer[0].name); + remote_auth_request_token.binary_properties._buffer[0].name = ddsrt_strdup("challenge"); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check missing future_challenge property*/ + ddsrt_free(remote_auth_request_token.binary_properties._buffer[0].name); + remote_auth_request_token.binary_properties._buffer[0].name = ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME); + futureChallenge = remote_auth_request_token.binary_properties._buffer[0].value._buffer; + remote_auth_request_token.binary_properties._buffer[0].value._buffer = NULL; + remote_auth_request_token.binary_properties._buffer[0].value._length = 0; + remote_auth_request_token.binary_properties._buffer[0].value._maximum = 0; + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check incorrect future_challenge property, too small */ + remote_auth_request_token.binary_properties._buffer[0].value._buffer = futureChallenge; + remote_auth_request_token.binary_properties._buffer[0].value._length = 16; + remote_auth_request_token.binary_properties._buffer[0].value._maximum = 32; + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check incorrect future_challenge property: value is NULL */ + remote_auth_request_token.binary_properties._buffer[0].value._buffer = NULL; + remote_auth_request_token.binary_properties._buffer[0].value._length = 32; + remote_auth_request_token.binary_properties._buffer[0].value._maximum = 32; + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + remote_auth_request_token.binary_properties._buffer[0].value._buffer = futureChallenge; + + deinitialize_identity_token(&remote_identity_token); + DDS_Security_DataHolder_deinit(&remote_auth_request_token); +} + +CU_Test(ddssec_builtin_validate_remote_identity,already_validated_same_token ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_IdentityHandle remote_identity_handle2 = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + /* Check if we actually have validate_local_identity function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 0); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT (remote_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT (check_auth_request_token(&local_auth_request_token, 0)); + + reset_exception(&exception); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle2, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT (remote_identity_handle == remote_identity_handle2); + CU_ASSERT (check_auth_request_token(&local_auth_request_token, 0)); + + reset_exception(&exception); + + deinitialize_identity_token(&remote_identity_token); + DDS_Security_DataHolder_deinit(&remote_auth_request_token); + DDS_Security_DataHolder_deinit(&local_auth_request_token); + + success = auth->return_identity_handle(auth, remote_identity_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + reset_exception(&exception); +} + + +CU_Test(ddssec_builtin_validate_remote_identity,already_validated_different_token ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_IdentityHandle remote_identity_handle2 = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_IdentityToken remote_identity_token2; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + /* Check if we actually have validate_local_identity function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 0); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT_FATAL (remote_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT (check_auth_request_token(&local_auth_request_token, 0)); + + reset_exception(&exception); + + initialize_identity_token_w_sn( + &remote_identity_token2, + SUBJECT_NAME_IDENTITY_CERT_2, RSA_2048_ALGORITHM_NAME, + SUBJECT_NAME_IDENTITY_CA_2, RSA_2048_ALGORITHM_NAME); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle2, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token2, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + deinitialize_identity_token(&remote_identity_token); + deinitialize_identity_token(&remote_identity_token2); + DDS_Security_DataHolder_deinit(&remote_auth_request_token); + DDS_Security_DataHolder_deinit(&local_auth_request_token); + + success = auth->return_identity_handle(auth, remote_identity_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); +} + diff --git a/src/security/core/CMakeLists.txt b/src/security/core/CMakeLists.txt new file mode 100644 index 0000000..69a2ba5 --- /dev/null +++ b/src/security/core/CMakeLists.txt 
@@ -0,0 +1,57 @@
+#
+# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v. 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+# v. 1.0 which is available at
+# http://www.eclipse.org/org/documents/edl-v10.php.
+#
+# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+#
+PREPEND(srcs_security_core "${CMAKE_CURRENT_LIST_DIR}/src"
+ dds_security_serialize.c
+ dds_security_utils.c
+ shared_secret.c
+)
+
+PREPEND(hdrs_public_security_core "${CMAKE_CURRENT_LIST_DIR}/include/security/core"
+ dds_security_core_if.h
+ dds_security_serialize.h
+ dds_security_types.h
+ dds_security_utils.h
+ shared_secret.h
+)
+
+set (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC" )
+set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIC" )
+add_library(security_core INTERFACE)
+
+
+target_sources(security_core
+ INTERFACE
+ ${srcs_security_core}
+
+)
+
+target_include_directories(security_core
+ INTERFACE
+ "$"
+ "$"
+ "$>"
+ "$>"
+)
+#target_link_libraries(security_core PRIVATE ddsrt security_api)
+
+install(
+ DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/include/dds/security/core/"
+ DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/dds/security/core/"
+ COMPONENT dev)
+
+#install(
+# TARGETS security_core
+# EXPORT "${CMAKE_PROJECT_NAME}"
+# RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT lib
+# LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+# ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+#)
diff --git a/src/security/core/include/dds/security/core/dds_security_serialize.h b/src/security/core/include/dds/security/core/dds_security_serialize.h
new file mode 100644
index 0000000..1454d9c
--- /dev/null
+++ b/src/security/core/include/dds/security/core/dds_security_serialize.h
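Review bot: In src/security/core/CMakeLists.txt the `hdrs_public_security_core` list is prefixed with `${CMAKE_CURRENT_LIST_DIR}/include/security/core`, but the headers this commit adds and the `install(DIRECTORY ...)` rule further down both use `include/dds/security/core`, so the list names paths that do not match the tree; the first line should read `PREPEND(hdrs_public_security_core "${CMAKE_CURRENT_LIST_DIR}/include/dds/security/core"`. The variable is not referenced anywhere in this hunk, and it lists `dds_security_core_if.h` and `shared_secret.h`, whose addition is not visible here, so check that both exist before the list is wired into a target. Separately, appending `-fPIC` to `CMAKE_C_FLAGS` and `CMAKE_CXX_FLAGS` changes the flags of every target defined in this directory scope after it and assumes a GCC-style compiler; `set(CMAKE_POSITION_INDEPENDENT_CODE ON)` states the same intent portably.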
@@ -0,0 +1,106 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#ifndef DDS_SECURITY_CDR_SER_H
+#define DDS_SECURITY_CDR_SER_H
+
+#include "dds/export.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_types.h"
+#include "stddef.h"
+
+#if defined (__cplusplus)
+extern "C" {
+#endif
+
+
+
+typedef struct DDS_Security_Serializer *DDS_Security_Serializer;
+typedef struct DDS_Security_Deserializer *DDS_Security_Deserializer;
+
+
+DDS_EXPORT DDS_Security_Serializer
+DDS_Security_Serializer_new(
+ size_t size,
+ size_t increment);
+
+DDS_EXPORT void
+DDS_Security_Serializer_free(
+ DDS_Security_Serializer serializer);
+
+DDS_EXPORT void
+DDS_Security_Serializer_buffer(
+ DDS_Security_Serializer ser,
+ unsigned char **buffer,
+ size_t *size);
+
+DDS_EXPORT void
+DDS_Security_Serialize_PropertySeq(
+ DDS_Security_Serializer serializer,
+ const DDS_Security_PropertySeq *seq);
+
+DDS_EXPORT void
+DDS_Security_Serialize_BinaryPropertyArray(
+ DDS_Security_Serializer serializer,
+ const DDS_Security_BinaryProperty_t **properties,
+ const uint32_t length);
+
+DDS_EXPORT void
+DDS_Security_Serialize_BinaryPropertySeq(
+ DDS_Security_Serializer serializer,
+ const DDS_Security_BinaryPropertySeq *seq);
+
+DDS_EXPORT void
+DDS_Security_Serialize_DataHolderSeq(
+ DDS_Security_Serializer serializer,
+ const DDS_Security_DataHolderSeq *seq);
+
+DDS_EXPORT void
+DDD_Security_Serialize_ParticipantBuiltinTopicData(
+ DDS_Security_Serializer ser,
+ DDS_Security_ParticipantBuiltinTopicData *pdata);
+
+DDS_EXPORT void
+DDD_Security_Serialize_KeyMaterial_AES_GCM_GMAC(
+ DDS_Security_Serializer ser,
+ const DDS_Security_KeyMaterial_AES_GCM_GMAC *data);
+
+DDS_EXPORT DDS_Security_Deserializer
+DDS_Security_Deserializer_new(
+ const unsigned char *data,
+ size_t size);
+
+DDS_EXPORT void
+DDS_Security_Deserializer_free(
+ DDS_Security_Deserializer deserializer);
+
+DDS_EXPORT int
+DDD_Security_Deserialize_ParticipantBuiltinTopicData(
+ DDS_Security_Deserializer deserializer,
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ DDS_Security_SecurityException *ex);
+
+DDS_EXPORT void
+DDD_Security_BuiltinTopicKeyBE(
+ DDS_Security_BuiltinTopicKey_t dst,
+ const DDS_Security_BuiltinTopicKey_t src);
+
+DDS_EXPORT int
+DDD_Security_Deserialize_KeyMaterial_AES_GCM_GMAC(
+ DDS_Security_Deserializer dser,
+ DDS_Security_KeyMaterial_AES_GCM_GMAC *data);
+
+#if defined (__cplusplus)
+}
+#endif
+
+#endif /* DDS_SECURITY_CDR_SER_H */
diff --git a/src/security/core/include/dds/security/core/dds_security_types.h b/src/security/core/include/dds/security/core/dds_security_types.h
new file mode 100644
index 0000000..e9748a5
--- /dev/null
+++ b/src/security/core/include/dds/security/core/dds_security_types.h
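Review bot: In dds_security_serialize.h five exported functions carry a `DDD_Security_` prefix (`DDD_Security_Serialize_ParticipantBuiltinTopicData`, `DDD_Security_Serialize_KeyMaterial_AES_GCM_GMAC`, `DDD_Security_Deserialize_ParticipantBuiltinTopicData`, `DDD_Security_BuiltinTopicKeyBE`, `DDD_Security_Deserialize_KeyMaterial_AES_GCM_GMAC`) while every other declaration uses `DDS_Security_`; because they are marked `DDS_EXPORT` the misspelling becomes part of the exported interface, so it is cheapest to rename them now. The two deserialize functions return a bare `int` with no comment saying which value means success, and the key-material variant takes no `DDS_Security_SecurityException`, so a caller cannot tell from the header how a malformed buffer is reported. A deserializer created from a caller-supplied `data`/`size` pair is presumably fed bytes that arrived from a remote participant, so each declaration should get a short comment stating the return convention and whether the output struct may be read after a failure, written against the implementation. `#include "stddef.h"` should be `#include <stddef.h>`, and `uint32_t` is used with no `<stdint.h>` include visible in this header.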
@@ -0,0 +1,69 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#ifndef DSS_SECURITY_PLUGIN_TYPES_H_
+#define DSS_SECURITY_PLUGIN_TYPES_H_
+
+#include "dds/security/dds_security_api_types.h"
+
+typedef DDS_Security_octet DDS_Security_CryptoTransformKind[4];
+typedef DDS_Security_octet DDS_Security_CryptoTransformKeyId[4];
+
+/* enumeration for CryptoTransformKind.
+ * ds_security_assign_CryptoTransformKind function should be used for assigning to CryptoTransformKind
+ */
+typedef enum
+{
+/* No encryption, no authentication tag */
+ CRYPTO_TRANSFORMATION_KIND_NONE = 0,
+ /* No encryption.
+ One AES128-GMAC authentication tag using the sender_key
+ Zero or more AES128-GMAC auth. tags with receiver specfic keys */
+ CRYPTO_TRANSFORMATION_KIND_AES128_GMAC = 1,
+ /* Authenticated Encryption using AES-128 in Galois Counter Mode
+ (GCM) using the sender key.
+ The authentication tag using the sender_key obtained from GCM
+ Zero or more AES128-GMAC auth. tags with receiver specfic keys */
+ CRYPTO_TRANSFORMATION_KIND_AES128_GCM = 2,
+ /* No encryption.
+ One AES256-GMAC authentication tag using the sender_key
+ Zero or more AES256-GMAC auth. tags with receiver specfic keys */
+ CRYPTO_TRANSFORMATION_KIND_AES256_GMAC = 3,
+ /* Authenticated Encryption using AES-256 in Galois Counter Mode
+ (GCM) using the sender key.
+ The authentication tag using the sender_key obtained from GCM
+ Zero or more AES256-GMAC auth. tags with receiver specfic keys */
+ CRYPTO_TRANSFORMATION_KIND_AES256_GCM = 4,
+
+ /* INVALID ENUM*/
+ CRYPTO_TRANSFORMATION_KIND_INVALID = 127,
+} DDS_Security_CryptoTransformKind_Enum;
+
+typedef struct DDS_Security_KeyMaterial_AES_GCM_GMAC {
+ DDS_Security_CryptoTransformKind transformation_kind;
+ DDS_Security_OctetSeq master_salt; /*size shall be 32*/
+ DDS_Security_CryptoTransformKeyId sender_key_id;
+ DDS_Security_OctetSeq master_sender_key; /*size shall be 32*/
+ DDS_Security_CryptoTransformKeyId receiver_specific_key_id;
+ DDS_Security_OctetSeq master_receiver_specific_key; /*size shall be 32*/
+} DDS_Security_KeyMaterial_AES_GCM_GMAC;
+
+struct CryptoTransformIdentifier {
+ DDS_Security_CryptoTransformKind transformation_kind;
+ DDS_Security_CryptoTransformKeyId transformation_key_id;
+};
+
+/** temporary address decleration until it is ready in ddsrt */
+typedef uintptr_t ddsrt_address; /* word length of the platform */
+
+
+#endif /* DSS_SECURITY_PLUGIN_TYPES_H_ */
diff --git a/src/security/core/include/dds/security/core/dds_security_utils.h b/src/security/core/include/dds/security/core/dds_security_utils.h
new file mode 100644
index 0000000..e2ade89
--- /dev/null
+++ b/src/security/core/include/dds/security/core/dds_security_utils.h
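Review bot: In dds_security_types.h the three `/*size shall be 32*/` comments on `master_salt`, `master_sender_key` and `master_receiver_specific_key` do not say whether 32 is an exact length or an upper bound, while the enum in the same file also admits the AES128 kinds, so a reader cannot tell which length the code that fills or deserializes `DDS_Security_KeyMaterial_AES_GCM_GMAC` has to enforce. Spell the rule out once above the struct, for example `/* octet sequences hold the key and salt for transformation_kind; length is at most 32 and must match the kind */`, after confirming it against the implementation. `ddsrt_address` is defined from `uintptr_t` with no `<stdint.h>` include in this header, so it compiles only if `dds_security_api_types.h` happens to provide it; adding `#include <stdint.h>` removes that dependency. The include guard is spelled `DSS_SECURITY_PLUGIN_TYPES_H_`, and `struct CryptoTransformIdentifier` has no `DDS_Security_` prefix although it sits in a public header.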
@@ -0,0 +1,391 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + +#ifndef DSCMN_SECURITY_UTILS_H_ +#define DSCMN_SECURITY_UTILS_H_ + +#include "dds/export.h" +#include +#include +#include +#include "dds/security/core/dds_security_types.h" +#include "dds/security/dds_security_api.h" + +typedef DDS_Security_long_long DDS_Security_Handle; +typedef DDS_Security_LongLongSeq DDS_Security_HandleSeq; + +#define DDS_SECURITY_SEQUENCE_INIT {0, 0, NULL} +#define DDS_SECURITY_TOKEN_INIT {NULL, DDS_SECURITY_SEQUENCE_INIT, DDS_SECURITY_SEQUENCE_INIT} + + +typedef enum { + DDS_SECURITY_CONFIG_ITEM_PREFIX_UNKNOWN, + DDS_SECURITY_CONFIG_ITEM_PREFIX_FILE, + DDS_SECURITY_CONFIG_ITEM_PREFIX_DATA, + DDS_SECURITY_CONFIG_ITEM_PREFIX_PKCS11 +} DDS_Security_config_item_prefix_t; + + +DDS_EXPORT DDS_Security_BinaryProperty_t * +DDS_Security_BinaryProperty_alloc( + void); + +DDS_EXPORT void +DDS_Security_BinaryProperty_deinit( + DDS_Security_BinaryProperty_t *p); + +DDS_EXPORT void +DDS_Security_BinaryProperty_free( + DDS_Security_BinaryProperty_t *p); + +DDS_EXPORT void +DDS_Security_BinaryProperty_copy( + DDS_Security_BinaryProperty_t *dst, + DDS_Security_BinaryProperty_t *src); + +DDS_EXPORT bool +DDS_Security_BinaryProperty_equal( + DDS_Security_BinaryProperty_t *pa, + DDS_Security_BinaryProperty_t *pb); + +DDS_EXPORT void +DDS_Security_BinaryProperty_set_by_value( + DDS_Security_BinaryProperty_t *bp, + const char *name, + const unsigned char *data, + uint32_t length); + +DDS_EXPORT void +DDS_Security_BinaryProperty_set_by_string( + DDS_Security_BinaryProperty_t *bp, + const char *name, + 
const char *data); + +DDS_EXPORT void +DDS_Security_BinaryProperty_set_by_ref( + DDS_Security_BinaryProperty_t *bp, + const char *name, + unsigned char *data, + uint32_t length); + +DDS_EXPORT DDS_Security_BinaryPropertySeq * +DDS_Security_BinaryPropertySeq_alloc( + void); + +DDS_EXPORT DDS_Security_BinaryProperty_t * +DDS_Security_BinaryPropertySeq_allocbuf( + DDS_Security_unsigned_long len); + +DDS_EXPORT void +DDS_Security_BinaryPropertySeq_deinit( + DDS_Security_BinaryPropertySeq *seq); + +DDS_EXPORT void +DDS_Security_BinaryPropertySeq_free( + DDS_Security_BinaryPropertySeq *seq); + +DDS_EXPORT DDS_Security_Property_t * +DDS_Security_Property_alloc( + void); + +DDS_EXPORT void +DDS_Security_Property_free( + DDS_Security_Property_t *p); + +DDS_EXPORT void +DDS_Security_Property_deinit( + DDS_Security_Property_t *p); + +DDS_EXPORT void +DDS_Security_Property_copy( + DDS_Security_Property_t *dst, + DDS_Security_Property_t *src); + +DDS_EXPORT bool +DDS_Security_Property_equal( + DDS_Security_Property_t *pa, + DDS_Security_Property_t *pb); + +DDS_EXPORT char * +DDS_Security_Property_get_value( + const DDS_Security_PropertySeq *properties, + const char *name); + +DDS_EXPORT DDS_Security_PropertySeq * +DDS_Security_PropertySeq_alloc( + void); + +DDS_EXPORT DDS_Security_Property_t * +DDS_Security_PropertySeq_allocbuf( + DDS_Security_unsigned_long len); + +DDS_EXPORT void +DDS_Security_PropertySeq_freebuf( + DDS_Security_PropertySeq *seq); + +DDS_EXPORT void +DDS_Security_PropertySeq_free( + DDS_Security_PropertySeq *seq); + +DDS_EXPORT void +DDS_Security_PropertySeq_deinit( + DDS_Security_PropertySeq *seq); + +DDS_EXPORT const DDS_Security_Property_t * +DDS_Security_PropertySeq_find_property ( + const DDS_Security_PropertySeq *property_seq, + const char *name ); + +DDS_EXPORT DDS_Security_DataHolder * +DDS_Security_DataHolder_alloc( + void); + +DDS_EXPORT void +DDS_Security_DataHolder_free( + DDS_Security_DataHolder *holder); + +DDS_EXPORT void 
+DDS_Security_DataHolder_deinit( + DDS_Security_DataHolder *holder); + +DDS_EXPORT void +DDS_Security_DataHolder_copy( + DDS_Security_DataHolder *dst, + const DDS_Security_DataHolder *src); + +DDS_EXPORT bool +DDS_Security_DataHolder_equal( + const DDS_Security_DataHolder *psa, + const DDS_Security_DataHolder *psb); + +DDS_EXPORT const DDS_Security_Property_t * +DDS_Security_DataHolder_find_property( + const DDS_Security_DataHolder *holder, + const char *name); + +DDS_EXPORT const DDS_Security_BinaryProperty_t * +DDS_Security_DataHolder_find_binary_property( + const DDS_Security_DataHolder *holder, + const char *name); + +DDS_EXPORT DDS_Security_DataHolderSeq * +DDS_Security_DataHolderSeq_alloc( + void); + +DDS_EXPORT DDS_Security_DataHolder * +DDS_Security_DataHolderSeq_allocbuf( + DDS_Security_unsigned_long len); + +DDS_EXPORT void +DDS_Security_DataHolderSeq_freebuf( + DDS_Security_DataHolderSeq *seq); + +DDS_EXPORT void +DDS_Security_DataHolderSeq_free( + DDS_Security_DataHolderSeq *seq); + +DDS_EXPORT void +DDS_Security_DataHolderSeq_deinit( + DDS_Security_DataHolderSeq *seq); + +DDS_EXPORT void +DDS_Security_DataHolderSeq_copy( + DDS_Security_DataHolderSeq *dst, + const DDS_Security_DataHolderSeq *src); + +DDS_EXPORT DDS_Security_ParticipantBuiltinTopicData * +DDS_Security_ParticipantBuiltinTopicData_alloc( + void); + +DDS_EXPORT void +DDS_Security_ParticipantBuiltinTopicData_free( + DDS_Security_ParticipantBuiltinTopicData *data); + +DDS_EXPORT void +DDS_Security_ParticipantBuiltinTopicData_deinit( + DDS_Security_ParticipantBuiltinTopicData *data); + +DDS_EXPORT DDS_Security_OctetSeq * +DDS_Security_OctetSeq_alloc( + void); + +DDS_EXPORT DDS_Security_octet * +DDS_Security_OctetSeq_allocbuf( + DDS_Security_unsigned_long len); + +DDS_EXPORT void +DDS_Security_OctetSeq_freebuf( + DDS_Security_OctetSeq *seq); + +DDS_EXPORT void +DDS_Security_OctetSeq_free( + DDS_Security_OctetSeq *seq); + +DDS_EXPORT void +DDS_Security_OctetSeq_deinit( + DDS_Security_OctetSeq 
*seq); + +DDS_EXPORT void +DDS_Security_OctetSeq_copy( + DDS_Security_OctetSeq *dst, + const DDS_Security_OctetSeq *src); + +DDS_EXPORT DDS_Security_HandleSeq * +DDS_Security_HandleSeq_alloc( + void); + +DDS_EXPORT DDS_Security_long_long * +DDS_Security_HandleSeq_allocbuf( + DDS_Security_unsigned_long length); + +DDS_EXPORT void +DDS_Security_HandleSeq_freebuf( + DDS_Security_HandleSeq *seq); + +DDS_EXPORT void +DDS_Security_HandleSeq_free( + DDS_Security_HandleSeq *seq); + +DDS_EXPORT void +DDS_Security_HandleSeq_deinit( + DDS_Security_HandleSeq *seq); + +DDS_EXPORT void +DDS_Security_Exception_set( + DDS_Security_SecurityException *ex, + const char *context, + int code, + int minor_code, + const char *fmt, + ...); + + +#if DDSI_INCLUDE_SSL +DDS_EXPORT void +DDS_Security_Exception_set_with_openssl_error( + DDS_Security_SecurityException *ex, + const char *context, + int code, + int minor_code, + const char *fmt); + +#endif + +DDS_EXPORT void +DDS_Security_Exception_reset( + DDS_Security_SecurityException *ex); + +DDS_EXPORT void +DDS_Security_Exception_clean( + DDS_Security_SecurityException *ex); + +DDS_EXPORT void +DDS_Security_PropertyQosPolicy_deinit( + DDS_Security_PropertyQosPolicy *policy); + +DDS_EXPORT void +DDS_Security_PropertyQosPolicy_free( + DDS_Security_PropertyQosPolicy *policy); + +DDS_EXPORT void +DDS_Security_set_token_nil( + DDS_Security_DataHolder *token); + +DDS_EXPORT void +DDS_Security_KeyMaterial_AES_GCM_GMAC_deinit( + DDS_Security_KeyMaterial_AES_GCM_GMAC *key_material); + +DDS_EXPORT DDS_Security_CryptoTransformKind_Enum +DDS_Security_basicprotectionkind2transformationkind( + const DDS_Security_PropertySeq *properties, + DDS_Security_BasicProtectionKind protection); + +DDS_EXPORT DDS_Security_CryptoTransformKind_Enum +DDS_Security_protectionkind2transformationkind( + const DDS_Security_PropertySeq *properties, + DDS_Security_ProtectionKind protection); + +DDS_EXPORT DDS_Security_config_item_prefix_t +DDS_Security_get_conf_item_type( + 
const char *str, + char **data); + +DDS_EXPORT char * +DDS_Security_normalize_file( + const char *filepath); + +/** + * \brief Find first occurrence of character in null terminated string + * + * @param str String to search for given characters + * @param chrs Characters to search for in string + * @param inc true to find first character included in given characters, + * false to find first character not included. + * @return Pointer to first occurrence of character in string, or NULL + */ + +DDS_EXPORT char * +ddssec_strchrs ( + const char *str, + const char *chrs, + bool inc); + + +#define DDS_Security_ParticipantCryptoTokenSeq_alloc() \ + (DDS_Security_ParticipantCryptoTokenSeq *)DDS_Security_DataHolderSeq_alloc()) +#define DDS_Security_ParticipantCryptoTokenSeq_freebuf(s) \ + DDS_Security_DataHolderSeq_freebuf((DDS_Security_DataHolderSeq *)(s)) +#define DDS_Security_ParticipantCryptoTokenSeq_free(s) \ + DDS_Security_DataHolderSeq_free((DDS_Security_DataHolderSeq *)(s)) +#define DDS_Security_ParticipantCryptoTokenSeq_deinit(s) \ + DDS_Security_DataHolderSeq_deinit((DDS_Security_DataHolderSeq *)(s)) +#define DDS_Security_ParticipantCryptoTokenSeq_copy(d,s) \ + DDS_Security_DataHolderSeq_copy((DDS_Security_DataHolderSeq *)(d), (const DDS_Security_DataHolderSeq *)(s)) + + +#define DDS_Security_ParticipantCryptoHandleSeq_alloc() (DDS_Security_ParticipantCryptoHandleSeq*)DDS_Security_HandleSeq_alloc() +#define DDS_Security_ParticipantCryptoHandleSeq_allocbuf(l) DDS_Security_HandleSeq_allocbuf(l) +#define DDS_Security_ParticipantCryptoHandleSeq_freebuf(s) DDS_Security_HandleSeq_freebuf((DDS_Security_HandleSeq*)s) +#define DDS_Security_ParticipantCryptoHandleSeq_free(s) DDS_Security_HandleSeq_free((DDS_Security_HandleSeq*)s) +#define DDS_Security_ParticipantCryptoHandleSeq_deinit(s) DDS_Security_HandleSeq_deinit((DDS_Security_HandleSeq*)s) + +#define DDS_Security_DatawriterCryptoHandleSeq_alloc() (DDS_Security_DatawriterCryptoHandleSeq*)DDS_Security_HandleSeq_alloc() 
+#define DDS_Security_DatawriterCryptoHandleSeq_allocbuf(l) DDS_Security_HandleSeq_allocbuf(l) +#define DDS_Security_DatawriterCryptoHandleSeq_freebuf(s) DDS_Security_HandleSeq_freebuf((DDS_Security_HandleSeq*)s) +#define DDS_Security_DatawriterCryptoHandleSeq_free(s) DDS_Security_HandleSeq_free((DDS_Security_HandleSeq*)s) +#define DDS_Security_DatawriterCryptoHandleSeq_deinit(s) DDS_Security_HandleSeq_deinit((DDS_Security_HandleSeq*)s) + +#define DDS_Security_DatareaderCryptoHandleSeq_alloc() (DDS_Security_DatareaderCryptoHandleSeq*)DDS_Security_HandleSeq_alloc() +#define DDS_Security_DatareaderCryptoHandleSeq_allocbuf(l) DDS_Security_HandleSeq_allocbuf(l) +#define DDS_Security_DatareaderCryptoHandleSeq_freebuf(s) DDS_Security_HandleSeq_freebuf((DDS_Security_HandleSeq*)s) +#define DDS_Security_DatareaderCryptoHandleSeq_free(s) DDS_Security_HandleSeq_free((DDS_Security_HandleSeq*)s) +#define DDS_Security_DatareaderCryptoHandleSeq_deinit(s) DDS_Security_HandleSeq_deinit((DDS_Security_HandleSeq*)s) + +#define DDS_Security_CryptoTokenSeq_alloc() (DDS_Security_CryptoTokenSeq*)DDS_Security_DataHolderSeq_alloc() +#define DDS_Security_CryptoTokenSeq_allocbuf(l) DDS_Security_DataHolderSeq_allocbuf(l) +#define DDS_Security_CryptoTokenSeq_freebuf(s) DDS_Security_DataHolderSeq_freebuf((DDS_Security_CryptoTokenSeq*)s) +#define DDS_Security_CryptoTokenSeq_free(s) DDS_Security_DataHolderSeq_free((DDS_Security_CryptoTokenSeq*)s) + + +/* for DEBUG purposes */ +DDS_EXPORT void +print_binary_debug( + char* name, + unsigned char *value, + uint32_t size); + +DDS_EXPORT void +print_binary_properties_debug( + const DDS_Security_DataHolder *token); + + +#endif /* DSCMN_SECURITY_UTILS_H_ */ diff --git a/src/security/core/include/dds/security/core/shared_secret.h b/src/security/core/include/dds/security/core/shared_secret.h new file mode 100644 index 0000000..e0262d7 --- /dev/null +++ b/src/security/core/include/dds/security/core/shared_secret.h 
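Review bot: `DDS_Security_ParticipantCryptoTokenSeq_alloc()` expands to an expression with one more `)` than `(`, so the first use of the macro will not compile; it should read `((DDS_Security_ParticipantCryptoTokenSeq *)DDS_Security_DataHolderSeq_alloc())`. The `*CryptoHandleSeq_freebuf/free/deinit(s)` and `DDS_Security_CryptoTokenSeq_freebuf/free(s)` wrappers cast `s` without parenthesising it, e.g. `(DDS_Security_HandleSeq*)s`, which binds wrongly for an argument such as `p + 1`; `(DDS_Security_HandleSeq *)(s)` matches the form the ParticipantCryptoTokenSeq macros already use. `print_binary_debug` and `print_binary_properties_debug` are exported unconditionally; their bodies are outside this hunk, but if they print token or key octets it would be safer to compile them only in debug builds.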
@@ -0,0 +1,40 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+
+#ifndef SRC_SECURITY_CORE_INCLUDE_SHARED_SECRET_HANDLE_H_
+#define SRC_SECURITY_CORE_INCLUDE_SHARED_SECRET_HANDLE_H_
+
+#include "dds/export.h"
+#include
+#include "dds/security/dds_security_api.h"
+
+
+typedef struct DDS_Security_SharedSecretHandleImpl {
+
+ DDS_Security_octet* shared_secret;
+ DDS_Security_long shared_secret_size;
+ DDS_Security_octet challenge1[DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE];
+ DDS_Security_octet challenge2[DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE];
+
+} DDS_Security_SharedSecretHandleImpl;
+
+DDS_EXPORT const DDS_Security_octet* get_challenge1_from_secret_handle( DDS_Security_SharedSecretHandle handle);
+
+DDS_EXPORT const DDS_Security_octet* get_challenge2_from_secret_handle( DDS_Security_SharedSecretHandle handle );
+
+DDS_EXPORT const DDS_Security_octet* get_secret_from_secret_handle( DDS_Security_SharedSecretHandle handle );
+
+DDS_EXPORT int32_t get_secret_size_from_secret_handle( DDS_Security_SharedSecretHandle handle );
+
+#endif /* SRC_SECURITY_CORE_INCLUDE_SHARED_SECRET_H_ */
+
diff --git a/src/security/core/src/dds_security_serialize.c b/src/security/core/src/dds_security_serialize.c
new file mode 100644
index 0000000..afa9733
--- /dev/null
+++ b/src/security/core/src/dds_security_serialize.c
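Review bot: The four `get_*_from_secret_handle` accessors are undocumented, and the header does not say what they return for a nil or invalid `DDS_Security_SharedSecretHandle` or who owns the returned pointers. Since they hand out the shared secret and both challenges, I would add a comment such as `/* Returns a pointer into the handle's storage; valid only while the handle is alive, must not be freed or modified by the caller. */` and state the result for an invalid handle (the implementation is outside this hunk). `shared_secret_size` is a signed `DDS_Security_long` and `get_secret_size_from_secret_handle` returns `int32_t`, so callers should reject negative values before using the size as a length. The closing `#endif` comment names `SRC_SECURITY_CORE_INCLUDE_SHARED_SECRET_H_` while the guard is `SRC_SECURITY_CORE_INCLUDE_SHARED_SECRET_HANDLE_H_`.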
@@ -0,0 +1,813 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + + +#include +#include +#include "dds/ddsrt/heap.h" +#include "dds/ddsrt/atomics.h" +#include "dds/ddsrt/string.h" + +#include "dds/security/core/dds_security_serialize.h" +#include "dds/security/core/dds_security_utils.h" +#include "dds/ddsrt/endian.h" +#include "dds/ddsrt/bswap.h" + + +#define BYTE_ORDER_BIG_ENDIAN 0x02 +#define BYTE_ORDER_LITTLE_ENDIAN 0x03 + +#define PID_PAD 0x0u +#define PID_SENTINEL 0x1u +#define PID_USER_DATA 0x2cu +#define PID_TOPIC_NAME 0x5u +#define PID_TYPE_NAME 0x7u +#define PID_GROUP_DATA 0x2du +#define PID_TOPIC_DATA 0x2eu +#define PID_DURABILITY 0x1du +#define PID_DURABILITY_SERVICE 0x1eu +#define PID_DEADLINE 0x23u +#define PID_LATENCY_BUDGET 0x27u +#define PID_LIVELINESS 0x1bu +#define PID_RELIABILITY 0x1au +#define PID_LIFESPAN 0x2bu +#define PID_DESTINATION_ORDER 0x25u +#define PID_HISTORY 0x40u +#define PID_RESOURCE_LIMITS 0x41u +#define PID_OWNERSHIP 0x1fu +#define PID_OWNERSHIP_STRENGTH 0x6u +#define PID_PRESENTATION 0x21u +#define PID_PARTITION 0x29u +#define PID_TIME_BASED_FILTER 0x4u +#define PID_TRANSPORT_PRIORITY 0x49u +#define PID_PROTOCOL_VERSION 0x15u +#define PID_VENDORID 0x16u +#define PID_UNICAST_LOCATOR 0x2fu +#define PID_MULTICAST_LOCATOR 0x30u +#define PID_MULTICAST_IPADDRESS 0x11u +#define PID_DEFAULT_UNICAST_LOCATOR 0x31u +#define PID_DEFAULT_MULTICAST_LOCATOR 0x48u +#define PID_METATRAFFIC_UNICAST_LOCATOR 0x32u +#define PID_METATRAFFIC_MULTICAST_LOCATOR 0x33u +#define PID_DEFAULT_UNICAST_IPADDRESS 0xcu +#define PID_DEFAULT_UNICAST_PORT 0xeu +#define 
PID_METATRAFFIC_UNICAST_IPADDRESS 0x45u +#define PID_METATRAFFIC_UNICAST_PORT 0xdu +#define PID_METATRAFFIC_MULTICAST_IPADDRESS 0xbu +#define PID_METATRAFFIC_MULTICAST_PORT 0x46u +#define PID_EXPECTS_INLINE_QOS 0x43u +#define PID_PARTICIPANT_MANUAL_LIVELINESS_COUNT 0x34u +#define PID_PARTICIPANT_BUILTIN_ENDPOINTS 0x44u +#define PID_PARTICIPANT_LEASE_DURATION 0x2u +#define PID_CONTENT_FILTER_PROPERTY 0x35u +#define PID_PARTICIPANT_GUID 0x50u +#define PID_PARTICIPANT_ENTITYID 0x51u +#define PID_GROUP_GUID 0x52u +#define PID_GROUP_ENTITYID 0x53u +#define PID_BUILTIN_ENDPOINT_SET 0x58u +#define PID_PROPERTY_LIST 0x59u +#define PID_TYPE_MAX_SIZE_SERIALIZED 0x60u +#define PID_ENTITY_NAME 0x62u +#define PID_KEYHASH 0x70u +#define PID_STATUSINFO 0x71u +#define PID_CONTENT_FILTER_INFO 0x55u +#define PID_COHERENT_SET 0x56u +#define PID_DIRECTED_WRITE 0x57u +#define PID_ORIGINAL_WRITER_INFO 0x61u +#define PID_ENDPOINT_GUID 0x5au + +/* Security related PID values. */ +#define PID_IDENTITY_TOKEN 0x1001u +#define PID_PERMISSIONS_TOKEN 0x1002u +#define PID_ENDPOINT_SECURITY_INFO 0x1004u +#define PID_PARTICIPANT_SECURITY_INFO 0x1005u +#define PID_IDENTITY_STATUS_TOKEN 0x1006u + + +struct DDS_Security_Serializer { + unsigned char *buffer; + size_t size; + size_t offset; + size_t increment; + size_t marker; +}; + +struct DDS_Security_Deserializer { + const unsigned char *buffer; + const unsigned char *cursor; + size_t size; + size_t remain; +}; + + +static size_t +alignup_size ( + size_t x, + size_t a) +{ + size_t m = a-1; + return (x+m) & ~m; +} + +static size_t +alignup_ptr( + const unsigned char *ptr, + size_t a) +{ + size_t m = (a - 1); + size_t x = (size_t) ptr; + return ((x+m) & ~m) - x; +} + +DDS_Security_Serializer +DDS_Security_Serializer_new( + size_t size, + size_t increment) +{ + DDS_Security_Serializer serializer; + + serializer = ddsrt_malloc(sizeof(*serializer)); + serializer->buffer = ddsrt_malloc(size); + serializer->size = size; + serializer->increment = increment; 
+ serializer->offset = 0; + + return serializer; +} + +void +DDS_Security_Serializer_free( + DDS_Security_Serializer ser) +{ + if (ser) { + ddsrt_free(ser->buffer); + ddsrt_free(ser); + } +} + +void +DDS_Security_Serializer_buffer( + DDS_Security_Serializer ser, + unsigned char **buffer, + size_t *size) +{ + assert(ser); + assert(buffer); + assert(size); + + *buffer = ser->buffer; + *size = ser->offset; + ser->buffer = NULL; +} + +static void +serbuffer_adjust_size( + DDS_Security_Serializer ser, + size_t needed) +{ + if (ser->size - ser->offset < needed) { + ser->buffer = ddsrt_realloc(ser->buffer, ser->size + needed + ser->increment); + ser->size += needed + ser->increment; + } +} + +static void +serbuffer_align( + DDS_Security_Serializer ser, + size_t alignment) +{ + size_t offset, i; + + offset = alignup_size(ser->offset, alignment); + serbuffer_adjust_size(ser, offset-ser->offset); + for (i = 0; i < offset - ser->offset; i++) { + ser->buffer[ser->offset+i] = 0; + } + ser->offset = offset; +} + +static void +DDS_Security_Serialize_mark_len( + DDS_Security_Serializer ser) +{ + serbuffer_align(ser, 2); + serbuffer_adjust_size(ser, 2); + ser->marker = ser->offset; + ser->offset += 2; +} + +static void +DDS_Security_Serialize_update_len( + DDS_Security_Serializer ser) +{ + unsigned short len; + + len = (unsigned short)(ser->offset - ser->marker - sizeof(unsigned short)); + *(unsigned short *)&(ser->buffer[ser->marker]) = ddsrt_toBE2u(len); +} + +static void +DDS_Security_Serialize_uint16( + DDS_Security_Serializer ser, + unsigned short value) +{ + serbuffer_align(ser, sizeof(unsigned short)); + serbuffer_adjust_size(ser, sizeof(unsigned short)); + + *(unsigned short *)&(ser->buffer[ser->offset]) = ddsrt_toBE2u(value); + ser->offset += sizeof(unsigned short); +} + +static void +DDS_Security_Serialize_uint32_t( + DDS_Security_Serializer ser, + uint32_t value) +{ + serbuffer_align(ser, sizeof(uint32_t)); + serbuffer_adjust_size(ser, sizeof(uint32_t)); + + *(uint32_t 
*)&(ser->buffer[ser->offset]) = ddsrt_toBE4u(value); + ser->offset += sizeof(uint32_t); +} + +static void +DDS_Security_Serialize_string( + DDS_Security_Serializer ser, + const char *str) +{ + size_t len; + + len = strlen(str) + 1; + + DDS_Security_Serialize_uint32_t(ser, (uint32_t)len); + serbuffer_adjust_size(ser, len ); + + memcpy(&(ser->buffer[ser->offset]), str, len); + ser->offset += len; + serbuffer_align(ser, sizeof(uint32_t)); +} + +static void +DDS_Security_Serialize_Property( + DDS_Security_Serializer ser, + const DDS_Security_Property_t *property) +{ + DDS_Security_Serialize_string(ser, property->name); + DDS_Security_Serialize_string(ser, property->value); +} + +static void +DDS_Security_Serialize_OctetSeq( + DDS_Security_Serializer ser, + const DDS_Security_OctetSeq *seq) +{ + DDS_Security_Serialize_uint32_t(ser, seq->_length); + serbuffer_adjust_size(ser, seq->_length); + memcpy(&(ser->buffer[ser->offset]), seq->_buffer, seq->_length); + ser->offset += seq->_length; +} + +static void +DDS_Security_Serialize_BinaryProperty( + DDS_Security_Serializer ser, + const DDS_Security_BinaryProperty_t *property) +{ + DDS_Security_Serialize_string(ser, property->name); + DDS_Security_Serialize_OctetSeq(ser, &property->value); +} + +void +DDS_Security_Serialize_PropertySeq( + DDS_Security_Serializer ser, + const DDS_Security_PropertySeq *seq) +{ + uint32_t i; + + DDS_Security_Serialize_uint32_t(ser, seq->_length); + for (i = 0; i < seq->_length; i++) { + DDS_Security_Serialize_Property(ser, &seq->_buffer[i]); + } +} + +void +DDS_Security_Serialize_BinaryPropertyArray( + DDS_Security_Serializer serializer, + const DDS_Security_BinaryProperty_t **properties, + const uint32_t propertyLength) +{ + uint32_t i; + + DDS_Security_Serialize_uint32_t(serializer, propertyLength); + for (i = 0; i < propertyLength ; i++) { + DDS_Security_Serialize_BinaryProperty(serializer, properties[i]); + } +} + +void +DDS_Security_Serialize_BinaryPropertySeq( + DDS_Security_Serializer 
serializer, + const DDS_Security_BinaryPropertySeq *seq) +{ + uint32_t i; + + DDS_Security_Serialize_uint32_t(serializer, seq->_length); + for (i = 0; i < seq->_length; i++) { + DDS_Security_Serialize_BinaryProperty(serializer, &seq->_buffer[i]); + } +} + + +static void +DDS_Security_Serialize_DataHolder( + DDS_Security_Serializer ser, + const DDS_Security_DataHolder *holder) +{ + DDS_Security_Serialize_string(ser, holder->class_id); + DDS_Security_Serialize_PropertySeq(ser, &holder->properties); + DDS_Security_Serialize_BinaryPropertySeq(ser, &holder->binary_properties); +} + + +static void +DDS_Security_Serialize_BuiltinTopicKey( + DDS_Security_Serializer ser, + DDS_Security_BuiltinTopicKey_t key) +{ + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_PARTICIPANT_GUID); + DDS_Security_Serialize_uint16(ser, 16); + DDS_Security_Serialize_uint32_t(ser, key[0]); + DDS_Security_Serialize_uint32_t(ser, key[1]); + DDS_Security_Serialize_uint32_t(ser, key[2]); + /* 4 Bytes are expected for whatever reason (gid vs guid?). 
*/ + DDS_Security_Serialize_uint32_t(ser, 0); +} + +static void +DDS_Security_Serialize_UserDataQosPolicy( + DDS_Security_Serializer ser, + DDS_Security_OctetSeq *seq) +{ + if (seq->_length > 0) { + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_USER_DATA); + DDS_Security_Serialize_uint16(ser, (unsigned short)seq->_length); + DDS_Security_Serialize_OctetSeq(ser, seq); + } +} + +static void +DDS_Security_Serialize_IdentityToken( + DDS_Security_Serializer ser, + DDS_Security_IdentityToken *token) +{ + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_IDENTITY_TOKEN); + DDS_Security_Serialize_mark_len(ser); + DDS_Security_Serialize_DataHolder(ser, token); + DDS_Security_Serialize_update_len(ser); +} + +static void +DDS_Security_Serialize_PermissionsToken( + DDS_Security_Serializer ser, + DDS_Security_PermissionsToken *token) +{ + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_PERMISSIONS_TOKEN); + DDS_Security_Serialize_mark_len(ser); + DDS_Security_Serialize_DataHolder(ser, token); + DDS_Security_Serialize_update_len(ser); +} + +static void +DDS_Security_Serialize_PropertyQosPolicy( + DDS_Security_Serializer ser, + DDS_Security_PropertyQosPolicy *policy) +{ + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_PROPERTY_LIST); + DDS_Security_Serialize_mark_len(ser); + DDS_Security_Serialize_PropertySeq(ser, &policy->value); + DDS_Security_Serialize_BinaryPropertySeq(ser, &policy->binary_value); + DDS_Security_Serialize_update_len(ser); +} + +static void +DDS_Security_Serialize_ParticipantSecurityInfo( + DDS_Security_Serializer ser, + DDS_Security_ParticipantSecurityInfo *info) +{ + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_PARTICIPANT_SECURITY_INFO); + DDS_Security_Serialize_uint16(ser, 8); + DDS_Security_Serialize_uint32_t(ser, info->participant_security_attributes); + 
DDS_Security_Serialize_uint32_t(ser, info->plugin_participant_security_attributes); +} + + +void +DDD_Security_Serialize_ParticipantBuiltinTopicData( + DDS_Security_Serializer ser, + DDS_Security_ParticipantBuiltinTopicData *pdata) +{ + DDS_Security_Serialize_BuiltinTopicKey(ser, pdata->key); + DDS_Security_Serialize_UserDataQosPolicy(ser, &pdata->user_data.value); + DDS_Security_Serialize_IdentityToken(ser, &pdata->identity_token); + DDS_Security_Serialize_PermissionsToken(ser, &pdata->permissions_token); + DDS_Security_Serialize_PropertyQosPolicy(ser, &pdata->property); + DDS_Security_Serialize_ParticipantSecurityInfo(ser, &pdata->security_info); + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_SENTINEL); + DDS_Security_Serialize_uint16(ser, 0); +} + +static void +DDD_Security_Serialize_OctetArray( + DDS_Security_Serializer ser, + const DDS_Security_octet *data, + uint32_t length) +{ + serbuffer_adjust_size(ser, length); + memcpy(&ser->buffer[ser->offset], data, length); + ser->offset += length; +} + +void +DDD_Security_Serialize_KeyMaterial_AES_GCM_GMAC( + DDS_Security_Serializer ser, + const DDS_Security_KeyMaterial_AES_GCM_GMAC *data) +{ + DDD_Security_Serialize_OctetArray(ser, data->transformation_kind, sizeof(data->transformation_kind)); + DDS_Security_Serialize_OctetSeq(ser, &data->master_salt); + DDD_Security_Serialize_OctetArray(ser, data->sender_key_id, sizeof(data->sender_key_id)); + DDS_Security_Serialize_OctetSeq(ser, &data->master_sender_key); + DDD_Security_Serialize_OctetArray(ser, data->receiver_specific_key_id, sizeof(data->receiver_specific_key_id)); + DDS_Security_Serialize_OctetSeq(ser, &data->master_receiver_specific_key); +} + + +DDS_Security_Deserializer +DDS_Security_Deserializer_new( + const unsigned char *data, + size_t size) +{ + DDS_Security_Deserializer deserializer; + + deserializer = ddsrt_malloc(sizeof(*deserializer)); + + deserializer->buffer = data; + deserializer->cursor = data; + 
deserializer->size = size; + deserializer->remain = size; + + return deserializer; +} + +void +DDS_Security_Deserializer_free( + DDS_Security_Deserializer dser) +{ + ddsrt_free(dser); +} + +static void +DDS_Security_Deserialize_align( + DDS_Security_Deserializer dser, + size_t size) +{ + size_t l = alignup_ptr(dser->cursor, size); + + if (dser->remain >= l) { + dser->cursor += l; + dser->remain -= l; + } else { + dser->remain = 0; + } +} + +static int +DDS_Security_Deserialize_uint16( + DDS_Security_Deserializer dser, + unsigned short *value) +{ + size_t l = sizeof(unsigned short); + + DDS_Security_Deserialize_align(dser, l); + + if (dser->remain < l) { + return 0; + } + *value = ddsrt_fromBE2u(*(unsigned short *)dser->cursor); + dser->cursor += l; + dser->remain -= l; + + return 1; +} + +static int +DDS_Security_Deserialize_uint32_t( + DDS_Security_Deserializer dser, + uint32_t *value) +{ + size_t l = sizeof(uint32_t); + + DDS_Security_Deserialize_align(dser, l); + + if (dser->remain < l) { + return 0; + } + *value = ddsrt_fromBE4u(*(uint32_t *)dser->cursor); + dser->cursor += l; + dser->remain -= l; + + return 1; +} + +static int +DDS_Security_Deserialize_string( + DDS_Security_Deserializer dser, + char **value) +{ + uint32_t len; + size_t sz; + + if (!DDS_Security_Deserialize_uint32_t(dser, &len)) { + return 0; + } + + sz = (size_t)len; + + if (dser->remain < sz) { + return 0; + } + + if (sz > 0 && (dser->cursor[sz-1] == 0)) { + *value = ddsrt_strdup((char *)dser->cursor); + /* Consider padding */ + sz = alignup_size(sz, sizeof(uint32_t)); + dser->cursor += sz; + dser->remain -= sz; + } else { + *value = ddsrt_strdup(""); + } + return 1; +} + +static int +DDS_Security_Deserialize_OctetArray( + DDS_Security_Deserializer dser, + unsigned char *arr, + uint32_t length) +{ + if (dser->remain < length) { + return 0; + } + memcpy(arr, dser->cursor, length); + dser->cursor += length; + dser->remain -= length; + + return 1; +} + +static int 
+DDS_Security_Deserialize_OctetSeq( + DDS_Security_Deserializer dser, + DDS_Security_OctetSeq *seq) +{ + if (!DDS_Security_Deserialize_uint32_t(dser, &seq->_length)) { + return 0; + } + + if (dser->remain < seq->_length) { + return 0; + } + + if (seq->_length > 0) { + /* Consider padding */ + size_t a_size = alignup_size(seq->_length, sizeof(uint32_t)); + seq->_buffer = ddsrt_malloc(seq->_length); + memcpy(seq->_buffer, dser->cursor, seq->_length); + dser->cursor += a_size; + dser->remain -= a_size; + } else { + seq->_buffer = NULL; + } + return 1; +} + +static int +DDS_Security_Deserialize_Property( + DDS_Security_Deserializer dser, + DDS_Security_Property_t *property) +{ + return DDS_Security_Deserialize_string(dser, &property->name) && + DDS_Security_Deserialize_string(dser, &property->value); +} + +static int +DDS_Security_Deserialize_BinaryProperty( + DDS_Security_Deserializer dser, + DDS_Security_BinaryProperty_t *property) +{ + return DDS_Security_Deserialize_string(dser, &property->name) && + DDS_Security_Deserialize_OctetSeq(dser, &property->value); +} + +static int +DDS_Security_Deserialize_PropertySeq( + DDS_Security_Deserializer dser, + DDS_Security_PropertySeq *seq) +{ + int r = 1; + uint32_t i; + + if (!DDS_Security_Deserialize_uint32_t(dser, &seq->_length)) { + return 0; + } + + if (seq->_length > 0) { + seq->_buffer = DDS_Security_PropertySeq_allocbuf(seq->_length); + for (i = 0; i < seq->_length && r; i++) { + r = DDS_Security_Deserialize_Property(dser, &seq->_buffer[i]); + } + } + + return r; +} + +static int +DDS_Security_Deserialize_BinaryPropertySeq( + DDS_Security_Deserializer dser, + DDS_Security_BinaryPropertySeq *seq) +{ + int r = 1; + uint32_t i; + + if (!DDS_Security_Deserialize_uint32_t(dser, &seq->_length)) { + return 0; + } + + if (seq->_length > 0) { + seq->_buffer = DDS_Security_BinaryPropertySeq_allocbuf(seq->_length); + for (i = 0; i < seq->_length && r; i++) { + r = DDS_Security_Deserialize_BinaryProperty(dser, &seq->_buffer[i]); 
+ } + } + + return r; +} + +static int +DDS_Security_Deserialize_DataHolder( + DDS_Security_Deserializer dser, + DDS_Security_DataHolder *holder) +{ + return DDS_Security_Deserialize_string(dser, &holder->class_id) && + DDS_Security_Deserialize_PropertySeq(dser, &holder->properties) && + DDS_Security_Deserialize_BinaryPropertySeq(dser, &holder->binary_properties); +} + + +static int +DDS_Security_Deserialize_PropertyQosPolicy( + DDS_Security_Deserializer dser, + DDS_Security_PropertyQosPolicy *policy) +{ + return DDS_Security_Deserialize_PropertySeq(dser, &policy->value) && + DDS_Security_Deserialize_BinaryPropertySeq(dser, &policy->binary_value); +} + +static int +DDS_Security_Deserialize_BuiltinTopicKey( + DDS_Security_Deserializer dser, + DDS_Security_BuiltinTopicKey_t key) +{ + int r; + + r = DDS_Security_Deserialize_uint32_t(dser, (uint32_t *)&key[0]) && + DDS_Security_Deserialize_uint32_t(dser, (uint32_t *)&key[1]) && + DDS_Security_Deserialize_uint32_t(dser, (uint32_t *)&key[2]); + + /* guid is 16 bytes, so skip the last 4 bytes */ + dser->cursor += 4; + dser->remain -= 4; + + return r; +} + +static int +DDS_Security_Deserialize_ParticipantSecurityInfo( + DDS_Security_Deserializer dser, + DDS_Security_ParticipantSecurityInfo *info) +{ + int r; + + r = DDS_Security_Deserialize_uint32_t(dser, &info->participant_security_attributes) && + DDS_Security_Deserialize_uint32_t(dser, &info->plugin_participant_security_attributes); + + return r; +} + +int +DDD_Security_Deserialize_ParticipantBuiltinTopicData( + DDS_Security_Deserializer dser, + DDS_Security_ParticipantBuiltinTopicData *pdata, + DDS_Security_SecurityException *ex) +{ + unsigned short len=0; + unsigned short pid=0; + int r, ready = 0; + + do { + DDS_Security_Deserialize_align(dser, 4); + r = DDS_Security_Deserialize_uint16(dser, &pid) && + DDS_Security_Deserialize_uint16(dser, &len); + + if (r && (len <= dser->remain)) { + const unsigned char *next_cursor = dser->cursor + len; + + switch (pid) { + case 
PID_PARTICIPANT_GUID: + r = DDS_Security_Deserialize_BuiltinTopicKey(dser, pdata->key); + break; + case PID_USER_DATA: + r = DDS_Security_Deserialize_OctetSeq(dser, &pdata->user_data.value); + break; + case PID_IDENTITY_TOKEN: + r = DDS_Security_Deserialize_DataHolder(dser, &pdata->identity_token); + break; + case PID_PERMISSIONS_TOKEN: + r = DDS_Security_Deserialize_DataHolder(dser, &pdata->permissions_token); + break; + case PID_PROPERTY_LIST: + r = DDS_Security_Deserialize_PropertyQosPolicy(dser, &pdata->property); + break; + case PID_PARTICIPANT_SECURITY_INFO: + r = DDS_Security_Deserialize_ParticipantSecurityInfo(dser, &pdata->security_info); + break; + case PID_SENTINEL: + ready = 1; + break; + default: + dser->cursor += len; + dser->remain -= len; + break; + } + + if (r) { + if (dser->cursor != next_cursor) { + DDS_Security_Exception_set(ex, "Deserialization", DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, + "Deserialize PID 0x%x failed: internal_size %d != external_size %d", pid, (int)len + (int)(dser->cursor - next_cursor), (int)len); + r = 0; + } + } else { + DDS_Security_Exception_set(ex, "Deserialization", DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, + "Deserialize PID 0x%x failed: parsing failed", pid); + } + } else { + if (!r) { + DDS_Security_Exception_set(ex, "Deserialization", DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, + "Deserialize parameter header failed"); + } + } + } while (r && !ready && dser->remain > 0); + + return ready; +} + +void +DDD_Security_BuiltinTopicKeyBE( + DDS_Security_BuiltinTopicKey_t dst, + const DDS_Security_BuiltinTopicKey_t src) +{ + dst[0] = ddsrt_toBE4u(src[0]); + dst[1] = ddsrt_toBE4u(src[1]); + dst[2] = ddsrt_toBE4u(src[2]); +} + +int +DDD_Security_Deserialize_KeyMaterial_AES_GCM_GMAC( + DDS_Security_Deserializer dser, + DDS_Security_KeyMaterial_AES_GCM_GMAC *data) +{ + int r = 0; + + r = DDS_Security_Deserialize_OctetArray(dser, data->transformation_kind, 
sizeof(data->transformation_kind)) && + DDS_Security_Deserialize_OctetSeq(dser, &data->master_salt) && + DDS_Security_Deserialize_OctetArray(dser, data->sender_key_id, sizeof(data->sender_key_id)) && + DDS_Security_Deserialize_OctetSeq(dser, &data->master_sender_key) && + DDS_Security_Deserialize_OctetArray(dser, data->receiver_specific_key_id, sizeof(data->receiver_specific_key_id)) && + DDS_Security_Deserialize_OctetSeq(dser, &data->master_receiver_specific_key); + + return r; +} diff --git a/src/security/core/src/dds_security_utils.c b/src/security/core/src/dds_security_utils.c new file mode 100644 index 0000000..8e417e6 --- /dev/null +++ b/src/security/core/src/dds_security_utils.c 
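Review bot: `DDS_Security_Deserialize_string` and `DDS_Security_Deserialize_OctetSeq` check `dser->remain` against the unpadded length but then advance by the length rounded up to 4, so input that ends without padding makes `dser->remain` (a `size_t`) wrap around and every later bounds check pass with the cursor past the buffer. `DDS_Security_Deserialize_BuiltinTopicKey` has the same problem: it skips 4 bytes without checking `remain`, even when the three reads before it failed. These functions presumably parse data received from other participants, so the remaining-byte count has to stay exact; clamping the padded step to `remain` (below) keeps unpadded trailing data accepted. Also worth bounding: `DDS_Security_Deserialize_PropertySeq` and `DDS_Security_Deserialize_BinaryPropertySeq` pass a `_length` read from the input straight to `*_allocbuf` without comparing it to the bytes left.

```c
/* in DDS_Security_Deserialize_string */
    if (sz > 0 && (dser->cursor[sz-1] == 0)) {
        *value = ddsrt_strdup((char *)dser->cursor);
        /* Consider padding, but never step past the end of the input */
        sz = alignup_size(sz, sizeof(uint32_t));
        if (sz > dser->remain) {
            sz = dser->remain;
        }
        /* … unchanged: advance cursor and remain by sz … */

/* in DDS_Security_Deserialize_OctetSeq */
        size_t a_size = alignup_size(seq->_length, sizeof(uint32_t));
        if (a_size > dser->remain) {
            a_size = dser->remain;
        }
        /* … unchanged: allocate, copy seq->_length octets, advance by a_size … */

/* in DDS_Security_Deserialize_BuiltinTopicKey */
    /* guid is 16 bytes, so skip the last 4 bytes */
    if (!r || dser->remain < 4) {
        return 0;
    }
    /* … unchanged: advance cursor and remain by 4 … */
```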
@@ -0,0 +1,1134 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + +#include +#include +#include +#include +#include "dds/security/dds_security_api.h" +#include "dds/security/core/dds_security_utils.h" +#include "dds/ddsrt/heap.h" +#include "stdlib.h" +#include "stdarg.h" +#include "dds/ddsrt/string.h" +#include "dds/ddsrt/misc.h" + +#if DDSI_INCLUDE_SSL +#include +#include +#endif + +DDS_Security_BinaryProperty_t * +DDS_Security_BinaryProperty_alloc (void) +{ + DDS_Security_BinaryProperty_t *property; + + property = ddsrt_malloc(sizeof(DDS_Security_BinaryProperty_t)); + memset(property, 0, sizeof(DDS_Security_BinaryProperty_t)); + return property; +} + +void +DDS_Security_BinaryProperty_deinit( + DDS_Security_BinaryProperty_t *p) +{ + if (!p) { + return; + } + + ddsrt_free(p->name); + ddsrt_free(p->value._buffer); +} + +void +DDS_Security_BinaryProperty_free( + DDS_Security_BinaryProperty_t *p) +{ + if (p) { + DDS_Security_BinaryProperty_deinit(p); + ddsrt_free(p); + } +} + +void +DDS_Security_BinaryProperty_copy( + DDS_Security_BinaryProperty_t *dst, + DDS_Security_BinaryProperty_t *src) +{ + dst->name = src->name ? 
ddsrt_strdup(src->name) : NULL; + dst->propagate = src->propagate; + dst->value._length = src->value._length; + dst->value._maximum = src->value._maximum; + + if (src->value._buffer) { + dst->value._buffer = ddsrt_malloc(src->value._length); + memcpy(dst->value._buffer, src->value._buffer, src->value._length); + } else { + dst->value._buffer = NULL; + } +} + +bool +DDS_Security_BinaryProperty_equal( + DDS_Security_BinaryProperty_t *pa, + DDS_Security_BinaryProperty_t *pb) +{ + uint32_t i; + + if (pa->name && pb->name) { + if (strcmp(pa->name, pb->name) != 0) { + return false; + } + } else if (pa->name || pb->name) { + return false; + } + + if (pa->value._length != pb->value._length) { + return false; + } + + for (i = 0; i < pa->value._length; i++) { + if (pa->value._buffer && pb->value._buffer) { + if (memcmp(pa->value._buffer, pb->value._buffer, pa->value._length) != 0) { + return false; + } + } else { + return false; + } + } + + return true; +} + +void +DDS_Security_BinaryProperty_set_by_value( + DDS_Security_BinaryProperty_t *bp, + const char *name, + const unsigned char *data, + uint32_t length) +{ + assert(bp); + assert(name); + assert(data); + + bp->name = ddsrt_strdup(name); + bp->value._length = length; + bp->value._maximum = length; + if (length) { + bp->value._buffer = ddsrt_malloc(length); + memcpy(bp->value._buffer, data, length); + } else { + bp->value._buffer = NULL; + } +} + +void +DDS_Security_BinaryProperty_set_by_string( + DDS_Security_BinaryProperty_t *bp, + const char *name, + const char *data) +{ + uint32_t length; + + assert(bp); + assert(name); + assert(data); + + length = (uint32_t) strlen(data) + 1; + DDS_Security_BinaryProperty_set_by_value(bp, name, (unsigned char *)data, length); +} + +void +DDS_Security_BinaryProperty_set_by_ref( + DDS_Security_BinaryProperty_t *bp, + const char *name, + unsigned char *data, + uint32_t length) +{ + assert(bp); + assert(name); + assert(data); + assert(length > 0); + + bp->name = ddsrt_strdup(name); + 
bp->value._length = length; + bp->value._maximum = length; + bp->value._buffer = data; +} + +DDS_Security_BinaryPropertySeq * +DDS_Security_BinaryPropertySeq_alloc (void) +{ + DDS_Security_BinaryPropertySeq *seq; + + seq = ddsrt_malloc(sizeof(DDS_Security_BinaryPropertySeq)); + memset(seq, 0, sizeof(DDS_Security_BinaryPropertySeq)); + return seq; +} + +DDS_Security_BinaryProperty_t * +DDS_Security_BinaryPropertySeq_allocbuf ( + DDS_Security_unsigned_long len) +{ + DDS_Security_BinaryProperty_t *buffer; + + buffer = ddsrt_malloc(len * sizeof(DDS_Security_BinaryProperty_t)); + memset(buffer, 0, len * sizeof(DDS_Security_BinaryProperty_t)); + return buffer; +} + +void +DDS_Security_BinaryPropertySeq_deinit( + DDS_Security_BinaryPropertySeq *seq) +{ + uint32_t i; + + if (!seq) { + return; + } + for (i = 0; i < seq->_length; i++) { + ddsrt_free(seq->_buffer[i].name); + DDS_Security_OctetSeq_deinit(&seq->_buffer[i].value); + } +} + +void +DDS_Security_BinaryPropertySeq_free( + DDS_Security_BinaryPropertySeq *seq) +{ + DDS_Security_BinaryPropertySeq_deinit(seq); + ddsrt_free(seq); +} + + +DDS_Security_Property_t * +DDS_Security_Property_alloc (void) +{ + DDS_Security_Property_t *property; + + property = ddsrt_malloc(sizeof(DDS_Security_Property_t)); + memset(property, 0, sizeof(DDS_Security_Property_t)); + return property; +} + +void +DDS_Security_Property_free( + DDS_Security_Property_t *p) +{ + if (p) { + DDS_Security_Property_deinit(p); + ddsrt_free(p); + } +} + +void +DDS_Security_Property_deinit( + DDS_Security_Property_t *p) +{ + if (!p) { + return; + } + + ddsrt_free(p->name); + ddsrt_free(p->value); +} + +void +DDS_Security_Property_copy( + DDS_Security_Property_t *dst, + DDS_Security_Property_t *src) +{ + dst->name = src->name ? ddsrt_strdup(src->name) : NULL; + dst->value = src->value ? 
ddsrt_strdup(src->value) : NULL; + dst->propagate = src->propagate; +} + +bool +DDS_Security_Property_equal( + DDS_Security_Property_t *pa, + DDS_Security_Property_t *pb) +{ + if (pa->name && pb->name) { + if (strcmp(pa->name, pb->name) != 0) { + return false; + } + } else if (pa->name || pb->name) { + return false; + } + + if (pa->value && pb->value) { + if (strcmp(pa->value, pb->value) != 0) { + return false; + } + } else if (pa->value || pb->value) { + return false; + } + + return true; +} + +char * +DDS_Security_Property_get_value( + const DDS_Security_PropertySeq *properties, + const char *name) +{ + uint32_t i; + char *value = NULL; + + assert(properties); + assert(name); + + for (i = 0; !value && (i < properties->_length); i++) { + if (properties->_buffer[i].name && + (strcmp(name, properties->_buffer[i].name) == 0)) { + if (properties->_buffer[i].value) { + value = ddsrt_strdup(properties->_buffer[i].value); + } + } + } + + return value; +} + +DDS_Security_PropertySeq * +DDS_Security_PropertySeq_alloc (void) +{ + DDS_Security_PropertySeq *seq; + + seq = ddsrt_malloc(sizeof(DDS_Security_PropertySeq)); + memset(seq, 0, sizeof(DDS_Security_PropertySeq)); + return seq; +} + +DDS_Security_Property_t * +DDS_Security_PropertySeq_allocbuf ( + DDS_Security_unsigned_long len) +{ + DDS_Security_Property_t *buffer; + + buffer = ddsrt_malloc(len * sizeof(DDS_Security_Property_t)); + memset(buffer, 0, len * sizeof(DDS_Security_Property_t)); + + return buffer; +} + +void +DDS_Security_PropertySeq_freebuf( + DDS_Security_PropertySeq *seq) +{ + uint32_t i; + + if (seq) { + for (i = 0; i < seq->_length; i++) { + ddsrt_free(seq->_buffer[i].name); + ddsrt_free(seq->_buffer[i].value); + } + ddsrt_free(seq->_buffer); + seq->_length = 0; + seq->_maximum = 0; + seq->_buffer = NULL; + } +} + +void +DDS_Security_PropertySeq_free( + DDS_Security_PropertySeq *seq) +{ + DDS_Security_PropertySeq_deinit(seq); + ddsrt_free(seq); +} + +void +DDS_Security_PropertySeq_deinit( + 
DDS_Security_PropertySeq *seq) +{ + uint32_t i; + + if (!seq) { + return; + } + for (i = 0; i < seq->_length; i++) { + ddsrt_free(seq->_buffer[i].name); + ddsrt_free(seq->_buffer[i].value); + } + ddsrt_free(seq->_buffer); +} + +const DDS_Security_Property_t * +DDS_Security_PropertySeq_find_property ( + const DDS_Security_PropertySeq *property_seq, + const char *name ) +{ + + DDS_Security_Property_t *result = NULL; + unsigned i, len; + + assert(property_seq); + assert(name); + + len = (unsigned)strlen(name); + for (i = 0; !result && (i < property_seq->_length); i++) { + if (property_seq->_buffer[i].name && + (strncmp(name, property_seq->_buffer[i].name, len+ 1) == 0)) { + result = &property_seq->_buffer[i]; + } + } + + return result; +} + +DDS_Security_DataHolder * +DDS_Security_DataHolder_alloc(void) +{ + DDS_Security_DataHolder *holder; + holder = ddsrt_malloc(sizeof(*holder)); + memset(holder, 0, sizeof(*holder)); + return holder; +} + +void +DDS_Security_DataHolder_free( + DDS_Security_DataHolder *holder) +{ + if (!holder) { + return; + } + DDS_Security_DataHolder_deinit(holder); + ddsrt_free(holder); +} + +void +DDS_Security_DataHolder_deinit( + DDS_Security_DataHolder *holder) +{ + uint32_t i; + + if (!holder) { + return; + } + + ddsrt_free(holder->class_id); + + for (i = 0; i < holder->properties._length; i++) { + DDS_Security_Property_deinit(&holder->properties._buffer[i]); + } + ddsrt_free(holder->properties._buffer); + + for (i = 0; i < holder->binary_properties._length; i++) { + DDS_Security_BinaryProperty_deinit(&holder->binary_properties._buffer[i]); + } + ddsrt_free(holder->binary_properties._buffer); + + memset(holder, 0, sizeof(*holder)); +} + +void +DDS_Security_DataHolder_copy( + DDS_Security_DataHolder *dst, + const DDS_Security_DataHolder *src) +{ + uint32_t i; + + assert(dst); + assert(src); + + if (src->class_id) { + dst->class_id = ddsrt_strdup(src->class_id); + } else { + dst->class_id = NULL; + } + + dst->properties = src->properties; + if 
(src->properties._buffer) { + dst->properties._buffer = DDS_Security_PropertySeq_allocbuf(src->properties._length); + for (i = 0; i < src->properties._length; i++) { + DDS_Security_Property_copy(&dst->properties._buffer[i], &src->properties._buffer[i]); + } + } + + dst->binary_properties = src->binary_properties; + if (src->binary_properties._buffer) { + dst->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(src->binary_properties._length); + for (i = 0; i < src->binary_properties._length; i++) { + DDS_Security_BinaryProperty_copy(&dst->binary_properties._buffer[i], &src->binary_properties._buffer[i]); + } + } +} + +bool +DDS_Security_DataHolder_equal( + const DDS_Security_DataHolder *psa, + const DDS_Security_DataHolder *psb) +{ + uint32_t i; + + if (psa->class_id && psb->class_id) { + if (strcmp(psa->class_id, psb->class_id) != 0) { + return false; + } + } else if (psa->class_id || psb->class_id) { + return false; + } + + for (i = 0; i < psa->properties._length; i++) { + if (!DDS_Security_Property_equal(&psa->properties._buffer[i], &psb->properties._buffer[i])) { + return false; + } + } + + for (i = 0; i < psa->binary_properties._length; i++) { + if (!DDS_Security_BinaryProperty_equal(&psa->binary_properties._buffer[i], &psb->binary_properties._buffer[i])) { + return false; + } + } + + return true; +} + + +const DDS_Security_Property_t * +DDS_Security_DataHolder_find_property( + const DDS_Security_DataHolder *holder, + const char *name) +{ + + assert(holder); + assert(name); + + return DDS_Security_PropertySeq_find_property ( &(holder->properties), name ); +} + +const DDS_Security_BinaryProperty_t * +DDS_Security_DataHolder_find_binary_property( + const DDS_Security_DataHolder *holder, + const char *name) +{ + DDS_Security_BinaryProperty_t *result = NULL; + unsigned i, len; + + assert(holder); + assert(name); + + len = (unsigned)strlen(name); + + for (i = 0; !result && (i < holder->binary_properties._length); i++) { + if 
(holder->binary_properties._buffer[i].name && + (strncmp(name, holder->binary_properties._buffer[i].name, len+1) == 0)) { + result = &holder->binary_properties._buffer[i]; + } + } + + return result; +} + +DDS_Security_DataHolderSeq * +DDS_Security_DataHolderSeq_alloc (void) +{ + DDS_Security_DataHolderSeq *holder; + + holder = ddsrt_malloc(sizeof(DDS_Security_DataHolderSeq)); + memset(holder, 0, sizeof(DDS_Security_DataHolderSeq)); + return holder; +} + +DDS_Security_DataHolder * +DDS_Security_DataHolderSeq_allocbuf ( + DDS_Security_unsigned_long len) +{ + DDS_Security_DataHolder *buffer; + + buffer = ddsrt_malloc(len * sizeof(DDS_Security_DataHolder)); + memset(buffer, 0, len * sizeof(DDS_Security_DataHolder)); + return buffer; +} + +void +DDS_Security_DataHolderSeq_freebuf( + DDS_Security_DataHolderSeq *seq) +{ + uint32_t i; + + if (seq) { + for (i = 0; i < seq->_length; i++) { + DDS_Security_DataHolder_deinit(&seq->_buffer[i]); + } + ddsrt_free(seq->_buffer); + seq->_buffer = NULL; + seq->_length = 0; + seq->_maximum = 0; + } +} + +void +DDS_Security_DataHolderSeq_free( + DDS_Security_DataHolderSeq *seq) +{ + if (seq) { + DDS_Security_DataHolderSeq_freebuf(seq); + ddsrt_free(seq); + } +} + +void +DDS_Security_DataHolderSeq_deinit( + DDS_Security_DataHolderSeq *seq) +{ + if (seq) { + DDS_Security_DataHolderSeq_freebuf(seq); + } +} + +void +DDS_Security_DataHolderSeq_copy( + DDS_Security_DataHolderSeq *dst, + const DDS_Security_DataHolderSeq *src) +{ + uint32_t i; + + assert(dst); + assert(src); + + *dst = *src; + + if (src->_length) { + dst->_buffer = DDS_Security_DataHolderSeq_allocbuf(src->_length); + } + + for (i = 0; i < src->_length; i++) { + DDS_Security_DataHolder_copy(&dst->_buffer[i], &src->_buffer[i]); + } +} + +DDS_Security_ParticipantBuiltinTopicData * +DDS_Security_ParticipantBuiltinTopicData_alloc(void) +{ + DDS_Security_ParticipantBuiltinTopicData *result; + + result = ddsrt_malloc(sizeof(*result)); + memset(result, 0, sizeof(*result)); + + return 
result; +} + +void +DDS_Security_ParticipantBuiltinTopicData_free( + DDS_Security_ParticipantBuiltinTopicData *data) +{ + DDS_Security_ParticipantBuiltinTopicData_deinit(data); + ddsrt_free(data); +} + +void +DDS_Security_ParticipantBuiltinTopicData_deinit( + DDS_Security_ParticipantBuiltinTopicData *data) +{ + if (!data) { + return; + } + DDS_Security_DataHolder_deinit(&data->identity_token); + DDS_Security_DataHolder_deinit(&data->permissions_token); + DDS_Security_PropertyQosPolicy_deinit(&data->property); + DDS_Security_OctetSeq_deinit(&data->user_data.value); +} + +DDS_Security_OctetSeq * +DDS_Security_OctetSeq_alloc (void) +{ + return (DDS_Security_OctetSeq *)ddsrt_malloc(sizeof(DDS_Security_OctetSeq )); +} + +DDS_Security_octet * +DDS_Security_OctetSeq_allocbuf ( + DDS_Security_unsigned_long len) +{ + return (DDS_Security_octet*)ddsrt_malloc(sizeof(DDS_Security_octet)*len); +} + +void +DDS_Security_OctetSeq_freebuf( + DDS_Security_OctetSeq *seq) +{ + if (!seq) { + return; + } + ddsrt_free(seq->_buffer); + seq->_buffer = NULL; + seq->_length = 0; + seq->_maximum = 0; +} + +void +DDS_Security_OctetSeq_free( + DDS_Security_OctetSeq *seq) +{ + DDS_Security_OctetSeq_deinit(seq); + ddsrt_free(seq); +} + +void +DDS_Security_OctetSeq_deinit( + DDS_Security_OctetSeq *seq) +{ + DDS_Security_OctetSeq_freebuf(seq); +} + + +void +DDS_Security_OctetSeq_copy( + DDS_Security_OctetSeq *dst, + const DDS_Security_OctetSeq *src) +{ + if (dst->_length > 0) { + DDS_Security_OctetSeq_deinit(dst); + } + dst->_length = src->_length; + dst->_maximum = src->_maximum; + + if (src->_length) { + dst->_buffer = ddsrt_malloc(src->_length); + memcpy(dst->_buffer, src->_buffer, src->_length); + } else { + dst->_buffer = NULL; + } +} + +DDS_Security_HandleSeq * +DDS_Security_HandleSeq_alloc(void) +{ + DDS_Security_HandleSeq *seq; + + seq = ddsrt_malloc(sizeof(*seq)); + seq->_buffer = NULL; + seq->_length = 0; + seq->_maximum = 0; + + return seq; +} + +DDS_Security_long_long * 
+DDS_Security_HandleSeq_allocbuf( + DDS_Security_unsigned_long length) +{ + DDS_Security_long_long *buffer; + buffer = ddsrt_malloc(length * sizeof(DDS_Security_long_long)); + memset(buffer, 0, length * sizeof(DDS_Security_long_long)); + return buffer; +} + +void +DDS_Security_HandleSeq_freebuf( + DDS_Security_HandleSeq *seq) +{ + if (!seq) { + return; + } + ddsrt_free(seq->_buffer); + seq->_maximum = 0; + seq->_length = 0; +} + +void +DDS_Security_HandleSeq_free( + DDS_Security_HandleSeq *seq) +{ + if (!seq) { + return; + } + DDS_Security_HandleSeq_freebuf(seq); + ddsrt_free(seq); +} + +void +DDS_Security_HandleSeq_deinit( + DDS_Security_HandleSeq *seq) +{ + if (!seq) { + return; + } + DDS_Security_HandleSeq_freebuf(seq); +} + + + + +void +DDS_Security_Exception_set( + DDS_Security_SecurityException *ex, + const char *context, + int code, + int minor_code, + const char *fmt, + ...) +{ + int32_t ret; + size_t len; + char buf[1] = { '\0' }; + char *str = NULL; + va_list args1, args2; + + assert(context); + assert(fmt); + assert(ex); + DDSRT_UNUSED_ARG( context ); + + va_start(args1, fmt); + va_copy(args2, args1); + + if ((ret = vsnprintf(buf, sizeof(buf), fmt, args1)) >= 0) { + len = (size_t)ret; /* +1 for null byte */ + if ((str = ddsrt_malloc(len + 1)) == NULL) { + assert(false); + } else if ((ret = vsnprintf(str, len + 1, fmt, args2)) >= 0) { + assert((size_t) ret == len); + } else { + ddsrt_free(str); + str = NULL; + } + } + + va_end(args1); + va_end(args2); + + ex->message = str; + ex->code = code; + ex->minor_code = minor_code; +} + +#if DDSI_INCLUDE_SSL +DDS_EXPORT void +DDS_Security_Exception_set_with_openssl_error( + DDS_Security_SecurityException *ex, + const char *context, + int code, + int minor_code, + const char *error_area + ) +{ + + BIO *bio; + char *buf = NULL; + char *str; + size_t len; /*BIO_get_mem_data requires long int */ + assert(context); + assert(error_area); + assert(ex); + DDSRT_UNUSED_ARG( context ); + + bio = BIO_new(BIO_s_mem()); + + if 
(bio) { + size_t exception_msg_len; + ERR_print_errors(bio); + len = (size_t)BIO_get_mem_data (bio, &buf); + exception_msg_len = len + strlen(error_area) + 1; + str = ddsrt_malloc( exception_msg_len ); + + ddsrt_strlcpy(str, error_area, exception_msg_len); + memcpy(str + strlen(error_area), buf, len ); + str [ exception_msg_len -1 ] = '\0'; + //snprintf( str, exception_msg_len, "%s%s", error_area, buf ); + + ex->message = str; + ex->code = code; + ex->minor_code = minor_code; + + BIO_free(bio); + + } else { + DDS_Security_Exception_set(ex, context, code, minor_code, "BIO_new failed"); + } + +} +#endif + +void +DDS_Security_Exception_reset( + DDS_Security_SecurityException *ex) +{ + if (ex) { + if (ex->message) { + ddsrt_free(ex->message); + } + DDS_Security_Exception_clean(ex); + } +} + +void +DDS_Security_Exception_clean( + DDS_Security_SecurityException *ex) +{ + if (ex) { + memset(ex, 0, sizeof(DDS_Security_SecurityException)); + } +} + +void +DDS_Security_PropertyQosPolicy_deinit( + DDS_Security_PropertyQosPolicy *policy) +{ + if (!policy) { + return; + } + DDS_Security_PropertySeq_deinit(&policy->value); + DDS_Security_BinaryPropertySeq_deinit(&policy->binary_value); +} + +void +DDS_Security_PropertyQosPolicy_free( + DDS_Security_PropertyQosPolicy *policy) +{ + DDS_Security_PropertyQosPolicy_deinit(policy); + ddsrt_free(policy); +} + + +void +DDS_Security_set_token_nil( + DDS_Security_DataHolder *token) +{ + DDS_Security_DataHolder_deinit(token); + memset(token, 0, sizeof(*token)); + token->class_id = ddsrt_strdup(""); +} + +void +DDS_Security_KeyMaterial_AES_GCM_GMAC_deinit( + DDS_Security_KeyMaterial_AES_GCM_GMAC *key_material) +{ + if (key_material) { + if (key_material->master_receiver_specific_key._buffer != NULL) { + ddsrt_free(key_material->master_receiver_specific_key._buffer); + } + if( key_material->master_salt._buffer != NULL){ + ddsrt_free(key_material->master_salt._buffer); + } + if( key_material->master_sender_key._buffer != NULL){ + 
ddsrt_free(key_material->master_sender_key._buffer); + } + } +} + + +DDS_Security_CryptoTransformKind_Enum +DDS_Security_basicprotectionkind2transformationkind( + const DDS_Security_PropertySeq *properties, + DDS_Security_BasicProtectionKind protection) +{ + int keysize=256; + const DDS_Security_Property_t *key_size_property = NULL; + if( properties != NULL ){ + key_size_property = DDS_Security_PropertySeq_find_property( + properties, "dds.sec.crypto.keysize"); + + if (key_size_property != NULL) { + if (strcmp(key_size_property->value, "128") == 0) { + keysize = 128; + } + } + } + + switch (protection) { + case DDS_SECURITY_BASICPROTECTION_KIND_NONE: + return CRYPTO_TRANSFORMATION_KIND_NONE; + case DDS_SECURITY_BASICPROTECTION_KIND_SIGN: + if( keysize == 128 ){ + return CRYPTO_TRANSFORMATION_KIND_AES128_GMAC; + } else{ + return CRYPTO_TRANSFORMATION_KIND_AES256_GMAC; + } + case DDS_SECURITY_BASICPROTECTION_KIND_ENCRYPT: + if( keysize == 128 ){ + return CRYPTO_TRANSFORMATION_KIND_AES128_GCM; + } else{ + return CRYPTO_TRANSFORMATION_KIND_AES256_GCM; + } + default: + return CRYPTO_TRANSFORMATION_KIND_INVALID; + } +} + +DDS_Security_CryptoTransformKind_Enum +DDS_Security_protectionkind2transformationkind( + const DDS_Security_PropertySeq *properties, + DDS_Security_ProtectionKind protection) +{ + int keysize=256; + const DDS_Security_Property_t *key_size_property = NULL; + if( properties != NULL ){ + key_size_property = DDS_Security_PropertySeq_find_property( + properties, "dds.sec.crypto.keysize"); + if (key_size_property != NULL) { + if (strcmp(key_size_property->value, "128") == 0) { + keysize = 128; + } + } + } + + switch (protection) { + case DDS_SECURITY_PROTECTION_KIND_NONE: + return CRYPTO_TRANSFORMATION_KIND_NONE; + case DDS_SECURITY_PROTECTION_KIND_SIGN_WITH_ORIGIN_AUTHENTICATION: + case DDS_SECURITY_PROTECTION_KIND_SIGN: + if( keysize == 128 ){ + return CRYPTO_TRANSFORMATION_KIND_AES128_GMAC; + } else{ + return CRYPTO_TRANSFORMATION_KIND_AES256_GMAC; + } + 
case DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION: + case DDS_SECURITY_PROTECTION_KIND_ENCRYPT: + if( keysize == 128 ){ + return CRYPTO_TRANSFORMATION_KIND_AES128_GCM; + } else { + return CRYPTO_TRANSFORMATION_KIND_AES256_GCM; + } + default: + return CRYPTO_TRANSFORMATION_KIND_INVALID; + } +} + +/* for DEBUG purposes */ +void +print_binary_debug( + char* name, + unsigned char *value, + uint32_t size) +{ + uint32_t i; + printf("%s: ",name ); + for( i=0; i< size; i++) + { + printf("%x",value[i]); + } + printf("\n"); +} + +void +print_binary_properties_debug( + const DDS_Security_DataHolder *token) +{ + uint32_t i; + for (i = 0; i < token->binary_properties._length ; i++) { + print_binary_debug( token->binary_properties._buffer[i].name, token->binary_properties._buffer[i].value._buffer, token->binary_properties._buffer[i].value._length); + } + +} + + + + +DDS_Security_config_item_prefix_t +DDS_Security_get_conf_item_type( + const char *str, + char **data) +{ + DDS_Security_config_item_prefix_t kind = DDS_SECURITY_CONFIG_ITEM_PREFIX_UNKNOWN; + const char *CONFIG_FILE_PREFIX = "file:"; + const char *CONFIG_DATA_PREFIX = "data:,"; + const char *CONFIG_PKCS11_PREFIX = "pkcs11:"; + size_t CONFIG_FILE_PREFIX_LEN = strlen(CONFIG_FILE_PREFIX); + size_t CONFIG_DATA_PREFIX_LEN = strlen(CONFIG_DATA_PREFIX); + size_t CONFIG_PKCS11_PREFIX_LEN = strlen(CONFIG_PKCS11_PREFIX); + char *ptr; + + assert(str); + assert(data); + DDSRT_UNUSED_ARG(str); + + ptr = ddssec_strchrs(str, " \t", false); + + if (strncmp(ptr, CONFIG_FILE_PREFIX, CONFIG_FILE_PREFIX_LEN) == 0) { + const char *DOUBLE_SLASH = "//"; + size_t DOUBLE_SLASH_LEN = 2; + if (strncmp(&(ptr[CONFIG_FILE_PREFIX_LEN]), DOUBLE_SLASH, DOUBLE_SLASH_LEN) == 0) { + *data = ddsrt_strdup(&(ptr[CONFIG_FILE_PREFIX_LEN + DOUBLE_SLASH_LEN])); + } else { + *data = ddsrt_strdup(&(ptr[CONFIG_FILE_PREFIX_LEN])); + } + kind = DDS_SECURITY_CONFIG_ITEM_PREFIX_FILE; + } else if (strncmp(ptr, CONFIG_DATA_PREFIX, 
CONFIG_DATA_PREFIX_LEN) == 0) { + kind = DDS_SECURITY_CONFIG_ITEM_PREFIX_DATA; + *data = ddsrt_strdup(&(ptr[CONFIG_DATA_PREFIX_LEN])); + } else if (strncmp(ptr, CONFIG_PKCS11_PREFIX, CONFIG_PKCS11_PREFIX_LEN) == 0) { + kind = DDS_SECURITY_CONFIG_ITEM_PREFIX_PKCS11; + *data = ddsrt_strdup(&(ptr[CONFIG_PKCS11_PREFIX_LEN])); + } + + return kind; +} + + +char * +ddssec_strchrs ( + const char *str, + const char *chrs, + bool inc) +{ + bool eq; + char *ptr = NULL; + size_t i, j; + + assert (str != NULL); + assert (chrs != NULL); + + for (i = 0; str[i] != '\0' && ptr == NULL; i++) { + for (j = 0, eq = false; chrs[j] != '\0' && eq == false; j++) { + if (str[i] == chrs[j]) { + eq = true; + } + } + if (eq == inc) { + ptr = (char *)str + i; + } + } + + return ptr; +} + + +/* The result of os_fileNormalize should be freed with os_free */ +char * +DDS_Security_normalize_file( + const char *filepath) +{ + char *norm; + const char *fpPtr; + char *normPtr; +#if _WIN32 + #define __FILESEPCHAR '\\' +#else + #define __FILESEPCHAR '/' +#endif + norm = NULL; + if ((filepath != NULL) && (*filepath != '\0')) { + norm = ddsrt_malloc(strlen(filepath) + 1); + /* replace any / or \ by OS_FILESEPCHAR */ + fpPtr = (char *) filepath; + normPtr = norm; + while (*fpPtr != '\0') { + *normPtr = *fpPtr; + if ((*fpPtr == '/') || (*fpPtr == '\\')) { + *normPtr = __FILESEPCHAR; + normPtr++; + } else { + if (*fpPtr != '\"') { + normPtr++; + } + } + fpPtr++; + } + *normPtr = '\0'; + } +#undef __FILESEPCHAR + return norm; + +} + diff --git a/src/security/core/src/shared_secret.c b/src/security/core/src/shared_secret.c new file mode 100644 index 0000000..7b1de75 --- /dev/null +++ b/src/security/core/src/shared_secret.c 
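Review bot: `DDS_Security_DataHolder_equal` in dds_security_utils.c walks both property arrays using only `psa`'s lengths, so a `psb` with fewer entries is read past the end of its buffer and a `psb` with extra entries still compares equal. If this is used to compare tokens, as the name suggests, it should begin with `if (psa->properties._length != psb->properties._length || psa->binary_properties._length != psb->binary_properties._length) return false;`. In the same hunk, `DDS_Security_get_conf_item_type` passes the result of `ddssec_strchrs(str, " \t", false)` straight to `strncmp`, but that helper returns NULL for an empty or all-blank string; add `if (ptr == NULL) return kind;` before the prefix checks. `DDS_Security_KeyMaterial_AES_GCM_GMAC_deinit` frees the master key and salt buffers without overwriting them first, which leaves key bytes in freed heap memory; clearing `_length` bytes of each buffer before `ddsrt_free` would avoid that.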
@@ -0,0 +1,43 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#include "dds/security/core/shared_secret.h"
+
+const DDS_Security_octet*
+get_challenge1_from_secret_handle(DDS_Security_SharedSecretHandle handle)
+{
+
+ DDS_Security_SharedSecretHandleImpl *secret = (DDS_Security_SharedSecretHandleImpl *)(uintptr_t)handle;
+ return secret->challenge1;
+}
+
+const DDS_Security_octet*
+get_challenge2_from_secret_handle(DDS_Security_SharedSecretHandle handle)
+{
+ DDS_Security_SharedSecretHandleImpl *secret = (DDS_Security_SharedSecretHandleImpl *)(uintptr_t)handle;
+ return secret->challenge2;
+}
+
+const DDS_Security_octet*
+get_secret_from_secret_handle(DDS_Security_SharedSecretHandle handle)
+{
+ DDS_Security_SharedSecretHandleImpl *secret = (DDS_Security_SharedSecretHandleImpl *)(uintptr_t)handle;
+ return secret->shared_secret;
+}
+
+
+int32_t
+get_secret_size_from_secret_handle( DDS_Security_SharedSecretHandle handle ){
+ DDS_Security_SharedSecretHandleImpl *secret = (DDS_Security_SharedSecretHandleImpl *)(uintptr_t)handle;
+ return secret->shared_secret_size;
+
+}
diff --git a/src/tools/CMakeLists.txt b/src/tools/CMakeLists.txt
index 3ba29bf..fe1e2a7 100644
--- a/src/tools/CMakeLists.txt
+++ b/src/tools/CMakeLists.txt
@@ -9,7 +9,7 @@
 #
 # SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
 #
-set(CMAKE_INSTALL_TOOLSDIR "${CMAKE_INSTALL_DATADIR}/${CMAKE_PROJECT_NAME}/tools")
+set(CMAKE_INSTALL_TOOLSDIR "${CMAKE_INSTALL_DATADIR}/${PROJECT_NAME}/tools")
 add_subdirectory(pubsub)
 add_subdirectory(ddsls)
 if(BUILD_IDLC)
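Review bot: In shared_secret.c each of the four accessors casts `handle` to `DDS_Security_SharedSecretHandleImpl *` and dereferences it unchecked, so a zero handle is a NULL pointer read in the code that hands out the shared secret and challenges. A guard such as `if (secret == NULL) return NULL;` (and `return 0;` in `get_secret_size_from_secret_handle`) would make the nil case fail cleanly, with callers checking the result. The accessors also have no doc comments; a line stating that the returned pointers alias the handle's own storage and must not outlive it would help, assuming that is the intended lifetime. The file uses `uintptr_t` and `int32_t` but includes only `shared_secret.h`, so it depends on that header bringing in `<stdint.h>`.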