From 960d4f73580348f73efa86fcf62f4cfa1e57b585 Mon Sep 17 00:00:00 2001 From: Dan Rose Date: Fri, 18 Oct 2019 20:04:24 -0500 Subject: [PATCH 01/13] Use PROJECT_NAME instead of CMAKE_PROJECT_NAME CMAKE_PROJECT_NAME refers to the top-level project name, not the most recent project. So any CMake project that pulls this in as a dependency was in for a nasty surprise. https://cmake.org/cmake/help/latest/variable/CMAKE_PROJECT_NAME.html Signed-off-by: Dan Rose --- CMakeLists.txt | 10 +++--- cmake/Modules/Packaging.cmake | 36 +++++++++---------- .../Modules/Packaging/PackageConfig.cmake.in | 2 +- .../Packaging/PackageConfigNoIdlc.cmake.in | 2 +- examples/CMakeLists.txt | 2 +- ports/freertos-posix/CMakeLists.txt | 4 +-- ports/freertos-posix/freertos-sim.cmake.in | 2 +- src/core/CMakeLists.txt | 4 +-- src/core/ddsc/cmake/ddsc_project.h.in | 8 ++--- src/core/ddsc/tests/CMakeLists.txt | 2 +- src/ddsrt/include/dds/version.h.in | 8 ++--- src/idlc/CMakeLists.txt | 6 ++-- .../org/eclipse/cyclonedds/Project.java.in | 4 +-- src/tools/CMakeLists.txt | 2 +- 14 files changed, 46 insertions(+), 46 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 2ca2613..7b20cc9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -10,6 +10,7 @@ # SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause # cmake_minimum_required(VERSION 3.7) +project(CycloneDDS VERSION 0.1.0) # Set a default build type if none was specified set(default_build_type "RelWithDebInfo") 
@@ -42,13 +43,12 @@ ENDFUNCTION(PREPEND) # Set module path before defining project so platform files will work. set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/cmake/Modules") -set(CMAKE_PROJECT_NAME_FULL "Eclipse Cyclone DDS") -project(CycloneDDS VERSION 0.1.0) +set(PROJECT_NAME_FULL "Eclipse Cyclone DDS") # Set some convenience variants of the project-name -string(REPLACE " " "-" CMAKE_PROJECT_NAME_DASHED "${CMAKE_PROJECT_NAME_FULL}") -string(TOUPPER ${CMAKE_PROJECT_NAME} CMAKE_PROJECT_NAME_CAPS) -string(TOLOWER ${CMAKE_PROJECT_NAME} CMAKE_PROJECT_NAME_SMALL) +string(REPLACE " " "-" PROJECT_NAME_DASHED "${PROJECT_NAME_FULL}") +string(TOUPPER ${PROJECT_NAME} PROJECT_NAME_CAPS) +string(TOLOWER ${PROJECT_NAME} PROJECT_NAME_SMALL) set(CMAKE_C_STANDARD 99) if(CMAKE_SYSTEM_NAME STREQUAL "VxWorks") diff --git a/cmake/Modules/Packaging.cmake b/cmake/Modules/Packaging.cmake index da2d7d6..b2d647c 100644 --- a/cmake/Modules/Packaging.cmake +++ b/cmake/Modules/Packaging.cmake 
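Review bot: With `project(CycloneDDS VERSION 0.1.0)` moved up in the first CMakeLists.txt hunk, it now runs before `set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/cmake/Modules")`, yet this hunk keeps the comment `# Set module path before defining project so platform files will work.` If the platform files under cmake/Modules are still needed while `project()` enables languages (the VxWorks check just below suggests they may be), they will no longer be found. Either move the `CMAKE_MODULE_PATH` line above `project()` or delete the stale comment. Separately, `string(TOUPPER ${PROJECT_NAME} PROJECT_NAME_CAPS)` and the `TOLOWER` line would be safer with the argument quoted as `"${PROJECT_NAME}"`.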
@@ -18,39 +18,39 @@ include(CMakePackageConfigHelpers) include(GNUInstallDirs) set(PACKAGING_MODULE_DIR "${PROJECT_SOURCE_DIR}/cmake/Modules/Packaging") -set(CMAKE_INSTALL_CMAKEDIR "${CMAKE_INSTALL_DATADIR}/${CMAKE_PROJECT_NAME}") +set(CMAKE_INSTALL_CMAKEDIR "${CMAKE_INSTALL_DATADIR}/${PROJECT_NAME}") # Generates Config.cmake. if(BUILD_IDLC) configure_package_config_file( "${PACKAGING_MODULE_DIR}/PackageConfig.cmake.in" - "${CMAKE_PROJECT_NAME}Config.cmake" + "${PROJECT_NAME}Config.cmake" INSTALL_DESTINATION "${CMAKE_INSTALL_CMAKEDIR}") else() configure_package_config_file( "${PACKAGING_MODULE_DIR}/PackageConfigNoIdlc.cmake.in" - "${CMAKE_PROJECT_NAME}Config.cmake" + "${PROJECT_NAME}Config.cmake" INSTALL_DESTINATION "${CMAKE_INSTALL_CMAKEDIR}") endif() # Generates Version.cmake. write_basic_package_version_file( - "${CMAKE_PROJECT_NAME}Version.cmake" + "${PROJECT_NAME}Version.cmake" VERSION ${PROJECT_VERSION} COMPATIBILITY SameMajorVersion) install( - FILES "${CMAKE_CURRENT_BINARY_DIR}/${CMAKE_PROJECT_NAME}Config.cmake" - "${CMAKE_CURRENT_BINARY_DIR}/${CMAKE_PROJECT_NAME}Version.cmake" + FILES "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}Config.cmake" + "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}Version.cmake" DESTINATION "${CMAKE_INSTALL_CMAKEDIR}" COMPONENT dev) if((NOT DEFINED BUILD_SHARED_LIBS) OR BUILD_SHARED_LIBS) # Generates Targets.cmake file included by Config.cmake. # The files are placed in CMakeFiles/Export in the build tree. install( - EXPORT "${CMAKE_PROJECT_NAME}" - FILE "${CMAKE_PROJECT_NAME}Targets.cmake" - NAMESPACE "${CMAKE_PROJECT_NAME}::" + EXPORT "${PROJECT_NAME}" + FILE "${PROJECT_NAME}Targets.cmake" + NAMESPACE "${PROJECT_NAME}::" DESTINATION "${CMAKE_INSTALL_CMAKEDIR}" COMPONENT dev) endif() 
@@ -61,7 +61,7 @@ set(CPACK_PACKAGE_VERSION_PATCH ${PROJECT_VERSION_PATCH}) set(CPACK_PACKAGE_VERSION_TWEAK ${PROJECT_VERSION_TWEAK}) set(CPACK_PACKAGE_VERSION ${PROJECT_VERSION}) -set(CPACK_PACKAGE_NAME ${CMAKE_PROJECT_NAME}) +set(CPACK_PACKAGE_NAME ${PROJECT_NAME}) set(CPACK_PACKAGE_VENDOR "Eclipse Cyclone DDS project") set(CPACK_PACKAGE_CONTACT "https://github.com/eclipse-cyclonedds/cyclonedds") set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Implementation of the OMG DDS standard") @@ -84,10 +84,10 @@ set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_BINARY_DIR}/license.txt") # does help to clearify which settings are required for a platform. set(CPACK_COMPONENTS_ALL dev lib) -set(CPACK_COMPONENT_LIB_DISPLAY_NAME "${CMAKE_PROJECT_NAME_FULL} library") -set(CPACK_COMPONENT_LIB_DESCRIPTION "Library used to run programs with ${CMAKE_PROJECT_NAME_FULL}") -set(CPACK_COMPONENT_DEV_DISPLAY_NAME "${CMAKE_PROJECT_NAME_FULL} development") -set(CPACK_COMPONENT_DEV_DESCRIPTION "Development files for use with ${CMAKE_PROJECT_NAME_FULL}") +set(CPACK_COMPONENT_LIB_DISPLAY_NAME "${PROJECT_NAME_FULL} library") +set(CPACK_COMPONENT_LIB_DESCRIPTION "Library used to run programs with ${PROJECT_NAME_FULL}") +set(CPACK_COMPONENT_DEV_DISPLAY_NAME "${PROJECT_NAME_FULL} development") +set(CPACK_COMPONENT_DEV_DESCRIPTION "Development files for use with ${PROJECT_NAME_FULL}") if(WIN32 AND NOT UNIX) if(CMAKE_SIZEOF_VOID_P EQUAL 8) @@ -99,8 +99,8 @@ if(WIN32 AND NOT UNIX) set(CPACK_GENERATOR "WIX;ZIP;${CPACK_GENERATOR}" CACHE STRING "List of package generators") - set(CPACK_PACKAGE_FILE_NAME "${CMAKE_PROJECT_NAME}-${CPACK_PACKAGE_VERSION}-${__arch}") - set(CPACK_PACKAGE_INSTALL_DIRECTORY "${CMAKE_PROJECT_NAME_FULL}") + set(CPACK_PACKAGE_FILE_NAME "${PROJECT_NAME}-${CPACK_PACKAGE_VERSION}-${__arch}") + set(CPACK_PACKAGE_INSTALL_DIRECTORY "${PROJECT_NAME_FULL}") include(InstallRequiredSystemLibraries) elseif(CMAKE_SYSTEM_NAME MATCHES "Linux") 
@@ -123,7 +123,7 @@ elseif(CMAKE_SYSTEM_NAME MATCHES "Linux") set(CPACK_RPM_COMPONENT_INSTALL ON) # FIXME: The package file name must be updated to include the distribution. # See Fedora and Red Hat packaging guidelines for details. - set(CPACK_RPM_LIB_PACKAGE_NAME "${CMAKE_PROJECT_NAME_DASHED}") + set(CPACK_RPM_LIB_PACKAGE_NAME "${PROJECT_NAME_DASHED}") set(CPACK_RPM_LIB_FILE_NAME "${CPACK_RPM_LIB_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${__arch}.rpm") set(CPACK_RPM_DEV_PACKAGE_NAME "${CPACK_RPM_LIB_PACKAGE_NAME}-devel") set(CPACK_RPM_DEV_FILE_NAME "${CPACK_RPM_DEV_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${__arch}.rpm") @@ -138,7 +138,7 @@ elseif(CMAKE_SYSTEM_NAME MATCHES "Linux") set(CPACK_GENERATOR "DEB;TGZ;${CPACK_GENERATOR}" CACHE STRING "List of package generators") - string(TOLOWER "${CMAKE_PROJECT_NAME_DASHED}" CPACK_DEBIAN_LIB_PACKAGE_NAME) + string(TOLOWER "${PROJECT_NAME_DASHED}" CPACK_DEBIAN_LIB_PACKAGE_NAME) set(CPACK_DEBIAN_LIB_FILE_NAME "${CPACK_DEBIAN_LIB_PACKAGE_NAME}_${CPACK_PACKAGE_VERSION}_${__arch}.deb") set(CPACK_DEBIAN_DEV_PACKAGE_DEPENDS "${CPACK_DEBIAN_LIB_PACKAGE_NAME} (= ${CPACK_PACKAGE_VERSION}), libc6 (>= 2.23)") set(CPACK_DEBIAN_DEV_PACKAGE_NAME "${CPACK_DEBIAN_LIB_PACKAGE_NAME}-dev") diff --git a/cmake/Modules/Packaging/PackageConfig.cmake.in b/cmake/Modules/Packaging/PackageConfig.cmake.in index a1b8344..c8d6d78 100644 --- a/cmake/Modules/Packaging/PackageConfig.cmake.in +++ b/cmake/Modules/Packaging/PackageConfig.cmake.in @@ -11,5 +11,5 @@ # @PACKAGE_INIT@ -include("${CMAKE_CURRENT_LIST_DIR}/@CMAKE_PROJECT_NAME@Targets.cmake") +include("${CMAKE_CURRENT_LIST_DIR}/@PROJECT_NAME@Targets.cmake") include("${CMAKE_CURRENT_LIST_DIR}/idlc/IdlcGenerate.cmake") diff --git a/cmake/Modules/Packaging/PackageConfigNoIdlc.cmake.in b/cmake/Modules/Packaging/PackageConfigNoIdlc.cmake.in index 415b481..038e6f9 100644 --- a/cmake/Modules/Packaging/PackageConfigNoIdlc.cmake.in +++ b/cmake/Modules/Packaging/PackageConfigNoIdlc.cmake.in 
@@ -11,4 +11,4 @@ # @PACKAGE_INIT@ -include("${CMAKE_CURRENT_LIST_DIR}/@CMAKE_PROJECT_NAME@Targets.cmake") +include("${CMAKE_CURRENT_LIST_DIR}/@PROJECT_NAME@Targets.cmake") diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt index 2129d74..d78ff71 100644 --- a/examples/CMakeLists.txt +++ b/examples/CMakeLists.txt @@ -9,7 +9,7 @@ # # SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause # -set(CMAKE_INSTALL_EXAMPLESDIR "${CMAKE_INSTALL_DATADIR}/${CMAKE_PROJECT_NAME}/examples") +set(CMAKE_INSTALL_EXAMPLESDIR "${CMAKE_INSTALL_DATADIR}/${PROJECT_NAME}/examples") add_subdirectory(helloworld) add_subdirectory(roundtrip) diff --git a/ports/freertos-posix/CMakeLists.txt b/ports/freertos-posix/CMakeLists.txt index 005e13b..0c161ce 100644 --- a/ports/freertos-posix/CMakeLists.txt +++ b/ports/freertos-posix/CMakeLists.txt @@ -24,7 +24,7 @@ endif() # default system locations, i.e. /usr/lib and /usr/include on *NIX platforms. # The install prefix must therefore be postfixed with the project name. if(UNIX) - set(CMAKE_INSTALL_PREFIX "${CMAKE_INSTALL_PREFIX}/${CMAKE_PROJECT_NAME}") + set(CMAKE_INSTALL_PREFIX "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}") endif() set(ENTRYPOINT "real_main" @@ -119,7 +119,7 @@ install( install( TARGETS freertos-sim freertos-sim-loader - EXPORT "${CMAKE_PROJECT_NAME}" + EXPORT "${PROJECT_NAME}" RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}") diff --git a/ports/freertos-posix/freertos-sim.cmake.in b/ports/freertos-posix/freertos-sim.cmake.in index 73b85f2..3ad08f5 100644 --- a/ports/freertos-posix/freertos-sim.cmake.in +++ b/ports/freertos-posix/freertos-sim.cmake.in @@ -11,7 +11,7 @@ # # -# CMake toolchain file generated by @CMAKE_PROJECT_NAME@ +# CMake toolchain file generated by @PROJECT_NAME@ # set(CMAKE_C_COMPILER "@CMAKE_C_COMPILER@") diff --git a/src/core/CMakeLists.txt b/src/core/CMakeLists.txt index b29c53d..46506aa 100644 
--- a/src/core/CMakeLists.txt +++ b/src/core/CMakeLists.txt @@ -70,11 +70,11 @@ set_target_properties(ddsc PROPERTIES VERSION ${PROJECT_VERSION} SOVERSION ${PRO # Create a pseudo-target that other targets (i.e. examples, tests) can depend # on and can also be provided as import-target by a package-file when building # those targets outside the regular Cyclone build-tree (i.e. the installed tree) -add_library(${CMAKE_PROJECT_NAME}::ddsc ALIAS ddsc) +add_library(${PROJECT_NAME}::ddsc ALIAS ddsc) install( TARGETS ddsc - EXPORT "${CMAKE_PROJECT_NAME}" + EXPORT "${PROJECT_NAME}" RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT lib LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib diff --git a/src/core/ddsc/cmake/ddsc_project.h.in b/src/core/ddsc/cmake/ddsc_project.h.in index 6eb3884..3b27447 100644 --- a/src/core/ddsc/cmake/ddsc_project.h.in +++ b/src/core/ddsc/cmake/ddsc_project.h.in @@ -17,9 +17,9 @@ #define DDSC_VERSION_MINOR @CycloneDDS_VERSION_MINOR@ #define DDSC_VERSION_PATCH @CycloneDDS_VERSION_PATCH@ #define DDSC_VERSION_TWEAK @CycloneDDS_VERSION_TWEAK@ -#define DDSC_PROJECT_NAME_NOSPACE_CAPS "@CMAKE_PROJECT_NAME_CAPS@" -#define DDSC_PROJECT_NAME_NOSPACE_SMALL "@CMAKE_PROJECT_NAME_SMALL@" -#define DDSC_PROJECT_NAME_NOSPACE "@CMAKE_PROJECT_NAME@" -#define DDSC_PROJECT_NAME "@CMAKE_PROJECT_NAME@" +#define DDSC_PROJECT_NAME_NOSPACE_CAPS "@PROJECT_NAME_CAPS@" +#define DDSC_PROJECT_NAME_NOSPACE_SMALL "@PROJECT_NAME_SMALL@" +#define DDSC_PROJECT_NAME_NOSPACE "@PROJECT_NAME@" +#define DDSC_PROJECT_NAME "@PROJECT_NAME@" #endif /* DDSC_PROJECT_H */ diff --git a/src/core/ddsc/tests/CMakeLists.txt b/src/core/ddsc/tests/CMakeLists.txt index a15d9b2..6c977a0 100644 --- a/src/core/ddsc/tests/CMakeLists.txt +++ b/src/core/ddsc/tests/CMakeLists.txt 
@@ -62,7 +62,7 @@ get_test_property(CUnit_ddsc_config_simple_udp ENVIRONMENT CUnit_ddsc_config_sim set(CUnit_ddsc_config_simple_udp_file "${CMAKE_CURRENT_LIST_DIR}/config_simple_udp.xml") set(CUnit_ddsc_config_simple_udp_uri "file://${CUnit_ddsc_config_simple_udp_file}") set(CUnit_ddsc_config_simple_udp_max_participants "0") -set(CUnit_ddsc_config_simple_udp_env "${CMAKE_PROJECT_NAME_CAPS}_URI=${CUnit_ddsc_config_simple_udp_uri};MAX_PARTICIPANTS=${CUnit_ddsc_config_simple_udp_max_participants};${CUnit_ddsc_config_simple_udp_env}") +set(CUnit_ddsc_config_simple_udp_env "${PROJECT_NAME_CAPS}_URI=${CUnit_ddsc_config_simple_udp_uri};MAX_PARTICIPANTS=${CUnit_ddsc_config_simple_udp_max_participants};${CUnit_ddsc_config_simple_udp_env}") set_tests_properties( CUnit_ddsc_config_simple_udp diff --git a/src/ddsrt/include/dds/version.h.in b/src/ddsrt/include/dds/version.h.in index 3bab290..6eb821c 100644 --- a/src/ddsrt/include/dds/version.h.in +++ b/src/ddsrt/include/dds/version.h.in @@ -17,10 +17,10 @@ #define DDS_VERSION_MINOR @CycloneDDS_VERSION_MINOR@ #define DDS_VERSION_PATCH @CycloneDDS_VERSION_PATCH@ #define DDS_VERSION_TWEAK @CycloneDDS_VERSION_TWEAK@ -#define DDS_PROJECT_NAME_NOSPACE_CAPS "@CMAKE_PROJECT_NAME_CAPS@" -#define DDS_PROJECT_NAME_NOSPACE_SMALL "@CMAKE_PROJECT_NAME_SMALL@" -#define DDS_PROJECT_NAME_NOSPACE "@CMAKE_PROJECT_NAME@" -#define DDS_PROJECT_NAME "@CMAKE_PROJECT_NAME@" +#define DDS_PROJECT_NAME_NOSPACE_CAPS "@PROJECT_NAME_CAPS@" +#define DDS_PROJECT_NAME_NOSPACE_SMALL "@PROJECT_NAME_SMALL@" +#define DDS_PROJECT_NAME_NOSPACE "@PROJECT_NAME@" +#define DDS_PROJECT_NAME "@PROJECT_NAME@" #define DDS_HOST_NAME "@CMAKE_HOST_SYSTEM_NAME@" #define DDS_TARGET_NAME "@CMAKE_SYSTEM_NAME@" diff --git a/src/idlc/CMakeLists.txt b/src/idlc/CMakeLists.txt index 417aa50..5616658 100644 --- a/src/idlc/CMakeLists.txt +++ b/src/idlc/CMakeLists.txt 
@@ -45,17 +45,17 @@ include(cmake/IdlcGenerate.cmake) install( FILES "cmake/IdlcGenerate.cmake" - DESTINATION "${CMAKE_INSTALL_DATADIR}/${CMAKE_PROJECT_NAME}/idlc" + DESTINATION "${CMAKE_INSTALL_DATADIR}/${PROJECT_NAME}/idlc" COMPONENT dev) install( FILES "${IDLC_SCRIPT_IN}" - DESTINATION "${CMAKE_INSTALL_DATADIR}/${CMAKE_PROJECT_NAME}/idlc" + DESTINATION "${CMAKE_INSTALL_DATADIR}/${PROJECT_NAME}/idlc" COMPONENT dev) install( FILES "${IDLC_JAR}" - DESTINATION "${CMAKE_INSTALL_DATADIR}/${CMAKE_PROJECT_NAME}/idlc" + DESTINATION "${CMAKE_INSTALL_DATADIR}/${PROJECT_NAME}/idlc" PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_WRITE GROUP_EXECUTE WORLD_READ WORLD_EXECUTE COMPONENT dev) diff --git a/src/idlc/src/org/eclipse/cyclonedds/Project.java.in b/src/idlc/src/org/eclipse/cyclonedds/Project.java.in index cce4f8d..bb01a3b 100644 --- a/src/idlc/src/org/eclipse/cyclonedds/Project.java.in +++ b/src/idlc/src/org/eclipse/cyclonedds/Project.java.in @@ -14,6 +14,6 @@ package org.eclipse.cyclonedds; public class Project { public static String version = "@PROJECT_VERSION@"; - public static String name = "@CMAKE_PROJECT_NAME@"; - public static String nameCaps = "@CMAKE_PROJECT_NAME_CAPS@"; + public static String name = "@PROJECT_NAME@"; + public static String nameCaps = "@PROJECT_NAME_CAPS@"; } diff --git a/src/tools/CMakeLists.txt b/src/tools/CMakeLists.txt index 3ba29bf..fe1e2a7 100644 --- a/src/tools/CMakeLists.txt +++ b/src/tools/CMakeLists.txt @@ -9,7 +9,7 @@ # # SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause # -set(CMAKE_INSTALL_TOOLSDIR "${CMAKE_INSTALL_DATADIR}/${CMAKE_PROJECT_NAME}/tools") +set(CMAKE_INSTALL_TOOLSDIR "${CMAKE_INSTALL_DATADIR}/${PROJECT_NAME}/tools") add_subdirectory(pubsub) add_subdirectory(ddsls) if(BUILD_IDLC) From 418a70e7c37ff1710a561c4e46d37c9a0f02d070 Mon Sep 17 00:00:00 2001 From: Dan Rose Date: Fri, 18 Oct 2019 20:50:53 -0500 Subject: [PATCH 02/13] Fix CI not finding pip3 
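Review bot: The `install(FILES "${IDLC_JAR}" ...)` call in the src/idlc/CMakeLists.txt hunk keeps `GROUP_WRITE` next to `GROUP_EXECUTE` and `WORLD_EXECUTE` in its `PERMISSIONS` list, so any member of the owning group can rewrite an installed jar that other users may execute. The line predates this rename, but it sits unchanged on the new side. Dropping `GROUP_WRITE` gives the usual 0755 layout: `PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE`. If group write is needed for a packaging step, a comment saying why would help.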
Signed-off-by: Dan Rose --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 30d38c2..08b30fa 100644 --- a/.travis.yml +++ b/.travis.yml @@ -81,7 +81,7 @@ osx_xcode10_3: &osx_xcode10_3 - eval "export COV_COMPTYPE=clang COV_PLATFORM=macOSX" - eval "export PATH=\"${PATH}:$(python3 -m site --user-base)/bin\"" install: - - pip3 install conan --upgrade --user + - python3 -m pip install conan --upgrade --user osx_xcode9: &osx_xcode9 <<: *osx_xcode10_3 From 98ce7d1971add163875fc08c9504ee2ff11ea7ce Mon Sep 17 00:00:00 2001 From: Dan Rose Date: Mon, 21 Oct 2019 22:35:35 -0500 Subject: [PATCH 03/13] Stylistic CMake changes No functional impact intended Signed-off-by: Dan Rose --- src/core/ddsc/CMakeLists.txt | 27 ++++++++------------------- src/core/ddsi/CMakeLists.txt | 2 +- src/ddsrt/CMakeLists.txt | 17 +++-------------- 3 files changed, 12 insertions(+), 34 deletions(-) diff --git a/src/core/ddsc/CMakeLists.txt b/src/core/ddsc/CMakeLists.txt index e10f21f..b28a481 100644 --- a/src/core/ddsc/CMakeLists.txt +++ b/src/core/ddsc/CMakeLists.txt @@ -87,11 +87,6 @@ generate_export_header( EXPORT_FILE_NAME "${CMAKE_CURRENT_BINARY_DIR}/include/dds/export.h" ) -target_include_directories( - ddsc PUBLIC - "$" - "$") - target_sources(ddsc PRIVATE ${srcs_ddsc} 
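Review bot: `python3 -m pip install conan --upgrade --user` in the `install:` step still pulls whatever conan release is newest at build time, so the CI toolchain is not reproducible and a bad or hijacked upload would be picked up automatically. Consider pinning the version, e.g. `python3 -m pip install --user "conan==<PINNED_VERSION>"` (placeholder value). If the project keeps a requirements file, install from it with `--require-hashes`. The same step is inherited by `osx_xcode9` through `<<: *osx_xcode10_3`.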
@@ -103,27 +98,21 @@ target_sources(ddsc target_include_directories(ddsc PUBLIC + "$" + "$" "$" PRIVATE - "${CMAKE_CURRENT_LIST_DIR}/src") - -target_include_directories(ddsc INTERFACE $) + "${CMAKE_CURRENT_LIST_DIR}/src" + INTERFACE + $) install( - DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/include/dds" + DIRECTORY + "${CMAKE_CURRENT_LIST_DIR}/include/" + "${CMAKE_CURRENT_BINARY_DIR}/include/" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" COMPONENT dev) -install( - DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/include/ddsc" - DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" - COMPONENT dev) - -install( - FILES "${CMAKE_CURRENT_BINARY_DIR}/include/dds/export.h" - DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/dds" - COMPONENT dev) - # TODO: improve test inclusion. if((BUILD_TESTING) AND ((NOT DEFINED MSVC_VERSION) OR (MSVC_VERSION GREATER "1800"))) add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/tests") diff --git a/src/core/ddsi/CMakeLists.txt b/src/core/ddsi/CMakeLists.txt index 8ba1f8f..abde8ad 100644 --- a/src/core/ddsi/CMakeLists.txt +++ b/src/core/ddsi/CMakeLists.txt @@ -125,7 +125,7 @@ target_include_directories(ddsc PRIVATE "${CMAKE_CURRENT_LIST_DIR}/include") install( - DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/include/dds" + DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/include/" DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" COMPONENT dev) diff --git a/src/ddsrt/CMakeLists.txt b/src/ddsrt/CMakeLists.txt index 32ab777..0b241d9 100644 --- a/src/ddsrt/CMakeLists.txt +++ b/src/ddsrt/CMakeLists.txt @@ -260,20 +260,9 @@ if(BUILD_TESTING) endif() install( - DIRECTORY "include/dds" + DIRECTORY + "include/" + ${CMAKE_CURRENT_BINARY_DIR}/include/ DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" COMPONENT dev FILES_MATCHING PATTERN "*.h") - -install( - FILES "${CMAKE_CURRENT_BINARY_DIR}/include/dds/version.h" - DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/dds" - COMPONENT dev) - -if(WIN32) - install( - FILES "${CMAKE_CURRENT_BINARY_DIR}/include/getopt.h" - DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" - COMPONENT dev) -endif() - 
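Review bot: The commit message says no functional impact is intended, but the `install(DIRECTORY ...)` in the second src/core/ddsc/CMakeLists.txt hunk now copies everything under `${CMAKE_CURRENT_LIST_DIR}/include/` and `${CMAKE_CURRENT_BINARY_DIR}/include/`, not just the `dds` and `ddsc` directories plus `export.h`. It has no `FILES_MATCHING PATTERN "*.h"` filter, so any other file that lands in those trees is installed as well. The src/core/ddsi hunk widens its install the same way; the src/ddsrt hunk keeps the filter but passes `${CMAKE_CURRENT_BINARY_DIR}/include/` unquoted and no longer restricts `getopt.h` to `WIN32`. Adding `FILES_MATCHING PATTERN "*.h"` to the ddsc and ddsi calls and quoting the ddsrt path would keep the installed file set predictable.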
From 94e4c0915de68e6d973e909fe5cdbd2ab91cd895 Mon Sep 17 00:00:00 2001 From: Scott K Logan Date: Mon, 21 Oct 2019 17:02:22 -0700 Subject: [PATCH 04/13] Skip some tests when BUILD_IDLC=OFF These tests use `idlc_generate`, which is not available when `BUILD_IDLC` is not `ON`. Signed-off-by: Scott K Logan --- src/core/ddsc/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/ddsc/CMakeLists.txt b/src/core/ddsc/CMakeLists.txt index b28a481..b32a4b5 100644 --- a/src/core/ddsc/CMakeLists.txt +++ b/src/core/ddsc/CMakeLists.txt @@ -114,7 +114,7 @@ install( COMPONENT dev) # TODO: improve test inclusion. -if((BUILD_TESTING) AND ((NOT DEFINED MSVC_VERSION) OR (MSVC_VERSION GREATER "1800"))) +if((BUILD_TESTING) AND (BUILD_IDLC) AND ((NOT DEFINED MSVC_VERSION) OR (MSVC_VERSION GREATER "1800"))) add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/tests") endif() From a3b35a2aa4fca28c75c1acc2c1d09529c1480470 Mon Sep 17 00:00:00 2001 From: Scott K Logan Date: Mon, 21 Oct 2019 17:26:27 -0700 Subject: [PATCH 05/13] Fix some unreliable STREQUAL calls in CMakeLists.txt These conditionals may fail if the variable they're checking isn't defined at all. Adding quotes makes the comparison against an empty string in this case, which avoids the syntax error. Signed-off-by: Scott K Logan --- CMakeLists.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 7b20cc9..f7aaa38 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
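Review bot: Adding `(BUILD_IDLC)` to the condition drops the whole `tests` subdirectory without any message, so a build configured with `BUILD_TESTING` on and `BUILD_IDLC` off reports success while running none of the ddsc tests. A follow-up branch such as `elseif(BUILD_TESTING)` with `message(STATUS "ddsc tests skipped (BUILD_IDLC is OFF or MSVC is too old)")` would make the reduced coverage visible in the configure log. The existing `# TODO: improve test inclusion.` comment could also record that these tests depend on `idlc_generate`.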
@@ -170,17 +170,17 @@ endif() # the address sanitizer for ordinary debug builds; gcc is giving some grief on # Travis, so don't enable it for gcc by default if(NOT USE_SANITIZER) - if(${CMAKE_BUILD_TYPE} STREQUAL "Debug" AND - NOT (${CMAKE_GENERATOR} STREQUAL "Xcode") AND - (${CMAKE_C_COMPILER_ID} STREQUAL "Clang" - OR ${CMAKE_C_COMPILER_ID} STREQUAL "AppleClang")) + if("${CMAKE_BUILD_TYPE}" STREQUAL "Debug" AND + NOT ("${CMAKE_GENERATOR}" STREQUAL "Xcode") AND + ("${CMAKE_C_COMPILER_ID}" STREQUAL "Clang" + OR "${CMAKE_C_COMPILER_ID}" STREQUAL "AppleClang")) message(STATUS "Enabling address sanitizer; set USE_SANITIZER=none to prevent this") set(USE_SANITIZER address) else() set(USE_SANITIZER none) endif() endif() -if(NOT (${USE_SANITIZER} STREQUAL "none")) +if(NOT ("${USE_SANITIZER}" STREQUAL "none")) message(STATUS "Sanitizer set to ${USE_SANITIZER}") add_compile_options(-fno-omit-frame-pointer -fsanitize=${USE_SANITIZER}) link_libraries(-fno-omit-frame-pointer -fsanitize=${USE_SANITIZER}) From 36b1b9da3d8d322cf494a4f6470b8964fdf756e7 Mon Sep 17 00:00:00 2001 From: Thijs Sassen Date: Tue, 22 Oct 2019 14:35:36 +0200 Subject: [PATCH 06/13] Adjusted mpt qos test includes to be in line with other tests Signed-off-by: Thijs Sassen --- src/mpt/tests/qos/CMakeLists.txt | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/mpt/tests/qos/CMakeLists.txt b/src/mpt/tests/qos/CMakeLists.txt index 0632570..d154298 100644 --- a/src/mpt/tests/qos/CMakeLists.txt +++ b/src/mpt/tests/qos/CMakeLists.txt @@ -11,14 +11,17 @@ # include(${MPT_CMAKE}) -add_compile_options("-I${PROJECT_SOURCE_DIR}/src/core/ddsi/include") - idlc_generate(mpt_rwdata_lib "procs/rwdata.idl") set(sources_qosmatch "procs/rw.c" "qosmatch.c") add_mpt_executable(mpt_qosmatch ${sources_qosmatch}) + +target_include_directories( +mpt_qosmatch PRIVATE +"$") + target_link_libraries(mpt_qosmatch PRIVATE mpt_rwdata_lib) set(sources_ppuserdata 
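Review bot: In the src/mpt/tests/qos/CMakeLists.txt hunk, the removed `add_compile_options("-I${PROJECT_SOURCE_DIR}/src/core/ddsi/include")` applied to every target in the directory, while the new `target_include_directories` names only `mpt_qosmatch`. The hunk ends at `set(sources_ppuserdata`, so a second executable appears to follow outside the hunk; if its sources include ddsi headers it needs the same `PRIVATE` include directory. The new call's arguments are also flush left, unlike the rest of the file; a two-space indent would match.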
From 41d36d59b2504794fb0242ffd038183f44d4063c Mon Sep 17 00:00:00 2001 From: Martin Bremmer Date: Mon, 21 Oct 2019 09:48:57 +0200 Subject: [PATCH 07/13] Removed duplicate build from travis Signed-off-by: Martin Bremmer --- .travis.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 08b30fa..e60fe9a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -159,8 +159,6 @@ jobs: env: [ ARCH=x86_64, ASAN=none, BUILD_TYPE=Release, SSL=YES, GENERATOR="Unix Makefiles" ] - <<: *linux_gcc8 env: [ ARCH=x86_64, ASAN=none, BUILD_TYPE=Debug, SSL=NO, GENERATOR="Unix Makefiles" ] - - <<: *linux_gcc8 - env: [ ARCH=x86_64, ASAN=none, BUILD_TYPE=Release, SSL=YES, GENERATOR="Unix Makefiles" ] - <<: *linux_clang env: [ ARCH=x86_64, ASAN=address, BUILD_TYPE=Debug, SSL=YES, GENERATOR="Unix Makefiles" ] - <<: *linux_clang From 1cc6caff14ba79a817a4a266d561da23786e791e Mon Sep 17 00:00:00 2001 From: Scott K Logan Date: Tue, 22 Oct 2019 10:53:18 -0700 Subject: [PATCH 08/13] First check the CMake Package Registry for CUnit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is useful when building CycloneDDS on platforms that provide CMake configuration for CUnit outside of Conan. If no configuration is found in the system CMake registry the module continues as before. Co-authored-by: Steven! Ragnarök Signed-off-by: Scott K Logan --- cmake/Modules/FindCUnit.cmake | 44 ++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 19 deletions(-) diff --git a/cmake/Modules/FindCUnit.cmake b/cmake/Modules/FindCUnit.cmake index 518ed8a..c17b859 100644 --- a/cmake/Modules/FindCUnit.cmake +++ b/cmake/Modules/FindCUnit.cmake 
@@ -9,31 +9,37 @@ # # SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause # -set(CUNIT_HEADER "CUnit/CUnit.h") - -if(CONAN_INCLUDE_DIRS) - find_path(CUNIT_INCLUDE_DIR ${CUNIT_HEADER} HINTS ${CONAN_INCLUDE_DIRS}) +find_package(CUnit CONFIG QUIET) +if(CUnit_FOUND) + message(STATUS "Found CUnit via Config file: ${CUnit_DIR}") + set(CUNIT_FOUND ${CUnit_FOUND}) else() - find_path(CUNIT_INCLUDE_DIR ${CUNIT_HEADER}) -endif() + set(CUNIT_HEADER "CUnit/CUnit.h") -mark_as_advanced(CUNIT_INCLUDE_DIR) + if(CONAN_INCLUDE_DIRS) + find_path(CUNIT_INCLUDE_DIR ${CUNIT_HEADER} HINTS ${CONAN_INCLUDE_DIRS}) + else() + find_path(CUNIT_INCLUDE_DIR ${CUNIT_HEADER}) + endif() -if(CUNIT_INCLUDE_DIR AND EXISTS "${CUNIT_INCLUDE_DIR}/${CUNIT_HEADER}") - set(PATTERN "^#define CU_VERSION \"([0-9]+)\\.([0-9]+)\\-([0-9]+)\"$") - file(STRINGS "${CUNIT_INCLUDE_DIR}/${CUNIT_HEADER}" CUNIT_H REGEX "${PATTERN}") + mark_as_advanced(CUNIT_INCLUDE_DIR) - string(REGEX REPLACE "${PATTERN}" "\\1" CUNIT_VERSION_MAJOR "${CUNIT_H}") - string(REGEX REPLACE "${PATTERN}" "\\2" CUNIT_VERSION_MINOR "${CUNIT_H}") - string(REGEX REPLACE "${PATTERN}" "\\3" CUNIT_VERSION_PATCH "${CUNIT_H}") + if(CUNIT_INCLUDE_DIR AND EXISTS "${CUNIT_INCLUDE_DIR}/${CUNIT_HEADER}") + set(PATTERN "^#define CU_VERSION \"([0-9]+)\\.([0-9]+)\\-([0-9]+)\"$") + file(STRINGS "${CUNIT_INCLUDE_DIR}/${CUNIT_HEADER}" CUNIT_H REGEX "${PATTERN}") - set(CUNIT_VERSION "${CUNIT_VERSION_MAJOR}.${CUNIT_VERSION_MINOR}-${CUNIT_VERSION_PATCH}") -endif() + string(REGEX REPLACE "${PATTERN}" "\\1" CUNIT_VERSION_MAJOR "${CUNIT_H}") + string(REGEX REPLACE "${PATTERN}" "\\2" CUNIT_VERSION_MINOR "${CUNIT_H}") + string(REGEX REPLACE "${PATTERN}" "\\3" CUNIT_VERSION_PATCH "${CUNIT_H}") -if(CONAN_LIB_DIRS) - find_library(CUNIT_LIBRARY cunit HINTS ${CONAN_LIB_DIRS}) -else() - find_library(CUNIT_LIBRARY cunit) + set(CUNIT_VERSION "${CUNIT_VERSION_MAJOR}.${CUNIT_VERSION_MINOR}-${CUNIT_VERSION_PATCH}") + endif() + + if(CONAN_LIB_DIRS) + find_library(CUNIT_LIBRARY cunit HINTS 
${CONAN_LIB_DIRS}) + else() + find_library(CUNIT_LIBRARY cunit) + endif() endif() include(FindPackageHandleStandardArgs) From 860a6aadae5c6e31456454496d5b918892434d18 Mon Sep 17 00:00:00 2001 From: Scott K Logan Date: Tue, 22 Oct 2019 11:49:47 -0700 Subject: [PATCH 09/13] Drop IDLC when building with colcon This will eliminate two large dependencies when building CycloneDDS with colcon for ROS 2, which doesn't appear to need the IDLC. Signed-off-by: Scott K Logan --- colcon.pkg | 3 +++ package.xml | 2 -- 2 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 colcon.pkg diff --git a/colcon.pkg b/colcon.pkg new file mode 100644 index 0000000..2d2a3ae --- /dev/null +++ b/colcon.pkg @@ -0,0 +1,3 @@ +{ + "cmake-args": [ "-DBUILD_IDLC=OFF" ] +} diff --git a/package.xml b/package.xml index 5b4b661..9d0980d 100644 --- a/package.xml +++ b/package.xml @@ -12,8 +12,6 @@ https://github.com/eclipse-cyclonedds/cyclonedds cmake - java - maven openssl libcunit-dev python3-sphinx From 76fa68808682a15dd8aff26da20622ac574fa1a1 Mon Sep 17 00:00:00 2001 From: Dan Rose Date: Tue, 22 Oct 2019 15:55:13 -0500 Subject: [PATCH 10/13] CMAKE_SOURCE_DIR -> CMAKE_CURRENT_SOURCE_DIR Signed-off-by: Dan Rose --- examples/helloworld/CMakeLists.export | 2 +- examples/roundtrip/CMakeLists.export | 2 +- examples/throughput/CMakeLists.export | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/helloworld/CMakeLists.export b/examples/helloworld/CMakeLists.export index 3fcb0af..5712559 100644 --- a/examples/helloworld/CMakeLists.export +++ b/examples/helloworld/CMakeLists.export 
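Review bot: When `find_package(CUnit CONFIG QUIET)` succeeds, the new branch sets only `CUNIT_FOUND`; `CUNIT_INCLUDE_DIR`, `CUNIT_LIBRARY` and `CUNIT_VERSION` are assigned only in the `else()` branch. The code after `include(FindPackageHandleStandardArgs)` is outside the hunk, so it should be checked that it does not require or consume those variables on the config path. Config mode also loads and executes a `CUnitConfig.cmake` from wherever CMake finds one, including the per-user package registry. A comment noting that builds needing a fixed search set can pass `NO_CMAKE_PACKAGE_REGISTRY` or set `CUnit_DIR` explicitly would help.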
@@ -3,7 +3,7 @@ cmake_minimum_required(VERSION 3.5) if (NOT TARGET CycloneDDS::ddsc) # Find the CycloneDDS package. If it is not in a default location, try # finding it relative to the example where it most likely resides. - find_package(CycloneDDS REQUIRED PATHS "${CMAKE_SOURCE_DIR}/../../") + find_package(CycloneDDS REQUIRED PATHS "${CMAKE_CURRENT_SOURCE_DIR}/../../") endif() # This is a convenience function, provided by the CycloneDDS package, diff --git a/examples/roundtrip/CMakeLists.export b/examples/roundtrip/CMakeLists.export index 58a36ac..9554013 100644 --- a/examples/roundtrip/CMakeLists.export +++ b/examples/roundtrip/CMakeLists.export @@ -14,7 +14,7 @@ cmake_minimum_required(VERSION 3.5) if (NOT TARGET CycloneDDS::ddsc) # Find the CycloneDDS package. If it is not in a default location, try # finding it relative to the example where it most likely resides. - find_package(CycloneDDS REQUIRED PATHS "${CMAKE_SOURCE_DIR}/../../") + find_package(CycloneDDS REQUIRED PATHS "${CMAKE_CURRENT_SOURCE_DIR}/../../") endif() # This is a convenience function, provided by the CycloneDDS package, diff --git a/examples/throughput/CMakeLists.export b/examples/throughput/CMakeLists.export index dfce4b4..52415e0 100644 --- a/examples/throughput/CMakeLists.export +++ b/examples/throughput/CMakeLists.export @@ -14,7 +14,7 @@ cmake_minimum_required(VERSION 3.5) if (NOT TARGET CycloneDDS::ddsc) # Find the CycloneDDS package. If it is not in a default location, try # finding it relative to the example where it most likely resides. - find_package(CycloneDDS REQUIRED PATHS "${CMAKE_SOURCE_DIR}/../../") + find_package(CycloneDDS REQUIRED PATHS "${CMAKE_CURRENT_SOURCE_DIR}/../../") endif() # This is a convenience function, provided by the CycloneDDS package, From c8aa6fee5a9bc1057e371e46362289bf78d66014 Mon Sep 17 00:00:00 2001 
From: dennis-adlink <45659984+dennis-adlink@users.noreply.github.com> Date: Mon, 28 Oct 2019 15:03:46 +0100 Subject: [PATCH 11/13] Moved bswap functions to ddsrt (#297) * Moved bswap functions to ddsrt Moved the byte swapping functions from ddsi to ddsrt so that these can be re-used in e.g. the security plugins and tests. Signed-off-by: Dennis Potman * Moved decarations for bswap functions to ddsrt Signed-off-by: Dennis Potman --- src/core/ddsc/src/dds_sertopic_builtintopic.c | 1 - src/core/ddsc/src/dds_stream.c | 40 ++++----- src/core/ddsi/CMakeLists.txt | 1 - src/core/ddsi/include/dds/ddsi/q_bswap.h | 65 +------------- src/core/ddsi/src/ddsi_serdata_default.c | 4 +- src/core/ddsi/src/q_bswap.c | 21 +++-- src/core/ddsi/src/q_init.c | 2 +- src/core/ddsi/src/q_lease.c | 2 +- src/core/ddsi/src/q_pcap.c | 8 +- src/core/ddsi/src/q_plist.c | 22 ++--- src/core/ddsi/src/q_receive.c | 34 ++++---- src/core/ddsi/src/q_xevent.c | 2 +- src/core/ddsi/src/q_xmsg.c | 6 +- src/ddsrt/CMakeLists.txt | 1 + src/ddsrt/include/dds/ddsrt/bswap.h | 87 +++++++++++++++++++ .../q_bswap_inlines.c => ddsrt/src/bswap.c} | 16 ++-- 16 files changed, 170 insertions(+), 142 deletions(-) create mode 100644 src/ddsrt/include/dds/ddsrt/bswap.h rename src/{core/ddsi/src/q_bswap_inlines.c => ddsrt/src/bswap.c} (55%) diff --git a/src/core/ddsc/src/dds_sertopic_builtintopic.c b/src/core/ddsc/src/dds_sertopic_builtintopic.c index 3479fa4..07f730c 100644 --- a/src/core/ddsc/src/dds_sertopic_builtintopic.c +++ b/src/core/ddsc/src/dds_sertopic_builtintopic.c @@ -17,7 +17,6 @@ #include "dds/dds.h" #include "dds/ddsrt/heap.h" #include "dds/ddsrt/md5.h" -#include "dds/ddsi/q_bswap.h" #include "dds/ddsi/q_config.h" #include "dds/ddsi/q_freelist.h" #include "dds/ddsi/ddsi_sertopic.h" diff --git a/src/core/ddsc/src/dds_stream.c b/src/core/ddsc/src/dds_stream.c index 3f12777..9be8810 100644 --- a/src/core/ddsc/src/dds_stream.c +++ b/src/core/ddsc/src/dds_stream.c 
@@ -175,17 +175,17 @@ static void dds_os_put1be (dds_ostreamBE_t * __restrict s, uint8_t v) static void dds_os_put2be (dds_ostreamBE_t * __restrict s, uint16_t v) { - dds_os_put2 (&s->x, toBE2u (v)); + dds_os_put2 (&s->x, ddsrt_toBE2u (v)); } static void dds_os_put4be (dds_ostreamBE_t * __restrict s, uint32_t v) { - dds_os_put4 (&s->x, toBE4u (v)); + dds_os_put4 (&s->x, ddsrt_toBE4u (v)); } static void dds_os_put8be (dds_ostreamBE_t * __restrict s, uint64_t v) { - dds_os_put8 (&s->x, toBE8u (v)); + dds_os_put8 (&s->x, ddsrt_toBE8u (v)); } static void dds_os_put_bytes (dds_ostream_t * __restrict s, const void * __restrict b, uint32_t l) @@ -782,7 +782,7 @@ static bool normalize_uint16 (char * __restrict data, uint32_t * __restrict off, if ((*off = check_align_prim (*off, size, 1)) == UINT32_MAX) return false; if (bswap) - *((uint16_t *) (data + *off)) = bswap2u (*((uint16_t *) (data + *off))); + *((uint16_t *) (data + *off)) = ddsrt_bswap2u (*((uint16_t *) (data + *off))); (*off) += 2; return true; } @@ -792,7 +792,7 @@ static bool normalize_uint32 (char * __restrict data, uint32_t * __restrict off, if ((*off = check_align_prim (*off, size, 2)) == UINT32_MAX) return false; if (bswap) - *((uint32_t *) (data + *off)) = bswap4u (*((uint32_t *) (data + *off))); + *((uint32_t *) (data + *off)) = ddsrt_bswap4u (*((uint32_t *) (data + *off))); (*off) += 4; return true; } @@ -802,7 +802,7 @@ static bool read_and_normalize_uint32 (uint32_t * __restrict val, char * __restr if ((*off = check_align_prim (*off, size, 2)) == UINT32_MAX) return false; if (bswap) - *((uint32_t *) (data + *off)) = bswap4u (*((uint32_t *) (data + *off))); + *((uint32_t *) (data + *off)) = ddsrt_bswap4u (*((uint32_t *) (data + *off))); *val = *((uint32_t *) (data + *off)); (*off) += 4; return true; 
@@ -813,7 +813,7 @@ static bool normalize_uint64 (char * __restrict data, uint32_t * __restrict off, if ((*off = check_align_prim (*off, size, 3)) == UINT32_MAX) return false; if (bswap) - *((uint64_t *) (data + *off)) = bswap8u (*((uint64_t *) (data + *off))); + *((uint64_t *) (data + *off)) = ddsrt_bswap8u (*((uint64_t *) (data + *off))); (*off) += 8; return true; } @@ -847,7 +847,7 @@ static bool normalize_primarray (char * __restrict data, uint32_t * __restrict o { uint16_t *xs = (uint16_t *) (data + *off); for (uint32_t i = 0; i < num; i++) - xs[i] = bswap2u (xs[i]); + xs[i] = ddsrt_bswap2u (xs[i]); } *off += 2 * num; return true; @@ -858,7 +858,7 @@ static bool normalize_primarray (char * __restrict data, uint32_t * __restrict o { uint32_t *xs = (uint32_t *) (data + *off); for (uint32_t i = 0; i < num; i++) - xs[i] = bswap4u (xs[i]); + xs[i] = ddsrt_bswap4u (xs[i]); } *off += 4 * num; return true; @@ -869,7 +869,7 @@ static bool normalize_primarray (char * __restrict data, uint32_t * __restrict o { uint64_t *xs = (uint64_t *) (data + *off); for (uint32_t i = 0; i < num; i++) - xs[i] = bswap8u (xs[i]); + xs[i] = ddsrt_bswap8u (xs[i]); } *off += 8 * num; return true; @@ -956,7 +956,7 @@ static bool normalize_uni_disc (uint32_t * __restrict val, char * __restrict dat if ((*off = check_align_prim (*off, size, 1)) == UINT32_MAX) return false; if (bswap) - *((uint16_t *) (data + *off)) = bswap2u (*((uint16_t *) (data + *off))); + *((uint16_t *) (data + *off)) = ddsrt_bswap2u (*((uint16_t *) (data + *off))); *val = *((uint16_t *) (data + *off)); (*off) += 2; return true; 
@@ -964,7 +964,7 @@ static bool normalize_uni_disc (uint32_t * __restrict val, char * __restrict dat if ((*off = check_align_prim (*off, size, 2)) == UINT32_MAX) return false; if (bswap) - *((uint32_t *) (data + *off)) = bswap4u (*((uint32_t *) (data + *off))); + *((uint32_t *) (data + *off)) = ddsrt_bswap4u (*((uint32_t *) (data + *off))); *val = *((uint32_t *) (data + *off)); (*off) += 4; return true; @@ -1180,19 +1180,19 @@ static void dds_stream_swap_insitu (void * __restrict vbuf, uint32_t size, uint3 case 2: { uint16_t *buf = vbuf; for (uint32_t i = 0; i < num; i++) - buf[i] = bswap2u (buf[i]); + buf[i] = ddsrt_bswap2u (buf[i]); break; } case 4: { uint32_t *buf = vbuf; for (uint32_t i = 0; i < num; i++) - buf[i] = bswap4u (buf[i]); + buf[i] = ddsrt_bswap4u (buf[i]); break; } case 8: { uint64_t *buf = vbuf; for (uint32_t i = 0; i < num; i++) - buf[i] = bswap8u (buf[i]); + buf[i] = ddsrt_bswap8u (buf[i]); break; } } @@ -1294,21 +1294,21 @@ static void dds_stream_swap_copy (void * __restrict vdst, const void * __restric const uint16_t *src = vsrc; uint16_t *dst = vdst; for (uint32_t i = 0; i < num; i++) - dst[i] = bswap2u (src[i]); + dst[i] = ddsrt_bswap2u (src[i]); break; } case 4: { const uint32_t *src = vsrc; uint32_t *dst = vdst; for (uint32_t i = 0; i < num; i++) - dst[i] = bswap4u (src[i]); + dst[i] = ddsrt_bswap4u (src[i]); break; } case 8: { const uint64_t *src = vsrc; uint64_t *dst = vdst; for (uint32_t i = 0; i < num; i++) - dst[i] = bswap8u (src[i]); + dst[i] = ddsrt_bswap8u (src[i]); break; } } 
@@ -1943,7 +1943,7 @@ void dds_ostream_add_to_serdata_default (dds_ostream_t * __restrict s, struct dd (*d) = (void *) s->m_buffer; (*d)->pos = (s->m_index - (uint32_t) offsetof (struct ddsi_serdata_default, data)); (*d)->size = (s->m_size - (uint32_t) offsetof (struct ddsi_serdata_default, data)); - (*d)->hdr.options = toBE2u ((uint16_t) pad); + (*d)->hdr.options = ddsrt_toBE2u ((uint16_t) pad); } void dds_ostreamBE_from_serdata_default (dds_ostreamBE_t * __restrict s, struct ddsi_serdata_default * __restrict d) @@ -1966,5 +1966,5 @@ void dds_ostreamBE_add_to_serdata_default (dds_ostreamBE_t * __restrict s, struc (*d) = (void *) s->x.m_buffer; (*d)->pos = (s->x.m_index - (uint32_t) offsetof (struct ddsi_serdata_default, data)); (*d)->size = (s->x.m_size - (uint32_t) offsetof (struct ddsi_serdata_default, data)); - (*d)->hdr.options = toBE2u ((uint16_t) pad); + (*d)->hdr.options = ddsrt_toBE2u ((uint16_t) pad); } diff --git a/src/core/ddsi/CMakeLists.txt b/src/core/ddsi/CMakeLists.txt index abde8ad..9e8c6a7 100644 --- a/src/core/ddsi/CMakeLists.txt +++ b/src/core/ddsi/CMakeLists.txt @@ -30,7 +30,6 @@ PREPEND(srcs_ddsi "${CMAKE_CURRENT_LIST_DIR}/src" q_addrset.c q_bitset_inlines.c q_bswap.c - q_bswap_inlines.c q_config.c q_ddsi_discovery.c q_debmon.c diff --git a/src/core/ddsi/include/dds/ddsi/q_bswap.h b/src/core/ddsi/include/dds/ddsi/q_bswap.h index d7f058d..93a3706 100644 --- a/src/core/ddsi/include/dds/ddsi/q_bswap.h +++ b/src/core/ddsi/include/dds/ddsi/q_bswap.h @@ -14,7 +14,7 @@ #include -#include "dds/ddsrt/endian.h" +#include "dds/ddsrt/bswap.h" #include "dds/ddsrt/misc.h" #include "dds/ddsi/q_rtps.h" /* for nn_guid_t, nn_guid_prefix_t */ #include "dds/ddsi/q_protocol.h" /* for nn_sequence_number_t */ 
@@ -23,71 +23,12 @@ extern "C" { #endif -inline uint16_t bswap2u (uint16_t x) -{ - return (uint16_t) ((x >> 8) | (x << 8)); -} - -inline int16_t bswap2 (int16_t x) -{ - return (int16_t) bswap2u ((uint16_t) x); -} - -inline uint32_t bswap4u (uint32_t x) -{ - return (x >> 24) | ((x >> 8) & 0xff00) | ((x << 8) & 0xff0000) | (x << 24); -} - -inline int32_t bswap4 (int32_t x) -{ - return (int32_t) bswap4u ((uint32_t) x); -} - -inline uint64_t bswap8u (uint64_t x) -{ - const uint32_t newhi = bswap4u ((uint32_t) x); - const uint32_t newlo = bswap4u ((uint32_t) (x >> 32)); - return ((uint64_t) newhi << 32) | (uint64_t) newlo; -} - -inline int64_t bswap8 (int64_t x) -{ - return (int64_t) bswap8u ((uint64_t) x); -} - inline void bswapSN (nn_sequence_number_t *sn) { - sn->high = bswap4 (sn->high); - sn->low = bswap4u (sn->low); + sn->high = ddsrt_bswap4 (sn->high); + sn->low = ddsrt_bswap4u (sn->low); } -#if DDSRT_ENDIAN == DDSRT_LITTLE_ENDIAN -#define toBE2(x) bswap2 (x) -#define toBE2u(x) bswap2u (x) -#define toBE4(x) bswap4 (x) -#define toBE4u(x) bswap4u (x) -#define toBE8(x) bswap8 (x) -#define toBE8u(x) bswap8u (x) -#define fromBE2(x) bswap2 (x) -#define fromBE2u(x) bswap2u (x) -#define fromBE4(x) bswap4 (x) -#define fromBE4u(x) bswap4u (x) -#define fromBE8(x) bswap8 (x) -#define fromBE8u(x) bswap8u (x) -#else -#define toBE2u(x) (x) -#define toBE4(x) (x) -#define toBE4u(x) (x) -#define toBE8(x) (x) -#define toBE8u(x) (x) -#define fromBE2(x) (x) -#define fromBE2u(x) (x) -#define fromBE4(x) (x) -#define fromBE4u(x) (x) -#define fromBE8(x) (x) -#define fromBE8u(x) (x) -#endif - ddsi_guid_prefix_t nn_hton_guid_prefix (ddsi_guid_prefix_t p); ddsi_guid_prefix_t nn_ntoh_guid_prefix (ddsi_guid_prefix_t p); ddsi_entityid_t nn_hton_entityid (ddsi_entityid_t e); diff --git a/src/core/ddsi/src/ddsi_serdata_default.c b/src/core/ddsi/src/ddsi_serdata_default.c index 39879f4..666e0d3 100644 --- a/src/core/ddsi/src/ddsi_serdata_default.c +++ b/src/core/ddsi/src/ddsi_serdata_default.c 
@@ -296,7 +296,7 @@ static struct ddsi_serdata_default *serdata_default_from_ser_common (const struc const bool needs_bswap = (d->hdr.identifier != NATIVE_ENCODING); d->hdr.identifier = NATIVE_ENCODING; - const uint32_t pad = fromBE2u (d->hdr.options) & 2; + const uint32_t pad = ddsrt_fromBE2u (d->hdr.options) & 2; if (d->pos < pad) { ddsi_serdata_unref (&d->c); @@ -474,7 +474,7 @@ static struct ddsi_serdata *serdata_default_from_sample_plist (const struct ddsi ddsrt_md5_state_t md5st; ddsrt_md5_byte_t digest[16]; topic_name_sz = (uint32_t) strlen (topic_name) + 1; - topic_name_sz_BE = toBE4u (topic_name_sz); + topic_name_sz_BE = ddsrt_toBE4u (topic_name_sz); d->keyhash.m_set = 1; d->keyhash.m_iskey = 0; ddsrt_md5_init (&md5st); diff --git a/src/core/ddsi/src/q_bswap.c b/src/core/ddsi/src/q_bswap.c index 73e1778..c2d11c1 100644 --- a/src/core/ddsi/src/q_bswap.c +++ b/src/core/ddsi/src/q_bswap.c @@ -11,11 +11,13 @@ */ #include "dds/ddsi/q_bswap.h" +extern inline void bswapSN (nn_sequence_number_t *sn); + ddsi_guid_prefix_t nn_hton_guid_prefix (ddsi_guid_prefix_t p) { int i; for (i = 0; i < 3; i++) - p.u[i] = toBE4u (p.u[i]); + p.u[i] = ddsrt_toBE4u (p.u[i]); return p; } @@ -23,19 +25,19 @@ ddsi_guid_prefix_t nn_ntoh_guid_prefix (ddsi_guid_prefix_t p) { int i; for (i = 0; i < 3; i++) - p.u[i] = fromBE4u (p.u[i]); + p.u[i] = ddsrt_fromBE4u (p.u[i]); return p; } ddsi_entityid_t nn_hton_entityid (ddsi_entityid_t e) { - e.u = toBE4u (e.u); + e.u = ddsrt_toBE4u (e.u); return e; } ddsi_entityid_t nn_ntoh_entityid (ddsi_entityid_t e) { - e.u = fromBE4u (e.u); + e.u = ddsrt_fromBE4u (e.u); return e; } 
@@ -56,25 +58,26 @@ ddsi_guid_t nn_ntoh_guid (ddsi_guid_t g) void bswap_sequence_number_set_hdr (nn_sequence_number_set_header_t *snset) { bswapSN (&snset->bitmap_base); - snset->numbits = bswap4u (snset->numbits); + snset->numbits = ddsrt_bswap4u (snset->numbits); } void bswap_sequence_number_set_bitmap (nn_sequence_number_set_header_t *snset, uint32_t *bits) { const uint32_t n = (snset->numbits + 31) / 32; for (uint32_t i = 0; i < n; i++) - bits[i] = bswap4u (bits[i]); + bits[i] = ddsrt_bswap4u (bits[i]); } void bswap_fragment_number_set_hdr (nn_fragment_number_set_header_t *fnset) { - fnset->bitmap_base = bswap4u (fnset->bitmap_base); - fnset->numbits = bswap4u (fnset->numbits); + fnset->bitmap_base = ddsrt_bswap4u (fnset->bitmap_base); + fnset->numbits = ddsrt_bswap4u (fnset->numbits); } void bswap_fragment_number_set_bitmap (nn_fragment_number_set_header_t *fnset, uint32_t *bits) { const uint32_t n = (fnset->numbits + 31) / 32; for (uint32_t i = 0; i < n; i++) - bits[i] = bswap4u (bits[i]); + bits[i] = ddsrt_bswap4u (bits[i]); } + diff --git a/src/core/ddsi/src/q_init.c b/src/core/ddsi/src/q_init.c index f2bb0d9..c73a39e 100644 --- a/src/core/ddsi/src/q_init.c +++ b/src/core/ddsi/src/q_init.c @@ -1038,7 +1038,7 @@ int rtps_init (struct q_globals *gv) that won't repeat in the lifetime of the process. Seems like it ought to work to keep the risks of collisions low. */ { - uint64_t iid = toBE8u (ddsi_iid_gen ()); + uint64_t iid = ddsrt_toBE8u (ddsi_iid_gen ()); ddsrt_md5_state_t st; ddsrt_md5_byte_t digest[16]; ddsrt_md5_init (&st); diff --git a/src/core/ddsi/src/q_lease.c b/src/core/ddsi/src/q_lease.c index 4015085..e35abda 100644 --- a/src/core/ddsi/src/q_lease.c +++ b/src/core/ddsi/src/q_lease.c 
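Review bot: In src/core/ddsi/src/q_bswap.c, bswap_sequence_number_set_bitmap and bswap_fragment_number_set_bitmap take their loop bound from `numbits` in the header, and neither function limits it to the size of `bits`. The count comes from a received message, so any range check has to sit in the callers, which are outside this hunk; the functions also appear to rely on the header having been swapped first. Since these lines are being touched anyway, state that contract above both functions: `/* numbits must already be in host order and range-checked by the caller; bits[] must hold (numbits + 31) / 32 words */`. The hunk also adds a stray blank line at the end of the file.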
@@ -320,7 +320,7 @@ void handle_PMD (const struct receiver_state *rst, nn_wctime_t timestamp, uint32 const ParticipantMessageData_t *pmd = (ParticipantMessageData_t *) (data + 1); ddsi_guid_prefix_t p = nn_ntoh_guid_prefix (pmd->participantGuidPrefix); uint32_t kind = ntohl (pmd->kind); - uint32_t length = bswap ? bswap4u (pmd->length) : pmd->length; + uint32_t length = bswap ? ddsrt_bswap4u (pmd->length) : pmd->length; RSTTRACE (" pp %"PRIx32":%"PRIx32":%"PRIx32" kind %u data %u", p.u[0], p.u[1], p.u[2], kind, length); if (len - sizeof (struct CDRHeader) - offsetof (ParticipantMessageData_t, value) < length) debug_print_rawdata (rst->gv, " SHORT2", pmd->value, len - sizeof (struct CDRHeader) - offsetof (ParticipantMessageData_t, value)); diff --git a/src/core/ddsi/src/q_pcap.c b/src/core/ddsi/src/q_pcap.c index 3fb0e68..f588bbc 100644 --- a/src/core/ddsi/src/q_pcap.c +++ b/src/core/ddsi/src/q_pcap.c @@ -144,7 +144,7 @@ void write_pcap_received (struct q_globals *gv, nn_wctime_t tstamp, const struct pcap_hdr.incl_len = pcap_hdr.orig_len = (uint32_t) sz_iud; fwrite (&pcap_hdr, sizeof (pcap_hdr), 1, gv->pcap_fp); u.ipv4_hdr = ipv4_hdr_template; - u.ipv4_hdr.totallength = toBE2u ((unsigned short) sz_iud); + u.ipv4_hdr.totallength = ddsrt_toBE2u ((unsigned short) sz_iud); u.ipv4_hdr.ttl = 128; u.ipv4_hdr.srcip = ((struct sockaddr_in*) src)->sin_addr.s_addr; u.ipv4_hdr.dstip = ((struct sockaddr_in*) dst)->sin_addr.s_addr; @@ -152,7 +152,7 @@ void write_pcap_received (struct q_globals *gv, nn_wctime_t tstamp, const struct fwrite (&u.ipv4_hdr, sizeof (u.ipv4_hdr), 1, gv->pcap_fp); udp_hdr.srcport = ((struct sockaddr_in*) src)->sin_port; udp_hdr.dstport = ((struct sockaddr_in*) dst)->sin_port; - udp_hdr.length = toBE2u ((unsigned short) sz_ud); + udp_hdr.length = ddsrt_toBE2u ((unsigned short) sz_ud); udp_hdr.checksum = 0; /* don't have to compute a checksum for UDPv4 */ fwrite (&udp_hdr, sizeof (udp_hdr), 1, gv->pcap_fp); fwrite (buf, sz, 1, gv->pcap_fp); 
@@ -177,7 +177,7 @@ void write_pcap_sent (struct q_globals *gv, nn_wctime_t tstamp, const struct soc pcap_hdr.incl_len = pcap_hdr.orig_len = (uint32_t) sz_iud; fwrite (&pcap_hdr, sizeof (pcap_hdr), 1, gv->pcap_fp); u.ipv4_hdr = ipv4_hdr_template; - u.ipv4_hdr.totallength = toBE2u ((unsigned short) sz_iud); + u.ipv4_hdr.totallength = ddsrt_toBE2u ((unsigned short) sz_iud); u.ipv4_hdr.ttl = 255; u.ipv4_hdr.srcip = ((struct sockaddr_in*) src)->sin_addr.s_addr; u.ipv4_hdr.dstip = ((struct sockaddr_in*) hdr->msg_name)->sin_addr.s_addr; @@ -185,7 +185,7 @@ void write_pcap_sent (struct q_globals *gv, nn_wctime_t tstamp, const struct soc fwrite (&u.ipv4_hdr, sizeof (u.ipv4_hdr), 1, gv->pcap_fp); udp_hdr.srcport = ((struct sockaddr_in*) src)->sin_port; udp_hdr.dstport = ((struct sockaddr_in*) hdr->msg_name)->sin_port; - udp_hdr.length = toBE2u ((unsigned short) sz_ud); + udp_hdr.length = ddsrt_toBE2u ((unsigned short) sz_ud); udp_hdr.checksum = 0; /* don't have to compute a checksum for UDPv4 */ fwrite (&udp_hdr, sizeof (udp_hdr), 1, gv->pcap_fp); write_data (gv->pcap_fp, hdr, sz); diff --git a/src/core/ddsi/src/q_plist.c b/src/core/ddsi/src/q_plist.c index 50a9721..b11931e 100644 --- a/src/core/ddsi/src/q_plist.c +++ b/src/core/ddsi/src/q_plist.c @@ -163,7 +163,7 @@ static dds_return_t deser_uint32 (uint32_t *dst, const struct dd * __restrict dd return DDS_RETCODE_BAD_PARAMETER; tmp = *((uint32_t *) (dd->buf + off1)); if (dd->bswap) - tmp = bswap4u (tmp); + tmp = ddsrt_bswap4u (tmp); *dst = tmp; *off = off1 + 4; return 0; 
@@ -231,7 +231,7 @@ static dds_return_t deser_statusinfo (void * __restrict dst, size_t * __restrict /* status info is always in BE format (it is an array of 4 octets according to the spec) -- fortunately we have 4 byte alignment anyway -- and can have bits set we don't grok (which we discard) */ - *x = fromBE4u (*((uint32_t *) (dd->buf + srcoff1))) & NN_STATUSINFO_STANDARDIZED; + *x = ddsrt_fromBE4u (*((uint32_t *) (dd->buf + srcoff1))) & NN_STATUSINFO_STANDARDIZED; *dstoff += sizeof (*x); *srcoff = srcoff1 + 4; *flagset->present |= flag; @@ -242,7 +242,7 @@ static dds_return_t ser_statusinfo (struct nn_xmsg *xmsg, nn_parameterid_t pid, { uint32_t const * const x = deser_generic_src (src, &srcoff, alignof (uint32_t)); uint32_t * const p = nn_xmsg_addpar (xmsg, pid, sizeof (uint32_t)); - *p = toBE4u (*x); + *p = ddsrt_toBE4u (*x); return 0; } @@ -1876,8 +1876,8 @@ static dds_return_t do_locator (nn_locators_t *ls, uint64_t *present, uint64_t w memcpy (&loc, dd->buf, sizeof (loc)); if (dd->bswap) { - loc.kind = bswap4 (loc.kind); - loc.port = bswap4u (loc.port); + loc.kind = ddsrt_bswap4 (loc.kind); + loc.port = ddsrt_bswap4u (loc.port); } switch (loc.kind) { @@ -2031,7 +2031,7 @@ static dds_return_t do_port (nn_plist_t *dest, nn_ipaddress_params_tmp_t *dest_t } memcpy (p, dd->buf, sizeof (*p)); if (dd->bswap) - *p = bswap4u (*p); + *p = ddsrt_bswap4u (*p); if (*p <= 0 || *p > 65535) return DDS_RETCODE_BAD_PARAMETER; dest_tmp->present |= fl_tmp; 
@@ -2331,8 +2331,8 @@ dds_return_t nn_plist_init_frommsg (nn_plist_t *dest, char **nextafterplist, uin /* swapping header partially based on wireshark dissector output, partially on intuition, and in a small part based on the spec */ - pid = (nn_parameterid_t) (dd.bswap ? bswap2u (par->parameterid) : par->parameterid); - length = (uint16_t) (dd.bswap ? bswap2u (par->length) : par->length); + pid = (nn_parameterid_t) (dd.bswap ? ddsrt_bswap2u (par->parameterid) : par->parameterid); + length = (uint16_t) (dd.bswap ? ddsrt_bswap2u (par->length) : par->length); if (pid == PID_SENTINEL) { /* Sentinel terminates list, the length is ignored, DDSI 9.4.2.11. */ @@ -2450,8 +2450,8 @@ unsigned char *nn_plist_quickscan (struct nn_rsample_info *dest, const struct nn nn_parameter_t *par = (nn_parameter_t *) pl; nn_parameterid_t pid; uint16_t length; - pid = (nn_parameterid_t) (dest->bswap ? bswap2u (par->parameterid) : par->parameterid); - length = (uint16_t) (dest->bswap ? bswap2u (par->length) : par->length); + pid = (nn_parameterid_t) (dest->bswap ? ddsrt_bswap2u (par->parameterid) : par->parameterid); + length = (uint16_t) (dest->bswap ? ddsrt_bswap2u (par->length) : par->length); pl += sizeof (*par); if (pid == PID_SENTINEL) return (unsigned char *) pl; @@ -2482,7 +2482,7 @@ unsigned char *nn_plist_quickscan (struct nn_rsample_info *dest, const struct nn { /* can only represent 2 LSBs of statusinfo in "dest", so if others are set, mark it as a "complex_qos" and accept the hit of parsing the data completely. */ - uint32_t stinfo = fromBE4u (*((uint32_t *) pl)); + uint32_t stinfo = ddsrt_fromBE4u (*((uint32_t *) pl)); dest->statusinfo = stinfo & 3u; if ((stinfo & ~3u)) dest->complex_qos = 1; diff --git a/src/core/ddsi/src/q_receive.c b/src/core/ddsi/src/q_receive.c index ada45a0..6f4b7a8 100644 --- a/src/core/ddsi/src/q_receive.c +++ b/src/core/ddsi/src/q_receive.c 
@@ -145,7 +145,7 @@ static int valid_AckNack (const struct receiver_state *rst, AckNack_t *msg, size if (byteswap) { bswap_sequence_number_set_bitmap (&msg->readerSNState, msg->bits); - *count = bswap4 (*count); + *count = ddsrt_bswap4 (*count); } return 1; } @@ -199,8 +199,8 @@ static int valid_InfoTS (InfoTS_t *msg, size_t size, int byteswap) { if (byteswap) { - msg->time.seconds = bswap4 (msg->time.seconds); - msg->time.fraction = bswap4u (msg->time.fraction); + msg->time.seconds = ddsrt_bswap4 (msg->time.seconds); + msg->time.fraction = ddsrt_bswap4u (msg->time.fraction); } return valid_ddsi_timestamp (msg->time); } @@ -214,7 +214,7 @@ static int valid_Heartbeat (Heartbeat_t *msg, size_t size, int byteswap) { bswapSN (&msg->firstSN); bswapSN (&msg->lastSN); - msg->count = bswap4 (msg->count); + msg->count = ddsrt_bswap4 (msg->count); } msg->readerId = nn_ntoh_entityid (msg->readerId); msg->writerId = nn_ntoh_entityid (msg->writerId); @@ -231,8 +231,8 @@ static int valid_HeartbeatFrag (HeartbeatFrag_t *msg, size_t size, int byteswap) if (byteswap) { bswapSN (&msg->writerSN); - msg->lastFragmentNum = bswap4u (msg->lastFragmentNum); - msg->count = bswap4 (msg->count); + msg->lastFragmentNum = ddsrt_bswap4u (msg->lastFragmentNum); + msg->count = ddsrt_bswap4 (msg->count); } msg->readerId = nn_ntoh_entityid (msg->readerId); msg->writerId = nn_ntoh_entityid (msg->writerId); @@ -267,7 +267,7 @@ static int valid_NackFrag (NackFrag_t *msg, size_t size, int byteswap) if (byteswap) { bswap_fragment_number_set_bitmap (&msg->fragmentNumberState, msg->bits); - *count = bswap4 (*count); + *count = ddsrt_bswap4 (*count); } return 1; } 
@@ -292,8 +292,8 @@ static int valid_Data (const struct receiver_state *rst, struct nn_rmsg *rmsg, D return 0; if (byteswap) { - msg->x.extraFlags = bswap2u (msg->x.extraFlags); - msg->x.octetsToInlineQos = bswap2u (msg->x.octetsToInlineQos); + msg->x.extraFlags = ddsrt_bswap2u (msg->x.extraFlags); + msg->x.octetsToInlineQos = ddsrt_bswap2u (msg->x.octetsToInlineQos); bswapSN (&msg->x.writerSN); } msg->x.readerId = nn_ntoh_entityid (msg->x.readerId); @@ -400,13 +400,13 @@ static int valid_DataFrag (const struct receiver_state *rst, struct nn_rmsg *rms if (byteswap) { - msg->x.extraFlags = bswap2u (msg->x.extraFlags); - msg->x.octetsToInlineQos = bswap2u (msg->x.octetsToInlineQos); + msg->x.extraFlags = ddsrt_bswap2u (msg->x.extraFlags); + msg->x.octetsToInlineQos = ddsrt_bswap2u (msg->x.octetsToInlineQos); bswapSN (&msg->x.writerSN); - msg->fragmentStartingNum = bswap4u (msg->fragmentStartingNum); - msg->fragmentsInSubmessage = bswap2u (msg->fragmentsInSubmessage); - msg->fragmentSize = bswap2u (msg->fragmentSize); - msg->sampleSize = bswap4u (msg->sampleSize); + msg->fragmentStartingNum = ddsrt_bswap4u (msg->fragmentStartingNum); + msg->fragmentsInSubmessage = ddsrt_bswap2u (msg->fragmentsInSubmessage); + msg->fragmentSize = ddsrt_bswap2u (msg->fragmentSize); + msg->sampleSize = ddsrt_bswap4u (msg->sampleSize); } msg->x.readerId = nn_ntoh_entityid (msg->x.readerId); msg->x.writerId = nn_ntoh_entityid (msg->x.writerId); @@ -2662,7 +2662,7 @@ static int handle_submsg_sequence } if (byteswap) { - sm->smhdr.octetsToNextHeader = bswap2u (sm->smhdr.octetsToNextHeader); + sm->smhdr.octetsToNextHeader = ddsrt_bswap2u (sm->smhdr.octetsToNextHeader); } octetsToNextHeader = sm->smhdr.octetsToNextHeader; @@ -2929,7 +2929,7 @@ static bool do_packet (struct thread_state1 * const ts1, struct q_globals *gv, d } if (swap) { - ml->length = bswap4u (ml->length); + ml->length = ddsrt_bswap4u (ml->length); } if (ml->smhdr.submessageId != SMID_PT_MSG_LEN) 
diff --git a/src/core/ddsi/src/q_xevent.c b/src/core/ddsi/src/q_xevent.c index 9deee7a..775b2f4 100644 --- a/src/core/ddsi/src/q_xevent.c +++ b/src/core/ddsi/src/q_xevent.c @@ -1109,7 +1109,7 @@ static void write_pmd_message (struct thread_state1 * const ts1, struct nn_xpack } u.pmd.participantGuidPrefix = nn_hton_guid_prefix (pp->e.guid.prefix); - u.pmd.kind = toBE4u (pmd_kind); + u.pmd.kind = ddsrt_toBE4u (pmd_kind); u.pmd.length = PMD_DATA_LENGTH; memset (u.pmd.value, 0, u.pmd.length); diff --git a/src/core/ddsi/src/q_xmsg.c b/src/core/ddsi/src/q_xmsg.c index 28c6200..abb4685 100644 --- a/src/core/ddsi/src/q_xmsg.c +++ b/src/core/ddsi/src/q_xmsg.c @@ -786,7 +786,7 @@ void nn_xmsg_addpar_keyhash (struct nn_xmsg *m, const struct ddsi_serdata *serda static void nn_xmsg_addpar_BE4u (struct nn_xmsg *m, nn_parameterid_t pid, uint32_t x) { unsigned *p = nn_xmsg_addpar (m, pid, sizeof (x)); - *p = toBE4u (x); + *p = ddsrt_toBE4u (x); } void nn_xmsg_addpar_statusinfo (struct nn_xmsg *m, unsigned statusinfo) @@ -800,8 +800,8 @@ void nn_xmsg_addpar_statusinfo (struct nn_xmsg *m, unsigned statusinfo) assert ((statusinfo & ~NN_STATUSINFO_STANDARDIZED) == NN_STATUSINFO_OSPL_AUTO); if (statusinfo & NN_STATUSINFO_OSPL_AUTO) statusinfox |= NN_STATUSINFOX_OSPL_AUTO; - p[0] = toBE4u (statusinfo & NN_STATUSINFO_STANDARDIZED); - p[1] = toBE4u (statusinfox); + p[0] = ddsrt_toBE4u (statusinfo & NN_STATUSINFO_STANDARDIZED); + p[1] = ddsrt_toBE4u (statusinfox); } } diff --git a/src/ddsrt/CMakeLists.txt b/src/ddsrt/CMakeLists.txt index 0b241d9..19b99df 100644 --- a/src/ddsrt/CMakeLists.txt +++ b/src/ddsrt/CMakeLists.txt @@ -116,6 +116,7 @@ list(APPEND headers "${include_path}/dds/ddsrt/static_assert.h") list(APPEND sources + "${source_path}/bswap.c" "${source_path}/io.c" "${source_path}/log.c" "${source_path}/retcode.c" diff --git a/src/ddsrt/include/dds/ddsrt/bswap.h b/src/ddsrt/include/dds/ddsrt/bswap.h new file mode 100644 index 0000000..3e1ff56 --- /dev/null 
+++ b/src/ddsrt/include/dds/ddsrt/bswap.h 
@@ -0,0 +1,87 @@ +/* + * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ +#ifndef DDSRT_BSWAP_H +#define DDSRT_BSWAP_H + +#include +#include + +#include "dds/ddsrt/endian.h" + +#if defined (__cplusplus) +extern "C" { +#endif + +inline uint16_t ddsrt_bswap2u (uint16_t x) +{ + return (uint16_t) ((x >> 8) | (x << 8)); +} + +inline int16_t ddsrt_bswap2 (int16_t x) +{ + return (int16_t) ddsrt_bswap2u ((uint16_t) x); +} + +inline uint32_t ddsrt_bswap4u (uint32_t x) +{ + return (x >> 24) | ((x >> 8) & 0xff00) | ((x << 8) & 0xff0000) | (x << 24); +} + +inline int32_t ddsrt_bswap4 (int32_t x) +{ + return (int32_t) ddsrt_bswap4u ((uint32_t) x); +} + +inline uint64_t ddsrt_bswap8u (uint64_t x) +{ + const uint32_t newhi = ddsrt_bswap4u ((uint32_t) x); + const uint32_t newlo = ddsrt_bswap4u ((uint32_t) (x >> 32)); + return ((uint64_t) newhi << 32) | (uint64_t) newlo; +} + +inline int64_t ddsrt_bswap8 (int64_t x) +{ + return (int64_t) ddsrt_bswap8u ((uint64_t) x); +} + +#if DDSRT_ENDIAN == DDSRT_LITTLE_ENDIAN +#define ddsrt_toBE2(x) ddsrt_bswap2 (x) +#define ddsrt_toBE2u(x) ddsrt_bswap2u (x) +#define ddsrt_toBE4(x) ddsrt_bswap4 (x) +#define ddsrt_toBE4u(x) ddsrt_bswap4u (x) +#define ddsrt_toBE8(x) ddsrt_bswap8 (x) +#define ddsrt_toBE8u(x) ddsrt_bswap8u (x) +#define ddsrt_fromBE2(x) ddsrt_bswap2 (x) +#define ddsrt_fromBE2u(x) ddsrt_bswap2u (x) +#define ddsrt_fromBE4(x) ddsrt_bswap4 (x) +#define ddsrt_fromBE4u(x) ddsrt_bswap4u (x) +#define ddsrt_fromBE8(x) ddsrt_bswap8 (x) +#define ddsrt_fromBE8u(x) ddsrt_bswap8u (x) +#else +#define ddsrt_toBE2u(x) (x) +#define ddsrt_toBE4(x) (x) +#define 
ddsrt_toBE4u(x) (x) +#define ddsrt_toBE8(x) (x) +#define ddsrt_toBE8u(x) (x) +#define ddsrt_fromBE2(x) (x) +#define ddsrt_fromBE2u(x) (x) +#define ddsrt_fromBE4(x) (x) +#define ddsrt_fromBE4u(x) (x) +#define ddsrt_fromBE8(x) (x) +#define ddsrt_fromBE8u(x) (x) +#endif + +#if defined (__cplusplus) +} +#endif + +#endif /* DDSRT_BSWAP_H */ \ No newline at end of file diff --git a/src/core/ddsi/src/q_bswap_inlines.c b/src/ddsrt/src/bswap.c similarity index 55% rename from src/core/ddsi/src/q_bswap_inlines.c rename to src/ddsrt/src/bswap.c index 7d5f070..0423eab 100644 --- a/src/core/ddsi/src/q_bswap_inlines.c +++ b/src/ddsrt/src/bswap.c @@ -9,13 +9,11 @@ * * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause */ -#include "dds/ddsi/q_bswap.h" - -extern inline uint16_t bswap2u (uint16_t x); -extern inline uint32_t bswap4u (uint32_t x); -extern inline uint64_t bswap8u (uint64_t x); -extern inline int16_t bswap2 (int16_t x); -extern inline int32_t bswap4 (int32_t x); -extern inline int64_t bswap8 (int64_t x); -extern inline void bswapSN (nn_sequence_number_t *sn); +#include "dds/ddsrt/bswap.h" +extern inline uint16_t ddsrt_bswap2u (uint16_t x); +extern inline uint32_t ddsrt_bswap4u (uint32_t x); +extern inline uint64_t ddsrt_bswap8u (uint64_t x); +extern inline int16_t ddsrt_bswap2 (int16_t x); +extern inline int32_t ddsrt_bswap4 (int32_t x); +extern inline int64_t ddsrt_bswap8 (int64_t x); From 43ee3f87cac4ac0d1dd01059f0b7406c43927dc4 Mon Sep 17 00:00:00 2001 From: Marcel Jordense Date: Mon, 28 Oct 2019 10:52:15 +0100 Subject: [PATCH 12/13] use ddsrt_malloc for allocating iov array Signed-off-by: Marcel Jordense --- src/core/ddsi/src/q_xmsg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/ddsi/src/q_xmsg.c b/src/core/ddsi/src/q_xmsg.c index abb4685..5e704a3 100644 --- a/src/core/ddsi/src/q_xmsg.c +++ b/src/core/ddsi/src/q_xmsg.c 
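Review bot: The big-endian `#else` branch of the new src/ddsrt/include/dds/ddsrt/bswap.h defines eleven macros against twelve in the little-endian branch: `ddsrt_toBE2` is missing, and the list starts at `ddsrt_toBE2u`. The gap is carried over from the block removed from q_bswap.h, but this header is now meant for reuse by the security plugins and tests. A caller of `ddsrt_toBE2` would then fail to build, or fall back to an implicit declaration under a lenient compiler, on big-endian targets only. Add `#define ddsrt_toBE2(x) (x)` as the first line of the `#else` list. The new file also ends without a trailing newline.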
@@ -1374,7 +1374,7 @@ int nn_xpack_addmsg (struct nn_xpack *xp, struct nn_xmsg *m, const uint32_t flag assert (m->refd_payload == NULL || (m->refd_payload_iov.iov_len % 4) == 0); if (xp->iov == NULL) - xp->iov = malloc (NN_XMSG_MAX_MESSAGE_IOVECS * sizeof (*xp->iov)); + xp->iov = ddsrt_malloc (NN_XMSG_MAX_MESSAGE_IOVECS * sizeof (*xp->iov)); if (!nn_xpack_mayaddmsg (xp, m, flags)) { From 2c1d3010d09a149ed7d1dbd65f3b8f8fd2446b23 Mon Sep 17 00:00:00 2001 From: Kurtulus Oksuztepe Date: Wed, 30 Oct 2019 11:41:00 +0100 Subject: [PATCH 13/13] Builtin authentication plugin for DDS Security Builtin authentication plugin of DDS Security implementation was added. This plugin is the first implementation and it also contains the functions that are used initially in the secure communication sequence. The builtin authentication plugin implements authentication using a trusted Certificate Authority (CA). It performs mutual authentication between discovered participants using the RSA or ECDSA Digital Signature Algorithms and establishes a shared secret using Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH) Key Agreement Methods. DDS Security core component is introduced with this commit. DDSI and other builtin plugins will also use the security core. Like all builtin plugins, dds security authentication plugin is a shared library for providing dynamic library loading on runtime. So that, dds participants can use different plugin implementations with different configurations. Authentication plugin uses ddsrt functions. ddsrt is not expected to be a shared library and statically adding ddsrt objects to authentication library produces linkage errors in windows. So, dynamically linking authentication plugin to ddc library is decided. Another decision should be taken for the platforms that are not supporting dynamic libraries later. 
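Review bot: `xp->iov` is used right after `ddsrt_malloc` with no NULL check, the same as with the `malloc` it replaces. Whether that is safe depends on `ddsrt_malloc` never returning NULL, which this hunk does not show. The switch also means the release site, which is outside the hunk, has to call `ddsrt_free (xp->iov)`, since the commit changes only the allocation. A comment on the new line would record both assumptions: `/* ddsrt_malloc: assumed not to return NULL; release with ddsrt_free */`. `nn_xpack_addmsg` starts and ends outside the hunk.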
Signed-off-by: Kurtulus Oksuztepe --- cmake/Modules/CUnit.cmake | 7 +- src/CMakeLists.txt | 2 +- src/core/CMakeLists.txt | 2 +- src/ddsrt/include/dds/ddsrt/time.h | 3 + src/ddsrt/src/dynlib/posix/dynlib.c | 94 +- src/ddsrt/src/dynlib/windows/dynlib.c | 3 +- src/security/CMakeLists.txt | 21 + src/security/api/CMakeLists.txt | 6 +- .../include/dds/security/dds_security_api.h | 2 +- .../dds_security_api_access_control.h | 2 +- .../dds_security_api_authentication.h | 2 +- .../security/dds_security_api_cryptography.h | 2 +- .../dds/security/dds_security_api_defs.h | 2 +- .../dds/security/dds_security_api_err.h | 10 +- .../dds/security/dds_security_api_types.h | 4 +- src/security/builtin_plugins/CMakeLists.txt | 19 + .../authentication/CMakeLists.txt | 65 + .../authentication/src/auth_utils.c | 1379 +++++++ .../authentication/src/auth_utils.h | 238 ++ .../authentication/src/authentication.c | 3513 +++++++++++++++++ .../authentication/src/authentication.h | 146 + .../builtin_plugins/tests/CMakeLists.txt | 51 + .../tests/common/src/handshake_helper.c | 579 +++ .../tests/common/src/handshake_helper.h | 90 + .../builtin_plugins/tests/common/src/loader.c | 222 ++ .../builtin_plugins/tests/common/src/loader.h | 34 + .../builtin_plugins/tests/config_env.h.in | 17 + ...thenticated_peer_credential_token_utests.c | 1648 ++++++++ .../etc/trusted_ca_dir/identity_ca | 22 + .../etc/trusted_ca_dir/remote_identity_ca.crt | 25 + .../etc/trusted_ca_dir/root_CA_RSA.crt | 28 + .../not_matching_trusted_ca.crt | 25 + .../src/process_handshake_utests.c | 2447 ++++++++++++ .../etc/trusted_ca_dir/identity_ca | 27 + .../etc/trusted_ca_dir/remote_ca.crt | 25 + .../etc/trusted_ca_dir/root_CA_RSA.crt | 28 + .../validate_begin_handshake_reply_utests.c | 2125 ++++++++++ .../validate_begin_handshake_request_utests.c | 828 ++++ .../etc/Alice_Test_2.crt | 25 + .../etc/Bob_Chain_Test.crt | 25 + .../etc/Identity_CA_Test2.crt | 25 + .../etc/Identity_CA_Test_With_Chain.crt | 25 + 
.../validate_local_identity/etc/alice.pem | 27 + .../tests/validate_local_identity/etc/bob.pem | 27 + .../etc/ec_identity_ca | 14 + .../etc/ec_identity_certificate | 50 + .../etc/ec_identity_certificate_unsupported | 14 + .../etc/ec_private_key | 5 + .../etc/ec_private_key_unsupported | 5 + .../etc/ec_private_key_w_password | 8 + .../validate_local_identity/etc/identity_ca | 27 + .../etc/identity_ca_private_key | 27 + .../etc/identity_certificate | 25 + .../etc/identity_certificate_1024key | 17 + .../etc/invalid_identity_ca | 22 + .../etc/invalid_identity_certificate | 20 + .../etc/invalid_private_key | 27 + .../etc/new/CHAM-577.crt | 25 + .../etc/new/identity_ca | 27 + .../etc/new/identity_ca_private_key | 27 + .../etc/new/identity_certificate | 25 + .../etc/new/private_key | 27 + .../etc/old/Alice_Test_2.crt | 25 + .../etc/old/Bob_Chain_Test.crt | 25 + .../etc/old/Identity_CA_Test2.crt | 25 + .../etc/old/Identity_CA_Test_With_Chain.crt | 25 + .../validate_local_identity/etc/old/alice.pem | 27 + .../validate_local_identity/etc/old/bob.pem | 27 + .../etc/old/ec_identity_ca | 14 + .../etc/old/ec_identity_certificate | 50 + .../old/ec_identity_certificate_unsupported | 14 + .../etc/old/ec_private_key | 5 + .../etc/old/ec_private_key_unsupported | 5 + .../etc/old/ec_private_key_w_password | 8 + .../etc/old/identity_ca | 22 + .../etc/old/identity_certificate | 20 + .../etc/old/identity_certificate_1024key | 17 + .../etc/old/invalid_identity_ca | 22 + .../etc/old/invalid_identity_certificate | 20 + .../etc/old/invalid_private_key | 27 + .../etc/old/private_key | 27 + .../etc/old/private_key_1024 | 15 + .../etc/old/private_key_not_matching | 48 + .../etc/old/private_key_w_password | 30 + .../validate_local_identity/etc/old/remote | 20 + .../etc/old/unrelated_identity_ca | 22 + .../validate_local_identity/etc/private_key | 27 + .../etc/private_key_1024 | 15 + .../etc/private_key_not_matching | 48 + .../etc/private_key_w_password | 30 + .../etc/trusted_ca_dir/identity_ca | 
27 + .../etc/trusted_ca_dir/root_CA_RSA.crt | 28 + .../not_matching_trusted_ca.crt | 25 + .../etc/unrelated_identity_ca | 22 + .../tests/validate_local_identity/src/ca.crt | 22 + .../tests/validate_local_identity/src/id.crt | 20 + .../validate_local_identity/src/priv.pem | 27 + .../tests/validate_local_identity/src/remote | 20 + .../src/unrelated_identity_ca | 22 + .../src/validate_local_identity_utests.c | 2109 ++++++++++ .../src/validate_remote_identity_utests.c | 1140 ++++++ src/security/core/CMakeLists.txt | 57 + .../security/core/dds_security_serialize.h | 106 + .../dds/security/core/dds_security_types.h | 69 + .../dds/security/core/dds_security_utils.h | 391 ++ .../include/dds/security/core/shared_secret.h | 40 + .../core/src/dds_security_serialize.c | 813 ++++ src/security/core/src/dds_security_utils.c | 1134 ++++++ src/security/core/src/shared_secret.c | 43 + 109 files changed, 20998 insertions(+), 66 deletions(-) create mode 100644 src/security/CMakeLists.txt create mode 100644 src/security/builtin_plugins/CMakeLists.txt create mode 100644 src/security/builtin_plugins/authentication/CMakeLists.txt create mode 100644 src/security/builtin_plugins/authentication/src/auth_utils.c create mode 100644 src/security/builtin_plugins/authentication/src/auth_utils.h create mode 100644 src/security/builtin_plugins/authentication/src/authentication.c create mode 100644 src/security/builtin_plugins/authentication/src/authentication.h create mode 100644 src/security/builtin_plugins/tests/CMakeLists.txt create mode 100644 src/security/builtin_plugins/tests/common/src/handshake_helper.c create mode 100644 src/security/builtin_plugins/tests/common/src/handshake_helper.h create mode 100644 src/security/builtin_plugins/tests/common/src/loader.c create mode 100644 src/security/builtin_plugins/tests/common/src/loader.h create mode 100644 src/security/builtin_plugins/tests/config_env.h.in create mode 100644 
src/security/builtin_plugins/tests/get_authenticated_peer_credential_token/src/get_authenticated_peer_credential_token_utests.c create mode 100644 src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/identity_ca create mode 100644 src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/remote_identity_ca.crt create mode 100644 src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/root_CA_RSA.crt create mode 100644 src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt create mode 100644 src/security/builtin_plugins/tests/process_handshake/src/process_handshake_utests.c create mode 100644 src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/identity_ca create mode 100644 src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/remote_ca.crt create mode 100644 src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/root_CA_RSA.crt create mode 100644 src/security/builtin_plugins/tests/validate_begin_handshake_reply/src/validate_begin_handshake_reply_utests.c create mode 100644 src/security/builtin_plugins/tests/validate_begin_handshake_request/src/validate_begin_handshake_request_utests.c create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/Alice_Test_2.crt create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/Bob_Chain_Test.crt create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test2.crt create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test_With_Chain.crt create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/alice.pem create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/bob.pem create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_ca 
create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate_unsupported create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_unsupported create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_w_password create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca_private_key create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate_1024key create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_ca create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_certificate create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_private_key create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/new/CHAM-577.crt create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca_private_key create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_certificate create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/new/private_key create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/Alice_Test_2.crt create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/Bob_Chain_Test.crt create mode 
100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test2.crt create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test_With_Chain.crt create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/alice.pem create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/bob.pem create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_ca create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate_unsupported create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_unsupported create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_w_password create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_ca create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate_1024key create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_ca create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_certificate create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_private_key create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_1024 create mode 100644 
src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_not_matching create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_w_password create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/remote create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/old/unrelated_identity_ca create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/private_key create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_1024 create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_not_matching create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_w_password create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/identity_ca create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/root_CA_RSA.crt create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/etc/unrelated_identity_ca create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/src/ca.crt create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/src/id.crt create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/src/priv.pem create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/src/remote create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/src/unrelated_identity_ca create mode 100644 src/security/builtin_plugins/tests/validate_local_identity/src/validate_local_identity_utests.c create mode 100644 src/security/builtin_plugins/tests/validate_remote_identity/src/validate_remote_identity_utests.c create mode 100644 
src/security/core/CMakeLists.txt create mode 100644 src/security/core/include/dds/security/core/dds_security_serialize.h create mode 100644 src/security/core/include/dds/security/core/dds_security_types.h create mode 100644 src/security/core/include/dds/security/core/dds_security_utils.h create mode 100644 src/security/core/include/dds/security/core/shared_secret.h create mode 100644 src/security/core/src/dds_security_serialize.c create mode 100644 src/security/core/src/dds_security_utils.c create mode 100644 src/security/core/src/shared_secret.c diff --git a/cmake/Modules/CUnit.cmake b/cmake/Modules/CUnit.cmake index ac63690..1f118b6 100644 --- a/cmake/Modules/CUnit.cmake +++ b/cmake/Modules/CUnit.cmake @@ -281,12 +281,17 @@ function(add_cunit_executable TARGET) set_property( TEST ${ctest} PROPERTY ENVIRONMENT - "DYLD_LIBRARY_PATH=${CUNIT_LIBRARY_DIR}:$ENV{DYLD_LIBRARY_PATH}") + "DYLD_LIBRARY_PATH=${CUNIT_LIBRARY_DIR}:${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:$ENV{DYLD_LIBRARY_PATH}") elseif(WIN32 AND ${CUNIT_LIBRARY_TYPE} STREQUAL "SHARED_LIBRARY") set_property( TEST ${ctest} PROPERTY ENVIRONMENT "PATH=${CUNIT_LIBRARY_DIR};$ENV{PATH}") + else() + set_property( + TEST ${ctest} + PROPERTY ENVIRONMENT + "LD_LIBRARY_PATH=${CMAKE_LIBRARY_OUTPUT_DIRECTORY}:$ENV{LD_LIBRARY_PATH}") endif() endforeach() diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 16179d9..c72721e 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -23,7 +23,7 @@ add_subdirectory(ddsrt) if(BUILD_IDLC) add_subdirectory(idlc) endif() -add_subdirectory(security/api) +add_subdirectory(security) add_subdirectory(core) add_subdirectory(tools) if(BUILD_TESTING AND HAVE_MULTI_PROCESS AND BUILD_IDLC) diff --git a/src/core/CMakeLists.txt b/src/core/CMakeLists.txt index e83acdc..6eb9b91 100644 --- a/src/core/CMakeLists.txt +++ b/src/core/CMakeLists.txt 
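Review bot: The new `LD_LIBRARY_PATH` and `DYLD_LIBRARY_PATH` values can contain an empty entry. When `CMAKE_LIBRARY_OUTPUT_DIRECTORY` is unset or `$ENV{...}` is empty, the string starts or ends with `:`, and the dynamic loader treats an empty entry as the current directory. The tests in this series load the plugin library at run time, so they could then resolve it from wherever ctest happens to run. Join only the parts that are set, as sketched below for the `else()` branch; the `APPLE` branch needs the same treatment. `$ENV{}` is read at configure time, and `add_cunit_executable` starts and ends outside the hunk.

```cmake
# … unchanged: APPLE and WIN32 branches …
else()
  # An empty entry in the search path means "current directory" to the loader,
  # so join only the parts that are actually set.
  set(test_ld_path "${CMAKE_LIBRARY_OUTPUT_DIRECTORY}")
  if(NOT "${test_ld_path}" STREQUAL "" AND NOT "$ENV{LD_LIBRARY_PATH}" STREQUAL "")
    string(APPEND test_ld_path ":")
  endif()
  string(APPEND test_ld_path "$ENV{LD_LIBRARY_PATH}")
  if(NOT "${test_ld_path}" STREQUAL "")
    set_property(
      TEST ${ctest}
      PROPERTY ENVIRONMENT "LD_LIBRARY_PATH=${test_ld_path}")
  endif()
```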
@@ -59,7 +59,7 @@ if(NOT ENABLE_SECURITY) message(STATUS "Building without OMG DDS Security support") else() add_definitions(-DDDSI_INCLUDE_SECURITY) - target_link_libraries(ddsc PRIVATE security_api) + target_link_libraries(ddsc PRIVATE security_core) target_include_directories( ddsc PUBLIC $>) diff --git a/src/ddsrt/include/dds/ddsrt/time.h b/src/ddsrt/include/dds/ddsrt/time.h index a474fb4..fb22669 100644 --- a/src/ddsrt/include/dds/ddsrt/time.h +++ b/src/ddsrt/include/dds/ddsrt/time.h @@ -59,6 +59,9 @@ typedef int64_t dds_duration_t; /** @name Infinite timeout for relative time */ #define DDS_INFINITY ((dds_duration_t) INT64_MAX) +/** @name Invalid time value for assigning to time output when something goes wrong */ +#define DDS_TIME_INVALID ((dds_time_t) INT64_MIN) + /** @name Macro definition for time conversion to nanoseconds @{**/ #define DDS_SECS(n) ((n) * DDS_NSECS_IN_SEC) diff --git a/src/ddsrt/src/dynlib/posix/dynlib.c b/src/ddsrt/src/dynlib/posix/dynlib.c index ec97397..4ee6bb7 100644 --- a/src/ddsrt/src/dynlib/posix/dynlib.c +++ b/src/ddsrt/src/dynlib/posix/dynlib.c 
@@ -18,78 +18,78 @@ #include "dds/ddsrt/io.h" dds_return_t ddsrt_dlopen(const char *name, bool translate, - ddsrt_dynlib_t *handle) { - dds_return_t retcode = DDS_RETCODE_OK; + ddsrt_dynlib_t *handle) { + dds_return_t retcode = DDS_RETCODE_OK; - assert( handle ); - *handle = NULL; + assert( handle ); + *handle = NULL; - if ((translate) && (strrchr(name, '/') == NULL )) { - /* Add lib and suffix to the name and try to open. */ + if ((translate) && (strrchr(name, '/') == NULL )) { + /* Add lib and suffix to the name and try to open. */ #if __APPLE__ - static const char suffix[] = ".dylib"; + static const char suffix[] = ".dylib"; #else - static const char suffix[] = ".so"; + static const char suffix[] = ".so"; #endif - char* libName; - ddsrt_asprintf( &libName, "lib%s%s", name, suffix); - *handle = dlopen(libName, RTLD_GLOBAL | RTLD_NOW); - ddsrt_free(libName); - } + char* libName; + ddsrt_asprintf( &libName, "lib%s%s", name, suffix); + *handle = dlopen(libName, RTLD_GLOBAL | RTLD_NOW); + ddsrt_free(libName); + } - if (*handle == NULL ) { - /* name contains a path, - * (auto)translate is disabled or - * dlopen on translated name failed. */ - *handle = dlopen(name, RTLD_GLOBAL | RTLD_NOW); - } + if (*handle == NULL ) { + /* name contains a path, + * (auto)translate is disabled or + * dlopen on translated name failed. */ + *handle = dlopen(name, RTLD_GLOBAL | RTLD_NOW); + } - if (*handle != NULL) { - retcode = DDS_RETCODE_OK; - } else { - retcode = DDS_RETCODE_ERROR; - } + if (*handle != NULL) { + retcode = DDS_RETCODE_OK; + } else { + retcode = DDS_RETCODE_ERROR; + } - return retcode; + return retcode; } dds_return_t ddsrt_dlclose(ddsrt_dynlib_t handle) { - assert ( handle ); - return (dlclose(handle) == 0) ? DDS_RETCODE_OK : DDS_RETCODE_ERROR; + assert ( handle ); + return (dlclose(handle) == 0) ? 
DDS_RETCODE_OK : DDS_RETCODE_ERROR; } dds_return_t ddsrt_dlsym(ddsrt_dynlib_t handle, const char *symbol, - void **address) { - dds_return_t retcode = DDS_RETCODE_OK; + void **address) { + dds_return_t retcode = DDS_RETCODE_OK; - assert( handle ); - assert( address ); - assert( symbol ); + assert( handle ); + assert( address ); + assert( symbol ); - *address = dlsym(handle, symbol); - if (*address == NULL) { - retcode = DDS_RETCODE_ERROR; - } + *address = dlsym(handle, symbol); + if (*address == NULL) { + retcode = DDS_RETCODE_ERROR; + } - return retcode; + return retcode; } dds_return_t ddsrt_dlerror(char *buf, size_t buflen) { - const char *err; - dds_return_t retcode = DDS_RETCODE_OK; + const char *err; + dds_return_t retcode = DDS_RETCODE_OK; - assert (buf ); + assert (buf ); - err = dlerror(); - if (err == NULL) { - retcode = DDS_RETCODE_NOT_FOUND; - } else { - snprintf(buf, buflen, "%s", err); - } + err = dlerror(); + if (err == NULL) { + retcode = DDS_RETCODE_NOT_FOUND; + } else { + snprintf(buf, buflen, "%s", err); + } - return retcode; + return retcode; } diff --git a/src/ddsrt/src/dynlib/windows/dynlib.c b/src/ddsrt/src/dynlib/windows/dynlib.c index 9a8eb46..7b48240 100644 --- a/src/ddsrt/src/dynlib/windows/dynlib.c +++ b/src/ddsrt/src/dynlib/windows/dynlib.c @@ -86,7 +86,8 @@ dds_return_t ddsrt_dlerror(char *buf, size_t buflen) { if ( err == 0 ) { retcode = DDS_RETCODE_NOT_FOUND; } else { - retcode = ddsrt_strerror_r(err, buf, buflen); + ddsrt_strerror_r(err, buf, buflen); + SetLastError(0); } return retcode; diff --git a/src/security/CMakeLists.txt b/src/security/CMakeLists.txt new file mode 100644 index 0000000..2d67ac3 --- /dev/null +++ b/src/security/CMakeLists.txt 
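Review bot: The Windows `ddsrt_dlerror` now discards the result of `ddsrt_strerror_r`, so if formatting fails (for instance because `buflen` is too small) the function still returns `DDS_RETCODE_OK` and the caller reports whatever is in `buf`. Keep the status and clear the error code afterwards: `retcode = ddsrt_strerror_r(err, buf, buflen);` followed by `SetLastError(0);`. If the discard is deliberate, say why in a comment and make sure `buf` is terminated on the failure path. The start of the function is outside the hunk, so how `err` is obtained is not visible here.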
@@ -0,0 +1,21 @@ +# +# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License v. 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License +# v. 1.0 which is available at +# http://www.eclipse.org/org/documents/edl-v10.php. +# +# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause +# +cmake_minimum_required(VERSION 3.7) + +if( ENABLE_SECURITY ) + add_subdirectory(api) + add_subdirectory(core) + + if ( ENABLE_SSL) + add_subdirectory(builtin_plugins) + endif() +endif() \ No newline at end of file diff --git a/src/security/api/CMakeLists.txt b/src/security/api/CMakeLists.txt index 63caf64..02586c6 100644 --- a/src/security/api/CMakeLists.txt +++ b/src/security/api/CMakeLists.txt @@ -1,5 +1,5 @@ # -# Copyright(c) 2006 to 2018 ADLINK Technology Limited and others +# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others # # This program and the accompanying materials are made available under the # terms of the Eclipse Public License v. 2.0 which is available at @@ -15,7 +15,9 @@ add_library(security_api INTERFACE) target_include_directories( security_api INTERFACE - "$") + "$" + "$" +) install( DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/include/" diff --git a/src/security/api/include/dds/security/dds_security_api.h b/src/security/api/include/dds/security/dds_security_api.h index 1304201..ba29184 100644 --- a/src/security/api/include/dds/security/dds_security_api.h +++ b/src/security/api/include/dds/security/dds_security_api.h @@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at 
diff --git a/src/security/api/include/dds/security/dds_security_api_access_control.h b/src/security/api/include/dds/security/dds_security_api_access_control.h index 00ca926..8b908b5 100644 --- a/src/security/api/include/dds/security/dds_security_api_access_control.h +++ b/src/security/api/include/dds/security/dds_security_api_access_control.h @@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at diff --git a/src/security/api/include/dds/security/dds_security_api_authentication.h b/src/security/api/include/dds/security/dds_security_api_authentication.h index ebcfa15..4913985 100644 --- a/src/security/api/include/dds/security/dds_security_api_authentication.h +++ b/src/security/api/include/dds/security/dds_security_api_authentication.h @@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at diff --git a/src/security/api/include/dds/security/dds_security_api_cryptography.h b/src/security/api/include/dds/security/dds_security_api_cryptography.h index f082477..5203d3d 100644 --- a/src/security/api/include/dds/security/dds_security_api_cryptography.h +++ b/src/security/api/include/dds/security/dds_security_api_cryptography.h @@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at 
diff --git a/src/security/api/include/dds/security/dds_security_api_defs.h b/src/security/api/include/dds/security/dds_security_api_defs.h index 82baa98..a0e6739 100644 --- a/src/security/api/include/dds/security/dds_security_api_defs.h +++ b/src/security/api/include/dds/security/dds_security_api_defs.h @@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at diff --git a/src/security/api/include/dds/security/dds_security_api_err.h b/src/security/api/include/dds/security/dds_security_api_err.h index 8795a44..f4e8904 100644 --- a/src/security/api/include/dds/security/dds_security_api_err.h +++ b/src/security/api/include/dds/security/dds_security_api_err.h @@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at 
@@ -47,13 +47,13 @@ extern "C" { #define DDS_SECURITY_ERR_INVALID_TRUSTED_CA_DIR_MESSAGE "Can not open trusted CA directory" #define DDS_SECURITY_ERR_CA_NOT_TRUSTED_CODE 121 #define DDS_SECURITY_ERR_CA_NOT_TRUSTED_MESSAGE "Identity CA is not trusted" -#define DDS_SECURITY_ERR_CERT_STARTDATE_INVALID_CODE 122 -#define DDS_SECURITY_ERR_CERT_STARTDATE_INVALID_MESSAGE "Certificate start date is in the future" +#define DDS_SECURITY_ERR_CERT_STARTDATE_IN_FUTURE_CODE 122 +#define DDS_SECURITY_ERR_CERT_STARTDATE_IN_FUTURE_MESSAGE "Certificate start date is in the future" #define DDS_SECURITY_ERR_CERT_EXPIRED_CODE 123 #define DDS_SECURITY_ERR_CERT_EXPIRED_MESSAGE "Certificate expired" #define DDS_SECURITY_ERR_INVALID_CRYPTO_RECEIVER_SIGN_CODE 124 -#define DDS_SECURITY_ERR_CERT_AUTHENTICATION_ALGO_KIND_UNKNOWN_CODE 125 -#define DDS_SECURITY_ERR_CERT_AUTHENTICATION_ALGO_KIND_UNKNOWN_MESSAGE "Certificate authentication algorithm unknown" +#define DDS_SECURITY_ERR_CERT_AUTH_ALGO_KIND_UNKNOWN_CODE 125 +#define DDS_SECURITY_ERR_CERT_AUTH_ALGO_KIND_UNKNOWN_MESSAGE "Certificate authentication algorithm unknown" #define DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE 126 #define DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE "Failed to allocate internal structure" #define DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE 127 diff --git a/src/security/api/include/dds/security/dds_security_api_types.h b/src/security/api/include/dds/security/dds_security_api_types.h index 4e669b4..2957251 100644 --- a/src/security/api/include/dds/security/dds_security_api_types.h +++ b/src/security/api/include/dds/security/dds_security_api_types.h @@ -1,5 +1,5 @@ /* - * Copyright(c) 2006 to 2018 ADLINK Technology Limited and others + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Public License v. 2.0 which is available at 
@@ -20,8 +20,6 @@ extern "C" { #endif - - /************************************************************************** * * * Primitive types. * diff --git a/src/security/builtin_plugins/CMakeLists.txt b/src/security/builtin_plugins/CMakeLists.txt new file mode 100644 index 0000000..69e5aed --- /dev/null +++ b/src/security/builtin_plugins/CMakeLists.txt @@ -0,0 +1,19 @@ +# +# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License v. 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License +# v. 1.0 which is available at +# http://www.eclipse.org/org/documents/edl-v10.php. +# +# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause +# +cmake_minimum_required(VERSION 3.7) + +add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/authentication") + +# TODO: improve test inclusion. +if((BUILD_TESTING) AND ((NOT DEFINED MSVC_VERSION) OR (MSVC_VERSION GREATER "1800"))) + add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/tests") +endif() \ No newline at end of file diff --git a/src/security/builtin_plugins/authentication/CMakeLists.txt b/src/security/builtin_plugins/authentication/CMakeLists.txt new file mode 100644 index 0000000..f5f46a4 --- /dev/null +++ b/src/security/builtin_plugins/authentication/CMakeLists.txt 
@@ -0,0 +1,65 @@
+#
+# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v. 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+# v. 1.0 which is available at
+# http://www.eclipse.org/org/documents/edl-v10.php.
+#
+# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+#
+include (GenerateExportHeader)
+
+PREPEND(srcs_authentication "${CMAKE_CURRENT_LIST_DIR}/src"
+ authentication.c
+ auth_utils.c
+)
+
+PREPEND(hdrs_private_authentication "${CMAKE_CURRENT_LIST_DIR}/src"
+ auth_defs.h
+ authentication.h
+ auth_utils.h
+ dds_security_core_if.h
+)
+
+add_library(dds_security_auth SHARED "")
+
+generate_export_header(
+ dds_security_auth
+ BASE_NAME SECURITY
+ EXPORT_FILE_NAME "${CMAKE_CURRENT_BINARY_DIR}/include/dds/security/export.h"
+)
+
+
+
+find_package(OpenSSL )
+
+add_definitions(-DDDSI_INCLUDE_SSL)
+
+target_link_libraries(dds_security_auth PUBLIC ddsc)
+target_link_libraries(dds_security_auth PUBLIC OpenSSL::SSL)
+
+target_sources(dds_security_auth
+ PRIVATE
+ ${srcs_authentication}
+
+)
+
+target_include_directories(dds_security_auth
+ PUBLIC
+ "$>"
+ "$>"
+ "$>"
+ "$"
+)
+
+install(
+ TARGETS
+ EXPORT "${CMAKE_PROJECT_NAME}"
+ RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT lib
+ LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+ ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+)
+
+
diff --git a/src/security/builtin_plugins/authentication/src/auth_utils.c b/src/security/builtin_plugins/authentication/src/auth_utils.c
new file mode 100644
index 0000000..57d5a3a
--- /dev/null
+++ b/src/security/builtin_plugins/authentication/src/auth_utils.c
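Review bot: The `install(TARGETS ...)` call lists no target, since `TARGETS` is followed directly by `EXPORT`, so as written `dds_security_auth` is not installed; it also still uses `CMAKE_PROJECT_NAME`, which patch 01 of this series replaced with `PROJECT_NAME`. Use `TARGETS dds_security_auth` and `EXPORT "${PROJECT_NAME}"`. Separately, `find_package(OpenSSL )` is neither `REQUIRED` nor versioned, although the target links `OpenSSL::SSL` and auth_utils.c rejects anything older than 1.0.2 with `#error`; `find_package(OpenSSL 1.0.2 REQUIRED)` would fail at configure time with a clear message instead. Linking `ddsc` and OpenSSL as `PRIVATE`, and replacing the directory-wide `add_definitions` with `target_compile_definitions(dds_security_auth PRIVATE DDSI_INCLUDE_SSL)`, would keep the plugin's build settings from leaking to other targets.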
@@ -0,0 +1,1379 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#if OPENSSL_VERSION_NUMBER >= 0x1000200fL +#define AUTH_INCLUDE_EC +#include +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#define AUTH_INCLUDE_DH_ACCESSORS +#endif +#else +#error "OpenSSL version is not supported" +#endif +#include +#include "dds/ddsrt/time.h" +#include "dds/ddsrt/heap.h" +#include "dds/security/dds_security_api_defs.h" +#include "dds/security/core/dds_security_utils.h" +#include + + +/* There is a problem when compiling on windows w.r.t. X509_NAME. + * The windows api already defines the type X509_NAME which + * conficts with some openssl versions. 
The workaround is to + * undef the openssl X509_NAME + */ +#ifdef _WIN32 +#undef X509_NAME +#endif + +#include "dds/ddsrt/heap.h" +#include "dds/ddsrt/atomics.h" +#include "dds/ddsrt/string.h" +#include "dds/security/core/dds_security_utils.h" +#include +#include "auth_utils.h" + + +#define MAX_TRUSTED_CA 100 + +char * +get_openssl_error_message( + void) +{ + BIO *bio = BIO_new(BIO_s_mem()); + char *msg; + char *buf = NULL; + size_t len; /*BIO_get_mem_data requires long int */ + + if (bio) { + ERR_print_errors(bio); + len = (size_t)BIO_get_mem_data (bio, &buf); + msg = ddsrt_malloc(len + 1); + memcpy(msg, buf, len); + msg[len] = '\0'; + BIO_free(bio); + } else { + msg = ddsrt_strdup("BIO_new failed"); + } + + return msg; +} + +char * +get_certificate_subject_name( + const X509 *cert, + DDS_Security_SecurityException *ex) +{ + X509_NAME *name; + char *subject = NULL; + char *subject_openssl = NULL; + + assert(cert); + + name = X509_get_subject_name(cert); + if (!name) { + goto err_get_subject; + } + + subject_openssl = X509_NAME_oneline( name, NULL, 0 ); + subject = ddsrt_strdup( subject_openssl ); + OPENSSL_free( subject_openssl ); + + return subject; + +err_get_subject: + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "X509_get_subject_name failed : "); + return NULL; +} + +dds_time_t +get_certificate_expiry( + const X509 *cert) +{ + dds_time_t expiry = DDS_TIME_INVALID; + ASN1_TIME *asn1; + + assert(cert); + + asn1 = X509_get_notAfter(cert); + if (asn1 != NULL) { + int days; + int seconds; + if (ASN1_TIME_diff(&days, &seconds, NULL, asn1) == 1 ) { + static const dds_duration_t secs_in_day = 86400; + const dds_time_t now = dds_time(); + const int64_t max_valid_days_to_wait = (INT64_MAX - now) / DDS_NSECS_IN_SEC / secs_in_day; + + if ( days < max_valid_days_to_wait ){ + dds_duration_t delta = ((dds_duration_t)seconds + ((dds_duration_t)days * secs_in_day)) * 
DDS_NSECS_IN_SEC; + expiry = now + delta; + } else { + return DDS_NEVER; + } + } + } + + return expiry; +} + +DDS_Security_ValidationResult_t +get_subject_name_DER_encoded( + const X509 *cert, + unsigned char **buffer, + size_t *size, + DDS_Security_SecurityException *ex) +{ + unsigned char *tmp = NULL; + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_FAILED; + int32_t sz; + X509_NAME *name; + + assert(cert); + assert(buffer); + assert(size); + + *size = 0; + + name = X509_get_subject_name((X509 *)cert); + if (name) { + sz = i2d_X509_NAME(name, &tmp); + if (sz > 0) { + *size = (size_t)sz; + *buffer = ddsrt_malloc(*size); + memcpy(*buffer, tmp, *size); + OPENSSL_free(tmp); + result = DDS_SECURITY_VALIDATION_OK; + } else if (sz < 0) { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "i2d_X509_NAME failed : "); + } + } else { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "X509_get_subject_name failed : "); + } + + return result; +} + + +static DDS_Security_ValidationResult_t +check_key_type_and_size( + EVP_PKEY *key, + int isPrivate, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + const char *sub = isPrivate ? 
"private key" : "certificate"; + + assert(key); + + switch (EVP_PKEY_id(key)) { + case EVP_PKEY_RSA: + if (EVP_PKEY_bits(key) != 2048) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "RSA %s has unsupported key size (%d)", sub, EVP_PKEY_bits(key)); + } else if (isPrivate) { + RSA *rsaKey = EVP_PKEY_get1_RSA(key); + if (rsaKey) { + if (RSA_check_key(rsaKey) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "RSA key not correct : "); + } + } + RSA_free(rsaKey); + } + break; + case EVP_PKEY_EC: + if (EVP_PKEY_bits(key) != 256) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "EC %s has unsupported key size (%d)", sub, EVP_PKEY_bits(key)); + } else { + EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(key); + if (ecKey) { + if (EC_KEY_check_key(ecKey) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "EC key not correct : "); + } + } + EC_KEY_free(ecKey); + } + break; + default: + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "%s has not supported type", sub); + break; + } + + return result; +} + +static DDS_Security_ValidationResult_t +check_certificate_type_and_size( + X509 *cert, + DDS_Security_SecurityException *ex) +{ + EVP_PKEY *pkey; + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + + assert(cert); + + pkey = X509_get_pubkey(cert); + if (pkey) { + result = check_key_type_and_size(pkey, false, ex); + } else { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, 
DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_get_pubkey failed"); + } + EVP_PKEY_free(pkey); + + return result; +} + +DDS_Security_ValidationResult_t +check_certificate_expiry( + const X509 *cert, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + + assert(cert); + + if( X509_cmp_current_time(X509_get_notBefore( cert )) == 0 ){ + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERT_STARTDATE_IN_FUTURE_CODE, (int)result, DDS_SECURITY_ERR_CERT_STARTDATE_IN_FUTURE_MESSAGE); + + } + if( X509_cmp_current_time(X509_get_notAfter( cert )) == 0 ){ + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERT_EXPIRED_CODE, (int)result, DDS_SECURITY_ERR_CERT_EXPIRED_MESSAGE); + + } + + return result; +} + + +DDS_Security_ValidationResult_t +load_X509_certificate_from_data( + const char *data, + int len, + X509 **x509Cert, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + BIO *bio; + + assert(data); + assert(len >= 0); + assert(x509Cert); + + /* load certificate in buffer */ + bio = BIO_new_mem_buf((void *) data, len); + if (!bio) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "BIO_new_mem_buf failed"); + goto err_bio_alloc; + } + + *x509Cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); + if (!(*x509Cert)) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to parse certificate: "); + goto err_cert_read; + } + + /* check authentication algorithm */ + if( get_auhentication_algo_kind( *x509Cert ) == AUTH_ALGO_KIND_UNKNOWN ){ + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, 
DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERT_AUTH_ALGO_KIND_UNKNOWN_CODE, (int)result, + DDS_SECURITY_ERR_CERT_AUTH_ALGO_KIND_UNKNOWN_MESSAGE); + X509_free(*x509Cert); + goto err_cert_read; + } + +err_cert_read: + BIO_free(bio); +err_bio_alloc: + return result; +} + + + +DDS_Security_ValidationResult_t +load_X509_certificate_from_file( + const char *filename, + X509 **x509Cert, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + FILE *file_ptr; + + assert(filename); + assert(x509Cert); + + /*check the file*/ + DDSRT_WARNING_MSVC_OFF(4996); + file_ptr = fopen( filename, "r"); + DDSRT_WARNING_MSVC_ON(4996); + + if( file_ptr == NULL ){ + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE, (int)result, DDS_SECURITY_ERR_INVALID_FILE_PATH_MESSAGE, filename); + goto err_invalid_path; + } + + /*load certificate from file*/ + *x509Cert = PEM_read_X509(file_ptr,NULL,NULL,NULL); + if (!(*x509Cert)) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to parse certificate: "); + goto err_invalid_content; + } + + /* check authentication algorithm */ + if( get_auhentication_algo_kind( *x509Cert ) == AUTH_ALGO_KIND_UNKNOWN ){ + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERT_AUTH_ALGO_KIND_UNKNOWN_CODE, (int)result, + DDS_SECURITY_ERR_CERT_AUTH_ALGO_KIND_UNKNOWN_MESSAGE); + X509_free(*x509Cert); + goto err_invalid_content; + } + + +err_invalid_content: + (void)fclose( file_ptr ); +err_invalid_path: + + return result; +} + +static DDS_Security_ValidationResult_t +load_private_key_from_data( + const char *data, + const char *password, + EVP_PKEY **privateKey, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result 
= DDS_SECURITY_VALIDATION_OK; + BIO *bio; + const char *pw = (password ? password : ""); + + assert(data); + assert(privateKey); + + /* load certificate in buffer */ + bio = BIO_new_mem_buf((void *) data, -1); + if (!bio) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "BIO_new_mem_buf failed"); + goto err_bio_alloc; + } + + *privateKey = PEM_read_bio_PrivateKey(bio, NULL, NULL, (void *)pw); + if (!(*privateKey)) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to parse private key: "); + goto err_key_read; + } + +err_key_read: + BIO_free(bio); +err_bio_alloc: + return result; +} + + +static DDS_Security_ValidationResult_t +load_private_key_from_file( + const char *filepath, + const char *password, + EVP_PKEY **privateKey, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + const char *pw = (password ? 
password : ""); + FILE *file_ptr; + + assert(filepath); + assert(privateKey); + + /*check the file*/ + DDSRT_WARNING_MSVC_OFF(4996); + file_ptr = fopen( filepath, "r"); + DDSRT_WARNING_MSVC_ON(4996); + + if( file_ptr == NULL ){ + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE, (int)result, DDS_SECURITY_ERR_INVALID_FILE_PATH_MESSAGE, filepath); + goto err_invalid_path; + } + + /*load private key from file*/ + *privateKey = PEM_read_PrivateKey(file_ptr, NULL, NULL, (void *)pw); + if (!(*privateKey)) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to parse certificate: "); + goto err_invalid_content; + } + +err_invalid_content: + (void)fclose( file_ptr ); +err_invalid_path: + + return result; +} + + +/* + * Gets the URI string (as referred in DDS Security spec) and returns the URI type + * data: data part of the URI. Typically It contains different format according to URI type. 
+ */ +AuthConfItemPrefix_t +get_conf_item_type( + const char *str, + char **data) +{ + AuthConfItemPrefix_t kind = AUTH_CONF_ITEM_PREFIX_UNKNOWN; + const char *AUTH_CONF_FILE_PREFIX = "file:"; + const char *AUTH_CONF_DATA_PREFIX = "data:,"; + const char *AUTH_CONF_PKCS11_PREFIX = "pkcs11:"; + size_t AUTH_CONF_FILE_PREFIX_LEN = strlen(AUTH_CONF_FILE_PREFIX); + size_t AUTH_CONF_DATA_PREFIX_LEN = strlen(AUTH_CONF_DATA_PREFIX); + size_t AUTH_CONF_PKCS11_PREFIX_LEN = strlen(AUTH_CONF_PKCS11_PREFIX); + char *ptr; + + assert(str); + assert(data); + + ptr = ddssec_strchrs(str, " \t", false); + + if (strncmp(ptr, AUTH_CONF_FILE_PREFIX, AUTH_CONF_FILE_PREFIX_LEN) == 0) { + const char *DOUBLE_SLASH = "//"; + size_t DOUBLE_SLASH_LEN = 2; + if (strncmp(&(ptr[AUTH_CONF_FILE_PREFIX_LEN]), DOUBLE_SLASH, DOUBLE_SLASH_LEN) == 0) { + *data = ddsrt_strdup(&(ptr[AUTH_CONF_FILE_PREFIX_LEN + DOUBLE_SLASH_LEN])); + } else { + *data = ddsrt_strdup(&(ptr[AUTH_CONF_FILE_PREFIX_LEN])); + } + kind = AUTH_CONF_ITEM_PREFIX_FILE; + } else if (strncmp(ptr, AUTH_CONF_DATA_PREFIX, AUTH_CONF_DATA_PREFIX_LEN) == 0) { + kind = AUTH_CONF_ITEM_PREFIX_DATA; + *data = ddsrt_strdup(&(ptr[AUTH_CONF_DATA_PREFIX_LEN])); + } else if (strncmp(ptr, AUTH_CONF_PKCS11_PREFIX, AUTH_CONF_PKCS11_PREFIX_LEN) == 0) { + kind = AUTH_CONF_ITEM_PREFIX_PKCS11; + *data = ddsrt_strdup(&(ptr[AUTH_CONF_PKCS11_PREFIX_LEN])); + } + + return kind; +} + +DDS_Security_ValidationResult_t +load_X509_certificate( + const char *data, + X509 **x509Cert, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + char *contents = NULL; + + assert(data); + assert(x509Cert); + + switch (get_conf_item_type(data, &contents)) { + case AUTH_CONF_ITEM_PREFIX_FILE: + result = load_X509_certificate_from_file(contents, x509Cert, ex); + break; + case AUTH_CONF_ITEM_PREFIX_DATA: + result = load_X509_certificate_from_data(contents, (int)strlen(contents), x509Cert, ex); + break; + case 
AUTH_CONF_ITEM_PREFIX_PKCS11: + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Certificate pkcs11 format currently not supported:\n%s", data); + break; + default: + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Specified certificate has wrong format:\n%s", data); + break; + } + ddsrt_free(contents); + + if (result == DDS_SECURITY_VALIDATION_OK) { + if ( check_certificate_type_and_size(*x509Cert, ex) != DDS_SECURITY_VALIDATION_OK || + check_certificate_expiry(*x509Cert, ex) != DDS_SECURITY_VALIDATION_OK + ) { + result = DDS_SECURITY_VALIDATION_FAILED; + X509_free(*x509Cert); + } + } + return result; +} + +DDS_Security_ValidationResult_t +load_X509_private_key( + const char *data, + const char *password, + EVP_PKEY **privateKey, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + char *contents = NULL; + + assert(data); + assert(privateKey); + + switch (get_conf_item_type(data, &contents)) { + case AUTH_CONF_ITEM_PREFIX_FILE: + result = load_private_key_from_file(contents, password, privateKey, ex); + break; + case AUTH_CONF_ITEM_PREFIX_DATA: + result = load_private_key_from_data(contents, password, privateKey, ex); + break; + case AUTH_CONF_ITEM_PREFIX_PKCS11: + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "PrivateKey pkcs11 format currently not supported:\n%s", data); + break; + default: + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Specified PrivateKey has wrong format:\n%s", data); + break; + } + ddsrt_free(contents); + + if (result == DDS_SECURITY_VALIDATION_OK) { + if ((result = 
check_key_type_and_size(*privateKey, true, ex)) != DDS_SECURITY_VALIDATION_OK) { + EVP_PKEY_free(*privateKey); + } + } + + return result; +} + +DDS_Security_ValidationResult_t +verify_certificate( + X509 *identityCert, + X509 *identityCa, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + int r; + X509_STORE *store; + X509_STORE_CTX *ctx; + + + + assert(identityCert); + assert(identityCa); + + /* Currently only a self signed indentiyCa is supported */ + /* Verification of against a certificate chain is not yet supported */ + /* Verification of the certificate expiry using a CRL is not yet supported */ + + store = X509_STORE_new(); + + + if (!store) { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_STORE_new failed : "); + goto err_store_new; + } + + if (X509_STORE_add_cert(store, identityCa) != 1) { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_STORE_add_cert failed : "); + goto err_add_cert; + } + + ctx = X509_STORE_CTX_new(); + if (!ctx) { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_STORE_CTX_new failed : "); + goto err_ctx_new; + } + + if (X509_STORE_CTX_init(ctx, store, identityCert, NULL) != 1) { + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_STORE_CTX_init failed : "); + goto err_ctx_init; + } + + r = X509_verify_cert(ctx); + if (r != 1) { + const char *msg = X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)); + char *subject = NULL; + + result = DDS_SECURITY_VALIDATION_FAILED; + subject = get_certificate_subject_name(identityCert, NULL); + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Certificate not 
valid: error: %s subject: %s", msg, subject ? subject : "not found"); + ddsrt_free(subject); + } + +err_ctx_init: + X509_STORE_CTX_free(ctx); +err_ctx_new: +err_add_cert: + X509_STORE_free(store); +err_store_new: + return result; +} + +AuthenticationAlgoKind_t +get_auhentication_algo_kind( + X509 *cert) +{ + AuthenticationAlgoKind_t kind = AUTH_ALGO_KIND_UNKNOWN; + EVP_PKEY *pkey; + + assert(cert); + + pkey = X509_get_pubkey(cert); + + if (pkey) { + switch (EVP_PKEY_id(pkey)) { + case EVP_PKEY_RSA: + if (EVP_PKEY_bits(pkey) == 2048) { + kind = AUTH_ALGO_KIND_RSA_2048; + } + break; + case EVP_PKEY_EC: + if (EVP_PKEY_bits(pkey) == 256) { + kind = AUTH_ALGO_KIND_EC_PRIME256V1; + } + break; + default: + break; + } + EVP_PKEY_free(pkey); + } + + return kind; +} + +AuthenticationChallenge * +generate_challenge( + DDS_Security_SecurityException *ex) +{ + AuthenticationChallenge *result; + + result = ddsrt_malloc(sizeof(*result)); + if (RAND_bytes(result->value, sizeof(result->value)) < 0 ) { + + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, + "Failed to generate a 256 bit random number "); + ddsrt_free(result); + result = NULL; + } + + return result; +} + +DDS_Security_ValidationResult_t +get_certificate_contents( + X509 *cert, + unsigned char **data, + uint32_t *size, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + BIO *bio = NULL; + size_t sz; + char *ptr; + + if ((bio = BIO_new(BIO_s_mem())) == NULL) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "BIO_new_mem_buf failed"); + } else if (!PEM_write_bio_X509(bio, cert)) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "PEM_write_bio_X509 failed: 
"); + } else { + sz = (size_t)BIO_get_mem_data(bio, &ptr); + *data = ddsrt_malloc(sz +1); + memcpy(*data, ptr, sz); + (*data)[sz] = '\0'; + *size = (uint32_t)sz; + } + + if (bio) BIO_free(bio); + + return result; +} + +static DDS_Security_ValidationResult_t +get_rsa_dh_parameters( + EVP_PKEY **params, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + DH *dh = NULL; + + *params = NULL; + + if ((*params = EVP_PKEY_new()) == NULL) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to allocate DH generation parameters: "); + } else if ((dh = DH_get_2048_256()) == NULL) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to allocate DH parameter using DH_get_2048_256: "); + } else if (EVP_PKEY_set1_DH(*params, dh) <= 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to set DH generation parameters using EVP_PKEY_set1_DH: "); + EVP_PKEY_free(*params); + } + + if (dh) DH_free(dh); + + return result; +} + +static DDS_Security_ValidationResult_t +get_ec_dh_parameters( + EVP_PKEY **params, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EVP_PKEY_CTX *pctx = NULL; + + if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to allocate DH parameter context: "); + } else if (EVP_PKEY_paramgen_init(pctx) <= 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, 
DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to initialize DH generation context: "); + } else if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1) <= 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to set DH generation parameter generation method: "); + } else if (EVP_PKEY_paramgen(pctx, params) <= 0) { + char *msg = get_openssl_error_message(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to generate DH parameters: "); + ddsrt_free(msg); + } + + if (pctx) EVP_PKEY_CTX_free(pctx); + + return result; +} + + +DDS_Security_ValidationResult_t +generate_dh_keys( + EVP_PKEY **dhkey, + AuthenticationAlgoKind_t authKind, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_FAILED; + EVP_PKEY *params = NULL; + EVP_PKEY_CTX *kctx = NULL; + + *dhkey = NULL; + + switch(authKind) { + case AUTH_ALGO_KIND_RSA_2048: + result = get_rsa_dh_parameters(¶ms, ex); + break; + case AUTH_ALGO_KIND_EC_PRIME256V1: + result = get_ec_dh_parameters(¶ms, ex); + break; + default: + assert(0); + break; + } + + if (result != DDS_SECURITY_VALIDATION_OK) { + return result; + } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to allocate DH generation context: "); + } else if (EVP_PKEY_keygen_init(kctx) <= 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to initialize DH generation context: "); + } else if 
(EVP_PKEY_keygen(kctx, dhkey) <= 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, + "Failed to generate DH key pair: "); + } + + if (kctx) EVP_PKEY_CTX_free(kctx); + if (params) EVP_PKEY_free(params); + + return result; +} + +static const BIGNUM * +dh_get_public_key( + DH *dhkey) +{ +#ifdef AUTH_INCLUDE_DH_ACCESSORS + const BIGNUM *pubkey, *privkey; + DH_get0_key(dhkey, &pubkey, &privkey); + return pubkey; +#else + return dhkey->pub_key; +#endif +} + +static int +dh_set_public_key( + DH *dhkey, + BIGNUM *pubkey) +{ +#ifdef AUTH_INCLUDE_DH_ACCESSORS + return DH_set0_key(dhkey, pubkey, NULL); +#else + dhkey->pub_key = pubkey; +#endif + return 1; +} + +static DDS_Security_ValidationResult_t +dh_public_key_to_oct_modp( + EVP_PKEY *pkey, + unsigned char **buffer, + uint32_t *length, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + DH *dhkey; + ASN1_INTEGER *asn1int; + + *buffer = NULL; + + dhkey = EVP_PKEY_get1_DH(pkey); + if (!dhkey) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to get DH key from PKEY: "); + goto fail_get_dhkey; + } + + asn1int = BN_to_ASN1_INTEGER(dh_get_public_key(dhkey), NULL); + if (!asn1int) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to convert DH key to ASN1 integer: "); + goto fail_get_asn1int; + } + + *length = (uint32_t) i2d_ASN1_INTEGER(asn1int, buffer); + + ASN1_INTEGER_free(asn1int); + +fail_get_asn1int: + DH_free(dhkey); +fail_get_dhkey: + return result; +} + +static DDS_Security_ValidationResult_t +dh_public_key_to_oct_ecdh( + EVP_PKEY *pkey, + unsigned char **buffer, + uint32_t *length, + 
DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EC_KEY *eckey; + const EC_GROUP *group; + const EC_POINT *point; + size_t sz; + + eckey = EVP_PKEY_get1_EC_KEY(pkey); + if (!eckey) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to get EC key from PKEY: "); + goto fail_get_eckey; + } + + point = EC_KEY_get0_public_key(eckey); + if (!point) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to get public key from ECKEY: "); + goto fail_get_point; + } + + group = EC_KEY_get0_group(eckey); + if (!group) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to get group from ECKEY: "); + goto fail_get_group; + } + + sz = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); + if (sz == 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to serialize public EC key: "); + goto fail_point2oct1; + } + + *buffer = ddsrt_malloc(sz); + + *length = (uint32_t)EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, *buffer, sz, NULL); + if (*length == 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to serialize public EC key: "); + goto fail_point2oct2; + } + + EC_KEY_free(eckey); + + return result; + +fail_point2oct2: + ddsrt_free(*buffer); +fail_point2oct1: +fail_get_group: +fail_get_point: +fail_get_eckey: + EC_KEY_free(eckey); + return result; +} + 
+DDS_Security_ValidationResult_t +dh_public_key_to_oct( + EVP_PKEY *pkey, + AuthenticationAlgoKind_t algo, + unsigned char **buffer, + uint32_t *length, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + + assert(pkey); + assert(buffer); + assert(length); + + switch (algo) { + case AUTH_ALGO_KIND_RSA_2048: + result = dh_public_key_to_oct_modp(pkey, buffer, length, ex); + break; + case AUTH_ALGO_KIND_EC_PRIME256V1: + result = dh_public_key_to_oct_ecdh(pkey, buffer, length, ex); + break; + default: + assert(0); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Invalid key algorithm specified"); + break; + } + + return result; +} + +static DDS_Security_ValidationResult_t +dh_oct_to_public_key_modp( + EVP_PKEY **pkey, + const unsigned char *keystr, + uint32_t size, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + DH *dhkey; + ASN1_INTEGER *asn1int; + BIGNUM *pubkey; + + *pkey = EVP_PKEY_new(); + if (!(*pkey)) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to convert octet sequence to ASN1 integer: "); + goto fail_alloc_pkey; + } + + asn1int = d2i_ASN1_INTEGER(NULL, (const unsigned char **)&keystr, size); + if (!asn1int) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to convert octet sequence to ASN1 integer: "); + goto fail_get_asn1int; + } + + pubkey = ASN1_INTEGER_to_BN(asn1int, NULL); + if (!pubkey) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to convert ASN1 
integer to BIGNUM: "); + goto fail_get_pubkey; + } + + dhkey = DH_get_2048_256(); + + if (dh_set_public_key(dhkey, pubkey) == 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to set DH public key: "); + } else if (EVP_PKEY_set1_DH(*pkey, dhkey) == 0) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to convert DH to PKEY: "); + } + + ASN1_INTEGER_free(asn1int); + DH_free(dhkey); + + return result; + +fail_get_pubkey: + ASN1_INTEGER_free(asn1int); +fail_get_asn1int: + EVP_PKEY_free(*pkey); +fail_alloc_pkey: + return result; +} + +static DDS_Security_ValidationResult_t +dh_oct_to_public_key_ecdh( + EVP_PKEY **pkey, + const unsigned char *keystr, + uint32_t size, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EC_KEY *eckey; + EC_GROUP *group; + EC_POINT *point; + + group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); + if (!group) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to allocate EC group: "); + goto fail_alloc_group; + } + + point = EC_POINT_new(group); + if (!point) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to allocate EC point: "); + goto fail_alloc_point; + } + + + if (EC_POINT_oct2point(group, point, keystr, size, NULL) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to deserialize EC public key to EC point: "); + goto fail_oct2point; + } + + 
eckey = EC_KEY_new(); + if (!eckey) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to allocate EC KEY: "); + goto fail_alloc_eckey; + } + + if (EC_KEY_set_group(eckey, group) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to convert octet sequence to ASN1 integer: "); + goto fail_eckey_set_group; + } + + if (EC_KEY_set_public_key(eckey, point) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to set EC public key: "); + goto fail_eckey_set_pubkey; + } + + *pkey = EVP_PKEY_new(); + if (!(*pkey)) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to allocate EVP key: "); + goto fail_alloc_pkey; + } + + if (EVP_PKEY_set1_EC_KEY(*pkey, eckey) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to set EVP key to EC public key: "); + goto fail_pkey_set_eckey; + } + + EC_KEY_free(eckey); + EC_POINT_free(point); + EC_GROUP_free(group); + + return result; + +fail_pkey_set_eckey: + EVP_PKEY_free(*pkey); +fail_alloc_pkey: +fail_eckey_set_pubkey: +fail_eckey_set_group: + EC_KEY_free(eckey); +fail_alloc_eckey: +fail_oct2point: + EC_POINT_free(point); +fail_alloc_point: + EC_GROUP_free(group); +fail_alloc_group: + return result; +} + +DDS_Security_ValidationResult_t +dh_oct_to_public_key( + EVP_PKEY **data, + AuthenticationAlgoKind_t algo, + const unsigned char *str, + uint32_t size, + DDS_Security_SecurityException *ex) +{ + 
DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + + assert(data); + assert(str); + + switch (algo) { + case AUTH_ALGO_KIND_RSA_2048: + result = dh_oct_to_public_key_modp(data, str, size, ex); + break; + case AUTH_ALGO_KIND_EC_PRIME256V1: + result = dh_oct_to_public_key_ecdh(data, str, size, ex); + break; + default: + assert(0); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Invalid key algorithm specified"); + break; + } + + return result; +} + +/* + * Allocates and return a NULL terminated string from given char array with the given size. + */ +char * +string_from_data( + const unsigned char *data, + uint32_t size) +{ + char *str = NULL; + + if (size > 0 && data) { + str = ddsrt_malloc(size+1); + memcpy(str, data, size); + str[size] = '\0'; + } + + return str; +} + +void +free_ca_list_contents( X509Seq *ca_list) +{ + unsigned i; + if( ca_list->buffer != NULL && ca_list->length > 0){ + for (i = 0; i < ca_list->length; ++i) { + X509_free(ca_list->buffer[i]); + } + ddsrt_free ( ca_list->buffer ); + } + ca_list->buffer = NULL; + ca_list->length = 0; +} + +DDS_Security_ValidationResult_t +get_trusted_ca_list ( const char* trusted_ca_dir, + X509Seq *ca_list, + DDS_Security_SecurityException *ex){ + + + DDS_Security_ValidationResult_t loading_result = DDS_RETCODE_OK; + DDSRT_UNUSED_ARG( ca_list ); + DDSRT_UNUSED_ARG( trusted_ca_dir ); + DDSRT_UNUSED_ARG( ex ); +/* TODO: Trusted CA directory tracing function should be ported */ +/* TODO: MAX_TRUSTED_CA limitation will be removed */ +#ifdef TRUSTED_CA_LIST_IMPLEMENTED + + os_result r; + os_dirHandle d_descr; + struct os_dirent d_entry; + struct os_stat_s status; + char *full_file_path; + char *trusted_ca_dir_normalized; + + X509 *ca_buffer_array[MAX_TRUSTED_CA]; /*max trusted CA size */ + unsigned ca_buffer_array_size=0; + unsigned i; + trusted_ca_dir_normalized = os_fileNormalize(trusted_ca_dir); + + r 
= os_opendir(trusted_ca_dir_normalized, &d_descr); + ddsrt_free ( trusted_ca_dir_normalized ); + + if (r == os_resultSuccess && ca_buffer_array_size < MAX_TRUSTED_CA) { /* accessable */ + r = os_readdir(d_descr, &d_entry); + while (r == os_resultSuccess) { + full_file_path = (char*) ddsrt_malloc(strlen(trusted_ca_dir) + strlen(os_fileSep()) + strlen(d_entry.d_name) + strlen(os_fileSep()) + 1 ); + ddsrt_strcpy(full_file_path, trusted_ca_dir); + ddsrt_strcat(full_file_path, os_fileSep()); + ddsrt_strcat(full_file_path, d_entry.d_name); + + if (os_stat (full_file_path, &status) == os_resultSuccess) { /* accessable */ + if ((strcmp(d_entry.d_name, ".") != 0) && + (strcmp(d_entry.d_name, "..") != 0)) { + char * filename = os_fileNormalize(full_file_path); + + if(filename){ + X509 *identityCA; + loading_result = load_X509_certificate_from_file( filename, &identityCA, ex); + + ddsrt_free(filename); + + if( loading_result == DDS_SECURITY_VALIDATION_OK ){ + ca_buffer_array[ca_buffer_array_size] = identityCA; + ca_buffer_array_size++; + + } + } + } + } + r = os_readdir(d_descr, &d_entry); + + ddsrt_free(full_file_path); + } + + os_closedir (d_descr); + + /* deallocate given ca_list if it is not NULL */ + free_ca_list_contents(ca_list); + + /*copy CAs to out parameter as HASH*/ + if( ca_buffer_array_size > 0 ){ + ca_list->_buffer = ddsrt_malloc( ca_buffer_array_size * sizeof(X509 * ) ); + for (i = 0; i < ca_buffer_array_size; ++i) { + ca_list->_buffer[i] = ca_buffer_array[i]; + + } + + } + ca_list->_length = ca_buffer_array_size; + + return DDS_SECURITY_VALIDATION_OK; + + } + else{ + DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_TRUSTED_CA_DIR_CODE, 0, DDS_SECURITY_ERR_INVALID_TRUSTED_CA_DIR_MESSAGE); + return DDS_SECURITY_VALIDATION_FAILED; + } +#endif + + return loading_result; +} + +DDS_Security_ValidationResult_t +create_asymmetrical_signature( + EVP_PKEY *pkey, + const unsigned char *data, + const size_t dataLen, + unsigned char 
**signature, + size_t *signatureLen, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *kctx = NULL; + + if (!(mdctx = EVP_MD_CTX_create())) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to create signing context: "); + goto err_create_ctx; + } + + if (EVP_DigestSignInit(mdctx, &kctx, EVP_sha256(), NULL, pkey) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize signing context: "); + goto err_sign; + } + + if (EVP_PKEY_CTX_set_rsa_padding(kctx, RSA_PKCS1_PSS_PADDING) < 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize signing context: "); + goto err_sign; + } + + if (EVP_DigestSignUpdate(mdctx, data, dataLen) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to update signing context: "); + goto err_sign; + } + + if (EVP_DigestSignFinal(mdctx, NULL, signatureLen) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to finalize signing context: "); + goto err_sign; + } + + *signature = ddsrt_malloc(sizeof(unsigned char) * (*signatureLen)); + assert(*signature != NULL); + if (EVP_DigestSignFinal(mdctx, *signature, signatureLen) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, 
"Failed to finalize signing context: "); + ddsrt_free(*signature); + } + +err_sign: + EVP_MD_CTX_destroy(mdctx); +err_create_ctx: + return result; +} + +DDS_Security_ValidationResult_t +validate_asymmetrical_signature( + EVP_PKEY *pkey, + const unsigned char *data, + const size_t dataLen, + const unsigned char *signature, + const size_t signatureLen, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *kctx = NULL; + + if (!(mdctx = EVP_MD_CTX_create())) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to create verify context: "); + goto err_create_ctx; + } + + if (EVP_DigestVerifyInit(mdctx, &kctx, EVP_sha256(), NULL, pkey) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize verify context: "); + goto err_verify; + } + + if (EVP_PKEY_CTX_set_rsa_padding(kctx, RSA_PKCS1_PSS_PADDING) < 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize signing context: "); + goto err_verify; + } + + if (EVP_DigestVerifyUpdate(mdctx, data, dataLen) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to update verify context: "); + goto err_verify; + } + + if (EVP_DigestVerifyFinal(mdctx, signature, signatureLen) != 1) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to finalize verify context: "); + goto err_verify; + } + 
+err_verify:
+ EVP_MD_CTX_destroy(mdctx);
+err_create_ctx:
+ return result;
+}
diff --git a/src/security/builtin_plugins/authentication/src/auth_utils.h b/src/security/builtin_plugins/authentication/src/auth_utils.h
new file mode 100644
index 0000000..f9db31d
--- /dev/null
+++ b/src/security/builtin_plugins/authentication/src/auth_utils.h
@@ -0,0 +1,238 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#ifndef AUTH_UTILS_H
+#define AUTH_UTILS_H
+
+#include "dds/security/dds_security_api.h"
+#include "dds/ddsrt/time.h"
+
+#define DDS_AUTH_PLUGIN_CONTEXT "Authentication"
+
+typedef enum {
+ AUTH_ALGO_KIND_UNKNOWN,
+ AUTH_ALGO_KIND_RSA_2048,
+ AUTH_ALGO_KIND_EC_PRIME256V1
+} AuthenticationAlgoKind_t;
+
+typedef enum {
+ AUTH_CONF_ITEM_PREFIX_UNKNOWN,
+ AUTH_CONF_ITEM_PREFIX_FILE,
+ AUTH_CONF_ITEM_PREFIX_DATA,
+ AUTH_CONF_ITEM_PREFIX_PKCS11
+} AuthConfItemPrefix_t;
+
+
+typedef struct AuthenticationChallenge {
+ unsigned char value[DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE];
+} AuthenticationChallenge;
+
+typedef struct {
+ uint32_t length;
+ X509 **buffer;
+} X509Seq;
+
+typedef unsigned char HashValue_t[SHA256_DIGEST_LENGTH];
+/*typedef struct HashValue {
+ unsigned char value[SHA256_DIGEST_LENGTH];
+} HashValue_t;
+*/
+
+/* Return a string that contains an openssl error description
+ * When a openssl function returns an error this function can be
+ * used to retrieve a descriptive error string.
+ * Note that the returned string should be freed.
+ */
+char *
+get_openssl_error_message(
+ void);
+
+/* Return the subject name of contained in a X509 certificate
+ * Note that the returned string should be freed.
+ */
+char*
+get_certificate_subject_name(
+ const X509 *cert,
+ DDS_Security_SecurityException *ex);
+
+/* Return the expiry date of contained in a X509 certificate
+ *
+ */
+dds_time_t
+get_certificate_expiry(
+ const X509 *cert);
+
+/* Return the subject name of a X509 certificate DER
+ * encoded. The DER encoded subject name is returned in
+ * the provided buffer. The length of the allocated
+ * buffer is returned
+ *
+ * return length of allocated buffer or -1 on error
+ */
+DDS_Security_ValidationResult_t
+get_subject_name_DER_encoded(
+ const X509 *cert,
+ unsigned char **buffer,
+ size_t *size,
+ DDS_Security_SecurityException *ex);
+
+
+/* Load a X509 certificate for the provided data.
+ *
+ * data : certificate in PEM format
+ * x509Cert : the openssl X509 return value
+ */
+DDS_Security_ValidationResult_t
+load_X509_certificate_from_data(
+ const char *data,
+ int len,
+ X509 **x509Cert,
+ DDS_Security_SecurityException *ex);
+
+
+/* Load a X509 certificate for the provided data.
+ *
+ * data : URI of the certificate. URI format is defined in DDS Security spec 9.3.1
+
+ * x509Cert : the openssl X509 return value
+ */
+DDS_Security_ValidationResult_t
+load_X509_certificate(
+ const char *data,
+ X509 **x509Cert,
+ DDS_Security_SecurityException *ex);
+
+
+/* Load a X509 certificate for the provided file.
+ *
+ * filename : path of the file that contains PEM formatted certificate
+ * x509Cert : the openssl X509 return value
+ */
+DDS_Security_ValidationResult_t
+load_X509_certificate_from_file(
+ const char *filename,
+ X509 **x509Cert,
+ DDS_Security_SecurityException *ex);
+
+/* Load a Private Key for the provided data.
+ *
+ * data : URI of the private key. URI format is defined in DDS Security spec 9.3.1
+ * privateKey : the openssl EVP_PKEY return value
+ */
+DDS_Security_ValidationResult_t
+load_X509_private_key(
+ const char *data,
+ const char *password,
+ EVP_PKEY **privateKey,
+ DDS_Security_SecurityException *ex);
+
+
+/* Validate an identity certificate against the identityCA
+ * The provided identity certificate is checked if it is
+ * signed by the identity corresponding to the identityCA.
+ *
+ * Note: Currently only a self signed CA is supported
+ * The function does not yet check a CLR or ocsp
+ * for expiry of identity certificate.
+ */
+DDS_Security_ValidationResult_t
+verify_certificate(
+ X509 *identityCert,
+ X509 *identityCa,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+check_certificate_expiry(
+ const X509 *cert,
+ DDS_Security_SecurityException *ex);
+
+AuthenticationAlgoKind_t
+get_auhentication_algo_kind(
+ X509 *cert);
+
+AuthenticationChallenge *
+generate_challenge(
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+get_certificate_contents(
+ X509 *cert,
+ unsigned char **data,
+ uint32_t *size,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+generate_dh_keys(
+ EVP_PKEY **dhkey,
+ AuthenticationAlgoKind_t authKind,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+dh_public_key_to_oct(
+ EVP_PKEY *pkey,
+ AuthenticationAlgoKind_t algo,
+ unsigned char **buffer,
+ uint32_t *length,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+dh_oct_to_public_key(
+ EVP_PKEY **data,
+ AuthenticationAlgoKind_t algo,
+ const unsigned char *str,
+ uint32_t size,
+ DDS_Security_SecurityException *ex);
+
+
+AuthConfItemPrefix_t
+get_conf_item_type(
+ const char *str,
+ char **data);
+
+/*
+ * Frees the contents of theCA list.
+ */
+void
+free_ca_list_contents(
+ X509Seq *ca_list);
+
+DDS_Security_ValidationResult_t
+get_trusted_ca_list (
+ const char* trusted_ca_dir,
+ X509Seq *ca_list,
+ DDS_Security_SecurityException *ex);
+
+char *
+string_from_data(
+ const unsigned char *data,
+ uint32_t size);
+
+
+DDS_Security_ValidationResult_t
+create_asymmetrical_signature(
+ EVP_PKEY *pkey,
+ const unsigned char *data,
+ const size_t dataLen,
+ unsigned char **signature,
+ size_t *signatureLen,
+ DDS_Security_SecurityException *ex);
+
+DDS_Security_ValidationResult_t
+validate_asymmetrical_signature(
+ EVP_PKEY *pkey,
+ const unsigned char *data,
+ const size_t dataLen,
+ const unsigned char *signature,
+ const size_t signatureLen,
+ DDS_Security_SecurityException *ex);
+
+#endif /* AUTH_UTILS_H */
diff --git a/src/security/builtin_plugins/authentication/src/authentication.c b/src/security/builtin_plugins/authentication/src/authentication.c
new file mode 100644
index 0000000..eb4117f
--- /dev/null
+++ b/src/security/builtin_plugins/authentication/src/authentication.c
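Review bot: The comment above `get_subject_name_DER_encoded` in auth_utils.h promises a return of "length of allocated buffer or -1 on error", but the declaration returns `DDS_Security_ValidationResult_t` and reports the length through `size_t *size`, so a caller written from the comment would test the wrong thing when certificate parsing fails. I would replace that last comment line with `* Returns DDS_SECURITY_VALIDATION_OK and sets *buffer and *size on success; the caller frees *buffer.`, where the ownership half is inferred from "allocated buffer" and needs confirming against the implementation, which is not part of this hunk. The header also uses `X509`, `EVP_PKEY` and `SHA256_DIGEST_LENGTH` with no OpenSSL include visible in it, so unless `dds_security_api.h` provides them it only compiles when included after the OpenSSL headers. In the `verify_certificate` comment "CLR" presumably means CRL; because that note records that revocation is not checked, it is worth spelling correctly so the limitation can be found by search.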
@@ -0,0 +1,3513 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + + +#include +#include +#include +#include +#include +#include +#include +#include +#include "authentication.h" +#include "dds/ddsrt/heap.h" +#include "dds/security/dds_security_api.h" + + +#if OPENSLL_VERSION_NUMBER >= 0x10002000L +#define AUTH_INCLUDE_EC +#include +#endif +#include + +/* There is a problem when compiling on windows w.r.t. X509_NAME. + * The windows api already defines the type X509_NAME which + * conficts with some openssl versions. The workaround is to + * undef the openssl X509_NAME + */ +#ifdef _WIN32 +#undef X509_NAME +#endif + +#include "dds/security/dds_security_api.h" +#include "dds/security/dds_security_api_types.h" +#include "dds/ddsrt/atomics.h" +#include "stdbool.h" +#include +#include "dds/ddsrt/string.h" +#include "dds/ddsrt/sync.h" +#include "dds/ddsrt/hopscotch.h" + +#include "dds/security/core/shared_secret.h" +#include "dds/security/core/dds_security_utils.h" +#include "dds/security/core/dds_security_serialize.h" +#include "auth_utils.h" +#include + +#ifndef EVP_PKEY_id +#define EVP_PKEY_id(k) ((k)->type) +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L +#define REMOVE_THREAD_STATE() ERR_remove_thread_state(NULL); +#elif OPENSSL_VERSION_NUMBER < 0x10000000L +#define REMOVE_THREAD_STATE() ERR_remove_state(0); +#else +#define REMOVE_THREAD_STATE() +#endif + + +#define HANDSHAKE_SIGNATURE_CONTENT_SIZE 6 + +static const char * AUTH_PROTOCOL_CLASS = "DDS:Auth:PKI-DH"; +static const unsigned AUTH_PROTOCOL_VERSION_MAJOR = 1; +static 
const unsigned AUTH_PROTOCOL_VERSION_MINOR = 0; + +static const char * AUTH_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+AuthReq"; +static const char * AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME = "future_challenge"; + +static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca"; +static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key"; +static const char * PROPERTY_PASSWORD = "dds.sec.auth.password"; +static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate"; +static const char * PROPERTY_TRUSTED_CA_DIR = "dds.sec.auth.trusted_ca_dir"; + +static const char * PROPERTY_CERT_SUBJECT_NAME = "dds.cert.sn"; +static const char * PROPERTY_CERT_ALGORITHM = "dds.cert.algo"; +static const char * PROPERTY_CA_SUBJECT_NAME = "dds.ca.sn"; +static const char * PROPERTY_CA_ALGORITHM = "dds.ca.aglo"; + +static const char * AUTH_HANDSHAKE_REQUEST_TOKEN_ID = "DDS:Auth:PKI-DH:1.0+Req"; +static const char * AUTH_HANDSHAKE_REPLY_TOKEN_ID = "DDS:Auth:PKI-DH:1.0+Reply"; + +static const char * AUTH_HANDSHAKE_FINAL_TOKEN_ID = "DDS:Auth:PKI-DH:1.0+Final"; + +static const char * AUTH_DSIG_ALGO_RSA_2048_SHA256_IDENT = "RSASSA-PSS-SHA256"; +static const char * AUTH_DSIG_ALGO_ECDSA_SHA256_IDENT = "ECDSA-SHA256"; +static const char * AUTH_KAGREE_ALGO_RSA_2048_SHA256_IDENT = "DH+MODP-2048-256"; +static const char * AUTH_KAGREE_ALGO_ECDH_PRIME256V1_IDENT = "ECDH+prime256v1-CEUM"; + + +static const char * ACCESS_PERMISSIONS_CREDENTIAL_TOKEN_ID = "DDS:Access:PermissionsCredential"; +static const char * ACCESS_PROPERTY_PERMISSION_DOCUMENT = "dds.perm.cert"; + + +/** + * Implementation structure for storing encapsulated members of the instance + * while giving only the interface definition to user + */ + +typedef enum { + SECURITY_OBJECT_KIND_UNKNOWN, + SECURITY_OBJECT_KIND_LOCAL_IDENTITY, + SECURITY_OBJECT_KIND_REMOTE_IDENTITY, + SECURITY_OBJECT_KIND_IDENTITY_RELATION, + SECURITY_OBJECT_KIND_HANDSHAKE +} SecurityObjectKind_t; + +typedef enum { + CREATEDREQUEST, 
+ CREATEDREPLY
+
+} CreatedHandshakeStep_t;
+
+typedef struct SecurityObject SecurityObject;
+
+typedef void (*SecurityObjectDestructor)(SecurityObject *obj);
+
+struct SecurityObject {
+ int64_t handle;
+ SecurityObjectKind_t kind;
+ SecurityObjectDestructor destructor;
+};
+
+
+#ifndef NDEBUG
+#define CHECK_OBJECT_KIND(o,k) assert(security_object_valid((SecurityObject *)(o), k))
+#else
+#define CHECK_OBJECT_KIND(o,k)
+#endif
+
+#define SECURITY_OBJECT(o) ((SecurityObject *)(o))
+#define SECURITY_OBJECT_HANDLE(o) (SECURITY_OBJECT(o)->handle)
+#define IDENTITY_HANDLE(o) ((DDS_Security_IdentityHandle) SECURITY_OBJECT_HANDLE(o))
+#define HANDSHAKE_HANDLE(o) ((DDS_Security_HandshakeHandle) SECURITY_OBJECT_HANDLE(o))
+
+#define SECURITY_OBJECT_VALID(o,k) security_object_valid((SecurityObject *)(o), k)
+
+
+typedef struct LocalIdentityInfo {
+ SecurityObject _parent;
+ DDS_Security_DomainId domainId;
+ DDS_Security_GUID_t candidateGUID;
+ DDS_Security_GUID_t adjustedGUID;
+ X509 *identityCert;
+ X509 *identityCA;
+ EVP_PKEY *privateKey;
+ DDS_Security_OctetSeq pdata;
+ AuthenticationAlgoKind_t dsignAlgoKind;
+ AuthenticationAlgoKind_t kagreeAlgoKind;
+ char *permissionsDocument;
+} LocalIdentityInfo;
+
+typedef struct RemoteIdentityInfo {
+ SecurityObject _parent;
+ DDS_Security_GUID_t guid;
+ X509 *identityCert;
+ AuthenticationAlgoKind_t dsignAlgoKind;
+ AuthenticationAlgoKind_t kagreeAlgoKind;
+ DDS_Security_IdentityToken *remoteIdentityToken;
+ DDS_Security_OctetSeq pdata;
+ char *permissionsDocument;
+ struct ddsrt_hh *linkHash; /* contains the IdentityRelation objects */
+} RemoteIdentityInfo;
+
+
+/* This structure contains the relation between a local and a remote identity
+ * The handle for this object is the same as the handle of the associated
+ * local identity object. The IdentityRelation object will be stored with the
+ * remote identity.
+ */ +typedef struct IdentityRelation { + SecurityObject _parent; + LocalIdentityInfo *localIdentity; + RemoteIdentityInfo *remoteIdentity; + AuthenticationChallenge *lchallenge; + AuthenticationChallenge *rchallenge; +} IdentityRelation; + +typedef struct HandshakeInfo { + SecurityObject _parent; + IdentityRelation *relation; + HashValue_t hash_c1; + HashValue_t hash_c2; + EVP_PKEY *ldh; + EVP_PKEY *rdh; + DDS_Security_SharedSecretHandleImpl *shared_secret_handle_impl; + CreatedHandshakeStep_t created_in; +} HandshakeInfo; + +typedef struct dds_security_authentication_impl { + dds_security_authentication base; + int id; //sample internal member + ddsrt_mutex_t lock; + struct ddsrt_hh *objectHash; + struct ddsrt_hh *remoteGuidHash; + struct ut_timed_dispatcher_t *timed_callbacks; + X509Seq trustedCAList; + + + +} dds_security_authentication_impl; + +/* data type for timer dispatcher */ +typedef struct { + dds_security_authentication_impl *auth; + DDS_Security_IdentityHandle hdl; +} validity_cb_info; + + +static bool +security_object_valid( + SecurityObject *obj, + SecurityObjectKind_t kind) +{ + if (!obj) return false; + if (obj->kind != kind) return false; + if (kind == SECURITY_OBJECT_KIND_IDENTITY_RELATION) { + IdentityRelation *relation = (IdentityRelation *)obj; + if (!relation->localIdentity || !relation->remoteIdentity || (ddsrt_address)obj->handle != (ddsrt_address)relation->localIdentity) { + return false; + } + } else if ((ddsrt_address)obj->handle != (ddsrt_address)obj) { + return false; + } + return true; +} + +static uint32_t +security_object_hash ( + const void *obj) +{ + const SecurityObject *object = obj; +#define UINT64_CONST(x, y, z) (((uint64_t) (x) * 1000000 + (y)) * 1000000 + (z)) + const uint64_t c = UINT64_CONST (16292676, 669999, 574021); +#undef UINT64_CONST + const uint32_t x = (uint32_t) object->handle; + return (unsigned) ((x * c) >> 32); +} + +static int +security_object_equal ( + const void *ha, + const void *hb) +{ + const 
SecurityObject *la = ha; + const SecurityObject *lb = hb; + + return la->handle == lb->handle; +} + +static SecurityObject * +security_object_find( + const struct ddsrt_hh *hh, + int64_t handle) +{ + struct SecurityObject template; + + template.handle = handle; + + return (SecurityObject *) ddsrt_hh_lookup(hh, &template);; +} + +static void +security_object_init( + SecurityObject *obj, + SecurityObjectKind_t kind, + SecurityObjectDestructor destructor) +{ + assert(obj); + + obj->kind = kind; + obj->handle = (int64_t)(ddsrt_address)obj; + obj->destructor = destructor; +} + +static void +security_object_deinit( + SecurityObject *obj) + +{ + assert(obj); + obj->handle = DDS_SECURITY_HANDLE_NIL; + obj->kind = SECURITY_OBJECT_KIND_UNKNOWN; + obj->destructor = NULL; +} + +static void +security_object_free( + SecurityObject *obj) +{ + assert(obj); + if (obj && obj->destructor) { + obj->destructor(obj); + } +} + +static void +localIdentityInfoFree( + SecurityObject *obj); + + + +static LocalIdentityInfo * +localIdentityInfoNew( + DDS_Security_DomainId domainId, + X509 *identityCert, + X509 *identityCa, + EVP_PKEY *privateKey, + const DDS_Security_GUID_t *candidate_participant_guid, + const DDS_Security_GUID_t *adjusted_participant_guid) +{ + LocalIdentityInfo *identity = NULL; + + assert(identityCert); + assert(identityCa); + assert(privateKey); + assert(candidate_participant_guid); + assert(adjusted_participant_guid); + assert(sizeof(DDS_Security_IdentityHandle) == 8); + + identity = ddsrt_malloc(sizeof(*identity)); + memset(identity, 0, sizeof(*identity)); + + security_object_init((SecurityObject *)identity, SECURITY_OBJECT_KIND_LOCAL_IDENTITY, localIdentityInfoFree); + + + + + identity->domainId = domainId; + identity->identityCert = identityCert; + identity->identityCA = identityCa; + identity->privateKey = privateKey; + identity->permissionsDocument = NULL; + identity->dsignAlgoKind = get_auhentication_algo_kind(identityCert); + identity->kagreeAlgoKind = 
AUTH_ALGO_KIND_EC_PRIME256V1; + + memcpy(&identity->candidateGUID, candidate_participant_guid, sizeof(DDS_Security_GUID_t)); + memcpy(&identity->adjustedGUID, adjusted_participant_guid, sizeof(DDS_Security_GUID_t)); + + return identity; +} + +static void +localIdentityInfoFree( + SecurityObject *obj) +{ + LocalIdentityInfo *identity = (LocalIdentityInfo *)obj; + + CHECK_OBJECT_KIND(obj, SECURITY_OBJECT_KIND_LOCAL_IDENTITY); + + if (identity) { + if (identity->identityCert) { + X509_free(identity->identityCert); + } + if (identity->identityCA) { + X509_free(identity->identityCA); + } + if (identity->privateKey) { + EVP_PKEY_free(identity->privateKey); + } + ddsrt_free(identity->pdata._buffer); + ddsrt_free(identity->permissionsDocument); + security_object_deinit((SecurityObject *)identity); + ddsrt_free(identity); + } +} + +static uint32_t +remote_guid_hash ( + const void *obj) +{ + const RemoteIdentityInfo *identity = obj; + uint32_t tmp[4]; + + memcpy(tmp, &identity->guid, sizeof(tmp)); + + return (tmp[0]^tmp[1]^tmp[2]^tmp[3]); +} + +static int +remote_guid_equal ( + const void *ha, + const void *hb) +{ + const RemoteIdentityInfo *la = ha; + const RemoteIdentityInfo *lb = hb; + + return memcmp(&la->guid, &lb->guid, sizeof(la->guid)) == 0; +} + +static RemoteIdentityInfo * +find_remote_identity_by_guid( + const struct ddsrt_hh *hh, + const DDS_Security_GUID_t *guid) +{ + struct RemoteIdentityInfo template; + + memcpy(&template.guid, guid, sizeof(*guid)); + + return (RemoteIdentityInfo *) ddsrt_hh_lookup(hh, &template); +} + +static void +remoteIdentityInfoFree( + SecurityObject *obj); + +static RemoteIdentityInfo * +remoteIdentityInfoNew( + const DDS_Security_GUID_t *guid, + const DDS_Security_IdentityToken *remote_identity_token) +{ + RemoteIdentityInfo *identity = NULL; + + assert(guid); + assert(remote_identity_token); + + identity = ddsrt_malloc(sizeof(*identity)); + memset(identity, 0, sizeof(*identity)); + + security_object_init((SecurityObject *)identity, 
SECURITY_OBJECT_KIND_REMOTE_IDENTITY, remoteIdentityInfoFree); + + memcpy(&identity->guid, guid, sizeof(DDS_Security_GUID_t)); + identity->remoteIdentityToken = DDS_Security_DataHolder_alloc(); + DDS_Security_DataHolder_copy(identity->remoteIdentityToken, remote_identity_token); + identity->identityCert = NULL; + identity->dsignAlgoKind = AUTH_ALGO_KIND_UNKNOWN; + identity->kagreeAlgoKind = AUTH_ALGO_KIND_UNKNOWN; + identity->permissionsDocument = ddsrt_strdup(""); + identity->linkHash = ddsrt_hh_new(32, security_object_hash, security_object_equal); + + return identity; +} + +static void +remoteIdentityInfoFree( + SecurityObject *obj) +{ + RemoteIdentityInfo *identity = (RemoteIdentityInfo *)obj; + + CHECK_OBJECT_KIND(obj, SECURITY_OBJECT_KIND_REMOTE_IDENTITY); + + if (identity) { + if (identity->identityCert) { + X509_free(identity->identityCert); + } + DDS_Security_DataHolder_free(identity->remoteIdentityToken); + + ddsrt_hh_free(identity->linkHash); + + ddsrt_free(identity->pdata._buffer); + ddsrt_free(identity->permissionsDocument); + security_object_deinit((SecurityObject *)identity); + ddsrt_free(identity); + } +} + +static void +identityRelationFree( + SecurityObject *obj); + +/* The IdentityRelation provides the association between a local and a remote + * identity. This object manages the challenges which are created for + * each association between a local and a remote identity. + * The lchallenge is the challenge associated with the local identity and + * may be set when a future challenge is communicated with the auth_request_message_token. 
+ * The rchallenge is the challenge received from the remote identity it may be set when + * an auth_request_message_token is received from the remote identity, + */ +static IdentityRelation * +identityRelationNew( + LocalIdentityInfo *localIdentity, + RemoteIdentityInfo *remoteIdentity, + AuthenticationChallenge *lchallenge, + AuthenticationChallenge *rchallenge) +{ + IdentityRelation *relation; + + assert(localIdentity); + assert(remoteIdentity); + + relation = ddsrt_malloc(sizeof(*relation)); + memset(relation, 0, sizeof(*relation)); + + security_object_init((SecurityObject *)relation, SECURITY_OBJECT_KIND_IDENTITY_RELATION, identityRelationFree); + relation->_parent.handle = SECURITY_OBJECT_HANDLE(localIdentity); + + relation->localIdentity = localIdentity; + relation->remoteIdentity = remoteIdentity; + relation->lchallenge = lchallenge; + relation->rchallenge = rchallenge; + + return relation; +} + +static void +identityRelationFree( + SecurityObject *obj) +{ + IdentityRelation *relation = (IdentityRelation *)obj; + + CHECK_OBJECT_KIND(obj, SECURITY_OBJECT_KIND_IDENTITY_RELATION); + + if (relation) { + ddsrt_free(relation->lchallenge); + ddsrt_free(relation->rchallenge); + security_object_deinit((SecurityObject *)relation); + ddsrt_free(relation); + } +} + +static void +handshakeInfoFree( + SecurityObject *obj); + +static HandshakeInfo * +handshakeInfoNew( + LocalIdentityInfo *localIdentity, + RemoteIdentityInfo *remoteIdentity, + IdentityRelation *relation) +{ + HandshakeInfo *handshake; + + assert(localIdentity); + assert(remoteIdentity); + + DDSRT_UNUSED_ARG(localIdentity); + DDSRT_UNUSED_ARG(remoteIdentity); + handshake = ddsrt_malloc(sizeof(*handshake)); + memset(handshake, 0, sizeof(*handshake)); + + security_object_init((SecurityObject *)handshake, SECURITY_OBJECT_KIND_HANDSHAKE, handshakeInfoFree); + + handshake->relation = relation; + handshake->shared_secret_handle_impl = NULL; + + return handshake; +} + +static void +handshakeInfoFree( + 
SecurityObject *obj) +{ + HandshakeInfo *handshake = (HandshakeInfo *)obj; + + CHECK_OBJECT_KIND(obj, SECURITY_OBJECT_KIND_HANDSHAKE); + + if (handshake) { + if (handshake->ldh) { + EVP_PKEY_free(handshake->ldh); + } + if (handshake->rdh) { + EVP_PKEY_free(handshake->rdh); + } + if(handshake->shared_secret_handle_impl) { + ddsrt_free( handshake->shared_secret_handle_impl->shared_secret); + ddsrt_free( handshake->shared_secret_handle_impl ); + } + security_object_deinit((SecurityObject *)handshake); + ddsrt_free(handshake); + } +} + +static IdentityRelation * +find_identity_relation( + const RemoteIdentityInfo *remote, + int64_t lid) +{ + return (IdentityRelation *)security_object_find(remote->linkHash, lid); +} + +static void +remove_identity_relation( + RemoteIdentityInfo *remote, + IdentityRelation *relation) +{ + (void)ddsrt_hh_remove(remote->linkHash, relation); + security_object_free((SecurityObject *) relation); +} + +static HandshakeInfo * +find_handshake( + const dds_security_authentication_impl *auth, + int64_t localId, + int64_t remoteId) +{ + struct ddsrt_hh_iter it; + SecurityObject *obj; + IdentityRelation *relation; + HandshakeInfo *found = NULL; + + for (obj = ddsrt_hh_iter_first(auth->objectHash, &it); obj && !found; obj = ddsrt_hh_iter_next(&it)) { + if (obj->kind == SECURITY_OBJECT_KIND_HANDSHAKE) { + relation = ((HandshakeInfo *)obj)->relation; + assert(relation); + if ((SECURITY_OBJECT_HANDLE(relation->localIdentity) == localId) && + (SECURITY_OBJECT_HANDLE(relation->remoteIdentity) == remoteId)) { + found = (HandshakeInfo *)obj; + } + } + } + + return found; +} + +static char * +get_authentication_class_id( + void) +{ + char *classId; + size_t sz; + + sz = strlen(AUTH_PROTOCOL_CLASS) + 5; + + classId = ddsrt_malloc(sz); + snprintf(classId, sz, "%s:%1u.%1u", AUTH_PROTOCOL_CLASS, AUTH_PROTOCOL_VERSION_MAJOR, AUTH_PROTOCOL_VERSION_MINOR); + + return classId; +} + +static const char * +get_authentication_algo( + AuthenticationAlgoKind_t kind) +{ + 
const char *result;
+ switch (kind) {
+ case AUTH_ALGO_KIND_RSA_2048:
+ result = "RSA-2048";
+ break;
+ case AUTH_ALGO_KIND_EC_PRIME256V1:
+ result = "EC-prime256v1";
+ break;
+ default:
+ assert(0);
+ result = "";
+ break;
+ }
+
+ return result;
+}
+
+static const char *
+get_dsign_algo(
+ AuthenticationAlgoKind_t kind)
+{
+ const char *result;
+ switch (kind) {
+ case AUTH_ALGO_KIND_RSA_2048:
+ result = AUTH_DSIG_ALGO_RSA_2048_SHA256_IDENT;
+ break;
+ case AUTH_ALGO_KIND_EC_PRIME256V1:
+ result = AUTH_DSIG_ALGO_ECDSA_SHA256_IDENT;
+ break;
+ default:
+ assert(0);
+ result = "";
+ break;
+ }
+
+ return result;
+}
+
+static const char *
+get_kagree_algo(
+ AuthenticationAlgoKind_t kind)
+{
+ const char *result;
+ switch (kind) {
+ case AUTH_ALGO_KIND_RSA_2048:
+ result = AUTH_KAGREE_ALGO_RSA_2048_SHA256_IDENT;
+ break;
+ case AUTH_ALGO_KIND_EC_PRIME256V1:
+ result = AUTH_KAGREE_ALGO_ECDH_PRIME256V1_IDENT;
+ break;
+ default:
+ assert(0);
+ result = "";
+ break;
+ }
+
+ return result;
+}
+
+static AuthenticationAlgoKind_t
+get_dsign_algo_from_string(
+ const char *name)
+{
+ AuthenticationAlgoKind_t algoKind = AUTH_ALGO_KIND_UNKNOWN;
+
+ if (name) {
+ if (strcmp(AUTH_DSIG_ALGO_RSA_2048_SHA256_IDENT, name) == 0) {
+ algoKind = AUTH_ALGO_KIND_RSA_2048;
+ } else if (strcmp(AUTH_DSIG_ALGO_ECDSA_SHA256_IDENT, name) == 0) {
+ algoKind = AUTH_ALGO_KIND_EC_PRIME256V1;
+ }
+ }
+
+ return algoKind;
+}
+
+static AuthenticationAlgoKind_t
+get_kagree_algo_from_string(
+ const char *name)
+{
+ AuthenticationAlgoKind_t algoKind = AUTH_ALGO_KIND_UNKNOWN;
+
+ if (name) {
+ if (strcmp(AUTH_KAGREE_ALGO_RSA_2048_SHA256_IDENT, name) == 0) {
+ algoKind = AUTH_ALGO_KIND_RSA_2048;
+ } else if (strcmp(AUTH_KAGREE_ALGO_ECDH_PRIME256V1_IDENT, name) == 0) {
+ algoKind = AUTH_ALGO_KIND_EC_PRIME256V1;
+ }
+ }
+
+ return algoKind;
+}
+
+static void
+free_binary_properties(
+ DDS_Security_BinaryProperty_t *seq,
+ uint32_t length)
+{
+ uint32_t i;
+
+ for (i = 0; i < length; i++) {
+
ddsrt_free(seq[i].name);
+ ddsrt_free(seq[i].value._buffer);
+ }
+ ddsrt_free(seq);
+}
+
+static void
+get_hash_binary_property_seq(
+ const DDS_Security_BinaryPropertySeq *seq,
+ unsigned char hash[SHA256_DIGEST_LENGTH])
+{
+ DDS_Security_Serializer serializer;
+ unsigned char *buffer;
+ size_t size;
+
+ serializer = DDS_Security_Serializer_new(4096, 4096);
+
+ DDS_Security_Serialize_BinaryPropertySeq(serializer, seq);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+ SHA256(buffer, size, hash);
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+}
+
+static DDS_Security_ValidationResult_t
+create_signature(
+ EVP_PKEY *pkey,
+ const DDS_Security_BinaryProperty_t **binary_properties,
+ const uint32_t binary_properties_length,
+ unsigned char **signature,
+ size_t *signatureLen,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_Serializer serializer;
+ unsigned char *buffer;
+ size_t size;
+
+ serializer = DDS_Security_Serializer_new(4096, 4096);
+
+ DDS_Security_Serialize_BinaryPropertyArray(serializer,binary_properties, binary_properties_length);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+
+ result = create_asymmetrical_signature(pkey, buffer, size, signature, signatureLen, ex);
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+
+ return result;
+}
+
+static DDS_Security_ValidationResult_t
+validate_signature(
+ EVP_PKEY *pkey,
+ const DDS_Security_BinaryProperty_t **properties,
+ const uint32_t properties_length,
+ unsigned char *signature,
+ size_t signatureLen,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_Serializer serializer;
+ unsigned char *buffer;
+ size_t size;
+
+ serializer = DDS_Security_Serializer_new(4096, 4096);
+
+ DDS_Security_Serialize_BinaryPropertyArray(serializer, properties, properties_length);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+
+ result =
validate_asymmetrical_signature(pkey, buffer, size, signature, signatureLen, ex);
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+
+ return result;
+}
+
+static DDS_Security_ValidationResult_t
+compute_hash_value(
+ HashValue_t value,
+ const DDS_Security_BinaryProperty_t **properties,
+ const uint32_t properties_length,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ DDS_Security_Serializer serializer;
+ unsigned char *buffer;
+ size_t size;
+
+ DDSRT_UNUSED_ARG(ex);
+
+ serializer = DDS_Security_Serializer_new(4096, 4096);
+
+ DDS_Security_Serialize_BinaryPropertyArray(serializer, properties, properties_length);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+ SHA256(buffer, size, value);
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+
+ return result;
+}
+
+static DDS_Security_BinaryProperty_t *
+hash_value_to_binary_property(
+ const char *name,
+ HashValue_t hash)
+{
+ DDS_Security_BinaryProperty_t *bp = DDS_Security_BinaryProperty_alloc();
+
+ DDS_Security_BinaryProperty_set_by_value(bp, name, hash, sizeof(HashValue_t));
+
+ return bp;
+}
+
+
+/* Will be enabled after timed callback feature implementation */
+#if TIMED_CALLBACK_IMPLEMENTED
+
+static void
+validity_callback(struct ut_timed_dispatcher_t *d,
+ ut_timed_cb_kind kind,
+ void *listener,
+ void *arg)
+{
+ validity_cb_info *info = arg;
+
+ assert(d);
+ assert(arg);
+
+ if (kind == UT_TIMED_CB_KIND_TIMEOUT) {
+ assert(listener);
+ dds_security_authentication_listener *auth_listener = (dds_security_authentication_listener*)listener;
+ if (auth_listener->on_revoke_identity) {
+ auth_listener->on_revoke_identity(auth_listener,
+ (dds_security_authentication*)info->auth,
+ info->hdl);
+
+ }
+ }
+ ddsrt_free(arg);
+}
+
+#endif
+
+static void
+add_validity_end_trigger(dds_security_authentication_impl *auth,
+ const DDS_Security_IdentityHandle identity_handle,
+ dds_time_t end)
+{
+
DDSRT_UNUSED_ARG( auth );
+ DDSRT_UNUSED_ARG( identity_handle );
+ DDSRT_UNUSED_ARG( end );
+ /* Will be enabled after timed call back feature implementation */
+ /*
+ validity_cb_info *arg = ddsrt_malloc(sizeof(validity_cb_info));
+ arg->auth = auth;
+ arg->hdl = identity_handle;
+ ut_timed_dispatcher_add(auth->timed_callbacks,
+ validity_callback,
+ end,
+ (void*)arg);
+ */
+}
+
+
+
+#define ADJUSTED_GUID_PREFIX_FLAG 0x80
+
+static DDS_Security_ValidationResult_t
+get_adjusted_participant_guid(
+ X509 *cert,
+ const DDS_Security_GUID_t *candidate,
+ DDS_Security_GUID_t *adjusted,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_FAILED;
+ unsigned char high[SHA256_DIGEST_LENGTH], low[SHA256_DIGEST_LENGTH];
+ unsigned char *subject = NULL;
+ size_t size=0;
+
+ assert(cert);
+ assert(candidate);
+ assert(adjusted);
+
+ result = get_subject_name_DER_encoded(cert, &subject, &size, ex);
+ if ( result == DDS_SECURITY_VALIDATION_OK ) {
+ DDS_Security_octet hb = ADJUSTED_GUID_PREFIX_FLAG;
+ int i;
+
+ SHA256(subject, size, high);
+ SHA256(&candidate->prefix[0], sizeof(DDS_Security_GuidPrefix_t), low);
+
+ adjusted->entityId = candidate->entityId;
+ for (i = 0; i < 6; i++) {
+ adjusted->prefix[i] = hb | high[i] >> 1;
+ hb = (DDS_Security_octet) (high[i] << 7);
+ }
+ for (i = 0; i < 6; i++) {
+ adjusted->prefix[i + 6] = low[i];
+ }
+ ddsrt_free(subject);
+ }
+
+ return result;
+}
+#undef ADJUSTED_GUID_PREFIX_FLAG
+
+DDS_Security_ValidationResult_t
+validate_local_identity(
+ dds_security_authentication *instance,
+ DDS_Security_IdentityHandle *local_identity_handle,
+ DDS_Security_GUID_t *adjusted_participant_guid,
+ const DDS_Security_DomainId domain_id,
+ const DDS_Security_Qos *participant_qos,
+ const DDS_Security_GUID_t *candidate_participant_guid,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ dds_security_authentication_impl *implementation =
(dds_security_authentication_impl *) instance;
+ LocalIdentityInfo *identity;
+ char *identityCertPEM;
+ char *identityCaPEM;
+ char *privateKeyPEM;
+ char *password;
+ X509 *identityCert;
+ X509 *identityCA;
+ EVP_PKEY *privateKey;
+ char *trusted_ca_dir;
+ unsigned i;
+ dds_time_t certExpiry = DDS_TIME_INVALID;
+
+ /* validate provided arguments */
+ if (!instance || !local_identity_handle || !adjusted_participant_guid || !participant_qos || !candidate_participant_guid) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "validate_local_identity: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ implementation->id = 2;
+
+ identityCertPEM = DDS_Security_Property_get_value(&participant_qos->property.value, PROPERTY_IDENTITY_CERT);
+ if (!identityCertPEM) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "validate_local_identity: missing property '%s'", PROPERTY_IDENTITY_CERT);
+ goto err_no_identity_cert;
+ }
+
+ identityCaPEM = DDS_Security_Property_get_value(&participant_qos->property.value, PROPERTY_IDENTITY_CA);
+ if (!identityCaPEM) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "validate_local_identity: missing property '%s'", PROPERTY_IDENTITY_CA);
+ goto err_no_identity_ca;
+ }
+
+ privateKeyPEM = DDS_Security_Property_get_value(&participant_qos->property.value, PROPERTY_PRIVATE_KEY);
+ if (!privateKeyPEM) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "validate_local_identity: missing property '%s'", PROPERTY_PRIVATE_KEY);
+ goto err_no_private_key;
+ }
+
+ password = DDS_Security_Property_get_value(&participant_qos->property.value, PROPERTY_PASSWORD);
+
+
+ trusted_ca_dir = DDS_Security_Property_get_value(&participant_qos->property.value, PROPERTY_TRUSTED_CA_DIR);
+
+ if( trusted_ca_dir ){
+ result = get_trusted_ca_list(trusted_ca_dir, &(implementation->trustedCAList), ex );
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_trusted_ca_dir;
+ }
+ }
+
+
+ result = load_X509_certificate(identityCaPEM, &identityCA, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_identity_ca;
+ }
+
+
+ /*check for CA if listed in trusted CA files*/
+ if( implementation->trustedCAList.length != 0 ){
+ const EVP_MD *digest = EVP_get_digestbyname("sha1");
+ uint32_t size;
+ unsigned char hash_buffer[20];
+ unsigned char hash_buffer_trusted[20];
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ X509_digest(identityCA, digest, hash_buffer, &size);
+ for (i = 0; i < implementation->trustedCAList.length; ++i) {
+ X509_digest(implementation->trustedCAList.buffer[i], digest, hash_buffer_trusted, &size);
+ if( memcmp( hash_buffer_trusted, hash_buffer,20 ) == 0){
+ result = DDS_SECURITY_VALIDATION_OK;
+ break;
+ }
+ }
+
+ if (result != DDS_SECURITY_VALIDATION_OK) { /*not trusted*/
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CA_NOT_TRUSTED_CODE, (int)result, DDS_SECURITY_ERR_CA_NOT_TRUSTED_MESSAGE);
+ goto err_identity_ca_not_trusted;
+ }
+ }
+ result = load_X509_certificate(identityCertPEM, &identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_identity_cert;
+ }
+
+ result = load_X509_private_key(privateKeyPEM, password, &privateKey, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_private_key;
+ }
+
+ result = verify_certificate(identityCert, identityCA, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_verification_failed;
+ }
+
+ result = get_adjusted_participant_guid(identityCert, candidate_participant_guid, adjusted_participant_guid, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_adj_guid_failed;
+ }
+
+
ddsrt_free(password);
+ ddsrt_free(privateKeyPEM);
+ ddsrt_free(identityCaPEM);
+ ddsrt_free(identityCertPEM);
+ ddsrt_free(trusted_ca_dir);
+
+ identity = localIdentityInfoNew(domain_id, identityCert, identityCA, privateKey, candidate_participant_guid, adjusted_participant_guid);
+
+ *local_identity_handle = IDENTITY_HANDLE(identity);
+
+ /* setup expiry listener */
+ certExpiry = get_certificate_expiry( identityCert );
+
+ if( certExpiry == DDS_TIME_INVALID ){
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Expiry date of the certificate is invalid");
+ goto err_verification_failed;
+ } else if ( certExpiry != DDS_NEVER ){
+ add_validity_end_trigger( implementation,
+ *local_identity_handle,
+ certExpiry);
+ }
+
+
+ ddsrt_mutex_lock(&implementation->lock);
+ (void)ddsrt_hh_add(implementation->objectHash, identity);
+
+ ddsrt_mutex_unlock(&implementation->lock);
+
+ return result;
+
+err_adj_guid_failed:
+err_verification_failed:
+ EVP_PKEY_free(privateKey);
+err_inv_private_key:
+ X509_free(identityCert);
+err_inv_identity_cert:
+err_identity_ca_not_trusted:
+ X509_free(identityCA);
+err_inv_identity_ca:
+err_inv_trusted_ca_dir:
+ ddsrt_free(password);
+ ddsrt_free(privateKeyPEM);
+ ddsrt_free(trusted_ca_dir);
+err_no_private_key:
+ ddsrt_free(identityCaPEM);
+err_no_identity_ca:
+ ddsrt_free(identityCertPEM);
+err_no_identity_cert:
+err_bad_param:
+ return DDS_SECURITY_VALIDATION_FAILED;
+}
+
+DDS_Security_boolean
+get_identity_token(dds_security_authentication *instance,
+ DDS_Security_IdentityToken *identity_token,
+ const DDS_Security_IdentityHandle handle,
+ DDS_Security_SecurityException *ex)
+{
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ SecurityObject *obj;
+ LocalIdentityInfo *identity;
+ char *snCert, *snCA;
+
+ memset(identity_token, 0, sizeof(*identity_token));
+
+ /* validate provided arguments */
+ if (!instance || !identity_token) {
+
DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_identity_token: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ obj = security_object_find(impl->objectHash, handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_LOCAL_IDENTITY)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_identity_token: Invalid handle provided");
+ goto err_inv_handle;
+ }
+ identity = (LocalIdentityInfo *)obj;
+
+ snCert = get_certificate_subject_name(identity->identityCert, ex);
+
+ if (!snCert) {
+ goto err_sn_cert;
+ }
+
+ snCA = get_certificate_subject_name(identity->identityCA, ex);
+ if (!snCA) {
+ goto err_sn_ca;
+ }
+
+ identity_token->class_id = get_authentication_class_id();
+ identity_token->properties._length = 4;
+ identity_token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+
+ identity_token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ identity_token->properties._buffer[0].value = snCert;
+
+ identity_token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM);
+ identity_token->properties._buffer[1].value = ddsrt_strdup(get_authentication_algo(get_auhentication_algo_kind(identity->identityCert)));
+
+ identity_token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME);
+ identity_token->properties._buffer[2].value = snCA;
+
+ identity_token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM);
+ identity_token->properties._buffer[3].value = ddsrt_strdup(get_authentication_algo(get_auhentication_algo_kind(identity->identityCA)));
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+ return true;
+
+err_sn_ca:
+ ddsrt_free(snCert);
+err_sn_cert:
+err_inv_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+err_bad_param:
+ return false;
+}
+
+DDS_Security_boolean get_identity_status_token(
+
dds_security_authentication *instance,
+ DDS_Security_IdentityStatusToken *identity_status_token,
+ const DDS_Security_IdentityHandle handle,
+ DDS_Security_SecurityException *ex)
+{
+ DDSRT_UNUSED_ARG(identity_status_token);
+ DDSRT_UNUSED_ARG(handle);
+ DDSRT_UNUSED_ARG(ex);
+ DDSRT_UNUSED_ARG(instance);
+
+ return true;
+}
+
+DDS_Security_boolean
+set_permissions_credential_and_token(
+ dds_security_authentication *instance,
+ const DDS_Security_IdentityHandle handle,
+ const DDS_Security_PermissionsCredentialToken *permissions_credential,
+ const DDS_Security_PermissionsToken *permissions_token,
+ DDS_Security_SecurityException *ex)
+{
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ LocalIdentityInfo *identity;
+
+ /* validate provided arguments */
+ if ((!instance) ||
+ (handle == DDS_SECURITY_HANDLE_NIL) ||
+ (!permissions_credential) ||
+ (!permissions_token) ){
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_identity_token: Invalid parameter provided");
+ return false;
+ }
+
+ if (!permissions_credential->class_id ||
+ (strcmp(permissions_credential->class_id, ACCESS_PERMISSIONS_CREDENTIAL_TOKEN_ID) != 0)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_identity_token: Invalid parameter provided");
+ return false;
+ }
+
+ if ((permissions_credential->properties._length == 0) ||
+ (permissions_credential->properties._buffer[0].name == NULL) ||
+ (strcmp(permissions_credential->properties._buffer[0].name, ACCESS_PROPERTY_PERMISSION_DOCUMENT) != 0)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_identity_token: Invalid parameter provided");
+ return false;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ identity = (LocalIdentityInfo *)security_object_find(impl->objectHash,
handle);
+ if (!identity || !SECURITY_OBJECT_VALID(identity, SECURITY_OBJECT_KIND_LOCAL_IDENTITY)) {
+ ddsrt_mutex_unlock(&impl->lock);
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_identity_token: Invalid handle provided");
+ return false;
+ }
+
+ if (permissions_credential->properties._buffer[0].value) {
+ identity->permissionsDocument = ddsrt_strdup(permissions_credential->properties._buffer[0].value);
+ } else {
+ identity->permissionsDocument = ddsrt_strdup("");
+ }
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+ return true;
+}
+
+
+static DDS_Security_ValidationResult_t
+validate_remote_identity_token(
+ const LocalIdentityInfo *localIdent,
+ const DDS_Security_IdentityToken *token,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+
+ DDSRT_UNUSED_ARG(localIdent);
+
+ if (token->class_id) {
+ size_t sz = strlen(AUTH_PROTOCOL_CLASS);
+
+ if (strncmp(AUTH_PROTOCOL_CLASS, token->class_id, sz) == 0) {
+ char *ptr = &token->class_id[sz];
+ char postfix[2];
+ unsigned major, minor;
+
+ DDSRT_WARNING_MSVC_OFF(4996);
+ if (sscanf(ptr, ":%u.%u%1s", &major, &minor, postfix) == 2) {
+ DDSRT_WARNING_MSVC_ON(4996);
+ if (major == AUTH_PROTOCOL_VERSION_MAJOR) {
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "remote identity token: version %u.%u not supported", major, minor);
+ }
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "remote identity token: class_id has wrong format");
+ }
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "remote identity token: class_id='%s' not supported", token->class_id);
+ }
+ } else
{
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "remote identity token: class_id is empty");
+ }
+
+ return result;
+}
+
+static DDS_Security_ValidationResult_t
+validate_auth_request_token(
+ const DDS_Security_IdentityToken *token,
+ AuthenticationChallenge **challenge,
+ DDS_Security_SecurityException *ex)
+{
+ uint32_t index;
+ int found = 0;
+
+ assert(token);
+
+ if (!token->class_id) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "AuthRequestMessageToken invalid: missing class_id");
+ goto err_inv_token;
+ }
+
+ if (strncmp(token->class_id, AUTH_REQUEST_TOKEN_CLASS_ID, strlen(AUTH_REQUEST_TOKEN_CLASS_ID)) != 0) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "AuthRequestMessageToken invalid: class_id '%s' is invalid", token->class_id);
+ goto err_inv_token;
+ }
+
+ if (!token->binary_properties._buffer) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "AuthRequestMessageToken invalid: properties are missing");
+ goto err_inv_token;
+ }
+
+ for (index = 0; index < token->binary_properties._length; index++) {
+ size_t len = strlen(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+ if (token->binary_properties._buffer[index].name &&
+ (strncmp(token->binary_properties._buffer[index].name, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME, len) == 0)) {
+ found = 1;
+ break;
+ }
+ }
+
+ if (!found) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "AuthRequestMessageToken invalid: future_challenge not found");
+ goto err_inv_token;
+ }
+
+ if (token->binary_properties._buffer[index].value._length != sizeof(AuthenticationChallenge)) {
+ DDS_Security_Exception_set(ex,
DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "AuthRequestMessageToken invalid: future_challenge invalid size");
+ goto err_inv_token;
+ }
+
+ if (!token->binary_properties._buffer[index].value._buffer) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "AuthRequestMessageToken invalid: future_challenge invalid size");
+ goto err_inv_token;
+ }
+
+ if (challenge) {
+ *challenge = ddsrt_malloc(sizeof(AuthenticationChallenge));
+ memcpy(*challenge, &token->binary_properties._buffer[index].value._buffer[0], sizeof(AuthenticationChallenge));
+ }
+
+ return DDS_SECURITY_VALIDATION_OK;
+
+err_inv_token:
+ return DDS_SECURITY_VALIDATION_FAILED;
+}
+
+static void
+fill_auth_request_token(
+ DDS_Security_AuthRequestMessageToken *token,
+ AuthenticationChallenge *challenge)
+{
+ uint32_t len = sizeof(challenge->value);
+
+ DDS_Security_DataHolder_deinit(token);
+
+ token->class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID);
+ token->binary_properties._length = 1;
+ token->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(1);
+ token->binary_properties._buffer->name = ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+
+ token->binary_properties._buffer->value._length = len;
+ token->binary_properties._buffer->value._buffer = ddsrt_malloc(len);
+ memcpy(token->binary_properties._buffer->value._buffer, challenge->value, len);
+}
+
+DDS_Security_ValidationResult_t
+validate_remote_identity(
+ dds_security_authentication *instance,
+ DDS_Security_IdentityHandle *remote_identity_handle,
+ DDS_Security_AuthRequestMessageToken *local_auth_request_token,
+ const DDS_Security_AuthRequestMessageToken *remote_auth_request_token,
+ const DDS_Security_IdentityHandle local_identity_handle,
+ const DDS_Security_IdentityToken *remote_identity_token,
+ const DDS_Security_GUID_t *remote_participant_guid,
+ DDS_Security_SecurityException *ex)
+{
+
DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ SecurityObject *obj;
+ LocalIdentityInfo *localIdent;
+ RemoteIdentityInfo *remoteIdent;
+ IdentityRelation *relation;
+ AuthenticationChallenge *lchallenge = NULL, *rchallenge = NULL;
+ int r;
+
+ /* validate provided arguments */
+ if (!instance || !remote_identity_handle || !local_auth_request_token || !remote_identity_token || !remote_participant_guid) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "validate_remote_identity: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ obj = security_object_find(impl->objectHash, local_identity_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_LOCAL_IDENTITY)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "validate_remote_identity: Invalid handle provided");
+ goto err_inv_handle;
+ }
+ localIdent = (LocalIdentityInfo *) obj;
+
+ /* Check if the provided remote_identity_token is compatible */
+ result = validate_remote_identity_token(localIdent, remote_identity_token, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_remote_identity_token;
+ }
+
+ /* When the remote_auth_request_token is not null, check if it's contents is valid and
+ * set the futureChallenge from the data contained in the remote_auth_request_token.
+ */
+ if (remote_auth_request_token) {
+ result = validate_auth_request_token(remote_auth_request_token, &rchallenge, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_auth_req_token;
+ }
+ }
+
+ if ((lchallenge = generate_challenge(ex)) == NULL) {
+ goto err_alloc_challenge;
+ }
+
+ /* The validate_remote_identity will also create a handshake structure which contains the
+ * relation between an local an remote identity. This handshake structure is inserted in
+ * the remote identity structure.
+ */
+
+ /* Check if the remote identity has already been validated by a previous validation request. */
+ remoteIdent = find_remote_identity_by_guid(impl->remoteGuidHash, remote_participant_guid);
+ if (!remoteIdent) {
+ remoteIdent = remoteIdentityInfoNew(remote_participant_guid, remote_identity_token);
+ (void)ddsrt_hh_add(impl->objectHash, remoteIdent);
+ (void)ddsrt_hh_add(impl->remoteGuidHash, remoteIdent);
+ relation = identityRelationNew(localIdent, remoteIdent, lchallenge, rchallenge);
+ (void)ddsrt_hh_add(remoteIdent->linkHash, relation);
+ } else {
+ /* When the remote identity has already been validated before,
+ check if the remote identity token matches with the existing one
+ */
+ if (!DDS_Security_DataHolder_equal(remoteIdent->remoteIdentityToken, remote_identity_token)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "validate_remote_identity: remote_identity_token does not match with previously received one");
+ goto err_inv_duplicate;
+ }
+
+ relation = find_identity_relation(remoteIdent, SECURITY_OBJECT_HANDLE(localIdent));
+ if (!relation) {
+ relation = identityRelationNew(localIdent, remoteIdent, lchallenge, rchallenge);
+ r = ddsrt_hh_add(remoteIdent->linkHash, relation);
+ assert(r);
+ (void)r;
+ } else {
+ if (remote_auth_request_token) {
+ assert(rchallenge);
+ ddsrt_free(relation->rchallenge);
+ relation->rchallenge = rchallenge;
+ }
+ ddsrt_free(lchallenge);
+ }
+ }
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+ if (!remote_auth_request_token) {
+ /* Create local_auth_request_token with contents set to the challenge */
+ fill_auth_request_token(local_auth_request_token, relation->lchallenge);
+ } else {
+ /* Set local_auth_request token to TokenNil */
+ DDS_Security_set_token_nil(local_auth_request_token);
+ }
+
+ *remote_identity_handle = IDENTITY_HANDLE(remoteIdent);;
+
+ if (memcmp(&localIdent->adjustedGUID, &remoteIdent->guid, sizeof(DDS_Security_GUID_t)) < 0) {
+ result = DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST;
+ } else {
+ result = DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE;
+ }
+
+ return result;
+
+err_inv_duplicate:
+ ddsrt_free(lchallenge);
+err_alloc_challenge:
+ ddsrt_free(rchallenge);
+err_inv_auth_req_token:
+err_remote_identity_token:
+err_inv_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+err_bad_param:
+ return DDS_SECURITY_VALIDATION_FAILED;
+}
+
+DDS_Security_ValidationResult_t
+begin_handshake_request(
+ dds_security_authentication *instance,
+ DDS_Security_HandshakeHandle *handshake_handle,
+ DDS_Security_HandshakeMessageToken *handshake_message,
+ const DDS_Security_IdentityHandle initiator_identity_handle,
+ const DDS_Security_IdentityHandle replier_identity_handle,
+ const DDS_Security_OctetSeq *serialized_local_participant_data,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ HandshakeInfo *handshake = NULL;
+ IdentityRelation *relation = NULL;
+ SecurityObject *obj;
+ LocalIdentityInfo *localIdent;
+ RemoteIdentityInfo *remoteIdent;
+ EVP_PKEY *dhkey;
+ DDS_Security_BinaryProperty_t *tokens;
+ DDS_Security_BinaryProperty_t *c_id;
+ DDS_Security_BinaryProperty_t *c_perm;
+ DDS_Security_BinaryProperty_t *c_pdata;
+ DDS_Security_BinaryProperty_t *c_dsign_algo;
+ DDS_Security_BinaryProperty_t
*c_kagree_algo;
+ DDS_Security_BinaryProperty_t *hash_c1;
+ DDS_Security_BinaryProperty_t *dh1;
+ DDS_Security_BinaryProperty_t *challenge;
+ unsigned char *certData;
+ unsigned char *dhPubKeyData = NULL;
+ uint32_t certDataSize, dhPubKeyDataSize;
+ int created = 0;
+
+ /* validate provided arguments */
+ if (!instance || !handshake_handle || !handshake_message || !serialized_local_participant_data) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "begin_handshake_request: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ obj = security_object_find(impl->objectHash, initiator_identity_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_LOCAL_IDENTITY)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "begin_handshake_request: Invalid initiator_identity_handle provided");
+ goto err_inv_handle;
+ }
+ localIdent = (LocalIdentityInfo *) obj;
+
+ obj = security_object_find(impl->objectHash, replier_identity_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_REMOTE_IDENTITY)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "begin_handshake_request: Invalid replier_identity_handle provided");
+ goto err_inv_handle;
+ }
+ remoteIdent = (RemoteIdentityInfo *)obj;
+
+ result = get_certificate_contents(localIdent->identityCert, &certData, &certDataSize, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_alloc_cid;
+ }
+
+ handshake = find_handshake(impl, SECURITY_OBJECT_HANDLE(localIdent), SECURITY_OBJECT_HANDLE(remoteIdent));
+ if (!handshake) {
+ relation = find_identity_relation(remoteIdent, SECURITY_OBJECT_HANDLE(localIdent));
+ assert(relation);
+ handshake = handshakeInfoNew(localIdent, remoteIdent, relation);
+ handshake->created_in =
CREATEDREQUEST;
+ (void)ddsrt_hh_add(impl->objectHash, handshake);
+ created = 1;
+ } else {
+ relation = handshake->relation;
+ assert(relation);
+ }
+
+ if (!handshake->ldh) {
+ result = generate_dh_keys(&dhkey, localIdent->kagreeAlgoKind, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_gen_dh_keys;
+ }
+
+ handshake->ldh = dhkey;
+ }
+
+ result = dh_public_key_to_oct(handshake->ldh, localIdent->kagreeAlgoKind, &dhPubKeyData, &dhPubKeyDataSize, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_get_public_key;
+ }
+
+ if (localIdent->pdata._length == 0) {
+ DDS_Security_OctetSeq_copy(&localIdent->pdata, serialized_local_participant_data);
+ }
+
+ tokens = DDS_Security_BinaryPropertySeq_allocbuf(8);
+ c_id = &tokens[0];
+ c_perm = &tokens[1];
+ c_pdata = &tokens[2];
+ c_dsign_algo = &tokens[3];
+ c_kagree_algo = &tokens[4];
+ hash_c1 = &tokens[5];
+ dh1 = &tokens[6];
+ challenge = &tokens[7];
+
+ /* Store the Identity Certificate associated with the local identify in c.id property */
+ DDS_Security_BinaryProperty_set_by_ref(c_id, "c.id", certData, certDataSize);
+
+ /* Store the permission document in the c.perm property */
+ if (localIdent->permissionsDocument) {
+ DDS_Security_BinaryProperty_set_by_string(c_perm, "c.perm", localIdent->permissionsDocument);
+ } else {
+ DDS_Security_BinaryProperty_set_by_string(c_perm, "c.perm", "");
+ }
+
+ /* Store the provided local_participant_data in the c.pdata property */
+ DDS_Security_BinaryProperty_set_by_value(c_pdata, "c.pdata", serialized_local_participant_data->_buffer, serialized_local_participant_data->_length);
+
+ /* Set the used signing algorithm descriptor in c.dsign_algo */
+ DDS_Security_BinaryProperty_set_by_string(c_dsign_algo, "c.dsign_algo", get_dsign_algo(localIdent->dsignAlgoKind));
+
+ /* Set the used key algorithm descriptor in c.kagree_algo */
+ DDS_Security_BinaryProperty_set_by_string(c_kagree_algo, "c.kagree_algo", get_kagree_algo(localIdent->kagreeAlgoKind));
+
+ /*
Calculate the hash_c1 */
+ {
+ DDS_Security_BinaryPropertySeq bseq;
+
+ bseq._length = 5;
+ bseq._buffer = tokens;
+
+ get_hash_binary_property_seq(&bseq, handshake->hash_c1);
+ DDS_Security_BinaryProperty_set_by_value(hash_c1, "hash_c1", handshake->hash_c1, sizeof(HashValue_t));
+ }
+
+ /* Set the DH public key associated with the local participant in dh1 property */
+ assert(dhPubKeyData);
+ assert(dhPubKeyDataSize < 1200);
+ DDS_Security_BinaryProperty_set_by_ref(dh1, "dh1", dhPubKeyData, dhPubKeyDataSize);
+
+ /* Set the challenge in challenge1 property */
+ DDS_Security_BinaryProperty_set_by_value(challenge, "challenge1", relation->lchallenge->value, sizeof(AuthenticationChallenge));
+
+ (void)ddsrt_hh_add(impl->objectHash, handshake);
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+ handshake_message->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REQUEST_TOKEN_ID);
+ handshake_message->properties._length = 0;
+ handshake_message->properties._buffer = NULL;
+ handshake_message->binary_properties._length = 8;
+ handshake_message->binary_properties._buffer = tokens;
+ *handshake_handle = HANDSHAKE_HANDLE(handshake);
+
+ return DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE;
+
+err_get_public_key:
+err_gen_dh_keys:
+ if (created) {
+ (void)ddsrt_hh_remove(impl->objectHash, handshake);
+ security_object_free((SecurityObject *)handshake);
+ }
+err_alloc_cid:
+ ddsrt_free(certData);
+err_inv_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+err_bad_param:
+ return DDS_SECURITY_VALIDATION_FAILED;
+}
+
+static DDS_Security_ValidationResult_t
+validate_pdata(
+ const DDS_Security_OctetSeq *seq,
+ X509 *cert,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ DDS_Security_Deserializer deserializer;
+ DDS_Security_ParticipantBuiltinTopicData *pdata;
+ DDS_Security_GUID_t cguid, aguid;
+
+ deserializer = DDS_Security_Deserializer_new(seq->_buffer, seq->_length);
+ if (!deserializer) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: c.pdata invalid encoding");
+ goto err_invalid_data;
+ }
+
+ pdata = DDS_Security_ParticipantBuiltinTopicData_alloc();
+
+ if (!DDD_Security_Deserialize_ParticipantBuiltinTopicData(deserializer, pdata, ex)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ goto err_incorrect_data;
+ }
+
+ memset(&cguid, 0, sizeof(DDS_Security_GUID_t));
+ result = get_adjusted_participant_guid(cert, &cguid, &aguid, ex);
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ DDS_Security_BuiltinTopicKey_t key;
+ DDD_Security_BuiltinTopicKeyBE(key, pdata->key);
+ if (memcmp(key, aguid.prefix, 6) != 0) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: c.pdata contains incorrect participant guid");
+ }
+ }
+
+err_incorrect_data:
+ DDS_Security_ParticipantBuiltinTopicData_free(pdata);
+ DDS_Security_Deserializer_free(deserializer);
+err_invalid_data:
+ return result;
+}
+
+static DDS_Security_ValidationResult_t
+validate_handshake_request_token(
+ const DDS_Security_HandshakeMessageToken *token,
+ HandshakeInfo *handshake,
+ X509Seq *trusted_ca_list,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ IdentityRelation *relation = handshake->relation;
+ X509 *identityCert;
+ const DDS_Security_BinaryProperty_t *c_id;
+ const DDS_Security_BinaryProperty_t *c_perm;
+ const DDS_Security_BinaryProperty_t *c_pdata;
+ const DDS_Security_BinaryProperty_t *c_dsign_algo;
+ const DDS_Security_BinaryProperty_t *c_kagree_algo;
+ const DDS_Security_BinaryProperty_t *dh1;
+ const DDS_Security_BinaryProperty_t *challenge;
+ const DDS_Security_BinaryProperty_t *hash_c1;
+ EVP_PKEY *pdhkey = NULL;
+ AuthenticationAlgoKind_t dsignAlgoKind;
+ AuthenticationAlgoKind_t kagreeAlgoKind;
+ unsigned i;
+
+
assert(relation);
+
+ /* Check class_id */
+ if (!token->class_id ||
+ (strncmp(AUTH_HANDSHAKE_REQUEST_TOKEN_ID, token->class_id, strlen(AUTH_HANDSHAKE_REQUEST_TOKEN_ID)) != 0)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken incorrect class_id: %s (expected %s)", token->class_id ? token->class_id: "NULL", AUTH_HANDSHAKE_REQUEST_TOKEN_ID);
+ goto err_inv_class_id;
+ }
+
+ /* Check presents of mandatory properties
+ * - c.id
+ * - c.perm
+ * - c.pdata
+ * - c.dsign_algo
+ * - c.kagree_algo
+ * - dh1
+ * - challenge1
+ */
+ c_id = DDS_Security_DataHolder_find_binary_property(token, "c.id");
+ if (!c_id || (c_id->value._length == 0) || (c_id->value._buffer == NULL)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.id missing");
+ goto err_no_c_id;
+ }
+
+ result = load_X509_certificate_from_data((char*)c_id->value._buffer, (int)c_id->value._length, &identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_identity_cert_load;
+ }
+
+ if( trusted_ca_list->length == 0 ){ //no trusted set. check with local CA
+ result = verify_certificate(identityCert, relation->localIdentity->identityCA, ex);
+ }
+ else{
+ /* Make sure we have a clean exception, in case it was uninitialized. */
+ DDS_Security_Exception_clean(ex);
+ for (i = 0; i < trusted_ca_list->length; ++i) {
+ /* We'll only return the exception of the last one, if it failed.
*/
+ DDS_Security_Exception_reset(ex);
+ result = verify_certificate(identityCert, trusted_ca_list->buffer[i], ex);
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ break;
+ }
+ }
+ }
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_identity_cert;
+ }
+
+ result = check_certificate_expiry( identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_identity_cert;
+ }
+
+ c_perm = DDS_Security_DataHolder_find_binary_property(token, "c.perm");
+ if (!c_perm) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.perm missing");
+ goto err_no_c_perm;
+ }
+
+ if (c_perm->value._length > 0) {
+ ddsrt_free(relation->remoteIdentity->permissionsDocument);
+ relation->remoteIdentity->permissionsDocument = string_from_data(c_perm->value._buffer, c_perm->value._length);
+ }
+
+ c_pdata = DDS_Security_DataHolder_find_binary_property(token, "c.pdata");
+ if (!c_pdata) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.pdata missing");
+ goto err_no_c_pdata;
+ }
+
+ result = validate_pdata(&c_pdata->value, identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_pdata;
+ }
+
+ c_dsign_algo = DDS_Security_DataHolder_find_binary_property(token, "c.dsign_algo");
+ if (!c_dsign_algo) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.dsign_algo missing");
+ goto err_no_c_dsign_algo;
+ }
+
+ dsignAlgoKind = get_dsign_algo_from_string((const char *)c_dsign_algo->value._buffer);
+ if (dsignAlgoKind == AUTH_ALGO_KIND_UNKNOWN) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+
DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.dsign_algo not supported");
+ goto err_no_c_dsign_algo;
+ }
+
+ c_kagree_algo = DDS_Security_DataHolder_find_binary_property(token, "c.kagree_algo");
+ if (!c_kagree_algo) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.kagree_algo missing");
+ goto err_no_c_kagree_algo;
+ }
+
+ kagreeAlgoKind = get_kagree_algo_from_string((const char *)c_kagree_algo->value._buffer);
+ if (kagreeAlgoKind == AUTH_ALGO_KIND_UNKNOWN) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property c.kagree_algo not support");
+ goto err_no_c_kagree_algo;
+ }
+
+ dh1 = DDS_Security_DataHolder_find_binary_property(token, "dh1");
+ if (!dh1 || dh1->value._length == 0 || dh1->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property dh1 missing");
+ goto err_no_dh;
+ }
+
+ result = dh_oct_to_public_key(&pdhkey, kagreeAlgoKind, dh1->value._buffer, dh1->value._length, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_no_dh;
+ }
+
+ challenge = DDS_Security_DataHolder_find_binary_property(token, "challenge1");
+ if (!challenge) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property challenge1 missing");
+ goto err_no_challenge;
+ }
+
+ if (challenge->value._length != sizeof(AuthenticationChallenge) ||
challenge->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property challenge1 invalid");
+ goto err_no_challenge;
+ }
+
+ /* When validate_remote_identity was provided with a remote_auth_request_token
+ * then the future_challenge in the remote identity was set and the challenge1
+ * property of the handshake_request_token should be the same as the
+ * future_challenge stored in the remote identity.
+ */
+ if (relation->rchallenge) {
+ if (memcmp(relation->rchallenge->value, challenge->value._buffer, sizeof(AuthenticationChallenge)) != 0) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property challenge1 does not match future_challenge");
+ goto err_no_challenge;
+ }
+ } else {
+ if (challenge->value._length == sizeof(relation->rchallenge->value)) {
+ relation->rchallenge = ddsrt_malloc(sizeof(AuthenticationChallenge));
+ memcpy(relation->rchallenge, challenge->value._buffer, challenge->value._length);
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property challenge1 invalid (incorrect size)");
+ goto err_no_challenge;
+ }
+ }
+
+ /* Compute the hash_c1 value */
+ {
+ const DDS_Security_BinaryProperty_t * binary_properties[5];
+
+ binary_properties[0] = c_id;
+ binary_properties[1] = c_perm;
+ binary_properties[2] = c_pdata;
+ binary_properties[3] = c_dsign_algo;
+ binary_properties[4] = c_kagree_algo;
+
+ (void)compute_hash_value(&handshake->hash_c1[0], binary_properties, 5, NULL);
+ }
+
+ hash_c1 = DDS_Security_DataHolder_find_binary_property(token, "hash_c1");
+ if (hash_c1) {
+ if
((hash_c1->value._length == sizeof(HashValue_t)) &&
+ (memcmp(hash_c1->value._buffer, &handshake->hash_c1, sizeof(HashValue_t)) == 0)) {
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property hash_c1 invalid (incorrect size)");
+ goto err_inv_hash_c1;
+ }
+ }
+
+ if (!relation->remoteIdentity->identityCert) {
+ relation->remoteIdentity->identityCert = identityCert;
+ } else {
+ X509_free(relation->remoteIdentity->identityCert);
+ relation->remoteIdentity->identityCert = identityCert;
+ }
+
+ relation->remoteIdentity->dsignAlgoKind = dsignAlgoKind;
+ relation->remoteIdentity->kagreeAlgoKind = kagreeAlgoKind;
+
+ DDS_Security_OctetSeq_copy(&relation->remoteIdentity->pdata, &c_pdata->value);
+
+ handshake->rdh = pdhkey;
+
+ return result;
+
+err_inv_hash_c1:
+err_no_challenge:
+ EVP_PKEY_free(pdhkey);
+err_no_dh:
+err_no_c_kagree_algo:
+err_no_c_dsign_algo:
+err_inv_pdata:
+err_no_c_pdata:
+err_no_c_perm:
+err_inv_identity_cert:
+ X509_free(identityCert);
+err_identity_cert_load:
+err_no_c_id:
+err_inv_class_id:
+ return result;
+}
+
+
+static DDS_Security_ValidationResult_t
+validate_handshake_reply_token(
+ const DDS_Security_HandshakeMessageToken *token,
+ HandshakeInfo *handshake,
+ EVP_PKEY **pdhkey,
+ X509Seq *trusted_ca_list,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ IdentityRelation *relation = handshake->relation;
+ X509 *identityCert;
+ EVP_PKEY *public_key;
+ const DDS_Security_BinaryProperty_t *c_id;
+ const DDS_Security_BinaryProperty_t *c_perm;
+ const DDS_Security_BinaryProperty_t *c_pdata;
+ const DDS_Security_BinaryProperty_t *c_dsign_algo;
+ const DDS_Security_BinaryProperty_t *c_kagree_algo;
+ const DDS_Security_BinaryProperty_t *dh1;
+ const DDS_Security_BinaryProperty_t *dh2;
+ const DDS_Security_BinaryProperty_t
*hash_c1;
+ const DDS_Security_BinaryProperty_t *hash_c2;
+ const DDS_Security_BinaryProperty_t *challenge1;
+ const DDS_Security_BinaryProperty_t *challenge2;
+ const DDS_Security_BinaryProperty_t *signature;
+ AuthenticationAlgoKind_t dsignAlgoKind;
+ AuthenticationAlgoKind_t kagreeAlgoKind;
+
+ unsigned i;
+
+ assert(relation);
+
+ /* Check class_id */
+ if (!token->class_id ||
+ (strncmp(AUTH_HANDSHAKE_REPLY_TOKEN_ID, token->class_id, strlen(AUTH_HANDSHAKE_REPLY_TOKEN_ID)) != 0)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken incorrect class_id: %s (expected %s)", token->class_id ? token->class_id: "NULL", AUTH_HANDSHAKE_REPLY_TOKEN_ID);
+ goto err_inv_class_id;
+ }
+
+ /* Check presents of mandatory properties
+ * - c.id
+ * - c.perm
+ * - c.pdata
+ * - c.dsign_algo
+ * - c.kagree_algo
+ * - challenge1
+ * - dh2
+ * - challenge2
+ * - signature
+ */
+ c_id = DDS_Security_DataHolder_find_binary_property(token, "c.id");
+ if (!c_id || (c_id->value._length == 0) || (c_id->value._buffer == NULL)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.id missing");
+ goto err_no_c_id;
+ }
+
+ /* Verify Identity Certificate */
+ result = load_X509_certificate_from_data((char*)c_id->value._buffer, (int)c_id->value._length, &identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK ) {
+ goto err_identity_cert_load;
+ }
+
+ if( trusted_ca_list->length == 0 ){ //no trusted set. check with local CA
+ result = verify_certificate(identityCert, relation->localIdentity->identityCA, ex);
+ }
+ else{
+ /* Make sure we have a clean exception, in case it was uninitialized.
*/
+ DDS_Security_Exception_clean(ex);
+ for (i = 0; i < trusted_ca_list->length; ++i) {
+ /* We'll only return the exception of the last one, if it failed. */
+ DDS_Security_Exception_reset(ex);
+ result = verify_certificate(identityCert, trusted_ca_list->buffer[i], ex);
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ break;
+ }
+ }
+ }
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_identity_cert;
+ }
+
+ result = check_certificate_expiry( identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_identity_cert;
+ }
+
+ c_perm = DDS_Security_DataHolder_find_binary_property(token, "c.perm");
+ if (!c_perm) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.perm missing");
+ goto err_no_c_perm;
+ }
+
+ if (c_perm->value._length > 0) {
+ ddsrt_free(relation->remoteIdentity->permissionsDocument);
+ relation->remoteIdentity->permissionsDocument = string_from_data(c_perm->value._buffer, c_perm->value._length);
+ }
+
+ c_pdata = DDS_Security_DataHolder_find_binary_property(token, "c.pdata");
+ if (!c_pdata) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.pdata missing");
+ goto err_no_c_pdata;
+ }
+
+ result = validate_pdata(&c_pdata->value, identityCert, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_pdata;
+ }
+
+ c_dsign_algo = DDS_Security_DataHolder_find_binary_property(token, "c.dsign_algo");
+ if (!c_dsign_algo) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.dsign_algo missing");
+ goto err_no_c_dsign_algo;
+ }
+
+ dsignAlgoKind =
get_dsign_algo_from_string((const char *)c_dsign_algo->value._buffer);
+ if (dsignAlgoKind == AUTH_ALGO_KIND_UNKNOWN) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.dsign_algo not supported");
+ goto err_no_c_dsign_algo;
+ }
+
+ c_kagree_algo = DDS_Security_DataHolder_find_binary_property(token, "c.kagree_algo");
+ if (!c_kagree_algo) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.kagree_algo missing");
+ goto err_no_c_kagree_algo;
+ }
+
+ kagreeAlgoKind = get_kagree_algo_from_string((const char *)c_kagree_algo->value._buffer);
+ if (kagreeAlgoKind == AUTH_ALGO_KIND_UNKNOWN) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property c.kagree_algo not support");
+ goto err_no_c_kagree_algo;
+ }
+
+ /* dh1 is optional */
+ dh1 = DDS_Security_DataHolder_find_binary_property(token, "dh1");
+ DDSRT_UNUSED_ARG(dh1); /*print it for integration purposes */
+
+ dh2 = DDS_Security_DataHolder_find_binary_property(token, "dh2");
+ if (!dh2 || dh2->value._length == 0 || dh2->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property dh2 missing");
+ goto err_no_dh;
+ }
+
+ hash_c1 = DDS_Security_DataHolder_find_binary_property(token, "hash_c1");
+ if (hash_c1) {
+ if ((hash_c1->value._length == sizeof(HashValue_t)) &&
+ (memcmp(hash_c1->value._buffer, handshake->hash_c1, sizeof(HashValue_t)) == 0)) {
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+
DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property hash_c1 invalid");
+ goto err_inv_hash_c1;
+ }
+ }
+
+ /* Compute the hash_c2 value */
+ {
+ const DDS_Security_BinaryProperty_t * binary_properties[5];
+
+ binary_properties[0] = c_id;
+ binary_properties[1] = c_perm;
+ binary_properties[2] = c_pdata;
+ binary_properties[3] = c_dsign_algo;
+ binary_properties[4] = c_kagree_algo;
+
+ (void)compute_hash_value(&handshake->hash_c2[0], binary_properties, 5, NULL);
+ }
+
+ hash_c2 = DDS_Security_DataHolder_find_binary_property(token, "hash_c2");
+ if (hash_c2) {
+ if ((hash_c2->value._length == sizeof(HashValue_t)) &&
+ (memcmp(hash_c2->value._buffer, handshake->hash_c2, sizeof(HashValue_t)) == 0)) {
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property hash_c2 invalid");
+ goto err_inv_hash_c2;
+ }
+ }
+
+ signature = DDS_Security_DataHolder_find_binary_property(token, "signature");
+ if (!signature || signature->value._length == 0 || signature->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property signature missing");
+ goto err_no_signature;
+ }
+
+ *pdhkey = NULL;
+ result = dh_oct_to_public_key(pdhkey, kagreeAlgoKind, dh2->value._buffer, dh2->value._length, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_dh;
+ }
+
+ challenge1 = DDS_Security_DataHolder_find_binary_property(token, "challenge1");
+ if (!challenge1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property
challenge1 missing");
+ goto err_no_challenge;
+ }
+
+ if (challenge1->value._length != sizeof(AuthenticationChallenge) || challenge1->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge1 invalid");
+ goto err_no_challenge;
+ }
+
+
+ challenge2 = DDS_Security_DataHolder_find_binary_property(token, "challenge2");
+ if (!challenge2) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge2 missing");
+ goto err_no_challenge;
+ }
+
+ if (challenge2->value._length != sizeof(AuthenticationChallenge) || challenge2->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge2 invalid");
+ goto err_no_challenge;
+ }
+ /* When validate_remote_identity was provided with a remote_auth_request_token
+ * then the future_challenge in the remote identity was set and the challenge2
+ * property of the handshake_reply_token should be the same as the
+ * future_challenge stored in the remote identity.
+ */
+
+
+
+ if (relation->rchallenge) {
+ if (memcmp(relation->rchallenge->value, challenge2->value._buffer, sizeof(AuthenticationChallenge)) != 0) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge2 does not match future_challenge");
+ goto err_no_challenge;
+ }
+ } else {
+ if (challenge2->value._length == sizeof(relation->rchallenge->value)) {
+ relation->rchallenge = ddsrt_malloc(sizeof(AuthenticationChallenge));
+ memcpy(relation->rchallenge, challenge2->value._buffer, challenge2->value._length);
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge2 invalid (incorrect size)");
+ goto err_no_challenge;
+ }
+ }
+
+
+ if (relation->lchallenge) {
+ if (memcmp(relation->lchallenge->value, challenge1->value._buffer, sizeof(AuthenticationChallenge)) != 0) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge1 does not match future_challenge");
+ goto err_no_challenge;
+ }
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: No future challenge exists for this token");
+ goto err_no_challenge;
+ }
+
+
+ /* TODO: check if an identity certificate was already associated with the remote identity and
+ * when that is the case both should be the same
+ */
+ if (!relation->remoteIdentity->identityCert) {
+ relation->remoteIdentity->identityCert = identityCert;
+ } else {
+ X509_free(relation->remoteIdentity->identityCert);
+ relation->remoteIdentity->identityCert =
identityCert;
+ }
+
+ relation->remoteIdentity->dsignAlgoKind = dsignAlgoKind;
+ relation->remoteIdentity->kagreeAlgoKind = kagreeAlgoKind;
+
+
+ public_key = X509_get_pubkey(relation->remoteIdentity->identityCert);
+ if (public_key) {
+ /*prepare properties*/
+ const DDS_Security_BinaryProperty_t *properties[HANDSHAKE_SIGNATURE_CONTENT_SIZE];
+ DDS_Security_BinaryProperty_t *hash_c1_val = hash_value_to_binary_property("hash_c1", handshake->hash_c1);
+ DDS_Security_BinaryProperty_t *hash_c2_val = hash_value_to_binary_property("hash_c2", handshake->hash_c2);
+
+ properties[0] = hash_c2_val;
+ properties[1] = challenge2;
+ properties[2] = dh2;
+ properties[3] = challenge1;
+ properties[4] = dh1;
+ properties[5] = hash_c1_val;
+
+ result = validate_signature(public_key,properties, HANDSHAKE_SIGNATURE_CONTENT_SIZE, signature->value._buffer,signature->value._length, ex);
+
+ EVP_PKEY_free(public_key);
+ DDS_Security_BinaryProperty_free(hash_c1_val);
+ DDS_Security_BinaryProperty_free(hash_c2_val);
+
+ if( result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_signature;
+ }
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_get_pubkey failed");
+ goto err_inv_identity_cert;
+ }
+
+
+ DDS_Security_OctetSeq_copy(&relation->remoteIdentity->pdata, &c_pdata->value);
+
+ return result;
+
+err_inv_signature:
+err_no_challenge:
+err_inv_dh:
+err_no_signature:
+err_inv_hash_c2:
+err_inv_hash_c1:
+err_no_dh:
+err_no_c_kagree_algo:
+err_no_c_dsign_algo:
+err_inv_pdata:
+err_no_c_pdata:
+err_no_c_perm:
+err_inv_identity_cert:
+ X509_free(identityCert);
+err_identity_cert_load:
+err_no_c_id:
+err_inv_class_id:
+ return result;
+}
+
+
+static DDS_Security_ValidationResult_t
+validate_handshake_final_token(
+ const DDS_Security_HandshakeMessageToken *token,
+ HandshakeInfo *handshake,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result =
DDS_SECURITY_VALIDATION_OK;
+ IdentityRelation *relation = handshake->relation;
+ const DDS_Security_BinaryProperty_t *dh1;
+ const DDS_Security_BinaryProperty_t *dh2;
+ const DDS_Security_BinaryProperty_t *hash_c1;
+ const DDS_Security_BinaryProperty_t *hash_c2;
+ const DDS_Security_BinaryProperty_t *challenge1;
+ const DDS_Security_BinaryProperty_t *challenge2;
+ const DDS_Security_BinaryProperty_t *signature;
+ EVP_PKEY *public_key;
+
+ assert(relation);
+
+ /* Check class_id */
+ if (!token->class_id ||
+ (strncmp(AUTH_HANDSHAKE_FINAL_TOKEN_ID, token->class_id, strlen(AUTH_HANDSHAKE_FINAL_TOKEN_ID)) != 0)) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken incorrect class_id: %s (expected %s)", token->class_id ? token->class_id: "NULL", AUTH_HANDSHAKE_FINAL_TOKEN_ID);
+ goto err_inv_class_id;
+ }
+
+ /* Check presents of mandatory properties
+ * - challenge1
+ * - challenge2
+ * - signature
+ */
+
+
+ /* dh1 is optional */
+ dh1 = DDS_Security_DataHolder_find_binary_property(token, "dh1");
+
+ DDSRT_UNUSED_ARG(dh1); /*print it for integration purposes */
+
+ /* dh2 is optional */
+ dh2 = DDS_Security_DataHolder_find_binary_property(token, "dh2");
+ DDSRT_UNUSED_ARG(dh2); /*print it for integration purposes */
+
+ /* hash_c1 is optional */
+ hash_c1 = DDS_Security_DataHolder_find_binary_property(token, "hash_c1");
+ if (hash_c1) {
+ if ((hash_c1->value._length == sizeof(HashValue_t)) &&
+ (memcmp(hash_c1->value._buffer, handshake->hash_c1, sizeof(HashValue_t)) == 0)) {
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property hash_c1 invalid");
+ goto err_inv_hash_c1;
+ }
+ }
+
+ /* hash_c2 is optional */
+ hash_c2 = DDS_Security_DataHolder_find_binary_property(token,
"hash_c2");
+ if (hash_c2) {
+ if ((hash_c2->value._length == sizeof(HashValue_t)) &&
+ (memcmp(hash_c2->value._buffer, handshake->hash_c2, sizeof(HashValue_t)) == 0)) {
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "begin_handshake_reply: HandshakeMessageToken property hash_c2 invalid");
+ goto err_inv_hash_c2;
+ }
+ }
+
+ challenge1 = DDS_Security_DataHolder_find_binary_property(token, "challenge1");
+ if (!challenge1) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge1 missing");
+ goto err_no_challenge;
+ }
+
+ if (challenge1->value._length != sizeof(AuthenticationChallenge) || challenge1->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge1 invalid");
+ goto err_no_challenge;
+ }
+
+
+ challenge2 = DDS_Security_DataHolder_find_binary_property(token, "challenge2");
+ if (!challenge2) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge2 missing");
+ goto err_no_challenge;
+ }
+
+ if (challenge2->value._length != sizeof(AuthenticationChallenge) || challenge2->value._buffer == NULL) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge2 invalid");
+ goto err_no_challenge;
+ }
+
+ /* When validate_remote_identity was provided with a remote_auth_request_token
+ * then the future_challenge in the remote
identity was set and the challenge1
+ * property of the handshake_reply_token should be the same as the
+ * future_challenge stored in the remote identity.
+ */
+
+
+
+ if (relation->rchallenge) {
+ if (memcmp(relation->rchallenge->value, challenge1->value._buffer, sizeof(AuthenticationChallenge)) != 0) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge1 does not match future_challenge");
+ goto err_no_challenge;
+ }
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: No challenge exists to check challenge1 in the token.");
+ goto err_no_challenge;
+ }
+
+ if (relation->lchallenge) {
+ if (memcmp(relation->lchallenge->value, challenge2->value._buffer, sizeof(AuthenticationChallenge)) != 0) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property challenge2 does not match future_challenge");
+ goto err_no_challenge;
+ }
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: No challenge exists to check challenge2 in the token.");
+ goto err_no_challenge;
+ }
+
+ signature = DDS_Security_DataHolder_find_binary_property(token, "signature");
+ if (!signature) {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result,
+ "process_handshake: HandshakeMessageToken property signature missing");
+ goto err_no_challenge;
+ }
+
+ /* Validate signature */
+ public_key = X509_get_pubkey(relation->remoteIdentity->identityCert);
+ if
(public_key) {
+ /*prepare properties*/
+ const DDS_Security_BinaryProperty_t *properties[HANDSHAKE_SIGNATURE_CONTENT_SIZE];
+ DDS_Security_BinaryProperty_t *hash_c1_val = hash_value_to_binary_property("hash_c1", handshake->hash_c1);
+ DDS_Security_BinaryProperty_t *hash_c2_val = hash_value_to_binary_property("hash_c2", handshake->hash_c2);
+
+ properties[0] = hash_c1_val;
+ properties[1] = challenge1;
+ properties[2] = dh1;
+ properties[3] = challenge2;
+ properties[4] = dh2;
+ properties[5] = hash_c2_val;
+
+ result = validate_signature(public_key,properties, HANDSHAKE_SIGNATURE_CONTENT_SIZE ,signature->value._buffer,signature->value._length,ex );
+
+ EVP_PKEY_free(public_key);
+ DDS_Security_BinaryProperty_free(hash_c1_val);
+ DDS_Security_BinaryProperty_free(hash_c2_val);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_signature;
+ }
+ } else {
+ result = DDS_SECURITY_VALIDATION_FAILED;
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "X509_get_pubkey failed");
+ goto err_inv_identity_cert;
+ }
+
+err_inv_hash_c2:
+err_inv_hash_c1:
+err_no_challenge:
+err_inv_class_id:
+err_inv_identity_cert:
+err_inv_signature:
+ return result;
+}
+
+DDS_Security_ValidationResult_t
+begin_handshake_reply(
+ dds_security_authentication *instance,
+ DDS_Security_HandshakeHandle *handshake_handle,
+ DDS_Security_HandshakeMessageToken *handshake_message_out,
+ const DDS_Security_HandshakeMessageToken *handshake_message_in,
+ const DDS_Security_IdentityHandle initiator_identity_handle,
+ const DDS_Security_IdentityHandle replier_identity_handle,
+ const DDS_Security_OctetSeq *serialized_local_participant_data,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ HandshakeInfo *handshake = NULL;
+ IdentityRelation *relation = NULL;
+ SecurityObject *obj;
+
LocalIdentityInfo *localIdent;
+ RemoteIdentityInfo *remoteIdent;
+ EVP_PKEY *dhkeyLocal = NULL;
+ DDS_Security_BinaryProperty_t *tokens;
+ DDS_Security_BinaryProperty_t *c_id;
+ DDS_Security_BinaryProperty_t *c_perm;
+ DDS_Security_BinaryProperty_t *c_pdata;
+ DDS_Security_BinaryProperty_t *c_dsign_algo;
+ DDS_Security_BinaryProperty_t *c_kagree_algo;
+ DDS_Security_BinaryProperty_t *hash_c1;
+ const DDS_Security_BinaryProperty_t *hash_c1_ref;
+ DDS_Security_BinaryProperty_t *hash_c2;
+ DDS_Security_BinaryProperty_t *dh1;
+ const DDS_Security_BinaryProperty_t *dh1_ref;
+ DDS_Security_BinaryProperty_t *dh2;
+ DDS_Security_BinaryProperty_t *challenge1;
+ DDS_Security_BinaryProperty_t *challenge2;
+ DDS_Security_BinaryProperty_t *signature;
+ unsigned char *certData;
+ unsigned char *dhPubKeyData;
+ uint32_t certDataSize, dhPubKeyDataSize;
+ uint32_t tokenSize, idx;
+ int created = 0;
+
+ /* validate provided arguments */
+ if (!instance || !handshake_handle || !handshake_message_out || !handshake_message_in || !serialized_local_participant_data) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "begin_handshake_reply: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ if ((serialized_local_participant_data->_length == 0) || (serialized_local_participant_data->_buffer == NULL)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "begin_handshake_reply: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ obj = security_object_find(impl->objectHash, replier_identity_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_LOCAL_IDENTITY)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "begin_handshake_reply: Invalid replier_identity_handle provided");
+ goto err_inv_handle;
+
}
+ localIdent = (LocalIdentityInfo *) obj;
+
+ obj = security_object_find(impl->objectHash, initiator_identity_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_REMOTE_IDENTITY)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "begin_handshake_reply: Invalid initiator_identity_handle provided");
+ goto err_inv_handle;
+ }
+ remoteIdent = (RemoteIdentityInfo *)obj;
+
+ handshake = find_handshake(impl, SECURITY_OBJECT_HANDLE(localIdent), SECURITY_OBJECT_HANDLE(remoteIdent));
+ if (!handshake) {
+ relation = find_identity_relation(remoteIdent, SECURITY_OBJECT_HANDLE(localIdent));
+ assert(relation);
+ handshake = handshakeInfoNew(localIdent, remoteIdent, relation);
+ handshake->created_in = CREATEDREPLY;
+ (void)ddsrt_hh_add(impl->objectHash, handshake);
+ created = 1;
+ } else {
+ relation = handshake->relation;
+ assert(relation);
+ }
+
+ result = validate_handshake_request_token(handshake_message_in, handshake, &(impl->trustedCAList), ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_token;
+ }
+
+ result = get_certificate_contents(localIdent->identityCert, &certData, &certDataSize, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_alloc_cid;
+ }
+
+ if (!handshake->ldh) {
+ result = generate_dh_keys(&dhkeyLocal, remoteIdent->kagreeAlgoKind, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_gen_dh_keys;
+ }
+
+ handshake->ldh = dhkeyLocal;
+ EVP_PKEY_copy_parameters(handshake->rdh, handshake->ldh);
+ }
+
+ result = dh_public_key_to_oct(handshake->ldh, remoteIdent->kagreeAlgoKind, &dhPubKeyData, &dhPubKeyDataSize, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_get_public_key;
+ }
+
+ if (localIdent->pdata._length == 0) {
+ DDS_Security_OctetSeq_copy(&localIdent->pdata, serialized_local_participant_data);
+ }
+
+ hash_c1_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in, "hash_c1");
+
tokenSize = hash_c1_ref ? 12 : 11;
+
+ tokens = DDS_Security_BinaryPropertySeq_allocbuf(tokenSize);
+ idx = 0;
+ c_id = &tokens[idx++];
+ c_perm = &tokens[idx++];
+ c_pdata = &tokens[idx++];
+ c_dsign_algo = &tokens[idx++];
+ c_kagree_algo = &tokens[idx++];
+ signature = &tokens[idx++];
+ hash_c2 = &tokens[idx++];
+ challenge2 = &tokens[idx++];
+ dh2 = &tokens[idx++];
+ challenge1 = &tokens[idx++];
+ dh1 = &tokens[idx++];
+ hash_c1 = hash_c1_ref ? &tokens[idx++] : NULL;
+
+ /* Store the Identity Certificate associated with the local identify in c.id property */
+ DDS_Security_BinaryProperty_set_by_ref(c_id, "c.id", certData, certDataSize);
+ certData = NULL;
+
+ /* Store the permission document in the c.perm property */
+ if (localIdent->permissionsDocument) {
+ DDS_Security_BinaryProperty_set_by_string(c_perm, "c.perm", localIdent->permissionsDocument);
+ } else {
+ DDS_Security_BinaryProperty_set_by_string(c_perm, "c.perm", "");
+ }
+
+ /* Store the provided local_participant_data in the c.pdata property */
+ DDS_Security_BinaryProperty_set_by_value(c_pdata, "c.pdata", serialized_local_participant_data->_buffer, serialized_local_participant_data->_length);
+
+ /* Set the used signing algorithm descriptor in c.dsign_algo */
+ DDS_Security_BinaryProperty_set_by_string(c_dsign_algo, "c.dsign_algo", get_dsign_algo(localIdent->dsignAlgoKind));
+
+ /* Set the used key algorithm descriptor in c.kagree_algo */
+ DDS_Security_BinaryProperty_set_by_string(c_kagree_algo, "c.kagree_algo", get_kagree_algo(remoteIdent->kagreeAlgoKind));
+
+ /* Calculate the hash_c2 */
+ {
+ DDS_Security_BinaryPropertySeq bseq;
+
+ bseq._length = 5;
+ bseq._buffer = tokens;
+
+ get_hash_binary_property_seq(&bseq, handshake->hash_c2);
+ DDS_Security_BinaryProperty_set_by_value(hash_c2, "hash_c2", handshake->hash_c2, sizeof(HashValue_t));
+ }
+
+ /* Set the DH public key associated with the local participant in dh2 property */
+ DDS_Security_BinaryProperty_set_by_ref(dh2, "dh2", dhPubKeyData,
dhPubKeyDataSize);
+
+ /* Set the DH public key associated with the local participant in hash_c1 property */
+ if (hash_c1) {
+ DDS_Security_BinaryProperty_set_by_value(hash_c1, "hash_c1", hash_c1_ref->value._buffer, hash_c1_ref->value._length);
+ }
+
+ /* Set the DH public key associated with the local participant in dh1 property */
+ if (dh1) {
+ dh1_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in, "dh1");
+ if (dh1_ref) {
+ DDS_Security_BinaryProperty_set_by_value(dh1, "dh1", dh1_ref->value._buffer, dh1_ref->value._length);
+ }
+ }
+
+ /* Set the challenge in challenge1 property */
+ assert(relation->rchallenge);
+ DDS_Security_BinaryProperty_set_by_value(challenge1, "challenge1", relation->rchallenge->value, sizeof(AuthenticationChallenge));
+
+ /* Set the challenge in challenge2 property */
+ assert(relation->lchallenge);
+
+ DDS_Security_BinaryProperty_set_by_value(challenge2, "challenge2", relation->lchallenge->value, sizeof(AuthenticationChallenge));
+
+ /* Calculate the signature */
+ {
+ unsigned char *sign;
+ size_t signlen;
+ const DDS_Security_BinaryProperty_t * binary_properties[ HANDSHAKE_SIGNATURE_CONTENT_SIZE ];
+ DDS_Security_BinaryProperty_t *hash_c1_val = hash_value_to_binary_property("hash_c1", handshake->hash_c1);
+ DDS_Security_BinaryProperty_t *hash_c2_val = hash_value_to_binary_property("hash_c2", handshake->hash_c2);
+
+ binary_properties[0] = hash_c2_val;
+ binary_properties[1] = challenge2;
+ binary_properties[2] = dh2;
+ binary_properties[3] = challenge1;
+ binary_properties[4] = dh1;
+ binary_properties[5] = hash_c1_val;
+
+ result = create_signature(localIdent->privateKey, binary_properties, HANDSHAKE_SIGNATURE_CONTENT_SIZE , &sign, &signlen, ex);
+
+ DDS_Security_BinaryProperty_free(hash_c1_val);
+ DDS_Security_BinaryProperty_free(hash_c2_val);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_signature;
+ }
+ DDS_Security_BinaryProperty_set_by_ref(signature, "signature", sign, (uint32_t)signlen);
+ }
+
+ (void)ddsrt_hh_add(impl->objectHash, handshake);
+
+ handshake_message_out->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REPLY_TOKEN_ID);
+ handshake_message_out->binary_properties._length = tokenSize;
+ handshake_message_out->binary_properties._buffer = tokens;
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+
+ *handshake_handle = HANDSHAKE_HANDLE(handshake);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ result = DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE;
+ }
+
+ return result;
+
+err_signature:
+ free_binary_properties(tokens, tokenSize);
+err_get_public_key:
+err_gen_dh_keys:
+ ddsrt_free(certData);
+err_alloc_cid:
+err_inv_token:
+ if (created) {
+ (void)ddsrt_hh_remove(impl->objectHash, handshake);
+ security_object_free((SecurityObject *)handshake);
+ }
+err_inv_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+err_bad_param:
+ return DDS_SECURITY_VALIDATION_FAILED;
+}
+
+
+static bool
+generate_shared_secret(
+ const HandshakeInfo *handshake,
+ unsigned char **shared_secret,
+ DDS_Security_long *length,
+ DDS_Security_SecurityException *ex)
+{
+ bool result = false;
+ EVP_PKEY_CTX *ctx;
+ size_t skeylen;
+ unsigned char *secret = NULL;
+
+ *shared_secret = NULL;
+
+ ctx = EVP_PKEY_CTX_new( handshake->ldh, NULL /* no engine */);
+ if (!ctx)
+ {
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "process_handshake: Shared secret failed to create context: ");
+ goto fail_ctx_new;
+ }
+
+ if (EVP_PKEY_derive_init(ctx) <= 0)
+ {
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "process_handshake: Shared secret failed to initialize context: ");
+ goto fail_derive;
+ }
+ if (EVP_PKEY_derive_set_peer(ctx, handshake->rdh) <= 0)
+ {
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+
"process_handshake: Shared secret failed to set peer key: ");
+ goto fail_derive;
+ }
+
+ /* Determine buffer length */
+ if (EVP_PKEY_derive(ctx, NULL, &skeylen) <= 0)
+ {
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "process_handshake: Shared secret failed to determine key length: ");
+ goto fail_derive;
+ }
+
+ secret = ddsrt_malloc(skeylen);
+ if (EVP_PKEY_derive(ctx, secret, &skeylen) <= 0)
+ {
+ DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "process_handshake: Could not compute the shared secret: ");
+ goto fail_derive;
+ }
+
+ *shared_secret = ddsrt_malloc(SHA256_DIGEST_LENGTH);
+ *length = SHA256_DIGEST_LENGTH;
+
+ SHA256(secret, skeylen, *shared_secret);
+
+ result = true;
+
+fail_derive:
+ ddsrt_free(secret);
+ EVP_PKEY_CTX_free(ctx);
+fail_ctx_new:
+ return result;
+}
+
+
+
+
+DDS_Security_ValidationResult_t
+process_handshake(
+ dds_security_authentication *instance,
+ DDS_Security_HandshakeMessageToken *handshake_message_out,
+ const DDS_Security_HandshakeMessageToken *handshake_message_in,
+ const DDS_Security_HandshakeHandle handshake_handle,
+ DDS_Security_SecurityException *ex)
+{
+ DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK;
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ HandshakeInfo *handshake = NULL;
+ IdentityRelation *relation = NULL;
+ SecurityObject *obj;
+ EVP_PKEY *dhkeyRemote = NULL;
+ DDS_Security_BinaryProperty_t *tokens = NULL;
+ DDS_Security_BinaryProperty_t *hash_c1 = NULL;
+ const DDS_Security_BinaryProperty_t *hash_c1_ref;
+ const DDS_Security_BinaryProperty_t *hash_c2_ref;
+ const DDS_Security_BinaryProperty_t *challenge1_ref;
+ const DDS_Security_BinaryProperty_t *challenge2_ref;
+ const DDS_Security_BinaryProperty_t *dh1_ref;
+ const DDS_Security_BinaryProperty_t
*dh2_ref;
+ DDS_Security_BinaryProperty_t *hash_c2 = NULL;
+ DDS_Security_BinaryProperty_t *dh1;
+ DDS_Security_BinaryProperty_t *dh2;
+ DDS_Security_BinaryProperty_t *challenge1;
+ DDS_Security_BinaryProperty_t *challenge2;
+ DDS_Security_BinaryProperty_t *signature;
+ uint32_t tokenSize=0, idx;
+ DDS_Security_octet * challenge1_ref_for_shared_secret, *challenge2_ref_for_shared_secret;
+
+ /* validate provided arguments */
+ if (!instance || !handshake_handle || !handshake_message_out || !handshake_message_in) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "process_handshake: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ memset(handshake_message_out, 0, sizeof(DDS_Security_HandshakeMessageToken));
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ obj = security_object_find(impl->objectHash, handshake_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_HANDSHAKE)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED,
+ "process_handshake: Invalid replier_identity_handle provided");
+ goto err_inv_handle;
+ }
+ handshake = (HandshakeInfo *) obj;
+ relation = handshake->relation;
+ assert(relation);
+
+ /* check if the handle created by a handshake_request or handshake_reply */
+
+ switch (handshake->created_in) {
+ case CREATEDREQUEST:
+ /* The source of the handshake_handle is a begin_handshake_request function
+ * So, handshake_message_in should have been came from a remote begin_handshake_reply function
+ */
+ /* Verify Message Token contents according to Spec 9.3.2.5.2 (Reply Message) */
+ result = validate_handshake_reply_token(handshake_message_in, handshake, &dhkeyRemote, &(impl->trustedCAList), ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_token;
+ }
+
+ /*set received remote DH (dh2) */
+ handshake->rdh = dhkeyRemote;
+
+ EVP_PKEY_copy_parameters(handshake->rdh,
handshake->ldh);
+
+ /* Prepare HandshakeFinalMessageToken */
+
+ /* Get references from message_in */
+ hash_c1_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in, "hash_c1");
+ hash_c2_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in, "hash_c2");
+ dh1_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in, "dh1");
+ dh2_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in, "dh2");
+ challenge1_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in,
+ "challenge1");
+ challenge2_ref = DDS_Security_DataHolder_find_binary_property(handshake_message_in,
+ "challenge2");
+
+ tokenSize = 3; /* challenge1, challenge2 and signature are already exist */
+ if (hash_c1_ref)
+ tokenSize++;
+ if (hash_c2_ref)
+ tokenSize++;
+ if (dh1_ref)
+ tokenSize++;
+ if (dh2_ref)
+ tokenSize++;
+
+ tokens = DDS_Security_BinaryPropertySeq_allocbuf(tokenSize);
+ idx = 0;
+ signature = &tokens[idx++];
+ hash_c2 = hash_c2_ref ? &tokens[idx++] : NULL;
+ challenge2 = &tokens[idx++];
+ dh2 = dh2_ref ? &tokens[idx++] : NULL;
+ challenge1 = &tokens[idx++];
+ dh1 = dh1_ref ? &tokens[idx++] : NULL;
+ hash_c1 = hash_c1_ref ?
&tokens[idx++] : NULL;
+
+ if (hash_c1) {
+ DDS_Security_BinaryProperty_set_by_value(hash_c1, "hash_c1", hash_c1_ref->value._buffer,
+ hash_c1_ref->value._length);
+ }
+ if (hash_c2) {
+ DDS_Security_BinaryProperty_set_by_value(hash_c2, "hash_c2", hash_c2_ref->value._buffer,
+ hash_c2_ref->value._length);
+ }
+ if (dh1) {
+ DDS_Security_BinaryProperty_set_by_value(dh1, "dh1", dh1_ref->value._buffer,
+ dh1_ref->value._length);
+ }
+ if (dh2) {
+ DDS_Security_BinaryProperty_set_by_value(dh2, "dh2", dh2_ref->value._buffer,
+ dh2_ref->value._length);
+ }
+ assert(relation->lchallenge);
+ if (challenge1 && challenge1_ref) {
+ DDS_Security_BinaryProperty_set_by_value(challenge1, "challenge1", challenge1_ref->value._buffer,
+ challenge1_ref->value._length);
+ }
+ assert(relation->rchallenge);
+ if (challenge2 && challenge2_ref) {
+ DDS_Security_BinaryProperty_set_by_value(challenge2, "challenge2", challenge2_ref->value._buffer,
+ challenge2_ref->value._length);
+ }
+
+
+ /* Calculate the signature */
+ {
+ const DDS_Security_BinaryProperty_t * binary_properties[ HANDSHAKE_SIGNATURE_CONTENT_SIZE ];
+ DDS_Security_BinaryProperty_t *hash_c1_val = hash_value_to_binary_property("hash_c1", handshake->hash_c1);
+ DDS_Security_BinaryProperty_t *hash_c2_val = hash_value_to_binary_property("hash_c2", handshake->hash_c2);
+ unsigned char *sign;
+ size_t signlen;
+
+ binary_properties[0] = hash_c1_val;
+ binary_properties[1] = challenge1;
+ binary_properties[2] = dh1;
+ binary_properties[3] = challenge2;
+ binary_properties[4] = dh2;
+ binary_properties[5] = hash_c2_val;
+
+ result = create_signature(relation->localIdentity->privateKey, binary_properties, HANDSHAKE_SIGNATURE_CONTENT_SIZE, &sign, &signlen, ex);
+
+ DDS_Security_BinaryProperty_free(hash_c1_val);
+ DDS_Security_BinaryProperty_free(hash_c2_val);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_signature;
+ }
+
+ DDS_Security_BinaryProperty_set_by_ref(signature, "signature", sign, (uint32_t)signlen);
+ }
+
+
handshake_message_out->class_id = ddsrt_strdup(AUTH_HANDSHAKE_FINAL_TOKEN_ID);
+ handshake_message_out->binary_properties._length = tokenSize;
+ handshake_message_out->binary_properties._buffer = tokens;
+
+ challenge1_ref_for_shared_secret = (DDS_Security_octet*)(handshake->relation->lchallenge);
+ challenge2_ref_for_shared_secret = (DDS_Security_octet*)(handshake->relation->rchallenge);
+
+ result = DDS_SECURITY_VALIDATION_OK_FINAL_MESSAGE;
+
+ break;
+ case CREATEDREPLY:
+ /* The source of the handshake_handle is a begin_handshake_reply function
+ * So, handshake_message_in should have been came from a remote process_handshake function
+ */
+
+ /* Verify Message Token contents according to Spec 9.3.2.5.3 (Final Message) */
+ result = validate_handshake_final_token(handshake_message_in, handshake, ex);
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ goto err_inv_token;
+ }
+
+
+ challenge2_ref_for_shared_secret = (DDS_Security_octet*)(handshake->relation->lchallenge);
+ challenge1_ref_for_shared_secret = (DDS_Security_octet*)(handshake->relation->rchallenge);
+
+ result = DDS_SECURITY_VALIDATION_OK;
+
+ break;
+ default:
+ ddsrt_mutex_unlock(&impl->lock);
+ goto err_bad_param;
+ }
+
+ /* Compute shared secret */
+ {
+ DDS_Security_long shared_secret_length;
+ unsigned char *shared_secret;
+
+ if (!generate_shared_secret(handshake, &shared_secret, &shared_secret_length, ex)) {
+ goto err_openssl;
+ }
+
+ handshake->shared_secret_handle_impl = ddsrt_malloc( sizeof(DDS_Security_SharedSecretHandleImpl));
+ handshake->shared_secret_handle_impl->shared_secret = shared_secret;
+ handshake->shared_secret_handle_impl->shared_secret_size = shared_secret_length;
+
+ /* put references to challenge1 and challenge2 into shared secret object */
+ memcpy( handshake->shared_secret_handle_impl->challenge1, challenge1_ref_for_shared_secret, DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE);
+ memcpy( handshake->shared_secret_handle_impl->challenge2, challenge2_ref_for_shared_secret,
DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE);
+ }
+
+ { /* setup expiry listener */
+ dds_time_t certExpiry = get_certificate_expiry( handshake->relation->remoteIdentity->identityCert );
+
+ if( certExpiry == DDS_TIME_INVALID ){
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Expiry date of the certificate is invalid");
+ goto err_invalid_expiry;
+ } else if( certExpiry != DDS_NEVER ){
+ add_validity_end_trigger( impl,
+ IDENTITY_HANDLE( handshake->relation->remoteIdentity ),
+ certExpiry);
+ }
+
+ }
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+ return result;
+
+err_invalid_expiry:
+ ddsrt_free( handshake->shared_secret_handle_impl->shared_secret );
+ ddsrt_free( handshake->shared_secret_handle_impl );
+err_openssl:
+err_signature:
+ if (handshake_message_out->class_id) {
+ DDS_Security_DataHolder_deinit(handshake_message_out);
+ }
+err_inv_token:
+err_inv_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+err_bad_param:
+ return DDS_SECURITY_VALIDATION_FAILED;
+}
+
+DDS_Security_SharedSecretHandle get_shared_secret(
+ dds_security_authentication *instance,
+ const DDS_Security_HandshakeHandle handshake_handle,
+ DDS_Security_SecurityException *ex)
+{
+
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ SecurityObject *obj;
+
+ /* validate provided arguments */
+ if (!instance || !handshake_handle) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_handshake_handle: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+ obj = security_object_find(impl->objectHash, handshake_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_HANDSHAKE)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_handshake_handle: Invalid handle provided");
+ goto err_invalid_handle;
+ }
+
+
+ ddsrt_mutex_unlock(&impl->lock);
+ return (DDS_Security_SharedSecretHandle)(ddsrt_address)((HandshakeInfo*)obj)->shared_secret_handle_impl;
+
+
+ err_invalid_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+ err_bad_param:
+ return DDS_SECURITY_HANDLE_NIL;
+}
+
+DDS_Security_boolean
+get_authenticated_peer_credential_token(
+ dds_security_authentication *instance,
+ DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token,
+ const DDS_Security_HandshakeHandle handshake_handle,
+ DDS_Security_SecurityException *ex)
+{
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ HandshakeInfo *handshake = NULL;
+ X509 *identity_cert;
+ char *permissions_doc;
+ unsigned char *cert_data;
+ uint32_t cert_data_size;
+
+ /* validate provided arguments */
+ if (!instance || !handshake_handle || !peer_credential_token) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0,
+ DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+ return false;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ handshake = (HandshakeInfo *) security_object_find(impl->objectHash, handshake_handle);
+ if (!handshake || !SECURITY_OBJECT_VALID(handshake, SECURITY_OBJECT_KIND_HANDSHAKE)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0,
+ DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+ goto err_inv_handle;
+ }
+
+ identity_cert = handshake->relation->remoteIdentity->identityCert;
+ if (!identity_cert) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_OPERATION_NOT_PERMITTED_CODE, 0,
+ DDS_SECURITY_ERR_OPERATION_NOT_PERMITTED_MESSAGE);
+ goto err_missing_attr;
+ }
+
+ permissions_doc = handshake->relation->remoteIdentity->permissionsDocument;
+ if (!permissions_doc) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT,
+ DDS_SECURITY_ERR_MISSING_REMOTE_PERMISSIONS_DOCUMENT_CODE, 0,
+
DDS_SECURITY_ERR_MISSING_REMOTE_PERMISSIONS_DOCUMENT_MESSAGE);
+ goto err_missing_attr;
+ }
+
+ if (get_certificate_contents(identity_cert, &cert_data, &cert_data_size, ex) != DDS_SECURITY_VALIDATION_OK) {
+ goto err_alloc_cid;
+ }
+
+ memset(peer_credential_token, 0, sizeof(*peer_credential_token));
+
+ peer_credential_token->class_id = get_authentication_class_id();
+
+ peer_credential_token->properties._length = 2;
+ peer_credential_token->properties._buffer = DDS_Security_PropertySeq_allocbuf(peer_credential_token->properties._length);
+
+ peer_credential_token->properties._buffer[0].name = ddsrt_strdup("c.id");
+ peer_credential_token->properties._buffer[0].value = (char *)cert_data;
+ peer_credential_token->properties._buffer[0].propagate = false;
+
+ peer_credential_token->properties._buffer[1].name = ddsrt_strdup("c.perm");
+ peer_credential_token->properties._buffer[1].value = ddsrt_strdup(permissions_doc);
+ peer_credential_token->properties._buffer[1].propagate = false;
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+ return true;
+
+err_alloc_cid:
+err_missing_attr:
+err_inv_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+ return false;
+}
+
+DDS_Security_boolean set_listener(dds_security_authentication *instance,
+ const dds_security_authentication_listener *listener,
+ DDS_Security_SecurityException *ex)
+{
+ dds_security_authentication_impl *auth = (dds_security_authentication_impl*)instance;
+
+ DDSRT_UNUSED_ARG(auth);
+ DDSRT_UNUSED_ARG(listener);
+ DDSRT_UNUSED_ARG(ex);
+
+ /* Will be enabled after timed call back feature implementation */
+#if TIMED_CALLBACK_IMPLEMENTED
+ if (listener) {
+ ut_timed_dispatcher_enable(auth->timed_callbacks, (void*)listener);
+ } else {
+ ut_timed_dispatcher_disable(auth->timed_callbacks);
+ }
+#endif
+ return true;
+}
+
+DDS_Security_boolean return_identity_token(dds_security_authentication *instance,
+ const DDS_Security_IdentityToken *token,
+ DDS_Security_SecurityException *ex)
+{
+ DDSRT_UNUSED_ARG(token);
+
DDSRT_UNUSED_ARG(ex);
+ DDSRT_UNUSED_ARG(instance);
+
+ return true;
+}
+
+DDS_Security_boolean return_identity_status_token(
+ dds_security_authentication *instance,
+ const DDS_Security_IdentityStatusToken *token,
+ DDS_Security_SecurityException *ex)
+{
+ DDSRT_UNUSED_ARG(token);
+ DDSRT_UNUSED_ARG(ex);
+ DDSRT_UNUSED_ARG(instance);
+
+ return true;
+}
+
+DDS_Security_boolean return_authenticated_peer_credential_token(
+ dds_security_authentication *instance,
+ const DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token,
+ DDS_Security_SecurityException *ex)
+{
+ if ((!instance) || (!peer_credential_token)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+ return false;
+ }
+
+ DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)peer_credential_token);
+
+ return true;
+}
+
+DDS_Security_boolean
+return_handshake_handle(dds_security_authentication *instance,
+ const DDS_Security_HandshakeHandle handshake_handle,
+ DDS_Security_SecurityException *ex)
+{
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ SecurityObject *obj;
+ HandshakeInfo *handshake;
+
+ /* validate provided arguments */
+ if (!instance || !handshake_handle) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_handshake_handle: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ ddsrt_mutex_lock(&impl->lock);
+ obj = security_object_find(impl->objectHash, handshake_handle);
+ if (!obj || !security_object_valid(obj, SECURITY_OBJECT_KIND_HANDSHAKE)) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_handshake_handle: Invalid handle provided");
+ goto err_invalid_handle;
+ }
+ handshake = (HandshakeInfo *)obj;
+
+ assert(handshake->relation);
+
+
(void)ddsrt_hh_remove(impl->objectHash, obj);
+ security_object_free((SecurityObject *)handshake);
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+ return true;
+
+err_invalid_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+err_bad_param:
+ return false;
+}
+
+
+static void
+invalidate_local_related_objects(
+ dds_security_authentication_impl *impl,
+ LocalIdentityInfo *localIdent)
+{
+ struct ddsrt_hh_iter it;
+ SecurityObject *obj;
+
+ for (obj = ddsrt_hh_iter_first(impl->objectHash, &it); obj != NULL; obj = ddsrt_hh_iter_next(&it)) {
+ if (obj->kind == SECURITY_OBJECT_KIND_REMOTE_IDENTITY) {
+ RemoteIdentityInfo *remoteIdent = (RemoteIdentityInfo *)obj;
+ IdentityRelation *relation;
+ HandshakeInfo *handshake;
+
+ handshake = find_handshake(impl, SECURITY_OBJECT_HANDLE(localIdent), SECURITY_OBJECT_HANDLE(remoteIdent));
+ if (handshake) {
+ (void)ddsrt_hh_remove(impl->objectHash, handshake);
+ security_object_free((SecurityObject *) handshake);
+ }
+
+ relation = find_identity_relation(remoteIdent, SECURITY_OBJECT_HANDLE(localIdent));
+ if (relation) {
+ remove_identity_relation(remoteIdent, relation);
+ }
+ }
+ }
+}
+
+static void
+invalidate_remote_related_objects(
+ dds_security_authentication_impl *impl,
+ RemoteIdentityInfo *remoteIdentity)
+{
+ struct ddsrt_hh_iter it;
+ IdentityRelation *relation;
+ HandshakeInfo *handshake;
+
+ for (relation = ddsrt_hh_iter_first(remoteIdentity->linkHash, &it); relation != NULL; relation = ddsrt_hh_iter_next(&it)) {
+ handshake = find_handshake(impl, SECURITY_OBJECT_HANDLE(relation->localIdentity), SECURITY_OBJECT_HANDLE(remoteIdentity));
+ if (handshake) {
+ (void)ddsrt_hh_remove(impl->objectHash, handshake);
+ security_object_free((SecurityObject *) handshake);
+ }
+
+ (void)ddsrt_hh_remove(remoteIdentity->linkHash, relation);
+ security_object_free((SecurityObject *) relation);
+ }
+}
+
+DDS_Security_boolean
+return_identity_handle(
+ dds_security_authentication *instance,
+ const DDS_Security_IdentityHandle identity_handle,
+
DDS_Security_SecurityException *ex)
+{
+ DDS_Security_boolean result = true;
+ dds_security_authentication_impl *impl = (dds_security_authentication_impl *) instance;
+ SecurityObject *obj;
+ LocalIdentityInfo *localIdent;
+ RemoteIdentityInfo *remoteIdent;
+
+ /* validate provided arguments */
+ if (!instance || !identity_handle) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_identity_handle: Invalid parameter provided");
+ goto err_bad_param;
+ }
+
+ /* Currently the implementation of the handle does not provide information
+ * about the kind of handle. In this case a valid handle could refer to a
+ * LocalIdentityObject or a RemoteIdentityObject
+ */
+
+ ddsrt_mutex_lock(&impl->lock);
+
+ obj = security_object_find(impl->objectHash, identity_handle);
+ if (!obj) {
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_identity_handle: Invalid handle provided");
+ goto err_invalid_handle;
+ }
+
+ switch (obj->kind) {
+ case SECURITY_OBJECT_KIND_LOCAL_IDENTITY:
+ localIdent = (LocalIdentityInfo *) obj;
+ invalidate_local_related_objects(impl, localIdent);
+ (void)ddsrt_hh_remove(impl->objectHash, obj);
+ security_object_free(obj);
+ break;
+ case SECURITY_OBJECT_KIND_REMOTE_IDENTITY:
+ remoteIdent = (RemoteIdentityInfo *) obj;
+ invalidate_remote_related_objects(impl, remoteIdent);
+ (void)ddsrt_hh_remove(impl->remoteGuidHash, remoteIdent);
+ (void)ddsrt_hh_remove(impl->objectHash, obj);
+ security_object_free(obj);
+ break;
+ default:
+ DDS_Security_Exception_set(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "return_identity_handle: Invalid handle provided");
+ result = false;
+ break;
+ }
+
+ ddsrt_mutex_unlock(&impl->lock);
+
+ return result;
+
+err_invalid_handle:
+ ddsrt_mutex_unlock(&impl->lock);
+err_bad_param:
+ return false;
+}
+
+DDS_Security_boolean return_sharedsecret_handle( + dds_security_authentication *instance, + const DDS_Security_SharedSecretHandle sharedsecret_handle, + DDS_Security_SecurityException *ex) +{ + DDSRT_UNUSED_ARG(sharedsecret_handle); + DDSRT_UNUSED_ARG(ex); + DDSRT_UNUSED_ARG(instance); + + return true; +} + +int32_t init_authentication( const char *argument, void **context) +{ + + dds_security_authentication_impl *authentication; + + DDSRT_UNUSED_ARG(argument); + + /* allocate implementation wrapper */ + authentication = (dds_security_authentication_impl*) ddsrt_malloc( + sizeof(dds_security_authentication_impl)); + memset(authentication, 0, sizeof(dds_security_authentication_impl)); + + /* assign dispatcher to be notified when a validity date ends */ + /* Disable it until timed callback is ready */ + /*authentication->timed_callbacks = ut_timed_dispatcher_new(); */ + + /* assign the interface functions */ + authentication->base.validate_local_identity = &validate_local_identity; + + authentication->base.get_identity_token = &get_identity_token; + + authentication->base.get_identity_status_token = &get_identity_status_token; + + authentication->base.set_permissions_credential_and_token = + &set_permissions_credential_and_token; + + authentication->base.validate_remote_identity = &validate_remote_identity; + + authentication->base.begin_handshake_request = &begin_handshake_request; + + authentication->base.begin_handshake_reply = &begin_handshake_reply; + + authentication->base.process_handshake = &process_handshake; + + authentication->base.get_shared_secret = &get_shared_secret; + + authentication->base.get_authenticated_peer_credential_token = + &get_authenticated_peer_credential_token; + + authentication->base.set_listener = &set_listener; + + authentication->base.return_identity_token = &return_identity_token; + + authentication->base.return_identity_status_token = + &return_identity_status_token; + + 
authentication->base.return_authenticated_peer_credential_token = + &return_authenticated_peer_credential_token; + + authentication->base.return_handshake_handle = &return_handshake_handle; + + authentication->base.return_identity_handle = &return_identity_handle; + + authentication->base.return_sharedsecret_handle = &return_sharedsecret_handle; + + //prepare implementation wrapper + authentication->id = 1; + + ddsrt_mutex_init(&authentication->lock); + + authentication->objectHash = ddsrt_hh_new(32, security_object_hash, security_object_equal); + authentication->remoteGuidHash = ddsrt_hh_new(32, remote_guid_hash, remote_guid_equal); + + memset( &authentication->trustedCAList, 0, sizeof(X509Seq)); + + + /* Initialize openssl */ + OpenSSL_add_all_algorithms(); + OpenSSL_add_all_ciphers(); + OpenSSL_add_all_digests(); + ERR_load_BIO_strings(); + ERR_load_crypto_strings(); + + //return the instance + *context = authentication; + return 0; + +/* we can not get ddsrt_mutex_init result. So ignore the lines below */ +#if MUTEX_INIT_RESULT_IMPLEMENTED +err_mutex_failed: + ddsrt_free(authentication); + return -1; +#endif +} + +int32_t finalize_authentication(void *instance) +{ + dds_security_authentication_impl *authentication = instance; + + if( authentication ){ + ddsrt_mutex_lock(&authentication->lock); + + /* Will be enabled after timed call back feature implementation */ + /* ut_timed_dispatcher_free(authentication->timed_callbacks); */ + if (authentication->remoteGuidHash) { + ddsrt_hh_free(authentication->remoteGuidHash); + } + + if (authentication->objectHash) { + struct ddsrt_hh_iter it; + SecurityObject *obj; + for (obj = ddsrt_hh_iter_first(authentication->objectHash, &it); obj != NULL; obj = ddsrt_hh_iter_next(&it)) { + security_object_free(obj); + } + ddsrt_hh_free(authentication->objectHash); + } + + free_ca_list_contents(&(authentication->trustedCAList)); + + ddsrt_mutex_unlock(&authentication->lock); + + ddsrt_mutex_destroy(&authentication->lock); + + 
ddsrt_free((dds_security_authentication_impl*) instance); + } + + RAND_cleanup(); + EVP_cleanup(); + CRYPTO_cleanup_all_ex_data(); + REMOVE_THREAD_STATE(); + ERR_free_strings(); + + return 0; +} diff --git a/src/security/builtin_plugins/authentication/src/authentication.h b/src/security/builtin_plugins/authentication/src/authentication.h new file mode 100644 index 0000000..dcbcfd6 --- /dev/null +++ b/src/security/builtin_plugins/authentication/src/authentication.h 
@@ -0,0 +1,146 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + + +#ifndef SECURITY_BUILTIN_PLUGINS_AUTHENTICATION_H_ +#define SECURITY_BUILTIN_PLUGINS_AUTHENTICATION_H_ + +#include "dds/ddsrt/atomics.h" +#include "dds/security/dds_security_api.h" +#include "dds/security/export.h" + +SECURITY_EXPORT int32_t +init_authentication(const char *argument, void **context); + +SECURITY_EXPORT int32_t +finalize_authentication(void *context); + + + + +DDS_Security_ValidationResult_t +validate_local_identity( + dds_security_authentication *instance, + DDS_Security_IdentityHandle *local_identity_handle, + DDS_Security_GUID_t *adjusted_participant_guid, + const DDS_Security_DomainId domain_id, + const DDS_Security_Qos *participant_qos, + const DDS_Security_GUID_t *candidate_participant_guid, + + DDS_Security_SecurityException *ex); +DDS_Security_boolean +get_identity_token(dds_security_authentication *instance, + DDS_Security_IdentityToken *identity_token, + const DDS_Security_IdentityHandle handle, + DDS_Security_SecurityException *ex); +DDS_Security_boolean +set_permissions_credential_and_token( + dds_security_authentication *instance, + const DDS_Security_IdentityHandle handle, + const DDS_Security_PermissionsCredentialToken *permissions_credential, + const DDS_Security_PermissionsToken *permissions_token, + DDS_Security_SecurityException *ex); + +DDS_Security_ValidationResult_t +validate_remote_identity( + dds_security_authentication *instance, + DDS_Security_IdentityHandle *remote_identity_handle, + DDS_Security_AuthRequestMessageToken *local_auth_request_token, + const 
DDS_Security_AuthRequestMessageToken *remote_auth_request_token, + const DDS_Security_IdentityHandle local_identity_handle, + const DDS_Security_IdentityToken *remote_identity_token, + const DDS_Security_GUID_t *remote_participant_guid, + DDS_Security_SecurityException *ex); + +DDS_Security_ValidationResult_t +begin_handshake_request( + dds_security_authentication *instance, + DDS_Security_HandshakeHandle *handshake_handle, + DDS_Security_HandshakeMessageToken *handshake_message, + const DDS_Security_IdentityHandle initiator_identity_handle, + const DDS_Security_IdentityHandle replier_identity_handle, + const DDS_Security_OctetSeq *serialized_local_participant_data, + DDS_Security_SecurityException *ex); + +DDS_Security_ValidationResult_t +begin_handshake_reply( + dds_security_authentication *instance, + DDS_Security_HandshakeHandle *handshake_handle, + DDS_Security_HandshakeMessageToken *handshake_message_out, + const DDS_Security_HandshakeMessageToken *handshake_message_in, + const DDS_Security_IdentityHandle initiator_identity_handle, + const DDS_Security_IdentityHandle replier_identity_handle, + const DDS_Security_OctetSeq *serialized_local_participant_data, + DDS_Security_SecurityException *ex); + +DDS_Security_ValidationResult_t +process_handshake( + dds_security_authentication *instance, + DDS_Security_HandshakeMessageToken *handshake_message_out, + const DDS_Security_HandshakeMessageToken *handshake_message_in, + const DDS_Security_HandshakeHandle handshake_handle, + DDS_Security_SecurityException *ex); + +DDS_Security_SharedSecretHandle get_shared_secret( + dds_security_authentication *instance, + const DDS_Security_HandshakeHandle handshake_handle, + DDS_Security_SecurityException *ex); + +DDS_Security_boolean +get_authenticated_peer_credential_token( + dds_security_authentication *instance, + DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token, + const DDS_Security_HandshakeHandle handshake_handle, + DDS_Security_SecurityException *ex); 
+ + +DDS_Security_boolean get_identity_status_token( + dds_security_authentication *instance, + DDS_Security_IdentityStatusToken *identity_status_token, + const DDS_Security_IdentityHandle handle, + DDS_Security_SecurityException *ex); + +DDS_Security_boolean set_listener(dds_security_authentication *instance, + const dds_security_authentication_listener *listener, + DDS_Security_SecurityException *ex); + +DDS_Security_boolean return_identity_token(dds_security_authentication *instance, + const DDS_Security_IdentityToken *token, + DDS_Security_SecurityException *ex); + +DDS_Security_boolean return_identity_status_token( + dds_security_authentication *instance, + const DDS_Security_IdentityStatusToken *token, + DDS_Security_SecurityException *ex); + +DDS_Security_boolean return_authenticated_peer_credential_token( + dds_security_authentication *instance, + const DDS_Security_AuthenticatedPeerCredentialToken *peer_credential_token, + DDS_Security_SecurityException *ex); + +DDS_Security_boolean +return_handshake_handle(dds_security_authentication *instance, + const DDS_Security_HandshakeHandle handshake_handle, + DDS_Security_SecurityException *ex); +DDS_Security_boolean +return_identity_handle( + dds_security_authentication *instance, + const DDS_Security_IdentityHandle identity_handle, + DDS_Security_SecurityException *ex); + +DDS_Security_boolean return_sharedsecret_handle( + dds_security_authentication *instance, + const DDS_Security_SharedSecretHandle sharedsecret_handle, + DDS_Security_SecurityException *ex); + + +#endif /* SECURITY_BUILTIN_PLUGINS_AUTHENTICATION_H_ */ diff --git a/src/security/builtin_plugins/tests/CMakeLists.txt b/src/security/builtin_plugins/tests/CMakeLists.txt new file mode 100644 index 0000000..7290ca4 --- /dev/null +++ b/src/security/builtin_plugins/tests/CMakeLists.txt 
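Review bot: Every plugin entry point in this header is declared with external linkage and an unprefixed name (`set_listener`, `process_handshake`, `get_shared_secret`, and the rest), while only `init_authentication` and `finalize_authentication` carry `SECURITY_EXPORT`. As far as this patch shows, the functions are reached only through the `authentication->base` function table that `init_authentication` fills in; the test helper also calls `auth->get_shared_secret(...)` through that table. They therefore look like candidates for `static` definitions in authentication.c, with the prototypes dropped from this header. If the library is not built with hidden default visibility (not visible in this hunk), these generic names end up in the plugin's dynamic symbol table, where a same-named symbol from another loaded library could be bound instead. If the prototypes must stay public, a plugin-specific prefix would avoid that.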
@@ -0,0 +1,51 @@ + # +# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License v. 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License +# v. 1.0 which is available at +# http://www.eclipse.org/org/documents/edl-v10.php. +# +# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause +# +include(CUnit) + +set(security_auth_test_sources + "validate_begin_handshake_reply/src/validate_begin_handshake_reply_utests.c" + "get_authenticated_peer_credential_token/src/get_authenticated_peer_credential_token_utests.c" + "validate_local_identity/src/validate_local_identity_utests.c" + "validate_remote_identity/src/validate_remote_identity_utests.c" + "validate_begin_handshake_request/src/validate_begin_handshake_request_utests.c" + "process_handshake/src/process_handshake_utests.c" + "common/src/handshake_helper.c" + "common/src/loader.c") + +add_cunit_executable(cunit_security_plugins ${security_auth_test_sources}) +target_include_directories( + cunit_security_plugins PRIVATE + "$" + "$>" + "$>" + "$>" + "$" + "$" + ) + + +target_link_libraries(cunit_security_plugins PRIVATE ddsc security_api) + + +find_package(OpenSSL ) +if(OPENSSL_FOUND) + target_link_libraries(cunit_security_plugins PRIVATE OpenSSL::SSL) + +else() + message(FATAL_ERROR "To build without openssl support, set DDSC_ENABLE_OPENSSL to OFF") +endif() + +set(CUnit_builtin_plugins_tests_dir "${CMAKE_CURRENT_LIST_DIR}") + +configure_file("config_env.h.in" "config_env.h") + + diff --git a/src/security/builtin_plugins/tests/common/src/handshake_helper.c b/src/security/builtin_plugins/tests/common/src/handshake_helper.c new file mode 100644 index 0000000..2ff63bd --- /dev/null +++ b/src/security/builtin_plugins/tests/common/src/handshake_helper.c 
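Review bot: The `else()` branch after `find_package(OpenSSL )` fails with a message telling the user to set `DDSC_ENABLE_OPENSSL` to OFF, but nothing in this file checks that option, so as far as the hunk shows the advice would not get past this error. The test sources call OpenSSL directly, so `find_package(OpenSSL REQUIRED)` followed by an unconditional `target_link_libraries(cunit_security_plugins PRIVATE OpenSSL::SSL)` states the requirement and leaves the diagnostic to CMake. The handshake_helper.c added in this patch uses only libcrypto functions (EVP, DH, EC, BIO), so `OpenSSL::Crypto` may be the narrower link target; that is worth confirming against the other test sources.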
@@ -0,0 +1,579 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ +#include "handshake_helper.h" +#include "dds/security/core/dds_security_serialize.h" +#include "dds/ddsrt/string.h" +#include "dds/ddsrt/heap.h" +#include +#include +#include "dds/ddsrt/environ.h" +#include "CUnit/CUnit.h" +#include "CUnit/Test.h" +#include "assert.h" +#include "dds/ddsrt/misc.h" +#include "dds/security/core/shared_secret.h" + +#if OPENSSL_VERSION_NUMBER >= 0x1000200fL +#define AUTH_INCLUDE_EC +#include +#include + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#define AUTH_INCLUDE_DH_ACCESSORS +#endif +#else +#error "version not found" +#endif + + +const BIGNUM * +dh_get_public_key( + DH *dhkey) +{ +#ifdef AUTH_INCLUDE_DH_ACCESSORS + const BIGNUM *pubkey, *privkey; + DH_get0_key(dhkey, &pubkey, &privkey); + return pubkey; +#else + return dhkey->pub_key; +#endif +} + +int +dh_set_public_key( + DH *dhkey, + BIGNUM *pubkey) +{ +#ifdef AUTH_INCLUDE_DH_ACCESSORS + return DH_set0_key(dhkey, pubkey, NULL); +#else + dhkey->pub_key = pubkey; +#endif + return 1; +} + + +/* for DEBUG purposes */ +void print_binary_test( char* name, unsigned char *value, uint32_t size){ + uint32_t i; + printf("%s: ",name ); + for( i=0; i< size; i++) + { + printf("%x",value[i]); + } + printf("\n"); +} + +DDS_Security_BinaryProperty_t * +print_binary_properties_test( + DDS_Security_DataHolder *token) +{ + DDS_Security_BinaryProperty_t *result = NULL; + uint32_t i; + for (i = 0; i < token->binary_properties._length && !result; i++) { + print_binary_test( token->binary_properties._buffer[i].name, 
token->binary_properties._buffer[i].value._buffer, token->binary_properties._buffer[i].value._length); + } + + return result; +} + +DDS_Security_ValidationResult_t +create_signature_for_test( + EVP_PKEY *pkey, + const DDS_Security_BinaryProperty_t **binary_properties, + const uint32_t binary_properties_length, + unsigned char **signature, + size_t *signatureLen, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_Serializer serializer; + unsigned char *buffer; + size_t size; + + serializer = DDS_Security_Serializer_new(4096, 4096); + + DDS_Security_Serialize_BinaryPropertyArray(serializer,binary_properties, binary_properties_length); + DDS_Security_Serializer_buffer(serializer, &buffer, &size); + + result = create_asymmetrical_signature_for_test(pkey, buffer, size, signature, signatureLen, ex); + + ddsrt_free(buffer); + DDS_Security_Serializer_free(serializer); + + return result; +} + +#if( AC_TESTS_IMPLEMENTED ) +static DDS_Security_ValidationResult_t +screate_asymmetrical_signature_for_test( + EVP_PKEY *pkey, + void *data, + size_t dataLen, + unsigned char **signature, + size_t *signatureLen, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *kctx = NULL; + + if (!(mdctx = EVP_MD_CTX_create())) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, result, "Failed to create signing context: %s", msg); + ddsrt_free(msg); + goto err_create_ctx; + } + + if (EVP_DigestSignInit(mdctx, &kctx, EVP_sha256(), NULL, pkey) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, result, "Failed to initialize signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } 
+ + if (EVP_PKEY_CTX_set_rsa_padding(kctx, RSA_PKCS1_PSS_PADDING) < 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, result, "Failed to initialize signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + if (EVP_DigestSignUpdate(mdctx, data, dataLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, result, "Failed to update signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + if (EVP_DigestSignFinal(mdctx, NULL, signatureLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, result, "Failed to finalize signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + //*signature = ddsrt_malloc(sizeof(unsigned char) * (*signatureLen)); + *signature = OPENSSL_malloc(*signatureLen); + if (EVP_DigestSignFinal(mdctx, *signature, signatureLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, result, "Failed to finalize signing context: %s", msg); + ddsrt_free(msg); + ddsrt_free(signature); + } + +err_sign: + EVP_MD_CTX_destroy(mdctx); +err_create_ctx: + return result; +} +#endif + + +char * +get_openssl_error_message_for_test( + void) +{ + BIO *bio = BIO_new(BIO_s_mem()); + char *msg; + char *buf = NULL; + size_t len; + + if (bio) { + ERR_print_errors(bio); + len = (size_t)BIO_get_mem_data (bio, &buf); + msg = ddsrt_malloc(len + 1); + memset(msg, 0, len+1); + memcpy(msg, buf, len); + BIO_free(bio); + } else { + msg = ddsrt_strdup("BIO_new failed"); + } + + return msg; +} + 
+DDS_Security_ValidationResult_t +validate_asymmetrical_signature_for_test( + EVP_PKEY *pkey, + void *data, + size_t dataLen, + unsigned char *signature, + size_t signatureLen, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EVP_MD_CTX *mdctx = NULL; + + if (!(mdctx = EVP_MD_CTX_create())) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to create verify context: %s", msg); + ddsrt_free(msg); + goto err_create_ctx; + } + + if (EVP_DigestVerifyInit(mdctx, NULL, EVP_sha256(), NULL, pkey) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize verify context: %s", msg); + ddsrt_free(msg); + goto err_verify; + } + + if (EVP_DigestVerifyUpdate(mdctx, data, dataLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to update verify context: %s", msg); + ddsrt_free(msg); + goto err_verify; + } + + if (EVP_DigestVerifyFinal(mdctx, signature, signatureLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to finalize verify context: %s", msg); + ddsrt_free(msg); + goto err_verify; + } + +err_verify: + EVP_MD_CTX_destroy(mdctx); +err_create_ctx: + return result; +} + +DDS_Security_ValidationResult_t +get_public_key( + EVP_PKEY *pkey, + unsigned char **buffer, + size_t *length, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; 
+ BIO *bio = NULL; + char *ptr = NULL; + size_t sz; + + assert(pkey); + assert(buffer); + + *length = 0; + + bio = BIO_new(BIO_s_mem()); + + if ( bio == NULL) { + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to get public key: BIO_new_mem_buf failed"); + } else if (!PEM_write_bio_PUBKEY(bio, pkey)) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to get public key: PEM_write_bio_PUBKEY failed: %s", msg); + ddsrt_free(msg); + } else { + sz = (size_t)BIO_get_mem_data(bio, &ptr); + *buffer = ddsrt_malloc(sz +1); + memcpy(*buffer, ptr, sz); + *length = sz; + } + + if (bio) BIO_free(bio); + + return result; +} + +static EVP_PKEY * +modp_data_to_pubkey( + const unsigned char *data, + uint32_t size) +{ + EVP_PKEY *pkey= NULL; + DH *dhkey = NULL; + ASN1_INTEGER *asni; + BIGNUM *bn = NULL; + + if (!(asni = d2i_ASN1_INTEGER(NULL, &data, size))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to decode DH public key: %s", msg); + ddsrt_free(msg); + goto fail_asni; + } + + if (!(bn = ASN1_INTEGER_to_BN(asni, NULL))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to convert to BIGNU<: %s", msg); + ddsrt_free(msg); + goto fail_bn; + } + + if (!(dhkey = DH_get_2048_256())) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate dhkey: %s", msg); + ddsrt_free(msg); + goto fail_dhkey; + } + + dh_set_public_key(dhkey,bn); + + if (!(pkey = EVP_PKEY_new())) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate pkey: %s", msg); + ddsrt_free(msg); + goto fail_pkey; + } + + if (!EVP_PKEY_set1_DH(pkey, dhkey)) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set public key: %s", msg); + ddsrt_free(msg); + 
EVP_PKEY_free(pkey); + pkey = NULL; + } + + ASN1_INTEGER_free(asni); + DH_free(dhkey); + + return pkey; + +fail_pkey: + DH_free(dhkey); +fail_dhkey: + BN_free(bn); +fail_bn: + ASN1_INTEGER_free(asni); +fail_asni: + return NULL; +} + +static EVP_PKEY * +ecdh_data_to_pubkey( + const unsigned char *data, + uint32_t size) +{ + EVP_PKEY *pkey = NULL; + EC_KEY *eckey = NULL; + EC_GROUP *group = NULL; + EC_POINT *point = NULL; + + if (!(group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EC group: %s", msg); + ddsrt_free(msg); + } else if (!(point = EC_POINT_new(group))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EC point: %s", msg); + ddsrt_free(msg); + } else if (EC_POINT_oct2point(group, point, data, size, NULL) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to deserialize EC public key to EC point: %s", msg); + ddsrt_free(msg); + } else if (!(eckey = EC_KEY_new())) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EC KEY: %s", msg); + ddsrt_free(msg); + } else if (EC_KEY_set_group(eckey, group) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to convert octet sequence to ASN1 integer: %s", msg); + ddsrt_free(msg); + } else if (EC_KEY_set_public_key(eckey, point) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set EC public key: %s", msg); + ddsrt_free(msg); + } else if (!(pkey = EVP_PKEY_new())) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EVP key: %s", msg); + ddsrt_free(msg); + } else if (EVP_PKEY_set1_EC_KEY(pkey, eckey) != 1) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set EVP key to EC public key: %s", msg); + ddsrt_free(msg); + EVP_PKEY_free(pkey); + pkey = NULL; + } + + if (eckey) EC_KEY_free(eckey); + if (point) EC_POINT_free(point); + if 
(group) EC_GROUP_free(group); + + return pkey; +} + +int +check_shared_secret( + dds_security_authentication *auth, + int use_ecdh, + const DDS_Security_BinaryProperty_t *dh_remote, + EVP_PKEY *dh_local_private, + + DDS_Security_HandshakeHandle handshake_handle) + +{ +/* calculate shared secret with the other side */ + EVP_PKEY_CTX *ctx = NULL; + size_t skeylen; + EVP_PKEY *dh_remote_public = NULL; + DDS_Security_SharedSecretHandle shared_secret_local_handle; + DDS_Security_SecurityException exception; + DDS_Security_octet *shared_secret_local; + DDS_Security_octet shared_secret_remote[SHA256_DIGEST_LENGTH]; + DDS_Security_octet *secret; + int result; + + if (use_ecdh) { + dh_remote_public = ecdh_data_to_pubkey(dh_remote->value._buffer, dh_remote->value._length); + } else { + dh_remote_public = modp_data_to_pubkey(dh_remote->value._buffer, dh_remote->value._length); + } + + if (!dh_remote_public) { + CU_FAIL("Coud not decode DH public key"); + } + + ctx = EVP_PKEY_CTX_new(dh_local_private, NULL /* no engine */); + if (!ctx) + { + /* Error occurred */ + CU_FAIL("Coud not allocate CTX"); + } + + if (EVP_PKEY_derive_init(ctx) <= 0) + { + /* Error */ + CU_FAIL("Coud not init"); + } + result = EVP_PKEY_derive_set_peer(ctx, dh_remote_public) ; + if (result<= 0) + { + /* Error */ + char *msg = get_openssl_error_message_for_test(); + printf("DH remote public: %s\n",dh_remote->value._buffer); + printf("SSL Error: %s\n", msg); + ddsrt_free(msg); + CU_FAIL("Could not set peer"); + } + + /* Determine buffer length */ + result = EVP_PKEY_derive(ctx, NULL, &skeylen); + if (result <= 0) + { + /* Error */ + CU_FAIL("Could not set derive"); + } + + secret = ddsrt_malloc(skeylen+1); + + if (EVP_PKEY_derive(ctx, secret, &skeylen) <= 0) + { + /* Error */ + CU_FAIL("Could not set derive"); + } + + SHA256(secret, skeylen, shared_secret_remote); + + ddsrt_free(secret); + + /* get the secret handle */ + shared_secret_local_handle = auth->get_shared_secret( auth, handshake_handle, 
&exception); + + /* convert handle to object */ + shared_secret_local = ((DDS_Security_SharedSecretHandleImpl *)(shared_secret_local_handle))->shared_secret; + /*compare with remote. They should be same */ + + if (ctx) { + EVP_PKEY_CTX_free(ctx); + } + + if (dh_remote_public) { + EVP_PKEY_free(dh_remote_public); + } + + return memcmp(shared_secret_local, shared_secret_remote, SHA256_DIGEST_LENGTH); +} + + + +DDS_Security_ValidationResult_t +create_asymmetrical_signature_for_test( + EVP_PKEY *pkey, + void *data, + size_t dataLen, + unsigned char **signature, + size_t *signatureLen, + DDS_Security_SecurityException *ex) +{ + DDS_Security_ValidationResult_t result = DDS_SECURITY_VALIDATION_OK; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *kctx = NULL; + + if (!(mdctx = EVP_MD_CTX_create())) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to create signing context: %s", msg); + ddsrt_free(msg); + goto err_create_ctx; + } + + if (EVP_DigestSignInit(mdctx, &kctx, EVP_sha256(), NULL, pkey) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + if (EVP_PKEY_CTX_set_rsa_padding(kctx, RSA_PKCS1_PSS_PADDING) < 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to initialize signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + if (EVP_DigestSignUpdate(mdctx, data, dataLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", 
DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to update signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + if (EVP_DigestSignFinal(mdctx, NULL, signatureLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to finalize signing context: %s", msg); + ddsrt_free(msg); + goto err_sign; + } + + //*signature = os_malloc(sizeof(unsigned char) * (*signatureLen)); + *signature = OPENSSL_malloc(*signatureLen); + if (EVP_DigestSignFinal(mdctx, *signature, signatureLen) != 1) { + char *msg = get_openssl_error_message_for_test(); + result = DDS_SECURITY_VALIDATION_FAILED; + DDS_Security_Exception_set(ex, "Authentication", DDS_SECURITY_ERR_UNDEFINED_CODE, (int)result, "Failed to finalize signing context: %s", msg); + ddsrt_free(msg); + ddsrt_free(signature); + } + + err_sign: + EVP_MD_CTX_destroy(mdctx); + err_create_ctx: + return result; +} + + diff --git a/src/security/builtin_plugins/tests/common/src/handshake_helper.h b/src/security/builtin_plugins/tests/common/src/handshake_helper.h new file mode 100644 index 0000000..b6e2e38 --- /dev/null +++ b/src/security/builtin_plugins/tests/common/src/handshake_helper.h 
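Review bot: The failure branch after the second `EVP_DigestSignFinal` in `create_asymmetrical_signature_for_test` calls `ddsrt_free(signature)`, which passes the caller's `unsigned char **` out-parameter to the allocator instead of the buffer that `OPENSSL_malloc` returned just above. That releases memory this function never allocated and leaks the real buffer, which `*signature` still points to when the function returns `DDS_SECURITY_VALIDATION_FAILED`. The branch should read `OPENSSL_free(*signature); *signature = NULL;`, and the `OPENSSL_malloc` result should be checked before it is handed to `EVP_DigestSignFinal`. The same lines appear in `screate_asymmetrical_signature_for_test` inside the `#if( AC_TESTS_IMPLEMENTED )` block. Separately, `check_shared_secret` prints `dh_remote->value._buffer` with `%s` although it is an octet buffer with an explicit `_length`, so that `printf` can read past its end.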
@@ -0,0 +1,90 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + +#ifndef DDS_SECURITY_BUITIN_TEST_HANDSHAKE_HELPER_H +#define DDS_SECURITY_BUITIN_TEST_HANDSHAKE_HELPER_H + +#include "dds/security/dds_security_api.h" +#include "dds/security/core/dds_security_serialize.h" + +#include +#include +#include +#include +#include +#include +#include +#include + +const BIGNUM * +dh_get_public_key( + DH *dhkey); + +int +dh_set_public_key( + DH *dhkey, + BIGNUM *pubkey); + +DDS_Security_ValidationResult_t +create_signature_for_test( + EVP_PKEY *pkey, + const DDS_Security_BinaryProperty_t **binary_properties, + const uint32_t binary_properties_length, + unsigned char **signature, + size_t *signatureLen, + DDS_Security_SecurityException *ex); + +DDS_Security_ValidationResult_t +create_asymmetrical_signature_for_test( + EVP_PKEY *pkey, + void *data, + size_t dataLen, + unsigned char **signature, + size_t *signatureLen, + DDS_Security_SecurityException *ex); + +char * +get_openssl_error_message_for_test( + void); + +DDS_Security_ValidationResult_t +validate_asymmetrical_signature_for_test( + EVP_PKEY *pkey, + void *data, + size_t dataLen, + unsigned char *signature, + size_t signatureLen, + DDS_Security_SecurityException *ex); + +DDS_Security_ValidationResult_t +get_public_key( + EVP_PKEY *pkey, + unsigned char **buffer, + size_t *length, + DDS_Security_SecurityException *ex); + +/* for DEBUG purposes */ +void print_binary_test( char* name, unsigned char *value, uint32_t size); + +DDS_Security_BinaryProperty_t * +print_binary_properties_test( + DDS_Security_DataHolder *token); + +int 
+check_shared_secret( + dds_security_authentication *auth, + int use_ecdh, + const DDS_Security_BinaryProperty_t *dh_remote, + EVP_PKEY *dh_local_private, + DDS_Security_HandshakeHandle handshake_handle); + +#endif \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/common/src/loader.c b/src/security/builtin_plugins/tests/common/src/loader.c new file mode 100644 index 0000000..c6584f2 --- /dev/null +++ b/src/security/builtin_plugins/tests/common/src/loader.c 
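Review bot: The prototypes that hand back heap memory do not say which allocator the caller must release it with, and the implementations in handshake_helper.c use two different ones. `create_signature_for_test` and `create_asymmetrical_signature_for_test` fill `*signature` from `OPENSSL_malloc`, whereas `get_public_key` fills `*buffer` from `ddsrt_malloc` and `get_openssl_error_message_for_test` returns a string from `ddsrt_malloc` or `ddsrt_strdup`. I would add a comment above each, for example `/* *signature is allocated with OPENSSL_malloc; release it with OPENSSL_free */` and `/* the returned string is owned by the caller; release it with ddsrt_free */`. The include guard is spelled `DDS_SECURITY_BUITIN_TEST_HANDSHAKE_HELPER_H` (probably meant to be `BUILTIN`), and the file ends without a trailing newline.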
@@ -0,0 +1,222 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + +#include +#include +#include "loader.h" +#include "dds/ddsrt/dynlib.h" +#include "dds/ddsrt/heap.h" +#include "dds/ddsrt/string.h" +#include "sys/stat.h" +#include "assert.h" +#include "stdio.h" +#include "string.h" +#include "dds/security/core/dds_security_utils.h" + +struct plugin_info { + void *context; + ddsrt_dynlib_t lib_handle; + plugin_init func_init; + plugin_finalize func_fini; +}; + +struct plugins_hdl { + struct plugin_info plugin_ac; + struct plugin_info plugin_auth; + struct plugin_info plugin_crypto; +}; + +static void* +load_plugin( + struct plugin_info *info, + const char *name_lib, + const char *name_init, + const char *name_fini) +{ + dds_return_t result; + void *plugin = NULL; + assert(info); + + result = ddsrt_dlopen(name_lib, true, &info->lib_handle); + if (result == DDS_RETCODE_OK && info->lib_handle) { + + result = ddsrt_dlsym(info->lib_handle, name_init, (void **)&info->func_init); + if( result != DDS_RETCODE_OK || info->func_init == NULL) { + char buf[200]; + ddsrt_dlerror(buf, 200); + printf("ERROR: could not init %s\n. Invalid init function: %s: %s", name_lib, name_init, buf); + return plugin; + } + + result = ddsrt_dlsym(info->lib_handle, name_fini, (void **)&info->func_fini); + if( result != DDS_RETCODE_OK || info->func_fini == NULL ) { + printf("ERROR: could not init %s\n. 
Invalid fini function: %s", name_lib, name_fini); + return plugin; + } + + char * init_parameters = ""; + (void)info->func_init(init_parameters, &plugin); + if (plugin) { + info->context = plugin; + } else { + printf("ERROR: could not init %s\n", name_lib); + } + } else { + char buffer[300]; + ddsrt_dlerror(buffer,300); + printf("ERROR: could not load %s. %s\n", name_lib, buffer); + } + return plugin; +} + +struct plugins_hdl* +load_plugins( + dds_security_access_control **ac, + dds_security_authentication **auth, + dds_security_cryptography **crypto) +{ + struct plugins_hdl *plugins = ddsrt_malloc(sizeof(struct plugins_hdl)); + assert(plugins); + memset(plugins, 0, sizeof(struct plugins_hdl)); + if (ac) { + *ac = load_plugin(&(plugins->plugin_ac), + "dds_security_ac", + "init_access_control", + "finalize_access_control"); + if (!(*ac)) { + goto err; + } + } + if (auth) { + *auth = load_plugin(&(plugins->plugin_auth), + //"dds_security_auth", + "dds_security_auth", + "init_authentication", + "finalize_authentication"); + if (!(*auth)) { + goto err; + } + } + if (crypto) { + *crypto = load_plugin(&(plugins->plugin_crypto), + "dds_security_crypto", + "init_crypto", + "finalize_crypto"); + if (!(*crypto)) { + goto err; + } + } + return plugins; + +err: + unload_plugins(plugins); + return NULL; +} + +static void +unload_plugin( + struct plugin_info *info) +{ + dds_return_t result; + assert(info); + + if (info->lib_handle) { + if (info->func_fini && info->context) { + info->func_fini(info->context); + } + result = ddsrt_dlclose( info->lib_handle ); + if ( result != 0 ){ + printf( "Error occured while closing the library\n"); + } + } +} + +void +unload_plugins( + struct plugins_hdl *plugins) +{ + assert (plugins); + unload_plugin(&(plugins->plugin_ac)); + unload_plugin(&(plugins->plugin_auth)); + unload_plugin(&(plugins->plugin_crypto)); + ddsrt_free(plugins); +} + +static size_t +regular_file_size( + const char *filename) +{ + size_t sz = 0; + /* Provided? 
*/ + if (filename) { + /* Accessible? */ +#if _WIN32 + struct _stat stat_info; + int ret = _stat( filename, &stat_info ); +#else + struct stat stat_info; + int ret = stat( filename, &stat_info ); +#endif + if ( ret == 0 ) { + /* Regular? */ +#ifdef WIN32 + if (stat_info.st_mode & _S_IFREG) { +#else + if (S_ISREG(stat_info.st_mode)) { +#endif + /* Yes, so get the size. */ + sz = ( size_t ) stat_info.st_size; + } + } + } + return sz; +} + +char * +load_file_contents( + const char *filename) +{ + char *document = NULL; + char *fname; + size_t sz, r; + FILE *fp; + + assert(filename); + + /* Get portable file name. */ + fname = DDS_Security_normalize_file( filename ); + if (fname) { + /* Get size if it is a accessible regular file (no dir or link). */ + sz = regular_file_size(fname); + if (sz > 0) { + /* Open the actual file. */ + DDSRT_WARNING_MSVC_OFF(4996); + fp = fopen(fname, "r"); + DDSRT_WARNING_MSVC_ON(4996); + if (fp) { + /* Read the content. */ + document = ddsrt_malloc(sz + 1); + r = fread(document, 1, sz, fp); + if (r == 0) { + ddsrt_free(document); + document = NULL; + } else { + document[r] = '\0'; + } + (void)fclose(fp); + } + } + ddsrt_free(fname); + } + + return document; +} diff --git a/src/security/builtin_plugins/tests/common/src/loader.h b/src/security/builtin_plugins/tests/common/src/loader.h new file mode 100644 index 0000000..305ac53 --- /dev/null +++ b/src/security/builtin_plugins/tests/common/src/loader.h 
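Review bot: `load_file_contents` checks the file by name with `stat()` in `regular_file_size` and then reopens it by name with `fopen`, so the type/size check and the read are not tied to the same file object, and `stat()` follows symbolic links although the comment says "(no dir or link)". Opening first and checking type and size on the open handle closes that gap; the sketch below shows the changed part of `load_file_contents`. `regular_file_size` also selects the stat call with `#if _WIN32` but the mode test with `#ifdef WIN32`, and both should use `#ifdef _WIN32`. This is test-support code, so the exposure is limited to whoever can write to the test data location.

```c
  fname = DDS_Security_normalize_file( filename );
  if (fname) {
    /* Open first, then check type and size on the open handle. */
    DDSRT_WARNING_MSVC_OFF(4996);
    fp = fopen(fname, "r");
    DDSRT_WARNING_MSVC_ON(4996);
    if (fp) {
#ifdef _WIN32
      struct _stat st;
      int regular = (_fstat(_fileno(fp), &st) == 0) && (st.st_mode & _S_IFREG);
#else
      struct stat st;
      int regular = (fstat(fileno(fp), &st) == 0) && S_ISREG(st.st_mode);
#endif
      if (regular && st.st_size > 0) {
        sz = (size_t) st.st_size;
        /* … unchanged: ddsrt_malloc(sz + 1), fread, NUL-terminate … */
      }
      (void)fclose(fp);
    }
    /* … unchanged: ddsrt_free(fname) … */
  }
```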
@@ -0,0 +1,34 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#ifndef _DBT_SECURITY_PLUGINS_LOADER_H_
+#define _DBT_SECURITY_PLUGINS_LOADER_H_
+
+#include "dds/security/dds_security_api.h"
+
+struct plugins_hdl;
+
+struct plugins_hdl*
+load_plugins(
+ dds_security_access_control **ac,
+ dds_security_authentication **auth,
+ dds_security_cryptography **crypto);
+
+void
+unload_plugins(
+ struct plugins_hdl *plugins);
+
+char*
+load_file_contents(
+ const char *filename);
+
+#endif
diff --git a/src/security/builtin_plugins/tests/config_env.h.in b/src/security/builtin_plugins/tests/config_env.h.in
new file mode 100644
index 0000000..3f2b23a
--- /dev/null
+++ b/src/security/builtin_plugins/tests/config_env.h.in
@@ -0,0 +1,17 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#ifndef CONFIG_ENV_H
+#define CONFIG_ENV_H
+
+#define CONFIG_ENV_TESTS_DIR "@CUnit_builtin_plugins_tests_dir@"
+
+#endif /* CONFIG_ENV_H */
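Review bot: The three declarations in loader.h say nothing about ownership, which every caller needs: per loader.c, `load_plugins` returns a handle that has to be passed to `unload_plugins` (or NULL after it has already unloaded what was loaded), and `load_file_contents` returns a `ddsrt_malloc`'d NUL-terminated buffer or NULL. I would add `/* Returns a NUL-terminated copy of the file, or NULL; free with ddsrt_free(). */` above `load_file_contents` and `/* Returns a handle to pass to unload_plugins(), or NULL on failure. */` above `load_plugins`. The guard `_DBT_SECURITY_PLUGINS_LOADER_H_` starts with an underscore followed by an upper-case letter, a form C reserves for the implementation; `DBT_SECURITY_PLUGINS_LOADER_H` avoids that.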
diff --git a/src/security/builtin_plugins/tests/get_authenticated_peer_credential_token/src/get_authenticated_peer_credential_token_utests.c b/src/security/builtin_plugins/tests/get_authenticated_peer_credential_token/src/get_authenticated_peer_credential_token_utests.c new file mode 100644 index 0000000..12216c5 --- /dev/null +++ b/src/security/builtin_plugins/tests/get_authenticated_peer_credential_token/src/get_authenticated_peer_credential_token_utests.c 
@@ -0,0 +1,1648 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + +/* CUnit includes. */ + +#include "CUnit/CUnit.h" +#include "CUnit/Test.h" +#include "assert.h" +/* Test helper includes. */ +#include "common/src/loader.h" +#include "common/src/handshake_helper.h" + +#include "dds/security/dds_security_api.h" +#include +#include +#include +#include + +#include "dds/ddsrt/string.h" +#include "dds/ddsrt/heap.h" +#include +#include +#include "dds/ddsrt/environ.h" + +#include "dds/ddsrt/misc.h" +#include "dds/ddsrt/endian.h" +#include "dds/security/core/dds_security_serialize.h" +#include "dds/security/dds_security_api.h" +#include "dds/security/core/dds_security_utils.h" + +#define HANDSHAKE_SIGNATURE_SIZE 6 + +#if DDSRT_ENDIAN == DDSRT_LITTLE_ENDIAN +static unsigned bswap4u (unsigned x) +{ + return (x >> 24) | ((x >> 8) & 0xff00) | ((x << 8) & 0xff0000) | (x << 24); +} +#define toBE4u(x) bswap4u (x) +#define fromBE4u(x) bswap4u (x) +#else +#define toBE4u(x) (x) +#define fromBE4u(x) (x) +#endif + + +static const char * AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0"; +static const char * PERM_ACCESS_CLASS_ID = "DDS:Access:Permissions:1.0"; + +static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca"; +static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key"; +static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate"; + +static const char * PROPERTY_CERT_SUBJECT_NAME = "dds.cert.sn"; +static const char * PROPERTY_CERT_ALGORITHM = "dds.cert.algo"; +static const char * PROPERTY_CA_SUBJECT_NAME = "dds.ca.sn"; +static const char * 
PROPERTY_CA_ALGORITHM = "dds.ca.aglo"; + +static const char * PROPERTY_PERM_CA_SUBJECT_NAME = "ds.perm_ca.sn"; + +static const char * SUBJECT_NAME_IDENTITY_CERT = "CN=CHAM-574 client,O=Some Company,ST=Some-State,C=NL"; +static const char * SUBJECT_NAME_IDENTITY_CA = "CN=CHAM-574 authority,O=Some Company,ST=Some-State,C=NL"; + +static const char * RSA_2048_ALGORITHM_NAME = "RSA-2048"; + +static const char * AUTH_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+AuthReq"; +static const char * AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME = "future_challenge"; + +static const char * AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Req"; +static const char * AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Reply"; +static const char * AUTH_HANDSHAKE_FINAL_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Final"; + +static const char * PERMISSIONS_DOCUMENT = "permissions_document"; + +typedef enum { + HANDSHAKE_REQUEST, + HANDSHAKE_REPLY, + HANDSHAKE_FINAL +} HandshakeStep_t; + + +struct octet_seq { + unsigned char *data; + uint32_t length; +}; + +static const char * AUTH_DSIGN_ALGO_RSA_NAME = "RSASSA-PSS-SHA256"; +static const char * AUTH_KAGREE_ALGO_RSA_NAME = "DH+MODP-2048-256"; +static const char * AUTH_KAGREE_ALGO_ECDH_NAME = "ECDH+prime256v1-CEUM"; + + + +static const char *identity_certificate = + +"data:,-----BEGIN CERTIFICATE-----\n" +"MIIDYDCCAkigAwIBAgIBBDANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" +"MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" +"aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" +"Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowdTELMAkGA1UEBhMC\n" +"TkwxCzAJBgNVBAgTAk9WMRAwDgYDVQQKEwdBRExpbmsgMREwDwYDVQQLEwhJU1Qg\n" +"VGVzdDETMBEGA1UEAxMKQWxpY2UgVGVzdDEfMB0GCSqGSIb3DQEJARYQYWxpY2VA\n" +"YWRsaW5rLmlzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANBW+tEZ\n" +"Baw7EQCEXyzH9n7IkZ8PQIKe8hG1LAOGYOF/oUYQZJO/HxbWoC4rFqOC20+A6is6\n" +"kFwr1Zzp/Wurk9CrFXo5Nomi6ActH6LUM57nYqN68w6U38z/XkQxVY/ESZ5dySfD\n" 
+"9Q1C8R+zdE8gwbimdYmwX7ioz336nghM2CoAHPDRthQeJupl8x4V7isOltr9CGx8\n" +"+imJXbGr39OK6u87cNLeu23sUkOIC0lSRMIqIQK3oJtHS70J2qecXdqp9MhE7Xky\n" +"/GPlI8ptQ1gJ8A3cAOvtI9mtMJMszs2EKWTLfeTcmfJHKKhKjvCgDdh3Jan4x5YP\n" +"Yg7HG6H+ceOUkMMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAkvuqZzyJ3Nu4/Eo5\n" +"kD0nVgYGBUl7cspu+636q39zPSrxLEDMUWz+u8oXLpyGcgiZ8lZulPTV8dmOn+3C\n" +"Vg55c5C+gbnbX3MDyb3wB17296RmxYf6YNul4sFOmj6+g2i+Dw9WH0PBCVKbA84F\n" +"jR3Gx2Pfoifor3DvT0YFSsjNIRt090u4dQglbIb6cWEafC7O24t5jFhGPvJ7L9SE\n" +"gB0Drh/HmKTVuaqaRkoOKkKaKuWoXsszK1ZFda1DHommnR5LpYPsDRQ2fVM4EuBF\n" +"By03727uneuG8HLuNcLEV9H0i7LxtyfFkyCPUQvWG5jehb7xPOz/Ml26NAwwjlTJ\n" +"xEEFrw==\n" +"-----END CERTIFICATE-----\n"; + + +static const char *identity_ca = +"data:,-----BEGIN CERTIFICATE-----\n" +"MIIEKTCCAxGgAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" +"MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" +"aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" +"Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcjELMAkGA1UEBhMC\n" +"TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ\n" +"ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0\n" +"ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANa/ENFfGVXg\n" +"bPLTzBdDfiZQcp5dWZ//Pb8ErFOJu8uosVHFv8t69dgjHgNHB4OsjmjnR7GfKUZT\n" +"0cMvWJnjsC7DDlBwFET9rj4k40n96bbVCH9I7+tNhsoqzc6Eu+5h4sk7VfNGTM2Z\n" +"SyCd4GiSZRuA44rRbhXI7/LDpr4hY5J9ZDo5AM9ZyoLAoh774H3CZWD67S35XvUs\n" +"72dzE6uKG/vxBbvZ7eW2GLO6ewa9UxlnLVMPfJdpkp/xYXwwcPW2+2YXCge1ujxs\n" +"tjrOQJ5HUySh6DkE/kZpx8zwYWm9AaCrsvCIX1thsqgvKy+U5v1FS1L58eGc6s//\n" +"9yMgNhU29R0CAwEAAaOByTCBxjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRNVUJN\n" +"FzhJPReYT4QSx6dK53CXCTAfBgNVHSMEGDAWgBRNVUJNFzhJPReYT4QSx6dK53CX\n" +"CTAPBgNVHQ8BAf8EBQMDB/+AMGUGA1UdJQEB/wRbMFkGCCsGAQUFBwMBBggrBgEF\n" +"BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkGCCsG\n" +"AQUFBwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAcOLF\n" 
+"ZYdJguj0uxeXB8v3xnUr1AWz9+gwg0URdfNLU2KvF2lsb/uznv6168b3/FcPgezN\n" +"Ihl9GqB+RvGwgXS/1UelCGbQiIUdsNxk246P4uOGPIyW32RoJcYPWZcpY+cw11tQ\n" +"NOnk994Y5/8ad1DmcxVLLqq5kwpXGWQufV1zOONq8B+mCvcVAmM4vkyF/de56Lwa\n" +"sAMpk1p77uhaDnuq2lIR4q3QHX2wGctFid5Q375DRscFQteY01r/dtwBBrMn0wuL\n" +"AMNx9ZGD+zAoOUaslpIlEQ+keAxk3jgGMWFMxF81YfhEnXzevSQXWpyek86XUyFL\n" +"O9IAQi5pa15gXjSbUg==\n" +"-----END CERTIFICATE-----\n"; + +static const char *REMOTE_IDENTITY_CERTIFICATE = +"-----BEGIN CERTIFICATE-----\n" +"MIIDcDCCAligAwIBAgIBBTANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" +"MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" +"aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" +"Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcDELMAkGA1UEBhMC\n" +"TkwxCzAJBgNVBAgTAk9WMQ8wDQYDVQQKEwZBRExpbmsxETAPBgNVBAsTCElTVCBU\n" +"ZXN0MREwDwYDVQQDEwhCb2IgVGVzdDEdMBsGCSqGSIb3DQEJARYOYm9iQGFkbGlu\n" +"ay5pc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB5vqhuWnwhxXZ\n" +"qffPmfjzge7w91oX4ISlboIfBXp3sLj2mqLSsYhgBNJAn/Fl1OZeFw0d4gVibBgx\n" +"5Zdcjsi+ClvYK8H534iTJfNriMyhg4kSWxZF1Tixfw3FS7LqjKEY5ZNPfp5a4P+8\n" +"UveorYJusrnlv1DiF6aPhJQh8J62J6bhx62DNLO7dZbN0BUsnWtyDcfi5DOjf2/r\n" +"3lSRfecn3uBr1QYRaS5FrV+MSoGcjI3M75mei1TTUp7YT4ZWRR5rKUMql605xsms\n" +"d6sqJaKofYmw7wCuaVJ86pb/w8srdddKt21xUeQNMKn49H6raezMOE3U5BUMtZ+P\n" +"2OBLk/CPAgMBAAGjEzARMA8GA1UdDwEB/wQFAwMH/4AwDQYJKoZIhvcNAQELBQAD\n" +"ggEBAJV71Ckf1zsks5mJXqdUb8bTVHg4hN32pwjCL5c6W2XHAv+YHwE/fN3C1VIY\n" +"bC8zjUC9dCOyC2AvOQyZQ1eC/WoK6FlXjHVX2upL4lXQ9WL9ztt1mgdRrhvUPuUn\n" +"aBE8VgNU0t4jl93xMIaU8hB0kQsV+kdcN0cWbrF3mT4s9njRvopJ8hS2UE60V2wA\n" +"ceUOazH+QGPh1k0jkynrTlVR9GrpebQwZ2UFeinVO0km17IAyQkz+OmPc4jQLJMl\n" +"CmkbmMwowdLMKC6r/HyE87dN7NvFnRM5iByJklRwN7WDYZrl72HoUOlgTZ7PjW2G\n" +"jTxK8xXtDCXC/3CNpe0YFnOga8g=\n" +"-----END CERTIFICATE-----\n"; + + +static const char *private_key = + +"data:,-----BEGIN RSA PRIVATE KEY-----\n" +"MIIEowIBAAKCAQEA0Fb60RkFrDsRAIRfLMf2fsiRnw9Agp7yEbUsA4Zg4X+hRhBk\n" 
+"k78fFtagLisWo4LbT4DqKzqQXCvVnOn9a6uT0KsVejk2iaLoBy0fotQznudio3rz\n" +"DpTfzP9eRDFVj8RJnl3JJ8P1DULxH7N0TyDBuKZ1ibBfuKjPffqeCEzYKgAc8NG2\n" +"FB4m6mXzHhXuKw6W2v0IbHz6KYldsavf04rq7ztw0t67bexSQ4gLSVJEwiohAreg\n" +"m0dLvQnap5xd2qn0yETteTL8Y+Ujym1DWAnwDdwA6+0j2a0wkyzOzYQpZMt95NyZ\n" +"8kcoqEqO8KAN2HclqfjHlg9iDscbof5x45SQwwIDAQABAoIBAG0dYPeqd0IhHWJ7\n" +"8azufbchLMN1pX/D51xG2uptssfnpHuhkkufSZUYi4QipRS2ME6PYhWJ8pmTi6lH\n" +"E6cUkbI0KGd/F4U2gPdhNrR9Fxwea5bbifkVF7Gx/ZkRjZJiZ3w9+mCNTQbJDKhh\n" +"wITAzzT6WYznhvqbzzBX1fTa6kv0GAQtX7aHKM+XIwkhX2gzU5TU80bvH8aMrT05\n" +"tAMGQqkUeRnpo0yucBl4VmTZzd/+X/d2UyXR0my15jE5iH5o+p+E6qTRE9D+MGUd\n" +"MQ6Ftj0Untqy1lcog1ZLL6zPlnwcD4jgY5VCYDgvabnrSwymOJapPLsAEdWdq+U5\n" +"ec44BMECgYEA/+3qPUrd4XxA517qO3fCGBvf2Gkr7w5ZDeATOTHGuD8QZeK0nxPl\n" +"CWhRjdgkqo0fyf1cjczL5XgYayo+YxkO1Z4RUU+8lJAHlVx9izOQo+MTQfkwH4BK\n" +"LYlHxMoHJwAOXXoE+dmBaDh5xT0mDUGU750r763L6EFovE4qRBn9hxkCgYEA0GWz\n" +"rpOPNxb419WxG9npoQYdCZ5IbmEOGDH3ReggVzWHmW8sqtkqTZm5srcyDpqAc1Gu\n" +"paUveMblEBbU+NFJjLWOfwB5PCp8jsrqRgCQSxolShiVkc3Vu3oyzMus9PDge1eo\n" +"9mwVGO7ojQKWRu/WVAakENPaAjeyyhv4dqSNnjsCgYEAlwe8yszqoY1k8+U0T0G+\n" +"HeIdOCXgkmOiNCj+zyrLvaEhuS6PLq1b5TBVqGJcSPWdQ+MrglbQIKu9pUg5ptt7\n" +"wJ5WU+i9PeK9Ruxc/g/BFKYFkFJQjtZzb+nqm3wpul8zGwDN/O/ZiTqCyd3rHbmM\n" +"/dZ/viKPCZHIEBAEq0m3LskCgYBndzcAo+5k8ZjWwBfQth5SfhCIp/daJgGzbYtR\n" +"P/BenAsY2KOap3tjT8Fsw5usuHSxzIojX6H0Gvu7Qzq11mLn43Q+BeQrRQTWeFRc\n" +"MQdy4iZFZXNNEp7dF8yE9VKHwdgSJPGUdxD6chMvf2tRCN6mlS171VLV6wVvZvez\n" +"H/vX5QKBgD2Dq/NHpjCpAsECP9awmNF5Akn5WJbRGmegwXIih2mOtgtYYDeuQyxY\n" +"ZCrdJFfIUjUVPagshEmUklKhkYMYpzy2PQDVtaVcm6UNFroxT5h+J+KDs1LN1H8G\n" +"LsASrzyAg8EpRulwXEfLrWKiu9DKv8bMEgO4Ovgz8zTKJZIFhcac\n" +"-----END RSA PRIVATE KEY-----\n"; + + +static char *remote_private_key = +"-----BEGIN RSA PRIVATE KEY-----\n" +"MIIEowIBAAKCAQEAweb6oblp8IcV2an3z5n484Hu8PdaF+CEpW6CHwV6d7C49pqi\n" +"0rGIYATSQJ/xZdTmXhcNHeIFYmwYMeWXXI7Ivgpb2CvB+d+IkyXza4jMoYOJElsW\n" +"RdU4sX8NxUuy6oyhGOWTT36eWuD/vFL3qK2CbrK55b9Q4hemj4SUIfCetiem4cet\n" 
+"gzSzu3WWzdAVLJ1rcg3H4uQzo39v695UkX3nJ97ga9UGEWkuRa1fjEqBnIyNzO+Z\n" +"notU01Ke2E+GVkUeaylDKpetOcbJrHerKiWiqH2JsO8ArmlSfOqW/8PLK3XXSrdt\n" +"cVHkDTCp+PR+q2nszDhN1OQVDLWfj9jgS5PwjwIDAQABAoIBAHfgWhED9VgL29le\n" +"uGMzmPLK4LM+6Qcb+kXghTeyhl1a928WeRVzRpG+SVJEz9QaBHYlICnaY2PO2kJ2\n" +"49YIPFkpRFDn9JuLs/7tFonj4Eb2cBbWE3YG9W7e0t+oBiv1117yB9m8uSAMPG7s\n" +"iEpTQvE3M7CzT8kHwCS4XXCCN0z7LqKyZ1heScjdfhV3D2TnFFjdtQ/9KfQa3hIc\n" +"6ftbpi4EKbfasspyqfrJ/cqjHzse9iEXLOZJhs+atBAKe/uJ4Hc3LRPbX4MPniAp\n" +"JJrldXFK9p+HILlbXvu+5n+DSGbZmT1x9a/E9suGyoJiASDH2Ax4yCVTi+v8C1R2\n" +"aKdU1LkCgYEA/3dFuM6zIHwiJ0GKT0gtJL6J3m+i51SNcRIm8deXt6HULMpUNajj\n" +"vZ1bgQm/h+uRBlPV3swkaVxvPTIabOTY4gmCBSzvVCSIAKHVc/+5Nkl9KruwSq4G\n" +"tctmXZ7ymMDi+6QGCJTJkAx6jptXyrzC00HOjXOwyQ+iDipqgr3A8FsCgYEAwk7B\n" +"2/hi569EIHFRT6nz/JMqQVPZ/MJDKoKhffTbnjQ5OAzpiVN6cyThMM1iVJEBFNhx\n" +"OEacy60Qj0TtR1oYrQSRSLm58TTxiuB4Pohbmg3iU+kSM/eTq/ups/Ul1oCs2eAb\n" +"POfweD3c4d4i7sN8bUNQXehiE4MOlK9TYQy39t0CgYAJht0mwy6S644qgJsz0bE9\n" +"SY3Cqc8daV3M9axWIIAb7QEImpMBXUcA7zlWWpK18ub5oW68XEiPVU8grRmnLfGY\n" +"nFoo70ANlz8rJt3a8ZJqn9r3GQC+CDdf2DH9E8xgPfE5CSjgcQwDPzPi1ZA0k02A\n" +"q1eUltfk55xXguVt8r2bOQKBgQC7+kldr1yv20VDRZ1uPnMGRLE6Zg6bkqw78gid\n" +"vEbDNK6uZP+BlTr/LgyVk/yu52Fucz6FPPrvqEw+7mXHA4ifya1r+BHFIn0S57os\n" +"dOp5jTkKCI9NqxQ3683vhRjH/dA7L63qLFDdYqvP74FID+LOKbMURn6rdbyjZ0J4\n" +"vz8yGQKBgHIzcKlQosRxf+KptOPMGRs30L9PnH+sNmTo2SmEzAGkBkt1msGRh/2l\n" +"uT3hOEhUXL9knRyXwQSXgrIwr9QwI5rGS5FAgX26TgBtPBDs2NuyyhhS5yxsiEPT\n" +"BR+EjQFW9dzRkpRJgvsG4DcNAhFn7fQqFNcWXgFWuBXmGNkdtEGR\n" +"-----END RSA PRIVATE KEY-----"; + + + +static struct plugins_hdl *g_plugins = NULL; +static dds_security_authentication *g_auth = NULL; + +static DDS_Security_IdentityHandle g_local_identity_handle = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_IdentityHandle g_remote_identity_handle = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_AuthRequestMessageToken g_remote_auth_request_token = DDS_SECURITY_TOKEN_INIT; +static const DDS_Security_BinaryProperty_t 
*g_challenge1_predefined_glb = NULL; +static const DDS_Security_BinaryProperty_t *g_challenge2_predefined_glb = NULL; +static DDS_Security_OctetSeq g_serialized_participant_data = DDS_SECURITY_SEQUENCE_INIT; +static DDS_Security_ParticipantBuiltinTopicData *g_local_participant_data = NULL; + +static DDS_Security_ParticipantBuiltinTopicData *g_remote_participant_data1 = NULL; +static DDS_Security_ParticipantBuiltinTopicData *g_remote_participant_data2 = NULL; +static DDS_Security_GUID_t g_candidate_participant_guid; +static DDS_Security_GUID_t g_remote_participant_guid1; +static DDS_Security_GUID_t g_remote_participant_guid2; + +static EVP_PKEY *g_dh_modp_key = NULL; +static EVP_PKEY *g_dh_ecdh_key = NULL; +static struct octet_seq g_dh_modp_pub_key = {NULL, 0}; +static struct octet_seq g_dh_ecdh_pub_key = {NULL, 0}; + + +static void +octet_seq_init( + struct octet_seq *seq, + unsigned char *data, + uint32_t size) +{ + seq->data = ddsrt_malloc(size); + memcpy(seq->data, data, size); + seq->length = size; +} + +static void +octet_seq_deinit( + struct octet_seq *seq) +{ + ddsrt_free(seq->data); +} + +static void +serializer_participant_data( + DDS_Security_ParticipantBuiltinTopicData *pdata, + unsigned char **buffer, + size_t *size); + +static void +dds_security_property_init( + DDS_Security_PropertySeq *seq, + DDS_Security_unsigned_long size) +{ + seq->_length = size; + seq->_maximum = size; + seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t)); + memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t)); +} + +static void +dds_security_property_deinit( + DDS_Security_PropertySeq *seq) +{ + uint32_t i; + + for (i = 0; i < seq->_length; i++) { + ddsrt_free(seq->_buffer[i].name); + ddsrt_free(seq->_buffer[i].value); + } + ddsrt_free(seq->_buffer); +} + +static void +reset_exception( + DDS_Security_SecurityException *ex) +{ + ex->minor_code = 0; + ex->code = 0; + ddsrt_free(ex->message); + ex->message = NULL; +} + +static void 
+initialize_identity_token( + DDS_Security_IdentityToken *token, + const char *certAlgo, + const char *caAlgo) +{ + memset(token, 0, sizeof(*token)); + + token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID); + token->properties._maximum = 4; + token->properties._length = 4; + token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4); + + token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME); + token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CERT); + token->properties._buffer[0].propagate = true; + + token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM); + token->properties._buffer[1].value = ddsrt_strdup(certAlgo); + token->properties._buffer[1].propagate = true; + + token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME); + token->properties._buffer[2].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA); + token->properties._buffer[2].propagate = true; + + token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM); + token->properties._buffer[3].value = ddsrt_strdup(caAlgo); + token->properties._buffer[3].propagate = true; +} + +static void +initialize_permissions_token( + DDS_Security_PermissionsToken *token, + const char *caAlgo) +{ + token->class_id = ddsrt_strdup(PERM_ACCESS_CLASS_ID); + token->properties._length = 2; + token->properties._maximum = 2; + token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4); + token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME); + token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA); + token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_PERM_CA_SUBJECT_NAME); + token->properties._buffer[1].value = ddsrt_strdup(caAlgo); +} + + + +static void +fill_auth_request_token( + DDS_Security_AuthRequestMessageToken *token) +{ + uint32_t i; + size_t len = 32; + unsigned char *challenge; + + challenge = ddsrt_malloc(len); + + for (i = 0; i < len; i++) { + challenge[i] = 
(unsigned char)(0xFF - i); + } + + memset(token, 0, sizeof(*token)); + + token->class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID); + token->binary_properties._maximum = 1; + token->binary_properties._length = 1; + token->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(1); + token->binary_properties._buffer->name = ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME); + + token->binary_properties._buffer->value._maximum = (DDS_Security_unsigned_long) len; + token->binary_properties._buffer->value._length = (DDS_Security_unsigned_long) len; + token->binary_properties._buffer->value._buffer = challenge; +} + + +static DDS_Security_BinaryProperty_t * +find_binary_property( + DDS_Security_DataHolder *token, + const char *name) +{ + DDS_Security_BinaryProperty_t *result = NULL; + uint32_t i; + + for (i = 0; i < token->binary_properties._length && !result; i++) { + if (token->binary_properties._buffer[i].name && (strcmp(token->binary_properties._buffer[i].name, name) == 0)) { + result = &token->binary_properties._buffer[i]; + } + } + + return result; +} + + +static DDS_Security_Property_t * +find_property( + DDS_Security_DataHolder *token, + const char *name) +{ + DDS_Security_Property_t *result = NULL; + uint32_t i; + + for (i = 0; i < token->properties._length && !result; i++) { + if (token->properties._buffer[i].name && (strcmp(token->properties._buffer[i].name, name) == 0)) { + result = &token->properties._buffer[i]; + } + } + + return result; +} + +static void +deinitialize_identity_token( + DDS_Security_IdentityToken *token) +{ + DDS_Security_DataHolder_deinit(token); +} + + +static int +validate_local_identity(void) +{ + int res = 0; + DDS_Security_ValidationResult_t result; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GUID_t local_participant_guid; + DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 
0xb9, 0xba, 0xbb}; + DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1}; + unsigned char *sdata; + size_t sz; + + memset(&local_participant_guid, 0, sizeof(local_participant_guid)); + memcpy(&g_candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&g_candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + memset(&participant_qos, 0, sizeof(participant_qos)); + dds_security_property_init(&participant_qos.property.value, 3); + participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT); + participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate); + participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA); + participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca); + participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY); + participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key); + + /* Now call the function. */ + result = g_auth->validate_local_identity( + g_auth, + &g_local_identity_handle, + &local_participant_guid, + domain_id, + &participant_qos, + &g_candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + res = -1; + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + g_local_participant_data = DDS_Security_ParticipantBuiltinTopicData_alloc(); + memcpy(&g_local_participant_data->key[0], &local_participant_guid, 12); + /* convert from big-endian format to native format */ + g_local_participant_data->key[0] = fromBE4u(g_local_participant_data->key[0]); + g_local_participant_data->key[1] = fromBE4u(g_local_participant_data->key[1]); + g_local_participant_data->key[2] = fromBE4u(g_local_participant_data->key[2]); + + initialize_identity_token(&g_local_participant_data->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + initialize_permissions_token(&g_local_participant_data->permissions_token, RSA_2048_ALGORITHM_NAME); + + g_local_participant_data->security_info.participant_security_attributes = 0x01; + g_local_participant_data->security_info.plugin_participant_security_attributes = 0x02; + + serializer_participant_data(g_local_participant_data, &sdata, &sz); + + g_serialized_participant_data._length = g_serialized_participant_data._maximum = (DDS_Security_unsigned_long) sz; + g_serialized_participant_data._buffer = sdata; + + return res; +} + +static void +release_local_identity(void) +{ + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + if (g_local_identity_handle != DDS_SECURITY_HANDLE_NIL) { + success = g_auth->return_identity_handle(g_auth, g_local_identity_handle, &exception); + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + reset_exception(&exception); + } + + DDS_Security_OctetSeq_deinit(&g_serialized_participant_data); + + if (g_local_participant_data) { + DDS_Security_ParticipantBuiltinTopicData_free(g_local_participant_data); + } +} + +static X509 * +load_certificate( + const char *data) +{ + X509 *cert = NULL; + BIO *bio; + + bio = BIO_new_mem_buf((void *) data, -1); + if (!bio) { + return NULL; + } + + cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); + + BIO_free(bio); + + return cert; +} + +static int +get_adjusted_participant_guid( + X509 *cert, + const DDS_Security_GUID_t *candidate, + DDS_Security_GUID_t *adjusted) +{ + int result = 0; + unsigned char high[SHA256_DIGEST_LENGTH], low[SHA256_DIGEST_LENGTH]; + unsigned char *subject; + DDS_Security_octet hb = 0x80; + X509_NAME *name; + unsigned char *tmp = NULL; + int32_t i, size; + + name = X509_get_subject_name(cert); + size = i2d_X509_NAME(name, &tmp); + if (size > 0) { + subject = ddsrt_malloc((size_t) size); + memcpy(subject, tmp, (size_t)size); + OPENSSL_free(tmp); + + SHA256(subject, (size_t)size, high); + SHA256(&candidate->prefix[0], sizeof(DDS_Security_GuidPrefix_t), low); + + adjusted->entityId = candidate->entityId; + for (i = 0; i < 6; i++) { + adjusted->prefix[i] = hb | high[i]>>1; + hb = (unsigned char)( high[i]<<7 ); + } + for (i = 0; i < 6; i++) { + adjusted->prefix[i+6] = low[i]; + } + ddsrt_free(subject); + result = 1; + } + + return result; +} + +static int +create_dh_key_modp_2048( + EVP_PKEY **pkey) +{ + int r = 0; + EVP_PKEY *params = NULL; + EVP_PKEY_CTX *kctx = NULL; + DH *dh = NULL; + + *pkey = NULL; + + if ((params = EVP_PKEY_new()) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate EVP_PKEY: %s", msg); + ddsrt_free(msg); + r = -1; + } else if ((dh = DH_get_2048_256()) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate DH parameter: %s", msg); + ddsrt_free(msg); + r = 
-1; + } else if (EVP_PKEY_set1_DH(params, dh) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set DH parameter to MODP_2048_256: %s", msg); + ddsrt_free(msg); + r = -1; + } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate KEY context %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen_init(kctx) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to initialize KEY context: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to generate :MODP_2048_256 keys %s", msg); + ddsrt_free(msg); + r = -1; + } + + if (params) EVP_PKEY_free(params); + if (kctx) EVP_PKEY_CTX_free(kctx); + if (dh) DH_free(dh); + + return r; +} + +static int +get_dh_public_key_modp_2048( + EVP_PKEY *pkey, + struct octet_seq *pubkey) +{ + int r = 0; + DH *dhkey; + unsigned char *buffer = NULL; + uint32_t size; + ASN1_INTEGER *asn1int; + + dhkey = EVP_PKEY_get1_DH(pkey); + if (!dhkey) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get DH key from PKEY: %s", msg); + ddsrt_free(msg); + r = -1; + goto fail_get_dhkey; + } + + asn1int = BN_to_ASN1_INTEGER( dh_get_public_key(dhkey) , NULL); + if (!asn1int) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to convert DH key to ASN1 integer: %s", msg); + ddsrt_free(msg); + r = -1; + goto fail_get_pubkey; + } + + size = (uint32_t)i2d_ASN1_INTEGER(asn1int, &buffer); + octet_seq_init(pubkey, buffer, size); + + ASN1_INTEGER_free(asn1int); + OPENSSL_free(buffer); + +fail_get_pubkey: + DH_free(dhkey); +fail_get_dhkey: + return r; +} + +static int +create_dh_key_ecdh( + EVP_PKEY **pkey) +{ + int r = 0; + EVP_PKEY *params = NULL; + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY_CTX *kctx = NULL; + + *pkey = NULL; + + if ((pctx = 
EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate DH parameter context: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_paramgen_init(pctx) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to initialize DH generation context: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set DH generation parameter generation method: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_paramgen(pctx, ¶ms) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to generate DH parameters: %s", msg); + ddsrt_free(msg); + r = -1; + } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate KEY context %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen_init(kctx) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to initialize KEY context: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to generate :MODP_2048_256 keys %s", msg); + ddsrt_free(msg); + r = -1; + } + + if (kctx) EVP_PKEY_CTX_free(kctx); + if (params) EVP_PKEY_free(params); + if (pctx) EVP_PKEY_CTX_free(pctx); + + return r; +} + +static int +get_dh_public_key_ecdh( + EVP_PKEY *pkey, + struct octet_seq *pubkey) +{ + int r = 0; + EC_KEY *eckey = NULL; + const EC_GROUP *group = NULL; + const EC_POINT *point = NULL; + size_t sz; + + if (!(eckey = EVP_PKEY_get1_EC_KEY(pkey))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get EC key from PKEY: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (!(point = EC_KEY_get0_public_key(eckey))) { + char *msg = 
get_openssl_error_message_for_test(); + printf("Failed to get public key from ECKEY: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (!(group = EC_KEY_get0_group(eckey))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get group from ECKEY: %s", msg); + ddsrt_free(msg); + r = -1; + } else if ((sz = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, NULL, 0, NULL)) != 0) { + pubkey->data = ddsrt_malloc(sz); + pubkey->length = (uint32_t) EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, pubkey->data, sz, NULL); + if (pubkey->length == 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to serialize public EC key: %s", msg); + ddsrt_free(msg); + octet_seq_deinit(pubkey); + r = -1; + } + } else { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to serialize public EC key: %s", msg); + ddsrt_free(msg); + r = -1; + } + + if (eckey) EC_KEY_free(eckey); + + return r; +} + +static int +validate_remote_identities (const char *remote_id_certificate) +{ + int res = 0; + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityToken remote_identity_token; + static DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT; + DDS_Security_GUID_t guid1; + DDS_Security_GUID_t guid2; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix1 = {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab}; + DDS_Security_GuidPrefix_t prefix2 = {0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb}; + DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1}; + X509 *cert; + + memcpy(&guid1.prefix, &prefix1, sizeof(prefix1)); + memcpy(&guid1.entityId, &entityId, sizeof(entityId)); + memcpy(&guid2.prefix, &prefix2, sizeof(prefix2)); + memcpy(&guid2.entityId, &entityId, sizeof(entityId)); + + if (g_local_identity_handle == DDS_SECURITY_HANDLE_NIL) { + return -1; + } + + cert = 
load_certificate(remote_id_certificate); + if (!cert) { + return -1; + } + + if (!get_adjusted_participant_guid(cert, &guid1, &g_remote_participant_guid1)) { + X509_free(cert); + return -1; + } + + if (!get_adjusted_participant_guid(cert, &guid2, &g_remote_participant_guid2)) { + X509_free(cert); + return -1; + } + + X509_free(cert); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + + reset_exception(&exception); + + fill_auth_request_token(&g_remote_auth_request_token); + + result = g_auth->validate_remote_identity( + g_auth, + &g_remote_identity_handle, + &local_auth_request_token, + &g_remote_auth_request_token, + g_local_identity_handle, + &remote_identity_token, + &g_remote_participant_guid2, + &exception); + + if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) && + (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) { + printf("validate_remote_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + reset_exception(&exception); + + deinitialize_identity_token(&remote_identity_token); + DDS_Security_DataHolder_deinit(&local_auth_request_token); + + g_remote_participant_data1 = DDS_Security_ParticipantBuiltinTopicData_alloc(); + memcpy(&g_remote_participant_data1->key[0], &g_remote_participant_guid1, 12); + g_remote_participant_data1->key[0] = fromBE4u(g_remote_participant_data1->key[0]); + g_remote_participant_data1->key[1] = fromBE4u(g_remote_participant_data1->key[1]); + g_remote_participant_data1->key[2] = fromBE4u(g_remote_participant_data1->key[2]); + + initialize_identity_token(&g_remote_participant_data1->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + initialize_permissions_token(&g_remote_participant_data1->permissions_token, RSA_2048_ALGORITHM_NAME); + + g_remote_participant_data1->security_info.participant_security_attributes = 0x01; + 
g_remote_participant_data1->security_info.plugin_participant_security_attributes = 0x02; + + g_remote_participant_data2 = DDS_Security_ParticipantBuiltinTopicData_alloc(); + memcpy(&g_remote_participant_data2->key[0], &g_remote_participant_guid2, 12); + g_remote_participant_data2->key[0] = fromBE4u(g_remote_participant_data2->key[0]); + g_remote_participant_data2->key[1] = fromBE4u(g_remote_participant_data2->key[1]); + g_remote_participant_data2->key[2] = fromBE4u(g_remote_participant_data2->key[2]); + + initialize_identity_token(&g_remote_participant_data2->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + initialize_permissions_token(&g_remote_participant_data2->permissions_token, RSA_2048_ALGORITHM_NAME); + + g_remote_participant_data2->security_info.participant_security_attributes = 0x01; + g_remote_participant_data2->security_info.plugin_participant_security_attributes = 0x02; + + g_remote_participant_data2->security_info.participant_security_attributes = 0x01; + g_remote_participant_data2->security_info.plugin_participant_security_attributes = 0x02; + + g_challenge1_predefined_glb = find_binary_property(&g_remote_auth_request_token, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME); + g_challenge2_predefined_glb = g_challenge1_predefined_glb; + + return res; +} + +static void +release_remote_identities(void) +{ + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + if (g_remote_identity_handle != DDS_SECURITY_HANDLE_NIL) { + success = g_auth->return_identity_handle(g_auth, g_remote_identity_handle, &exception); + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + reset_exception(&exception); + } + + DDS_Security_DataHolder_deinit(&g_remote_auth_request_token); + + DDS_Security_ParticipantBuiltinTopicData_free(g_remote_participant_data1); + DDS_Security_ParticipantBuiltinTopicData_free(g_remote_participant_data2); +} + +CU_Init(ddssec_builtin_get_authenticated_peer_credential) +{ + int result = 0; + + /* Only need the authentication plugin. */ + g_plugins = load_plugins(NULL /* Access Control */, + &g_auth /* Authentication */, + NULL /* Cryptograpy */); + if (g_plugins) { + result = validate_local_identity(); + if (result >= 0) { + result = validate_remote_identities( REMOTE_IDENTITY_CERTIFICATE ); + } + if (result >= 0) { + result = create_dh_key_modp_2048(&g_dh_modp_key); + } + if (result >= 0) { + result = get_dh_public_key_modp_2048(g_dh_modp_key, &g_dh_modp_pub_key); + } + if (result >= 0) { + result = create_dh_key_ecdh(&g_dh_ecdh_key); + } + if (result >= 0) { + result = get_dh_public_key_ecdh(g_dh_ecdh_key, &g_dh_ecdh_pub_key); + } + } else { + result = -1; + } + + + return result; +} + +CU_Clean(ddssec_builtin_get_authenticated_peer_credential) +{ + release_local_identity(); + release_remote_identities(); + unload_plugins(g_plugins); + octet_seq_deinit(&g_dh_modp_pub_key); + octet_seq_deinit(&g_dh_ecdh_pub_key); + if (g_dh_modp_key) { + EVP_PKEY_free(g_dh_modp_key); + } + if (g_dh_ecdh_key) { + EVP_PKEY_free(g_dh_ecdh_key); + } + return 0; +} + +static void +serializer_participant_data( + DDS_Security_ParticipantBuiltinTopicData *pdata, + unsigned char **buffer, + size_t *size) +{ + DDS_Security_Serializer serializer; + serializer = DDS_Security_Serializer_new(1024, 1024); + + DDD_Security_Serialize_ParticipantBuiltinTopicData(serializer, pdata); + DDS_Security_Serializer_buffer(serializer, buffer, size); + DDS_Security_Serializer_free(serializer); +} + + +static void +set_binary_property_value( + DDS_Security_BinaryProperty_t *bp, + const char *name, + const 
unsigned char *data, + size_t length) +{ + assert(bp); + assert(name); + assert(data); + + bp->name = ddsrt_strdup(name); + bp->value._maximum = bp->value._length = (DDS_Security_unsigned_long) length; + if (length) { + bp->value._buffer = ddsrt_malloc(length); + memcpy(bp->value._buffer, data, length); + } else { + bp->value._buffer = NULL; + } +} + +static void +set_binary_property_string( + DDS_Security_BinaryProperty_t *bp, + const char *name, + const char *data) +{ + uint32_t length; + + assert(bp); + assert(name); + assert(data); + + length = (uint32_t)strlen(data) + 1; + set_binary_property_value(bp, name, (const unsigned char *)data, length); +} + +static void +fill_handshake_message_token( + DDS_Security_HandshakeMessageToken *token, + DDS_Security_ParticipantBuiltinTopicData *pdata, + const char *certificate, + const char *dsign, + const char *kagree, + const struct octet_seq *diffie_hellman1, + const unsigned char *challengeData, + unsigned int challengeDataSize, + const struct octet_seq *diffie_hellman2, + const unsigned char *challengeData2, + unsigned int challengeDataSize2, + const DDS_Security_BinaryProperty_t *hash1_from_request, + const DDS_Security_BinaryProperty_t *hash2_from_reply, + HandshakeStep_t step) +{ + DDS_Security_BinaryProperty_t *tokens; + DDS_Security_BinaryProperty_t *c_id; + DDS_Security_BinaryProperty_t *c_perm; + DDS_Security_BinaryProperty_t *c_pdata; + DDS_Security_BinaryProperty_t *c_dsign_algo; + DDS_Security_BinaryProperty_t *c_kagree_algo; + DDS_Security_BinaryProperty_t *hash_c1; + DDS_Security_BinaryProperty_t *hash_c2; + DDS_Security_BinaryProperty_t *dh1; + DDS_Security_BinaryProperty_t *dh2; + DDS_Security_BinaryProperty_t *challenge1; + DDS_Security_BinaryProperty_t *challenge2; + DDS_Security_BinaryProperty_t *signature; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + unsigned idx; + unsigned char *serialized_local_participant_data; + size_t serialized_local_participant_data_size; + /*unsigned 
hash[32];*/ + + switch( step ) + { + + case HANDSHAKE_REQUEST: + tokens = DDS_Security_BinaryPropertySeq_allocbuf(8); + c_id = &tokens[0]; + c_perm = &tokens[1]; + c_pdata = &tokens[2]; + c_dsign_algo = &tokens[3]; + c_kagree_algo = &tokens[4]; + hash_c1 = &tokens[5]; + dh1 = &tokens[6]; + challenge1 = &tokens[7]; + + serializer_participant_data(pdata, &serialized_local_participant_data, &serialized_local_participant_data_size); + + /* Store the Identity Certificate associated with the local identify in c.id property */ + if (certificate) { + set_binary_property_string(c_id, "c.id", certificate); + } else { + set_binary_property_string(c_id, "c.idx", "rubbish"); + } + + /* Store the permission document in the c.perm property */ + set_binary_property_string(c_perm, "c.perm", PERMISSIONS_DOCUMENT); + + /* Store the provided g_local_participant_data in the c.pdata property */ + set_binary_property_value(c_pdata, "c.pdata", serialized_local_participant_data, serialized_local_participant_data_size); + ddsrt_free(serialized_local_participant_data); + + /* Set the used signing algorithm descriptor in c.dsign_algo */ + if (dsign) { + set_binary_property_string(c_dsign_algo, "c.dsign_algo", dsign); + } else { + set_binary_property_string(c_dsign_algo, "c.dsign_algox", "rubbish"); + } + + /* Set the used key algorithm descriptor in c.kagree_algo */ + if (kagree) { + set_binary_property_string(c_kagree_algo, "c.kagree_algo", kagree); + } else { + set_binary_property_string(c_kagree_algo, "c.kagree_algox", "rubbish"); + } + + /* Calculate the hash_c1 */ + { + DDS_Security_BinaryPropertySeq bseq; + DDS_Security_Serializer serializer; + unsigned char hash1_sentrequest_arr[32]; + unsigned char *buffer; + size_t size; + + bseq._length = bseq._maximum = 5; + bseq._buffer = tokens; + + serializer = DDS_Security_Serializer_new(1024, 1024); + + DDS_Security_Serialize_BinaryPropertySeq(serializer, &bseq); + DDS_Security_Serializer_buffer(serializer, &buffer, &size); + SHA256(buffer, 
size, hash1_sentrequest_arr); + ddsrt_free(buffer); + DDS_Security_Serializer_free(serializer); + + set_binary_property_value(hash_c1, "hash_c1", hash1_sentrequest_arr, sizeof(hash1_sentrequest_arr)); + } + + /* Set the DH public key associated with the local participant in dh1 property */ + if (diffie_hellman1) { + set_binary_property_value(dh1, "dh1", diffie_hellman1->data, diffie_hellman1->length); + } else { + set_binary_property_string(dh1, "dh1x", "rubbish"); + } + + /* Set the challenge in challenge1 property */ + if (challengeData) { + set_binary_property_value(challenge1, "challenge1", challengeData, challengeDataSize); + } else { + set_binary_property_value(challenge1, "challenge1x", g_challenge1_predefined_glb->value._buffer, g_challenge1_predefined_glb->value._length); + } + + token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID); + token->binary_properties._length = token->binary_properties._maximum = 8; + token->binary_properties._buffer = tokens; + break; + + case HANDSHAKE_REPLY: + tokens = DDS_Security_BinaryPropertySeq_allocbuf(12); + idx = 0; + c_id = &tokens[idx++]; + c_perm = &tokens[idx++]; + c_pdata = &tokens[idx++]; + c_dsign_algo = &tokens[idx++]; + c_kagree_algo = &tokens[idx++]; + hash_c2 = &tokens[idx++]; + challenge2 = &tokens[idx++]; + dh2 = &tokens[idx++]; + challenge1 = &tokens[idx++]; + dh1 = &tokens[idx++]; + hash_c1 = &tokens[idx++] ; + signature = &tokens[idx++]; + + serializer_participant_data(pdata, &serialized_local_participant_data, &serialized_local_participant_data_size); + + /* Store the Identity Certificate associated with the local identify in c.id property */ + if (certificate) { + set_binary_property_string(c_id, "c.id", certificate); + } else { + set_binary_property_string(c_id, "c.idx", "rubbish"); + } + + /* Store the permission document in the c.perm property */ + set_binary_property_string(c_perm, "c.perm", PERMISSIONS_DOCUMENT); + + /* Store the provided g_local_participant_data in the c.pdata 
property */ + set_binary_property_value(c_pdata, "c.pdata", serialized_local_participant_data, serialized_local_participant_data_size); + ddsrt_free(serialized_local_participant_data); + + /* Set the used signing algorithm descriptor in c.dsign_algo */ + if (dsign) { + set_binary_property_string(c_dsign_algo, "c.dsign_algo", dsign); + } else { + set_binary_property_string(c_dsign_algo, "c.dsign_algox", "rubbish"); + } + + /* Set the used key algorithm descriptor in c.kagree_algo */ + if (kagree) { + set_binary_property_string(c_kagree_algo, "c.kagree_algo", kagree); + } else { + set_binary_property_string(c_kagree_algo, "c.kagree_algox", "rubbish"); + } + + CU_ASSERT(hash1_from_request != NULL); + + set_binary_property_value(hash_c1, "hash_c1", hash1_from_request->value._buffer, hash1_from_request->value._length); + + /* Calculate the hash_c2 */ + { + DDS_Security_BinaryPropertySeq bseq; + DDS_Security_Serializer serializer; + unsigned char hash2_sentreply_arr[32]; + unsigned char *buffer; + size_t size; + + bseq._length = bseq._maximum = 5; + bseq._buffer = tokens; + + serializer = DDS_Security_Serializer_new(1024, 1024); + + DDS_Security_Serialize_BinaryPropertySeq(serializer, &bseq); + DDS_Security_Serializer_buffer(serializer, &buffer, &size); + SHA256(buffer, size, hash2_sentreply_arr); + + ddsrt_free(buffer); + DDS_Security_Serializer_free(serializer); + + set_binary_property_value(hash_c2, "hash_c2", hash2_sentreply_arr, sizeof(hash2_sentreply_arr)); + } + + /* Set the challenge in challenge1 property */ + if (challengeData) { + set_binary_property_value(challenge1, "challenge1", challengeData, challengeDataSize); + } else { + set_binary_property_value(challenge1, "challenge1x", challenge2->value._buffer, challenge2->value._length); + } + + /* Set the challenge in challenge2 property */ + if (challengeData2) { + set_binary_property_value(challenge2, "challenge2", challengeData2, challengeDataSize2); + } else { + set_binary_property_value(challenge2, 
"challenge2x", challenge2->value._buffer, challenge2->value._length); + } + + + /* Set the DH public key associated with the local participant in dh1 property */ + if (diffie_hellman1) { + set_binary_property_value(dh1, "dh1", diffie_hellman1->data, diffie_hellman1->length); + } else { + set_binary_property_string(dh1, "dh1x", "rubbish"); + } + + /* Set the DH public key associated with the local participant in dh2 property */ + if (diffie_hellman2) { + set_binary_property_value(dh2, "dh2", diffie_hellman2->data, diffie_hellman2->length); + } else { + set_binary_property_string(dh2, "dh2x", "rubbish"); + } + + /* Calculate the signature */ + { + BIO *bio; + EVP_PKEY *private_key_x509; + unsigned char *sign; + size_t signlen; + + const DDS_Security_BinaryProperty_t * binary_properties[ HANDSHAKE_SIGNATURE_SIZE ]; + + /* load certificate in buffer */ + bio = BIO_new_mem_buf((const char *) remote_private_key, -1); + assert( bio ); + private_key_x509 = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); + assert (private_key_x509 ); + + binary_properties[0] = hash_c2; + binary_properties[1] = challenge2; + binary_properties[2] = dh2; + binary_properties[3] = challenge1; + binary_properties[4] = dh1; + binary_properties[5] = hash_c1; + + if (create_signature_for_test(private_key_x509, binary_properties, HANDSHAKE_SIGNATURE_SIZE , &sign, &signlen, &exception) != DDS_SECURITY_VALIDATION_OK) + { + printf("Exception: %s\n", exception.message); + } + set_binary_property_value(signature, "signature", sign, signlen); + + ddsrt_free(sign); + BIO_free(bio); + EVP_PKEY_free(private_key_x509); + } + + token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID); + token->binary_properties._length = token->binary_properties._maximum = 12; + token->binary_properties._buffer = tokens; + break; + + case HANDSHAKE_FINAL: + tokens = DDS_Security_BinaryPropertySeq_allocbuf(7); + idx = 0; + signature = &tokens[idx++]; + hash_c1 = &tokens[idx++]; + challenge1 = &tokens[idx++]; + dh1 = 
&tokens[idx++]; + challenge2 = &tokens[idx++]; + dh2 = &tokens[idx++]; + hash_c2 = &tokens[idx++]; + + CU_ASSERT(hash1_from_request != NULL); + CU_ASSERT(hash2_from_reply != NULL); + + set_binary_property_value(hash_c1, "hash_c1", hash1_from_request->value._buffer, hash1_from_request->value._length); + set_binary_property_value(hash_c2, "hash_c2", hash2_from_reply->value._buffer, hash2_from_reply->value._length); + + printf("process: %s\n", hash_c1->name); + + /* Set the challenge in challenge1 property */ + if (challengeData) { + set_binary_property_value(challenge1, "challenge1", challengeData, challengeDataSize); + } else { + set_binary_property_value(challenge1, "challenge1x", challenge2->value._buffer, challenge2->value._length); + } + + /* Set the challenge in challenge2 property */ + if (challengeData2) { + set_binary_property_value(challenge2, "challenge2", challengeData2, challengeDataSize2); + } else { + set_binary_property_value(challenge2, "challenge2x", challenge2->value._buffer, challenge2->value._length); + } + + + /* Set the DH public key associated with the local participant in dh1 property */ + if (diffie_hellman1) { + set_binary_property_value(dh1, "dh1", diffie_hellman1->data, diffie_hellman1->length); + } else { + set_binary_property_string(dh1, "dh1x", "rubbish"); + } + + /* Set the DH public key associated with the local participant in dh2 property */ + if (diffie_hellman2) { + set_binary_property_value(dh2, "dh2", diffie_hellman2->data, diffie_hellman2->length); + } else { + set_binary_property_string(dh2, "dh2x", "rubbish"); + } + + /* Calculate the signature */ + { + BIO *bio; + EVP_PKEY *private_key_x509; + unsigned char *sign; + size_t signlen; + const DDS_Security_BinaryProperty_t * binary_properties[ HANDSHAKE_SIGNATURE_SIZE ]; + + /* load certificate in buffer */ + bio = BIO_new_mem_buf((const char *) remote_private_key, -1); + assert( bio ); + private_key_x509 = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); + assert 
(private_key_x509 ); + + binary_properties[0] = hash_c1; + binary_properties[1] = challenge1; + binary_properties[2] = dh1; + binary_properties[3] = challenge2; + binary_properties[4] = dh2; + binary_properties[5] = hash_c2; + + if (create_signature_for_test(private_key_x509, binary_properties, HANDSHAKE_SIGNATURE_SIZE, &sign, &signlen, &exception) != DDS_SECURITY_VALIDATION_OK) + { + printf("Exception: %s\n", exception.message); + } + set_binary_property_value(signature, "signature", sign, signlen); + + ddsrt_free(sign); + BIO_free(bio); + EVP_PKEY_free(private_key_x509); + } + token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_FINAL_TOKEN_CLASS_ID); + token->binary_properties._length = token->binary_properties._maximum = 7; + token->binary_properties._buffer = tokens; + break; + } +} + +static void +fill_handshake_message_token_default( + DDS_Security_HandshakeMessageToken *token, + DDS_Security_ParticipantBuiltinTopicData *pdata, + const unsigned char *challengeData, + unsigned int challengeDataSize) +{ + fill_handshake_message_token( + token, pdata, REMOTE_IDENTITY_CERTIFICATE, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME, + &g_dh_modp_pub_key, challengeData, challengeDataSize, NULL, NULL, 0, NULL, NULL, HANDSHAKE_REQUEST); +} + +static void +handshake_message_deinit( + DDS_Security_HandshakeMessageToken *token) +{ + DDS_Security_DataHolder_deinit(token); +} + +CU_Test(ddssec_builtin_get_authenticated_peer_credential,token_after_request ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_reply_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_AuthenticatedPeerCredentialToken credential_token = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const 
DDS_Security_BinaryProperty_t *dh1; + const DDS_Security_BinaryProperty_t *challenge1_glb; + const DDS_Security_Property_t *c_id; + const DDS_Security_Property_t *c_perm; + struct octet_seq dh1_pub_key; + + CU_ASSERT_FATAL (g_auth != NULL); + CU_ASSERT_FATAL (g_local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (g_remote_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (g_auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (g_auth->process_handshake != NULL); + + /* simulate request */ + result = g_auth->begin_handshake_request( + g_auth, + &handshake_handle, + &handshake_token_out, + g_local_identity_handle, + g_remote_identity_handle, + &g_serialized_participant_data, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + + /* mock reply */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + fill_handshake_message_token( + &handshake_reply_token_in, + g_remote_participant_data2, + REMOTE_IDENTITY_CERTIFICATE, + AUTH_DSIGN_ALGO_RSA_NAME, + AUTH_KAGREE_ALGO_ECDH_NAME, + &dh1_pub_key, + challenge1_glb->value._buffer, + challenge1_glb->value._length, + &g_dh_ecdh_pub_key, + g_challenge2_predefined_glb->value._buffer, + g_challenge2_predefined_glb->value._length, + hash1_sentrequest, + NULL, + HANDSHAKE_REPLY); + handshake_message_deinit(&handshake_token_out); + + /* simulate process */ + result = g_auth->process_handshake( + g_auth, + &handshake_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_OK_FINAL_MESSAGE); + + /* + * Actual test. 
+ */ + success = g_auth->get_authenticated_peer_credential_token( + g_auth, + &credential_token, + handshake_handle, + &exception); + + CU_ASSERT_TRUE (success); + + CU_ASSERT_FATAL(credential_token.class_id != NULL); + CU_ASSERT(strcmp(credential_token.class_id, AUTH_PROTOCOL_CLASS_ID) == 0); + CU_ASSERT(credential_token.properties._length == 2); + CU_ASSERT(credential_token.binary_properties._length == 0); + + c_id = find_property(&credential_token, "c.id"); + CU_ASSERT_FATAL(c_id != NULL); + CU_ASSERT_FATAL(c_id->value != NULL); + //printf("c_id->value: %s\n", c_id->value); + CU_ASSERT(strcmp(c_id->value, REMOTE_IDENTITY_CERTIFICATE) == 0); + + c_perm = find_property(&credential_token, "c.perm"); + CU_ASSERT_FATAL(c_perm != NULL); + CU_ASSERT_FATAL(c_perm->value != NULL); + //printf("c_perm->value: %s\n", c_perm->value); + CU_ASSERT(strcmp(c_perm->value, PERMISSIONS_DOCUMENT) == 0); + + success = g_auth->return_authenticated_peer_credential_token(g_auth, &credential_token, &exception); + CU_ASSERT_TRUE (success); + CU_ASSERT(credential_token.class_id == NULL); + CU_ASSERT(credential_token.properties._buffer == NULL); + CU_ASSERT(credential_token.properties._maximum == 0); + CU_ASSERT(credential_token.properties._length == 0); + CU_ASSERT(credential_token.binary_properties._buffer == NULL); + CU_ASSERT(credential_token.binary_properties._maximum == 0); + CU_ASSERT(credential_token.binary_properties._length == 0); + + success = g_auth->return_handshake_handle(g_auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_reply_token_in); + handshake_message_deinit(&handshake_token_out); +} + +CU_Test(ddssec_builtin_get_authenticated_peer_credential,token_after_reply ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken 
handshake_final_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_final_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_AuthenticatedPeerCredentialToken credential_token = DDS_SECURITY_TOKEN_INIT; + DDS_Security_boolean success; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *hash2_sentreply; + const DDS_Security_BinaryProperty_t *challenge2_glb; + const DDS_Security_BinaryProperty_t *dh2; + const DDS_Security_Property_t *c_id; + const DDS_Security_Property_t *c_perm; + struct octet_seq dh2_pub_key; + + CU_ASSERT_FATAL (g_auth->process_handshake != NULL); + + CU_ASSERT_FATAL (g_auth != NULL); + CU_ASSERT_FATAL (g_local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (g_remote_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (g_auth->begin_handshake_reply != NULL); + + /* simulate reply */ + fill_handshake_message_token_default( + &handshake_token_in, + g_remote_participant_data1, + g_challenge1_predefined_glb->value._buffer, + g_challenge1_predefined_glb->value._length); + + result = g_auth->begin_handshake_reply( + g_auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + g_remote_identity_handle, + g_local_identity_handle, + &g_serialized_participant_data, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + + /* mock final */ + dh2 = find_binary_property(&handshake_token_out, "dh2"); + dh2_pub_key.data = dh2->value._buffer; + dh2_pub_key.length = dh2->value._length; + challenge2_glb = find_binary_property(&handshake_token_out, "challenge2"); + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + hash2_sentreply = find_binary_property(&handshake_token_out, "hash_c2"); + fill_handshake_message_token( + 
&handshake_final_token_in,
+ NULL,
+ REMOTE_IDENTITY_CERTIFICATE,
+ AUTH_DSIGN_ALGO_RSA_NAME,
+ AUTH_KAGREE_ALGO_ECDH_NAME,
+ &g_dh_modp_pub_key,
+ g_challenge1_predefined_glb->value._buffer,
+ g_challenge1_predefined_glb->value._length,
+ &dh2_pub_key,
+ challenge2_glb->value._buffer,
+ challenge2_glb->value._length,
+ hash1_sentrequest,
+ hash2_sentreply,
+ HANDSHAKE_FINAL);
+
+ /* simulate process */
+ result = g_auth->process_handshake(
+ g_auth,
+ &handshake_final_token_out,
+ &handshake_final_token_in,
+ handshake_handle,
+ &exception);
+
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_OK);
+
+ /*
+ * Actual test.
+ */
+ success = g_auth->get_authenticated_peer_credential_token(
+ g_auth,
+ &credential_token,
+ handshake_handle,
+ &exception);
+
+ CU_ASSERT_TRUE (success);
+
+ CU_ASSERT_FATAL(credential_token.class_id != NULL);
+ CU_ASSERT(strcmp(credential_token.class_id, AUTH_PROTOCOL_CLASS_ID) == 0);
+ CU_ASSERT(credential_token.properties._length == 2);
+ CU_ASSERT(credential_token.binary_properties._length == 0);
+
+ c_id = find_property(&credential_token, "c.id");
+ CU_ASSERT_FATAL(c_id != NULL);
+ CU_ASSERT_FATAL(c_id->value != NULL);
+ //printf("c_id->value: %s\n", c_id->value);
+ CU_ASSERT(strcmp(c_id->value, REMOTE_IDENTITY_CERTIFICATE) == 0);
+
+ c_perm = find_property(&credential_token, "c.perm");
+ CU_ASSERT_FATAL(c_perm != NULL);
+ CU_ASSERT_FATAL(c_perm->value != NULL);
+ //printf("c_perm->value: %s\n", c_perm->value);
+ CU_ASSERT(strcmp(c_perm->value, PERMISSIONS_DOCUMENT) == 0);
+
+
+ success = g_auth->return_authenticated_peer_credential_token(g_auth, &credential_token, &exception);
+ CU_ASSERT_TRUE (success);
+ CU_ASSERT(credential_token.class_id == NULL);
+ CU_ASSERT(credential_token.properties._buffer == NULL);
+ CU_ASSERT(credential_token.properties._maximum == 0);
+ CU_ASSERT(credential_token.properties._length == 0);
+ CU_ASSERT(credential_token.binary_properties._buffer == NULL);
+ CU_ASSERT(credential_token.binary_properties._maximum == 0);
+ CU_ASSERT(credential_token.binary_properties._length == 0);
+
+ success = g_auth->return_handshake_handle(g_auth, handshake_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+ handshake_message_deinit(&handshake_token_out);
+ handshake_message_deinit(&handshake_final_token_in);
+ handshake_message_deinit(&handshake_final_token_out);
+}
+
+CU_Test(ddssec_builtin_get_authenticated_peer_credential,token_invalid_arguments )
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_AuthenticatedPeerCredentialToken credential_token = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeHandle invalid_handle = 3;
+ DDS_Security_boolean success;
+
+ success = g_auth->get_authenticated_peer_credential_token(g_auth, &credential_token, invalid_handle, &exception);
+ CU_ASSERT_FALSE (success);
+ CU_ASSERT(exception.code != 0);
+ CU_ASSERT(exception.message != NULL);
+ reset_exception(&exception);
+
+ success = g_auth->get_authenticated_peer_credential_token(NULL, &credential_token, invalid_handle, &exception);
+ CU_ASSERT_FALSE (success);
+ CU_ASSERT(exception.code != 0);
+ CU_ASSERT(exception.message != NULL);
+ reset_exception(&exception);
+
+ success = g_auth->get_authenticated_peer_credential_token(g_auth, NULL, invalid_handle, &exception);
+ CU_ASSERT_FALSE (success);
+ CU_ASSERT(exception.code != 0);
+ CU_ASSERT(exception.message != NULL);
+ reset_exception(&exception);
+
+ success = g_auth->get_authenticated_peer_credential_token(g_auth, &credential_token, 0, &exception);
+ CU_ASSERT_FALSE (success);
+ CU_ASSERT(exception.code != 0);
+ CU_ASSERT(exception.message != NULL);
+ reset_exception(&exception);
+
+ success = g_auth->return_authenticated_peer_credential_token(NULL, &credential_token, &exception);
+ CU_ASSERT_FALSE (success);
+ CU_ASSERT(exception.code != 0);
+ CU_ASSERT(exception.message != NULL);
+ reset_exception(&exception);
+
+ success = g_auth->return_authenticated_peer_credential_token(g_auth, NULL, &exception);
+ CU_ASSERT_FALSE (success);
+ CU_ASSERT(exception.code != 0);
+ CU_ASSERT(exception.message != NULL);
+ reset_exception(&exception);
+}
diff --git a/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/identity_ca b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/identity_ca
new file mode 100644
index 0000000..f003d92
--- /dev/null
+++ b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/identity_ca
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkTCCAnmgAwIBAgIJAJvGJOEKNct1MA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV
+BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxGDAWBgNVBAMMD0NIQU01MDAgcm9vdCBjYTAeFw0xODAy
+MTIxNTA1MDVaFw0yMDEyMDIxNTA1MDVaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI
+DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
+GDAWBgNVBAMMD0NIQU01MDAgcm9vdCBjYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAM/dCO4QAcCduw0NMqShDpTvGT6DClTFAJE8ZfuPCHKqNkicRbyj
+sVXfF35Sdo6K92Ksz4G7i1RqJU2n8c7hg2EFUza0lIGgmTHV/DvFBcbAa0PpvdKS
+XoPtSNDh65/GO1R7oeSFRzapqsLMPUwOWi46dYvRnPabxs21xHxn56JeuG74bad5
+PMTBvA2SiiTYPBlHGJS78GPo3BPMjL0MzPoMmumO8NSVYI+MEDY1lC4KkyZVKqtV
+nIfaO/7adcM19xOAfAHkwhLGBC/bVAEqelev+GH/42xjNv532nM4/JVtBns+msR5
+DAYdtr6i82b7zhU1+lOOihv4lmQHoSnTya8CAwEAAaNQME4wHQYDVR0OBBYEFFYr
+0CpiwxgFcZnW6IQEhxGv/vwiMB8GA1UdIwQYMBaAFFYr0CpiwxgFcZnW6IQEhxGv
+/vwiMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKbBt0ht72fdtxwm
+Kr0pOsKyDW0Rd5Ca5aDK4qAhDL0AD5+O6ShGYCnFNDGk3J5Yzawp8VoKrhDZZyUt
+z2b0jNucVapAvPMA4066QxeIfvFmWcS73l7vjjeUoKWmNNGWprTg3RLsacTorKuY
+ZRL7wsThfrhvg4B/OOIWKp5MEwIrUfnQzUca8getF2eyTt6QcMtE29AW5+01QTzj
+fxZgzkmJFYBE2K/TLMDBDd+bz/8XnmPrJ01VUntXiXenTGTcIbJerB6GYQojjvhy
+ZrOeuHTON1ndFiQkpeZA67ByZjkKVoJG3I8fwBjzcLE7u/QAQptVPjJXXcSpL7fA
+a1tOvqw=
+-----END CERTIFICATE-----
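Review bot: The `identity_ca` fixture added here appears to have a short validity window: the UTCTime fields in its base64 body decode to a notBefore of 2018-02-12 and a notAfter of 2020-12-02, while the other CA fixtures added to this `trusted_ca_dir` carry 2027 end dates. If any test loads this directory with expiry checking in effect, the suite would start failing on that date for reasons unrelated to the code under test; whether that happens cannot be told from this hunk. I would regenerate the fixture with a long validity period and record next to it how it was produced, for example a short README in `etc/` giving the generation command and the intended expiry, so the next rotation is mechanical.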
diff --git a/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/remote_identity_ca.crt b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/remote_identity_ca.crt new file mode 100644 index 0000000..6b096a0 --- /dev/null +++ b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/remote_identity_ca.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKTCCAxGgAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50 +aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcjELMAkGA1UEBhMC +TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ +ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0 +ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANa/ENFfGVXg +bPLTzBdDfiZQcp5dWZ//Pb8ErFOJu8uosVHFv8t69dgjHgNHB4OsjmjnR7GfKUZT +0cMvWJnjsC7DDlBwFET9rj4k40n96bbVCH9I7+tNhsoqzc6Eu+5h4sk7VfNGTM2Z +SyCd4GiSZRuA44rRbhXI7/LDpr4hY5J9ZDo5AM9ZyoLAoh774H3CZWD67S35XvUs +72dzE6uKG/vxBbvZ7eW2GLO6ewa9UxlnLVMPfJdpkp/xYXwwcPW2+2YXCge1ujxs +tjrOQJ5HUySh6DkE/kZpx8zwYWm9AaCrsvCIX1thsqgvKy+U5v1FS1L58eGc6s// +9yMgNhU29R0CAwEAAaOByTCBxjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRNVUJN +FzhJPReYT4QSx6dK53CXCTAfBgNVHSMEGDAWgBRNVUJNFzhJPReYT4QSx6dK53CX +CTAPBgNVHQ8BAf8EBQMDB/+AMGUGA1UdJQEB/wRbMFkGCCsGAQUFBwMBBggrBgEF +BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkGCCsG +AQUFBwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAcOLF +ZYdJguj0uxeXB8v3xnUr1AWz9+gwg0URdfNLU2KvF2lsb/uznv6168b3/FcPgezN +Ihl9GqB+RvGwgXS/1UelCGbQiIUdsNxk246P4uOGPIyW32RoJcYPWZcpY+cw11tQ +NOnk994Y5/8ad1DmcxVLLqq5kwpXGWQufV1zOONq8B+mCvcVAmM4vkyF/de56Lwa +sAMpk1p77uhaDnuq2lIR4q3QHX2wGctFid5Q375DRscFQteY01r/dtwBBrMn0wuL +AMNx9ZGD+zAoOUaslpIlEQ+keAxk3jgGMWFMxF81YfhEnXzevSQXWpyek86XUyFL +O9IAQi5pa15gXjSbUg== +-----END CERTIFICATE----- 
diff --git a/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/root_CA_RSA.crt b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/root_CA_RSA.crt new file mode 100644 index 0000000..61346df --- /dev/null +++ b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir/root_CA_RSA.crt 
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEtjCCA56gAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50 +aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMB4XDTE4MDYxMTAwMDAwMFoXDTI3MDYxMDIzNTk1OVowcjELMAkGA1UEBhMC +TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ +ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0 +ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANRf3XKmM6O+ +WoYPNpOAdkGKKZHLJ8ZuPxVVBMX6oJAlcOmkhLzfkHSA+gl/OWaMOXIEtN512gyL +YszBf1RImwVzRjJFwIxzGzVQ68jYNj+qBbsOt+IG+hs3wgVCLFkCh+J7hXUgvk8A +eRM/SRrI42dQfcgKUAMNi4/iX6Vs+FV9pHB63L4PiLA9hfUE25sH6EsIC7icvGDJ +6cGG94glVSHDI1NtXfsNHY+NGY/jYKtQZklqU3lew5I60aJIsea+Wk6PJiz4hyXv +XVVmrcNeG1g4OEFgiSXZC2XknDw8t9+ELprGNvuJvTFxwPMAgLeF4IhEQC9dQY2W +BRwUxtZBzukCAwEAAaOCAVUwggFRMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFER4 +R6N3MQ1Wl7gn+R8wwHloDCVZMB8GA1UdIwQYMBaAFER4R6N3MQ1Wl7gn+R8wwHlo +DCVZMA8GA1UdDwEB/wQFAwMH/4Awge8GA1UdJQEB/wSB5DCB4QYIKwYBBQUHAwEG +CCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3 +AgEVBgorBgEEAYI3AgEWBgorBgEEAYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3 +CgMEBglghkgBhvhCBAEGCysGAQQBgjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYG +CCsGAQUFBwMHBggrBgEFBQgCAgYKKwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUF +BwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAwXuEWDG3 +aAyL+DsGr0B4YMLjHtx6FjzkJOpTtXQhkrtSMpD3Xytl7Wfz8lyWuTnbrk8F4gWO +IkJR/NdMGW27SmeYU0z7QAGRDwtHX6kqqizQbCwf4F6P/2QftcLp1VrlsIlb0gyx +gLjpGmn5TT7gj+ahW0iIRglOwhzCvkNu6agYpdGwVirSyLShy/Hq303DZSbVuktz +5/PmZKpufnoGqURNnJqbV4TQipE0FiDmp2o+gVgJ+DVRhiCdfk68Xp7+TlmxCDfZ +C3qb18qrwAZ4AL3T9/RlzfkXh4ME9V6wqa5Y6j7Vwx5Ef2OHL+mnMnoNSXDLRh6j +45ky66su5dROpA== +-----END CERTIFICATE----- 
diff --git a/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt new file mode 100644 index 0000000..35506b8 --- /dev/null +++ b/src/security/builtin_plugins/tests/process_handshake/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENDCCAxygAwIBAgIBAjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50 +aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMB4XDTE4MDYxMzAwMDAwMFoXDTI3MDYxMDIzNTk1OVowfTELMAkGA1UEBhMC +TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMSQwIgYDVQQDExtJ +ZGVudGl0eSBDQSBUZXN0IFdpdGggQ2hhaW4xJjAkBgkqhkiG9w0BCQEWF2luZm9A +aXN0LmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA1r8Q0V8ZVeBs8tPMF0N+JlBynl1Zn/89vwSsU4m7y6ixUcW/y3r12CMeA0cH +g6yOaOdHsZ8pRlPRwy9YmeOwLsMOUHAURP2uPiTjSf3pttUIf0jv602GyirNzoS7 +7mHiyTtV80ZMzZlLIJ3gaJJlG4DjitFuFcjv8sOmviFjkn1kOjkAz1nKgsCiHvvg +fcJlYPrtLfle9SzvZ3MTq4ob+/EFu9nt5bYYs7p7Br1TGWctUw98l2mSn/FhfDBw +9bb7ZhcKB7W6PGy2Os5AnkdTJKHoOQT+RmnHzPBhab0BoKuy8IhfW2GyqC8rL5Tm +/UVLUvnx4Zzqz//3IyA2FTb1HQIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYD +VR0OBBYEFE1VQk0XOEk9F5hPhBLHp0rncJcJMB8GA1UdIwQYMBaAFER4R6N3MQ1W +l7gn+R8wwHloDCVZMA8GA1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYB +BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggr +BgEFBQcDCQYIKwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEB +CwUAA4IBAQCbl7ed4p66G6WquxO7ceZFvYKn3kDErjCfXHcqHxBnA2xTpoZCGj95 +Qpirqo6N4UcLX5sn3CmgyVk0dYvlti/53FJgZ9XQDNxBuEYWPkY7vO+Uo0WdYpGz +ZDNIUQpiPMA7bHvwKldTIs77xxtnw9kbBU2k0xQyb2tdZNfD5YqSI1MeUtpEpNFW +sbC8+mQ3clzWpjF8eHH1fFSAmlJ+z1Uqmtt2FK0vRz+MQcpydwvpMnfqGdcwhGPQ +X4HZreLObjBA8KUEkUB3+rZXuELBgkk/c8/jRZl7QF5jJDLQCCLg7KoYBKN2GuTt +/dzeSnP7VZm/nTL8wpCvKgSOwOGgklf2 +-----END CERTIFICATE----- 
diff --git a/src/security/builtin_plugins/tests/process_handshake/src/process_handshake_utests.c b/src/security/builtin_plugins/tests/process_handshake/src/process_handshake_utests.c
new file mode 100644
index 0000000..e717e54
--- /dev/null
+++ b/src/security/builtin_plugins/tests/process_handshake/src/process_handshake_utests.c
@@ -0,0 +1,2447 @@
+
+
+/* CUnit includes. */
+#include "common/src/handshake_helper.h"
+
+/* Test helper includes. */
+#include "common/src/loader.h"
+
+/* Private header include */
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_serialize.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/endian.h"
+#include
+#include
+#include "dds/ddsrt/environ.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "assert.h"
+
+#include
+#include
+#include
+#include
+#include
+
+
+#include "dds/security/core/dds_security_serialize.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+
+#define HANDSHAKE_SIGNATURE_SIZE 6
+
+#if DDSRT_ENDIAN == DDSRT_LITTLE_ENDIAN
+static unsigned bswap4u (unsigned x)
+{
+ return (x >> 24) | ((x >> 8) & 0xff00) | ((x << 8) & 0xff0000) | (x << 24);
+}
+#define toBE4u(x) bswap4u (x)
+#define fromBE4u(x) bswap4u (x)
+#else
+#define toBE4u(x) (x)
+#define fromBE4u(x) (x)
+#endif
+
+
+static const char * AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0";
+static const char * PERM_ACCESS_CLASS_ID = "DDS:Access:Permissions:1.0";
+
+static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char * PROPERTY_TRUSTED_CA_DIR = "dds.sec.auth.trusted_ca_dir";
+
+static const char * PROPERTY_CERT_SUBJECT_NAME = "dds.cert.sn";
+static const char * PROPERTY_CERT_ALGORITHM = "dds.cert.algo";
+static const char * PROPERTY_CA_SUBJECT_NAME = "dds.ca.sn";
+static const char * PROPERTY_CA_ALGORITHM = "dds.ca.aglo";
+
+static const char * PROPERTY_PERM_CA_SUBJECT_NAME = "ds.perm_ca.sn";
+
+static const char * SUBJECT_NAME_IDENTITY_CERT = "CN=CHAM-574 client,O=Some
Company,ST=Some-State,C=NL"; +static const char * SUBJECT_NAME_IDENTITY_CA = "CN=CHAM-574 authority,O=Some Company,ST=Some-State,C=NL"; + +static const char * RSA_2048_ALGORITHM_NAME = "RSA-2048"; + +static const char * AUTH_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+AuthReq"; +static const char * AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME = "future_challenge"; + +static const char * AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Req"; +static const char * AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Reply"; +static const char * AUTH_HANDSHAKE_FINAL_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Final"; + +typedef enum { + HANDSHAKE_REQUEST, + HANDSHAKE_REPLY, + HANDSHAKE_FINAL +} HandshakeStep_t; + + +struct octet_seq { + unsigned char *data; + uint32_t length; +}; + +static const char * AUTH_DSIGN_ALGO_RSA_NAME = "RSASSA-PSS-SHA256"; +static const char * AUTH_KAGREE_ALGO_RSA_NAME = "DH+MODP-2048-256"; +static const char * AUTH_KAGREE_ALGO_ECDH_NAME = "ECDH+prime256v1-CEUM"; + + + +static const char *identity_certificate = + +"data:,-----BEGIN CERTIFICATE-----\n" +"MIIDYDCCAkigAwIBAgIBBDANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" +"MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" +"aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" +"Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowdTELMAkGA1UEBhMC\n" +"TkwxCzAJBgNVBAgTAk9WMRAwDgYDVQQKEwdBRExpbmsgMREwDwYDVQQLEwhJU1Qg\n" +"VGVzdDETMBEGA1UEAxMKQWxpY2UgVGVzdDEfMB0GCSqGSIb3DQEJARYQYWxpY2VA\n" +"YWRsaW5rLmlzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANBW+tEZ\n" +"Baw7EQCEXyzH9n7IkZ8PQIKe8hG1LAOGYOF/oUYQZJO/HxbWoC4rFqOC20+A6is6\n" +"kFwr1Zzp/Wurk9CrFXo5Nomi6ActH6LUM57nYqN68w6U38z/XkQxVY/ESZ5dySfD\n" +"9Q1C8R+zdE8gwbimdYmwX7ioz336nghM2CoAHPDRthQeJupl8x4V7isOltr9CGx8\n" +"+imJXbGr39OK6u87cNLeu23sUkOIC0lSRMIqIQK3oJtHS70J2qecXdqp9MhE7Xky\n" +"/GPlI8ptQ1gJ8A3cAOvtI9mtMJMszs2EKWTLfeTcmfJHKKhKjvCgDdh3Jan4x5YP\n" 
+"Yg7HG6H+ceOUkMMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAkvuqZzyJ3Nu4/Eo5\n" +"kD0nVgYGBUl7cspu+636q39zPSrxLEDMUWz+u8oXLpyGcgiZ8lZulPTV8dmOn+3C\n" +"Vg55c5C+gbnbX3MDyb3wB17296RmxYf6YNul4sFOmj6+g2i+Dw9WH0PBCVKbA84F\n" +"jR3Gx2Pfoifor3DvT0YFSsjNIRt090u4dQglbIb6cWEafC7O24t5jFhGPvJ7L9SE\n" +"gB0Drh/HmKTVuaqaRkoOKkKaKuWoXsszK1ZFda1DHommnR5LpYPsDRQ2fVM4EuBF\n" +"By03727uneuG8HLuNcLEV9H0i7LxtyfFkyCPUQvWG5jehb7xPOz/Ml26NAwwjlTJ\n" +"xEEFrw==\n" +"-----END CERTIFICATE-----\n"; + + +static const char *identity_ca = +"data:,-----BEGIN CERTIFICATE-----\n" +"MIIEKTCCAxGgAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" +"MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" +"aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" +"Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcjELMAkGA1UEBhMC\n" +"TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ\n" +"ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0\n" +"ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANa/ENFfGVXg\n" +"bPLTzBdDfiZQcp5dWZ//Pb8ErFOJu8uosVHFv8t69dgjHgNHB4OsjmjnR7GfKUZT\n" +"0cMvWJnjsC7DDlBwFET9rj4k40n96bbVCH9I7+tNhsoqzc6Eu+5h4sk7VfNGTM2Z\n" +"SyCd4GiSZRuA44rRbhXI7/LDpr4hY5J9ZDo5AM9ZyoLAoh774H3CZWD67S35XvUs\n" +"72dzE6uKG/vxBbvZ7eW2GLO6ewa9UxlnLVMPfJdpkp/xYXwwcPW2+2YXCge1ujxs\n" +"tjrOQJ5HUySh6DkE/kZpx8zwYWm9AaCrsvCIX1thsqgvKy+U5v1FS1L58eGc6s//\n" +"9yMgNhU29R0CAwEAAaOByTCBxjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRNVUJN\n" +"FzhJPReYT4QSx6dK53CXCTAfBgNVHSMEGDAWgBRNVUJNFzhJPReYT4QSx6dK53CX\n" +"CTAPBgNVHQ8BAf8EBQMDB/+AMGUGA1UdJQEB/wRbMFkGCCsGAQUFBwMBBggrBgEF\n" +"BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkGCCsG\n" +"AQUFBwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAcOLF\n" +"ZYdJguj0uxeXB8v3xnUr1AWz9+gwg0URdfNLU2KvF2lsb/uznv6168b3/FcPgezN\n" +"Ihl9GqB+RvGwgXS/1UelCGbQiIUdsNxk246P4uOGPIyW32RoJcYPWZcpY+cw11tQ\n" +"NOnk994Y5/8ad1DmcxVLLqq5kwpXGWQufV1zOONq8B+mCvcVAmM4vkyF/de56Lwa\n" 
+"sAMpk1p77uhaDnuq2lIR4q3QHX2wGctFid5Q375DRscFQteY01r/dtwBBrMn0wuL\n" +"AMNx9ZGD+zAoOUaslpIlEQ+keAxk3jgGMWFMxF81YfhEnXzevSQXWpyek86XUyFL\n" +"O9IAQi5pa15gXjSbUg==\n" +"-----END CERTIFICATE-----\n"; + +static const char *remote_identity_certificate = +"-----BEGIN CERTIFICATE-----\n" +"MIIDcDCCAligAwIBAgIBBTANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" +"MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" +"aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" +"Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcDELMAkGA1UEBhMC\n" +"TkwxCzAJBgNVBAgTAk9WMQ8wDQYDVQQKEwZBRExpbmsxETAPBgNVBAsTCElTVCBU\n" +"ZXN0MREwDwYDVQQDEwhCb2IgVGVzdDEdMBsGCSqGSIb3DQEJARYOYm9iQGFkbGlu\n" +"ay5pc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB5vqhuWnwhxXZ\n" +"qffPmfjzge7w91oX4ISlboIfBXp3sLj2mqLSsYhgBNJAn/Fl1OZeFw0d4gVibBgx\n" +"5Zdcjsi+ClvYK8H534iTJfNriMyhg4kSWxZF1Tixfw3FS7LqjKEY5ZNPfp5a4P+8\n" +"UveorYJusrnlv1DiF6aPhJQh8J62J6bhx62DNLO7dZbN0BUsnWtyDcfi5DOjf2/r\n" +"3lSRfecn3uBr1QYRaS5FrV+MSoGcjI3M75mei1TTUp7YT4ZWRR5rKUMql605xsms\n" +"d6sqJaKofYmw7wCuaVJ86pb/w8srdddKt21xUeQNMKn49H6raezMOE3U5BUMtZ+P\n" +"2OBLk/CPAgMBAAGjEzARMA8GA1UdDwEB/wQFAwMH/4AwDQYJKoZIhvcNAQELBQAD\n" +"ggEBAJV71Ckf1zsks5mJXqdUb8bTVHg4hN32pwjCL5c6W2XHAv+YHwE/fN3C1VIY\n" +"bC8zjUC9dCOyC2AvOQyZQ1eC/WoK6FlXjHVX2upL4lXQ9WL9ztt1mgdRrhvUPuUn\n" +"aBE8VgNU0t4jl93xMIaU8hB0kQsV+kdcN0cWbrF3mT4s9njRvopJ8hS2UE60V2wA\n" +"ceUOazH+QGPh1k0jkynrTlVR9GrpebQwZ2UFeinVO0km17IAyQkz+OmPc4jQLJMl\n" +"CmkbmMwowdLMKC6r/HyE87dN7NvFnRM5iByJklRwN7WDYZrl72HoUOlgTZ7PjW2G\n" +"jTxK8xXtDCXC/3CNpe0YFnOga8g=\n" +"-----END CERTIFICATE-----\n"; + + +static const char *private_key = + +"data:,-----BEGIN RSA PRIVATE KEY-----\n" +"MIIEowIBAAKCAQEA0Fb60RkFrDsRAIRfLMf2fsiRnw9Agp7yEbUsA4Zg4X+hRhBk\n" +"k78fFtagLisWo4LbT4DqKzqQXCvVnOn9a6uT0KsVejk2iaLoBy0fotQznudio3rz\n" +"DpTfzP9eRDFVj8RJnl3JJ8P1DULxH7N0TyDBuKZ1ibBfuKjPffqeCEzYKgAc8NG2\n" +"FB4m6mXzHhXuKw6W2v0IbHz6KYldsavf04rq7ztw0t67bexSQ4gLSVJEwiohAreg\n" 
+"m0dLvQnap5xd2qn0yETteTL8Y+Ujym1DWAnwDdwA6+0j2a0wkyzOzYQpZMt95NyZ\n" +"8kcoqEqO8KAN2HclqfjHlg9iDscbof5x45SQwwIDAQABAoIBAG0dYPeqd0IhHWJ7\n" +"8azufbchLMN1pX/D51xG2uptssfnpHuhkkufSZUYi4QipRS2ME6PYhWJ8pmTi6lH\n" +"E6cUkbI0KGd/F4U2gPdhNrR9Fxwea5bbifkVF7Gx/ZkRjZJiZ3w9+mCNTQbJDKhh\n" +"wITAzzT6WYznhvqbzzBX1fTa6kv0GAQtX7aHKM+XIwkhX2gzU5TU80bvH8aMrT05\n" +"tAMGQqkUeRnpo0yucBl4VmTZzd/+X/d2UyXR0my15jE5iH5o+p+E6qTRE9D+MGUd\n" +"MQ6Ftj0Untqy1lcog1ZLL6zPlnwcD4jgY5VCYDgvabnrSwymOJapPLsAEdWdq+U5\n" +"ec44BMECgYEA/+3qPUrd4XxA517qO3fCGBvf2Gkr7w5ZDeATOTHGuD8QZeK0nxPl\n" +"CWhRjdgkqo0fyf1cjczL5XgYayo+YxkO1Z4RUU+8lJAHlVx9izOQo+MTQfkwH4BK\n" +"LYlHxMoHJwAOXXoE+dmBaDh5xT0mDUGU750r763L6EFovE4qRBn9hxkCgYEA0GWz\n" +"rpOPNxb419WxG9npoQYdCZ5IbmEOGDH3ReggVzWHmW8sqtkqTZm5srcyDpqAc1Gu\n" +"paUveMblEBbU+NFJjLWOfwB5PCp8jsrqRgCQSxolShiVkc3Vu3oyzMus9PDge1eo\n" +"9mwVGO7ojQKWRu/WVAakENPaAjeyyhv4dqSNnjsCgYEAlwe8yszqoY1k8+U0T0G+\n" +"HeIdOCXgkmOiNCj+zyrLvaEhuS6PLq1b5TBVqGJcSPWdQ+MrglbQIKu9pUg5ptt7\n" +"wJ5WU+i9PeK9Ruxc/g/BFKYFkFJQjtZzb+nqm3wpul8zGwDN/O/ZiTqCyd3rHbmM\n" +"/dZ/viKPCZHIEBAEq0m3LskCgYBndzcAo+5k8ZjWwBfQth5SfhCIp/daJgGzbYtR\n" +"P/BenAsY2KOap3tjT8Fsw5usuHSxzIojX6H0Gvu7Qzq11mLn43Q+BeQrRQTWeFRc\n" +"MQdy4iZFZXNNEp7dF8yE9VKHwdgSJPGUdxD6chMvf2tRCN6mlS171VLV6wVvZvez\n" +"H/vX5QKBgD2Dq/NHpjCpAsECP9awmNF5Akn5WJbRGmegwXIih2mOtgtYYDeuQyxY\n" +"ZCrdJFfIUjUVPagshEmUklKhkYMYpzy2PQDVtaVcm6UNFroxT5h+J+KDs1LN1H8G\n" +"LsASrzyAg8EpRulwXEfLrWKiu9DKv8bMEgO4Ovgz8zTKJZIFhcac\n" +"-----END RSA PRIVATE KEY-----\n"; + + +static char *remote_private_key = +"-----BEGIN RSA PRIVATE KEY-----\n" +"MIIEowIBAAKCAQEAweb6oblp8IcV2an3z5n484Hu8PdaF+CEpW6CHwV6d7C49pqi\n" +"0rGIYATSQJ/xZdTmXhcNHeIFYmwYMeWXXI7Ivgpb2CvB+d+IkyXza4jMoYOJElsW\n" +"RdU4sX8NxUuy6oyhGOWTT36eWuD/vFL3qK2CbrK55b9Q4hemj4SUIfCetiem4cet\n" +"gzSzu3WWzdAVLJ1rcg3H4uQzo39v695UkX3nJ97ga9UGEWkuRa1fjEqBnIyNzO+Z\n" +"notU01Ke2E+GVkUeaylDKpetOcbJrHerKiWiqH2JsO8ArmlSfOqW/8PLK3XXSrdt\n" +"cVHkDTCp+PR+q2nszDhN1OQVDLWfj9jgS5PwjwIDAQABAoIBAHfgWhED9VgL29le\n" 
+"uGMzmPLK4LM+6Qcb+kXghTeyhl1a928WeRVzRpG+SVJEz9QaBHYlICnaY2PO2kJ2\n" +"49YIPFkpRFDn9JuLs/7tFonj4Eb2cBbWE3YG9W7e0t+oBiv1117yB9m8uSAMPG7s\n" +"iEpTQvE3M7CzT8kHwCS4XXCCN0z7LqKyZ1heScjdfhV3D2TnFFjdtQ/9KfQa3hIc\n" +"6ftbpi4EKbfasspyqfrJ/cqjHzse9iEXLOZJhs+atBAKe/uJ4Hc3LRPbX4MPniAp\n" +"JJrldXFK9p+HILlbXvu+5n+DSGbZmT1x9a/E9suGyoJiASDH2Ax4yCVTi+v8C1R2\n" +"aKdU1LkCgYEA/3dFuM6zIHwiJ0GKT0gtJL6J3m+i51SNcRIm8deXt6HULMpUNajj\n" +"vZ1bgQm/h+uRBlPV3swkaVxvPTIabOTY4gmCBSzvVCSIAKHVc/+5Nkl9KruwSq4G\n" +"tctmXZ7ymMDi+6QGCJTJkAx6jptXyrzC00HOjXOwyQ+iDipqgr3A8FsCgYEAwk7B\n" +"2/hi569EIHFRT6nz/JMqQVPZ/MJDKoKhffTbnjQ5OAzpiVN6cyThMM1iVJEBFNhx\n" +"OEacy60Qj0TtR1oYrQSRSLm58TTxiuB4Pohbmg3iU+kSM/eTq/ups/Ul1oCs2eAb\n" +"POfweD3c4d4i7sN8bUNQXehiE4MOlK9TYQy39t0CgYAJht0mwy6S644qgJsz0bE9\n" +"SY3Cqc8daV3M9axWIIAb7QEImpMBXUcA7zlWWpK18ub5oW68XEiPVU8grRmnLfGY\n" +"nFoo70ANlz8rJt3a8ZJqn9r3GQC+CDdf2DH9E8xgPfE5CSjgcQwDPzPi1ZA0k02A\n" +"q1eUltfk55xXguVt8r2bOQKBgQC7+kldr1yv20VDRZ1uPnMGRLE6Zg6bkqw78gid\n" +"vEbDNK6uZP+BlTr/LgyVk/yu52Fucz6FPPrvqEw+7mXHA4ifya1r+BHFIn0S57os\n" +"dOp5jTkKCI9NqxQ3683vhRjH/dA7L63qLFDdYqvP74FID+LOKbMURn6rdbyjZ0J4\n" +"vz8yGQKBgHIzcKlQosRxf+KptOPMGRs30L9PnH+sNmTo2SmEzAGkBkt1msGRh/2l\n" +"uT3hOEhUXL9knRyXwQSXgrIwr9QwI5rGS5FAgX26TgBtPBDs2NuyyhhS5yxsiEPT\n" +"BR+EjQFW9dzRkpRJgvsG4DcNAhFn7fQqFNcWXgFWuBXmGNkdtEGR\n" +"-----END RSA PRIVATE KEY-----"; + +static const char *unrelated_identity = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIDpDCCAoygAwIBAgIJALE5lRKfYHAaMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV\n" + "BAYTAk5MMRMwEQYDVQQIDApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8w\n" + "DQYDVQQKDAZBRExJTksxGDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTAeFw0xODAy\n" + "MDkxNjIwNDNaFw0zODAyMDQxNjIwNDNaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI\n" + "DApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8wDQYDVQQKDAZBRExJTksx\n" + "GDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n" + "ADCCAQoCggEBAN9/NbpJDHQYHh3cEByRxnHffxEe9Sapn08Ty5xYO8LDJ4V7vU32\n" + 
"/7291fITiHaovOoCRHAbKTaTtqJO56aGY45HON6KIqxljLQJJVGW/Nf2PNSHmFix\n" + "6D6bsoSOTPyKYqBNT6lB7NMn4QBTcsiE61El8p9WLQZHoYQJK5Psf7wkBqGBz8he\n" + "bcDWXFn7kIgnsaLrh77w2wi/y0MqpPwyeRInoZfYknzVNdxCPgq7csBYDoMgOgkV\n" + "G60ECXojHKz1HI4n0V8L8lZluSSVRNR0xvPFgBqO7b+Re7xb6iO9TNsFeoiMMNyp\n" + "EwM99CqPO0RRrAPiC7IDgcNGjxhne9EJFGsCAwEAAaNjMGEwHQYDVR0OBBYEFCst\n" + "gj5Ecm3HU/N7wxJluFo5+6XUMB8GA1UdIwQYMBaAFCstgj5Ecm3HU/N7wxJluFo5\n" + "+6XUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB\n" + "CwUAA4IBAQCWibvYuPLpoNcsUdHbE7SnBbEQnDfBxBZN8xeWHwwAPEB+8eHhmIdZ\n" + "xDtCN61xr5QR+KzlEYFwKyHMp9GN3OPU1RndJrzaXz2ddAZVkBIvnQZ4JvFd+sBC\n" + "QQgEvL8GcwZPxnad/TRylM4ON3Kh0X9vfyrmWEoHephiE1LcENaFqcYr9xg3DJNh\n" + "XSrigMGZJ7IOHkvgaoneICOcYI42ZHS0fnt1G+01VKJXm3ndi5NL25GnOmlvV6yV\n" + "+1vcmdQc6YS8K8vHmrH4lX9iPfsOak6WSzzsXdqgpvyxtGJggcFaDTtmbWCAkJj0\n" + "B7DMeaVlLClGQaKZZ7aexEx9se+IyLn2\n" + "-----END CERTIFICATE-----\n"; + + +static const char *remote_identity_trusted = + "-----BEGIN CERTIFICATE-----\n" + "MIIDcDCCAligAwIBAgIBBTANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" + "MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" + "aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" + "Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcDELMAkGA1UEBhMC\n" + "TkwxCzAJBgNVBAgTAk9WMQ8wDQYDVQQKEwZBRExpbmsxETAPBgNVBAsTCElTVCBU\n" + "ZXN0MREwDwYDVQQDEwhCb2IgVGVzdDEdMBsGCSqGSIb3DQEJARYOYm9iQGFkbGlu\n" + "ay5pc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB5vqhuWnwhxXZ\n" + "qffPmfjzge7w91oX4ISlboIfBXp3sLj2mqLSsYhgBNJAn/Fl1OZeFw0d4gVibBgx\n" + "5Zdcjsi+ClvYK8H534iTJfNriMyhg4kSWxZF1Tixfw3FS7LqjKEY5ZNPfp5a4P+8\n" + "UveorYJusrnlv1DiF6aPhJQh8J62J6bhx62DNLO7dZbN0BUsnWtyDcfi5DOjf2/r\n" + "3lSRfecn3uBr1QYRaS5FrV+MSoGcjI3M75mei1TTUp7YT4ZWRR5rKUMql605xsms\n" + "d6sqJaKofYmw7wCuaVJ86pb/w8srdddKt21xUeQNMKn49H6raezMOE3U5BUMtZ+P\n" + "2OBLk/CPAgMBAAGjEzARMA8GA1UdDwEB/wQFAwMH/4AwDQYJKoZIhvcNAQELBQAD\n" + "ggEBAJV71Ckf1zsks5mJXqdUb8bTVHg4hN32pwjCL5c6W2XHAv+YHwE/fN3C1VIY\n" 
+ "bC8zjUC9dCOyC2AvOQyZQ1eC/WoK6FlXjHVX2upL4lXQ9WL9ztt1mgdRrhvUPuUn\n" + "aBE8VgNU0t4jl93xMIaU8hB0kQsV+kdcN0cWbrF3mT4s9njRvopJ8hS2UE60V2wA\n" + "ceUOazH+QGPh1k0jkynrTlVR9GrpebQwZ2UFeinVO0km17IAyQkz+OmPc4jQLJMl\n" + "CmkbmMwowdLMKC6r/HyE87dN7NvFnRM5iByJklRwN7WDYZrl72HoUOlgTZ7PjW2G\n" + "jTxK8xXtDCXC/3CNpe0YFnOga8g=\n" + "-----END CERTIFICATE-----\n"; + +static const char *remote_identity_untrusted = + "-----BEGIN CERTIFICATE-----\n" + "MIIELTCCAxWgAwIBAgIBATANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJOTDEL\n" + "MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGzAZBgNVBAMTEkJvYiBU\n" + "ZXN0IFVudHJ1c3RlZDEmMCQGCSqGSIb3DQEJARYXaW5mb0Bpc3QuYWRsaW5rdGVj\n" + "aC5jb20wHhcNMTgwNjIwMDAwMDAwWhcNMjcwNjE5MjM1OTU5WjB0MQswCQYDVQQG\n" + "EwJOTDELMAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGzAZBgNVBAMT\n" + "EkJvYiBUZXN0IFVudHJ1c3RlZDEmMCQGCSqGSIb3DQEJARYXaW5mb0Bpc3QuYWRs\n" + "aW5rdGVjaC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB5vqh\n" + "uWnwhxXZqffPmfjzge7w91oX4ISlboIfBXp3sLj2mqLSsYhgBNJAn/Fl1OZeFw0d\n" + "4gVibBgx5Zdcjsi+ClvYK8H534iTJfNriMyhg4kSWxZF1Tixfw3FS7LqjKEY5ZNP\n" + "fp5a4P+8UveorYJusrnlv1DiF6aPhJQh8J62J6bhx62DNLO7dZbN0BUsnWtyDcfi\n" + "5DOjf2/r3lSRfecn3uBr1QYRaS5FrV+MSoGcjI3M75mei1TTUp7YT4ZWRR5rKUMq\n" + "l605xsmsd6sqJaKofYmw7wCuaVJ86pb/w8srdddKt21xUeQNMKn49H6raezMOE3U\n" + "5BUMtZ+P2OBLk/CPAgMBAAGjgckwgcYwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU\n" + "QpxLPHT5o/GQRwdBw2scINXnWlUwHwYDVR0jBBgwFoAUQpxLPHT5o/GQRwdBw2sc\n" + "INXnWlUwDwYDVR0PAQH/BAUDAwf/gDBlBgNVHSUBAf8EWzBZBggrBgEFBQcDAQYI\n" + "KwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJ\n" + "BggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEB\n" + "ABcyab7F7OAsjUSW0YWkVRX1SUMkW25xLLs8koXhHrdnBqgnmOur0xO72/fmTTX9\n" + "KnCUmQj+dAOmmZrAaIZzqLtMyp4ibHZPfOBwmM0MFnyuwyEnCEYvjPN3FTB0HEgS\n" + "vCoFH1001LVi4oC1mEMxYaNW4/5Tgl+DTqGF+tctJe3hvbxh+Uu5M0320VAvASjt\n" + "cJ0me6Ug1FJJ60tgXgZ+M/8V6AXhrQGNgN6WkPMFbbLi5IyEld186QPeLdZ8vCtz\n" + "StjIV9HZGR1XLotlXarbjVtjxavZJjtwiySeYkAgG7Zjy7LalPSJiIdAD3R/ny+S\n" + 
"9kXDKiw/HgYxb8xiy9gdlSc=\n" + "-----END CERTIFICATE-----\n"; + + +static const char *remote_identity_trusted_expired = + "-----BEGIN CERTIFICATE-----\n" + "MIIEKTCCAxGgAwIBAgIBBjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" + "MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" + "aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" + "Y29tMB4XDTE4MDMwMTAwMDAwMFoXDTE4MDQyMzIzNTk1OVowcjELMAkGA1UEBhMC\n" + "TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBC\n" + "b2IgVGVzdCBFeHBpcmVkMSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0\n" + "ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMHm+qG5afCH\n" + "Fdmp98+Z+POB7vD3WhfghKVugh8FenewuPaaotKxiGAE0kCf8WXU5l4XDR3iBWJs\n" + "GDHll1yOyL4KW9grwfnfiJMl82uIzKGDiRJbFkXVOLF/DcVLsuqMoRjlk09+nlrg\n" + "/7xS96itgm6yueW/UOIXpo+ElCHwnrYnpuHHrYM0s7t1ls3QFSyda3INx+LkM6N/\n" + "b+veVJF95yfe4GvVBhFpLkWtX4xKgZyMjczvmZ6LVNNSnthPhlZFHmspQyqXrTnG\n" + "yax3qyoloqh9ibDvAK5pUnzqlv/Dyyt110q3bXFR5A0wqfj0fqtp7Mw4TdTkFQy1\n" + "n4/Y4EuT8I8CAwEAAaOByTCBxjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRCnEs8\n" + "dPmj8ZBHB0HDaxwg1edaVTAfBgNVHSMEGDAWgBRNVUJNFzhJPReYT4QSx6dK53CX\n" + "CTAPBgNVHQ8BAf8EBQMDB/+AMGUGA1UdJQEB/wRbMFkGCCsGAQUFBwMBBggrBgEF\n" + "BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkGCCsG\n" + "AQUFBwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAdY5n\n" + "5ElOhpHq/YPWUs68t8HNIhqfokqjLZAgzNyU5QFppb9tPpmFCugerfjlScNwp5HB\n" + "X6/WjK4runDrgzXfmrBogR4Kscb1KJSm8KAmnzXVUNr1iyASlHxI7241kYdQvTH2\n" + "LL6b0kjsD5lKAnNh4id0SDHfy/CKg5d7dUxxO1mX48jUiIZtmFqgjej8tFLHy/w/\n" + "usI5ErlI0qzI6lkoRxPCEWLbXWeBDm3/smHeDbYa/+Lw4Bid8U1+ZSAuC1CT7a7F\n" + "O3gAjPUL0jzRztp5Yj3dYPV8YyJHLEKr75IXNedV9YKhT4f6kTS3UEjMTqYbYsix\n" + "MtqgY283RjsExzjNvw==\n" + "-----END CERTIFICATE-----\n"; + +static struct plugins_hdl *plugins = NULL; +static dds_security_authentication *auth = NULL; +static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_IdentityHandle 
remote_identity_handle1 = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_IdentityHandle remote_identity_handle2 = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_AuthRequestMessageToken g_local_auth_request_token = DDS_SECURITY_TOKEN_INIT;
+static DDS_Security_AuthRequestMessageToken g_remote_auth_request_token = DDS_SECURITY_TOKEN_INIT;
+static const DDS_Security_BinaryProperty_t *challenge1_predefined_glb = NULL;
+static const DDS_Security_BinaryProperty_t *challenge2_predefined_glb = NULL;
+static DDS_Security_OctetSeq serialized_participant_data = DDS_SECURITY_SEQUENCE_INIT;
+static DDS_Security_ParticipantBuiltinTopicData *remote_participant_data1 = NULL;
+static DDS_Security_ParticipantBuiltinTopicData *remote_participant_data2 = NULL;
+static DDS_Security_ParticipantBuiltinTopicData *remote_participant_data3 = NULL;
+static DDS_Security_GUID_t candidate_participant_guid;
+static DDS_Security_GUID_t remote_participant_guid1;
+static DDS_Security_GUID_t remote_participant_guid2;
+
+static EVP_PKEY *dh_modp_key = NULL;
+static EVP_PKEY *dh_ecdh_key = NULL;
+static struct octet_seq dh_modp_pub_key = {NULL, 0};
+static struct octet_seq dh_ecdh_pub_key = {NULL, 0};
+static struct octet_seq invalid_dh_pub_key = {NULL, 0};
+
+
+static void
+octet_seq_init(
+ struct octet_seq *seq,
+ unsigned char *data,
+ uint32_t size)
+{
+ seq->data = ddsrt_malloc(size);
+ memcpy(seq->data, data, size);
+ seq->length = size;
+}
+
+static void
+octet_seq_deinit(
+ struct octet_seq *seq)
+{
+ ddsrt_free(seq->data);
+}
+
+static void
+serializer_participant_data(
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ unsigned char **buffer,
+ size_t *size);
+
+static void
+dds_security_property_init(
+ DDS_Security_PropertySeq *seq,
+ DDS_Security_unsigned_long size)
+{
+ seq->_length = size;
+ seq->_maximum = size;
+ seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+ memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void
+dds_security_property_deinit(
+ DDS_Security_PropertySeq *seq)
+{
+ uint32_t i;
+
+ for (i = 0; i < seq->_length; i++) {
+ ddsrt_free(seq->_buffer[i].name);
+ ddsrt_free(seq->_buffer[i].value);
+ }
+ ddsrt_free(seq->_buffer);
+}
+
+static void
+reset_exception(
+ DDS_Security_SecurityException *ex)
+{
+ ex->minor_code = 0;
+ ex->code = 0;
+ ddsrt_free(ex->message);
+ ex->message = NULL;
+}
+
+static void
+initialize_identity_token(
+ DDS_Security_IdentityToken *token,
+ const char *certAlgo,
+ const char *caAlgo)
+{
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+ token->properties._maximum = 4;
+ token->properties._length = 4;
+ token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+
+ token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CERT);
+ token->properties._buffer[0].propagate = true;
+
+ token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM);
+ token->properties._buffer[1].value = ddsrt_strdup(certAlgo);
+ token->properties._buffer[1].propagate = true;
+
+ token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME);
+ token->properties._buffer[2].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA);
+ token->properties._buffer[2].propagate = true;
+
+ token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM);
+ token->properties._buffer[3].value = ddsrt_strdup(caAlgo);
+ token->properties._buffer[3].propagate = true;
+}
+
+static void
+initialize_permissions_token(
+ DDS_Security_PermissionsToken *token,
+ const char *caAlgo)
+{
+ token->class_id = ddsrt_strdup(PERM_ACCESS_CLASS_ID);
+ token->properties._length = 2;
+ token->properties._maximum = 2;
+ token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+ token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA);
+ token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_PERM_CA_SUBJECT_NAME);
+ token->properties._buffer[1].value = ddsrt_strdup(caAlgo);
+}
+
+
+
+static void
+fill_auth_request_token(
+ DDS_Security_AuthRequestMessageToken *token)
+{
+ uint32_t i;
+ uint32_t len = 32;
+ unsigned char *challenge;
+
+ challenge = ddsrt_malloc(len);
+
+ for (i = 0; i < len; i++) {
+ challenge[i] = (unsigned char)(0xFF - i);
+ }
+
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID);
+ token->binary_properties._maximum = 1;
+ token->binary_properties._length = 1;
+ token->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(1);
+ token->binary_properties._buffer->name = ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+
+ token->binary_properties._buffer->value._maximum = len;
+ token->binary_properties._buffer->value._length = len;
+ token->binary_properties._buffer->value._buffer = challenge;
+}
+
+
+static DDS_Security_BinaryProperty_t *
+find_binary_property(
+ DDS_Security_DataHolder *token,
+ const char *name)
+{
+ DDS_Security_BinaryProperty_t *result = NULL;
+ uint32_t i;
+
+ for (i = 0; i < token->binary_properties._length && !result; i++) {
+ if (token->binary_properties._buffer[i].name && (strcmp(token->binary_properties._buffer[i].name, name) == 0)) {
+ result = &token->binary_properties._buffer[i];
+ }
+ }
+
+ return result;
+}
+
+static void
+deinitialize_identity_token(
+ DDS_Security_IdentityToken *token)
+{
+ DDS_Security_DataHolder_deinit(token);
+}
+
+static int
+validate_local_identity(const char* trusted_ca_dir)
+{
+ int res = 0;
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GUID_t local_participant_guid;
+ DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+ DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1};
+ DDS_Security_ParticipantBuiltinTopicData *local_participant_data;
+ unsigned char *sdata;
+ size_t size;
+
+ memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ if( trusted_ca_dir != NULL){
+ char trusted_ca_dir_path[1024];
+ dds_security_property_init(&participant_qos.property.value, 4);
+#ifdef WIN32
+ snprintf(trusted_ca_dir_path, 1024, "%s\\testsuite\\dbt\\security_plugin\\tests\\validate_begin_handshake_reply\\etc\\%s", CONFIG_ENV_TESTS_DIR,trusted_ca_dir);
+#else
+ snprintf(trusted_ca_dir_path, 1024, "%s/validate_begin_handshake_reply/etc/%s", CONFIG_ENV_TESTS_DIR, trusted_ca_dir);
+#endif
+ participant_qos.property.value._buffer[3].name = ddsrt_strdup(PROPERTY_TRUSTED_CA_DIR);
+ participant_qos.property.value._buffer[3].value = ddsrt_strdup(trusted_ca_dir_path);
+ }
+ else{
+ dds_security_property_init(&participant_qos.property.value, 3);
+ }
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &local_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ res = -1;
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ local_participant_data = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&local_participant_data->key[0], &local_participant_guid, 12);
+ /* convert from big-endian format to native format */
+ local_participant_data->key[0] = fromBE4u(local_participant_data->key[0]);
+ local_participant_data->key[1] = fromBE4u(local_participant_data->key[1]);
+ local_participant_data->key[2] = fromBE4u(local_participant_data->key[2]);
+
+ initialize_identity_token(&local_participant_data->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&local_participant_data->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ local_participant_data->security_info.participant_security_attributes = 0x01;
+ local_participant_data->security_info.plugin_participant_security_attributes = 0x02;
+
+ serializer_participant_data(local_participant_data, &sdata, &size);
+
+ serialized_participant_data._length = serialized_participant_data._maximum = (DDS_Security_unsigned_long) size;
+ serialized_participant_data._buffer = sdata;
+
+ DDS_Security_ParticipantBuiltinTopicData_free(local_participant_data);
+
+ return res;
+}
+
+static void
+release_local_identity(void)
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ if (local_identity_handle != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ }
+
+ DDS_Security_OctetSeq_deinit(&serialized_participant_data);
+}
+
+static X509 *
+load_certificate(
+ const char *data)
+{
+ X509 *cert = NULL;
+ BIO *bio;
+
+ bio = BIO_new_mem_buf((void *) data, -1);
+ if (!bio) {
+ return NULL;
+ }
+
+ cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+
+ BIO_free(bio);
+
+ return cert;
+}
+
+static int
+get_adjusted_participant_guid(
+ X509 *cert,
+ const DDS_Security_GUID_t *candidate,
+ DDS_Security_GUID_t *adjusted)
+{
+ int result = 0;
+ unsigned char high[SHA256_DIGEST_LENGTH], low[SHA256_DIGEST_LENGTH];
+ unsigned char *subject;
+ DDS_Security_octet hb = 0x80;
+ X509_NAME *name;
+ unsigned char *tmp = NULL;
+ int i, sz;
+
+ name = X509_get_subject_name(cert);
+ sz = i2d_X509_NAME(name, &tmp);
+ if (sz > 0) {
+ subject = ddsrt_malloc( (size_t)sz);
+ memcpy(subject, tmp, (size_t)sz);
+ OPENSSL_free(tmp);
+
+ SHA256(subject, (size_t)sz, high);
+ SHA256(&candidate->prefix[0], sizeof(DDS_Security_GuidPrefix_t), low);
+
+ adjusted->entityId = candidate->entityId;
+ for (i = 0; i < 6; i++) {
+ adjusted->prefix[i] = hb | high[i]>>1;
+ hb = (DDS_Security_octet)(high[i]<<7);
+ }
+ for (i = 0; i < 6; i++) {
+ adjusted->prefix[i+6] = low[i];
+ }
+ ddsrt_free(subject);
+ result = 1;
+ }
+
+ return result;
+}
+
+static int
+create_dh_key_modp_2048(
+ EVP_PKEY **pkey)
+{
+ int r = 0;
+ EVP_PKEY *params = NULL;
+ EVP_PKEY_CTX *kctx = NULL;
+ DH *dh = NULL;
+
+ *pkey = NULL;
+
+ if ((params = EVP_PKEY_new()) == NULL) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to allocate EVP_PKEY: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if ((dh = DH_get_2048_256()) == NULL) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to allocate DH parameter: %s", msg);
+ ddsrt_free(msg);
+ r = -1;
+ } else if (EVP_PKEY_set1_DH(params, dh) <= 0) {
+ char *msg = get_openssl_error_message_for_test();
+ printf("Failed to set
DH parameter to MODP_2048_256: %s", msg); + ddsrt_free(msg); + r = -1; + } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate KEY context %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen_init(kctx) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to initialize KEY context: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to generate :MODP_2048_256 keys %s", msg); + ddsrt_free(msg); + r = -1; + } + + if (params) EVP_PKEY_free(params); + if (kctx) EVP_PKEY_CTX_free(kctx); + if (dh) DH_free(dh); + + return r; +} + +static int +get_dh_public_key_modp_2048( + EVP_PKEY *pkey, + struct octet_seq *pubkey) +{ + int r = 0; + DH *dhkey; + unsigned char *buffer = NULL; + uint32_t size; + ASN1_INTEGER *asn1int; + + dhkey = EVP_PKEY_get1_DH(pkey); + if (!dhkey) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get DH key from PKEY: %s", msg); + ddsrt_free(msg); + r = -1; + goto fail_get_dhkey; + } + + asn1int = BN_to_ASN1_INTEGER( dh_get_public_key(dhkey) , NULL); + if (!asn1int) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to convert DH key to ASN1 integer: %s", msg); + ddsrt_free(msg); + r = -1; + goto fail_get_pubkey; + } + + size = (uint32_t) i2d_ASN1_INTEGER(asn1int, &buffer); + octet_seq_init(pubkey, buffer, size); + + ASN1_INTEGER_free(asn1int); + OPENSSL_free(buffer); + +fail_get_pubkey: + DH_free(dhkey); +fail_get_dhkey: + return r; +} + +static int +create_dh_key_ecdh( + EVP_PKEY **pkey) +{ + int r = 0; + EVP_PKEY *params = NULL; + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY_CTX *kctx = NULL; + + *pkey = NULL; + + if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate DH parameter context: %s", 
msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_paramgen_init(pctx) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to initialize DH generation context: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_X9_62_prime256v1) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to set DH generation parameter generation method: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_paramgen(pctx, ¶ms) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to generate DH parameters: %s", msg); + ddsrt_free(msg); + r = -1; + } else if ((kctx = EVP_PKEY_CTX_new(params, NULL)) == NULL) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to allocate KEY context %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen_init(kctx) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to initialize KEY context: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (EVP_PKEY_keygen(kctx, pkey) <= 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to generate :MODP_2048_256 keys %s", msg); + ddsrt_free(msg); + r = -1; + } + + if (kctx) EVP_PKEY_CTX_free(kctx); + if (params) EVP_PKEY_free(params); + if (pctx) EVP_PKEY_CTX_free(pctx); + + return r; +} + +static int +get_dh_public_key_ecdh( + EVP_PKEY *pkey, + struct octet_seq *pubkey) +{ + int r = 0; + EC_KEY *eckey = NULL; + const EC_GROUP *group = NULL; + const EC_POINT *point = NULL; + size_t sz; + + if (!(eckey = EVP_PKEY_get1_EC_KEY(pkey))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get EC key from PKEY: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (!(point = EC_KEY_get0_public_key(eckey))) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get public key from ECKEY: %s", msg); + ddsrt_free(msg); + r = -1; + } else if (!(group = EC_KEY_get0_group(eckey))) 
{ + char *msg = get_openssl_error_message_for_test(); + printf("Failed to get group from ECKEY: %s", msg); + ddsrt_free(msg); + r = -1; + } else if ((sz = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, NULL, 0, NULL)) != 0) { + pubkey->data = ddsrt_malloc(sz); + pubkey->length = (uint32_t) EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, pubkey->data, sz, NULL); + if (pubkey->length == 0) { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to serialize public EC key: %s", msg); + ddsrt_free(msg); + octet_seq_deinit(pubkey); + r = -1; + } + } else { + char *msg = get_openssl_error_message_for_test(); + printf("Failed to serialize public EC key: %s", msg); + ddsrt_free(msg); + r = -1; + } + + if (eckey) EC_KEY_free(eckey); + + return r; +} + +static int +validate_remote_identities (const char *remote_id_certificate) +{ + int res = 0; + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityToken remote_identity_token; + static DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT; + DDS_Security_GUID_t guid1; + DDS_Security_GUID_t guid2; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix1 = {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab}; + DDS_Security_GuidPrefix_t prefix2 = {0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb}; + DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1}; + X509 *cert; + + memcpy(&guid1.prefix, &prefix1, sizeof(prefix1)); + memcpy(&guid1.entityId, &entityId, sizeof(entityId)); + memcpy(&guid2.prefix, &prefix2, sizeof(prefix2)); + memcpy(&guid2.entityId, &entityId, sizeof(entityId)); + + if (local_identity_handle == DDS_SECURITY_HANDLE_NIL) { + return -1; + } + + cert = load_certificate(remote_id_certificate); + if (!cert) { + return -1; + } + + if (!get_adjusted_participant_guid(cert, &guid1, &remote_participant_guid1)) { + X509_free(cert); + return -1; + } + 
+ if (!get_adjusted_participant_guid(cert, &guid2, &remote_participant_guid2)) { + X509_free(cert); + return -1; + } + + X509_free(cert); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle1, + &g_local_auth_request_token, + NULL, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid1, + &exception); + + if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) && + (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) { + printf("validate_remote_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + reset_exception(&exception); + + fill_auth_request_token(&g_remote_auth_request_token); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle2, + &local_auth_request_token, + &g_remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid2, + &exception); + + if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) && + (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) { + printf("validate_remote_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + reset_exception(&exception); + + deinitialize_identity_token(&remote_identity_token); + DDS_Security_DataHolder_deinit(&local_auth_request_token); + + remote_participant_data1 = DDS_Security_ParticipantBuiltinTopicData_alloc(); + memcpy(&remote_participant_data1->key[0], &remote_participant_guid1, 12); + remote_participant_data1->key[0] = fromBE4u(remote_participant_data1->key[0]); + remote_participant_data1->key[1] = fromBE4u(remote_participant_data1->key[1]); + remote_participant_data1->key[2] = fromBE4u(remote_participant_data1->key[2]); + + initialize_identity_token(&remote_participant_data1->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + initialize_permissions_token(&remote_participant_data1->permissions_token, RSA_2048_ALGORITHM_NAME); + + remote_participant_data1->security_info.participant_security_attributes = 0x01; + remote_participant_data1->security_info.plugin_participant_security_attributes = 0x02; + + remote_participant_data2 = DDS_Security_ParticipantBuiltinTopicData_alloc(); + memcpy(&remote_participant_data2->key[0], &remote_participant_guid2, 12); + remote_participant_data2->key[0] = fromBE4u(remote_participant_data2->key[0]); + remote_participant_data2->key[1] = fromBE4u(remote_participant_data2->key[1]); + remote_participant_data2->key[2] = fromBE4u(remote_participant_data2->key[2]); + + initialize_identity_token(&remote_participant_data2->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + initialize_permissions_token(&remote_participant_data2->permissions_token, RSA_2048_ALGORITHM_NAME); + + remote_participant_data2->security_info.participant_security_attributes = 0x01; + remote_participant_data2->security_info.plugin_participant_security_attributes = 0x02; + + remote_participant_data3 = DDS_Security_ParticipantBuiltinTopicData_alloc(); + memcpy(&remote_participant_data3->key[0], &candidate_participant_guid, 12); + + 
initialize_identity_token(&remote_participant_data3->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + initialize_permissions_token(&remote_participant_data3->permissions_token, RSA_2048_ALGORITHM_NAME); + + remote_participant_data2->security_info.participant_security_attributes = 0x01; + remote_participant_data2->security_info.plugin_participant_security_attributes = 0x02; + + challenge1_predefined_glb = find_binary_property(&g_remote_auth_request_token, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME); + challenge2_predefined_glb = challenge1_predefined_glb; + + return res; +} + +static void +release_remote_identities(void) +{ + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + if (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL) { + success = auth->return_identity_handle(auth, remote_identity_handle1, &exception); + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + } + if (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL) { + success = auth->return_identity_handle(auth, remote_identity_handle2, &exception); + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + } + + DDS_Security_DataHolder_deinit(&g_local_auth_request_token); + DDS_Security_DataHolder_deinit(&g_remote_auth_request_token); + + DDS_Security_ParticipantBuiltinTopicData_free(remote_participant_data1); + DDS_Security_ParticipantBuiltinTopicData_free(remote_participant_data2); + DDS_Security_ParticipantBuiltinTopicData_free(remote_participant_data3); +} + +CU_Init(ddssec_builtin_process_handshake) +{ + int result = 0; + + /* Only need the authentication plugin. 
*/ + plugins = load_plugins(NULL /* Access Control */, + &auth /* Authentication */, + NULL /* Cryptograpy */); + if (plugins) { + result = validate_local_identity( NULL ); + if (result >= 0) { + result = validate_remote_identities( remote_identity_certificate ); + } + if (result >= 0) { + result = create_dh_key_modp_2048(&dh_modp_key); + } + if (result >= 0) { + result = get_dh_public_key_modp_2048(dh_modp_key, &dh_modp_pub_key); + } + if (result >= 0) { + result = create_dh_key_ecdh(&dh_ecdh_key); + } + if (result >= 0) { + result = get_dh_public_key_ecdh(dh_ecdh_key, &dh_ecdh_pub_key); + } + if (result >= 0) { + octet_seq_init(&invalid_dh_pub_key, dh_modp_pub_key.data, dh_modp_pub_key.length); + invalid_dh_pub_key.data[0] = 0x08; + } + } else { + result = -1; + } + + + return result; +} + +CU_Clean(ddssec_builtin_process_handshake) +{ + release_local_identity(); + release_remote_identities(); + unload_plugins(plugins); + octet_seq_deinit(&dh_modp_pub_key); + octet_seq_deinit(&dh_ecdh_pub_key); + octet_seq_deinit(&invalid_dh_pub_key); + if (dh_modp_key) { + EVP_PKEY_free(dh_modp_key); + } + if (dh_ecdh_key) { + EVP_PKEY_free(dh_ecdh_key); + } + return 0; +} + +static bool +compare_octet_seq( + const DDS_Security_OctetSeq *seq1, + const DDS_Security_OctetSeq *seq2) +{ + int r; + if (seq1 && seq2) { + r = (int)(seq2->_length - seq1->_length); + if (r == 0) { + r = memcmp(seq1->_buffer, seq2->_buffer, seq1->_length); + } + } else if (seq1 == seq2) { + r = 0; + } else { + r = (seq2 > seq1) ? 
1 : -1; + } + return r; +} + +static void +serializer_participant_data( + DDS_Security_ParticipantBuiltinTopicData *pdata, + unsigned char **buffer, + size_t *size) +{ + DDS_Security_Serializer serializer; + serializer = DDS_Security_Serializer_new(1024, 1024); + + DDD_Security_Serialize_ParticipantBuiltinTopicData(serializer, pdata); + DDS_Security_Serializer_buffer(serializer, buffer, size); + DDS_Security_Serializer_free(serializer); +} + + +static void +set_binary_property_value( + DDS_Security_BinaryProperty_t *bp, + const char *name, + const unsigned char *data, + uint32_t length) +{ + assert(bp); + assert(name); + assert(data); + + bp->name = ddsrt_strdup(name); + bp->value._maximum = bp->value._length = length; + if (length) { + bp->value._buffer = ddsrt_malloc(length); + memcpy(bp->value._buffer, data, length); + } else { + bp->value._buffer = NULL; + } +} + +static void +set_binary_property_string( + DDS_Security_BinaryProperty_t *bp, + const char *name, + const char *data) +{ + uint32_t length; + + assert(bp); + assert(name); + assert(data); + + length = (uint32_t)strlen(data) + 1; + set_binary_property_value(bp, name, (const unsigned char *)data, length); +} + +static void +fill_handshake_message_token( + DDS_Security_HandshakeMessageToken *token, + DDS_Security_ParticipantBuiltinTopicData *pdata, + const char *certificate, + const char *dsign, + const char *kagree, + const struct octet_seq *diffie_hellman1, + const unsigned char *challengeData, + unsigned int challengeDataSize, + const struct octet_seq *diffie_hellman2, + const unsigned char *challengeData2, + unsigned int challengeDataSize2, + const DDS_Security_BinaryProperty_t *hash1_from_request, + const DDS_Security_BinaryProperty_t *hash2_from_reply, + HandshakeStep_t step) +{ + DDS_Security_BinaryProperty_t *tokens; + DDS_Security_BinaryProperty_t *c_id; + DDS_Security_BinaryProperty_t *c_perm; + DDS_Security_BinaryProperty_t *c_pdata; + DDS_Security_BinaryProperty_t *c_dsign_algo; + 
DDS_Security_BinaryProperty_t *c_kagree_algo; + DDS_Security_BinaryProperty_t *hash_c1; + DDS_Security_BinaryProperty_t *hash_c2; + DDS_Security_BinaryProperty_t *dh1; + DDS_Security_BinaryProperty_t *dh2; + DDS_Security_BinaryProperty_t *challenge1; + DDS_Security_BinaryProperty_t *challenge2; + DDS_Security_BinaryProperty_t *signature; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + unsigned idx; + unsigned char *serialized_local_participant_data; + size_t serialized_local_participant_data_size; + /*unsigned hash[32];*/ + + switch( step ) + { + + case HANDSHAKE_REQUEST: + tokens = DDS_Security_BinaryPropertySeq_allocbuf(8); + c_id = &tokens[0]; + c_perm = &tokens[1]; + c_pdata = &tokens[2]; + c_dsign_algo = &tokens[3]; + c_kagree_algo = &tokens[4]; + hash_c1 = &tokens[5]; + dh1 = &tokens[6]; + challenge1 = &tokens[7]; + + serializer_participant_data(pdata, &serialized_local_participant_data, &serialized_local_participant_data_size); + + /* Store the Identity Certificate associated with the local identify in c.id property */ + if (certificate) { + set_binary_property_string(c_id, "c.id", certificate); + } else { + set_binary_property_string(c_id, "c.idx", "rubbish"); + } + + /* Store the permission document in the c.perm property */ + set_binary_property_string(c_perm, "c.perm", "permissions_document"); + + /* Store the provided local_participant_data in the c.pdata property */ + set_binary_property_value(c_pdata, "c.pdata", serialized_local_participant_data, (uint32_t)serialized_local_participant_data_size); + ddsrt_free(serialized_local_participant_data); + + /* Set the used signing algorithm descriptor in c.dsign_algo */ + if (dsign) { + set_binary_property_string(c_dsign_algo, "c.dsign_algo", dsign); + } else { + set_binary_property_string(c_dsign_algo, "c.dsign_algox", "rubbish"); + } + + /* Set the used key algorithm descriptor in c.kagree_algo */ + if (kagree) { + set_binary_property_string(c_kagree_algo, "c.kagree_algo", kagree); + } else { + 
set_binary_property_string(c_kagree_algo, "c.kagree_algox", "rubbish"); + } + + /* Calculate the hash_c1 */ + { + DDS_Security_BinaryPropertySeq bseq; + DDS_Security_Serializer serializer; + unsigned char hash1_sentrequest_arr[32]; + unsigned char *buffer; + size_t size; + + bseq._length = bseq._maximum = 5; + bseq._buffer = tokens; + + serializer = DDS_Security_Serializer_new(1024, 1024); + + DDS_Security_Serialize_BinaryPropertySeq(serializer, &bseq); + DDS_Security_Serializer_buffer(serializer, &buffer, &size); + SHA256(buffer, size, hash1_sentrequest_arr); + ddsrt_free(buffer); + DDS_Security_Serializer_free(serializer); + + set_binary_property_value(hash_c1, "hash_c1", hash1_sentrequest_arr, sizeof(hash1_sentrequest_arr)); + } + + /* Set the DH public key associated with the local participant in dh1 property */ + if (diffie_hellman1) { + set_binary_property_value(dh1, "dh1", diffie_hellman1->data, diffie_hellman1->length); + } else { + set_binary_property_string(dh1, "dh1x", "rubbish"); + } + + /* Set the challenge in challenge1 property */ + if (challengeData) { + set_binary_property_value(challenge1, "challenge1", challengeData, challengeDataSize); + } else { + set_binary_property_value(challenge1, "challenge1x", challenge1_predefined_glb->value._buffer, challenge1_predefined_glb->value._length); + } + + token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID); + token->binary_properties._length = token->binary_properties._maximum = 8; + token->binary_properties._buffer = tokens; + break; + + case HANDSHAKE_REPLY: + tokens = DDS_Security_BinaryPropertySeq_allocbuf(12); + idx = 0; + c_id = &tokens[idx++]; + c_perm = &tokens[idx++]; + c_pdata = &tokens[idx++]; + c_dsign_algo = &tokens[idx++]; + c_kagree_algo = &tokens[idx++]; + hash_c2 = &tokens[idx++]; + challenge2 = &tokens[idx++]; + dh2 = &tokens[idx++]; + challenge1 = &tokens[idx++]; + dh1 = &tokens[idx++]; + hash_c1 = &tokens[idx++] ; + signature = &tokens[idx++]; + + 
serializer_participant_data(pdata, &serialized_local_participant_data, &serialized_local_participant_data_size); + + /* Store the Identity Certificate associated with the local identify in c.id property */ + if (certificate) { + set_binary_property_string(c_id, "c.id", certificate); + } else { + set_binary_property_string(c_id, "c.idx", "rubbish"); + } + + /* Store the permission document in the c.perm property */ + set_binary_property_string(c_perm, "c.perm", "permissions_document"); + + /* Store the provided local_participant_data in the c.pdata property */ + set_binary_property_value(c_pdata, "c.pdata", serialized_local_participant_data, (uint32_t )serialized_local_participant_data_size); + ddsrt_free(serialized_local_participant_data); + + /* Set the used signing algorithm descriptor in c.dsign_algo */ + if (dsign) { + set_binary_property_string(c_dsign_algo, "c.dsign_algo", dsign); + } else { + set_binary_property_string(c_dsign_algo, "c.dsign_algox", "rubbish"); + } + + /* Set the used key algorithm descriptor in c.kagree_algo */ + if (kagree) { + set_binary_property_string(c_kagree_algo, "c.kagree_algo", kagree); + } else { + set_binary_property_string(c_kagree_algo, "c.kagree_algox", "rubbish"); + } + + CU_ASSERT(hash1_from_request != NULL); + + set_binary_property_value(hash_c1, "hash_c1", hash1_from_request->value._buffer, hash1_from_request->value._length); + + /* Calculate the hash_c2 */ + { + DDS_Security_BinaryPropertySeq bseq; + DDS_Security_Serializer serializer; + unsigned char hash2_sentreply_arr[32]; + unsigned char *buffer; + size_t size; + + bseq._length = bseq._maximum = 5; + bseq._buffer = tokens; + + serializer = DDS_Security_Serializer_new(1024, 1024); + + DDS_Security_Serialize_BinaryPropertySeq(serializer, &bseq); + DDS_Security_Serializer_buffer(serializer, &buffer, &size); + SHA256(buffer, size, hash2_sentreply_arr); + + ddsrt_free(buffer); + DDS_Security_Serializer_free(serializer); + + set_binary_property_value(hash_c2, "hash_c2", 
hash2_sentreply_arr, sizeof(hash2_sentreply_arr)); + } + + /* Set the challenge in challenge1 property */ + if (challengeData) { + set_binary_property_value(challenge1, "challenge1", challengeData, challengeDataSize); + } else { + set_binary_property_value(challenge1, "challenge1x", challenge2->value._buffer, challenge2->value._length); + } + + /* Set the challenge in challenge2 property */ + if (challengeData2) { + set_binary_property_value(challenge2, "challenge2", challengeData2, challengeDataSize2); + } else { + set_binary_property_value(challenge2, "challenge2x", challenge2->value._buffer, challenge2->value._length); + } + + + /* Set the DH public key associated with the local participant in dh1 property */ + if (diffie_hellman1) { + set_binary_property_value(dh1, "dh1", diffie_hellman1->data, diffie_hellman1->length); + } else { + set_binary_property_string(dh1, "dh1x", "rubbish"); + } + + /* Set the DH public key associated with the local participant in dh2 property */ + if (diffie_hellman2) { + set_binary_property_value(dh2, "dh2", diffie_hellman2->data, diffie_hellman2->length); + } else { + set_binary_property_string(dh2, "dh2x", "rubbish"); + } + + /* Calculate the signature */ + { + BIO *bio; + EVP_PKEY *private_key_x509; + unsigned char *sign; + size_t signlen; + + const DDS_Security_BinaryProperty_t * binary_properties[ HANDSHAKE_SIGNATURE_SIZE ]; + + /* load certificate in buffer */ + bio = BIO_new_mem_buf((const char *) remote_private_key, -1); + assert( bio ); + private_key_x509 = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); + assert (private_key_x509 ); + + binary_properties[0] = hash_c2; + binary_properties[1] = challenge2; + binary_properties[2] = dh2; + binary_properties[3] = challenge1; + binary_properties[4] = dh1; + binary_properties[5] = hash_c1; + + if (create_signature_for_test(private_key_x509, binary_properties, HANDSHAKE_SIGNATURE_SIZE , &sign, &signlen, &exception) != DDS_SECURITY_VALIDATION_OK) + { + printf("Exception: %s\n", 
exception.message); + } + set_binary_property_value(signature, "signature", sign, (uint32_t ) signlen); + + ddsrt_free(sign); + EVP_PKEY_free(private_key_x509); + BIO_free(bio); + } + + token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID); + token->binary_properties._length = token->binary_properties._maximum = 12; + token->binary_properties._buffer = tokens; + break; + + case HANDSHAKE_FINAL: + tokens = DDS_Security_BinaryPropertySeq_allocbuf(7); + idx = 0; + signature = &tokens[idx++]; + hash_c1 = &tokens[idx++]; + challenge1 = &tokens[idx++]; + dh1 = &tokens[idx++]; + challenge2 = &tokens[idx++]; + dh2 = &tokens[idx++]; + hash_c2 = &tokens[idx++]; + + CU_ASSERT(hash1_from_request != NULL); + CU_ASSERT(hash2_from_reply != NULL); + + set_binary_property_value(hash_c1, "hash_c1", hash1_from_request->value._buffer, hash1_from_request->value._length); + set_binary_property_value(hash_c2, "hash_c2", hash2_from_reply->value._buffer, hash2_from_reply->value._length); + + printf("process: %s\n", hash_c1->name); + + /* Set the challenge in challenge1 property */ + if (challengeData) { + set_binary_property_value(challenge1, "challenge1", challengeData, challengeDataSize); + } else { + set_binary_property_value(challenge1, "challenge1x", challenge2->value._buffer, challenge2->value._length); + } + + /* Set the challenge in challenge2 property */ + if (challengeData2) { + set_binary_property_value(challenge2, "challenge2", challengeData2, challengeDataSize2); + } else { + set_binary_property_value(challenge2, "challenge2x", challenge2->value._buffer, challenge2->value._length); + } + + + /* Set the DH public key associated with the local participant in dh1 property */ + if (diffie_hellman1) { + set_binary_property_value(dh1, "dh1", diffie_hellman1->data, diffie_hellman1->length); + } else { + set_binary_property_string(dh1, "dh1x", "rubbish"); + } + + /* Set the DH public key associated with the local participant in dh2 property */ + if (diffie_hellman2) { + 
set_binary_property_value(dh2, "dh2", diffie_hellman2->data, diffie_hellman2->length); + } else { + set_binary_property_string(dh2, "dh2x", "rubbish"); + } + + /* Calculate the signature */ + { + BIO *bio; + EVP_PKEY *private_key_x509; + unsigned char *sign; + size_t signlen; + const DDS_Security_BinaryProperty_t * binary_properties[ HANDSHAKE_SIGNATURE_SIZE ]; + + /* load certificate in buffer */ + bio = BIO_new_mem_buf((const char *) remote_private_key, -1); + assert( bio ); + private_key_x509 = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); + assert (private_key_x509 ); + + binary_properties[0] = hash_c1; + binary_properties[1] = challenge1; + binary_properties[2] = dh1; + binary_properties[3] = challenge2; + binary_properties[4] = dh2; + binary_properties[5] = hash_c2; + + if (create_signature_for_test(private_key_x509, binary_properties, HANDSHAKE_SIGNATURE_SIZE, &sign, &signlen, &exception) != DDS_SECURITY_VALIDATION_OK) + { + printf("Exception: %s\n", exception.message); + } + set_binary_property_value(signature, "signature", sign, (uint32_t) signlen); + + ddsrt_free(sign); + EVP_PKEY_free(private_key_x509); + BIO_free(bio); + } + token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_FINAL_TOKEN_CLASS_ID); + token->binary_properties._length = token->binary_properties._maximum = 7; + token->binary_properties._buffer = tokens; + break; + } +} + +static void +fill_handshake_message_token_default( + DDS_Security_HandshakeMessageToken *token, + DDS_Security_ParticipantBuiltinTopicData *pdata, + const unsigned char *challengeData, + unsigned int challengeDataSize) +{ + fill_handshake_message_token( + token, pdata, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME, + &dh_modp_pub_key, challengeData, challengeDataSize, NULL, NULL, 0, NULL, NULL, HANDSHAKE_REQUEST); +} + +static void +handshake_message_deinit( + DDS_Security_HandshakeMessageToken *token) +{ + DDS_Security_DataHolder_deinit(token); +} + +static bool +validate_handshake_token( 
+ DDS_Security_HandshakeMessageToken *token, + const DDS_Security_OctetSeq *challenge1, + const DDS_Security_OctetSeq *challenge2, + HandshakeStep_t token_type) +{ + const DDS_Security_BinaryProperty_t *property; + const char * class_id; + + switch (token_type) + { + case HANDSHAKE_REQUEST: + class_id = AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID; + break; + case HANDSHAKE_REPLY: + class_id = AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID; + break; + case HANDSHAKE_FINAL: + class_id = AUTH_HANDSHAKE_FINAL_TOKEN_CLASS_ID; + break; + default: + class_id = NULL; + CU_FAIL("HandshakeMessageToken invalid token type"); + } + + if (!token->class_id || strcmp(token->class_id, class_id) != 0) { + CU_FAIL("HandshakeMessageToken incorrect class_id"); + } else if ((property = find_binary_property(token, "hash_c2")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'hash_c2' not found"); + } else if ((property = find_binary_property(token, "dh2")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'dh2' not found"); + } else if ((property = find_binary_property(token, "hash_c1")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'hash_c1' not found"); + } else if ((property = find_binary_property(token, "dh1")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'dh1' not found"); + } else if ((property = find_binary_property(token, "challenge1")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'challenge1' not found"); + } else if (challenge1 && compare_octet_seq(challenge1, &property->value) != 0) { + CU_FAIL("HandshakeMessageToken incorrect property 'challenge1' incorrect value"); + } else if ((property = find_binary_property(token, "challenge2")) == NULL) { + CU_FAIL("HandshakeMessageToken incorrect property 'challenge2' not found"); + } else if (challenge2 && compare_octet_seq(challenge2, &property->value) != 0) { + CU_FAIL("HandshakeMessageToken incorrect property 'challenge2' incorrect value"); + } else { + return true; + } 
+ + return false; +} + +CU_Test(ddssec_builtin_process_handshake,happy_day_after_request ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *dh1; + const DDS_Security_BinaryProperty_t *challenge1_glb; + struct octet_seq dh1_pub_key; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + /* prepare reply */ + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_ECDH_NAME, + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_ecdh_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_OK_FINAL_MESSAGE); + CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT(validate_handshake_token(&handshake_reply_token_out, &challenge1_glb->value, &challenge2_predefined_glb->value, HANDSHAKE_FINAL)); + + CU_ASSERT( check_shared_secret(auth, 1, dh1, dh_ecdh_key, handshake_handle)== 0); + + success= auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); + handshake_message_deinit(&handshake_reply_token_out); +} + +CU_Test(ddssec_builtin_process_handshake,happy_day_after_reply ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle 
handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_final_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_final_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *hash2_sentreply; + const DDS_Security_BinaryProperty_t *challenge2_glb; + const DDS_Security_BinaryProperty_t *dh2; + struct octet_seq dh2_pub_key; + + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + fill_handshake_message_token_default(&handshake_token_in, remote_participant_data1, challenge1_predefined_glb->value._buffer, challenge1_predefined_glb->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT(validate_handshake_token(&handshake_token_out, &challenge1_predefined_glb->value, NULL, HANDSHAKE_REPLY)); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + hash2_sentreply = find_binary_property(&handshake_token_out, "hash_c2"); + + /*Get DH2 value */ + dh2 = find_binary_property(&handshake_token_out, "dh2"); + + /* get challenge 2 from the message */ + challenge2_glb = find_binary_property(&handshake_token_out, "challenge2"); + + reset_exception(&exception); + + /* prepare final */ + dh2_pub_key.data = dh2->value._buffer; + dh2_pub_key.length = dh2->value._length; + + fill_handshake_message_token( + &handshake_final_token_in, NULL, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_ECDH_NAME, + &dh_modp_pub_key, challenge1_predefined_glb->value._buffer, challenge1_predefined_glb->value._length, + &dh2_pub_key, challenge2_glb->value._buffer, challenge2_glb->value._length, hash1_sentrequest, hash2_sentreply, HANDSHAKE_FINAL); + + result = auth->process_handshake( + auth, + &handshake_final_token_out, + &handshake_final_token_in, + handshake_handle, + &exception); + + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_OK); + + CU_ASSERT( check_shared_secret(auth, 0, dh2, dh_modp_key, handshake_handle)== 0); + + success= auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_handshake_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_final_token_in); + handshake_message_deinit(&handshake_final_token_out); +} + +CU_Test(ddssec_builtin_process_handshake,invalid_arguments ) +{ + + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_final_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *hash2_sentreply; + const DDS_Security_BinaryProperty_t *challenge2_glb; + const DDS_Security_BinaryProperty_t *dh2; + struct octet_seq dh2_pub_key; + DDS_Security_boolean success; + + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + fill_handshake_message_token_default(&handshake_token_in, remote_participant_data1, challenge1_predefined_glb->value._buffer, challenge1_predefined_glb->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT(validate_handshake_token(&handshake_token_out, &challenge1_predefined_glb->value, NULL, HANDSHAKE_REPLY)); + + /*Get DH2 value */ + dh2 = find_binary_property(&handshake_token_out, "dh2"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + hash2_sentreply = find_binary_property(&handshake_token_out, "hash_c2"); + + /* get challenge 2 from the message */ + challenge2_glb = find_binary_property(&handshake_token_out, "challenge2"); + + reset_exception(&exception); + + /* prepare final */ + dh2_pub_key.data = dh2->value._buffer; + dh2_pub_key.length = dh2->value._length; + + fill_handshake_message_token( + &handshake_final_token_in, NULL, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME, + &dh_modp_pub_key, challenge1_predefined_glb->value._buffer, challenge1_predefined_glb->value._length, + &dh2_pub_key, challenge2_glb->value._buffer, challenge2_glb->value._length, + hash1_sentrequest, hash2_sentreply, HANDSHAKE_FINAL); + + + result = auth->process_handshake( + auth, + NULL, + &handshake_final_token_in, + handshake_handle, + &exception); + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_token_out, + NULL, + handshake_handle, + &exception); + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_token_out, + &handshake_final_token_in, + 0, + &exception); + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + 
CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + success= auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_final_token_in); +} + + +CU_Test(ddssec_builtin_process_handshake,invalid_certificate ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *challenge1_glb; + const DDS_Security_BinaryProperty_t *dh1; + struct octet_seq dh1_pub_key; + DDS_Security_boolean success; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + /* prepare reply */ + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, unrelated_identity, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_ECDH_NAME, + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_ecdh_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, + hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + success= auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); +} + +CU_Test(ddssec_builtin_process_handshake,invalid_dsign_algo ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_in = 
DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *challenge1_glb; + const DDS_Security_BinaryProperty_t *dh1; + struct octet_seq dh1_pub_key; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + /* prepare reply */ + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_certificate, + "RSASSA-PSS-SHA128", AUTH_KAGREE_ALGO_RSA_NAME, + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_modp_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, + hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); +} + +CU_Test(ddssec_builtin_process_handshake,invalid_kagree_algo ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken 
handshake_reply_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *challenge1_glb; + const DDS_Security_BinaryProperty_t *dh1; + struct octet_seq dh1_pub_key; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + /* prepare reply */ + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, "DH+MODP-2048-128", + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_modp_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, + 
hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); +} + +CU_Test(ddssec_builtin_process_handshake,invalid_diffie_hellman ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *challenge1_glb; + const DDS_Security_BinaryProperty_t *dh1; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + /* prepare reply */ + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME, + &invalid_dh_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_modp_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, + hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); +} + + +CU_Test(ddssec_builtin_process_handshake,return_handle) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + 
CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + fill_handshake_message_token_default(&handshake_token_in, remote_participant_data1, challenge1_predefined_glb->value._buffer, challenge1_predefined_glb->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle1, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT (handshake_handle != DDS_SECURITY_HANDLE_NIL); + + reset_exception(&exception); + + success = auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + + success = auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_FALSE (success); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + if (!success) { + printf("return_handshake_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); +} + + +CU_Test(ddssec_builtin_process_handshake,extended_certificate_check ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_reply_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + const DDS_Security_BinaryProperty_t *hash1_sentrequest; + const DDS_Security_BinaryProperty_t *dh1; + const DDS_Security_BinaryProperty_t *challenge1_glb; + struct octet_seq dh1_pub_key; + + release_local_identity(); + release_remote_identities(); + + CU_ASSERT_FATAL( !validate_local_identity("trusted_ca_dir") ); + CU_ASSERT_FATAL( !validate_remote_identities( remote_identity_trusted ) ); + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + /* prepare reply */ + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_trusted, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_ECDH_NAME, + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_ecdh_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_OK_FINAL_MESSAGE); + CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT(validate_handshake_token(&handshake_reply_token_out, &challenge1_glb->value, &challenge2_predefined_glb->value, HANDSHAKE_FINAL)); + + CU_ASSERT( check_shared_secret(auth, 1, dh1, dh_ecdh_key, handshake_handle)== 0); + + success= auth->return_handshake_handle(auth, handshake_handle, &exception); + CU_ASSERT_TRUE (success); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); + handshake_message_deinit(&handshake_reply_token_out); + + + release_local_identity(); + release_remote_identities(); + + CU_ASSERT_FATAL( !validate_local_identity("trusted_ca_dir") ); + CU_ASSERT_FATAL( 
!validate_remote_identities( remote_identity_trusted_expired ) ); + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + /* prepare reply */ + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_trusted_expired, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_ECDH_NAME, + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_ecdh_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + + reset_exception(&exception); 
+ + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); + handshake_message_deinit(&handshake_reply_token_out); + + + + release_local_identity(); + release_remote_identities(); + + CU_ASSERT_FATAL( !validate_local_identity("trusted_ca_dir") ); + CU_ASSERT_FATAL( !validate_remote_identities( remote_identity_untrusted ) ); + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_request != NULL); + CU_ASSERT_FATAL (auth->process_handshake != NULL); + + result = auth->begin_handshake_request( + auth, + &handshake_handle, + &handshake_token_out, + local_identity_handle, + remote_identity_handle2, + &serialized_participant_data, + &exception); + + if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) { + printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + /* get challenge 1 from the message */ + challenge1_glb = find_binary_property(&handshake_token_out, "challenge1"); + + /*Get DH1 value */ + dh1 = find_binary_property(&handshake_token_out, "dh1"); + + hash1_sentrequest = find_binary_property(&handshake_token_out, "hash_c1"); + + CU_ASSERT_FATAL(dh1 != NULL); + CU_ASSERT_FATAL(dh1->value._length > 0); + CU_ASSERT_FATAL(dh1->value._buffer != NULL); + + dh1_pub_key.data = dh1->value._buffer; + dh1_pub_key.length = dh1->value._length; + + /* prepare reply */ + fill_handshake_message_token( + &handshake_reply_token_in, remote_participant_data2, remote_identity_untrusted, + AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_ECDH_NAME, + &dh1_pub_key, challenge1_glb->value._buffer, challenge1_glb->value._length, + &dh_ecdh_pub_key, challenge2_predefined_glb->value._buffer, challenge2_predefined_glb->value._length, hash1_sentrequest, NULL, HANDSHAKE_REPLY); + + reset_exception(&exception); + + result = auth->process_handshake( + auth, + &handshake_reply_token_out, + &handshake_reply_token_in, + handshake_handle, + &exception); + + CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT_FATAL(exception.code != 0); + + + reset_exception(&exception); + + + handshake_message_deinit(&handshake_token_in); + handshake_message_deinit(&handshake_token_out); + handshake_message_deinit(&handshake_reply_token_in); + handshake_message_deinit(&handshake_reply_token_out); + +} diff --git a/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/identity_ca b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/identity_ca new file mode 100644 index 0000000..7e2675c --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/identity_ca 
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE
+BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp
+ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx
+MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE
+CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk
+MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k
+ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz
+2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf
+zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB
+pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL
+FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME
+BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW
+gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB
+Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME
+BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK
+KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI
+KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU
+AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI
+hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s
+iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC
+LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm
+geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t
+Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd
+sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/remote_ca.crt b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/remote_ca.crt
new file mode 100644
index 0000000..6b096a0
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/remote_ca.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEKTCCAxGgAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL
+MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50
+aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu
+Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcjELMAkGA1UEBhMC
+TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ
+ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0
+ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANa/ENFfGVXg
+bPLTzBdDfiZQcp5dWZ//Pb8ErFOJu8uosVHFv8t69dgjHgNHB4OsjmjnR7GfKUZT
+0cMvWJnjsC7DDlBwFET9rj4k40n96bbVCH9I7+tNhsoqzc6Eu+5h4sk7VfNGTM2Z
+SyCd4GiSZRuA44rRbhXI7/LDpr4hY5J9ZDo5AM9ZyoLAoh774H3CZWD67S35XvUs
+72dzE6uKG/vxBbvZ7eW2GLO6ewa9UxlnLVMPfJdpkp/xYXwwcPW2+2YXCge1ujxs
+tjrOQJ5HUySh6DkE/kZpx8zwYWm9AaCrsvCIX1thsqgvKy+U5v1FS1L58eGc6s//
+9yMgNhU29R0CAwEAAaOByTCBxjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRNVUJN
+FzhJPReYT4QSx6dK53CXCTAfBgNVHSMEGDAWgBRNVUJNFzhJPReYT4QSx6dK53CX
+CTAPBgNVHQ8BAf8EBQMDB/+AMGUGA1UdJQEB/wRbMFkGCCsGAQUFBwMBBggrBgEF
+BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkGCCsG
+AQUFBwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAcOLF
+ZYdJguj0uxeXB8v3xnUr1AWz9+gwg0URdfNLU2KvF2lsb/uznv6168b3/FcPgezN
+Ihl9GqB+RvGwgXS/1UelCGbQiIUdsNxk246P4uOGPIyW32RoJcYPWZcpY+cw11tQ
+NOnk994Y5/8ad1DmcxVLLqq5kwpXGWQufV1zOONq8B+mCvcVAmM4vkyF/de56Lwa
+sAMpk1p77uhaDnuq2lIR4q3QHX2wGctFid5Q375DRscFQteY01r/dtwBBrMn0wuL
+AMNx9ZGD+zAoOUaslpIlEQ+keAxk3jgGMWFMxF81YfhEnXzevSQXWpyek86XUyFL
+O9IAQi5pa15gXjSbUg==
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/root_CA_RSA.crt b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/root_CA_RSA.crt
new file mode 100644
index 0000000..61346df
--- /dev/null
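Review bot: The CA fixture added in remote_ca.crt carries a fixed and fairly near expiry: its validity field appears to decode to a notAfter of 2027-03-11, and root_CA_RSA.crt in the next hunk to 2027-06-10, while identity_ca in the same directory runs until 2222. Once those dates pass, any test that expects a chain through these two CAs to validate would start failing for a reason unrelated to the code under test. I would regenerate both fixtures with a far-future notAfter, as identity_ca has, and record their purpose next to them, for example a README line such as `remote_ca.crt, root_CA_RSA.crt: test-only CAs for the trusted_ca_dir cases; regenerate before notAfter`.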
+++ b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/etc/trusted_ca_dir/root_CA_RSA.crt
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEtjCCA56gAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL
+MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50
+aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu
+Y29tMB4XDTE4MDYxMTAwMDAwMFoXDTI3MDYxMDIzNTk1OVowcjELMAkGA1UEBhMC
+TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ
+ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0
+ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANRf3XKmM6O+
+WoYPNpOAdkGKKZHLJ8ZuPxVVBMX6oJAlcOmkhLzfkHSA+gl/OWaMOXIEtN512gyL
+YszBf1RImwVzRjJFwIxzGzVQ68jYNj+qBbsOt+IG+hs3wgVCLFkCh+J7hXUgvk8A
+eRM/SRrI42dQfcgKUAMNi4/iX6Vs+FV9pHB63L4PiLA9hfUE25sH6EsIC7icvGDJ
+6cGG94glVSHDI1NtXfsNHY+NGY/jYKtQZklqU3lew5I60aJIsea+Wk6PJiz4hyXv
+XVVmrcNeG1g4OEFgiSXZC2XknDw8t9+ELprGNvuJvTFxwPMAgLeF4IhEQC9dQY2W
+BRwUxtZBzukCAwEAAaOCAVUwggFRMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFER4
+R6N3MQ1Wl7gn+R8wwHloDCVZMB8GA1UdIwQYMBaAFER4R6N3MQ1Wl7gn+R8wwHlo
+DCVZMA8GA1UdDwEB/wQFAwMH/4Awge8GA1UdJQEB/wSB5DCB4QYIKwYBBQUHAwEG
+CCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3
+AgEVBgorBgEEAYI3AgEWBgorBgEEAYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3
+CgMEBglghkgBhvhCBAEGCysGAQQBgjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYG
+CCsGAQUFBwMHBggrBgEFBQgCAgYKKwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUF
+BwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAwXuEWDG3
+aAyL+DsGr0B4YMLjHtx6FjzkJOpTtXQhkrtSMpD3Xytl7Wfz8lyWuTnbrk8F4gWO
+IkJR/NdMGW27SmeYU0z7QAGRDwtHX6kqqizQbCwf4F6P/2QftcLp1VrlsIlb0gyx
+gLjpGmn5TT7gj+ahW0iIRglOwhzCvkNu6agYpdGwVirSyLShy/Hq303DZSbVuktz
+5/PmZKpufnoGqURNnJqbV4TQipE0FiDmp2o+gVgJ+DVRhiCdfk68Xp7+TlmxCDfZ
+C3qb18qrwAZ4AL3T9/RlzfkXh4ME9V6wqa5Y6j7Vwx5Ef2OHL+mnMnoNSXDLRh6j
+45ky66su5dROpA==
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/validate_begin_handshake_reply/src/validate_begin_handshake_reply_utests.c b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/src/validate_begin_handshake_reply_utests.c
new file mode 100644
index 0000000..3b2907e
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_begin_handshake_reply/src/validate_begin_handshake_reply_utests.c
@@ -0,0 +1,2125 @@ + + + + +/* CUnit includes. */ + + +/* Test helper includes. */ +#include "common/src/loader.h" +#include "config_env.h" + +/* Private header include */ +#include +#include +#include +#include +#include +#include + +#include "dds/security/dds_security_api.h" +#include "dds/security/core/dds_security_serialize.h" +#include "dds/security/core/dds_security_utils.h" +#include "dds/security/dds_security_api.h" +#include "dds/ddsrt/heap.h" +#include "dds/ddsrt/string.h" +#include +#include +#include "dds/ddsrt/environ.h" +#include "dds/ddsrt/endian.h" +#include "CUnit/CUnit.h" +#include "CUnit/Test.h" +#include "assert.h" + + +#if DDSRT_ENDIAN == DDSRT_LITTLE_ENDIAN +unsigned bswap4u (unsigned x); +unsigned bswap4u (unsigned x) +{ + return (x >> 24) | ((x >> 8) & 0xff00) | ((x << 8) & 0xff0000) | (x << 24); +} +#define toBE4u(x) bswap4u (x) +#define fromBE4u(x) bswap4u (x) +#else +#define toBE4u(x) (x) +#define fromBE4u(x) (x) +#endif + + +static const char * AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0"; +static const char * PERM_ACCESS_CLASS_ID = "DDS:Access:Permissions:1.0"; + +static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca"; +static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key"; +static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate"; +static const char * PROPERTY_TRUSTED_CA_DIR = "dds.sec.auth.trusted_ca_dir"; + +static const char * PROPERTY_CERT_SUBJECT_NAME = "dds.cert.sn"; +static const char * PROPERTY_CERT_ALGORITHM = "dds.cert.algo"; +static const char * PROPERTY_CA_SUBJECT_NAME = "dds.ca.sn"; +static const char * PROPERTY_CA_ALGORITHM = "dds.ca.aglo"; + +static const char * PROPERTY_PERM_CA_SUBJECT_NAME = "ds.perm_ca.sn"; + +static const char * SUBJECT_NAME_IDENTITY_CERT = "CN=CHAM-574 client,O=Some Company,ST=Some-State,C=NL"; +static const char * SUBJECT_NAME_IDENTITY_CA = "CN=CHAM-574 authority,O=Some Company,ST=Some-State,C=NL"; + +static const char * 
RSA_2048_ALGORITHM_NAME = "RSA-2048"; + +static const char * AUTH_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+AuthReq"; +static const char * AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME = "future_challenge"; + +static const char * AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Req"; +static const char * AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Reply"; + + +static const char * AUTH_DSIGN_ALGO_RSA_NAME = "RSASSA-PSS-SHA256"; +static const char * AUTH_KAGREE_ALGO_RSA_NAME = "DH+MODP-2048-256"; + +static unsigned char *dh_pubkey_modp_2048_value = NULL; +static unsigned char *invalid_dh_pubkey_modp_2048_value = NULL; +static size_t dh_pubkey_modp_2048_length = 0; + +static const char *identity_certificate = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n" + "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n" + "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n" + "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n" + "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n" + "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n" + "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n" + "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n" + "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n" + "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n" + "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n" + "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n" + "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n" + 
"BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n" + "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n" + "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n" + "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n" + "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n" + "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n" + "-----END CERTIFICATE-----\n"; + + +static const char *remote_identity_certificate = + "-----BEGIN CERTIFICATE-----\n" + "MIIEPTCCAyWgAwIBAgIIRmtzSKaI+rowDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDMy\n" + "MzEyMDEwMFoYDzIyMjIwMjIyMjIyMjAwWjBYMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MREwDwYDVQQDEwhDSEFNLTU3NzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\n" + "ggEBAMKlWGK8f/AEjK7viu9CdydJmorKyk3oK8PWmZX3B+3k8eFW32NXv2+BK5vk\n" + "sAOhEcCAV2/125iAGvXs5vq5GshjgHXwJysKOFBwLiCPHzLaOX095ib6pgPejjgV\n" + "gGsGrRAKetCAqxv+pf1n4zD9VSLDrnHrxbzvosQdBCgSBPiTFK5qDAGhVGR48Pp9\n" + "gAqZPhdLfH47S/6scRJNywoXrIxp2CnuHd4fVvyQlPNLHwlX1nOr76bGOjGqFsFU\n" + "/mcPN7aGFIh4KQK9KvHt5+SApLgBBdrn9njgaIC7VN9ddSp2Jz2vHAPR52dqM0SW\n" + "dl7uyOiT/TK6q8f7aFKqk29r/OkCAwEAAaOCAQAwgf0wDAYDVR0PBAUDAwf/gDCB\n" + "7AYDVR0lBIHkMIHhBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEF\n" + "BQcDBAYIKwYBBQUHAwgGCisGAQQBgjcCARUGCisGAQQBgjcCARYGCisGAQQBgjcK\n" + "AwEGCisGAQQBgjcKAwMGCisGAQQBgjcKAwQGCWCGSAGG+EIEAQYLKwYBBAGCNwoD\n" + "BAEGCCsGAQUFBwMFBggrBgEFBQcDBgYIKwYBBQUHAwcGCCsGAQUFCAICBgorBgEE\n" + "AYI3FAICBggrBgEFBQcDCQYIKwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0G\n" + "CSqGSIb3DQEBCwUAA4IBAQAniERWU9f/ijm9t8xuyOujEKDJl0Ded4El9mM5UYPR\n" + "ZSnabPNKQjABBS4sVISIYVwfQxGkPgK0MeMBKqs/kWsZ4rp8h5hlZvxFX8H148mo\n" + "3apNgdc/VylDBW5Ltbrypn/dZh9hFZE8Y/Uvo9HPksVEkjYuFN5v7e8/mwxTcrZ1\n" + 
"BAZrTlDTiCR046NN1lUs/7oUaNCruFV7AU6RbGYnSzM6plPJHMRa9nzNeO0uPaHK\n" + "kNPe+/UGpMi7cpF9w0M5Z1wW+Nq45bBRejFLQkHSjOEeGL2zi7T1HFAHZQydd6Wo\n" + "zYffGTmyHqIjNArbOWEMYN6s1nqsQS+ifolr0MtfeHad\n" + "-----END CERTIFICATE-----\n"; + +static const char *identity_ca = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n" + "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n" + "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n" + "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n" + "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n" + "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n" + "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n" + "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n" + "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n" + "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n" + "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n" + "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n" + "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n" + "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n" + "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n" + "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n" + "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n" + "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n" + "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n" + 
"Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n" + "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n" + "-----END CERTIFICATE-----\n"; + + +static const char *private_key = + "data:,-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n" + "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n" + "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n" + "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n" + "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n" + "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n" + "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n" + "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n" + "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n" + "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n" + "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n" + "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n" + "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n" + "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n" + "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n" + "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n" + "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n" + "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n" + "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n" + "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n" + "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n" + "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n" + "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n" + "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n" + "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n" + 
"-----END RSA PRIVATE KEY-----\n"; + + +static const char *diffie_hellman_pubkey = + "-----BEGIN PUBLIC KEY-----\n" + "MIICJDCCARcGCSqGSIb3DQEDATCCAQgCggEBAJxLLigSIC7JjO/kdQ7LT1v0FPvM\n" + "Cq4hZrg6cX1IKzinaJJai3CcWpjMxoJ+jDBh2iekZavJli9qa400FC94UchqsE8s\n" + "I68LRbSkocvSWHOyayGrn04XLvhZPwulZFfEZ0xmg+vcTt2xS5IvX0qC1nrMpVu9\n" + "d9A93n+PZqRWJcJThoApChRT0lVp6CC9dn7oVnIPWyGfUZH9UOzXrx8Rq6wKnWPs\n" + "G0Igaia4uLDIqGKJ1Nr2HmLY8exKcK539X38I2NokzQrwhKdBlIXF5yYGhH+ib0U\n" + "yrdbK1kJBiaXh2CMMPQ7skXZDeQ/ixgTI/cXwaMC3ddE+7l/GTHo/azJawsCAQID\n" + "ggEFAAKCAQB3SB4wP5voPc5YcUpFiJXXlQe7DQxfzo5Mq1A/e8Raw/qzCkJMkcoT\n" + "v656vj4s7PbmzWLDLs0mAD7lU4U+HSnhuBmP46aIZVZORZqQmhzn073iqPiRN8eC\n" + "XPXgsMc8sgpbOoUGo89nuMGaucu2i4ZpLdJTkoFfC6wE2wZg11mr/hfX7+KmKSSp\n" + "V/+h6wROt824MijsuDjxHgZJWuM1jqzFq5skMJ84uwBF5LG3A6sTFnobBQXily5H\n" + "vYh/wWf+lRxeoNRW6B0t7xukZ+a71gg2Fxtm1f3RkLh4IcWfuYAcn5R9Hvgvx7Ex\n" + "DrqVRGbTZZa7fgtiQjj7HF6Cg/btOz2T\n" + "-----END PUBLIC KEY-----\n"; + +static const char *unrelated_identity = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIDpDCCAoygAwIBAgIJALE5lRKfYHAaMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV\n" + "BAYTAk5MMRMwEQYDVQQIDApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8w\n" + "DQYDVQQKDAZBRExJTksxGDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTAeFw0xODAy\n" + "MDkxNjIwNDNaFw0zODAyMDQxNjIwNDNaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI\n" + "DApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8wDQYDVQQKDAZBRExJTksx\n" + "GDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n" + "ADCCAQoCggEBAN9/NbpJDHQYHh3cEByRxnHffxEe9Sapn08Ty5xYO8LDJ4V7vU32\n" + "/7291fITiHaovOoCRHAbKTaTtqJO56aGY45HON6KIqxljLQJJVGW/Nf2PNSHmFix\n" + "6D6bsoSOTPyKYqBNT6lB7NMn4QBTcsiE61El8p9WLQZHoYQJK5Psf7wkBqGBz8he\n" + "bcDWXFn7kIgnsaLrh77w2wi/y0MqpPwyeRInoZfYknzVNdxCPgq7csBYDoMgOgkV\n" + "G60ECXojHKz1HI4n0V8L8lZluSSVRNR0xvPFgBqO7b+Re7xb6iO9TNsFeoiMMNyp\n" + "EwM99CqPO0RRrAPiC7IDgcNGjxhne9EJFGsCAwEAAaNjMGEwHQYDVR0OBBYEFCst\n" + "gj5Ecm3HU/N7wxJluFo5+6XUMB8GA1UdIwQYMBaAFCstgj5Ecm3HU/N7wxJluFo5\n" + 
"+6XUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB\n" + "CwUAA4IBAQCWibvYuPLpoNcsUdHbE7SnBbEQnDfBxBZN8xeWHwwAPEB+8eHhmIdZ\n" + "xDtCN61xr5QR+KzlEYFwKyHMp9GN3OPU1RndJrzaXz2ddAZVkBIvnQZ4JvFd+sBC\n" + "QQgEvL8GcwZPxnad/TRylM4ON3Kh0X9vfyrmWEoHephiE1LcENaFqcYr9xg3DJNh\n" + "XSrigMGZJ7IOHkvgaoneICOcYI42ZHS0fnt1G+01VKJXm3ndi5NL25GnOmlvV6yV\n" + "+1vcmdQc6YS8K8vHmrH4lX9iPfsOak6WSzzsXdqgpvyxtGJggcFaDTtmbWCAkJj0\n" + "B7DMeaVlLClGQaKZZ7aexEx9se+IyLn2\n" + "-----END CERTIFICATE-----\n"; + +#ifdef TRUSTED_CA_DIR_IMPLEMENTED +static const char *remote_identity_trusted = + "-----BEGIN CERTIFICATE-----\n" + "MIIDcDCCAligAwIBAgIBBTANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" + "MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" + "aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" + "Y29tMB4XDTE4MDMxMjAwMDAwMFoXDTI3MDMxMTIzNTk1OVowcDELMAkGA1UEBhMC\n" + "TkwxCzAJBgNVBAgTAk9WMQ8wDQYDVQQKEwZBRExpbmsxETAPBgNVBAsTCElTVCBU\n" + "ZXN0MREwDwYDVQQDEwhCb2IgVGVzdDEdMBsGCSqGSIb3DQEJARYOYm9iQGFkbGlu\n" + "ay5pc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB5vqhuWnwhxXZ\n" + "qffPmfjzge7w91oX4ISlboIfBXp3sLj2mqLSsYhgBNJAn/Fl1OZeFw0d4gVibBgx\n" + "5Zdcjsi+ClvYK8H534iTJfNriMyhg4kSWxZF1Tixfw3FS7LqjKEY5ZNPfp5a4P+8\n" + "UveorYJusrnlv1DiF6aPhJQh8J62J6bhx62DNLO7dZbN0BUsnWtyDcfi5DOjf2/r\n" + "3lSRfecn3uBr1QYRaS5FrV+MSoGcjI3M75mei1TTUp7YT4ZWRR5rKUMql605xsms\n" + "d6sqJaKofYmw7wCuaVJ86pb/w8srdddKt21xUeQNMKn49H6raezMOE3U5BUMtZ+P\n" + "2OBLk/CPAgMBAAGjEzARMA8GA1UdDwEB/wQFAwMH/4AwDQYJKoZIhvcNAQELBQAD\n" + "ggEBAJV71Ckf1zsks5mJXqdUb8bTVHg4hN32pwjCL5c6W2XHAv+YHwE/fN3C1VIY\n" + "bC8zjUC9dCOyC2AvOQyZQ1eC/WoK6FlXjHVX2upL4lXQ9WL9ztt1mgdRrhvUPuUn\n" + "aBE8VgNU0t4jl93xMIaU8hB0kQsV+kdcN0cWbrF3mT4s9njRvopJ8hS2UE60V2wA\n" + "ceUOazH+QGPh1k0jkynrTlVR9GrpebQwZ2UFeinVO0km17IAyQkz+OmPc4jQLJMl\n" + "CmkbmMwowdLMKC6r/HyE87dN7NvFnRM5iByJklRwN7WDYZrl72HoUOlgTZ7PjW2G\n" + "jTxK8xXtDCXC/3CNpe0YFnOga8g=\n" + "-----END CERTIFICATE-----\n"; + +static const char 
*remote_identity_untrusted = + "-----BEGIN CERTIFICATE-----\n" + "MIIELTCCAxWgAwIBAgIBATANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJOTDEL\n" + "MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGzAZBgNVBAMTEkJvYiBU\n" + "ZXN0IFVudHJ1c3RlZDEmMCQGCSqGSIb3DQEJARYXaW5mb0Bpc3QuYWRsaW5rdGVj\n" + "aC5jb20wHhcNMTgwNjIwMDAwMDAwWhcNMjcwNjE5MjM1OTU5WjB0MQswCQYDVQQG\n" + "EwJOTDELMAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGzAZBgNVBAMT\n" + "EkJvYiBUZXN0IFVudHJ1c3RlZDEmMCQGCSqGSIb3DQEJARYXaW5mb0Bpc3QuYWRs\n" + "aW5rdGVjaC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB5vqh\n" + "uWnwhxXZqffPmfjzge7w91oX4ISlboIfBXp3sLj2mqLSsYhgBNJAn/Fl1OZeFw0d\n" + "4gVibBgx5Zdcjsi+ClvYK8H534iTJfNriMyhg4kSWxZF1Tixfw3FS7LqjKEY5ZNP\n" + "fp5a4P+8UveorYJusrnlv1DiF6aPhJQh8J62J6bhx62DNLO7dZbN0BUsnWtyDcfi\n" + "5DOjf2/r3lSRfecn3uBr1QYRaS5FrV+MSoGcjI3M75mei1TTUp7YT4ZWRR5rKUMq\n" + "l605xsmsd6sqJaKofYmw7wCuaVJ86pb/w8srdddKt21xUeQNMKn49H6raezMOE3U\n" + "5BUMtZ+P2OBLk/CPAgMBAAGjgckwgcYwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU\n" + "QpxLPHT5o/GQRwdBw2scINXnWlUwHwYDVR0jBBgwFoAUQpxLPHT5o/GQRwdBw2sc\n" + "INXnWlUwDwYDVR0PAQH/BAUDAwf/gDBlBgNVHSUBAf8EWzBZBggrBgEFBQcDAQYI\n" + "KwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJ\n" + "BggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEB\n" + "ABcyab7F7OAsjUSW0YWkVRX1SUMkW25xLLs8koXhHrdnBqgnmOur0xO72/fmTTX9\n" + "KnCUmQj+dAOmmZrAaIZzqLtMyp4ibHZPfOBwmM0MFnyuwyEnCEYvjPN3FTB0HEgS\n" + "vCoFH1001LVi4oC1mEMxYaNW4/5Tgl+DTqGF+tctJe3hvbxh+Uu5M0320VAvASjt\n" + "cJ0me6Ug1FJJ60tgXgZ+M/8V6AXhrQGNgN6WkPMFbbLi5IyEld186QPeLdZ8vCtz\n" + "StjIV9HZGR1XLotlXarbjVtjxavZJjtwiySeYkAgG7Zjy7LalPSJiIdAD3R/ny+S\n" + "9kXDKiw/HgYxb8xiy9gdlSc=\n" + "-----END CERTIFICATE-----\n"; + +static const char *remote_identity_trusted_expired = + "-----BEGIN CERTIFICATE-----\n" + "MIIEKTCCAxGgAwIBAgIBBjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL\n" + "MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50\n" + "aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu\n" + 
"Y29tMB4XDTE4MDMwMTAwMDAwMFoXDTE4MDQyMzIzNTk1OVowcjELMAkGA1UEBhMC\n" + "TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBC\n" + "b2IgVGVzdCBFeHBpcmVkMSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0\n" + "ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMHm+qG5afCH\n" + "Fdmp98+Z+POB7vD3WhfghKVugh8FenewuPaaotKxiGAE0kCf8WXU5l4XDR3iBWJs\n" + "GDHll1yOyL4KW9grwfnfiJMl82uIzKGDiRJbFkXVOLF/DcVLsuqMoRjlk09+nlrg\n" + "/7xS96itgm6yueW/UOIXpo+ElCHwnrYnpuHHrYM0s7t1ls3QFSyda3INx+LkM6N/\n" + "b+veVJF95yfe4GvVBhFpLkWtX4xKgZyMjczvmZ6LVNNSnthPhlZFHmspQyqXrTnG\n" + "yax3qyoloqh9ibDvAK5pUnzqlv/Dyyt110q3bXFR5A0wqfj0fqtp7Mw4TdTkFQy1\n" + "n4/Y4EuT8I8CAwEAAaOByTCBxjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRCnEs8\n" + "dPmj8ZBHB0HDaxwg1edaVTAfBgNVHSMEGDAWgBRNVUJNFzhJPReYT4QSx6dK53CX\n" + "CTAPBgNVHQ8BAf8EBQMDB/+AMGUGA1UdJQEB/wRbMFkGCCsGAQUFBwMBBggrBgEF\n" + "BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkGCCsG\n" + "AQUFBwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAdY5n\n" + "5ElOhpHq/YPWUs68t8HNIhqfokqjLZAgzNyU5QFppb9tPpmFCugerfjlScNwp5HB\n" + "X6/WjK4runDrgzXfmrBogR4Kscb1KJSm8KAmnzXVUNr1iyASlHxI7241kYdQvTH2\n" + "LL6b0kjsD5lKAnNh4id0SDHfy/CKg5d7dUxxO1mX48jUiIZtmFqgjej8tFLHy/w/\n" + "usI5ErlI0qzI6lkoRxPCEWLbXWeBDm3/smHeDbYa/+Lw4Bid8U1+ZSAuC1CT7a7F\n" + "O3gAjPUL0jzRztp5Yj3dYPV8YyJHLEKr75IXNedV9YKhT4f6kTS3UEjMTqYbYsix\n" + "MtqgY283RjsExzjNvw==\n" + "-----END CERTIFICATE-----\n"; +#endif + +static struct plugins_hdl *plugins = NULL; +static dds_security_authentication *auth = NULL; +static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_IdentityHandle remote_identity_handle1 = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_IdentityHandle remote_identity_handle2 = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_AuthRequestMessageToken g_local_auth_request_token = DDS_SECURITY_TOKEN_INIT; +static DDS_Security_AuthRequestMessageToken g_remote_auth_request_token = DDS_SECURITY_TOKEN_INIT; +static const 
DDS_Security_BinaryProperty_t *challenge1 = NULL; +static const DDS_Security_BinaryProperty_t *challenge2 = NULL; +static DDS_Security_OctetSeq serialized_participant_data = DDS_SECURITY_SEQUENCE_INIT; +static DDS_Security_ParticipantBuiltinTopicData *remote_participant_data1 = NULL; +static DDS_Security_ParticipantBuiltinTopicData *remote_participant_data2 = NULL; +static DDS_Security_ParticipantBuiltinTopicData *remote_participant_data3 = NULL; +static DDS_Security_GUID_t candidate_participant_guid; +static DDS_Security_GUID_t remote_participant_guid1; +static DDS_Security_GUID_t remote_participant_guid2; +static bool future_challenge_done = false; + + +#if OPENSSL_VERSION_NUMBER >= 0x1000200fL +#define AUTH_INCLUDE_EC +#include +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#define AUTH_INCLUDE_DH_ACCESSORS +#endif +#else +#error "version not found" +#endif + + +static const BIGNUM * +dh_get_public_key( + DH *dhkey) +{ +#ifdef AUTH_INCLUDE_DH_ACCESSORS + const BIGNUM *pubkey, *privkey; + DH_get0_key(dhkey, &pubkey, &privkey); + return pubkey; +#else + return dhkey->pub_key; +#endif +} + + +static void +serializer_participant_data( + DDS_Security_ParticipantBuiltinTopicData *pdata, + unsigned char **buffer, + size_t *size); + +static void +dds_security_property_init( + DDS_Security_PropertySeq *seq, + DDS_Security_unsigned_long size) +{ + seq->_length = size; + seq->_maximum = size; + seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t)); + memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t)); +} + +static void +dds_security_property_deinit( + DDS_Security_PropertySeq *seq) +{ + uint32_t i; + + for (i = 0; i < seq->_length; i++) { + ddsrt_free(seq->_buffer[i].name); + ddsrt_free(seq->_buffer[i].value); + } + ddsrt_free(seq->_buffer); +} + +static void +reset_exception( + DDS_Security_SecurityException *ex) +{ + ex->code = 0; + ex->minor_code = 0; + ddsrt_free(ex->message); + ex->message = NULL; +} + +static char * +get_openssl_error( + void) 
+{ + BIO *bio = BIO_new(BIO_s_mem()); + char *msg; + char *buf = NULL; + size_t len; + + if (bio) { + ERR_print_errors(bio); + len = (size_t) BIO_get_mem_data (bio, &buf); + msg = (char *) ddsrt_malloc(len + 1); + memset(msg, 0, len+1); + memcpy(msg, buf, len); + BIO_free(bio); + } else { + msg = ddsrt_strdup("BIO_new failed"); + } + + return msg; +} + +static void +initialize_identity_token( + DDS_Security_IdentityToken *token, + const char *certAlgo, + const char *caAlgo) +{ + memset(token, 0, sizeof(*token)); + + token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID); + token->properties._maximum = 4; + token->properties._length = 4; + token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4); + + token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME); + token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CERT); + token->properties._buffer[0].propagate = true; + + token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM); + token->properties._buffer[1].value = ddsrt_strdup(certAlgo); + token->properties._buffer[1].propagate = true; + + token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME); + token->properties._buffer[2].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA); + token->properties._buffer[2].propagate = true; + + token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM); + token->properties._buffer[3].value = ddsrt_strdup(caAlgo); + token->properties._buffer[3].propagate = true; +} + +static void +initialize_permissions_token( + DDS_Security_PermissionsToken *token, + const char *caAlgo) +{ + token->class_id = ddsrt_strdup(PERM_ACCESS_CLASS_ID); + token->properties._length = 2; + token->properties._maximum = 2; + token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4); + token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME); + token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA); + 
token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_PERM_CA_SUBJECT_NAME); + token->properties._buffer[1].value = ddsrt_strdup(caAlgo); +} + + + +static void +fill_auth_request_token( + DDS_Security_AuthRequestMessageToken *token) +{ + uint32_t i; + uint32_t len = 32; + unsigned char *challenge; + + challenge = ddsrt_malloc(len); + + for (i = 0; i < len; i++) { + challenge[i] = (unsigned char)(0xFF - i); + } + + memset(token, 0, sizeof(*token)); + + token->class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID); + token->binary_properties._maximum = 1; + token->binary_properties._length = 1; + token->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(1); + token->binary_properties._buffer->name = ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME); + + token->binary_properties._buffer->value._maximum = len; + token->binary_properties._buffer->value._length = len; + token->binary_properties._buffer->value._buffer = challenge; +} + +static DDS_Security_BinaryProperty_t * +find_binary_property( + DDS_Security_DataHolder *token, + const char *name) +{ + DDS_Security_BinaryProperty_t *result = NULL; + uint32_t i; + + for (i = 0; i < token->binary_properties._length && !result; i++) { + if (token->binary_properties._buffer[i].name && (strcmp(token->binary_properties._buffer[i].name, name) == 0)) { + result = &token->binary_properties._buffer[i]; + } + } + + return result; +} + + +static void +deinitialize_identity_token( + DDS_Security_IdentityToken *token) +{ + DDS_Security_DataHolder_deinit(token); +} + +static int +validate_local_identity(const char* trusted_ca_dir) +{ + int res = 0; + DDS_Security_ValidationResult_t result; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GUID_t local_participant_guid; + DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb}; + DDS_Security_EntityId_t entityId = 
{{0xb0,0xb1,0xb2},0x1}; + DDS_Security_ParticipantBuiltinTopicData *local_participant_data; + unsigned char *sdata; + size_t sz; + + memset(&local_participant_guid, 0, sizeof(local_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + memset(&participant_qos, 0, sizeof(participant_qos)); + if( trusted_ca_dir != NULL){ + char trusted_ca_dir_path[1024]; + dds_security_property_init(&participant_qos.property.value, 4); +#ifdef WIN32 + snprintf(trusted_ca_dir_path, 1024, "%s\\validate_begin_handshake_reply\\etc\\%s", CONFIG_ENV_TESTS_DIR,trusted_ca_dir); +#else + snprintf(trusted_ca_dir_path, 1024, "%s/validate_begin_handshake_reply/etc/%s", CONFIG_ENV_TESTS_DIR, trusted_ca_dir); +#endif + participant_qos.property.value._buffer[3].name = ddsrt_strdup(PROPERTY_TRUSTED_CA_DIR); + participant_qos.property.value._buffer[3].value = ddsrt_strdup(trusted_ca_dir_path); + } + else{ + dds_security_property_init(&participant_qos.property.value, 3); + } + participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT); + participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate); + participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA); + participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca); + participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY); + participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key); + + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &local_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + res = -1; + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + local_participant_data = DDS_Security_ParticipantBuiltinTopicData_alloc(); + memcpy(&local_participant_data->key[0], &local_participant_guid, 12); + /* convert from big-endian format to native format */ + local_participant_data->key[0] = fromBE4u(local_participant_data->key[0]); + local_participant_data->key[1] = fromBE4u(local_participant_data->key[1]); + local_participant_data->key[2] = fromBE4u(local_participant_data->key[2]); + + initialize_identity_token(&local_participant_data->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + initialize_permissions_token(&local_participant_data->permissions_token, RSA_2048_ALGORITHM_NAME); + + local_participant_data->security_info.participant_security_attributes = 0x01; + local_participant_data->security_info.plugin_participant_security_attributes = 0x02; + + serializer_participant_data(local_participant_data, &sdata, &sz); + + serialized_participant_data._length = serialized_participant_data._maximum = (uint32_t) sz; + serialized_participant_data._buffer = sdata; + + DDS_Security_ParticipantBuiltinTopicData_free(local_participant_data); + + return res; +} + +static void +release_local_identity(void) +{ + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + if (local_identity_handle != DDS_SECURITY_HANDLE_NIL) { + success = auth->return_identity_handle(auth, local_identity_handle, &exception); + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ }
+ DDS_Security_OctetSeq_deinit(&serialized_participant_data);
+}
+
+
+static X509 *
+load_certificate(
+ const char *data)
+{
+ X509 *cert = NULL;
+ BIO *bio;
+
+ bio = BIO_new_mem_buf((void *) data, -1);
+ if (!bio) {
+ return NULL;
+ }
+
+ cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+
+ BIO_free(bio);
+
+ return cert;
+}
+
+static int
+get_adjusted_participant_guid(
+ X509 *cert,
+ const DDS_Security_GUID_t *candidate,
+ DDS_Security_GUID_t *adjusted)
+{
+ int result = 0;
+ unsigned char high[SHA256_DIGEST_LENGTH], low[SHA256_DIGEST_LENGTH];
+ unsigned char *subject;
+ DDS_Security_octet hb = 0x80;
+ X509_NAME *name;
+ unsigned char *tmp = NULL;
+ int i;
+ size_t sz;
+
+ name = X509_get_subject_name(cert);
+ sz = (size_t) i2d_X509_NAME(name, &tmp);
+ if (sz > 0) {
+ subject = ddsrt_malloc( sz);
+ memcpy(subject, tmp, sz);
+ OPENSSL_free(tmp);
+
+ SHA256(subject, sz, high);
+ SHA256(&candidate->prefix[0], sizeof(DDS_Security_GuidPrefix_t), low);
+
+ adjusted->entityId = candidate->entityId;
+ for (i = 0; i < 6; i++) {
+ adjusted->prefix[i] = hb | high[i]>>1;
+ hb = (unsigned char) ( high[i]<<7 );
+ }
+ for (i = 0; i < 6; i++) {
+ adjusted->prefix[i+6] = low[i];
+ }
+ ddsrt_free(subject);
+ result = 1;
+ }
+
+ return result;
+}
+
+static int
+set_dh_public_key(
+ const char *keystr,
+ unsigned char **pubkey,
+ size_t *size)
+{
+ int r = 0;
+ BIO *bio = NULL;
+ EVP_PKEY *pkey;
+ DH *dhkey;
+ unsigned char *buffer = NULL;
+ ASN1_INTEGER *asn1int;
+
+ *pubkey = NULL;
+
+
+ /* load certificate in buffer */
+ bio = BIO_new_mem_buf((void *) keystr, -1);
+ if (!bio) {
+ char *msg = get_openssl_error();
+ r = -1;
+ printf("BIO_new_mem_buf failed: %s", msg);
+ ddsrt_free(msg);
+ goto fail_alloc_bio;
+ }
+
+ pkey = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
+ if (!pkey) {
+ char *msg = get_openssl_error();
+ r = -1;
+ printf("Failed to 
read public key: %s", msg);
+ ddsrt_free(msg);
+ goto fail_key_read;
+ }
+
+ dhkey = EVP_PKEY_get1_DH(pkey);
+ if (!dhkey) {
+ char *msg = get_openssl_error();
+ r = -1;
+ printf("Failed to get DH key from PKEY: %s", msg);
+ ddsrt_free(msg);
+ goto fail_get_dhkey;
+ }
+
+ asn1int = BN_to_ASN1_INTEGER(dh_get_public_key(dhkey), NULL);
+
+ if (!asn1int) {
+ char *msg = get_openssl_error();
+ r = -1;
+ printf("Failed to convert DH key to ASN1 integer: %s", msg);
+ ddsrt_free(msg);
+ goto fail_get_pubkey;
+ }
+
+ *size = (size_t)i2d_ASN1_INTEGER(asn1int, &buffer);
+
+ *pubkey = ddsrt_malloc(*size);
+ memcpy(*pubkey, buffer, *size);
+ ddsrt_free(buffer);
+
+ ASN1_INTEGER_free(asn1int);
+
+fail_get_pubkey:
+ DH_free(dhkey);
+fail_get_dhkey:
+ EVP_PKEY_free(pkey);
+fail_key_read:
+ BIO_free(bio);
+fail_alloc_bio:
+ return r;
+}
+
+
+static int
+set_dh_keys(void)
+{
+ int r;
+
+ r = set_dh_public_key(diffie_hellman_pubkey, &dh_pubkey_modp_2048_value, &dh_pubkey_modp_2048_length);
+ if (r) {
+ invalid_dh_pubkey_modp_2048_value = ddsrt_malloc(dh_pubkey_modp_2048_length);
+ memcpy(invalid_dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length);
+ invalid_dh_pubkey_modp_2048_value[0] = 0x8;
+ }
+ return r;
+}
+
+
+static int
+validate_remote_identities (const char *remote_id_certificate)
+{
+ int res = 0;
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityToken remote_identity_token;
+ static DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_GUID_t guid1;
+ DDS_Security_GUID_t guid2;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix1 = {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab};
+ DDS_Security_GuidPrefix_t prefix2 = {0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb};
+ DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1};
+ X509 *cert;
+
+ memcpy(&guid1.prefix, &prefix1, 
sizeof(prefix1));
+ memcpy(&guid1.entityId, &entityId, sizeof(entityId));
+ memcpy(&guid2.prefix, &prefix2, sizeof(prefix2));
+ memcpy(&guid2.entityId, &entityId, sizeof(entityId));
+
+ if (local_identity_handle == DDS_SECURITY_HANDLE_NIL) {
+ return -1;
+ }
+
+ cert = load_certificate(remote_id_certificate);
+ if (!cert) {
+ return -1;
+ }
+
+ if (!get_adjusted_participant_guid(cert, &guid1, &remote_participant_guid1)) {
+ X509_free(cert);
+ return -1;
+ }
+
+ if (!get_adjusted_participant_guid(cert, &guid2, &remote_participant_guid2)) {
+ X509_free(cert);
+ return -1;
+ }
+
+ X509_free(cert);
+
+ initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+
+ result = auth->validate_remote_identity(
+ auth,
+ &remote_identity_handle1,
+ &g_local_auth_request_token,
+ NULL,
+ local_identity_handle,
+ &remote_identity_token,
+ &remote_participant_guid1,
+ &exception);
+
+ if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) &&
+ (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) {
+ res = -1;
+ printf("validate_remote_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ reset_exception(&exception);
+
+ fill_auth_request_token(&g_remote_auth_request_token);
+
+ result = auth->validate_remote_identity(
+ auth,
+ &remote_identity_handle2,
+ &local_auth_request_token,
+ &g_remote_auth_request_token,
+ local_identity_handle,
+ &remote_identity_token,
+ &remote_participant_guid2,
+ &exception);
+
+ if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) &&
+ (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) {
+ res = -1;
+ printf("validate_remote_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+
+ reset_exception(&exception);
+
+ deinitialize_identity_token(&remote_identity_token);
+ DDS_Security_DataHolder_deinit(&local_auth_request_token);
+
+ remote_participant_data1 = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&remote_participant_data1->key[0], &remote_participant_guid1, 12);
+ remote_participant_data1->key[0] = fromBE4u(remote_participant_data1->key[0]);
+ remote_participant_data1->key[1] = fromBE4u(remote_participant_data1->key[1]);
+ remote_participant_data1->key[2] = fromBE4u(remote_participant_data1->key[2]);
+
+
+ initialize_identity_token(&remote_participant_data1->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&remote_participant_data1->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ remote_participant_data1->security_info.participant_security_attributes = 0x01;
+ remote_participant_data1->security_info.plugin_participant_security_attributes = 0x02;
+
+ remote_participant_data2 = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&remote_participant_data2->key[0], &remote_participant_guid2, 12);
+ remote_participant_data2->key[0] = fromBE4u(remote_participant_data2->key[0]);
+ remote_participant_data2->key[1] = fromBE4u(remote_participant_data2->key[1]);
+ remote_participant_data2->key[2] = fromBE4u(remote_participant_data2->key[2]);
+
+ initialize_identity_token(&remote_participant_data2->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&remote_participant_data2->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ remote_participant_data2->security_info.participant_security_attributes = 0x01;
+ remote_participant_data2->security_info.plugin_participant_security_attributes = 0x02;
+
+ remote_participant_data3 = DDS_Security_ParticipantBuiltinTopicData_alloc();
+ memcpy(&remote_participant_data3->key[0], &candidate_participant_guid, 12);
+
+ 
initialize_identity_token(&remote_participant_data3->identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ initialize_permissions_token(&remote_participant_data3->permissions_token, RSA_2048_ALGORITHM_NAME);
+
+ remote_participant_data2->security_info.participant_security_attributes = 0x01;
+ remote_participant_data2->security_info.plugin_participant_security_attributes = 0x02;
+
+ challenge1 = find_binary_property(&g_local_auth_request_token, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+ challenge2 = find_binary_property(&g_remote_auth_request_token, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+
+ return res;
+}
+
+static void
+release_remote_identities(void)
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ if (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, remote_identity_handle1, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ remote_identity_handle1 = DDS_SECURITY_HANDLE_NIL;
+ }
+ if (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, remote_identity_handle2, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ remote_identity_handle2 = DDS_SECURITY_HANDLE_NIL;
+ }
+
+ DDS_Security_DataHolder_deinit(&g_local_auth_request_token);
+ DDS_Security_DataHolder_deinit(&g_remote_auth_request_token);
+
+ DDS_Security_ParticipantBuiltinTopicData_free(remote_participant_data1);
+ DDS_Security_ParticipantBuiltinTopicData_free(remote_participant_data2);
+ DDS_Security_ParticipantBuiltinTopicData_free(remote_participant_data3);
+ remote_participant_data1 = NULL;
+ remote_participant_data2 = NULL;
+ remote_participant_data3 = NULL;
+}
+
+static void init_testcase(void)
+{
+
+ int res = 0;
+ /* Only need the authentication plugin. */
+ plugins = load_plugins(NULL /* Access Control */,
+ &auth /* Authentication */,
+ NULL /* Cryptograpy */);
+
+ if (plugins) {
+ res = validate_local_identity( NULL );
+ if (res == 0) {
+ res = validate_remote_identities( remote_identity_certificate );
+ }
+ if (res == 0){
+ res = set_dh_keys();
+ }
+ } else {
+ res = -1;
+ }
+
+ CU_ASSERT_FATAL( res == 0 );
+}
+
+static void fini_testcase(void)
+{
+ release_local_identity();
+ release_remote_identities();
+ unload_plugins(plugins);
+ ddsrt_free(invalid_dh_pubkey_modp_2048_value);
+ ddsrt_free(dh_pubkey_modp_2048_value);
+
+}
+
+
+
+
+static bool
+compare_octet_seq(
+ const DDS_Security_OctetSeq *seq1,
+ const DDS_Security_OctetSeq *seq2)
+{
+ int r;
+ if (seq1 && seq2) {
+ r = (int)(seq2->_length - seq1->_length);
+ if (r == 0) {
+ r = memcmp(seq1->_buffer, seq2->_buffer, seq1->_length);
+ }
+ } else if (seq1 == seq2) {
+ r = 0;
+ } else {
+ r = (seq2 > seq1) ? 
1 : -1;
+ }
+ return r;
+}
+
+static bool
+valid_c_id_property(
+ const char *certificate,
+ const DDS_Security_OctetSeq *value)
+{
+ if (value->_length == 0) {
+ CU_FAIL("c.id has no value");
+ return false;
+ }
+ if (strncmp(certificate, (const char *)value->_buffer, value->_length) != 0) {
+ return false;
+ }
+ return true;
+}
+
+static bool
+valid_string_value(
+ const char *expected,
+ const DDS_Security_OctetSeq *value)
+{
+ size_t len = strlen(expected) + 1;
+
+ if (strncmp(expected, (const char *)value->_buffer, len) != 0) {
+ return false;
+ }
+
+ return true;
+}
+
+static void
+serializer_participant_data(
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ unsigned char **buffer,
+ size_t *size)
+{
+ DDS_Security_Serializer serializer;
+ serializer = DDS_Security_Serializer_new(1024, 1024);
+
+ DDD_Security_Serialize_ParticipantBuiltinTopicData(serializer, pdata);
+ DDS_Security_Serializer_buffer(serializer, buffer, size);
+ DDS_Security_Serializer_free(serializer);
+}
+
+
+static void
+set_binary_property_value(
+ DDS_Security_BinaryProperty_t *bp,
+ const char *name,
+ const unsigned char *data,
+ size_t length)
+{
+ assert(bp);
+ assert(name);
+ assert(data);
+
+ bp->name = ddsrt_strdup(name);
+ bp->value._maximum = bp->value._length = (DDS_Security_unsigned_long) length;
+ if (length) {
+ bp->value._buffer = ddsrt_malloc(length);
+ memcpy(bp->value._buffer, data, length);
+ } else {
+ bp->value._buffer = NULL;
+ }
+}
+
+static void
+set_binary_property_string(
+ DDS_Security_BinaryProperty_t *bp,
+ const char *name,
+ const char *data)
+{
+ size_t length;
+
+ assert(bp);
+ assert(name);
+ assert(data);
+
+ length = strlen(data) + 1;
+ set_binary_property_value(bp, name, (const unsigned char *)data, length);
+}
+
+static void
+fill_handshake_message_token(
+ DDS_Security_HandshakeMessageToken *token,
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ const char *certificate,
+ const char *dsign,
+ const char *kagree,
+ const unsigned char 
*diffie_hellman,
+ const size_t diffie_hellman_size,
+ const unsigned char *challengeData,
+ size_t challengeDataSize)
+{
+ DDS_Security_BinaryProperty_t *tokens;
+ DDS_Security_BinaryProperty_t *c_id;
+ DDS_Security_BinaryProperty_t *c_perm;
+ DDS_Security_BinaryProperty_t *c_pdata;
+ DDS_Security_BinaryProperty_t *c_dsign_algo;
+ DDS_Security_BinaryProperty_t *c_kagree_algo;
+ DDS_Security_BinaryProperty_t *hash_c1;
+ DDS_Security_BinaryProperty_t *dh1;
+ DDS_Security_BinaryProperty_t *challenge;
+ unsigned char *serialized_local_participant_data;
+ size_t serialized_local_participant_data_size;
+ unsigned char hash[32];
+
+ serializer_participant_data(pdata, &serialized_local_participant_data, &serialized_local_participant_data_size);
+
+ tokens = DDS_Security_BinaryPropertySeq_allocbuf(8);
+ c_id = &tokens[0];
+ c_perm = &tokens[1];
+ c_pdata = &tokens[2];
+ c_dsign_algo = &tokens[3];
+ c_kagree_algo = &tokens[4];
+ hash_c1 = &tokens[5];
+ dh1 = &tokens[6];
+ challenge = &tokens[7];
+
+ /* Store the Identity Certificate associated with the local identify in c.id property */
+ if (certificate) {
+ set_binary_property_string(c_id, "c.id", certificate);
+ } else {
+ set_binary_property_string(c_id, "c.idx", "rubbish");
+ }
+
+ /* Store the permission document in the c.perm property */
+ set_binary_property_string(c_perm, "c.perm", "permissions_document");
+
+ /* Store the provided local_participant_data in the c.pdata property */
+ set_binary_property_value(c_pdata, "c.pdata", serialized_local_participant_data, serialized_local_participant_data_size);
+
+ /* Set the used signing algorithm descriptor in c.dsign_algo */
+ if (dsign) {
+ set_binary_property_string(c_dsign_algo, "c.dsign_algo", dsign);
+ } else {
+ set_binary_property_string(c_dsign_algo, "c.dsign_algox", "rubbish");
+ }
+
+ /* Set the used key algorithm descriptor in c.kagree_algo */
+ if (kagree) {
+ set_binary_property_string(c_kagree_algo, "c.kagree_algo", kagree);
+ } else {
+ 
set_binary_property_string(c_kagree_algo, "c.kagree_algox", "rubbish");
+ }
+
+ /* Calculate the hash_c1 */
+ {
+ DDS_Security_BinaryPropertySeq bseq;
+ DDS_Security_Serializer serializer;
+ unsigned char *buffer;
+ size_t size;
+
+ bseq._length = bseq._maximum = 5;
+ bseq._buffer = tokens;
+
+ serializer = DDS_Security_Serializer_new(1024, 1024);
+
+ DDS_Security_Serialize_BinaryPropertySeq(serializer, &bseq);
+ DDS_Security_Serializer_buffer(serializer, &buffer, &size);
+ SHA256(buffer, size, (unsigned char *)&hash);
+ ddsrt_free(buffer);
+ DDS_Security_Serializer_free(serializer);
+
+ set_binary_property_value(hash_c1, "hash_c1", (const unsigned char *) &hash, sizeof(hash));
+ }
+
+ /* Set the DH public key associated with the local participant in dh1 property */
+ if (diffie_hellman) {
+ set_binary_property_value(dh1, "dh1", diffie_hellman, diffie_hellman_size);
+ } else {
+ set_binary_property_string(dh1, "dh1x", "rubbish");
+ }
+
+ /* Set the challenge in challenge1 property */
+ if (challengeData) {
+ set_binary_property_value(challenge, "challenge1", challengeData, challengeDataSize);
+ } else {
+ set_binary_property_value(challenge, "challenge1x", challenge2->value._buffer, challenge2->value._length);
+ }
+
+ token->class_id = ddsrt_strdup(AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID);
+ token->binary_properties._length = token->binary_properties._maximum = 8;
+ token->binary_properties._buffer = tokens;
+
+ ddsrt_free(serialized_local_participant_data);
+}
+
+static void
+fill_handshake_message_token_default(
+ DDS_Security_HandshakeMessageToken *token,
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ const unsigned char *challengeData,
+ unsigned int challengeDataSize)
+{
+ fill_handshake_message_token(
+ token, pdata, remote_identity_certificate,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challengeData, challengeDataSize);
+}
+
+static void
+handshake_message_deinit(
+ 
DDS_Security_HandshakeMessageToken *token)
+{
+ DDS_Security_DataHolder_deinit(token);
+}
+
+static bool
+validate_handshake_token(
+ DDS_Security_HandshakeMessageToken *token,
+ const DDS_Security_OctetSeq *challenge_1,
+ const DDS_Security_OctetSeq *challenge_2)
+{
+ const DDS_Security_BinaryProperty_t *property;
+
+ if (!token->class_id || strcmp(token->class_id, AUTH_HANDSHAKE_REPLY_TOKEN_CLASS_ID) != 0) {
+ CU_FAIL("HandshakeMessageToken incorrect class_id");
+ } else if ((property = find_binary_property(token, "c.id")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.id' not found");
+ } else if (!valid_c_id_property(&identity_certificate[6], &property->value)) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.id' value is invalid");
+ } else if ((property = find_binary_property(token, "c.pdata")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.pdata' not found");
+ } else if ((property = find_binary_property(token, "c.dsign_algo")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.dsign_algo' not found");
+ } else if (!valid_string_value(AUTH_DSIGN_ALGO_RSA_NAME, &property->value)) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.dsign_algo' incorrect value");
+ } else if ((property = find_binary_property(token, "c.kagree_algo")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.kagree_algo' not found");
+ } else if (!valid_string_value(AUTH_KAGREE_ALGO_RSA_NAME, &property->value)) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.kagree_algo' incorrect value");
+ } else if ((property = find_binary_property(token, "hash_c2")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'hash_c2' not found");
+ } else if ((property = find_binary_property(token, "dh2")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'dh2' not found");
+ } else if ((property = find_binary_property(token, "hash_c1")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect 
property 'hash_c1' not found");
+ } else if ((property = find_binary_property(token, "dh1")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'dh1' not found");
+ } else if ((property = find_binary_property(token, "challenge1")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'challenge1' not found");
+ } else if (challenge_1 && compare_octet_seq(challenge_1, &property->value) != 0) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'challenge1' incorrect value");
+ } else if ((property = find_binary_property(token, "challenge2")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'challenge2' not found");
+ } else if (challenge_2 && compare_octet_seq(challenge_2, &property->value) != 0) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'challenge2' incorrect value");
+ } else {
+ return true;
+ }
+
+ return false;
+}
+
+CU_Test(ddssec_builtin_validate_begin_handshake_reply, happy_day, .init = init_testcase, .fini = fini_testcase)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+
+ fill_handshake_message_token_default(&handshake_token_in, remote_participant_data1, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data, 
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE);
+ CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT(validate_handshake_token(&handshake_token_out, &challenge2->value, NULL));
+
+ reset_exception(&exception);
+
+ success= auth->return_handshake_handle(auth, handshake_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+ handshake_message_deinit(&handshake_token_out);
+}
+
+CU_Test(ddssec_builtin_validate_begin_handshake_reply,future_challenge, .init = init_testcase, .fini = fini_testcase)
+
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+ fill_handshake_message_token_default(&handshake_token_in, remote_participant_data2, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if 
(result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE);
+ CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT(validate_handshake_token(&handshake_token_out, &challenge2->value, &challenge1->value));
+
+ reset_exception(&exception);
+
+ success= auth->return_handshake_handle(auth, handshake_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+ handshake_message_deinit(&handshake_token_out);
+
+ future_challenge_done = true;
+}
+
+
+CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_arguments, .init = init_testcase, .fini = fini_testcase)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_OctetSeq serdata = DDS_SECURITY_SEQUENCE_INIT;
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+ fill_handshake_message_token_default(&handshake_token_in, remote_participant_data1, challenge1->value._buffer, challenge1->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ NULL,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+ 
&serialized_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ NULL,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ NULL,
+ remote_identity_handle1,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ 0,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ 0,
+ &serialized_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+ NULL,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+ &serdata,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+}
+
+
+CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_certificate, .init = init_testcase, .fini = fini_testcase)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+ fill_handshake_message_token(
+ &handshake_token_in, remote_participant_data1, unrelated_identity,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ reset_exception(&exception);
+ handshake_message_deinit(&handshake_token_in);
+
+ fill_handshake_message_token(
+ &handshake_token_in, remote_participant_data1, NULL,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+}
+
+CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_participant_data , .init = init_testcase, .fini = fini_testcase)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_BinaryProperty_t *property;
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+ fill_handshake_message_token(
+ &handshake_token_in, 
remote_participant_data3, remote_identity_certificate,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+
+ fill_handshake_message_token(
+ &handshake_token_in, remote_participant_data1, remote_identity_certificate,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length);
+
+ property = find_binary_property(&handshake_token_in, "c.pdata");
+ CU_ASSERT_FATAL(property != NULL);
+
+ ddsrt_free(property->name);
+ property->name = ddsrt_strdup("c.pdatax");
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); +} + + +CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_dsign_algo , .init = init_testcase, .fini = fini_testcase) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, remote_identity_certificate, + "RSASSA-PSS-SHA128", AUTH_KAGREE_ALGO_RSA_NAME, + dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result == DDS_SECURITY_VALIDATION_OK) { + printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, remote_identity_certificate, + NULL, AUTH_KAGREE_ALGO_RSA_NAME, + dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result == DDS_SECURITY_VALIDATION_OK) { + printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); +} + +CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_kagree_algo , .init = init_testcase, .fini = fini_testcase) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_HandshakeHandle handshake_handle; + DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT; + DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL); + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, 
remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, "DH+MODP-2048-128", + dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result == DDS_SECURITY_VALIDATION_OK) { + printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + handshake_message_deinit(&handshake_token_in); + + fill_handshake_message_token( + &handshake_token_in, remote_participant_data1, remote_identity_certificate, + AUTH_DSIGN_ALGO_RSA_NAME, NULL, + dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length); + + result = auth->begin_handshake_reply( + auth, + &handshake_handle, + &handshake_token_out, + &handshake_token_in, + remote_identity_handle2, + local_identity_handle, + &serialized_participant_data, + &exception); + + if (result == DDS_SECURITY_VALIDATION_OK) { + printf("begin_handshake_reply failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+}
+
+CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_diffie_hellman , .init = init_testcase, .fini = fini_testcase)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+ fill_handshake_message_token(
+ &handshake_token_in, remote_participant_data1, remote_identity_certificate,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ invalid_dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+
+ fill_handshake_message_token(
+ &handshake_token_in, remote_participant_data1, remote_identity_certificate,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ NULL, 0, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+}
+
+CU_Test(ddssec_builtin_validate_begin_handshake_reply,invalid_challenge , .init = init_testcase, .fini = fini_testcase)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+ fill_handshake_message_token_default(&handshake_token_in, remote_participant_data2, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ handshake_message_deinit(&handshake_token_in);
+ handshake_message_deinit(&handshake_token_out);
+
+
+ fill_handshake_message_token(
+ &handshake_token_in, remote_participant_data1, remote_identity_certificate,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge1->value._buffer, challenge1->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+
+ fill_handshake_message_token(
+ &handshake_token_in, remote_participant_data1, remote_identity_certificate,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, NULL, 0);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_OK) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+}
+
+
+CU_Test(ddssec_builtin_validate_begin_handshake_reply,return_handle, .init = init_testcase, .fini = fini_testcase)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+ fill_handshake_message_token_default(&handshake_token_in, remote_participant_data1, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle1,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE);
+ CU_ASSERT (handshake_handle != DDS_SECURITY_HANDLE_NIL);
+
+ reset_exception(&exception);
+
+ success = auth->return_handshake_handle(auth, handshake_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_handshake_handle failed: %s\n", exception.message ?
exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ success = auth->return_handshake_handle(auth, handshake_handle, &exception);
+ CU_ASSERT ( success == false );
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ if (!success) {
+ printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+ handshake_message_deinit(&handshake_token_out);
+
+}
+
+/*TODO: test is waiting for Trusted CA parsing function */
+
+#if(0)
+CU _ Test(validate_begin_handshake_reply,extended_certificate_check )
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token_in = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_HandshakeMessageToken handshake_token_out = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ release_local_identity();
+ release_remote_identities();
+
+ CU_ASSERT_FATAL( !validate_local_identity("trusted_ca_dir") );
+ CU_ASSERT_FATAL( !validate_remote_identities( remote_identity_trusted ) );
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+
+ fill_handshake_message_token(
+ &handshake_token_in, remote_participant_data1, remote_identity_trusted,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) {
+ printf("begin_handshake_reply failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE);
+ CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT(validate_handshake_token(&handshake_token_out, &challenge2->value, NULL));
+
+ reset_exception(&exception);
+
+ success= auth->return_handshake_handle(auth, handshake_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ handshake_message_deinit(&handshake_token_in);
+ handshake_message_deinit(&handshake_token_out);
+
+ release_local_identity();
+ release_remote_identities();
+
+ CU_ASSERT_FATAL( !validate_local_identity("trusted_ca_dir") );
+ CU_ASSERT_FATAL( !validate_remote_identities( remote_identity_untrusted ) );
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+
+ fill_handshake_message_token(
+ &handshake_token_in, remote_participant_data1, remote_identity_untrusted,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT_FATAL( exception.code != 0 );
+
+ reset_exception(&exception);
+
+ auth->return_handshake_handle(auth, handshake_handle, &exception);
+ handshake_message_deinit(&handshake_token_in);
+ handshake_message_deinit(&handshake_token_out);
+ reset_exception(&exception);
+
+
+ release_local_identity();
+ release_remote_identities();
+
+ CU_ASSERT_FATAL( !validate_local_identity("trusted_ca_dir") );
+ CU_ASSERT_FATAL( !validate_remote_identities( remote_identity_trusted_expired ) );
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_reply != NULL);
+
+
+ fill_handshake_message_token(
+ &handshake_token_in, remote_participant_data1, remote_identity_trusted_expired,
+ AUTH_DSIGN_ALGO_RSA_NAME, AUTH_KAGREE_ALGO_RSA_NAME,
+ dh_pubkey_modp_2048_value, dh_pubkey_modp_2048_length, challenge2->value._buffer, challenge2->value._length);
+
+ result = auth->begin_handshake_reply(
+ auth,
+ &handshake_handle,
+ &handshake_token_out,
+ &handshake_token_in,
+ remote_identity_handle2,
+ local_identity_handle,
+ &serialized_participant_data,
+ &exception);
+
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT_FATAL( exception.code != 0 );
+
+ reset_exception(&exception);
+
+
+ auth->return_handshake_handle(auth, handshake_handle, &exception);
+ handshake_message_deinit(&handshake_token_in);
+ handshake_message_deinit(&handshake_token_out);
+ reset_exception(&exception);
+}
+#endif
diff --git a/src/security/builtin_plugins/tests/validate_begin_handshake_request/src/validate_begin_handshake_request_utests.c b/src/security/builtin_plugins/tests/validate_begin_handshake_request/src/validate_begin_handshake_request_utests.c
new file mode 100644
index 0000000..5137565
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_begin_handshake_request/src/validate_begin_handshake_request_utests.c
@@ -0,0 +1,828 @@
+
+
+
+
+/* CUnit includes. */
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_serialize.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/string.h"
+#include
+#include
+#include "dds/ddsrt/environ.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "assert.h"
+
+
+/* Test helper includes. */
+#include "common/src/loader.h"
+
+/* Private header include */
+
+#include
+
+static const char * AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0";
+
+static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+
+static const char * PROPERTY_CERT_SUBJECT_NAME = "dds.cert.sn";
+static const char * PROPERTY_CERT_ALGORITHM = "dds.cert.algo";
+static const char * PROPERTY_CA_SUBJECT_NAME = "dds.ca.sn";
+static const char * PROPERTY_CA_ALGORITHM = "dds.ca.aglo";
+
+static const char * SUBJECT_NAME_IDENTITY_CERT = "CN=CHAM-574 client,O=Some Company,ST=Some-State,C=NL";
+static const char * SUBJECT_NAME_IDENTITY_CA = "CN=CHAM-574 authority,O=Some Company,ST=Some-State,C=NL";
+
+static const char * RSA_2048_ALGORITHM_NAME = "RSA-2048";
+
+static const char * AUTH_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+AuthReq";
+static const char * AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME = "future_challenge";
+
+static const char * AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+Req";
+
+static const char * AUTH_DSIGN_ALGO_RSA_NAME = "RSASSA-PSS-SHA256";
+static const char * AUTH_KAGREE_ALGO_ECDH_NAME = "ECDH+prime256v1-CEUM";
+/* static const char * AUTH_KAGREE_ALGO_RSA_NAME = "DH+MODP-2048-256"; */
+
+
+
+static const char *identity_certificate =
+ "data:,-----BEGIN CERTIFICATE-----\n"
+ "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" +
"BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n" + "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n" + "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n" + "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n" + "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n" + "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n" + "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n" + "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n" + "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n" + "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n" + "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n" + "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n" + "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n" + "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n" + "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n" + "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n" + "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n" + "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n" + "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n" + "-----END CERTIFICATE-----\n"; + + +static const char *identity_ca = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n" + "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + 
"CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n" + "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n" + "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n" + "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n" + "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n" + "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n" + "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n" + "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n" + "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n" + "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n" + "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n" + "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n" + "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n" + "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n" + "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n" + "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n" + "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n" + "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n" + "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n" + "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n" + "-----END CERTIFICATE-----\n"; + + +static const char *private_key = + "data:,-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n" + "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n" + "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n" + "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n" + "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n" + 
"A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n" + "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n" + "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n" + "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n" + "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n" + "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n" + "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n" + "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n" + "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n" + "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n" + "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n" + "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n" + "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n" + "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n" + "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n" + "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n" + "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n" + "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n" + "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n" + "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n" + "-----END RSA PRIVATE KEY-----\n"; + + + +static struct plugins_hdl *plugins = NULL; +static dds_security_authentication *auth = NULL; +static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_IdentityHandle remote_identity_handle1 = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_IdentityHandle remote_identity_handle2 = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_AuthRequestMessageToken g_local_auth_request_token = DDS_SECURITY_TOKEN_INIT; +static DDS_Security_AuthRequestMessageToken g_remote_auth_request_token = 
DDS_SECURITY_TOKEN_INIT;
+static const DDS_Security_BinaryProperty_t *challenge1 = NULL;
+static const DDS_Security_BinaryProperty_t *challenge2 = NULL;
+
+
+static void
+dds_security_property_init(
+ DDS_Security_PropertySeq *seq,
+ DDS_Security_unsigned_long size)
+{
+ seq->_length = size;
+ seq->_maximum = size;
+ seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+ memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void
+dds_security_property_deinit(
+ DDS_Security_PropertySeq *seq)
+{
+ uint32_t i;
+
+ for (i = 0; i < seq->_length; i++) {
+ ddsrt_free(seq->_buffer[i].name);
+ ddsrt_free(seq->_buffer[i].value);
+ }
+ ddsrt_free(seq->_buffer);
+}
+
+static void
+reset_exception(
+ DDS_Security_SecurityException *ex)
+{
+ ex->minor_code = 0;
+ ex->code = 0;
+ ddsrt_free(ex->message);
+ ex->message = NULL;
+}
+
+static void
+initialize_identity_token(
+ DDS_Security_IdentityToken *token,
+ const char *certAlgo,
+ const char *caAlgo)
+{
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+ token->properties._maximum = 4;
+ token->properties._length = 4;
+ token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+
+ token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CERT);
+ token->properties._buffer[0].propagate = true;
+
+ token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM);
+ token->properties._buffer[1].value = ddsrt_strdup(certAlgo);
+ token->properties._buffer[1].propagate = true;
+
+ token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME);
+ token->properties._buffer[2].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA);
+ token->properties._buffer[2].propagate = true;
+
+ token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM);
+ token->properties._buffer[3].value = ddsrt_strdup(caAlgo);
+ token->properties._buffer[3].propagate = true;
+}
+
+static void
+fill_auth_request_token(
+ DDS_Security_AuthRequestMessageToken *token)
+{
+ uint32_t i;
+ uint32_t len = 32;
+ unsigned char *challenge;
+
+ challenge = ddsrt_malloc(len);
+
+ for (i = 0; i < len; i++) {
+ challenge[i] = (unsigned char)(0xFF - i);
+ }
+
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID);
+ token->binary_properties._maximum = 1;
+ token->binary_properties._length = 1;
+ token->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(1);
+ token->binary_properties._buffer->name = ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+
+ token->binary_properties._buffer->value._maximum = len;
+ token->binary_properties._buffer->value._length = len;
+ token->binary_properties._buffer->value._buffer = challenge;
+}
+
+static const DDS_Security_BinaryProperty_t *
+find_binary_property(
+ DDS_Security_DataHolder *token,
+ const char *name)
+{
+ const DDS_Security_BinaryProperty_t *result = NULL;
+ uint32_t i;
+
+ for (i = 0; i < token->binary_properties._length && !result; i++) {
+ if (token->binary_properties._buffer[i].name && (strcmp(token->binary_properties._buffer[i].name, name) == 0)) {
+ result = &token->binary_properties._buffer[i];
+ }
+ }
+
+ return result;
+}
+
+
+static void
+deinitialize_identity_token(
+ DDS_Security_IdentityToken *token)
+{
+ DDS_Security_DataHolder_deinit(token);
+}
+
+static int
+validate_local_identity(void)
+{
+ int res = 0;
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GUID_t local_participant_guid;
+ DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+ DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1};
+
+ memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 3);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &local_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ res = -1;
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ return res;
+}
+
+static void
+release_local_identity(void)
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ if (local_identity_handle != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ?
exception.message : "Error message missing"); + } + reset_exception(&exception); + } +} + +static int +validate_remote_identities (void) +{ + int res = 0; + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityToken remote_identity_token; + static DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT; + DDS_Security_GUID_t remote_participant_guid1; + DDS_Security_GUID_t remote_participant_guid2; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix1 = {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab}; + DDS_Security_GuidPrefix_t prefix2 = {0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb}; + DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1}; + + memcpy(&remote_participant_guid1.prefix, &prefix1, sizeof(prefix1)); + memcpy(&remote_participant_guid1.entityId, &entityId, sizeof(entityId)); + memcpy(&remote_participant_guid2.prefix, &prefix2, sizeof(prefix2)); + memcpy(&remote_participant_guid2.entityId, &entityId, sizeof(entityId)); + + if (local_identity_handle == DDS_SECURITY_HANDLE_NIL) { + return -1; + } + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle1, + &g_local_auth_request_token, + NULL, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid1, + &exception); + + if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) && + (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) { + printf("validate_remote_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+
+ reset_exception(&exception);
+
+ fill_auth_request_token(&g_remote_auth_request_token);
+
+ result = auth->validate_remote_identity(
+ auth,
+ &remote_identity_handle2,
+ &local_auth_request_token,
+ &g_remote_auth_request_token,
+ local_identity_handle,
+ &remote_identity_token,
+ &remote_participant_guid2,
+ &exception);
+
+ if ((result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) &&
+ (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) {
+ printf("validate_remote_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ reset_exception(&exception);
+
+ deinitialize_identity_token(&remote_identity_token);
+ DDS_Security_DataHolder_deinit(&local_auth_request_token);
+
+ challenge1 = find_binary_property(&g_local_auth_request_token, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+ challenge2 = find_binary_property(&g_remote_auth_request_token, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+
+ return res;
+}
+
+static void
+release_remote_identities(void)
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ if (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, remote_identity_handle1, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ }
+ if (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, remote_identity_handle2, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ }
+
+ DDS_Security_DataHolder_deinit(&g_local_auth_request_token);
+ DDS_Security_DataHolder_deinit(&g_remote_auth_request_token);
+}
+
+static void
+fill_local_participant_data(
+ DDS_Security_OctetSeq *pdata,
+ uint32_t length)
+{
+ uint32_t i;
+
+ pdata->_length = pdata->_maximum = length;
+ pdata->_buffer = ddsrt_malloc(length);
+
+ for (i = 0; i < length; i++) {
+ pdata->_buffer[i] = (unsigned char)(i % 256);
+ }
+}
+
+static void
+release_local_participant_data(
+ DDS_Security_OctetSeq *pdata)
+{
+ if (pdata) {
+ ddsrt_free(pdata->_buffer);
+ }
+}
+
+CU_Init(ddssec_builtin_validate_begin_handshake_request)
+{
+ int res = 0;
+
+ /* Only need the authentication plugin. */
+ plugins = load_plugins(NULL /* Access Control */,
+ &auth /* Authentication */,
+ NULL /* Cryptograpy */);
+ if (plugins) {
+ res = validate_local_identity();
+ if (res >= 0) {
+ res = validate_remote_identities();
+ }
+ } else {
+ res = -1;
+ }
+
+ return res;
+}
+
+CU_Clean(ddssec_builtin_validate_begin_handshake_request)
+{
+ release_local_identity();
+ release_remote_identities();
+ unload_plugins(plugins);
+ return 0;
+}
+
+static bool
+compare_octet_seq(
+ const DDS_Security_OctetSeq *seq1,
+ const DDS_Security_OctetSeq *seq2)
+{
+ int r;
+ if (seq1 && seq2) {
+ r = (int)(seq2->_length - seq1->_length);
+ if (r == 0) {
+ r = memcmp(seq1->_buffer, seq2->_buffer, seq1->_length);
+ }
+ } else if (seq1 == seq2) {
+ r = 0;
+ } else {
+ r = (seq2 > seq1) ? 
1 : -1;
+ }
+ return r;
+}
+
+static bool
+valid_c_id_property(
+ const char *certificate,
+ const DDS_Security_OctetSeq *value)
+{
+ if (value->_length == 0) {
+ CU_FAIL("c.id has no value");
+ return false;
+ }
+ if (strncmp(certificate, (const char *)value->_buffer, value->_length) != 0) {
+ return false;
+ }
+ return true;
+}
+
+static bool
+valid_string_value(
+ const char *expected,
+ const DDS_Security_OctetSeq *value)
+{
+ size_t len = strlen(expected) + 1;
+
+ if (strncmp(expected, (const char *)value->_buffer, len) != 0) {
+ return false;
+ }
+
+ return true;
+}
+
+
+
+static bool
+validate_handshake_token(
+ DDS_Security_HandshakeMessageToken *token,
+ const DDS_Security_OctetSeq *challenge)
+{
+ const DDS_Security_BinaryProperty_t *property;
+
+ if (!token->class_id || strcmp(token->class_id, AUTH_HANDSHAKE_REQUEST_TOKEN_CLASS_ID) != 0) {
+ CU_FAIL("HandshakeMessageToken incorrect class_id");
+ } else if ((property = find_binary_property(token, "c.id")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.id' not found");
+ } else if (!valid_c_id_property(&identity_certificate[6], &property->value)) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.id' value is invalid");
+ } else if ((property = find_binary_property(token, "c.pdata")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.pdata' not found");
+ } else if ((property = find_binary_property(token, "c.dsign_algo")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.dsign_algo' not found");
+ } else if (!valid_string_value(AUTH_DSIGN_ALGO_RSA_NAME, &property->value)) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.dsign_algo' incorrect value");
+ } else if ((property = find_binary_property(token, "c.kagree_algo")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'c.kagree_algo' not found");
+ } else if (!valid_string_value(AUTH_KAGREE_ALGO_ECDH_NAME, &property->value)) {
+ CU_FAIL("HandshakeMessageToken incorrect property 
'c.kagree_algo' incorrect value");
+ } else if ((property = find_binary_property(token, "hash_c1")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'hash_c1' not found");
+ } else if ((property = find_binary_property(token, "dh1")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'dh1' not found");
+ } else if ((property = find_binary_property(token, "challenge1")) == NULL) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'challenge1' not found");
+ } else if (challenge && compare_octet_seq(challenge, &property->value) != 0) {
+ CU_FAIL("HandshakeMessageToken incorrect property 'challenge1' incorrect value");
+ } else {
+ return true;
+ }
+
+ return false;
+}
+
+
+
+CU_Test(ddssec_builtin_validate_begin_handshake_request,happy_day_challenge)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_OctetSeq local_participant_data;
+ DDS_Security_boolean success;
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_request != NULL);
+
+ fill_local_participant_data(&local_participant_data, 82);
+
+ result = auth->begin_handshake_request(
+ auth,
+ &handshake_handle,
+ &handshake_token,
+ local_identity_handle,
+ remote_identity_handle2,
+ &local_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) {
+ printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE);
+ CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT(validate_handshake_token(&handshake_token, NULL));
+
+ reset_exception(&exception);
+
+ release_local_participant_data(&local_participant_data);
+
+ success= auth->return_handshake_handle(auth, handshake_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ DDS_Security_DataHolder_deinit(&handshake_token);
+}
+
+CU_Test(ddssec_builtin_validate_begin_handshake_request,happy_day_future_challenge)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_OctetSeq local_participant_data;
+ DDS_Security_boolean success;
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_request != NULL);
+
+ fill_local_participant_data(&local_participant_data, 82);
+
+ result = auth->begin_handshake_request(
+ auth,
+ &handshake_handle,
+ &handshake_token,
+ local_identity_handle,
+ remote_identity_handle1,
+ &local_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) {
+ printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL(result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE);
+ CU_ASSERT(handshake_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT(validate_handshake_token(&handshake_token, &challenge1->value));
+
+ reset_exception(&exception);
+
+ release_local_participant_data(&local_participant_data);
+
+ success = auth->return_handshake_handle(auth, handshake_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ DDS_Security_DataHolder_deinit(&handshake_token);
+}
+
+
+CU_Test(ddssec_builtin_validate_begin_handshake_request,invalid_arguments)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_OctetSeq local_participant_data;
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_request != NULL);
+
+ fill_local_participant_data(&local_participant_data, 82);
+
+ result = auth->begin_handshake_request(
+ auth,
+ NULL,
+ &handshake_token,
+ local_identity_handle,
+ remote_identity_handle1,
+ &local_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_request(
+ auth,
+ &handshake_handle,
+ NULL,
+ local_identity_handle,
+ remote_identity_handle1,
+ &local_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_request(
+ auth,
+ &handshake_handle,
+ &handshake_token,
+ 0x1234598,
+ remote_identity_handle1,
+ &local_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_request(
+ auth,
+ &handshake_handle,
+ &handshake_token,
+ local_identity_handle,
+ 0x1234598,
+ &local_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ result = auth->begin_handshake_request(
+ auth,
+ &handshake_handle,
+ &handshake_token,
+ local_identity_handle,
+ remote_identity_handle1,
+ NULL,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+ reset_exception(&exception);
+
+ release_local_participant_data(&local_participant_data);
+}
+
+CU_Test(ddssec_builtin_validate_begin_handshake_request,return_handle)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_HandshakeHandle handshake_handle;
+ DDS_Security_HandshakeMessageToken handshake_token;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_OctetSeq local_participant_data;
+ DDS_Security_boolean success;
+
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle1 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (remote_identity_handle2 != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT_FATAL (auth->begin_handshake_request != NULL);
+
+ fill_local_participant_data(&local_participant_data, 82);
+
+ result = auth->begin_handshake_request(
+ auth,
+ &handshake_handle,
+ &handshake_token,
+ local_identity_handle,
+ remote_identity_handle2,
+ &local_participant_data,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE) {
+ printf("begin_handshake_request failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+
+ CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE);
+ CU_ASSERT (handshake_handle != DDS_SECURITY_HANDLE_NIL);
+
+ reset_exception(&exception);
+
+ release_local_participant_data(&local_participant_data);
+
+ success = auth->return_handshake_handle(auth, handshake_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ success = auth->return_handshake_handle(auth, handshake_handle, &exception);
+ CU_ASSERT_FALSE (success);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ if (!success) {
+ printf("return_handshake_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ DDS_Security_DataHolder_deinit(&handshake_token);
+}
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/Alice_Test_2.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/Alice_Test_2.crt
new file mode 100644
index 0000000..f5f77eb
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/Alice_Test_2.crt 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEJTCCAw2gAwIBAgIBFzANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGjAYBgNVBAMTEUlkZW50 +aXR5IENBIFRlc3QyMSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0ZWNo +LmNvbTAeFw0xODA3MjAwMDAwMDBaFw0yNzA3MTkyMzU5NTlaMG0xCzAJBgNVBAYT +Ak5MMQswCQYDVQQIEwJPVjETMBEGA1UEChMKQURMaW5rIElTVDEUMBIGA1UEAxML +QWxpY2UgVGVzdDIxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Fb60RkFrDsRAIRf +LMf2fsiRnw9Agp7yEbUsA4Zg4X+hRhBkk78fFtagLisWo4LbT4DqKzqQXCvVnOn9 +a6uT0KsVejk2iaLoBy0fotQznudio3rzDpTfzP9eRDFVj8RJnl3JJ8P1DULxH7N0 +TyDBuKZ1ibBfuKjPffqeCEzYKgAc8NG2FB4m6mXzHhXuKw6W2v0IbHz6KYldsavf +04rq7ztw0t67bexSQ4gLSVJEwiohAregm0dLvQnap5xd2qn0yETteTL8Y+Ujym1D +WAnwDdwA6+0j2a0wkyzOzYQpZMt95NyZ8kcoqEqO8KAN2HclqfjHlg9iDscbof5x +45SQwwIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFL66FT0vnlFE ++PKrtV+KhJoLsCOWMB8GA1UdIwQYMBaAFIFGyWkPWvNkBD2SCYj9H+NfnlOLMA8G +A1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYBBQUHAwEGCCsGAQUFBwMC +BggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDCQYIKwYBBQUH +Aw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEBCwUAA4IBAQCsBINpBXSp +Xe3f5MMObeUXE2VhWZWIjMdDQRFDDjq6u1YR7rbffsCReiCX5zviU2dtVV8VN3MQ +k7wp8qEDKwP1ToMIwZGwT4Hfwei1eueJ1vuotgiGe0Gm3otXlGsb0C5otnsu63MM +OeFgkpZde3VpIqK9EmhgjWOD8TXc8Me7zBlYSEIaXkkwP0jAKRf5vFgz0WfE5ITx +SDKUO0OrcN789flO/OKLAHZ4cqNcxNPkMz7h9VBSgRRRk115HEa8Fe46nl1YpwRG +0urHlyAKoUV+J+I3Qy4+SwIDwix978hgGN3bKVyv9q0yAQRzpZ54EJOj4C7lNEpB +roGVpY4yYP/B +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/Bob_Chain_Test.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/Bob_Chain_Test.crt new file mode 100644 index 0000000..e980af3 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/Bob_Chain_Test.crt 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEJDCCAwygAwIBAgIBAzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxJDAiBgNVBAMTG0lkZW50 +aXR5IENBIFRlc3QgV2l0aCBDaGFpbjEmMCQGCSqGSIb3DQEJARYXaW5mb0Bpc3Qu +YWRsaW5rdGVjaC5jb20wHhcNMTgwNjEzMDAwMDAwWhcNMjcwNjEwMjM1OTU5WjBw +MQswCQYDVQQGEwJOTDELMAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1Qx +FzAVBgNVBAMTDkJvYiBDaGFpbiBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlz +dC5hZGxpbmt0ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMHm+qG5afCHFdmp98+Z+POB7vD3WhfghKVugh8FenewuPaaotKxiGAE0kCf8WXU +5l4XDR3iBWJsGDHll1yOyL4KW9grwfnfiJMl82uIzKGDiRJbFkXVOLF/DcVLsuqM +oRjlk09+nlrg/7xS96itgm6yueW/UOIXpo+ElCHwnrYnpuHHrYM0s7t1ls3QFSyd +a3INx+LkM6N/b+veVJF95yfe4GvVBhFpLkWtX4xKgZyMjczvmZ6LVNNSnthPhlZF +HmspQyqXrTnGyax3qyoloqh9ibDvAK5pUnzqlv/Dyyt110q3bXFR5A0wqfj0fqtp +7Mw4TdTkFQy1n4/Y4EuT8I8CAwEAAaOBuzCBuDAdBgNVHQ4EFgQUQpxLPHT5o/GQ +RwdBw2scINXnWlUwHwYDVR0jBBgwFoAUTVVCTRc4ST0XmE+EEsenSudwlwkwDwYD +VR0PAQH/BAUDAwf/gDBlBgNVHSUBAf8EWzBZBggrBgEFBQcDAQYIKwYBBQUHAwIG +CCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBggrBgEFBQcD +DQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBAJwd60WigqbB +/6CT0ekvXZdvIV5IaIKiy6KYU0/0ebPVXn0YKp9LQTE6lYCr6hZUcEjBfkFBZhAy +KJJOb2sUXAnYqnX/mIipiNb7oHsCHxVCKAwEcmxsS3tGl2CXgpKL8EQQFKJgSrC/ +uzhf2QESQ0T5Mgni1jXXGf6SAwFAjk+mAM9bMdrtLOX39e5aKrgpZOHmdFke+m/K +upxP/M0/omTNNQaSfWDmfDvpdsRD9+mFG12Kzgpue2jut1qeICvSmcQsu2OBYG/Q +ZXMx8e8azoX0KB+njf826UcVgDkDmfwN9taOU2lFsmZAvYhpIslNwtH/Htu3zJWO +vQxyIh+kxFQ= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test2.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test2.crt new file mode 100644 index 0000000..592eea3 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test2.crt 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKzCCAxOgAwIBAgIBFjANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGjAYBgNVBAMTEUlkZW50 +aXR5IENBIFRlc3QyMSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0ZWNo +LmNvbTAeFw0xODA3MjAwMDAwMDBaFw0yNzA3MTkyMzU5NTlaMHMxCzAJBgNVBAYT +Ak5MMQswCQYDVQQIEwJPVjETMBEGA1UEChMKQURMaW5rIElTVDEaMBgGA1UEAxMR +SWRlbnRpdHkgQ0EgVGVzdDIxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlu +a3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyIweDOdB +xotexcDiUdbIdDLu9A6/KSpkxUJnYb2iRhBonmCNFvErEokso/Dga6QT3rg83UCg +GMJBSJSZhq/j+eZweHoXS8Ccet/aF2iNj5A5Uhn476M3zMg+rCoos2yKlpZLOz1x +QjrRJfeOoBHvkHkxBeupnnQPx4oAro7zoXMIO83NKLwCROC/kGq1ktW8fbKa5THQ +z0QfZG3zAeD93N+dTAqA+jkCfzbrQepF243Tu4cLaGwVALZ/8cZ7sky8+OOmKnBU +P9r+U/4L62DVJYnYkTGnYEwqXcM1b8/JHasmKEaHXgAu/UI5i/SZfRPZUyC1ERSv +tX6k7sBxZZSPLQIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIFG +yWkPWvNkBD2SCYj9H+NfnlOLMB8GA1UdIwQYMBaAFIFGyWkPWvNkBD2SCYj9H+Nf +nlOLMA8GA1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYBBQUHAwEGCCsG +AQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDCQYI +KwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEBCwUAA4IBAQCK +SkemYQIvsslkMc8PNHSk2om4xk7hUXkatAZPN9dvRravu3PJqMWxpQ0TWbddrkBL +he7/ARC2G9vVUwQl2b8K1Rjt/nZ3j+NPvhCDzcPyxjornyN8IG1NJQVH18fTxR23 +6PvDBE0H2trA3WJgKo6Wlxo6CHWts8ulFWWXBE1nNQw30hU49FDsFn3nz6Gry4ti +/ouAvbz+UXSsT9R+zkci3A394sEsOCZSStgAnXsejU45pCt6OtCGaLfDvEPp21az +OEjuIaj6Kbd+MHeLyPoe+d1Bkl39OnAUEJ8q2HdwvIg2ZqP6h0agm5gpZo/ALDWn +9P3owIGVsHFGkYqhHc+K +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test_With_Chain.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test_With_Chain.crt new file mode 100644 index 0000000..35506b8 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/Identity_CA_Test_With_Chain.crt 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENDCCAxygAwIBAgIBAjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50 +aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMB4XDTE4MDYxMzAwMDAwMFoXDTI3MDYxMDIzNTk1OVowfTELMAkGA1UEBhMC +TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMSQwIgYDVQQDExtJ +ZGVudGl0eSBDQSBUZXN0IFdpdGggQ2hhaW4xJjAkBgkqhkiG9w0BCQEWF2luZm9A +aXN0LmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA1r8Q0V8ZVeBs8tPMF0N+JlBynl1Zn/89vwSsU4m7y6ixUcW/y3r12CMeA0cH +g6yOaOdHsZ8pRlPRwy9YmeOwLsMOUHAURP2uPiTjSf3pttUIf0jv602GyirNzoS7 +7mHiyTtV80ZMzZlLIJ3gaJJlG4DjitFuFcjv8sOmviFjkn1kOjkAz1nKgsCiHvvg +fcJlYPrtLfle9SzvZ3MTq4ob+/EFu9nt5bYYs7p7Br1TGWctUw98l2mSn/FhfDBw +9bb7ZhcKB7W6PGy2Os5AnkdTJKHoOQT+RmnHzPBhab0BoKuy8IhfW2GyqC8rL5Tm +/UVLUvnx4Zzqz//3IyA2FTb1HQIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYD +VR0OBBYEFE1VQk0XOEk9F5hPhBLHp0rncJcJMB8GA1UdIwQYMBaAFER4R6N3MQ1W +l7gn+R8wwHloDCVZMA8GA1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYB +BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggr +BgEFBQcDCQYIKwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEB +CwUAA4IBAQCbl7ed4p66G6WquxO7ceZFvYKn3kDErjCfXHcqHxBnA2xTpoZCGj95 +Qpirqo6N4UcLX5sn3CmgyVk0dYvlti/53FJgZ9XQDNxBuEYWPkY7vO+Uo0WdYpGz +ZDNIUQpiPMA7bHvwKldTIs77xxtnw9kbBU2k0xQyb2tdZNfD5YqSI1MeUtpEpNFW +sbC8+mQ3clzWpjF8eHH1fFSAmlJ+z1Uqmtt2FK0vRz+MQcpydwvpMnfqGdcwhGPQ +X4HZreLObjBA8KUEkUB3+rZXuELBgkk/c8/jRZl7QF5jJDLQCCLg7KoYBKN2GuTt +/dzeSnP7VZm/nTL8wpCvKgSOwOGgklf2 +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/alice.pem b/src/security/builtin_plugins/tests/validate_local_identity/etc/alice.pem new file mode 100644 index 0000000..07a5977 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/alice.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0Fb60RkFrDsRAIRfLMf2fsiRnw9Agp7yEbUsA4Zg4X+hRhBk +k78fFtagLisWo4LbT4DqKzqQXCvVnOn9a6uT0KsVejk2iaLoBy0fotQznudio3rz +DpTfzP9eRDFVj8RJnl3JJ8P1DULxH7N0TyDBuKZ1ibBfuKjPffqeCEzYKgAc8NG2 +FB4m6mXzHhXuKw6W2v0IbHz6KYldsavf04rq7ztw0t67bexSQ4gLSVJEwiohAreg +m0dLvQnap5xd2qn0yETteTL8Y+Ujym1DWAnwDdwA6+0j2a0wkyzOzYQpZMt95NyZ +8kcoqEqO8KAN2HclqfjHlg9iDscbof5x45SQwwIDAQABAoIBAG0dYPeqd0IhHWJ7 +8azufbchLMN1pX/D51xG2uptssfnpHuhkkufSZUYi4QipRS2ME6PYhWJ8pmTi6lH +E6cUkbI0KGd/F4U2gPdhNrR9Fxwea5bbifkVF7Gx/ZkRjZJiZ3w9+mCNTQbJDKhh +wITAzzT6WYznhvqbzzBX1fTa6kv0GAQtX7aHKM+XIwkhX2gzU5TU80bvH8aMrT05 +tAMGQqkUeRnpo0yucBl4VmTZzd/+X/d2UyXR0my15jE5iH5o+p+E6qTRE9D+MGUd +MQ6Ftj0Untqy1lcog1ZLL6zPlnwcD4jgY5VCYDgvabnrSwymOJapPLsAEdWdq+U5 +ec44BMECgYEA/+3qPUrd4XxA517qO3fCGBvf2Gkr7w5ZDeATOTHGuD8QZeK0nxPl +CWhRjdgkqo0fyf1cjczL5XgYayo+YxkO1Z4RUU+8lJAHlVx9izOQo+MTQfkwH4BK +LYlHxMoHJwAOXXoE+dmBaDh5xT0mDUGU750r763L6EFovE4qRBn9hxkCgYEA0GWz +rpOPNxb419WxG9npoQYdCZ5IbmEOGDH3ReggVzWHmW8sqtkqTZm5srcyDpqAc1Gu +paUveMblEBbU+NFJjLWOfwB5PCp8jsrqRgCQSxolShiVkc3Vu3oyzMus9PDge1eo +9mwVGO7ojQKWRu/WVAakENPaAjeyyhv4dqSNnjsCgYEAlwe8yszqoY1k8+U0T0G+ +HeIdOCXgkmOiNCj+zyrLvaEhuS6PLq1b5TBVqGJcSPWdQ+MrglbQIKu9pUg5ptt7 +wJ5WU+i9PeK9Ruxc/g/BFKYFkFJQjtZzb+nqm3wpul8zGwDN/O/ZiTqCyd3rHbmM +/dZ/viKPCZHIEBAEq0m3LskCgYBndzcAo+5k8ZjWwBfQth5SfhCIp/daJgGzbYtR +P/BenAsY2KOap3tjT8Fsw5usuHSxzIojX6H0Gvu7Qzq11mLn43Q+BeQrRQTWeFRc +MQdy4iZFZXNNEp7dF8yE9VKHwdgSJPGUdxD6chMvf2tRCN6mlS171VLV6wVvZvez +H/vX5QKBgD2Dq/NHpjCpAsECP9awmNF5Akn5WJbRGmegwXIih2mOtgtYYDeuQyxY +ZCrdJFfIUjUVPagshEmUklKhkYMYpzy2PQDVtaVcm6UNFroxT5h+J+KDs1LN1H8G +LsASrzyAg8EpRulwXEfLrWKiu9DKv8bMEgO4Ovgz8zTKJZIFhcac +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/bob.pem b/src/security/builtin_plugins/tests/validate_local_identity/etc/bob.pem new file mode 100644 index 0000000..cf62cc3 --- /dev/null 
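Review bot: alice.pem adds an unencrypted RSA private key to the source tree with nothing that marks it as test-only, and bob.pem, ec_private_key, ec_private_key_unsupported and identity_ca_private_key later in this patch do the same; the last one is, judging by its name, the signing key of the identity_ca fixture. Because this material is public from the moment it is committed, I would add a README next to the files stating that, for example `Test fixtures only: these keys are published and must never be configured as a participant or CA identity outside the test suite.` The build rules for this test directory are not part of these hunks, so it is also worth confirming that etc/ is never installed or packaged, and adding these paths to the secret scanner's allowlist so that a real leaked key is not dismissed along with them.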
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/bob.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAweb6oblp8IcV2an3z5n484Hu8PdaF+CEpW6CHwV6d7C49pqi +0rGIYATSQJ/xZdTmXhcNHeIFYmwYMeWXXI7Ivgpb2CvB+d+IkyXza4jMoYOJElsW +RdU4sX8NxUuy6oyhGOWTT36eWuD/vFL3qK2CbrK55b9Q4hemj4SUIfCetiem4cet +gzSzu3WWzdAVLJ1rcg3H4uQzo39v695UkX3nJ97ga9UGEWkuRa1fjEqBnIyNzO+Z +notU01Ke2E+GVkUeaylDKpetOcbJrHerKiWiqH2JsO8ArmlSfOqW/8PLK3XXSrdt +cVHkDTCp+PR+q2nszDhN1OQVDLWfj9jgS5PwjwIDAQABAoIBAHfgWhED9VgL29le +uGMzmPLK4LM+6Qcb+kXghTeyhl1a928WeRVzRpG+SVJEz9QaBHYlICnaY2PO2kJ2 +49YIPFkpRFDn9JuLs/7tFonj4Eb2cBbWE3YG9W7e0t+oBiv1117yB9m8uSAMPG7s +iEpTQvE3M7CzT8kHwCS4XXCCN0z7LqKyZ1heScjdfhV3D2TnFFjdtQ/9KfQa3hIc +6ftbpi4EKbfasspyqfrJ/cqjHzse9iEXLOZJhs+atBAKe/uJ4Hc3LRPbX4MPniAp +JJrldXFK9p+HILlbXvu+5n+DSGbZmT1x9a/E9suGyoJiASDH2Ax4yCVTi+v8C1R2 +aKdU1LkCgYEA/3dFuM6zIHwiJ0GKT0gtJL6J3m+i51SNcRIm8deXt6HULMpUNajj +vZ1bgQm/h+uRBlPV3swkaVxvPTIabOTY4gmCBSzvVCSIAKHVc/+5Nkl9KruwSq4G +tctmXZ7ymMDi+6QGCJTJkAx6jptXyrzC00HOjXOwyQ+iDipqgr3A8FsCgYEAwk7B +2/hi569EIHFRT6nz/JMqQVPZ/MJDKoKhffTbnjQ5OAzpiVN6cyThMM1iVJEBFNhx +OEacy60Qj0TtR1oYrQSRSLm58TTxiuB4Pohbmg3iU+kSM/eTq/ups/Ul1oCs2eAb +POfweD3c4d4i7sN8bUNQXehiE4MOlK9TYQy39t0CgYAJht0mwy6S644qgJsz0bE9 +SY3Cqc8daV3M9axWIIAb7QEImpMBXUcA7zlWWpK18ub5oW68XEiPVU8grRmnLfGY +nFoo70ANlz8rJt3a8ZJqn9r3GQC+CDdf2DH9E8xgPfE5CSjgcQwDPzPi1ZA0k02A +q1eUltfk55xXguVt8r2bOQKBgQC7+kldr1yv20VDRZ1uPnMGRLE6Zg6bkqw78gid +vEbDNK6uZP+BlTr/LgyVk/yu52Fucz6FPPrvqEw+7mXHA4ifya1r+BHFIn0S57os +dOp5jTkKCI9NqxQ3683vhRjH/dA7L63qLFDdYqvP74FID+LOKbMURn6rdbyjZ0J4 +vz8yGQKBgHIzcKlQosRxf+KptOPMGRs30L9PnH+sNmTo2SmEzAGkBkt1msGRh/2l +uT3hOEhUXL9knRyXwQSXgrIwr9QwI5rGS5FAgX26TgBtPBDs2NuyyhhS5yxsiEPT +BR+EjQFW9dzRkpRJgvsG4DcNAhFn7fQqFNcWXgFWuBXmGNkdtEGR +-----END RSA PRIVATE KEY----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_ca new file mode 100644 index 0000000..cfd24b6 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_ca @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICEDCCAbegAwIBAgIJAPOifu8ejrRRMAoGCCqGSM49BAMCMGUxCzAJBgNVBAYT +Ak5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVjaG5v +bG9neSBCLlYuMSAwHgYDVQQDDBdDSEFNXzU3MCBDQSBjZXJ0aWZpY2F0ZTAeFw0x +OTAyMTgxMDQwMTZaFw00NjA3MDYxMDQwMTZaMGUxCzAJBgNVBAYTAk5MMRMwEQYD +VQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVjaG5vbG9neSBCLlYu +MSAwHgYDVQQDDBdDSEFNXzU3MCBDQSBjZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABMXCYXBHEryADoYXMEE0Jw9aHlA7p3KVFzuypxuez0n7rKoX +k9kanNtrw5o2X4WSWKM7zkH4I6AU7xSAQgJN+8GjUDBOMB0GA1UdDgQWBBR1Llq9 +zrRrTJLSvUJykksncZ+HsDAfBgNVHSMEGDAWgBR1Llq9zrRrTJLSvUJykksncZ+H +sDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIHKRM3VeB2F7z3nJT752 +gY5mNdj91ulmNX84TXA7UHNKAiA2ytpsV4OKURHkjyn1gnW48JDKtHGZF6/tMNvX +VrDITA== +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate new file mode 100644 index 0000000..5c29b6e --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate 
@@ -0,0 +1,50 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4096 (0x1000) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C=NL, ST=Some-State, O=ADLINK Technology B.V., CN=CHAM_570 CA certificate + Validity + Not Before: Feb 18 10:52:41 2019 GMT + Not After : Jul 6 10:52:41 2046 GMT + Subject: C=NL, ST=Some-State, O=ADLINK Technology B.V., CN=CHAM_570 Identity certificate + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:9d:b5:7b:f5:fe:63:da:24:e4:0c:26:c5:32:55: + 55:b3:7f:7a:60:ea:0d:56:2c:0a:85:e0:5b:85:5a: + 01:1b:69:fc:23:79:98:33:d6:60:d5:d9:ab:1e:1d: + 7a:1e:c2:5f:ad:30:9b:73:45:40:39:d9:07:f7:59: + 8d:44:f6:6b:e3 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Basic Constraints: + CA:false + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + C6:68:7E:D7:20:B3:51:4B:D4:50:54:26:12:86:BE:9B:EA:55:A1:EA + X509v3 Authority Key Identifier: + keyid:75:2E:5A:BD:CE:B4:6B:4C:92:D2:BD:42:72:92:4B:27:71:9F:87:B0 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:b2:a7:be:fb:0b:d4:e2:87:b0:2c:c9:b8:fa: + 10:b0:18:4b:dc:6a:bc:58:55:e8:22:46:93:d8:b1:5b:50:17: + 77:02:20:2a:cf:42:10:fc:7e:02:39:37:44:4a:cf:9b:a3:9a: + 55:cb:15:2d:12:86:06:7e:d4:b8:24:7a:57:13:48:b5:69 +-----BEGIN CERTIFICATE----- +MIICOzCCAeGgAwIBAgICEAAwCgYIKoZIzj0EAwIwZTELMAkGA1UEBhMCTkwxEzAR +BgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2d5IEIu +Vi4xIDAeBgNVBAMMF0NIQU1fNTcwIENBIGNlcnRpZmljYXRlMB4XDTE5MDIxODEw +NTI0MVoXDTQ2MDcwNjEwNTI0MVowazELMAkGA1UEBhMCTkwxEzARBgNVBAgMClNv +bWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2d5IEIuVi4xJjAkBgNV +BAMMHUNIQU1fNTcwIElkZW50aXR5IGNlcnRpZmljYXRlMFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAEnbV79f5j2iTkDCbFMlVVs396YOoNViwKheBbhVoBG2n8I3mY +M9Zg1dmrHh16HsJfrTCbc0VAOdkH91mNRPZr46N7MHkwCQYDVR0TBAIwADAsBglg +hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O 
+BBYEFMZoftcgs1FL1FBUJhKGvpvqVaHqMB8GA1UdIwQYMBaAFHUuWr3OtGtMktK9 +QnKSSydxn4ewMAoGCCqGSM49BAMCA0gAMEUCIQCyp777C9Tih7Asybj6ELAYS9xq +vFhV6CJGk9ixW1AXdwIgKs9CEPx+Ajk3RErPm6OaVcsVLRKGBn7UuCR6VxNItWk= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate_unsupported b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate_unsupported new file mode 100644 index 0000000..220abcf --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_identity_certificate_unsupported @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICFTCCAbygAwIBAgICEAEwCgYIKoZIzj0EAwIwWjELMAkGA1UEBhMCTkwxEzAR +BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5 +IEx0ZDETMBEGA1UEAwwKQ0hBTTUwMF9DQTAeFw0xODAyMTkxMDMyMjRaFw0xOTAy +MTkxMDMyMjRaMGExCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAYBgNVBAMMEUNIQU01 +NjkgdW5zdXAga2V5MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEKt3HYPnDlEOS +zYqTzT2patyreLHN2Jty22KXwjaNAjgrwujdPr+MW38DsyBF5Yn9o3sweTAJBgNV +HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp +Y2F0ZTAdBgNVHQ4EFgQUG9MuQz3W/AKA98AyOKhI2af9I+0wHwYDVR0jBBgwFoAU +ACsYsaEsZfjfRVrj0IBmcsncVyMwCgYIKoZIzj0EAwIDRwAwRAIgfhisahVmgghI +GaaQavdKHpM/OTVODZPzYjky6Am+z08CIBidnuuznXrZtr78oy/tAES/7Lz8P5Iw +Q1y5Vo8CdXQQ +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key new file mode 100644 index 0000000..214e2dd --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgP3SnBXzcCc0uUEiG +0CPNdcV0hBewOnVoh4d9q9E5U5ihRANCAASdtXv1/mPaJOQMJsUyVVWzf3pg6g1W +LAqF4FuFWgEbafwjeZgz1mDV2aseHXoewl+tMJtzRUA52Qf3WY1E9mvj +-----END PRIVATE KEY----- 
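Review bot: The validity period encoded in ec_identity_certificate_unsupported appears to run from 19 Feb 2018 to 19 Feb 2019 (the two UTCTime fields decode to `180219103224Z` and `190219103224Z`), so this fixture is already expired on any current clock. A test that expects the file to be rejected for its unsupported key type could then pass because of the expiry check instead, and would keep passing if the key-type check regressed; the test that consumes the file is not in this hunk, so whether that happens depends on the order of checks in the plugin. I would regenerate the fixture with a long validity period, as ec_identity_certificate has (`Not After : Jul 6 10:52:41 2046 GMT`), and have the test assert the specific exception code rather than only a failed result.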
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_unsupported b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_unsupported new file mode 100644 index 0000000..421d9a3 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_unsupported @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MG8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEVTBTAgEBBBh8p6kwBS7jT86ctN33 +Vs4vosHh7upPZBWhNAMyAAQq3cdg+cOUQ5LNipPNPalq3Kt4sc3Ym3LbYpfCNo0C +OCvC6N0+v4xbfwOzIEXlif0= +-----END PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_w_password b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_w_password new file mode 100644 index 0000000..f1f6e13 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/ec_private_key_w_password @@ -0,0 +1,8 @@ +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,11055B75D406068EB1FF850646228EA9 + +GUnwN8e2gvUkopN3ak+2dK1dSTSKSJguers3h5C+qQDq57By933ijCCjUTu2LY/F +ERH6m8UD6H5ij/QDsXLx6tH/dFQ7An+Zao3eD2N2zquGED/OfTQJFv3gBKs4RUtg +66dfuv9mNSXt7Rnu9uBNtodm5JGifczdmIPHn0mNY2g= +-----END EC PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca new file mode 100644 index 0000000..7e2675c --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE +BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp +ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx +MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k +ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz +2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf +zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB +pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL +FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME +BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW +gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB +Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME +BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK +KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI +KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU +AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI +hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s +iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC +LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm +geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t +Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd +sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca_private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca_private_key new file mode 100644 index 0000000..eb4f6fc --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_ca_private_key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAuhWt04Xi/lK3WQqfRoVP9lm53j9rf2r1Gt5rsA7bT8XiNl1P +ZGYwUfeZgF5nuEj1x5OfmAzd9fQKiI3t6Coc5Mv54Lyh9hpKCSmMVp7gwXzBB3VY +s9kPf8bKNmbx+dLpMFmtKX8dvxFVdcEcXkHEXf1FX6tykyYsxtDPPJjmLxhAMNyx +X83n+5NWgrjqH0Jgby7pFLnXGKTM38hxae5UKlOAnK60eUbZn4lH61n3Ri3mtojw +waSYDfBEjjMBB7TkxAQ3JWJx/S+Lewh0M/n110uSFhbAyvXwjEI58Q7A1Xjazc02 +CxWmazIPUuiFEAhLEFrJ6ucHkvKJjqVS1JvZJQIDAQABAoIBAFktMHtw60J0A3fB +dmkGVDa78y4F+I88g6/XrYXW6NUHAQyKlRSJQFjXrpFtLImNNXPqVA47BFftFusw +ETY0kFo5QkuoOnnFSXuwlJeiVhWDosHfQ54UxK+4ZYnCte3CXIwWPbzoNSoutWTU +IbMuE1vzlz5s3GCWZ9jzkoz4vT8NrkucEQ2sxvAVWk2//SoQljN+b4BLDdsWl3Bq +l+9JR2EzROXrPH5voYUZV17LbnCOmU+6ucxlGu704oqLJBxtNyYKsSEh4KMo4lX4 +bOZVSct3LXifj5BQmF9vbi5FiJqFGtoY4iBw0IUq05CJ4nsQuW1ZLucXaw1tBRKn +S1l/C0ECgYEA9zWVLQtWGrOZ7we7dTbF5ghZ541NjR9NmBFET5lNRU5yDG0poRdh +WD2qioGJigV6ZaEoXny0jFqqqqPM5S/sDRtoicK+XlFuhURw0CZCAsisjVhCDGXU ++FJRbR+As7NFvb/9itvNE+PD4p39UXObePzM9JnlHSP7Ml0KdJqcQHUCgYEAwLOp +Sp9k0CbFy/lQCSBbBiiu6ol/OxSzOBuZsFIbV8ILcn8v5NWdrcArssJBMdLTIaHN +nrTxKOOAzFnPW6DeRmWM/NnwizB/a6uo34q6ywmXmgFSQPX86XTVZCdD96nNik0C +KaEY2SqJxrnYstVApWRJAwy7T2jxJEj0aEZBH/ECgYEAmYyTuyXWdsFl9N2lp1m9 +NHOtfDD9oZF2/eSDvLlpEIp4NpW7jM7b7RZojp2FU9CxRN0EGSR2dNOAPHt/sj/A +7CdBGIh4/FayQl7Pf8qzp80DuMvAQrkhvphK8W/m3jeVMxZEovKCAD+yFVmy1dvs +DwtfNvM8J4yI47B85Q5/zV0CgYArxGKN/VfjYvsH0e9Ys02ZP4JC6MnJ/HCcLMCi +aHOnYf5BmhuhqNbwULZcGny+OTkU6XAPPN+NPubRAxDyqb3yVTxJbaKRqok2Rj3L +z/GPDfWt1+D7uiMgTxXscnKgfKOfZtA37kv7fwrd5PYP4BmXtwhSNgERDy+94wgH +6vT9sQKBgBqsTsdDmBmKLQM/JzQC2AeQo0/ZFZIXdsiCShMbo2XALlaxZDYDu1it +M/zkpmWmHncrBnnW3h6ME1ZZj2HGTowDuJvQqR7cZW5jWY3uLpOnEAGeOoKPhfOP +IW2pVPZXq3Zl1yn86oG7C7poPRq0PRu+q2HtHP6/M0NgtGBx8F9M +-----END RSA PRIVATE KEY----- 
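Review bot: `identity_ca_private_key` is an unencrypted RSA signing key for the test CA, and apart from the `tests/` path component nothing marks it as throwaway material. Anyone with the repository can issue certificates that chain to `identity_ca`, so that CA must never appear in a trust configuration outside the test suite. A short README next to the fixtures with a line such as `Test-only key material. Never use these keys or this CA in a deployment.` would make that explicit and give secret scanners a documented allow-list entry. The same applies to the other plaintext keys in this patch (`ec_private_key`, `new/identity_ca_private_key`, `new/private_key`, `old/alice.pem`, `old/bob.pem`). Generating the fixtures during the test run would keep key material out of the tree altogether, if the build can depend on the `openssl` tool.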
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate new file mode 100644 index 0000000..6d3379d --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE +BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp +ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy +MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v +gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD +3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk +ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox +qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn +ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH +/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI +KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE +AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB +gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK +KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID +BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7 +Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG +yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE +I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35 +iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl +nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA== +-----END CERTIFICATE----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate_1024key b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate_1024key new file mode 100644 index 0000000..9384833 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/identity_certificate_1024key @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrjCCAZYCCQDn8i4K9c4ErjANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjE2MTAy +MzM2WhcNMjMwODA5MTAyMzM2WjBXMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYD +VQQDDAdDSEFNNTY5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS5w0h8L70 +hkreKchVbTzfz4CrBLY4iADNSqPx9uW7DxjeHyLbKT2eRViY/xPuPXQmfRim01QM +sZWKvFr6k9WMsJ6ItNtCyKS/beONqvXOddIu+4IhNzEGs5v4pTJAOzraoZcVmXnf +Mr9G/baMYfMG47JR5HaSHDI5esa2STHt4wIDAQABMA0GCSqGSIb3DQEBCwUAA4IB +AQBdZ2ijHYH8TkOGBqzsNwnNwPaDb/NA0vAO9T5kSOm8HA8vKHnNza+DeUJN+5P/ +P4fLK7UZqpQN32MpvXL0068g99RLjAzAsEVn+0FTyc08r9p/KO/dxxdMKeET7Cpv +rMpu3W0A/EJptCQsTEZI0iqts7T2qQVXzoDlnUwEt3xdmKYJ9jbEq1UUCeexD3nP +LB+JtUtfGevVzIoBjHv0qA3ePA24jDUlx5bxFeoIDC4tEewvUG5ZekftsRdNe3fk +3LkwyK+4NN1ZCa2+S5SOAfjZA2o6qXiq/le0vWRgl7AHEgDr6w7xoRsw4K5dQ+0R +eKtsBC4XO1GqrNYdKuJb1MhI +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_ca new file mode 100644 index 0000000..b7b7678 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_ca 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDljCCAn6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UEBhMCTkwx +EzARBgNVBAgMCk92ZXJpanNzZWwxEDAOBgNVBAcMB0hlbmdlbG8xDzANBgNVBAoM +BkFETElOSzEYMBYGA1UEAwwPQ0hBTTUwMCBSb290IENBMB4XDTE4MDIwOTE2Mjky +MVoXDTI4MDIwNzE2MjkyMVowVTELMAkGA1UEBhMCTkwxEzARBgNVBAgMCk92ZXJp +anNzZWwxDzANBgNVBAoMBkFETElOSzEgMB4GA1UEAwwXQ0hBTTUwMCBJbnRlcm1l +ZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwucuU/L6N +iYxYJ7tyzcdzwXwYbr4GynZE4u2Sd7hcXrQGxTotm9BEhOZWscSGvH+UJSp0Vrb4 +3zDppiJ76ys6PeSBw1PpxdO97fO+eAE5DoXRj0a9lmnjbsV6waZ2GxgYQNVmKqbI +uPDfW+jsmRcTO94s05GWQshHeiqxuEUAv3/Qe2vOhulrg4YDcXrIDWK93cr1EmRX +Eq3Ck+Fjwtk5wAk3TANv2XQkVfS80jYAurL8J+XC2kyYB7e8KO92zqlfVXXMC3NI +YDcq86bAI4NNMjVE2zIVheMLoOEXaV7KUTYfEQABZl76aWLDxjED9kf371tcrZzJ +6xZ1M/rPGNblAgMBAAGjZjBkMB0GA1UdDgQWBBQngrlZqhQptCR4p04zqHamYUx7 +RTAfBgNVHSMEGDAWgBQrLYI+RHJtx1Pze8MSZbhaOful1DASBgNVHRMBAf8ECDAG +AQH/AgEAMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEAfMmiQ0tv +o3K3xwSS621tsfkijUTx920hAe1XYY2XKrG7a/MJBhStex5A3AfqPOY9UMihkBl9 +3hgxOaddX9SAf2eLk2JLhqxZi1U/GVzT5h10AKLA5WUXIK4UGz3JRqhEm7V39t/N +G0LCdpWOZueezkfO6eGcAvOKthdd32a3zbn+rzzDHdsjzxhEEv8d8x1Xf4xH2dgk +HlpmpvXMfG/1aCzIpWGEPdkB7WR694GiCmh7hnFBiY+h1GFj2l5dThd51QqAlncM +u+NmlPCrFZL0ulwRFeo80KOwDpxkqgavDlP9irdWqM9VHybjGu0xFHCeElz9M6od +ym/MCh4ax7jDxg== +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_certificate new file mode 100644 index 0000000..453f1fd --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_identity_certificate 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVTQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw +NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD +VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo +97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M +aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr +A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg +XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629 +V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr +ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT +liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD// +UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9 +3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt +988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359 +ihiEkx9zFUnPrdA= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_private_key new file mode 100644 index 0000000..2672622 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/invalid_private_key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0Z5zZ1dz2a22cI8ZPnZEHDt6St8DL6AzQBzz4k310Vdioyx8 +bLiu8Ffhjx5l6Pe26LerwcTUDe4X8aAyy/igTvbN1fvDl+pTqxe4UOvuv6fRIEaM +jRqNtXiMxsHNjGiQCoyJjTGzOxQ074ZN7vlU0ybZZyryTNbYJ3GxGcES64v9jBAu +V0vzuRUE+AFz6wOm0XBjKglWLUNHIusHdfD3oAP60phkkX/0zneI2V5MXxw/mDpB +3Mcc/bF+Cp8joF2ZvIw3QXO68Yg3qfJCIy9OlbMyXqEK8Y7n/HDWbW6Jf+xAkuWj +NmDse7dA3P+tvVdkOcGkVQVecVQidAc1IfKyBQIDAQABAoIBAEddUpzUQTTS11Hq +5gVF7lpORYxH8KW+PLSPJtjdAduLjKAQ++tn1OcuhDRdfQSbkUIZhfgqMqerb6tr +ht+6fZlknR9E34pQ1LtjD/U83cOSNrhuTFudtrEZoZPpVzl+P8vXnNzdFs/+SSdi +6hV5/U8F4u4kyOkwG9cR9eF2wiI+oQ/RBKCXUo3OVs9K27A/OkKsb7coL7yBsgBj +lzorS9a/DyHT2eiMKjwCZFyG4A66EkLi6t9JLJ8oTkI2WskXYeVEAbEXE57RWm44 +2OgTgfsgYgf2ftXq93KD17FN1m77dqp7EPAhjGnRHNq7+0Ykr1EO1nbDfqHG4gS+4o +lfP8iwECgYEA58da0R34l93yQnK0mAtoobwvsOjADnBVhBg9L4s2eDs8liUjf0zt +7hcMdUJaa7iMuNf3qGtnZtRURc3kSOE429Or7fCAYUr/AaA7+2ekPG1vjMb50tVv +se5rwb1hvgMYe2L5ktJJAg+RcmqpY+ncJ+hP/vWwZRxUKvXba50qqEkCgYEA54ZE +mJfSueGM/63xlhP71CM4OWtTqkQGp2OmgTOsBI5q/GUXr8vMR8sCEMHAc6HyXzmL +x/RnAoa/vTX58rXBk0QjfO9esIHa452697EIaJu5w8skCLDv2e/f+Jg7o/IDyUZs +5lqhiEuH9Qc3sx2nhnSYXMZWqwh8OchI7dCSE90CgYEAzrJ1JhpxUJYI7wM2VIWQ +GPQnH8BhTj8VtEidgCHJQK2rGUcjgepMIVECtiunUXtyW4GWBedKfmSKhvnXRLs9 +pqT9JaOeCaYFBiEsfMZvqUY4e/YSYtge1PIHvO40FWzTT23zneDUZPcXQY8nYsfy +otBFTt0yIumBkhJRTIYLvakCgYA+CcttvBj6OAcJJ/n5RgeP05QoRqsXj7zcs6YV +LtxkKClg0lHjiE+H2U0HYnOISJfijk/3V3UWxzavo7wDHlLtfC+qNZYA4/rcTRKh +dm2TYk8HuPJB5e+PTWiNe3VXu+zpzRY3L4fjNqIKtVFmjIasT6fYDEmC8PYgoZtx +JhdOfQKBgCD/bDkc+VI6lwQtoQQKiSfQjKGe+6Cw9K/obzWO0uJwBvZrGLXF8tTc +MOPIv9OILt7DYxpMXAiHv8HtzH5CFVrZ/nj63Soka/j2yvUdBDrGhyIbsc4pDu+ +lCFa0ZiT/u5vRAiOkM6GuStH4HxnW9LtwBtiYXtfU7IPExJiAlsq +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/new/CHAM-577.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/CHAM-577.crt new file mode 100644 index 0000000..3b30c97 --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/CHAM-577.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEPTCCAyWgAwIBAgIIRmtzSKaI+rowDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE +BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp +ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDMy +MzEyMDEwMFoYDzIyMjIwMjIyMjIyMjAwWjBYMQswCQYDVQQGEwJOTDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MREwDwYDVQQDEwhDSEFNLTU3NzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMKlWGK8f/AEjK7viu9CdydJmorKyk3oK8PWmZX3B+3k8eFW32NXv2+BK5vk +sAOhEcCAV2/125iAGvXs5vq5GshjgHXwJysKOFBwLiCPHzLaOX095ib6pgPejjgV +gGsGrRAKetCAqxv+pf1n4zD9VSLDrnHrxbzvosQdBCgSBPiTFK5qDAGhVGR48Pp9 +gAqZPhdLfH47S/6scRJNywoXrIxp2CnuHd4fVvyQlPNLHwlX1nOr76bGOjGqFsFU +/mcPN7aGFIh4KQK9KvHt5+SApLgBBdrn9njgaIC7VN9ddSp2Jz2vHAPR52dqM0SW +dl7uyOiT/TK6q8f7aFKqk29r/OkCAwEAAaOCAQAwgf0wDAYDVR0PBAUDAwf/gDCB +7AYDVR0lBIHkMIHhBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEF +BQcDBAYIKwYBBQUHAwgGCisGAQQBgjcCARUGCisGAQQBgjcCARYGCisGAQQBgjcK +AwEGCisGAQQBgjcKAwMGCisGAQQBgjcKAwQGCWCGSAGG+EIEAQYLKwYBBAGCNwoD +BAEGCCsGAQUFBwMFBggrBgEFBQcDBgYIKwYBBQUHAwcGCCsGAQUFCAICBgorBgEE +AYI3FAICBggrBgEFBQcDCQYIKwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0G +CSqGSIb3DQEBCwUAA4IBAQAniERWU9f/ijm9t8xuyOujEKDJl0Ded4El9mM5UYPR +ZSnabPNKQjABBS4sVISIYVwfQxGkPgK0MeMBKqs/kWsZ4rp8h5hlZvxFX8H148mo +3apNgdc/VylDBW5Ltbrypn/dZh9hFZE8Y/Uvo9HPksVEkjYuFN5v7e8/mwxTcrZ1 +BAZrTlDTiCR046NN1lUs/7oUaNCruFV7AU6RbGYnSzM6plPJHMRa9nzNeO0uPaHK +kNPe+/UGpMi7cpF9w0M5Z1wW+Nq45bBRejFLQkHSjOEeGL2zi7T1HFAHZQydd6Wo +zYffGTmyHqIjNArbOWEMYN6s1nqsQS+ifolr0MtfeHad +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca new file mode 100644 index 0000000..7e2675c --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE +BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp +ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx +MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k +ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz +2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf +zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB +pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL +FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME +BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW +gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB +Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME +BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK +KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI +KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU +AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI +hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s +iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC +LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm +geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t +Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd +sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca_private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca_private_key new file mode 100644 index 0000000..eb4f6fc --- /dev/null 
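Review bot: `etc/new/identity_ca` is added with blob id 7e2675c, the same id as `etc/identity_ca` earlier in this patch, so the two files are byte-identical copies. `new/identity_ca_private_key` (eb4f6fc) and `new/identity_certificate` (6d3379d) likewise repeat their `etc/` counterparts. Pointing the tests that read from `etc/new/` at the existing files would leave a single copy of each credential to reissue or replace. If the copies are deliberate, a note in the test directory saying why would help the next maintainer.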
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_ca_private_key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAuhWt04Xi/lK3WQqfRoVP9lm53j9rf2r1Gt5rsA7bT8XiNl1P +ZGYwUfeZgF5nuEj1x5OfmAzd9fQKiI3t6Coc5Mv54Lyh9hpKCSmMVp7gwXzBB3VY +s9kPf8bKNmbx+dLpMFmtKX8dvxFVdcEcXkHEXf1FX6tykyYsxtDPPJjmLxhAMNyx +X83n+5NWgrjqH0Jgby7pFLnXGKTM38hxae5UKlOAnK60eUbZn4lH61n3Ri3mtojw +waSYDfBEjjMBB7TkxAQ3JWJx/S+Lewh0M/n110uSFhbAyvXwjEI58Q7A1Xjazc02 +CxWmazIPUuiFEAhLEFrJ6ucHkvKJjqVS1JvZJQIDAQABAoIBAFktMHtw60J0A3fB +dmkGVDa78y4F+I88g6/XrYXW6NUHAQyKlRSJQFjXrpFtLImNNXPqVA47BFftFusw +ETY0kFo5QkuoOnnFSXuwlJeiVhWDosHfQ54UxK+4ZYnCte3CXIwWPbzoNSoutWTU +IbMuE1vzlz5s3GCWZ9jzkoz4vT8NrkucEQ2sxvAVWk2//SoQljN+b4BLDdsWl3Bq +l+9JR2EzROXrPH5voYUZV17LbnCOmU+6ucxlGu704oqLJBxtNyYKsSEh4KMo4lX4 +bOZVSct3LXifj5BQmF9vbi5FiJqFGtoY4iBw0IUq05CJ4nsQuW1ZLucXaw1tBRKn +S1l/C0ECgYEA9zWVLQtWGrOZ7we7dTbF5ghZ541NjR9NmBFET5lNRU5yDG0poRdh +WD2qioGJigV6ZaEoXny0jFqqqqPM5S/sDRtoicK+XlFuhURw0CZCAsisjVhCDGXU ++FJRbR+As7NFvb/9itvNE+PD4p39UXObePzM9JnlHSP7Ml0KdJqcQHUCgYEAwLOp +Sp9k0CbFy/lQCSBbBiiu6ol/OxSzOBuZsFIbV8ILcn8v5NWdrcArssJBMdLTIaHN +nrTxKOOAzFnPW6DeRmWM/NnwizB/a6uo34q6ywmXmgFSQPX86XTVZCdD96nNik0C +KaEY2SqJxrnYstVApWRJAwy7T2jxJEj0aEZBH/ECgYEAmYyTuyXWdsFl9N2lp1m9 +NHOtfDD9oZF2/eSDvLlpEIp4NpW7jM7b7RZojp2FU9CxRN0EGSR2dNOAPHt/sj/A +7CdBGIh4/FayQl7Pf8qzp80DuMvAQrkhvphK8W/m3jeVMxZEovKCAD+yFVmy1dvs +DwtfNvM8J4yI47B85Q5/zV0CgYArxGKN/VfjYvsH0e9Ys02ZP4JC6MnJ/HCcLMCi +aHOnYf5BmhuhqNbwULZcGny+OTkU6XAPPN+NPubRAxDyqb3yVTxJbaKRqok2Rj3L +z/GPDfWt1+D7uiMgTxXscnKgfKOfZtA37kv7fwrd5PYP4BmXtwhSNgERDy+94wgH +6vT9sQKBgBqsTsdDmBmKLQM/JzQC2AeQo0/ZFZIXdsiCShMbo2XALlaxZDYDu1it +M/zkpmWmHncrBnnW3h6ME1ZZj2HGTowDuJvQqR7cZW5jWY3uLpOnEAGeOoKPhfOP +IW2pVPZXq3Zl1yn86oG7C7poPRq0PRu+q2HtHP6/M0NgtGBx8F9M +-----END RSA PRIVATE KEY----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_certificate new file mode 100644 index 0000000..6d3379d --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/identity_certificate @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE +BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp +ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy +MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v +gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD +3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk +ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox +qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn +ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH +/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI +KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE +AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB +gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK +KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID +BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7 +Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG +yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE +I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35 +iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl +nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA== +-----END CERTIFICATE----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/new/private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/private_key new file mode 100644 index 0000000..06f57d1 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/new/private_key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf +Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m +JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM +AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv +psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c +A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx +m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK +GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+ +BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2 +iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw +Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i +2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y +T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6 +D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB +Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG +eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ +2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV +0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt +O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+ +pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba +VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k +X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD +NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc +nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi +w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk= +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Alice_Test_2.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Alice_Test_2.crt new file mode 100644 index 0000000..f5f77eb --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Alice_Test_2.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEJTCCAw2gAwIBAgIBFzANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGjAYBgNVBAMTEUlkZW50 +aXR5IENBIFRlc3QyMSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0ZWNo +LmNvbTAeFw0xODA3MjAwMDAwMDBaFw0yNzA3MTkyMzU5NTlaMG0xCzAJBgNVBAYT +Ak5MMQswCQYDVQQIEwJPVjETMBEGA1UEChMKQURMaW5rIElTVDEUMBIGA1UEAxML +QWxpY2UgVGVzdDIxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Fb60RkFrDsRAIRf +LMf2fsiRnw9Agp7yEbUsA4Zg4X+hRhBkk78fFtagLisWo4LbT4DqKzqQXCvVnOn9 +a6uT0KsVejk2iaLoBy0fotQznudio3rzDpTfzP9eRDFVj8RJnl3JJ8P1DULxH7N0 +TyDBuKZ1ibBfuKjPffqeCEzYKgAc8NG2FB4m6mXzHhXuKw6W2v0IbHz6KYldsavf +04rq7ztw0t67bexSQ4gLSVJEwiohAregm0dLvQnap5xd2qn0yETteTL8Y+Ujym1D +WAnwDdwA6+0j2a0wkyzOzYQpZMt95NyZ8kcoqEqO8KAN2HclqfjHlg9iDscbof5x +45SQwwIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFL66FT0vnlFE ++PKrtV+KhJoLsCOWMB8GA1UdIwQYMBaAFIFGyWkPWvNkBD2SCYj9H+NfnlOLMA8G +A1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYBBQUHAwEGCCsGAQUFBwMC +BggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDCQYIKwYBBQUH +Aw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEBCwUAA4IBAQCsBINpBXSp +Xe3f5MMObeUXE2VhWZWIjMdDQRFDDjq6u1YR7rbffsCReiCX5zviU2dtVV8VN3MQ +k7wp8qEDKwP1ToMIwZGwT4Hfwei1eueJ1vuotgiGe0Gm3otXlGsb0C5otnsu63MM +OeFgkpZde3VpIqK9EmhgjWOD8TXc8Me7zBlYSEIaXkkwP0jAKRf5vFgz0WfE5ITx +SDKUO0OrcN789flO/OKLAHZ4cqNcxNPkMz7h9VBSgRRRk115HEa8Fe46nl1YpwRG +0urHlyAKoUV+J+I3Qy4+SwIDwix978hgGN3bKVyv9q0yAQRzpZ54EJOj4C7lNEpB +roGVpY4yYP/B +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Bob_Chain_Test.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Bob_Chain_Test.crt new file mode 100644 index 0000000..e980af3 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Bob_Chain_Test.crt 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEJDCCAwygAwIBAgIBAzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxJDAiBgNVBAMTG0lkZW50 +aXR5IENBIFRlc3QgV2l0aCBDaGFpbjEmMCQGCSqGSIb3DQEJARYXaW5mb0Bpc3Qu +YWRsaW5rdGVjaC5jb20wHhcNMTgwNjEzMDAwMDAwWhcNMjcwNjEwMjM1OTU5WjBw +MQswCQYDVQQGEwJOTDELMAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1Qx +FzAVBgNVBAMTDkJvYiBDaGFpbiBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlz +dC5hZGxpbmt0ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMHm+qG5afCHFdmp98+Z+POB7vD3WhfghKVugh8FenewuPaaotKxiGAE0kCf8WXU +5l4XDR3iBWJsGDHll1yOyL4KW9grwfnfiJMl82uIzKGDiRJbFkXVOLF/DcVLsuqM +oRjlk09+nlrg/7xS96itgm6yueW/UOIXpo+ElCHwnrYnpuHHrYM0s7t1ls3QFSyd +a3INx+LkM6N/b+veVJF95yfe4GvVBhFpLkWtX4xKgZyMjczvmZ6LVNNSnthPhlZF +HmspQyqXrTnGyax3qyoloqh9ibDvAK5pUnzqlv/Dyyt110q3bXFR5A0wqfj0fqtp +7Mw4TdTkFQy1n4/Y4EuT8I8CAwEAAaOBuzCBuDAdBgNVHQ4EFgQUQpxLPHT5o/GQ +RwdBw2scINXnWlUwHwYDVR0jBBgwFoAUTVVCTRc4ST0XmE+EEsenSudwlwkwDwYD +VR0PAQH/BAUDAwf/gDBlBgNVHSUBAf8EWzBZBggrBgEFBQcDAQYIKwYBBQUHAwIG +CCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBggrBgEFBQcD +DQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBAJwd60WigqbB +/6CT0ekvXZdvIV5IaIKiy6KYU0/0ebPVXn0YKp9LQTE6lYCr6hZUcEjBfkFBZhAy +KJJOb2sUXAnYqnX/mIipiNb7oHsCHxVCKAwEcmxsS3tGl2CXgpKL8EQQFKJgSrC/ +uzhf2QESQ0T5Mgni1jXXGf6SAwFAjk+mAM9bMdrtLOX39e5aKrgpZOHmdFke+m/K +upxP/M0/omTNNQaSfWDmfDvpdsRD9+mFG12Kzgpue2jut1qeICvSmcQsu2OBYG/Q +ZXMx8e8azoX0KB+njf826UcVgDkDmfwN9taOU2lFsmZAvYhpIslNwtH/Htu3zJWO +vQxyIh+kxFQ= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test2.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test2.crt new file mode 100644 index 0000000..592eea3 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test2.crt 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKzCCAxOgAwIBAgIBFjANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGjAYBgNVBAMTEUlkZW50 +aXR5IENBIFRlc3QyMSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0ZWNo +LmNvbTAeFw0xODA3MjAwMDAwMDBaFw0yNzA3MTkyMzU5NTlaMHMxCzAJBgNVBAYT +Ak5MMQswCQYDVQQIEwJPVjETMBEGA1UEChMKQURMaW5rIElTVDEaMBgGA1UEAxMR +SWRlbnRpdHkgQ0EgVGVzdDIxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlu +a3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyIweDOdB +xotexcDiUdbIdDLu9A6/KSpkxUJnYb2iRhBonmCNFvErEokso/Dga6QT3rg83UCg +GMJBSJSZhq/j+eZweHoXS8Ccet/aF2iNj5A5Uhn476M3zMg+rCoos2yKlpZLOz1x +QjrRJfeOoBHvkHkxBeupnnQPx4oAro7zoXMIO83NKLwCROC/kGq1ktW8fbKa5THQ +z0QfZG3zAeD93N+dTAqA+jkCfzbrQepF243Tu4cLaGwVALZ/8cZ7sky8+OOmKnBU +P9r+U/4L62DVJYnYkTGnYEwqXcM1b8/JHasmKEaHXgAu/UI5i/SZfRPZUyC1ERSv +tX6k7sBxZZSPLQIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIFG +yWkPWvNkBD2SCYj9H+NfnlOLMB8GA1UdIwQYMBaAFIFGyWkPWvNkBD2SCYj9H+Nf +nlOLMA8GA1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYBBQUHAwEGCCsG +AQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDCQYI +KwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEBCwUAA4IBAQCK +SkemYQIvsslkMc8PNHSk2om4xk7hUXkatAZPN9dvRravu3PJqMWxpQ0TWbddrkBL +he7/ARC2G9vVUwQl2b8K1Rjt/nZ3j+NPvhCDzcPyxjornyN8IG1NJQVH18fTxR23 +6PvDBE0H2trA3WJgKo6Wlxo6CHWts8ulFWWXBE1nNQw30hU49FDsFn3nz6Gry4ti +/ouAvbz+UXSsT9R+zkci3A394sEsOCZSStgAnXsejU45pCt6OtCGaLfDvEPp21az +OEjuIaj6Kbd+MHeLyPoe+d1Bkl39OnAUEJ8q2HdwvIg2ZqP6h0agm5gpZo/ALDWn +9P3owIGVsHFGkYqhHc+K +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test_With_Chain.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test_With_Chain.crt new file mode 100644 index 0000000..35506b8 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/Identity_CA_Test_With_Chain.crt 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENDCCAxygAwIBAgIBAjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50 +aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMB4XDTE4MDYxMzAwMDAwMFoXDTI3MDYxMDIzNTk1OVowfTELMAkGA1UEBhMC +TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMSQwIgYDVQQDExtJ +ZGVudGl0eSBDQSBUZXN0IFdpdGggQ2hhaW4xJjAkBgkqhkiG9w0BCQEWF2luZm9A +aXN0LmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA1r8Q0V8ZVeBs8tPMF0N+JlBynl1Zn/89vwSsU4m7y6ixUcW/y3r12CMeA0cH +g6yOaOdHsZ8pRlPRwy9YmeOwLsMOUHAURP2uPiTjSf3pttUIf0jv602GyirNzoS7 +7mHiyTtV80ZMzZlLIJ3gaJJlG4DjitFuFcjv8sOmviFjkn1kOjkAz1nKgsCiHvvg +fcJlYPrtLfle9SzvZ3MTq4ob+/EFu9nt5bYYs7p7Br1TGWctUw98l2mSn/FhfDBw +9bb7ZhcKB7W6PGy2Os5AnkdTJKHoOQT+RmnHzPBhab0BoKuy8IhfW2GyqC8rL5Tm +/UVLUvnx4Zzqz//3IyA2FTb1HQIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYD +VR0OBBYEFE1VQk0XOEk9F5hPhBLHp0rncJcJMB8GA1UdIwQYMBaAFER4R6N3MQ1W +l7gn+R8wwHloDCVZMA8GA1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYB +BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggr +BgEFBQcDCQYIKwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEB +CwUAA4IBAQCbl7ed4p66G6WquxO7ceZFvYKn3kDErjCfXHcqHxBnA2xTpoZCGj95 +Qpirqo6N4UcLX5sn3CmgyVk0dYvlti/53FJgZ9XQDNxBuEYWPkY7vO+Uo0WdYpGz +ZDNIUQpiPMA7bHvwKldTIs77xxtnw9kbBU2k0xQyb2tdZNfD5YqSI1MeUtpEpNFW +sbC8+mQ3clzWpjF8eHH1fFSAmlJ+z1Uqmtt2FK0vRz+MQcpydwvpMnfqGdcwhGPQ +X4HZreLObjBA8KUEkUB3+rZXuELBgkk/c8/jRZl7QF5jJDLQCCLg7KoYBKN2GuTt +/dzeSnP7VZm/nTL8wpCvKgSOwOGgklf2 +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/alice.pem b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/alice.pem new file mode 100644 index 0000000..07a5977 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/alice.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0Fb60RkFrDsRAIRfLMf2fsiRnw9Agp7yEbUsA4Zg4X+hRhBk +k78fFtagLisWo4LbT4DqKzqQXCvVnOn9a6uT0KsVejk2iaLoBy0fotQznudio3rz +DpTfzP9eRDFVj8RJnl3JJ8P1DULxH7N0TyDBuKZ1ibBfuKjPffqeCEzYKgAc8NG2 +FB4m6mXzHhXuKw6W2v0IbHz6KYldsavf04rq7ztw0t67bexSQ4gLSVJEwiohAreg +m0dLvQnap5xd2qn0yETteTL8Y+Ujym1DWAnwDdwA6+0j2a0wkyzOzYQpZMt95NyZ +8kcoqEqO8KAN2HclqfjHlg9iDscbof5x45SQwwIDAQABAoIBAG0dYPeqd0IhHWJ7 +8azufbchLMN1pX/D51xG2uptssfnpHuhkkufSZUYi4QipRS2ME6PYhWJ8pmTi6lH +E6cUkbI0KGd/F4U2gPdhNrR9Fxwea5bbifkVF7Gx/ZkRjZJiZ3w9+mCNTQbJDKhh +wITAzzT6WYznhvqbzzBX1fTa6kv0GAQtX7aHKM+XIwkhX2gzU5TU80bvH8aMrT05 +tAMGQqkUeRnpo0yucBl4VmTZzd/+X/d2UyXR0my15jE5iH5o+p+E6qTRE9D+MGUd +MQ6Ftj0Untqy1lcog1ZLL6zPlnwcD4jgY5VCYDgvabnrSwymOJapPLsAEdWdq+U5 +ec44BMECgYEA/+3qPUrd4XxA517qO3fCGBvf2Gkr7w5ZDeATOTHGuD8QZeK0nxPl +CWhRjdgkqo0fyf1cjczL5XgYayo+YxkO1Z4RUU+8lJAHlVx9izOQo+MTQfkwH4BK +LYlHxMoHJwAOXXoE+dmBaDh5xT0mDUGU750r763L6EFovE4qRBn9hxkCgYEA0GWz +rpOPNxb419WxG9npoQYdCZ5IbmEOGDH3ReggVzWHmW8sqtkqTZm5srcyDpqAc1Gu +paUveMblEBbU+NFJjLWOfwB5PCp8jsrqRgCQSxolShiVkc3Vu3oyzMus9PDge1eo +9mwVGO7ojQKWRu/WVAakENPaAjeyyhv4dqSNnjsCgYEAlwe8yszqoY1k8+U0T0G+ +HeIdOCXgkmOiNCj+zyrLvaEhuS6PLq1b5TBVqGJcSPWdQ+MrglbQIKu9pUg5ptt7 +wJ5WU+i9PeK9Ruxc/g/BFKYFkFJQjtZzb+nqm3wpul8zGwDN/O/ZiTqCyd3rHbmM +/dZ/viKPCZHIEBAEq0m3LskCgYBndzcAo+5k8ZjWwBfQth5SfhCIp/daJgGzbYtR +P/BenAsY2KOap3tjT8Fsw5usuHSxzIojX6H0Gvu7Qzq11mLn43Q+BeQrRQTWeFRc +MQdy4iZFZXNNEp7dF8yE9VKHwdgSJPGUdxD6chMvf2tRCN6mlS171VLV6wVvZvez +H/vX5QKBgD2Dq/NHpjCpAsECP9awmNF5Akn5WJbRGmegwXIih2mOtgtYYDeuQyxY +ZCrdJFfIUjUVPagshEmUklKhkYMYpzy2PQDVtaVcm6UNFroxT5h+J+KDs1LN1H8G +LsASrzyAg8EpRulwXEfLrWKiu9DKv8bMEgO4Ovgz8zTKJZIFhcac +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/bob.pem b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/bob.pem new file mode 100644 index 0000000..cf62cc3 --- /dev/null 
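Review bot: alice.pem adds an unencrypted RSA private key with nothing in the file or beside it saying it is a throwaway test key; the same holds for bob.pem, ec_private_key, private_key and private_key_1024 later in this patch. Secret scanners will flag every one of these. A reader also cannot tell from the tree that the keys, and the test CAs they chain to, must never be provisioned or trusted outside the test suite. I would add a short README in `tests/validate_local_identity/etc/` stating that all material here is generated for tests only and how it was generated, and that any scanner allowlist should be scoped to this directory rather than to `*.pem`.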
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/bob.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAweb6oblp8IcV2an3z5n484Hu8PdaF+CEpW6CHwV6d7C49pqi +0rGIYATSQJ/xZdTmXhcNHeIFYmwYMeWXXI7Ivgpb2CvB+d+IkyXza4jMoYOJElsW +RdU4sX8NxUuy6oyhGOWTT36eWuD/vFL3qK2CbrK55b9Q4hemj4SUIfCetiem4cet +gzSzu3WWzdAVLJ1rcg3H4uQzo39v695UkX3nJ97ga9UGEWkuRa1fjEqBnIyNzO+Z +notU01Ke2E+GVkUeaylDKpetOcbJrHerKiWiqH2JsO8ArmlSfOqW/8PLK3XXSrdt +cVHkDTCp+PR+q2nszDhN1OQVDLWfj9jgS5PwjwIDAQABAoIBAHfgWhED9VgL29le +uGMzmPLK4LM+6Qcb+kXghTeyhl1a928WeRVzRpG+SVJEz9QaBHYlICnaY2PO2kJ2 +49YIPFkpRFDn9JuLs/7tFonj4Eb2cBbWE3YG9W7e0t+oBiv1117yB9m8uSAMPG7s +iEpTQvE3M7CzT8kHwCS4XXCCN0z7LqKyZ1heScjdfhV3D2TnFFjdtQ/9KfQa3hIc +6ftbpi4EKbfasspyqfrJ/cqjHzse9iEXLOZJhs+atBAKe/uJ4Hc3LRPbX4MPniAp +JJrldXFK9p+HILlbXvu+5n+DSGbZmT1x9a/E9suGyoJiASDH2Ax4yCVTi+v8C1R2 +aKdU1LkCgYEA/3dFuM6zIHwiJ0GKT0gtJL6J3m+i51SNcRIm8deXt6HULMpUNajj +vZ1bgQm/h+uRBlPV3swkaVxvPTIabOTY4gmCBSzvVCSIAKHVc/+5Nkl9KruwSq4G +tctmXZ7ymMDi+6QGCJTJkAx6jptXyrzC00HOjXOwyQ+iDipqgr3A8FsCgYEAwk7B +2/hi569EIHFRT6nz/JMqQVPZ/MJDKoKhffTbnjQ5OAzpiVN6cyThMM1iVJEBFNhx +OEacy60Qj0TtR1oYrQSRSLm58TTxiuB4Pohbmg3iU+kSM/eTq/ups/Ul1oCs2eAb +POfweD3c4d4i7sN8bUNQXehiE4MOlK9TYQy39t0CgYAJht0mwy6S644qgJsz0bE9 +SY3Cqc8daV3M9axWIIAb7QEImpMBXUcA7zlWWpK18ub5oW68XEiPVU8grRmnLfGY +nFoo70ANlz8rJt3a8ZJqn9r3GQC+CDdf2DH9E8xgPfE5CSjgcQwDPzPi1ZA0k02A +q1eUltfk55xXguVt8r2bOQKBgQC7+kldr1yv20VDRZ1uPnMGRLE6Zg6bkqw78gid +vEbDNK6uZP+BlTr/LgyVk/yu52Fucz6FPPrvqEw+7mXHA4ifya1r+BHFIn0S57os +dOp5jTkKCI9NqxQ3683vhRjH/dA7L63qLFDdYqvP74FID+LOKbMURn6rdbyjZ0J4 +vz8yGQKBgHIzcKlQosRxf+KptOPMGRs30L9PnH+sNmTo2SmEzAGkBkt1msGRh/2l +uT3hOEhUXL9knRyXwQSXgrIwr9QwI5rGS5FAgX26TgBtPBDs2NuyyhhS5yxsiEPT +BR+EjQFW9dzRkpRJgvsG4DcNAhFn7fQqFNcWXgFWuBXmGNkdtEGR +-----END RSA PRIVATE KEY----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_ca new file mode 100644 index 0000000..cfd24b6 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_ca @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICEDCCAbegAwIBAgIJAPOifu8ejrRRMAoGCCqGSM49BAMCMGUxCzAJBgNVBAYT +Ak5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVjaG5v +bG9neSBCLlYuMSAwHgYDVQQDDBdDSEFNXzU3MCBDQSBjZXJ0aWZpY2F0ZTAeFw0x +OTAyMTgxMDQwMTZaFw00NjA3MDYxMDQwMTZaMGUxCzAJBgNVBAYTAk5MMRMwEQYD +VQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVjaG5vbG9neSBCLlYu +MSAwHgYDVQQDDBdDSEFNXzU3MCBDQSBjZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABMXCYXBHEryADoYXMEE0Jw9aHlA7p3KVFzuypxuez0n7rKoX +k9kanNtrw5o2X4WSWKM7zkH4I6AU7xSAQgJN+8GjUDBOMB0GA1UdDgQWBBR1Llq9 +zrRrTJLSvUJykksncZ+HsDAfBgNVHSMEGDAWgBR1Llq9zrRrTJLSvUJykksncZ+H +sDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIHKRM3VeB2F7z3nJT752 +gY5mNdj91ulmNX84TXA7UHNKAiA2ytpsV4OKURHkjyn1gnW48JDKtHGZF6/tMNvX +VrDITA== +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate new file mode 100644 index 0000000..5c29b6e --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate 
@@ -0,0 +1,50 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4096 (0x1000) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C=NL, ST=Some-State, O=ADLINK Technology B.V., CN=CHAM_570 CA certificate + Validity + Not Before: Feb 18 10:52:41 2019 GMT + Not After : Jul 6 10:52:41 2046 GMT + Subject: C=NL, ST=Some-State, O=ADLINK Technology B.V., CN=CHAM_570 Identity certificate + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:9d:b5:7b:f5:fe:63:da:24:e4:0c:26:c5:32:55: + 55:b3:7f:7a:60:ea:0d:56:2c:0a:85:e0:5b:85:5a: + 01:1b:69:fc:23:79:98:33:d6:60:d5:d9:ab:1e:1d: + 7a:1e:c2:5f:ad:30:9b:73:45:40:39:d9:07:f7:59: + 8d:44:f6:6b:e3 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Basic Constraints: + CA:false + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + C6:68:7E:D7:20:B3:51:4B:D4:50:54:26:12:86:BE:9B:EA:55:A1:EA + X509v3 Authority Key Identifier: + keyid:75:2E:5A:BD:CE:B4:6B:4C:92:D2:BD:42:72:92:4B:27:71:9F:87:B0 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:b2:a7:be:fb:0b:d4:e2:87:b0:2c:c9:b8:fa: + 10:b0:18:4b:dc:6a:bc:58:55:e8:22:46:93:d8:b1:5b:50:17: + 77:02:20:2a:cf:42:10:fc:7e:02:39:37:44:4a:cf:9b:a3:9a: + 55:cb:15:2d:12:86:06:7e:d4:b8:24:7a:57:13:48:b5:69 +-----BEGIN CERTIFICATE----- +MIICOzCCAeGgAwIBAgICEAAwCgYIKoZIzj0EAwIwZTELMAkGA1UEBhMCTkwxEzAR +BgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2d5IEIu +Vi4xIDAeBgNVBAMMF0NIQU1fNTcwIENBIGNlcnRpZmljYXRlMB4XDTE5MDIxODEw +NTI0MVoXDTQ2MDcwNjEwNTI0MVowazELMAkGA1UEBhMCTkwxEzARBgNVBAgMClNv +bWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2d5IEIuVi4xJjAkBgNV +BAMMHUNIQU1fNTcwIElkZW50aXR5IGNlcnRpZmljYXRlMFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAEnbV79f5j2iTkDCbFMlVVs396YOoNViwKheBbhVoBG2n8I3mY +M9Zg1dmrHh16HsJfrTCbc0VAOdkH91mNRPZr46N7MHkwCQYDVR0TBAIwADAsBglg +hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O 
+BBYEFMZoftcgs1FL1FBUJhKGvpvqVaHqMB8GA1UdIwQYMBaAFHUuWr3OtGtMktK9 +QnKSSydxn4ewMAoGCCqGSM49BAMCA0gAMEUCIQCyp777C9Tih7Asybj6ELAYS9xq +vFhV6CJGk9ixW1AXdwIgKs9CEPx+Ajk3RErPm6OaVcsVLRKGBn7UuCR6VxNItWk= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate_unsupported b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate_unsupported new file mode 100644 index 0000000..220abcf --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_identity_certificate_unsupported @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICFTCCAbygAwIBAgICEAEwCgYIKoZIzj0EAwIwWjELMAkGA1UEBhMCTkwxEzAR +BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5 +IEx0ZDETMBEGA1UEAwwKQ0hBTTUwMF9DQTAeFw0xODAyMTkxMDMyMjRaFw0xOTAy +MTkxMDMyMjRaMGExCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAYBgNVBAMMEUNIQU01 +NjkgdW5zdXAga2V5MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEKt3HYPnDlEOS +zYqTzT2patyreLHN2Jty22KXwjaNAjgrwujdPr+MW38DsyBF5Yn9o3sweTAJBgNV +HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp +Y2F0ZTAdBgNVHQ4EFgQUG9MuQz3W/AKA98AyOKhI2af9I+0wHwYDVR0jBBgwFoAU +ACsYsaEsZfjfRVrj0IBmcsncVyMwCgYIKoZIzj0EAwIDRwAwRAIgfhisahVmgghI +GaaQavdKHpM/OTVODZPzYjky6Am+z08CIBidnuuznXrZtr78oy/tAES/7Lz8P5Iw +Q1y5Vo8CdXQQ +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key new file mode 100644 index 0000000..214e2dd --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key 
@@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgP3SnBXzcCc0uUEiG +0CPNdcV0hBewOnVoh4d9q9E5U5ihRANCAASdtXv1/mPaJOQMJsUyVVWzf3pg6g1W +LAqF4FuFWgEbafwjeZgz1mDV2aseHXoewl+tMJtzRUA52Qf3WY1E9mvj +-----END PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_unsupported b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_unsupported new file mode 100644 index 0000000..421d9a3 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_unsupported @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MG8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEVTBTAgEBBBh8p6kwBS7jT86ctN33 +Vs4vosHh7upPZBWhNAMyAAQq3cdg+cOUQ5LNipPNPalq3Kt4sc3Ym3LbYpfCNo0C +OCvC6N0+v4xbfwOzIEXlif0= +-----END PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_w_password b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_w_password new file mode 100644 index 0000000..f1f6e13 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/ec_private_key_w_password @@ -0,0 +1,8 @@ +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,11055B75D406068EB1FF850646228EA9 + +GUnwN8e2gvUkopN3ak+2dK1dSTSKSJguers3h5C+qQDq57By933ijCCjUTu2LY/F +ERH6m8UD6H5ij/QDsXLx6tH/dFQ7An+Zao3eD2N2zquGED/OfTQJFv3gBKs4RUtg +66dfuv9mNSXt7Rnu9uBNtodm5JGifczdmIPHn0mNY2g= +-----END EC PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_ca new file mode 100644 index 0000000..f003d92 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_ca 
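Review bot: ec_private_key_w_password is encrypted, but the passphrase the test needs is not recorded anywhere near the fixture; the same applies to private_key_w_password later in the patch. Presumably the passphrase is hard-coded in the test source, so a one-line note beside the fixture naming that constant would keep the two from drifting apart. Both files also use the legacy `Proc-Type: 4,ENCRYPTED` / `DEK-Info` PEM encryption, whose key derivation is weak. If the plugin is expected to accept PKCS#8 `ENCRYPTED PRIVATE KEY` files as well, a fixture in that format would cover the path deployments should prefer.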
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkTCCAnmgAwIBAgIJAJvGJOEKNct1MA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV +BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxGDAWBgNVBAMMD0NIQU01MDAgcm9vdCBjYTAeFw0xODAy +MTIxNTA1MDVaFw0yMDEyMDIxNTA1MDVaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI +DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx +GDAWBgNVBAMMD0NIQU01MDAgcm9vdCBjYTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAM/dCO4QAcCduw0NMqShDpTvGT6DClTFAJE8ZfuPCHKqNkicRbyj +sVXfF35Sdo6K92Ksz4G7i1RqJU2n8c7hg2EFUza0lIGgmTHV/DvFBcbAa0PpvdKS +XoPtSNDh65/GO1R7oeSFRzapqsLMPUwOWi46dYvRnPabxs21xHxn56JeuG74bad5 +PMTBvA2SiiTYPBlHGJS78GPo3BPMjL0MzPoMmumO8NSVYI+MEDY1lC4KkyZVKqtV +nIfaO/7adcM19xOAfAHkwhLGBC/bVAEqelev+GH/42xjNv532nM4/JVtBns+msR5 +DAYdtr6i82b7zhU1+lOOihv4lmQHoSnTya8CAwEAAaNQME4wHQYDVR0OBBYEFFYr +0CpiwxgFcZnW6IQEhxGv/vwiMB8GA1UdIwQYMBaAFFYr0CpiwxgFcZnW6IQEhxGv +/vwiMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKbBt0ht72fdtxwm +Kr0pOsKyDW0Rd5Ca5aDK4qAhDL0AD5+O6ShGYCnFNDGk3J5Yzawp8VoKrhDZZyUt +z2b0jNucVapAvPMA4066QxeIfvFmWcS73l7vjjeUoKWmNNGWprTg3RLsacTorKuY +ZRL7wsThfrhvg4B/OOIWKp5MEwIrUfnQzUca8getF2eyTt6QcMtE29AW5+01QTzj +fxZgzkmJFYBE2K/TLMDBDd+bz/8XnmPrJ01VUntXiXenTGTcIbJerB6GYQojjvhy +ZrOeuHTON1ndFiQkpeZA67ByZjkKVoJG3I8fwBjzcLE7u/QAQptVPjJXXcSpL7fA +a1tOvqw= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate new file mode 100644 index 0000000..7c03aae --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw +NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD +VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo +97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M +aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr +A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg +XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629 +V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr +ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT +liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD// +UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9 +3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt +988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359 +ihiEkx9zFUnPrdA= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate_1024key b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate_1024key new file mode 100644 index 0000000..9384833 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/identity_certificate_1024key 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrjCCAZYCCQDn8i4K9c4ErjANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjE2MTAy +MzM2WhcNMjMwODA5MTAyMzM2WjBXMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYD +VQQDDAdDSEFNNTY5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS5w0h8L70 +hkreKchVbTzfz4CrBLY4iADNSqPx9uW7DxjeHyLbKT2eRViY/xPuPXQmfRim01QM +sZWKvFr6k9WMsJ6ItNtCyKS/beONqvXOddIu+4IhNzEGs5v4pTJAOzraoZcVmXnf +Mr9G/baMYfMG47JR5HaSHDI5esa2STHt4wIDAQABMA0GCSqGSIb3DQEBCwUAA4IB +AQBdZ2ijHYH8TkOGBqzsNwnNwPaDb/NA0vAO9T5kSOm8HA8vKHnNza+DeUJN+5P/ +P4fLK7UZqpQN32MpvXL0068g99RLjAzAsEVn+0FTyc08r9p/KO/dxxdMKeET7Cpv +rMpu3W0A/EJptCQsTEZI0iqts7T2qQVXzoDlnUwEt3xdmKYJ9jbEq1UUCeexD3nP +LB+JtUtfGevVzIoBjHv0qA3ePA24jDUlx5bxFeoIDC4tEewvUG5ZekftsRdNe3fk +3LkwyK+4NN1ZCa2+S5SOAfjZA2o6qXiq/le0vWRgl7AHEgDr6w7xoRsw4K5dQ+0R +eKtsBC4XO1GqrNYdKuJb1MhI +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_ca new file mode 100644 index 0000000..b7b7678 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_ca 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDljCCAn6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UEBhMCTkwx +EzARBgNVBAgMCk92ZXJpanNzZWwxEDAOBgNVBAcMB0hlbmdlbG8xDzANBgNVBAoM +BkFETElOSzEYMBYGA1UEAwwPQ0hBTTUwMCBSb290IENBMB4XDTE4MDIwOTE2Mjky +MVoXDTI4MDIwNzE2MjkyMVowVTELMAkGA1UEBhMCTkwxEzARBgNVBAgMCk92ZXJp +anNzZWwxDzANBgNVBAoMBkFETElOSzEgMB4GA1UEAwwXQ0hBTTUwMCBJbnRlcm1l +ZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwucuU/L6N +iYxYJ7tyzcdzwXwYbr4GynZE4u2Sd7hcXrQGxTotm9BEhOZWscSGvH+UJSp0Vrb4 +3zDppiJ76ys6PeSBw1PpxdO97fO+eAE5DoXRj0a9lmnjbsV6waZ2GxgYQNVmKqbI +uPDfW+jsmRcTO94s05GWQshHeiqxuEUAv3/Qe2vOhulrg4YDcXrIDWK93cr1EmRX +Eq3Ck+Fjwtk5wAk3TANv2XQkVfS80jYAurL8J+XC2kyYB7e8KO92zqlfVXXMC3NI +YDcq86bAI4NNMjVE2zIVheMLoOEXaV7KUTYfEQABZl76aWLDxjED9kf371tcrZzJ +6xZ1M/rPGNblAgMBAAGjZjBkMB0GA1UdDgQWBBQngrlZqhQptCR4p04zqHamYUx7 +RTAfBgNVHSMEGDAWgBQrLYI+RHJtx1Pze8MSZbhaOful1DASBgNVHRMBAf8ECDAG +AQH/AgEAMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEAfMmiQ0tv +o3K3xwSS621tsfkijUTx920hAe1XYY2XKrG7a/MJBhStex5A3AfqPOY9UMihkBl9 +3hgxOaddX9SAf2eLk2JLhqxZi1U/GVzT5h10AKLA5WUXIK4UGz3JRqhEm7V39t/N +G0LCdpWOZueezkfO6eGcAvOKthdd32a3zbn+rzzDHdsjzxhEEv8d8x1Xf4xH2dgk +HlpmpvXMfG/1aCzIpWGEPdkB7WR694GiCmh7hnFBiY+h1GFj2l5dThd51QqAlncM +u+NmlPCrFZL0ulwRFeo80KOwDpxkqgavDlP9irdWqM9VHybjGu0xFHCeElz9M6od +ym/MCh4ax7jDxg== +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_certificate b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_certificate new file mode 100644 index 0000000..453f1fd --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_identity_certificate 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVTQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw +NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD +VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo +97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M +aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr +A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg +XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629 +V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr +ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT +liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD// +UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9 +3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt +988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359 +ihiEkx9zFUnPrdA= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_private_key new file mode 100644 index 0000000..2672622 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/invalid_private_key 
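Review bot: invalid_identity_certificate does not say what makes it invalid, and neither do invalid_identity_ca and invalid_private_key next to it. Compared with identity_certificate earlier in the patch, this file appears to differ by a single character in its third base64 line (`VTQD` where the valid one has `VQQD`), while invalid_private_key differs from private_key in several places and invalid_identity_ca shows no obvious corruption. Those are likely different failure modes (signature mismatch, decode error, wrong chain), so a test can pass for the wrong reason if the parser rejects a file earlier than intended. I would record, per fixture, the intended defect and the error the test expects, for example in a README in this directory.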
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0Z5zZ1dz2a22cI8ZPnZEHDt6St8DL6AzQBzz4k310Vdioyx8 +bLiu8Ffhjx5l6Pe26LerwcTUDe4X8aAyy/igTvbN1fvDl+pTqxe4UOvuv6fRIEaM +jRqNtXiMxsHNjGiQCoyJjTGzOxQ074ZN7vlU0ybZZyryTNbYJ3GxGcES64v9jBAu +V0vzuRUE+AFz6wOm0XBjKglWLUNHIusHdfD3oAP60phkkX/0zneI2V5MXxw/mDpB +3Mcc/bF+Cp8joF2ZvIw3QXO68Yg3qfJCIy9OlbMyXqEK8Y7n/HDWbW6Jf+xAkuWj +NmDse7dA3P+tvVdkOcGkVQVecVQidAc1IfKyBQIDAQABAoIBAEddUpzUQTTS11Hq +5gVF7lpORYxH8KW+PLSPJtjdAduLjKAQ++tn1OcuhDRdfQSbkUIZhfgqMqerb6tr +ht+6fZlknR9E34pQ1LtjD/U83cOSNrhuTFudtrEZoZPpVzl+P8vXnNzdFs/+SSdi +6hV5/U8F4u4kyOkwG9cR9eF2wiI+oQ/RBKCXUo3OVs9K27A/OkKsb7coL7yBsgBj +lzorS9a/DyHT2eiMKjwCZFyG4A66EkLi6t9JLJ8oTkI2WskXYeVEAbEXE57RWm44 +2OgTgfsgYgf2ftXq93KD17FN1m77dqp7EPAhjGnRHNq7+0Ykr1EO1nbDfqHG4gS+4o +lfP8iwECgYEA58da0R34l93yQnK0mAtoobwvsOjADnBVhBg9L4s2eDs8liUjf0zt +7hcMdUJaa7iMuNf3qGtnZtRURc3kSOE429Or7fCAYUr/AaA7+2ekPG1vjMb50tVv +se5rwb1hvgMYe2L5ktJJAg+RcmqpY+ncJ+hP/vWwZRxUKvXba50qqEkCgYEA54ZE +mJfSueGM/63xlhP71CM4OWtTqkQGp2OmgTOsBI5q/GUXr8vMR8sCEMHAc6HyXzmL +x/RnAoa/vTX58rXBk0QjfO9esIHa452697EIaJu5w8skCLDv2e/f+Jg7o/IDyUZs +5lqhiEuH9Qc3sx2nhnSYXMZWqwh8OchI7dCSE90CgYEAzrJ1JhpxUJYI7wM2VIWQ +GPQnH8BhTj8VtEidgCHJQK2rGUcjgepMIVECtiunUXtyW4GWBedKfmSKhvnXRLs9 +pqT9JaOeCaYFBiEsfMZvqUY4e/YSYtge1PIHvO40FWzTT23zneDUZPcXQY8nYsfy +otBFTt0yIumBkhJRTIYLvakCgYA+CcttvBj6OAcJJ/n5RgeP05QoRqsXj7zcs6YV +LtxkKClg0lHjiE+H2U0HYnOISJfijk/3V3UWxzavo7wDHlLtfC+qNZYA4/rcTRKh +dm2TYk8HuPJB5e+PTWiNe3VXu+zpzRY3L4fjNqIKtVFmjIasT6fYDEmC8PYgoZtx +JhdOfQKBgCD/bDkc+VI6lwQtoQQKiSfQjKGe+6Cw9K/obzWO0uJwBvZrGLXF8tTc +MOPIv9OILt7DYxpMXAiHv8HtzH5CFVrZ/nj63Soka/j2yvUdBDrGhyIbsc4pDu+ +lCFa0ZiT/u5vRAiOkM6GuStH4HxnW9LtwBtiYXtfU7IPExJiAlsq +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key new file mode 100644 index 0000000..e21560b --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0Z5zZ1dz2a22cI8ZPnZEHDt6St8DL6AzQBzz4k310Vdioyx8 +bLiu8Ffhjx5l6Pe26LerwcTUDe4X8aAyy/igTvbN1fvDl+pTqxe4UOvuv6fRIEaM +jRqNtXiMxsHNjGiQCoyJjTGzOxQ074ZN7vlU0ybZZyryTNbYJ3GxGcES64v9jBAu +V0vzuRUE+AFz6wOm0XBjKglWLUNHIusHdfD3oAP60phkkX/0zneI2V5MXxw/mDpB +3Mcc/bF+Cp8joF2ZvIw3QXO68Yg3qfJCIy9OlbMyXqEK8Y7n/HDWbW6Jf+xAkuWj +NmDse7dA3P+tvVdkOcGkVQVecVQidAc1IfKyBQIDAQABAoIBAEddUpzUQTTS11Hq +5gVF7lpORYxH8KW+PLSPJtjdAduLjKFQ++tn1OcuhDRdfQSbkUIZhfgqMqerb6tr +ht+6fZlknR9E34pQ1LtjD/U83cOSNrhuTFudtrEZoZPpVzl+P8vXnNzdFs/+SSdi +6hV5/U8F4u4kyOkwG9cR9eF2wiI+oQ/RBKCXUo3OVs9K27A/OkKsb7coL7yBsgBj +lzorS9a/DyHT2eiMKjwCZFyG4A66EkLi6t9JLJ8oTkI2WskXYeVEAbEXE57RWm44 +2OgTI/Yc2yrtXq93KD17FN1m77dqp7EPAhjGnRHNq7+0Ykr1EO1nbDfqHG4gS+4o +lfP8iwECgYEA58da0R34l93yQnK0mAtoobwvsOjADnBVhBg9L4s2eDs8liUjf0zt +7hcMdUJaa7iMuNf3qGtnZtRURc3kSOE429Or7fCAYUr/AaA7+2ekPG1vjMb50tVv +se5rwb1hvgMYe2L5ktJJAg+RcmqpY+ncJ+hP/vWwZRxUKvXba50qqEkCgYEA54ZE +mJfSueGM/63xlhP71CM4OWtTqkQGp2OmgTOsBI5q/GUXr8vMR8sCEMHAc6HyXzmL +x/RnAoa/vTX58rXBk0QjfO9esIHa452697EIaJu5w8skCLDv2e/f+Jg7o/IDyUZs +5lqhiEuH9Qc3sx2nhnSYXMZWqwh8OchI7dCSE90CgYEAzrJ1JhpxUJYI7wM2VIWQ +GPQnH8BhTj8VtEidgCHJQK2rGUcjgepMIVECtiunUXtyW4GWBedKfmSKhvnXRLs9 +pqT9JaOeCaYFBiEsfMZvq8f4e/YSYtge1PIHvO40FWzTT23zneDUZPcXQY8nYsfy +otBFTt0yIumBkhJRTIYLvakCgYA+CcttvBj6OAcJJ/n5RgeP05QoRqsXj7zcs6YV +LtxkKClg0lHjiE+H2U0HYnOISJfijk/3V3UWxzavo7wDHlLtfC+qNZYA4/rcTRKh +dm2TYk8HuPJB5e+PTWiNe3VXu+zpzRY3L4fjNqIKtVFmjIasT6fYDEmC8PYgoZtx +JhdOfQKBgCD/bDkc+VI6lwQtoQQKiSfQjKGe+6Cw9K/obzWO0uJwBvZrGLXF8tTc +MOPIv9OILt7DYxpMXAiHv8HtzH5CFVrZ/nj63SRoka/j2yvUdBDrGhyIbsc4pDu+ +lCFa0ZiT/u5vRAiOkM6GuStH4HxnW9LtwBtiYXtfU7IPExJiAlsq +-----END RSA PRIVATE KEY----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_1024 b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_1024 new file mode 100644 index 0000000..709bcd6 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_1024 @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDS5w0h8L70hkreKchVbTzfz4CrBLY4iADNSqPx9uW7DxjeHyLb +KT2eRViY/xPuPXQmfRim01QMsZWKvFr6k9WMsJ6ItNtCyKS/beONqvXOddIu+4Ih +NzEGs5v4pTJAOzraoZcVmXnfMr9G/baMYfMG47JR5HaSHDI5esa2STHt4wIDAQAB +AoGAQi7LijkYU3fJCsql2Vj8X2eogwJphHf5eHLR296U3QyxyxKOR6Q7d+1fDjQN +txeF2YYsND3hBFK+ENlm23eE7Z1tpWtnLNJ9OH84ZkPnqTnEcWsRddT/x9vKOPMz +eK8QNetD3AP5qXsjpIpgep1diWYHCyhMTAFISzvdtC7pvFECQQD2zoqwRtF26lzg +QPR02Z+L80R2VhpeLoqMIplT1bmlrPlDr/eIwvtu1eQFyGSASG2EFs1rucdJl7qu +SrJ+eyv1AkEA2sIjy8+RCk1uH8kEwYaMJ3dccqnpcMCZ1b3GncKl+ICmDCYcpfd5 +rP5tX+GL3RVw370pUApJvrVTgOpAVHYjdwJAOYz8BhLdcS9BLQG4fy7n50h4pGd7 +io6ru/Wtb0EdIybskP4NaJSe8L9rhnWuCcPZ1b1DdWVCtURuQYoliRzLqQJBAJWO +ZrSfKpS1jRVT89lu6ADPXLfTrBH2yvVS8ifG/HshUOQ7ZhidUWVQ6GvFoj46u1lr +VIQxFGu6QeV/wQ09W08CQHGkrZgu/FpS2tNvYmKNDHOna+dW452N5N81u5sRP1A8 +x9pYC9xoOGE2E8v1ocMJDPoMe0yk1QSX9mjhhwYOy28= +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_not_matching b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_not_matching new file mode 100644 index 0000000..735a9af --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_not_matching 
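Review bot: old/private_key_1024 is added with blob id `709bcd6`, the same id as etc/private_key_1024 further down, and old/private_key_not_matching (`735a9af`) is duplicated the same way. Two copies of the same key material double what has to be audited and will drift once one copy is regenerated. The patch does not show which directory the tests load from; if `etc/old/` is no longer referenced, dropping it keeps the committed private keys to the minimum the tests need.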
@@ -0,0 +1,48 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAz90I7hABwJ27DQ0ypKEOlO8ZPoMKVMUAkTxl+48Icqo2SJxF +vKOxVd8XflJ2jor3YqzPgbuLVGolTafxzuGDYQVTNrSUgaCZMdX8O8UFxsBrQ+m9 +0pJeg+1I0OHrn8Y7VHuh5IVHNqmqwsw9TA5aLjp1i9Gc9pvGzbXEfGfnol64bvht +p3k8xMG8DZKKJNg8GUcYlLvwY+jcE8yMvQzM+gya6Y7w1JVgj4wQNjWULgqTJlUq +q1Wch9o7/tp1wzX3E4B8AeTCEsYEL9tUASp6V6/4Yf/jbGM2/nfaczj8lW0Gez6a +xHkMBh22vqLzZvvOFTX6U46KG/iWZAehKdPJrwIDAQABAoIBAQDGvQsAsoU6aJSj +Ee9NwD903nZAcoG6MvEr65eGQWdOWre0DNYQWmH/PGH2AVohR3Tn/1oXK/03JJWt +/dkQeEVoyfKZ52Xl2mseXv3fF61CLk9gi2dWoWOEt6ZbMOZbyOiJCfvrxhIkjWwa ++7PPuBk5AePJXwy4LJCTtiq61418i2Bbl6JamytgxsiVK9kZXdN6JqEVYmweMpmR +T1mzi7lssyttBIXwG8ajStUteIYLyi8d+UX4S08EyV0VGL0p5+F8xTY1jVX/t6Y0 +KbANJdjEab9mbndzbxprJlS08KBLgdnAO4w0nmINiaO2isXOLoV8SU3tTqHC3W7c +CCSKJdGBAoGBAP9vCSP1AaEjYa6sfEUgThpCo7PhRuOMEDb+4ldv9O+hzXv5I8td +gbDs1g3jyhb0yhW9uV9NsuKBtsmv1zYFswZDNbdr2S1VZPMpAx+SeLHQWy6HbU/t +oHoOO+l8erFVvR2uqit5rBDzN6/lh4SoQzYE9JDAnXJp9W0rKAdtBSLRAoGBANBT +AIErbPo4EuU13DaEa+EfoU4Abktyi+L8dpdoXMq6sHg3Mlhifr+ryoybrMMA3tmT +6ekBCSVThF0/+HAFRAJthnyBgUd0D710JDHro47Mg37CxU+V8JYqZJGHUSfqng7/ +pM7LjM99VhigquH4PoDH4YpL8vnIeEMNmny4iER/AoGBAJj8k+jpUXSFkHfh7vwo +AR9RUmLmRmL6/KsztbTQ5U6xBjV+XqXq90ZUU1A2Yk+lhXPIEkK2crGfJy9dFfTR +LQxPLNkSyxyPzMqmgaxjOc6mEDap/hqlJDx2UgPh/kpAI+inOFyZnyj3wx6ixqv5 +a2frR996vdJNDCW6d1sbPLxBAoGBAMO66IN0UJy76Izw0Olr+4v10vFdmENM6T+o +IqhZBq33P+yDN8sxJ5NgjhsT/Pruq3LT9XbVYUlvsbKHcx2U5PQ/AZejedqvokZH +g+ZfVjnJz1ZfG1GOOBBu3jSZZdfSKRVAfhFJ0A/229ihxEwxmFAY/MCaYTzsbInb +kyXRnz5zAoGBAIT9Fuk7zhfubYvkzIQ0kj/IxL3QohVRKcoGapDMSwNjTvxZdKxF +WXkhhJT095QznHP1fhp90fBKlOdsReDWfZXMYtZTqo2+ezK8qb6xMlm+LE09y+Na +f7pp1EPnIqyEX27B4aQ81M8tkCqbdlv3CdjFSusp6SsWTGTjr/5SAMDS +-----END RSA PRIVATE KEY----- + +-----BEGIN CERTIFICATE----- +MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw 
+NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD +VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo +97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M +aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr +A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg +XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629 +V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr +ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT +liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD// +UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9 +3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt +988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359 +ihiEkx9zFUnPrdA= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_w_password b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_w_password new file mode 100644 index 0000000..ba09dc0 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/private_key_w_password 
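Review bot: private_key_not_matching is named as a key file but carries a certificate after the key, and that certificate looks byte-identical to identity_certificate. If the test feeds this file only as the private key, the trailing block is dead weight that a stricter PEM reader may reject for a reason other than the mismatch under test; I would remove it or rename the file to say it is a bundle. The key's modulus also appears to start with the same bytes as the public key in identity_ca, so this is probably the test CA's own private key, which is worth stating in a README beside the fixture.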
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,0C9C38C5678AECD200E024A9A5BC717A + +wbXYsR78o4DIaQbKsB4cwEFge79GMKbcMgIWK+9k86dPk09WZkj7JCSJXIxPLYOG +tFZrw/z86cakEhf90a4Moa1cwByrcFB+bpWoEqsx/C4javWxXMENbmQ5x8gDpmzT +qqLI7xnd2mYj7HcfE7eXi+Nub5w1tBxN0CWaxpR54ZVvfcPE6Od4SHGughdUN4AK +OdVIq5YuzMhuTDJKy+kGOtjH8pBWvo8S12T2UQEuusx5WUbEJ6m+E80aN7M6gCA+ +XmNTt3PsV9PfZPL2Off/90gqTBdMhwn+sEVlqYG0TAnXZQEI8ZNtAGy77CFplqdT +SmI3x8Sza7lchEMFhRiayX9pMBPUlwckVPrCoMQ4b4WkHYoGLO7dNVAA8Osud46+ +6MZKHStjdzwKz9MzWa7lXhXV+0sX5bcAzQexuE+wO8QQ/t5uwDmQHol0JVdRX8NB +/Exk6aT7mWajFvukXVirpUGWnEK2W+O8/VBzVZ7z69EjZ09Pu4Y/+cbX12LGSwMb +WVtnZY6BsrV++vikQuL3ByTBDPRHio2H8hThh1Kv8n5VEBUrk7tLUp3Z15cbfC6s +LDHX6kB2OKmmdqLOOMo4lToZfnrVK/dzeXFbtNH1POpR4/e5Nk0SyZrWo+E/AqIv +nLQ3fhLCPOB5rjAhuM8iXOwqn8HHNlv9j8mlgCcgwK7focYVc/IXARLOfFOjOA/s +EqMRbb/eKsC930NHBZkhlqRJKCwA37AMvnOhN4R0VOq/40K+62IUK9E1643KyWs0 +vWk0rFY0OKorQXzI33lbBYZ5zHt8oxGNx3us+6jGP85iv8UEaO6FpgajEUn6Gzp/ +wyvr1C/B/Hfr6eTbt4C6Fi5fMfZgM6VEcJuaFZnoC9tWdhlNsY1pwtPghMM7yBwc +1Ye0TxdF36exJWu1gXVTse1Vdc9i4QWpT2fbPQtcIgdtNk01K+2defie384IOnQQ +O8/SRsrnLRLV3IDFh/VBJS1ZVm8Zmt10yGgRwtYHntMkIopoFRWcm9/Gh3iBFKKH +OTVXxgKOUYk4qXG61N8k0M+TIdoOHZIha3Myis1tQVmA/b/4FRKPYgdrFijhXNLM +wwMHQOS14xBF2KBgaak7dMUWhGrClw1hc3HmMXuM+OLvxy+f8MC3JP2U5AuCs472 +hc41KWxioqNMPVXZgVnHf3aEec+hBFceqYnlzG+E/Gagiufu8WMySaZgzXMRb5aV +x2OVcakSKrTC5EKbLDlZ6+1NRJht7wdSefh0o/Crc9LzcFqBL0Qp3WCvyY8gDVkQ +EGqoVYOE6Hz/NX5/17F1+5VuWT7nBWABHKFFriOoJ3VR9sZhp0HiMznZEF1AwVuZ +xHtDWQemfBywEQG23qbr+o7mQASh1zki8b4fP1HQmbHhaJarjwGdiVNIgcF7s7Qk +NYNcgsc1l0KuNHvredTnYwPhv3C08IBfjtd2H9u0A+AWl5RlR4GDfv2Jzbe/F8U+ +0gxj8D2XWHlkbHIXKVk6jxj64xyNE1xB0Sv7gsDWpkaK6aw/zdsyxqiji4mThcYE +cRSl4y9CGZREaiyD8dk/uiqKfQ26c1gfOUDYS2fKjH5NKh4J80wQj0GvS6nHiDH4 +-----END RSA PRIVATE KEY----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/remote b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/remote new file mode 100644 index 0000000..195709a --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/remote @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMzCCAhsCCQDn8i4K9c4ErzANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMzIzMTIw +MTE5WhcNMjMxMDMxMTIwMTE5WjBYMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMREwDwYD +VQQDDAhDSEFNLTU3NzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcc +IMlRp2EnOC/UIIOF2gm+wtsikv5CscDuyq9DA2QgS5TTKqivDAdOSUIcbVn8qb6/ +77viarmRXml3VHJdhR2abtY6xYKYF2SCFiyoNk6ITq+YBrCfmMh/bCYTD6c5vnl4 +SKomIArU1g1YAxHxHqZRX1oonldUdP4lqq+Qt6fllYFhHNAl5JjrrCuPpXmAW3pC +z4b3HWP/6vnbOFFMYkwGprVoAljcnAG7C7zSjW2M3RN4xA/z6Lps8qrPFB2iAXaP +ZnST1rkqctf2IDWVwloG0uJnqiigcIz6+hvf5VMU0ax+CrYqFGav/uwvPCiHcUkF +3a/O3z+4xGHaBagfHukCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAXZlNPz6raCBp +F+iyNWTGy27OyM/TZNE9QTPI28TQEmLfqCrRfq+uHhBQ3U9TgS3xX/f5b+BPHuaD +N6vl/yECAQa+0r33EFdoe8rGa0Mr5VvADcqPmk/sp9K62fRcP4aCgliDi8g9G8q1 +XNgO/EA9HhFlFKPzLPFMhq7qqPOQWO/EddoxA/qCMGZtN+TAxqLKVB0lipJoSa0x +XqtYvNWiaShPceSk4SAjAdpdhvxOpA/25uvFEISdt9zoqbs4eLUbi/9RFYaL8U4r +E+FygZMi31N6PC/Q7/tJ4DG20K/V30Y1+ogvSfdJpWk9L/CJj0VrzqJTVaKBIFVV +6PtqHPZiKA== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/old/unrelated_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/unrelated_identity_ca new file mode 100644 index 0000000..52cf047 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/old/unrelated_identity_ca 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDpDCCAoygAwIBAgIJALE5lRKfYHAaMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV +BAYTAk5MMRMwEQYDVQQIDApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8w +DQYDVQQKDAZBRExJTksxGDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTAeFw0xODAy +MDkxNjIwNDNaFw0zODAyMDQxNjIwNDNaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI +DApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8wDQYDVQQKDAZBRExJTksx +GDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAN9/NbpJDHQYHh3cEByRxnHffxEe9Sapn08Ty5xYO8LDJ4V7vU32 +/7291fITiHaovOoCRHAbKTaTtqJO56aGY45HON6KIqxljLQJJVGW/Nf2PNSHmFix +6D6bsoSOTPyKYqBNT6lB7NMn4QBTcsiE61El8p9WLQZHoYQJK5Psf7wkBqGBz8he +bcDWXFn7kIgnsaLrh77w2wi/y0MqpPwyeRInoZfYknzVNdxCPgq7csBYDoMgOgkV +G60ECXojHKz1HI4n0V8L8lZluSSVRNR0xvPFgBqO7b+Re7xb6iO9TNsFeoiMMNyp +EwM99CqPO0RRrAPiC7IDgcNGjxhne9EJFGsCAwEAAaNjMGEwHQYDVR0OBBYEFCst +gj5Ecm3HU/N7wxJluFo5+6XUMB8GA1UdIwQYMBaAFCstgj5Ecm3HU/N7wxJluFo5 ++6XUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQCWibvYuPLpoNcsUdHbE7SnBbEQnDfBxBZN8xeWHwwAPEB+8eHhmIdZ +xDtCN61xr5QR+KzlEYFwKyHMp9GN3OPU1RndJrzaXz2ddAZVkBIvnQZ4JvFd+sBC +QQgEvL8GcwZPxnad/TRylM4ON3Kh0X9vfyrmWEoHephiE1LcENaFqcYr9xg3DJNh +XSrigMGZJ7IOHkvgaoneICOcYI42ZHS0fnt1G+01VKJXm3ndi5NL25GnOmlvV6yV ++1vcmdQc6YS8K8vHmrH4lX9iPfsOak6WSzzsXdqgpvyxtGJggcFaDTtmbWCAkJj0 +B7DMeaVlLClGQaKZZ7aexEx9se+IyLn2 +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key new file mode 100644 index 0000000..06f57d1 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf +Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m +JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM +AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv +psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c +A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx +m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK +GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+ +BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2 +iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw +Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i +2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y +T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6 +D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB +Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG +eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ +2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV +0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt +O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+ +pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba +VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k +X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD +NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc +nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi +w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk= +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_1024 b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_1024 new file mode 100644 index 0000000..709bcd6 --- /dev/null 
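Review bot: etc/private_key is an unencrypted RSA private key checked into the tree with nothing beside it saying it is a throwaway test credential; etc/private_key_1024, etc/private_key_not_matching and src/priv.pem are added the same way, and this key is repeated as `private_key_pem` in validate_local_identity_utests.c. Secret scanners will flag these paths, and the failure to guard against is a fixture key being copied into a real deployment. A README in etc/ along the lines of `Test-only key material generated for these unit tests; never configure as dds.sec.auth.private_key outside the test suite`, with the command used to generate each file, would cover it. An allowlist entry for this directory in whatever secret scanning the project runs would keep the findings from masking real leaks.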
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_1024 @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDS5w0h8L70hkreKchVbTzfz4CrBLY4iADNSqPx9uW7DxjeHyLb +KT2eRViY/xPuPXQmfRim01QMsZWKvFr6k9WMsJ6ItNtCyKS/beONqvXOddIu+4Ih +NzEGs5v4pTJAOzraoZcVmXnfMr9G/baMYfMG47JR5HaSHDI5esa2STHt4wIDAQAB +AoGAQi7LijkYU3fJCsql2Vj8X2eogwJphHf5eHLR296U3QyxyxKOR6Q7d+1fDjQN +txeF2YYsND3hBFK+ENlm23eE7Z1tpWtnLNJ9OH84ZkPnqTnEcWsRddT/x9vKOPMz +eK8QNetD3AP5qXsjpIpgep1diWYHCyhMTAFISzvdtC7pvFECQQD2zoqwRtF26lzg +QPR02Z+L80R2VhpeLoqMIplT1bmlrPlDr/eIwvtu1eQFyGSASG2EFs1rucdJl7qu +SrJ+eyv1AkEA2sIjy8+RCk1uH8kEwYaMJ3dccqnpcMCZ1b3GncKl+ICmDCYcpfd5 +rP5tX+GL3RVw370pUApJvrVTgOpAVHYjdwJAOYz8BhLdcS9BLQG4fy7n50h4pGd7 +io6ru/Wtb0EdIybskP4NaJSe8L9rhnWuCcPZ1b1DdWVCtURuQYoliRzLqQJBAJWO +ZrSfKpS1jRVT89lu6ADPXLfTrBH2yvVS8ifG/HshUOQ7ZhidUWVQ6GvFoj46u1lr +VIQxFGu6QeV/wQ09W08CQHGkrZgu/FpS2tNvYmKNDHOna+dW452N5N81u5sRP1A8 +x9pYC9xoOGE2E8v1ocMJDPoMe0yk1QSX9mjhhwYOy28= +-----END RSA PRIVATE KEY----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_not_matching b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_not_matching new file mode 100644 index 0000000..735a9af --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_not_matching 
@@ -0,0 +1,48 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAz90I7hABwJ27DQ0ypKEOlO8ZPoMKVMUAkTxl+48Icqo2SJxF +vKOxVd8XflJ2jor3YqzPgbuLVGolTafxzuGDYQVTNrSUgaCZMdX8O8UFxsBrQ+m9 +0pJeg+1I0OHrn8Y7VHuh5IVHNqmqwsw9TA5aLjp1i9Gc9pvGzbXEfGfnol64bvht +p3k8xMG8DZKKJNg8GUcYlLvwY+jcE8yMvQzM+gya6Y7w1JVgj4wQNjWULgqTJlUq +q1Wch9o7/tp1wzX3E4B8AeTCEsYEL9tUASp6V6/4Yf/jbGM2/nfaczj8lW0Gez6a +xHkMBh22vqLzZvvOFTX6U46KG/iWZAehKdPJrwIDAQABAoIBAQDGvQsAsoU6aJSj +Ee9NwD903nZAcoG6MvEr65eGQWdOWre0DNYQWmH/PGH2AVohR3Tn/1oXK/03JJWt +/dkQeEVoyfKZ52Xl2mseXv3fF61CLk9gi2dWoWOEt6ZbMOZbyOiJCfvrxhIkjWwa ++7PPuBk5AePJXwy4LJCTtiq61418i2Bbl6JamytgxsiVK9kZXdN6JqEVYmweMpmR +T1mzi7lssyttBIXwG8ajStUteIYLyi8d+UX4S08EyV0VGL0p5+F8xTY1jVX/t6Y0 +KbANJdjEab9mbndzbxprJlS08KBLgdnAO4w0nmINiaO2isXOLoV8SU3tTqHC3W7c +CCSKJdGBAoGBAP9vCSP1AaEjYa6sfEUgThpCo7PhRuOMEDb+4ldv9O+hzXv5I8td +gbDs1g3jyhb0yhW9uV9NsuKBtsmv1zYFswZDNbdr2S1VZPMpAx+SeLHQWy6HbU/t +oHoOO+l8erFVvR2uqit5rBDzN6/lh4SoQzYE9JDAnXJp9W0rKAdtBSLRAoGBANBT +AIErbPo4EuU13DaEa+EfoU4Abktyi+L8dpdoXMq6sHg3Mlhifr+ryoybrMMA3tmT +6ekBCSVThF0/+HAFRAJthnyBgUd0D710JDHro47Mg37CxU+V8JYqZJGHUSfqng7/ +pM7LjM99VhigquH4PoDH4YpL8vnIeEMNmny4iER/AoGBAJj8k+jpUXSFkHfh7vwo +AR9RUmLmRmL6/KsztbTQ5U6xBjV+XqXq90ZUU1A2Yk+lhXPIEkK2crGfJy9dFfTR +LQxPLNkSyxyPzMqmgaxjOc6mEDap/hqlJDx2UgPh/kpAI+inOFyZnyj3wx6ixqv5 +a2frR996vdJNDCW6d1sbPLxBAoGBAMO66IN0UJy76Izw0Olr+4v10vFdmENM6T+o +IqhZBq33P+yDN8sxJ5NgjhsT/Pruq3LT9XbVYUlvsbKHcx2U5PQ/AZejedqvokZH +g+ZfVjnJz1ZfG1GOOBBu3jSZZdfSKRVAfhFJ0A/229ihxEwxmFAY/MCaYTzsbInb +kyXRnz5zAoGBAIT9Fuk7zhfubYvkzIQ0kj/IxL3QohVRKcoGapDMSwNjTvxZdKxF +WXkhhJT095QznHP1fhp90fBKlOdsReDWfZXMYtZTqo2+ezK8qb6xMlm+LE09y+Na +f7pp1EPnIqyEX27B4aQ81M8tkCqbdlv3CdjFSusp6SsWTGTjr/5SAMDS +-----END RSA PRIVATE KEY----- + +-----BEGIN CERTIFICATE----- +MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw 
+NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD +VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo +97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M +aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr +A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg +XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629 +V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr +ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT +liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD// +UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9 +3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt +988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359 +ihiEkx9zFUnPrdA= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_w_password b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_w_password new file mode 100644 index 0000000..ba09dc0 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/private_key_w_password 
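Review bot: The key in etc/private_key_not_matching appears to be the private half of the CA certificate in src/ca.crt, since the leading modulus bytes (cf dd 08 ee 10 01 c0 9d …) are the same in both, and the file then appends a copy of the src/id.crt certificate. That makes the mismatch fixture the signing key of a CA certificate that ships in the same test directory, which is more than a key/certificate mismatch test needs; a freshly generated unrelated key would do the same job. If the CA key is kept on purpose, record it in a README entry such as `private_key_not_matching: key of src/ca.crt, paired with id.crt so the key/certificate check fails`, and state why the certificate lives in the same file.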
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,0C9C38C5678AECD200E024A9A5BC717A + +wbXYsR78o4DIaQbKsB4cwEFge79GMKbcMgIWK+9k86dPk09WZkj7JCSJXIxPLYOG +tFZrw/z86cakEhf90a4Moa1cwByrcFB+bpWoEqsx/C4javWxXMENbmQ5x8gDpmzT +qqLI7xnd2mYj7HcfE7eXi+Nub5w1tBxN0CWaxpR54ZVvfcPE6Od4SHGughdUN4AK +OdVIq5YuzMhuTDJKy+kGOtjH8pBWvo8S12T2UQEuusx5WUbEJ6m+E80aN7M6gCA+ +XmNTt3PsV9PfZPL2Off/90gqTBdMhwn+sEVlqYG0TAnXZQEI8ZNtAGy77CFplqdT +SmI3x8Sza7lchEMFhRiayX9pMBPUlwckVPrCoMQ4b4WkHYoGLO7dNVAA8Osud46+ +6MZKHStjdzwKz9MzWa7lXhXV+0sX5bcAzQexuE+wO8QQ/t5uwDmQHol0JVdRX8NB +/Exk6aT7mWajFvukXVirpUGWnEK2W+O8/VBzVZ7z69EjZ09Pu4Y/+cbX12LGSwMb +WVtnZY6BsrV++vikQuL3ByTBDPRHio2H8hThh1Kv8n5VEBUrk7tLUp3Z15cbfC6s +LDHX6kB2OKmmdqLOOMo4lToZfnrVK/dzeXFbtNH1POpR4/e5Nk0SyZrWo+E/AqIv +nLQ3fhLCPOB5rjAhuM8iXOwqn8HHNlv9j8mlgCcgwK7focYVc/IXARLOfFOjOA/s +EqMRbb/eKsC930NHBZkhlqRJKCwA37AMvnOhN4R0VOq/40K+62IUK9E1643KyWs0 +vWk0rFY0OKorQXzI33lbBYZ5zHt8oxGNx3us+6jGP85iv8UEaO6FpgajEUn6Gzp/ +wyvr1C/B/Hfr6eTbt4C6Fi5fMfZgM6VEcJuaFZnoC9tWdhlNsY1pwtPghMM7yBwc +1Ye0TxdF36exJWu1gXVTse1Vdc9i4QWpT2fbPQtcIgdtNk01K+2defie384IOnQQ +O8/SRsrnLRLV3IDFh/VBJS1ZVm8Zmt10yGgRwtYHntMkIopoFRWcm9/Gh3iBFKKH +OTVXxgKOUYk4qXG61N8k0M+TIdoOHZIha3Myis1tQVmA/b/4FRKPYgdrFijhXNLM +wwMHQOS14xBF2KBgaak7dMUWhGrClw1hc3HmMXuM+OLvxy+f8MC3JP2U5AuCs472 +hc41KWxioqNMPVXZgVnHf3aEec+hBFceqYnlzG+E/Gagiufu8WMySaZgzXMRb5aV +x2OVcakSKrTC5EKbLDlZ6+1NRJht7wdSefh0o/Crc9LzcFqBL0Qp3WCvyY8gDVkQ +EGqoVYOE6Hz/NX5/17F1+5VuWT7nBWABHKFFriOoJ3VR9sZhp0HiMznZEF1AwVuZ +xHtDWQemfBywEQG23qbr+o7mQASh1zki8b4fP1HQmbHhaJarjwGdiVNIgcF7s7Qk +NYNcgsc1l0KuNHvredTnYwPhv3C08IBfjtd2H9u0A+AWl5RlR4GDfv2Jzbe/F8U+ +0gxj8D2XWHlkbHIXKVk6jxj64xyNE1xB0Sv7gsDWpkaK6aw/zdsyxqiji4mThcYE +cRSl4y9CGZREaiyD8dk/uiqKfQ26c1gfOUDYS2fKjH5NKh4J80wQj0GvS6nHiDH4 +-----END RSA PRIVATE KEY----- 
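Review bot: private_key_w_password uses the traditional OpenSSL PEM encryption (`Proc-Type: 4,ENCRYPTED` with a `DEK-Info` header), and nothing next to the file records the passphrase or where the test supplies it. The passphrase is presumably passed through dds.sec.auth.password in the unit test, which is outside this hunk; a README line naming that test constant would let the fixture be regenerated. Because the traditional format derives the cipher key with a single MD5 pass, a second fixture in encrypted PKCS#8 form would be worth adding if the plugin is meant to accept that format.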
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/identity_ca
new file mode 100644
index 0000000..7e2675c
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/identity_ca
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE +BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp +ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx +MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE +CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk +MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k +ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz +2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf +zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB +pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL +FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME +BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW +gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB +Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME +BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK +KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI +KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU +AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI +hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s +iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC +LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm +geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t +Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd +sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw= +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/root_CA_RSA.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/root_CA_RSA.crt new file mode 100644 index 0000000..61346df --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir/root_CA_RSA.crt @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEtjCCA56gAwIBAgIBATANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50 +aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMB4XDTE4MDYxMTAwMDAwMFoXDTI3MDYxMDIzNTk1OVowcjELMAkGA1UEBhMC +TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMRkwFwYDVQQDExBJ +ZGVudGl0eSBDQSBUZXN0MSYwJAYJKoZIhvcNAQkBFhdpbmZvQGlzdC5hZGxpbmt0 +ZWNoLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANRf3XKmM6O+ +WoYPNpOAdkGKKZHLJ8ZuPxVVBMX6oJAlcOmkhLzfkHSA+gl/OWaMOXIEtN512gyL +YszBf1RImwVzRjJFwIxzGzVQ68jYNj+qBbsOt+IG+hs3wgVCLFkCh+J7hXUgvk8A +eRM/SRrI42dQfcgKUAMNi4/iX6Vs+FV9pHB63L4PiLA9hfUE25sH6EsIC7icvGDJ +6cGG94glVSHDI1NtXfsNHY+NGY/jYKtQZklqU3lew5I60aJIsea+Wk6PJiz4hyXv +XVVmrcNeG1g4OEFgiSXZC2XknDw8t9+ELprGNvuJvTFxwPMAgLeF4IhEQC9dQY2W +BRwUxtZBzukCAwEAAaOCAVUwggFRMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFER4 +R6N3MQ1Wl7gn+R8wwHloDCVZMB8GA1UdIwQYMBaAFER4R6N3MQ1Wl7gn+R8wwHlo +DCVZMA8GA1UdDwEB/wQFAwMH/4Awge8GA1UdJQEB/wSB5DCB4QYIKwYBBQUHAwEG +CCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3 +AgEVBgorBgEEAYI3AgEWBgorBgEEAYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3 +CgMEBglghkgBhvhCBAEGCysGAQQBgjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYG +CCsGAQUFBwMHBggrBgEFBQgCAgYKKwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUF +BwMNBggrBgEFBQcDDgYHKwYBBQIDBTANBgkqhkiG9w0BAQsFAAOCAQEAwXuEWDG3 +aAyL+DsGr0B4YMLjHtx6FjzkJOpTtXQhkrtSMpD3Xytl7Wfz8lyWuTnbrk8F4gWO +IkJR/NdMGW27SmeYU0z7QAGRDwtHX6kqqizQbCwf4F6P/2QftcLp1VrlsIlb0gyx +gLjpGmn5TT7gj+ahW0iIRglOwhzCvkNu6agYpdGwVirSyLShy/Hq303DZSbVuktz +5/PmZKpufnoGqURNnJqbV4TQipE0FiDmp2o+gVgJ+DVRhiCdfk68Xp7+TlmxCDfZ +C3qb18qrwAZ4AL3T9/RlzfkXh4ME9V6wqa5Y6j7Vwx5Ef2OHL+mnMnoNSXDLRh6j +45ky66su5dROpA== +-----END CERTIFICATE----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt b/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt new file mode 100644 index 0000000..35506b8 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/trusted_ca_dir_not_matching/not_matching_trusted_ca.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENDCCAxygAwIBAgIBAjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJOTDEL +MAkGA1UECBMCT1YxEzARBgNVBAoTCkFETGluayBJU1QxGTAXBgNVBAMTEElkZW50 +aXR5IENBIFRlc3QxJjAkBgkqhkiG9w0BCQEWF2luZm9AaXN0LmFkbGlua3RlY2gu +Y29tMB4XDTE4MDYxMzAwMDAwMFoXDTI3MDYxMDIzNTk1OVowfTELMAkGA1UEBhMC +TkwxCzAJBgNVBAgTAk9WMRMwEQYDVQQKEwpBRExpbmsgSVNUMSQwIgYDVQQDExtJ +ZGVudGl0eSBDQSBUZXN0IFdpdGggQ2hhaW4xJjAkBgkqhkiG9w0BCQEWF2luZm9A +aXN0LmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA1r8Q0V8ZVeBs8tPMF0N+JlBynl1Zn/89vwSsU4m7y6ixUcW/y3r12CMeA0cH +g6yOaOdHsZ8pRlPRwy9YmeOwLsMOUHAURP2uPiTjSf3pttUIf0jv602GyirNzoS7 +7mHiyTtV80ZMzZlLIJ3gaJJlG4DjitFuFcjv8sOmviFjkn1kOjkAz1nKgsCiHvvg +fcJlYPrtLfle9SzvZ3MTq4ob+/EFu9nt5bYYs7p7Br1TGWctUw98l2mSn/FhfDBw +9bb7ZhcKB7W6PGy2Os5AnkdTJKHoOQT+RmnHzPBhab0BoKuy8IhfW2GyqC8rL5Tm +/UVLUvnx4Zzqz//3IyA2FTb1HQIDAQABo4HJMIHGMAwGA1UdEwQFMAMBAf8wHQYD +VR0OBBYEFE1VQk0XOEk9F5hPhBLHp0rncJcJMB8GA1UdIwQYMBaAFER4R6N3MQ1W +l7gn+R8wwHloDCVZMA8GA1UdDwEB/wQFAwMH/4AwZQYDVR0lAQH/BFswWQYIKwYB +BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIBggr +BgEFBQcDCQYIKwYBBQUHAw0GCCsGAQUFBwMOBgcrBgEFAgMFMA0GCSqGSIb3DQEB +CwUAA4IBAQCbl7ed4p66G6WquxO7ceZFvYKn3kDErjCfXHcqHxBnA2xTpoZCGj95 +Qpirqo6N4UcLX5sn3CmgyVk0dYvlti/53FJgZ9XQDNxBuEYWPkY7vO+Uo0WdYpGz +ZDNIUQpiPMA7bHvwKldTIs77xxtnw9kbBU2k0xQyb2tdZNfD5YqSI1MeUtpEpNFW +sbC8+mQ3clzWpjF8eHH1fFSAmlJ+z1Uqmtt2FK0vRz+MQcpydwvpMnfqGdcwhGPQ +X4HZreLObjBA8KUEkUB3+rZXuELBgkk/c8/jRZl7QF5jJDLQCCLg7KoYBKN2GuTt +/dzeSnP7VZm/nTL8wpCvKgSOwOGgklf2 +-----END CERTIFICATE----- 
diff --git a/src/security/builtin_plugins/tests/validate_local_identity/etc/unrelated_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/etc/unrelated_identity_ca new file mode 100644 index 0000000..52cf047 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/etc/unrelated_identity_ca @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDpDCCAoygAwIBAgIJALE5lRKfYHAaMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV +BAYTAk5MMRMwEQYDVQQIDApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8w +DQYDVQQKDAZBRExJTksxGDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTAeFw0xODAy +MDkxNjIwNDNaFw0zODAyMDQxNjIwNDNaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI +DApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8wDQYDVQQKDAZBRExJTksx +GDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAN9/NbpJDHQYHh3cEByRxnHffxEe9Sapn08Ty5xYO8LDJ4V7vU32 +/7291fITiHaovOoCRHAbKTaTtqJO56aGY45HON6KIqxljLQJJVGW/Nf2PNSHmFix +6D6bsoSOTPyKYqBNT6lB7NMn4QBTcsiE61El8p9WLQZHoYQJK5Psf7wkBqGBz8he +bcDWXFn7kIgnsaLrh77w2wi/y0MqpPwyeRInoZfYknzVNdxCPgq7csBYDoMgOgkV +G60ECXojHKz1HI4n0V8L8lZluSSVRNR0xvPFgBqO7b+Re7xb6iO9TNsFeoiMMNyp +EwM99CqPO0RRrAPiC7IDgcNGjxhne9EJFGsCAwEAAaNjMGEwHQYDVR0OBBYEFCst +gj5Ecm3HU/N7wxJluFo5+6XUMB8GA1UdIwQYMBaAFCstgj5Ecm3HU/N7wxJluFo5 ++6XUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQCWibvYuPLpoNcsUdHbE7SnBbEQnDfBxBZN8xeWHwwAPEB+8eHhmIdZ +xDtCN61xr5QR+KzlEYFwKyHMp9GN3OPU1RndJrzaXz2ddAZVkBIvnQZ4JvFd+sBC +QQgEvL8GcwZPxnad/TRylM4ON3Kh0X9vfyrmWEoHephiE1LcENaFqcYr9xg3DJNh +XSrigMGZJ7IOHkvgaoneICOcYI42ZHS0fnt1G+01VKJXm3ndi5NL25GnOmlvV6yV ++1vcmdQc6YS8K8vHmrH4lX9iPfsOak6WSzzsXdqgpvyxtGJggcFaDTtmbWCAkJj0 +B7DMeaVlLClGQaKZZ7aexEx9se+IyLn2 +-----END CERTIFICATE----- diff --git a/src/security/builtin_plugins/tests/validate_local_identity/src/ca.crt b/src/security/builtin_plugins/tests/validate_local_identity/src/ca.crt new file mode 100644 index 0000000..426d312 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/src/ca.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkTCCAnmgAwIBAgIJAJvGJOEKNct1MA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV +BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxGDAWBgNVBAMMD0NIQU01MDAgcm9vdCBjYTAeFw0xODAy +MTIxNTA1MDVaFw0yMDEyMDIxNTA1MDVaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI +DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx +GDAWBgNVBAMMD0NIQU01MDAgcm9vdCBjYTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAM/dCO4QAcCduw0NMqShDpTvGT6DClTFAJE8ZfuPCHKqNkicRbyj +sVXfF35Sdo6K92Ksz4G7i1RqJU2n8c7hg2EFUza0lIGgmTHV/DvFBcbAa0PpvdKS +XoPtSNDh65/GO1R7oeSFRzapqsLMPUwOWi46dYvRnPabxs21xHxn56JeuG74bad5 +PMTBvA2SiiTYPBlHGJS78GPo3BPMjL0MzPoMmumO8NSVYI+MEDY1lC4KkyZVKqtV +nIfaO/7adcM19xOAfAHkwhLGBC/bVAEqelev+GH/42xjNv532nM4/JVtBns+msR5 +DAYdtr6i82b7zhU1+lOOihv4lmQHoSnTya8CAwEAAaNQME4wHQYDVR0OBBYEFFYr +0CpiwxgFcZnW6IQEhxGv/vwiMB8GA1UdIwQYMBaAFFYr0CpiwxgFcZnW6IQEhxGv +/vwiMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKbBt0ht72fdtxwm +Kr0pOsKyDW0Rd5Ca5aDK4qAhDL0AD5+O6ShGYCnFNDGk3J5Yzawp8VoKrhDZZyUt +z2b0jNucVapAvPMA4066QxeIfvFmWcS73l7vjjeUoKWmNNGWprTg3RLsacTorKuY +ZRL7wsThfrhvg4B/OOIWKp5MEwIrUfnQzUca8getF2eyTt6QcMtE29AW5+01QTzj +fxZgzkmJFYBE2K/TLMDBDd+bz/8XnmPrJ01VUntXiXenTGTcIbJerB6GYQojjvhy +ZrOeuHTON1ndFiQkpeZA67ByZjkKVoJG3I8fwBjzcLE7u/QAQptVPjJXXcSpL7fA +a1tOvqw= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/src/id.crt b/src/security/builtin_plugins/tests/validate_local_identity/src/id.crt new file mode 100644 index 0000000..7c03aae --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/src/id.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw +NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD +VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo +97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M +aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr +A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg +XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629 +V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr +ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT +liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD// +UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9 +3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt +988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359 +ihiEkx9zFUnPrdA= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/src/priv.pem b/src/security/builtin_plugins/tests/validate_local_identity/src/priv.pem new file mode 100644 index 0000000..b560f66 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/src/priv.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0Z5zZ1dz2a22cI8ZPnZEHDt6St8DL6AzQBzz4k310Vdioyx8 +bLiu8Ffhjx5l6Pe26LerwcTUDe4X8aAyy/igTvbN1fvDl+pTqxe4UOvuv6fRIEaM +jRqNtXiMxsHNjGiQCoyJjTGzOxQ074ZN7vlU0ybZZyryTNbYJ3GxGcES64v9jBAu +V0vzuRUE+AFz6wOm0XBjKglWLUNHIusHdfD3oAP60phkkX/0zneI2V5MXxw/mDpB +3Mcc/bF+Cp8joF2ZvIw3QXO68Yg3qfJCIy9OlbMyXqEK8Y7n/HDWbW6Jf+xAkuWj +NmDse7dA3P+tvVdkOcGkVQVecVQidAc1IfKyBQIDAQABAoIBAEddUpzUQTTS11Hq +5gVF7lpORYxH8KW+PLSPJtjdAduLjKFQ++tn1OcuhDRdfQSbkUIZhfgqMqerb6tr +ht+6fZlknR9E34pQ1LtjD/U83cOSNrhuTFudtrEZoZPpVzl+P8vXnNzdFs/+SSdi +6hV5/U8F4u4kyOkwG9cR9eF2wiI+oQ/RBKCXUo3OVs9K27A/OkKsb7coL7yBsgBj +lzorS9a/DyHT2eiMKjwCZFyG4A66EkLi6t9JLJ8oTkI2WskXYeVEAbEXE57RWm44 +2OgTI/Yc2yrtXq93KD17FN1m77dqp7EPAhjGnRHNq7+0Ykr1EO1nbDfqHG4gS+4o +lfP8iwECgYEA58da0R34l93yQnK0mAtoobwvsOjADnBVhBg9L4s2eDs8liUjf0zt +7hcMdUJaa7iMuNf3qGtnZtRURc3kSOE429Or7fCAYUr/AaA7+2ekPG1vjMb50tVv +se5rwb1hvgMYe2L5ktJJAg+RcmqpY+ncJ+hP/vWwZRxUKvXba50qqEkCgYEA54ZE +mJfSueGM/63xlhP71CM4OWtTqkQGp2OmgTOsBI5q/GUXr8vMR8sCEMHAc6HyXzmL +x/RnAoa/vTX58rXBk0QjfO9esIHa452697EIaJu5w8skCLDv2e/f+Jg7o/IDyUZs +5lqhiEuH9Qc3sx2nhnSYXMZWqwh8OchI7dCSE90CgYEAzrJ1JhpxUJYI7wM2VIWQ +GPQnH8BhTj8VtEidgCHJQK2rGUcjgepMIVECtiunUXtyW4GWBedKfmSKhvnXRLs9 +pqT9JaOeCaYFBiEsfMZvq8f4e/YSYtge1PIHvO40FWzTT23zneDUZPcXQY8nYsfy +otBFTt0yIumBkhJRTIYLvakCgYA+CcttvBj6OAcJJ/n5RgeP05QoRqsXj7zcs6YV +LtxkKClg0lHjiE+H2U0HYnOISJfijk/3V3UWxzavo7wDHlLtfC+qNZYA4/rcTRKh +dm2TYk8HuPJB5e+PTWiNe3VXu+zpzRY3L4fjNqIKtVFmjIasT6fYDEmC8PYgoZtx +JhdOfQKBgCD/bDkc+VI6lwQtoQQKiSfQjKGe+6Cw9K/obzWO0uJwBvZrGLXF8tTc +MOPIv9OILt7DYxpMXAiHv8HtzH5CFVrZ/nj63SRoka/j2yvUdBDrGhyIbsc4pDu+ +lCFa0ZiT/u5vRAiOkM6GuStH4HxnW9LtwBtiYXtfU7IPExJiAlsq +-----END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/src/remote b/src/security/builtin_plugins/tests/validate_local_identity/src/remote new file mode 100644 index 0000000..195709a --- /dev/null 
+++ b/src/security/builtin_plugins/tests/validate_local_identity/src/remote @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMzCCAhsCCQDn8i4K9c4ErzANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO +TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMzIzMTIw +MTE5WhcNMjMxMDMxMTIwMTE5WjBYMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMREwDwYD +VQQDDAhDSEFNLTU3NzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcc +IMlRp2EnOC/UIIOF2gm+wtsikv5CscDuyq9DA2QgS5TTKqivDAdOSUIcbVn8qb6/ +77viarmRXml3VHJdhR2abtY6xYKYF2SCFiyoNk6ITq+YBrCfmMh/bCYTD6c5vnl4 +SKomIArU1g1YAxHxHqZRX1oonldUdP4lqq+Qt6fllYFhHNAl5JjrrCuPpXmAW3pC +z4b3HWP/6vnbOFFMYkwGprVoAljcnAG7C7zSjW2M3RN4xA/z6Lps8qrPFB2iAXaP +ZnST1rkqctf2IDWVwloG0uJnqiigcIz6+hvf5VMU0ax+CrYqFGav/uwvPCiHcUkF +3a/O3z+4xGHaBagfHukCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAXZlNPz6raCBp +F+iyNWTGy27OyM/TZNE9QTPI28TQEmLfqCrRfq+uHhBQ3U9TgS3xX/f5b+BPHuaD +N6vl/yECAQa+0r33EFdoe8rGa0Mr5VvADcqPmk/sp9K62fRcP4aCgliDi8g9G8q1 +XNgO/EA9HhFlFKPzLPFMhq7qqPOQWO/EddoxA/qCMGZtN+TAxqLKVB0lipJoSa0x +XqtYvNWiaShPceSk4SAjAdpdhvxOpA/25uvFEISdt9zoqbs4eLUbi/9RFYaL8U4r +E+FygZMi31N6PC/Q7/tJ4DG20K/V30Y1+ogvSfdJpWk9L/CJj0VrzqJTVaKBIFVV +6PtqHPZiKA== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/src/unrelated_identity_ca b/src/security/builtin_plugins/tests/validate_local_identity/src/unrelated_identity_ca new file mode 100644 index 0000000..f2bec0c --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/src/unrelated_identity_ca 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDpDCCAoygAwIBAgIJALE5lRKfYHAaMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV +BAYTAk5MMRMwEQYDVQQIDApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8w +DQYDVQQKDAZBRExJTksxGDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTAeFw0xODAy +MDkxNjIwNDNaFw0zODAyMDQxNjIwNDNaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI +DApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8wDQYDVQQKDAZBRExJTksx +GDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAN9/NbpJDHQYHh3cEByRxnHffxEe9Sapn08Ty5xYO8LDJ4V7vU32 +/7291fITiHaovOoCRHAbKTaTtqJO56aGY45HON6KIqxljLQJJVGW/Nf2PNSHmFix +6D6bsoSOTPyKYqBNT6lB7NMn4QBTcsiE61El8p9WLQZHoYQJK5Psf7wkBqGBz8he +bcDWXFn7kIgnsaLrh77w2wi/y0MqpPwyeRInoZfYknzVNdxCPgq7csBYDoMgOgkV +G60ECXojHKz1HI4n0V8L8lZluSSVRNR0xvPFgBqO7b+Re7xb6iO9TNsFeoiMMNyp +EwM99CqPO0RRrAPiC7IDgcNGjxhne9EJFGsCAwEAAaNjMGEwHQYDVR0OBBYEFCst +gj5Ecm3HU/N7wxJluFo5+6XUMB8GA1UdIwQYMBaAFCstgj5Ecm3HU/N7wxJluFo5 ++6XUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQCWibvYuPLpoNcsUdHbE7SnBbEQnDfBxBZN8xeWHwwAPEB+8eHhmIdZ +xDtCN61xr5QR+KzlEYFwKyHMp9GN3OPU1RndJrzaXz2ddAZVkBIvnQZ4JvFd+sBC +QQgEvL8GcwZPxnad/TRylM4ON3Kh0X9vfyrmWEoHephiE1LcENaFqcYr9xg3DJNh +XSrigMGZJ7IOHkvgaoneICOcYI42ZHS0fnt1G+01VKJXm3ndi5NL25GnOmlvV6yV ++1vcmdQc6YS8K8vHmrH4lX9iPfsOak6WSzzsXdqgpvyxtGJggcFaDTtmbWCAkJj0 +B7DMeaVlLClGQaKZZ7aexEx9se+IyLn2 +-----END CERTIFICATE----- \ No newline at end of file diff --git a/src/security/builtin_plugins/tests/validate_local_identity/src/validate_local_identity_utests.c b/src/security/builtin_plugins/tests/validate_local_identity/src/validate_local_identity_utests.c new file mode 100644 index 0000000..b4c7067 --- /dev/null +++ b/src/security/builtin_plugins/tests/validate_local_identity/src/validate_local_identity_utests.c 
@@ -0,0 +1,2109 @@ +/** @file qos_utests.c + * @brief Unit tests for qos APIs + * + */ +/* CUnit includes. */ +#include +#include +#include "dds/ddsrt/environ.h" +#include "CUnit/CUnit.h" +#include "CUnit/Test.h" +#include "assert.h" + + +/* Test helper includes. */ +#include "common/src/loader.h" + + +#include "dds/security/dds_security_api.h" +#include +#include +#include +#include + +static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca"; +static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key"; +static const char * PROPERTY_PASSWORD = "dds.sec.auth.password"; +static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate"; +static const char * PROPERTY_TRUSTED_CA_DIR = "dds.sec.auth.trusted_ca_dir"; + +static const char *identity_certificate_filename = "identity_certificate"; +static const char *identity_certificate = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n" + "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n" + "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n" + "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n" + "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n" + "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n" + "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n" + "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n" + "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n" + "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n" + "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n" + 
"gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n" + "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n" + "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n" + "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n" + "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n" + "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n" + "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n" + "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n" + "-----END CERTIFICATE-----\n"; + +static const char *identity_ca_filename = "identity_ca"; +static const char *identity_ca = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n" + "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n" + "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n" + "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n" + "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n" + "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n" + "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n" + "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n" + "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n" + "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n" + "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n" + "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n" + "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n" + "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n" 
+ "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n" + "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n" + "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n" + "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n" + "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n" + "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n" + "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n" + "-----END CERTIFICATE-----\n"; + +static const char *private_key_filename = "private_key"; +static const char *private_key_pem = + "data:,-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n" + "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n" + "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n" + "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n" + "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n" + "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n" + "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n" + "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n" + "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n" + "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n" + "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n" + "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n" + "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n" + "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n" + "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n" + "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n" + "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n" + "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n" + "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n" + 
"pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n" + "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n" + "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n" + "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n" + "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n" + "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n" + "-----END RSA PRIVATE KEY-----\n"; + +static const char *unrelated_identity_ca_filename = "unrelated_identity_ca"; +static const char *unrelated_identity_ca = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIDpDCCAoygAwIBAgIJALE5lRKfYHAaMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV\n" + "BAYTAk5MMRMwEQYDVQQIDApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8w\n" + "DQYDVQQKDAZBRExJTksxGDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTAeFw0xODAy\n" + "MDkxNjIwNDNaFw0zODAyMDQxNjIwNDNaMF8xCzAJBgNVBAYTAk5MMRMwEQYDVQQI\n" + "DApPdmVyaWpzc2VsMRAwDgYDVQQHDAdIZW5nZWxvMQ8wDQYDVQQKDAZBRExJTksx\n" + "GDAWBgNVBAMMD0NIQU01MDAgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n" + "ADCCAQoCggEBAN9/NbpJDHQYHh3cEByRxnHffxEe9Sapn08Ty5xYO8LDJ4V7vU32\n" + "/7291fITiHaovOoCRHAbKTaTtqJO56aGY45HON6KIqxljLQJJVGW/Nf2PNSHmFix\n" + "6D6bsoSOTPyKYqBNT6lB7NMn4QBTcsiE61El8p9WLQZHoYQJK5Psf7wkBqGBz8he\n" + "bcDWXFn7kIgnsaLrh77w2wi/y0MqpPwyeRInoZfYknzVNdxCPgq7csBYDoMgOgkV\n" + "G60ECXojHKz1HI4n0V8L8lZluSSVRNR0xvPFgBqO7b+Re7xb6iO9TNsFeoiMMNyp\n" + "EwM99CqPO0RRrAPiC7IDgcNGjxhne9EJFGsCAwEAAaNjMGEwHQYDVR0OBBYEFCst\n" + "gj5Ecm3HU/N7wxJluFo5+6XUMB8GA1UdIwQYMBaAFCstgj5Ecm3HU/N7wxJluFo5\n" + "+6XUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB\n" + "CwUAA4IBAQCWibvYuPLpoNcsUdHbE7SnBbEQnDfBxBZN8xeWHwwAPEB+8eHhmIdZ\n" + "xDtCN61xr5QR+KzlEYFwKyHMp9GN3OPU1RndJrzaXz2ddAZVkBIvnQZ4JvFd+sBC\n" + "QQgEvL8GcwZPxnad/TRylM4ON3Kh0X9vfyrmWEoHephiE1LcENaFqcYr9xg3DJNh\n" + "XSrigMGZJ7IOHkvgaoneICOcYI42ZHS0fnt1G+01VKJXm3ndi5NL25GnOmlvV6yV\n" + "+1vcmdQc6YS8K8vHmrH4lX9iPfsOak6WSzzsXdqgpvyxtGJggcFaDTtmbWCAkJj0\n" + 
"B7DMeaVlLClGQaKZZ7aexEx9se+IyLn2\n" + "-----END CERTIFICATE-----\n"; + +static const char *invalid_identity_certificate_filename = "invalid_identity_certificate"; +static const char *invalid_identity_certificate = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIDNzCCAh8CCQDn8i4K9c4ErDANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO\n" + "TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\n" + "cyBQdHkgTHRkMRgwFgYDVTQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjEyMTUw\n" + "NjUxWhcNMTkwNjI3MTUwNjUxWjBcMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t\n" + "ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRUwEwYD\n" + "VQQDDAxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\n" + "AQDRnnNnV3PZrbZwjxk+dkQcO3pK3wMvoDNAHPPiTfXRV2KjLHxsuK7wV+GPHmXo\n" + "97bot6vBxNQN7hfxoDLL+KBO9s3V+8OX6lOrF7hQ6+6/p9EgRoyNGo21eIzGwc2M\n" + "aJAKjImNMbM7FDTvhk3u+VTTJtlnKvJM1tgncbEZwRLri/2MEC5XS/O5FQT4AXPr\n" + "A6bRcGMqCVYtQ0ci6wd18PegA/rSmGSRf/TOd4jZXkxfHD+YOkHcxxz9sX4KnyOg\n" + "XZm8jDdBc7rxiDep8kIjL06VszJeoQrxjuf8cNZtbol/7ECS5aM2YOx7t0Dc/629\n" + "V2Q5waRVBV5xVCJ0BzUh8rIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGlkxYLr\n" + "ZI/XNjDC6RFfSFRoDc+Xpcg+GsJKKbw2+btZvAD8z7ofL01yGru9oi6u2Yy/ZDKT\n" + "liZ+gtsD8uVyRkS2skq7BvPzvoYErLmSqwlrcCbeX8uHiN7C76ll9PFtSjnwPD//\n" + "UaNyZM5dJB2eBh4/prclix+RR/FWQzkPqEVLwMcFBmnPZ0mvR2tncjpZq476Qyl9\n" + "3jcmfms9qBfBPPjCdXqGEDgsTd2PpYRD2WDj/Ctl4rV7B2jnByullLUYIWGu0rYt\n" + "988waU5i8ie4t/TorBBLqQo/NO9jSXfEqcAnILPnv1QZanKzAAxSg7+FgFrsn359\n" + "ihiEkx9zFUnPrdA=\n" + "-----END CERTIFICATE-----\n"; + +static const char *invalid_identity_ca_filename = "invalid_identity_ca"; +static const char *invalid_identity_ca = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIDljCCAn6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UEBhMCTkwx\n" + "EzARBgNVBAgMCk92ZXJpanNzZWwxEDAOBgNVBAcMB0hlbmdlbG8xDzANBgNVBAoM\n" + "BkFETElOSzEYMBYGA1UEAwwPQ0hBTTUwMCBSb290IENBMB4XDTE4MDIwOTE2Mjky\n" + "MVoXDTI4MDIwNzE2MjkyMVowVTELMAkGA1UEBhMCTkwxEzARBgNVBAgMCk92ZXJp\n" + 
"anNzZWwxDzANBgNVBAoMBkFETElOSzEgMB4GA1UEAwwXQ0hBTTUwMCBJbnRlcm1l\n" + "ZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwucuU/L6N\n" + "iYxYJ7tyzcdzwXwYbr4GynZE4u2Sd7hcXrQGxTotm9BEhOZWscSGvH+UJSp0Vrb4\n" + "3zDppiJ76ys6PeSBw1PpxdO97fO+eAE5DoXRj0a9lmnjbsV6waZ2GxgYQNVmKqbI\n" + "uPDfW+jsmRcTO94s05GWQshHeiqxuEUAv3/Qe2vOhulrg4YDcXrIDWK93cr1EmRX\n" + "Eq3Ck+Fjwtk5wAk3TANv2XQkVfS80jYAurL8J+XC2kyYB7e8KO92zqlfVXXMC3NI\n" + "YDcq86bAI4NNMjVE2zIVheMLoOEXaV7KUTYfEQABZl76aWLDxjED9kf371tcrZzJ\n" + "6xZ1M/rPGNblAgMBAAGjZjBkMB0GA1UdDgQWBBQngrlZqhQptCR4p04zqHamYUx7\n" + "RTAfBgNVHSMEGDAWgBQrLYI+RHJtx1Pze8MSZbhaOful1DASBgNVHRMBAf8ECDAG\n" + "AQH/AgEAMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEAfMmiQ0tv\n" + "o3K3xwSS621tsfkijUTx920hAe1XYY2XKrG7a/MJBhStex5A3AfqPOY9UMihkBl9\n" + "3hgxOaddX9SAf2eLk2JLhqxZi1U/GVzT5h10AKLA5WUXIK4UGz3JRqhEm7V39t/N\n" + "G0LCdpWOZueezkfO6eGcAvOKthdd32a3zbn+rzzDHdsjzxhEEv8d8x1Xf4xH2dgk\n" + "HlpmpvXMfG/1aCzIpWGEPdkB7WR694GiCmh7hnFBiY+h1GFj2l5dThd51QqAlncM\n" + "u+NmlPCrFZL0ulwRFeo80KOwDpxkqgavDlP9irdWqM9VHybjGu0xFHCeElz9M6od\n" + "ym/MCh4ax7jDxg==\n" + "-----END CERTIFICATE-----\n"; + +static const char *identity_certificate_1024key = + "-----BEGIN CERTIFICATE-----\n" + "MIICrjCCAZYCCQDn8i4K9c4ErjANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJO\n" + "TDETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\n" + "cyBQdHkgTHRkMRgwFgYDVQQDDA9DSEFNNTAwIHJvb3QgY2EwHhcNMTgwMjE2MTAy\n" + "MzM2WhcNMjMwODA5MTAyMzM2WjBXMQswCQYDVQQGEwJOTDETMBEGA1UECAwKU29t\n" + "ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYD\n" + "VQQDDAdDSEFNNTY5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS5w0h8L70\n" + "hkreKchVbTzfz4CrBLY4iADNSqPx9uW7DxjeHyLbKT2eRViY/xPuPXQmfRim01QM\n" + "sZWKvFr6k9WMsJ6ItNtCyKS/beONqvXOddIu+4IhNzEGs5v4pTJAOzraoZcVmXnf\n" + "Mr9G/baMYfMG47JR5HaSHDI5esa2STHt4wIDAQABMA0GCSqGSIb3DQEBCwUAA4IB\n" + "AQBdZ2ijHYH8TkOGBqzsNwnNwPaDb/NA0vAO9T5kSOm8HA8vKHnNza+DeUJN+5P/\n" + "P4fLK7UZqpQN32MpvXL0068g99RLjAzAsEVn+0FTyc08r9p/KO/dxxdMKeET7Cpv\n" + 
"rMpu3W0A/EJptCQsTEZI0iqts7T2qQVXzoDlnUwEt3xdmKYJ9jbEq1UUCeexD3nP\n" + "LB+JtUtfGevVzIoBjHv0qA3ePA24jDUlx5bxFeoIDC4tEewvUG5ZekftsRdNe3fk\n" + "3LkwyK+4NN1ZCa2+S5SOAfjZA2o6qXiq/le0vWRgl7AHEgDr6w7xoRsw4K5dQ+0R\n" + "eKtsBC4XO1GqrNYdKuJb1MhI\n" + "-----END CERTIFICATE-----\n"; + +static const char *invalid_private_key_filename = "invalid_private_key"; +static const char *invalid_private_key = + "data:,-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEowIBAAKCAQEA0Z5zZ1dz2a22cI8ZPnZEHDt6St8DL6AzQBzz4k310Vdioyx8\n" + "bLiu8Ffhjx5l6Pe26LerwcTUDe4X8aAyy/igTvbN1fvDl+pTqxe4UOvuv6fRIEaM\n" + "jRqNtXiMxsHNjGiQCoyJjTGzOxQ074ZN7vlU0ybZZyryTNbYJ3GxGcES64v9jBAu\n" + "V0vzuRUE+AFz6wOm0XBjKglWLUNHIusHdfD3oAP60phkkX/0zneI2V5MXxw/mDpB\n" + "3Mcc/bF+Cp8joF2ZvIw3QXO68Yg3qfJCIy9OlbMyXqEK8Y7n/HDWbW6Jf+xAkuWj\n" + "NmDse7dA3P+tvVdkOcGkVQVecVQidAc1IfKyBQIDAQABAoIBAEddUpzUQTTS11Hq\n" + "5gVF7lpORYxH8KW+PLSPJtjdAduLjKAQ++tn1OcuhDRdfQSbkUIZhfgqMqerb6tr\n" + "ht+6fZlknR9E34pQ1LtjD/U83cOSNrhuTFudtrEZoZPpVzl+P8vXnNzdFs/+SSdi\n" + "6hV5/U8F4u4kyOkwG9cR9eF2wiI+oQ/RBKCXUo3OVs9K27A/OkKsb7coL7yBsgBj\n" + "lzorS9a/DyHT2eiMKjwCZFyG4A66EkLi6t9JLJ8oTkI2WskXYeVEAbEXE57RWm44\n" + "2OgTgfsgYgf2ftXq93KD17FN1m77dqp7EPAhjGnRHNq7+0Ykr1EO1nbDfqHG4gS+4o\n" + "lfP8iwECgYEA58da0R34l93yQnK0mAtoobwvsOjADnBVhBg9L4s2eDs8liUjf0zt\n" + "7hcMdUJaa7iMuNf3qGtnZtRURc3kSOE429Or7fCAYUr/AaA7+2ekPG1vjMb50tVv\n" + "se5rwb1hvgMYe2L5ktJJAg+RcmqpY+ncJ+hP/vWwZRxUKvXba50qqEkCgYEA54ZE\n" + "mJfSueGM/63xlhP71CM4OWtTqkQGp2OmgTOsBI5q/GUXr8vMR8sCEMHAc6HyXzmL\n" + "x/RnAoa/vTX58rXBk0QjfO9esIHa452697EIaJu5w8skCLDv2e/f+Jg7o/IDyUZs\n" + "5lqhiEuH9Qc3sx2nhnSYXMZWqwh8OchI7dCSE90CgYEAzrJ1JhpxUJYI7wM2VIWQ\n" + "GPQnH8BhTj8VtEidgCHJQK2rGUcjgepMIVECtiunUXtyW4GWBedKfmSKhvnXRLs9\n" + "pqT9JaOeCaYFBiEsfMZvqUY4e/YSYtge1PIHvO40FWzTT23zneDUZPcXQY8nYsfy\n" + "otBFTt0yIumBkhJRTIYLvakCgYA+CcttvBj6OAcJJ/n5RgeP05QoRqsXj7zcs6YV\n" + "LtxkKClg0lHjiE+H2U0HYnOISJfijk/3V3UWxzavo7wDHlLtfC+qNZYA4/rcTRKh\n" + 
"dm2TYk8HuPJB5e+PTWiNe3VXu+zpzRY3L4fjNqIKtVFmjIasT6fYDEmC8PYgoZtx\n" + "JhdOfQKBgCD/bDkc+VI6lwQtoQQKiSfQjKGe+6Cw9K/obzWO0uJwBvZrGLXF8tTc\n" + "MOPIv9OILt7DYxpMXAiHv8HtzH5CFVrZ/nj63Soka/j2yvUdBDrGhyIbsc4pDu+\n" + "lCFa0ZiT/u5vRAiOkM6GuStH4HxnW9LtwBtiYXtfU7IPExJiAlsq\n" + "-----END RSA PRIVATE KEY-----\n"; + +static const char *private_key_1024 = + "data:,-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXAIBAAKBgQDS5w0h8L70hkreKchVbTzfz4CrBLY4iADNSqPx9uW7DxjeHyLb\n" + "KT2eRViY/xPuPXQmfRim01QMsZWKvFr6k9WMsJ6ItNtCyKS/beONqvXOddIu+4Ih\n" + "NzEGs5v4pTJAOzraoZcVmXnfMr9G/baMYfMG47JR5HaSHDI5esa2STHt4wIDAQAB\n" + "AoGAQi7LijkYU3fJCsql2Vj8X2eogwJphHf5eHLR296U3QyxyxKOR6Q7d+1fDjQN\n" + "txeF2YYsND3hBFK+ENlm23eE7Z1tpWtnLNJ9OH84ZkPnqTnEcWsRddT/x9vKOPMz\n" + "eK8QNetD3AP5qXsjpIpgep1diWYHCyhMTAFISzvdtC7pvFECQQD2zoqwRtF26lzg\n" + "QPR02Z+L80R2VhpeLoqMIplT1bmlrPlDr/eIwvtu1eQFyGSASG2EFs1rucdJl7qu\n" + "SrJ+eyv1AkEA2sIjy8+RCk1uH8kEwYaMJ3dccqnpcMCZ1b3GncKl+ICmDCYcpfd5\n" + "rP5tX+GL3RVw370pUApJvrVTgOpAVHYjdwJAOYz8BhLdcS9BLQG4fy7n50h4pGd7\n" + "io6ru/Wtb0EdIybskP4NaJSe8L9rhnWuCcPZ1b1DdWVCtURuQYoliRzLqQJBAJWO\n" + "ZrSfKpS1jRVT89lu6ADPXLfTrBH2yvVS8ifG/HshUOQ7ZhidUWVQ6GvFoj46u1lr\n" + "VIQxFGu6QeV/wQ09W08CQHGkrZgu/FpS2tNvYmKNDHOna+dW452N5N81u5sRP1A8\n" + "x9pYC9xoOGE2E8v1ocMJDPoMe0yk1QSX9mjhhwYOy28=\n" + "-----END RSA PRIVATE KEY-----\n"; + +static const char *private_key_w_password_filename = "private_key_w_password"; +static const char *private_key_w_password = + "data:,-----BEGIN RSA PRIVATE KEY-----\n" + "Proc-Type: 4,ENCRYPTED\n" + "DEK-Info: AES-256-CBC,0C9C38C5678AECD200E024A9A5BC717A\n" + "\n" + "wbXYsR78o4DIaQbKsB4cwEFge79GMKbcMgIWK+9k86dPk09WZkj7JCSJXIxPLYOG\n" + "tFZrw/z86cakEhf90a4Moa1cwByrcFB+bpWoEqsx/C4javWxXMENbmQ5x8gDpmzT\n" + "qqLI7xnd2mYj7HcfE7eXi+Nub5w1tBxN0CWaxpR54ZVvfcPE6Od4SHGughdUN4AK\n" + "OdVIq5YuzMhuTDJKy+kGOtjH8pBWvo8S12T2UQEuusx5WUbEJ6m+E80aN7M6gCA+\n" + "XmNTt3PsV9PfZPL2Off/90gqTBdMhwn+sEVlqYG0TAnXZQEI8ZNtAGy77CFplqdT\n" + 
"SmI3x8Sza7lchEMFhRiayX9pMBPUlwckVPrCoMQ4b4WkHYoGLO7dNVAA8Osud46+\n" + "6MZKHStjdzwKz9MzWa7lXhXV+0sX5bcAzQexuE+wO8QQ/t5uwDmQHol0JVdRX8NB\n" + "/Exk6aT7mWajFvukXVirpUGWnEK2W+O8/VBzVZ7z69EjZ09Pu4Y/+cbX12LGSwMb\n" + "WVtnZY6BsrV++vikQuL3ByTBDPRHio2H8hThh1Kv8n5VEBUrk7tLUp3Z15cbfC6s\n" + "LDHX6kB2OKmmdqLOOMo4lToZfnrVK/dzeXFbtNH1POpR4/e5Nk0SyZrWo+E/AqIv\n" + "nLQ3fhLCPOB5rjAhuM8iXOwqn8HHNlv9j8mlgCcgwK7focYVc/IXARLOfFOjOA/s\n" + "EqMRbb/eKsC930NHBZkhlqRJKCwA37AMvnOhN4R0VOq/40K+62IUK9E1643KyWs0\n" + "vWk0rFY0OKorQXzI33lbBYZ5zHt8oxGNx3us+6jGP85iv8UEaO6FpgajEUn6Gzp/\n" + "wyvr1C/B/Hfr6eTbt4C6Fi5fMfZgM6VEcJuaFZnoC9tWdhlNsY1pwtPghMM7yBwc\n" + "1Ye0TxdF36exJWu1gXVTse1Vdc9i4QWpT2fbPQtcIgdtNk01K+2defie384IOnQQ\n" + "O8/SRsrnLRLV3IDFh/VBJS1ZVm8Zmt10yGgRwtYHntMkIopoFRWcm9/Gh3iBFKKH\n" + "OTVXxgKOUYk4qXG61N8k0M+TIdoOHZIha3Myis1tQVmA/b/4FRKPYgdrFijhXNLM\n" + "wwMHQOS14xBF2KBgaak7dMUWhGrClw1hc3HmMXuM+OLvxy+f8MC3JP2U5AuCs472\n" + "hc41KWxioqNMPVXZgVnHf3aEec+hBFceqYnlzG+E/Gagiufu8WMySaZgzXMRb5aV\n" + "x2OVcakSKrTC5EKbLDlZ6+1NRJht7wdSefh0o/Crc9LzcFqBL0Qp3WCvyY8gDVkQ\n" + "EGqoVYOE6Hz/NX5/17F1+5VuWT7nBWABHKFFriOoJ3VR9sZhp0HiMznZEF1AwVuZ\n" + "xHtDWQemfBywEQG23qbr+o7mQASh1zki8b4fP1HQmbHhaJarjwGdiVNIgcF7s7Qk\n" + "NYNcgsc1l0KuNHvredTnYwPhv3C08IBfjtd2H9u0A+AWl5RlR4GDfv2Jzbe/F8U+\n" + "0gxj8D2XWHlkbHIXKVk6jxj64xyNE1xB0Sv7gsDWpkaK6aw/zdsyxqiji4mThcYE\n" + "cRSl4y9CGZREaiyD8dk/uiqKfQ26c1gfOUDYS2fKjH5NKh4J80wQj0GvS6nHiDH4\n" + "-----END RSA PRIVATE KEY-----\n"; + +static const char *private_key_password ="CHAM569"; + +const char *ec_identity_certificate_filename = "ec_identity_certificate"; +const char *ec_identity_certificate = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIICOzCCAeGgAwIBAgICEAAwCgYIKoZIzj0EAwIwZTELMAkGA1UEBhMCTkwxEzAR\n" + "BgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2d5IEIu\n" + "Vi4xIDAeBgNVBAMMF0NIQU1fNTcwIENBIGNlcnRpZmljYXRlMB4XDTE5MDIxODEw\n" + "NTI0MVoXDTQ2MDcwNjEwNTI0MVowazELMAkGA1UEBhMCTkwxEzARBgNVBAgMClNv\n" + 
"bWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2d5IEIuVi4xJjAkBgNV\n" + "BAMMHUNIQU1fNTcwIElkZW50aXR5IGNlcnRpZmljYXRlMFkwEwYHKoZIzj0CAQYI\n" + "KoZIzj0DAQcDQgAEnbV79f5j2iTkDCbFMlVVs396YOoNViwKheBbhVoBG2n8I3mY\n" + "M9Zg1dmrHh16HsJfrTCbc0VAOdkH91mNRPZr46N7MHkwCQYDVR0TBAIwADAsBglg\n" + "hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O\n" + "BBYEFMZoftcgs1FL1FBUJhKGvpvqVaHqMB8GA1UdIwQYMBaAFHUuWr3OtGtMktK9\n" + "QnKSSydxn4ewMAoGCCqGSM49BAMCA0gAMEUCIQCyp777C9Tih7Asybj6ELAYS9xq\n" + "vFhV6CJGk9ixW1AXdwIgKs9CEPx+Ajk3RErPm6OaVcsVLRKGBn7UuCR6VxNItWk=\n" + "-----END CERTIFICATE-----\n"; + +const char *ec_private_key_filename = "ec_private_key"; +const char *ec_private_key = + "data:,-----BEGIN PRIVATE KEY-----\n" + "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgP3SnBXzcCc0uUEiG\n" + "0CPNdcV0hBewOnVoh4d9q9E5U5ihRANCAASdtXv1/mPaJOQMJsUyVVWzf3pg6g1W\n" + "LAqF4FuFWgEbafwjeZgz1mDV2aseHXoewl+tMJtzRUA52Qf3WY1E9mvj\n" + "-----END PRIVATE KEY-----\n"; + +static const char *ec_password ="CHAM-570"; + +const char *ec_private_key_w_password_filename = "ec_private_key_w_password"; +const char *ec_private_key_w_password = + "data:,-----BEGIN EC PRIVATE KEY-----\n" + "Proc-Type: 4,ENCRYPTED\n" + "DEK-Info: AES-256-CBC,11055B75D406068EB1FF850646228EA9\n" + "\n" + "GUnwN8e2gvUkopN3ak+2dK1dSTSKSJguers3h5C+qQDq57By933ijCCjUTu2LY/F\n" + "ERH6m8UD6H5ij/QDsXLx6tH/dFQ7An+Zao3eD2N2zquGED/OfTQJFv3gBKs4RUtg\n" + "66dfuv9mNSXt7Rnu9uBNtodm5JGifczdmIPHn0mNY2g=\n" + "-----END EC PRIVATE KEY-----"; + +const char *ec_identity_ca_filename = "ec_identity_ca"; +const char *ec_identity_ca = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIICEDCCAbegAwIBAgIJAPOifu8ejrRRMAoGCCqGSM49BAMCMGUxCzAJBgNVBAYT\n" + "Ak5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVjaG5v\n" + "bG9neSBCLlYuMSAwHgYDVQQDDBdDSEFNXzU3MCBDQSBjZXJ0aWZpY2F0ZTAeFw0x\n" + "OTAyMTgxMDQwMTZaFw00NjA3MDYxMDQwMTZaMGUxCzAJBgNVBAYTAk5MMRMwEQYD\n" + "VQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVjaG5vbG9neSBCLlYu\n" + 
"MSAwHgYDVQQDDBdDSEFNXzU3MCBDQSBjZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEG\n" + "CCqGSM49AwEHA0IABMXCYXBHEryADoYXMEE0Jw9aHlA7p3KVFzuypxuez0n7rKoX\n" + "k9kanNtrw5o2X4WSWKM7zkH4I6AU7xSAQgJN+8GjUDBOMB0GA1UdDgQWBBR1Llq9\n" + "zrRrTJLSvUJykksncZ+HsDAfBgNVHSMEGDAWgBR1Llq9zrRrTJLSvUJykksncZ+H\n" + "sDAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIHKRM3VeB2F7z3nJT752\n" + "gY5mNdj91ulmNX84TXA7UHNKAiA2ytpsV4OKURHkjyn1gnW48JDKtHGZF6/tMNvX\n" + "VrDITA==\n" + "-----END CERTIFICATE-----\n"; + + +const char *ec_identity_certificate_unsupported_filename = "ec_identity_certificate_unsupported"; +const char *ec_identity_certificate_unsupported = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIICFTCCAbygAwIBAgICEAEwCgYIKoZIzj0EAwIwWjELMAkGA1UEBhMCTkwxEzAR\n" + "BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5\n" + "IEx0ZDETMBEGA1UEAwwKQ0hBTTUwMF9DQTAeFw0xODAyMTkxMDMyMjRaFw0xOTAy\n" + "MTkxMDMyMjRaMGExCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\n" + "HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAYBgNVBAMMEUNIQU01\n" + "NjkgdW5zdXAga2V5MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEKt3HYPnDlEOS\n" + "zYqTzT2patyreLHN2Jty22KXwjaNAjgrwujdPr+MW38DsyBF5Yn9o3sweTAJBgNV\n" + "HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp\n" + "Y2F0ZTAdBgNVHQ4EFgQUG9MuQz3W/AKA98AyOKhI2af9I+0wHwYDVR0jBBgwFoAU\n" + "ACsYsaEsZfjfRVrj0IBmcsncVyMwCgYIKoZIzj0EAwIDRwAwRAIgfhisahVmgghI\n" + "GaaQavdKHpM/OTVODZPzYjky6Am+z08CIBidnuuznXrZtr78oy/tAES/7Lz8P5Iw\n" + "Q1y5Vo8CdXQQ\n" + "-----END CERTIFICATE-----\n"; + +const char *ec_private_key_unsupported_filename = "ec_private_key_unsupported"; +const char *ec_private_key_unsupported = + "data:,-----BEGIN PRIVATE KEY-----\n" + "MG8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEVTBTAgEBBBh8p6kwBS7jT86ctN33\n" + "Vs4vosHh7upPZBWhNAMyAAQq3cdg+cOUQ5LNipPNPalq3Kt4sc3Ym3LbYpfCNo0C\n" + "OCvC6N0+v4xbfwOzIEXlif0=\n" + "-----END PRIVATE KEY-----\n"; + + +const char *private_key_not_matching_filename = "private_key_not_matching"; +const char *private_key_not_matching = + 
"data:,-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEpgIBAAKCAQEAz90I7hABwJ27DQ0ypKEOlO8ZPoMKVMUAkTxl+48Icqo2SJxF\n" + "vKOxVd8XflJ2jor3YqzPgbuLVGolTafxzuGDYQVTNrSUgaCZMdX8O8UFxsBrQ+m9\n" + "0pJeg+1I0OHrn8Y7VHuh5IVHNqmqwsw9TA5aLjp1i9Gc9pvGzbXEfGfnol64bvht\n" + "p3k8xMG8DZKKJNg8GUcYlLvwY+jcE8yMvQzM+gya6Y7w1JVgj4wQNjWULgqTJlUq\n" + "q1Wch9o7/tp1wzX3E4B8AeTCEsYEL9tUASp6V6/4Yf/jbGM2/nfaczj8lW0Gez6a\n" + "xHkMBh22vqLzZvvOFTX6U46KG/iWZAehKdPJrwIDAQABAoIBAQDGvQsAsoU6aJSj\n" + "Ee9NwD903nZAcoG6MvEr65eGQWdOWre0DNYQWmH/PGH2AVohR3Tn/1oXK/03JJWt\n" + "/dkQeEVoyfKZ52Xl2mseXv3fF61CLk9gi2dWoWOEt6ZbMOZbyOiJCfvrxhIkjWwa\n" + "+7PPuBk5AePJXwy4LJCTtiq61418i2Bbl6JamytgxsiVK9kZXdN6JqEVYmweMpmR\n" + "T1mzi7lssyttBIXwG8ajStUteIYLyi8d+UX4S08EyV0VGL0p5+F8xTY1jVX/t6Y0\n" + "KbANJdjEab9mbndzbxprJlS08KBLgdnAO4w0nmINiaO2isXOLoV8SU3tTqHC3W7c\n" + "CCSKJdGBAoGBAP9vCSP1AaEjYa6sfEUgThpCo7PhRuOMEDb+4ldv9O+hzXv5I8td\n" + "gbDs1g3jyhb0yhW9uV9NsuKBtsmv1zYFswZDNbdr2S1VZPMpAx+SeLHQWy6HbU/t\n" + "oHoOO+l8erFVvR2uqit5rBDzN6/lh4SoQzYE9JDAnXJp9W0rKAdtBSLRAoGBANBT\n" + "AIErbPo4EuU13DaEa+EfoU4Abktyi+L8dpdoXMq6sHg3Mlhifr+ryoybrMMA3tmT\n" + "6ekBCSVThF0/+HAFRAJthnyBgUd0D710JDHro47Mg37CxU+V8JYqZJGHUSfqng7/\n" + "pM7LjM99VhigquH4PoDH4YpL8vnIeEMNmny4iER/AoGBAJj8k+jpUXSFkHfh7vwo\n" + "AR9RUmLmRmL6/KsztbTQ5U6xBjV+XqXq90ZUU1A2Yk+lhXPIEkK2crGfJy9dFfTR\n" + "LQxPLNkSyxyPzMqmgaxjOc6mEDap/hqlJDx2UgPh/kpAI+inOFyZnyj3wx6ixqv5\n" + "a2frR996vdJNDCW6d1sbPLxBAoGBAMO66IN0UJy76Izw0Olr+4v10vFdmENM6T+o\n" + "IqhZBq33P+yDN8sxJ5NgjhsT/Pruq3LT9XbVYUlvsbKHcx2U5PQ/AZejedqvokZH\n" + "g+ZfVjnJz1ZfG1GOOBBu3jSZZdfSKRVAfhFJ0A/229ihxEwxmFAY/MCaYTzsbInb\n" + "kyXRnz5zAoGBAIT9Fuk7zhfubYvkzIQ0kj/IxL3QohVRKcoGapDMSwNjTvxZdKxF\n" + "WXkhhJT095QznHP1fhp90fBKlOdsReDWfZXMYtZTqo2+ezK8qb6xMlm+LE09y+Na\n" + "f7pp1EPnIqyEX27B4aQ81M8tkCqbdlv3CdjFSusp6SsWTGTjr/5SAMDS\n" + "-----END RSA PRIVATE KEY-----\n"; + +static struct plugins_hdl *plugins = NULL; +static dds_security_authentication *auth = NULL; + + +CU_Init(ddssec_builtin_validate_local_identity) +{ + 
/* Only need the authentication plugin. */ + plugins = load_plugins(NULL /* Access Control */, + &auth /* Authentication */, + NULL /* Cryptograpy */); + return plugins ? 0 : -1; +} + + +CU_Clean(ddssec_builtin_validate_local_identity) +{ + unload_plugins(plugins); + return 0; +} + + +static void +dds_security_property_init( + DDS_Security_PropertySeq *seq, + DDS_Security_unsigned_long size) +{ + seq->_length = size; + seq->_maximum = size; + seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t)); + memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t)); +} + +static void +dds_security_property_deinit( + DDS_Security_PropertySeq *seq) +{ + uint32_t i; + + for (i = 0; i < seq->_length; i++) { + ddsrt_free(seq->_buffer[i].name); + ddsrt_free(seq->_buffer[i].value); + } + ddsrt_free(seq->_buffer); +} + +static void +print_guid( + const char *msg, + DDS_Security_GUID_t *guid) +{ + uint32_t i, j; + + printf("%s=", msg); + for (i = 0; i < 3; i++) { + for (j = 0; j < 4; j++) { + printf("%02x", guid->prefix[i*4+j]); + } + printf(":"); + } + for (i = 0; i < 3; i++) { + printf("%02x", guid->entityId.entityKey[i]); + } + printf(":%02x\n", guid->entityId.entityKind); +} + +static void +reset_exception( + DDS_Security_SecurityException *ex) +{ + ex->code = 0; + ex->minor_code = 0; + ddsrt_free(ex->message); + ex->message = NULL; +} + +static void fill_participant_qos(DDS_Security_Qos *participant_qos, + bool is_file_certificate, const char *certificate, + bool is_file_ca, const char *ca, + bool is_file_private_key, const char *private_key, + const char* password, + const char* trusted_ca_dir){ + + char identity_cert_path[1024]; + char identity_CA_path[1024]; + char private_key_path[1024]; + char trusted_ca_dir_path[1024]; + unsigned size = 3; + + password ? size++ : size; + trusted_ca_dir ? 
size++ : size; + + memset(participant_qos, 0, sizeof(*participant_qos)); + dds_security_property_init(&participant_qos->property.value, size); + + participant_qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT); + participant_qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA); + participant_qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY); + + + if( is_file_certificate){ +#ifdef WIN32 + snprintf(identity_cert_path, 1024, "file:%s\\validate_local_identity\\etc\\%s", CONFIG_ENV_TESTS_DIR, certificate); +#else + snprintf(identity_cert_path, 1024, "file:%s/validate_local_identity/etc/%s", CONFIG_ENV_TESTS_DIR, certificate); +#endif + participant_qos->property.value._buffer[0].value = ddsrt_strdup(identity_cert_path); + } + else{ + participant_qos->property.value._buffer[0].value = ddsrt_strdup(certificate); + } + + if( is_file_ca){ +#ifdef WIN32 + snprintf(identity_CA_path, 1024, "file:%s\\validate_local_identity\\etc\\%s", CONFIG_ENV_TESTS_DIR,ca); +#else + snprintf(identity_CA_path, 1024, "file:%s/validate_local_identity/etc/%s", CONFIG_ENV_TESTS_DIR,ca); +#endif + participant_qos->property.value._buffer[1].value = ddsrt_strdup(identity_CA_path); + } + else { + participant_qos->property.value._buffer[1].value = ddsrt_strdup(ca); + } + + if( is_file_private_key){ + #ifdef WIN32 + snprintf(private_key_path, 1024, "file:%s\\validate_local_identity\\etc\\%s", CONFIG_ENV_TESTS_DIR,private_key); + #else + snprintf(private_key_path, 1024, "file:%s/validate_local_identity/etc/%s", CONFIG_ENV_TESTS_DIR, private_key); + #endif + participant_qos->property.value._buffer[2].value = ddsrt_strdup(private_key_path); + } + else{ + participant_qos->property.value._buffer[2].value = ddsrt_strdup(private_key); + } + + if( password ){ + participant_qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PASSWORD); + participant_qos->property.value._buffer[3].value = ddsrt_strdup(password); + } + + if( trusted_ca_dir 
){ + #ifdef WIN32 + snprintf(trusted_ca_dir_path, 1024, "%s\\validate_local_identity\\etc\\%s", CONFIG_ENV_TESTS_DIR,trusted_ca_dir); + #else + snprintf(trusted_ca_dir_path, 1024, "%s/validate_local_identity/etc/%s", CONFIG_ENV_TESTS_DIR, trusted_ca_dir); + #endif + participant_qos->property.value._buffer[size-1].name = ddsrt_strdup(PROPERTY_TRUSTED_CA_DIR); + participant_qos->property.value._buffer[size-1].value = ddsrt_strdup(trusted_ca_dir_path); + } + + +} + +CU_Test(ddssec_builtin_validate_local_identity,happy_day) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_GUID_t adjusted_participant_guid; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_GUID_t candidate_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb}; + DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1}; + DDS_Security_boolean success; + + /* Check if we actually have the validate_local_identity() function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (auth->validate_local_identity != NULL); + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, false, identity_certificate, + false, identity_ca, + false, private_key_pem, + NULL, + NULL); + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. */ + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + + print_guid("adjusted_participant_guid", &adjusted_participant_guid); + CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + success = auth->return_identity_handle(auth, local_identity_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + + /* validate with file */ + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, true, identity_certificate_filename, + true, identity_ca_filename, + true, private_key_filename, + NULL, + NULL); + + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. 
*/ + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + + print_guid("adjusted_participant_guid", &adjusted_participant_guid); + CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + success = auth->return_identity_handle(auth, local_identity_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); + + + + +} + +CU_Test(ddssec_builtin_validate_local_identity,invalid_certificate) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_GUID_t adjusted_participant_guid; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_GUID_t candidate_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb}; + DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1}; + + /* Check if we actually have the validate_local_identity() function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (auth->validate_local_identity != NULL); + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, false, invalid_identity_certificate, + false, identity_ca, + false, private_key_pem, + NULL, + NULL); + + /* Now call the function. 
*/ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. */ + CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + /* test with file */ + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, true, invalid_identity_certificate_filename, + false, identity_ca, + false, private_key_pem, + NULL, + NULL); + + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. 
*/ + CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); +} + + +CU_Test(ddssec_builtin_validate_local_identity,invalid_root) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_GUID_t adjusted_participant_guid; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_GUID_t candidate_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb}; + DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1}; + + /* Check if we actually have the validate_local_identity() function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (auth->validate_local_identity != NULL); + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, false, identity_certificate, + false, invalid_identity_ca, + false, private_key_pem, + NULL, + NULL); + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. 
*/ + CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + /* test with file */ + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, false, identity_certificate, + true, invalid_identity_ca_filename, + false, private_key_pem, + NULL, + NULL); + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. */ + CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); +} + +CU_Test(ddssec_builtin_validate_local_identity,invalid_chain) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_GUID_t adjusted_participant_guid; + DDS_Security_DomainId domain_id = 0; + DDS_Security_Qos participant_qos; + DDS_Security_GUID_t candidate_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb}; + DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1}; + + /* Check if we actually have the validate_local_identity() function. 
*/ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (auth->validate_local_identity != NULL); + + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, false, identity_certificate, + false, unrelated_identity_ca, + false, private_key_pem, + NULL, + NULL); + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. */ + CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + dds_security_property_deinit(&participant_qos.property.value); + reset_exception(&exception); + + /* test with file input*/ + memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid)); + memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix)); + memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId)); + + fill_participant_qos(&participant_qos, false, identity_certificate, + true, unrelated_identity_ca_filename, + false, private_key_pem, + NULL, + NULL); + /* Now call the function. */ + result = auth->validate_local_identity( + auth, + &local_identity_handle, + &adjusted_participant_guid, + domain_id, + &participant_qos, + &candidate_participant_guid, + &exception); + + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + /* We expected the validation to have succeeded. 
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,certificate_key_to_small)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate_1024key,
+ false, identity_ca,
+ false, private_key_pem,
+ NULL,
+ NULL);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+
+CU_Test(ddssec_builtin_validate_local_identity,invalid_private_key)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ false, invalid_private_key,
+ NULL,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ /*test with file input */
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ true, invalid_private_key_filename,
+ NULL,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+
+CU_Test(ddssec_builtin_validate_local_identity,private_key_to_small)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function.
*/
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ false, private_key_1024,
+ NULL,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+
+CU_Test(ddssec_builtin_validate_local_identity,missing_certificate_property)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function.
*/
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 3);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup("dds.sec.auth.identity_cert");
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key_1024);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT_FATAL (exception.message != NULL);
+ CU_ASSERT(strcmp(exception.message, "validate_local_identity: missing property 'dds.sec.auth.identity_certificate'") == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+
+CU_Test(ddssec_builtin_validate_local_identity,missing_ca_property)
+{
+ DDS_Security_ValidationResult_t result;
+
+ /* Dummy (even un-initialized) data for now.
*/
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 3);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup("dds.sec.auth.identit_ca");
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key_1024);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT_FATAL (exception.message != NULL);
+ CU_ASSERT(strcmp(exception.message, "validate_local_identity: missing property 'dds.sec.auth.identity_ca'") == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,missing_private_key_property)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 2);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+
+ /* Now call the function.
*/
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT_FATAL (exception.message != NULL);
+ CU_ASSERT(strcmp(exception.message, "validate_local_identity: missing property 'dds.sec.auth.private_key'") == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,unsupported_certification_format)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+ char *cert;
+ size_t len;
+
+ /* Check if we actually have the validate_local_identity() function.
*/
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ len = strlen("uri:") + strlen(&identity_certificate[6]) + 1;
+ cert = ddsrt_malloc(len);
+
+ snprintf(cert, len, "uri:%s", &identity_certificate[6]);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, cert,
+ false, identity_ca,
+ false, private_key_pem,
+ NULL, NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ ddsrt_free(cert);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,encrypted_key)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function.
*/
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ false, private_key_w_password,
+ private_key_password, NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ print_guid("adjusted_participant_guid", &adjusted_participant_guid);
+ CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ /* test with file */
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ true, private_key_w_password_filename,
+ private_key_password, NULL);
+ /* Now call the function.
*/
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ print_guid("adjusted_participant_guid", &adjusted_participant_guid);
+ CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,encrypted_key_no_password)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ false, private_key_w_password,
+ NULL,
+ NULL);
+ /* Now call the function.
*/
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ /*test with file */
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ true, private_key_w_password_filename,
+ NULL,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,encrypted_key_invalid_password)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ false, private_key_w_password,
+ "invalid",
+ NULL);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ /*test with file */
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ true, private_key_w_password_filename,
+ "invalid",
+ NULL);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,happy_day_eliptic)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+ DDS_Security_boolean success;
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, ec_identity_certificate,
+ false, ec_identity_ca,
+ false, ec_private_key,
+ NULL,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ print_guid("adjusted_participant_guid", &adjusted_participant_guid);
+ CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ /* test with file */
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, true, ec_identity_certificate_filename,
+ true, ec_identity_ca_filename,
+ true, ec_private_key_filename,
+ NULL,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ print_guid("adjusted_participant_guid", &adjusted_participant_guid);
+ CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+}
+
+
+CU_Test(ddssec_builtin_validate_local_identity,encrypted_ec_key)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, ec_identity_certificate,
+ false, ec_identity_ca,
+ false, ec_private_key_w_password,
+ ec_password,
+ NULL);
+ /* Now call the function.
*/
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ print_guid("adjusted_participant_guid", &adjusted_participant_guid);
+ CU_ASSERT_FATAL (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ /* test with file */
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, ec_identity_certificate,
+ false, ec_identity_ca,
+ true, ec_private_key_w_password_filename,
+ ec_password,
+ NULL);
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded.
*/
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,elliptic_unsupported_certificate)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 3);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(ec_identity_certificate_unsupported);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(ec_identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(ec_private_key);
+
+ /* Now call the
function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,elliptic_unsupported_private_key)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. 
*/
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 3);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(ec_identity_certificate);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(ec_identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(ec_private_key_unsupported);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. 
*/
+ CU_ASSERT (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_validate_local_identity,return_freed_handle)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+ DDS_Security_boolean success;
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 3);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key_pem);
+
+ /* Now call the function. 
*/
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ print_guid("adjusted_participant_guid", &adjusted_participant_guid);
+ CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ CU_ASSERT_FATAL (success);
+
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ CU_ASSERT_FALSE (success);
+ CU_ASSERT (exception.minor_code != 0);
+ CU_ASSERT (exception.message != NULL);
+
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+}
+
+
+CU_Test(ddssec_builtin_validate_local_identity,no_file)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ /* validate with file */
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, true, identity_certificate_filename,
+ false, identity_ca,
+ true, "invalid_filename",
+ NULL,
+ NULL);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. 
*/
+ CU_ASSERT_FATAL (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT_FATAL (local_identity_handle == DDS_SECURITY_HANDLE_NIL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, true, identity_certificate_filename,
+ true, "invalid_filename",
+ true, private_key_filename,
+ NULL,
+ NULL);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT_FATAL (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT_FATAL (local_identity_handle == DDS_SECURITY_HANDLE_NIL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, true, "invalid_filename",
+ true, identity_ca_filename,
+ false, private_key_pem,
+ NULL,
+ NULL);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT_FATAL (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT_FATAL (local_identity_handle == DDS_SECURITY_HANDLE_NIL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+
+}
+
+/* TODO: Should be enabled after implementing trusted ca dir parsing*/
+#if(0)
+CU _ Test(validate_local_identity,with_extended_certificate_check)
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_GUID_t adjusted_participant_guid;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb};
+ DDS_Security_EntityId_t entityId = {{0xa0,0xa1,0xa2},0x1};
+ DDS_Security_boolean success;
+
+ /* Check if we actually have the validate_local_identity() function. */
+ CU_ASSERT_FATAL (auth != NULL);
+ CU_ASSERT_FATAL (auth->validate_local_identity != NULL);
+
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, false, identity_certificate,
+ false, identity_ca,
+ false, private_key,
+ NULL,
+ "trusted_ca_dir");
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+
+ print_guid("adjusted_participant_guid", &adjusted_participant_guid);
+ CU_ASSERT (memcmp(&adjusted_participant_guid.entityId, &entityId, sizeof(entityId)) == 0);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ reset_exception(&exception);
+
+ /* validate with file */
+ memset(&adjusted_participant_guid, 0, sizeof(adjusted_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ fill_participant_qos(&participant_qos, true, identity_certificate_filename,
+ true, identity_ca_filename,
+ true, private_key_filename,
+ NULL,
+ "trusted_ca_dir_not_matching");
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &adjusted_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+
+ /* We expected the validation to have succeeded. */
+ CU_ASSERT_FATAL (result != DDS_SECURITY_VALIDATION_OK);
+ CU_ASSERT (local_identity_handle == DDS_SECURITY_HANDLE_NIL);
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+
+}
+#endif
\ No newline at end of file
diff --git a/src/security/builtin_plugins/tests/validate_remote_identity/src/validate_remote_identity_utests.c b/src/security/builtin_plugins/tests/validate_remote_identity/src/validate_remote_identity_utests.c
new file mode 100644
index 0000000..6cbb267
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_identity/src/validate_remote_identity_utests.c 
@@ -0,0 +1,1140 @@
+
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_serialize.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/string.h"
+#include
+#include
+#include "dds/ddsrt/environ.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "assert.h"
+
+
+/* Test helper includes. */
+#include "common/src/loader.h"
+
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+
+static const char * AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0";
+
+static const char * PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char * PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char * PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+
+static const char * PROPERTY_CERT_SUBJECT_NAME = "dds.cert.sn";
+static const char * PROPERTY_CERT_ALGORITHM = "dds.cert.algo";
+static const char * PROPERTY_CA_SUBJECT_NAME = "dds.ca.sn";
+static const char * PROPERTY_CA_ALGORITHM = "dds.ca.aglo";
+
+static const char * SUBJECT_NAME_IDENTITY_CERT = "CN=CHAM-574 client,O=Some Company,ST=Some-State,C=NL";
+static const char * SUBJECT_NAME_IDENTITY_CA = "CN=CHAM-574 authority,O=Some Company,ST=Some-State,C=NL";
+
+static const char * SUBJECT_NAME_IDENTITY_CERT_2 = "CN=CHAM-574_1 client,O=Some Company,ST=Some-State,C=NL";
+static const char * SUBJECT_NAME_IDENTITY_CA_2 = "CN=CHAM-574_1 authority,O=Some Company,ST=Some-State,C=NL";
+
+
+static const char * RSA_2048_ALGORITHM_NAME = "RSA-2048";
+//static const char * EC_PRIME256V1_ALGORITHM_NAME = "EC-prime256v1";
+
+static const char * AUTH_REQUEST_TOKEN_CLASS_ID = "DDS:Auth:PKI-DH:1.0+AuthReq";
+static const char * AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME = "future_challenge";
+
+static const char *identity_certificate =
+ "data:,-----BEGIN CERTIFICATE-----\n"
+ 
"MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n" + "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n" + "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n" + "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n" + "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n" + "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n" + "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n" + "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n" + "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n" + "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n" + "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n" + "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n" + "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n" + "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n" + "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n" + "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n" + "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n" + "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n" + "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n" + "-----END CERTIFICATE-----\n"; + + +static const char *identity_ca = + "data:,-----BEGIN CERTIFICATE-----\n" + "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n" + "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n" + "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n" + 
"MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n" + "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n" + "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n" + "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n" + "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n" + "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n" + "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n" + "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n" + "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n" + "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n" + "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n" + "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n" + "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n" + "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n" + "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n" + "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n" + "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n" + "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n" + "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n" + "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n" + "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n" + "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n" + "-----END CERTIFICATE-----\n"; + + +static const char *private_key = + "data:,-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n" + "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n" + "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n" + "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n" + 
"psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n" + "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n" + "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n" + "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n" + "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n" + "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n" + "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n" + "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n" + "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n" + "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n" + "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n" + "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n" + "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n" + "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n" + "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n" + "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n" + "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n" + "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n" + "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n" + "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n" + "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n" + "-----END RSA PRIVATE KEY-----\n"; + + + + + +static struct plugins_hdl *plugins = NULL; +static dds_security_authentication *auth = NULL; +static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL; +static DDS_Security_GUID_t local_participant_guid; + +static void +dds_security_property_init( + DDS_Security_PropertySeq *seq, + DDS_Security_unsigned_long size) +{ + seq->_length = size; + seq->_maximum = size; + seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t)); + 
memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void
+dds_security_property_deinit(
+ DDS_Security_PropertySeq *seq)
+{
+ uint32_t i;
+
+ for (i = 0; i < seq->_length; i++) {
+ ddsrt_free(seq->_buffer[i].name);
+ ddsrt_free(seq->_buffer[i].value);
+ }
+ ddsrt_free(seq->_buffer);
+}
+
+static void
+reset_exception(
+ DDS_Security_SecurityException *ex)
+{
+ ex->code = 0;
+ ex->minor_code = 0;
+ ddsrt_free(ex->message);
+ ex->message = NULL;
+}
+
+static void
+initialize_identity_token(
+ DDS_Security_IdentityToken *token,
+ const char *certAlgo,
+ const char *caAlgo)
+{
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+ token->properties._maximum = 4;
+ token->properties._length = 4;
+ token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+
+ token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CERT);
+ token->properties._buffer[0].propagate = true;
+
+ token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM);
+ token->properties._buffer[1].value = ddsrt_strdup(certAlgo);
+ token->properties._buffer[1].propagate = true;
+
+ token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME);
+ token->properties._buffer[2].value = ddsrt_strdup(SUBJECT_NAME_IDENTITY_CA);
+ token->properties._buffer[2].propagate = true;
+
+ token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM);
+ token->properties._buffer[3].value = ddsrt_strdup(caAlgo);
+ token->properties._buffer[3].propagate = true;
+}
+
+static void
+initialize_identity_token_w_sn(
+ DDS_Security_IdentityToken *token,
+ const char *certSubjName,
+ const char *certAlgo,
+ const char *caSubjName,
+ const char *caAlgo)
+{
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+ token->properties._maximum = 4;
+ token->properties._length = 4;
+ 
token->properties._buffer = DDS_Security_PropertySeq_allocbuf(4);
+
+ token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_CERT_SUBJECT_NAME);
+ token->properties._buffer[0].value = ddsrt_strdup(certSubjName);
+ token->properties._buffer[0].propagate = true;
+
+ token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_CERT_ALGORITHM);
+ token->properties._buffer[1].value = ddsrt_strdup(certAlgo);
+ token->properties._buffer[1].propagate = true;
+
+ token->properties._buffer[2].name = ddsrt_strdup(PROPERTY_CA_SUBJECT_NAME);
+ token->properties._buffer[2].value = ddsrt_strdup(caSubjName);
+ token->properties._buffer[2].propagate = true;
+
+ token->properties._buffer[3].name = ddsrt_strdup(PROPERTY_CA_ALGORITHM);
+ token->properties._buffer[3].value = ddsrt_strdup(caAlgo);
+ token->properties._buffer[3].propagate = true;
+}
+
+static void
+deinitialize_identity_token(
+ DDS_Security_IdentityToken *token)
+{
+ DDS_Security_DataHolder_deinit(token);
+}
+
+
+static int
+create_local_identity(void)
+{
+ int res = 0;
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_DomainId domain_id = 0;
+ DDS_Security_Qos participant_qos;
+ DDS_Security_GUID_t candidate_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+ DDS_Security_EntityId_t entityId = {{0xb0,0xb1,0xb2},0x1};
+
+ memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+ memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+ memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+ memset(&participant_qos, 0, sizeof(participant_qos));
+ dds_security_property_init(&participant_qos.property.value, 3);
+ participant_qos.property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+ participant_qos.property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+ participant_qos.property.value._buffer[1].name 
= ddsrt_strdup(PROPERTY_IDENTITY_CA);
+ participant_qos.property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+ participant_qos.property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+ participant_qos.property.value._buffer[2].value = ddsrt_strdup(private_key);
+
+ /* Now call the function. */
+ result = auth->validate_local_identity(
+ auth,
+ &local_identity_handle,
+ &local_participant_guid,
+ domain_id,
+ &participant_qos,
+ &candidate_participant_guid,
+ &exception);
+
+ if (result != DDS_SECURITY_VALIDATION_OK) {
+ res = -1;
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ dds_security_property_deinit(&participant_qos.property.value);
+ reset_exception(&exception);
+
+ return res;
+}
+
+static void
+clear_local_identity(void)
+{
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+ DDS_Security_boolean success;
+
+ if (local_identity_handle != DDS_SECURITY_HANDLE_NIL) {
+ success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing");
+ }
+ reset_exception(&exception);
+ }
+}
+
+static int
+check_auth_request_token(
+ DDS_Security_AuthRequestMessageToken *token,
+ int notNil)
+{
+ if (notNil) {
+ if (!token->class_id ||
+ (strcmp(token->class_id, AUTH_REQUEST_TOKEN_CLASS_ID) != 0)) {
+ printf("AuthRequestMessageToken has invalid class_id\n");
+ return 0;
+ }
+
+ if (token->binary_properties._length != 1 ||
+ token->binary_properties._buffer == NULL) {
+ printf("AuthRequestMessageToken has binary_properties\n");
+ return 0;
+ }
+
+ if (!token->binary_properties._buffer[0].name ||
+ (strcmp(token->binary_properties._buffer[0].name, AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME) != 0)) {
+ printf("AuthRequestMessageToken has invalid property name\n");
+ return 0;
+ }
+
+ if (token->binary_properties._buffer[0].value._length != 32 ||
+ token->binary_properties._buffer[0].value._buffer == NULL) {
+ printf("AuthRequestMessageToken has invalid property value\n");
+ return 0;
+ }
+ } else {
+ if ((strlen(token->class_id) != 0) ||
+ (token->properties._length != 0) ||
+ (token->properties._maximum != 0) ||
+ (token->binary_properties._buffer != NULL) ||
+ (token->binary_properties._length != 0) ||
+ (token->binary_properties._maximum != 0) ||
+ (token->binary_properties._buffer != NULL) ) {
+ printf("AuthRequestMessageToken is not a TokenNil\n");
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static void
+fill_auth_request_token(
+ DDS_Security_AuthRequestMessageToken *token)
+{
+ uint32_t i;
+ uint32_t len = 32;
+ unsigned char *challenge;
+
+ challenge = ddsrt_malloc(len);
+
+ for (i = 0; i < len; i++) {
+ challenge[i] = (unsigned char)(0xFF - i);
+ }
+
+ memset(token, 0, sizeof(*token));
+
+ token->class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID);
+ token->binary_properties._maximum = 1;
+ token->binary_properties._length = 1;
+ token->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(1);
+ token->binary_properties._buffer->name = 
ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME);
+
+ token->binary_properties._buffer->value._maximum = len;
+ token->binary_properties._buffer->value._length = len;
+ token->binary_properties._buffer->value._buffer = challenge;
+}
+
+
+static void
+set_remote_participant_guid(
+ DDS_Security_GUID_t *guid,
+ int higher)
+{
+ int i;
+
+ memcpy(guid, &local_participant_guid, sizeof(*guid));
+
+ for (i = 0; i < 12; i++) {
+ int index = (i + 4) % 12;
+ if (higher) {
+ if (guid->prefix[index] < 0xFF) {
+ guid->prefix[index]++;
+ /*NOTE: It was giving warning ("unsigned char from ‘int’ may alter its value") with below
+ guid->prefix[index] += 1;
+ */
+ break;
+ }
+ } else {
+ if (guid->prefix[index] > 0) {
+ guid->prefix[index]--;
+ /*NOTE: It was giving warning ("unsigned char from ‘int’ may alter its value") with below
+ guid->prefix[index] -= 1;
+ */
+ break;
+ }
+ }
+ }
+}
+
+
+CU_Init(ddssec_builtin_validate_remote_identity)
+{
+ int res = 0;
+
+ /* Only need the authentication plugin. */
+ plugins = load_plugins(NULL /* Access Control */,
+ &auth /* Authentication */,
+ NULL /* Cryptograpy */);
+ if (plugins) {
+ res = create_local_identity();
+ } else {
+ res = -1;
+ }
+ return res;
+}
+
+CU_Clean(ddssec_builtin_validate_remote_identity)
+{
+ clear_local_identity();
+ unload_plugins(plugins);
+ return 0;
+}
+
+CU_Test(ddssec_builtin_validate_remote_identity,happy_day_nil_auth_req )
+{
+ DDS_Security_ValidationResult_t result;
+ DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL;
+ DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT;
+ DDS_Security_IdentityToken remote_identity_token;
+ DDS_Security_GUID_t remote_participant_guid;
+ DDS_Security_SecurityException exception = {NULL, 0, 0};
+
+ /* Check if we actually have validate_local_identity function. 
*/
+ CU_ASSERT (auth != NULL);
+ CU_ASSERT (local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT (auth->validate_remote_identity != NULL);
+
+ if (local_identity_handle == DDS_SECURITY_HANDLE_NIL) {
+ return;
+ }
+
+ initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME);
+ set_remote_participant_guid(&remote_participant_guid, 1);
+
+ result = auth->validate_remote_identity(
+ auth,
+ &remote_identity_handle,
+ &local_auth_request_token,
+ NULL,
+ local_identity_handle,
+ &remote_identity_token,
+ &remote_participant_guid,
+ &exception);
+
+ if (result == DDS_SECURITY_VALIDATION_FAILED) {
+ printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+ }
+
+ CU_ASSERT (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST);
+ if (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) {
+ CU_ASSERT (remote_identity_handle != DDS_SECURITY_HANDLE_NIL);
+ CU_ASSERT (check_auth_request_token(&local_auth_request_token, 1));
+ }
+
+ reset_exception(&exception);
+ deinitialize_identity_token(&remote_identity_token);
+ DDS_Security_DataHolder_deinit(&local_auth_request_token);
+
+ if ((result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_REQUEST) ||
+ (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE)) {
+ DDS_Security_boolean success = auth->return_identity_handle(auth, remote_identity_handle, &exception);
+ CU_ASSERT_TRUE (success);
+
+ if (!success) {
+ printf("return_identity_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + reset_exception(&exception); + } +} + +CU_Test(ddssec_builtin_validate_remote_identity,happy_day_with_auth_req ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + /* Check if we actually have validate_local_identity function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 0); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT (remote_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT (check_auth_request_token(&local_auth_request_token, 0)); + + reset_exception(&exception); + deinitialize_identity_token(&remote_identity_token); + DDS_Security_DataHolder_deinit(&remote_auth_request_token); + DDS_Security_DataHolder_deinit(&local_auth_request_token); + + success = auth->return_identity_handle(auth, remote_identity_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); +} + + +CU_Test(ddssec_builtin_validate_remote_identity,invalid_parameters ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + + /* Check if we actually have validate_local_identity function. 
*/ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 1); + + result = auth->validate_remote_identity( + NULL, &remote_identity_handle, &local_auth_request_token, &remote_auth_request_token, + local_identity_handle, &remote_identity_token, &remote_participant_guid, &exception); + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->validate_remote_identity( + auth, NULL, &local_auth_request_token, &remote_auth_request_token, + local_identity_handle, &remote_identity_token, &remote_participant_guid, &exception); + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->validate_remote_identity( + auth, &remote_identity_handle, NULL, &remote_auth_request_token, + local_identity_handle, &remote_identity_token, &remote_participant_guid, &exception); + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->validate_remote_identity( + auth, &remote_identity_handle, &local_auth_request_token, &remote_auth_request_token, + local_identity_handle, NULL, &remote_participant_guid, &exception); + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + result = auth->validate_remote_identity( + auth, &remote_identity_handle, &local_auth_request_token, &remote_auth_request_token, + local_identity_handle, &remote_identity_token, NULL, &exception); + if (result != DDS_SECURITY_VALIDATION_OK) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + reset_exception(&exception); + + DDS_Security_DataHolder_deinit(&remote_auth_request_token); + deinitialize_identity_token(&remote_identity_token); +} + +CU_Test(ddssec_builtin_validate_remote_identity,unknown_local_identity ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle unknown_identity_handle = 0x56; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + + /* Check if we actually have validate_local_identity function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 0); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + unknown_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_remote_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + deinitialize_identity_token(&remote_identity_token); + DDS_Security_DataHolder_deinit(&remote_auth_request_token); +} + + +CU_Test(ddssec_builtin_validate_remote_identity,invalid_remote_identity_token ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + + /* Check if we actually have validate_local_identity function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 0); + + ddsrt_free(remote_identity_token.class_id); + remote_identity_token.class_id = ddsrt_strdup("DDS:Auth:PKI-PH:1.0"); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + ddsrt_free(remote_identity_token.class_id); + remote_identity_token.class_id = ddsrt_strdup("DDS:Auth:PKI-DH:2.0"); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + deinitialize_identity_token(&remote_identity_token); + DDS_Security_DataHolder_deinit(&remote_auth_request_token); +} + + +CU_Test(ddssec_builtin_validate_remote_identity,invalid_auth_req_token ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + unsigned char *futureChallenge; + + /* Check if we actually have validate_local_identity function. 
*/ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 0); + + /* check invalid class_id (empty) string for class_id */ + ddsrt_free(remote_auth_request_token.class_id); + remote_auth_request_token.class_id = ddsrt_strdup(""); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check invalid class_id (NULL) string for class_id */ + ddsrt_free(remote_auth_request_token.class_id); + remote_auth_request_token.class_id = NULL; + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check invalid class_id string for class_id */ + remote_auth_request_token.class_id = ddsrt_strdup("DDS:Auth:PKI-DH:2.0+AuthReq"); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check invalid property name (empty) for future_challenge */ + ddsrt_free(remote_auth_request_token.class_id); + remote_auth_request_token.class_id = ddsrt_strdup(AUTH_REQUEST_TOKEN_CLASS_ID); + ddsrt_free(remote_auth_request_token.binary_properties._buffer[0].name); + remote_auth_request_token.binary_properties._buffer[0].name = ddsrt_strdup(""); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check invalid property name (NULL) for future_challenge */ + ddsrt_free(remote_auth_request_token.binary_properties._buffer[0].name); + remote_auth_request_token.binary_properties._buffer[0].name = NULL; + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check invalid property name for future_challenge */ + ddsrt_free(remote_auth_request_token.binary_properties._buffer[0].name); + remote_auth_request_token.binary_properties._buffer[0].name = ddsrt_strdup("challenge"); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check missing future_challenge property*/ + ddsrt_free(remote_auth_request_token.binary_properties._buffer[0].name); + remote_auth_request_token.binary_properties._buffer[0].name = ddsrt_strdup(AUTH_REQUEST_TOKEN_FUTURE_PROP_NAME); + futureChallenge = remote_auth_request_token.binary_properties._buffer[0].value._buffer; + remote_auth_request_token.binary_properties._buffer[0].value._buffer = NULL; + remote_auth_request_token.binary_properties._buffer[0].value._length = 0; + remote_auth_request_token.binary_properties._buffer[0].value._maximum = 0; + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check incorrect future_challenge property, too small */ + remote_auth_request_token.binary_properties._buffer[0].value._buffer = futureChallenge; + remote_auth_request_token.binary_properties._buffer[0].value._length = 16; + remote_auth_request_token.binary_properties._buffer[0].value._maximum = 32; + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + /* check incorrect future_challenge property: value is NULL */ + remote_auth_request_token.binary_properties._buffer[0].value._buffer = NULL; + remote_auth_request_token.binary_properties._buffer[0].value._length = 32; + remote_auth_request_token.binary_properties._buffer[0].value._maximum = 32; + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + remote_auth_request_token.binary_properties._buffer[0].value._buffer = futureChallenge; + + deinitialize_identity_token(&remote_identity_token); + DDS_Security_DataHolder_deinit(&remote_auth_request_token); +} + +CU_Test(ddssec_builtin_validate_remote_identity,already_validated_same_token ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_IdentityHandle remote_identity_handle2 = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + /* Check if we actually have validate_local_identity function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 0); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT (remote_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT (check_auth_request_token(&local_auth_request_token, 0)); + + reset_exception(&exception); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle2, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT (remote_identity_handle == remote_identity_handle2); + CU_ASSERT (check_auth_request_token(&local_auth_request_token, 0)); + + reset_exception(&exception); + + deinitialize_identity_token(&remote_identity_token); + DDS_Security_DataHolder_deinit(&remote_auth_request_token); + DDS_Security_DataHolder_deinit(&local_auth_request_token); + + success = auth->return_identity_handle(auth, remote_identity_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + reset_exception(&exception); +} + + +CU_Test(ddssec_builtin_validate_remote_identity,already_validated_different_token ) +{ + DDS_Security_ValidationResult_t result; + DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL; + DDS_Security_IdentityHandle remote_identity_handle2 = DDS_SECURITY_HANDLE_NIL; + DDS_Security_AuthRequestMessageToken local_auth_request_token = DDS_SECURITY_TOKEN_INIT; + DDS_Security_AuthRequestMessageToken remote_auth_request_token; + DDS_Security_IdentityToken remote_identity_token; + DDS_Security_IdentityToken remote_identity_token2; + DDS_Security_GUID_t remote_participant_guid; + DDS_Security_SecurityException exception = {NULL, 0, 0}; + DDS_Security_boolean success; + + /* Check if we actually have validate_local_identity function. */ + CU_ASSERT_FATAL (auth != NULL); + CU_ASSERT_FATAL (local_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT_FATAL (auth->validate_remote_identity != NULL); + + initialize_identity_token(&remote_identity_token, RSA_2048_ALGORITHM_NAME, RSA_2048_ALGORITHM_NAME); + fill_auth_request_token(&remote_auth_request_token); + set_remote_participant_guid(&remote_participant_guid, 0); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? 
exception.message : "Error message missing"); + } + + CU_ASSERT_FATAL (result == DDS_SECURITY_VALIDATION_PENDING_HANDSHAKE_MESSAGE); + CU_ASSERT_FATAL (remote_identity_handle != DDS_SECURITY_HANDLE_NIL); + CU_ASSERT (check_auth_request_token(&local_auth_request_token, 0)); + + reset_exception(&exception); + + initialize_identity_token_w_sn( + &remote_identity_token2, + SUBJECT_NAME_IDENTITY_CERT_2, RSA_2048_ALGORITHM_NAME, + SUBJECT_NAME_IDENTITY_CA_2, RSA_2048_ALGORITHM_NAME); + + result = auth->validate_remote_identity( + auth, + &remote_identity_handle2, + &local_auth_request_token, + &remote_auth_request_token, + local_identity_handle, + &remote_identity_token2, + &remote_participant_guid, + &exception); + + if (result == DDS_SECURITY_VALIDATION_FAILED) { + printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + + CU_ASSERT (result == DDS_SECURITY_VALIDATION_FAILED); + CU_ASSERT (exception.minor_code != 0); + CU_ASSERT (exception.message != NULL); + + reset_exception(&exception); + + deinitialize_identity_token(&remote_identity_token); + deinitialize_identity_token(&remote_identity_token2); + DDS_Security_DataHolder_deinit(&remote_auth_request_token); + DDS_Security_DataHolder_deinit(&local_auth_request_token); + + success = auth->return_identity_handle(auth, remote_identity_handle, &exception); + CU_ASSERT_TRUE (success); + + if (!success) { + printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing"); + } + reset_exception(&exception); +} + diff --git a/src/security/core/CMakeLists.txt b/src/security/core/CMakeLists.txt new file mode 100644 index 0000000..69a2ba5 --- /dev/null +++ b/src/security/core/CMakeLists.txt 
@@ -0,0 +1,57 @@
+#
+# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v. 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+# v. 1.0 which is available at
+# http://www.eclipse.org/org/documents/edl-v10.php.
+#
+# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+#
+PREPEND(srcs_security_core "${CMAKE_CURRENT_LIST_DIR}/src"
+ dds_security_serialize.c
+ dds_security_utils.c
+ shared_secret.c
+)
+
+PREPEND(hdrs_public_security_core "${CMAKE_CURRENT_LIST_DIR}/include/security/core"
+ dds_security_core_if.h
+ dds_security_serialize.h
+ dds_security_types.h
+ dds_security_utils.h
+ shared_secret.h
+)
+
+set (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC" )
+set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIC" )
+add_library(security_core INTERFACE)
+
+
+target_sources(security_core
+ INTERFACE
+ ${srcs_security_core}
+
+)
+
+target_include_directories(security_core
+ INTERFACE
+ "$"
+ "$"
+ "$>"
+ "$>"
+)
+#target_link_libraries(security_core PRIVATE ddsrt security_api)
+
+install(
+ DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/include/dds/security/core/"
+ DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/dds/security/core/"
+ COMPONENT dev)
+
+#install(
+# TARGETS security_core
+# EXPORT "${CMAKE_PROJECT_NAME}"
+# RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT lib
+# LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+# ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+#)
diff --git a/src/security/core/include/dds/security/core/dds_security_serialize.h b/src/security/core/include/dds/security/core/dds_security_serialize.h
new file mode 100644
index 0000000..1454d9c
--- /dev/null
+++ b/src/security/core/include/dds/security/core/dds_security_serialize.h
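Review bot: The two `set (CMAKE_CXX_FLAGS ... -fPIC)` / `set (CMAKE_C_FLAGS ... -fPIC)` lines hard-code a GCC/Clang-style flag at directory scope, so it is not portable to toolchains without that option and it applies to whatever targets this directory scope defines rather than to the code that needs it. Because `security_core` is an INTERFACE library whose sources are compiled inside the consuming targets, the requirement is better carried by the target, e.g. `set_property(TARGET security_core PROPERTY INTERFACE_POSITION_INDEPENDENT_CODE ON)`, so the plugins that embed the serializer and shared-secret sources are reliably built position-independent. Separately, `hdrs_public_security_core` is built from `include/security/core` while the `install(DIRECTORY ...)` further down uses `include/dds/security/core/`; the variable is not used anywhere in this hunk, so one of the two paths looks stale.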
@@ -0,0 +1,106 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#ifndef DDS_SECURITY_CDR_SER_H
+#define DDS_SECURITY_CDR_SER_H
+
+#include "dds/export.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_types.h"
+#include "stddef.h"
+
+#if defined (__cplusplus)
+extern "C" {
+#endif
+
+
+
+typedef struct DDS_Security_Serializer *DDS_Security_Serializer;
+typedef struct DDS_Security_Deserializer *DDS_Security_Deserializer;
+
+
+DDS_EXPORT DDS_Security_Serializer
+DDS_Security_Serializer_new(
+ size_t size,
+ size_t increment);
+
+DDS_EXPORT void
+DDS_Security_Serializer_free(
+ DDS_Security_Serializer serializer);
+
+DDS_EXPORT void
+DDS_Security_Serializer_buffer(
+ DDS_Security_Serializer ser,
+ unsigned char **buffer,
+ size_t *size);
+
+DDS_EXPORT void
+DDS_Security_Serialize_PropertySeq(
+ DDS_Security_Serializer serializer,
+ const DDS_Security_PropertySeq *seq);
+
+DDS_EXPORT void
+DDS_Security_Serialize_BinaryPropertyArray(
+ DDS_Security_Serializer serializer,
+ const DDS_Security_BinaryProperty_t **properties,
+ const uint32_t length);
+
+DDS_EXPORT void
+DDS_Security_Serialize_BinaryPropertySeq(
+ DDS_Security_Serializer serializer,
+ const DDS_Security_BinaryPropertySeq *seq);
+
+DDS_EXPORT void
+DDS_Security_Serialize_DataHolderSeq(
+ DDS_Security_Serializer serializer,
+ const DDS_Security_DataHolderSeq *seq);
+
+DDS_EXPORT void
+DDD_Security_Serialize_ParticipantBuiltinTopicData(
+ DDS_Security_Serializer ser,
+ DDS_Security_ParticipantBuiltinTopicData *pdata);
+
+DDS_EXPORT void
+DDD_Security_Serialize_KeyMaterial_AES_GCM_GMAC(
+ DDS_Security_Serializer ser,
+ const DDS_Security_KeyMaterial_AES_GCM_GMAC *data);
+
+DDS_EXPORT DDS_Security_Deserializer
+DDS_Security_Deserializer_new(
+ const unsigned char *data,
+ size_t size);
+
+DDS_EXPORT void
+DDS_Security_Deserializer_free(
+ DDS_Security_Deserializer deserializer);
+
+DDS_EXPORT int
+DDD_Security_Deserialize_ParticipantBuiltinTopicData(
+ DDS_Security_Deserializer deserializer,
+ DDS_Security_ParticipantBuiltinTopicData *pdata,
+ DDS_Security_SecurityException *ex);
+
+DDS_EXPORT void
+DDD_Security_BuiltinTopicKeyBE(
+ DDS_Security_BuiltinTopicKey_t dst,
+ const DDS_Security_BuiltinTopicKey_t src);
+
+DDS_EXPORT int
+DDD_Security_Deserialize_KeyMaterial_AES_GCM_GMAC(
+ DDS_Security_Deserializer dser,
+ DDS_Security_KeyMaterial_AES_GCM_GMAC *data);
+
+#if defined (__cplusplus)
+}
+#endif
+
+#endif /* DDS_SECURITY_CDR_SER_H */
diff --git a/src/security/core/include/dds/security/core/dds_security_types.h b/src/security/core/include/dds/security/core/dds_security_types.h
new file mode 100644
index 0000000..e9748a5
--- /dev/null
+++ b/src/security/core/include/dds/security/core/dds_security_types.h
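Review bot: The two deserialize entry points, `DDD_Security_Deserialize_ParticipantBuiltinTopicData` and `DDD_Security_Deserialize_KeyMaterial_AES_GCM_GMAC`, return a bare `int` with no comment saying which value means success, and the key-material variant has no `DDS_Security_SecurityException *ex` out-parameter like its sibling. These functions parse a caller-supplied byte buffer that presumably originates from a remote participant, so callers need an unambiguous contract; once the implementation's convention is confirmed I would add a comment along the lines of `/* Returns non-zero on success, 0 when the input is truncated or malformed; *data must not be used on failure. */`. `DDS_Security_Serializer_buffer` should likewise state whether the caller takes ownership of `*buffer`. The `DDD_Security_` prefix on five exported functions looks like a typo for `DDS_Security_` and is cheaper to fix before the names become public ABI.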
@@ -0,0 +1,69 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#ifndef DSS_SECURITY_PLUGIN_TYPES_H_
+#define DSS_SECURITY_PLUGIN_TYPES_H_
+
+#include "dds/security/dds_security_api_types.h"
+
+typedef DDS_Security_octet DDS_Security_CryptoTransformKind[4];
+typedef DDS_Security_octet DDS_Security_CryptoTransformKeyId[4];
+
+/* enumeration for CryptoTransformKind.
+ * ds_security_assign_CryptoTransformKind function should be used for assigning to CryptoTransformKind
+ */
+typedef enum
+{
+/* No encryption, no authentication tag */
+ CRYPTO_TRANSFORMATION_KIND_NONE = 0,
+ /* No encryption.
+ One AES128-GMAC authentication tag using the sender_key
+ Zero or more AES128-GMAC auth. tags with receiver specfic keys */
+ CRYPTO_TRANSFORMATION_KIND_AES128_GMAC = 1,
+ /* Authenticated Encryption using AES-128 in Galois Counter Mode
+ (GCM) using the sender key.
+ The authentication tag using the sender_key obtained from GCM
+ Zero or more AES128-GMAC auth. tags with receiver specfic keys */
+ CRYPTO_TRANSFORMATION_KIND_AES128_GCM = 2,
+ /* No encryption.
+ One AES256-GMAC authentication tag using the sender_key
+ Zero or more AES256-GMAC auth. tags with receiver specfic keys */
+ CRYPTO_TRANSFORMATION_KIND_AES256_GMAC = 3,
+ /* Authenticated Encryption using AES-256 in Galois Counter Mode
+ (GCM) using the sender key.
+ The authentication tag using the sender_key obtained from GCM
+ Zero or more AES256-GMAC auth. tags with receiver specfic keys */
+ CRYPTO_TRANSFORMATION_KIND_AES256_GCM = 4,
+
+ /* INVALID ENUM*/
+ CRYPTO_TRANSFORMATION_KIND_INVALID = 127,
+} DDS_Security_CryptoTransformKind_Enum;
+
+typedef struct DDS_Security_KeyMaterial_AES_GCM_GMAC {
+ DDS_Security_CryptoTransformKind transformation_kind;
+ DDS_Security_OctetSeq master_salt; /*size shall be 32*/
+ DDS_Security_CryptoTransformKeyId sender_key_id;
+ DDS_Security_OctetSeq master_sender_key; /*size shall be 32*/
+ DDS_Security_CryptoTransformKeyId receiver_specific_key_id;
+ DDS_Security_OctetSeq master_receiver_specific_key; /*size shall be 32*/
+} DDS_Security_KeyMaterial_AES_GCM_GMAC;
+
+struct CryptoTransformIdentifier {
+ DDS_Security_CryptoTransformKind transformation_kind;
+ DDS_Security_CryptoTransformKeyId transformation_key_id;
+};
+
+/** temporary address decleration until it is ready in ddsrt */
+typedef uintptr_t ddsrt_address; /* word length of the platform */
+
+
+#endif /* DSS_SECURITY_PLUGIN_TYPES_H_ */
diff --git a/src/security/core/include/dds/security/core/dds_security_utils.h b/src/security/core/include/dds/security/core/dds_security_utils.h
new file mode 100644
index 0000000..e2ade89
--- /dev/null
+++ b/src/security/core/include/dds/security/core/dds_security_utils.h
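Review bot: The `/*size shall be 32*/` comments on `master_salt`, `master_sender_key` and `master_receiver_specific_key` read as an exact length, yet the enum in the same hunk also defines the AES128 kinds, for which a 32-byte key would be unexpected. If 32 is an upper bound and the real length follows `transformation_kind`, the comment should say so, e.g. `/* at most 32 octets; length depends on transformation_kind */`, because whoever writes the length check in the key-material deserializer will take it from here. Also, `typedef uintptr_t ddsrt_address;` depends on `<stdint.h>` arriving through `dds_security_api_types.h`; including it directly would keep the header self-contained.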
@@ -0,0 +1,391 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + +#ifndef DSCMN_SECURITY_UTILS_H_ +#define DSCMN_SECURITY_UTILS_H_ + +#include "dds/export.h" +#include +#include +#include +#include "dds/security/core/dds_security_types.h" +#include "dds/security/dds_security_api.h" + +typedef DDS_Security_long_long DDS_Security_Handle; +typedef DDS_Security_LongLongSeq DDS_Security_HandleSeq; + +#define DDS_SECURITY_SEQUENCE_INIT {0, 0, NULL} +#define DDS_SECURITY_TOKEN_INIT {NULL, DDS_SECURITY_SEQUENCE_INIT, DDS_SECURITY_SEQUENCE_INIT} + + +typedef enum { + DDS_SECURITY_CONFIG_ITEM_PREFIX_UNKNOWN, + DDS_SECURITY_CONFIG_ITEM_PREFIX_FILE, + DDS_SECURITY_CONFIG_ITEM_PREFIX_DATA, + DDS_SECURITY_CONFIG_ITEM_PREFIX_PKCS11 +} DDS_Security_config_item_prefix_t; + + +DDS_EXPORT DDS_Security_BinaryProperty_t * +DDS_Security_BinaryProperty_alloc( + void); + +DDS_EXPORT void +DDS_Security_BinaryProperty_deinit( + DDS_Security_BinaryProperty_t *p); + +DDS_EXPORT void +DDS_Security_BinaryProperty_free( + DDS_Security_BinaryProperty_t *p); + +DDS_EXPORT void +DDS_Security_BinaryProperty_copy( + DDS_Security_BinaryProperty_t *dst, + DDS_Security_BinaryProperty_t *src); + +DDS_EXPORT bool +DDS_Security_BinaryProperty_equal( + DDS_Security_BinaryProperty_t *pa, + DDS_Security_BinaryProperty_t *pb); + +DDS_EXPORT void +DDS_Security_BinaryProperty_set_by_value( + DDS_Security_BinaryProperty_t *bp, + const char *name, + const unsigned char *data, + uint32_t length); + +DDS_EXPORT void +DDS_Security_BinaryProperty_set_by_string( + DDS_Security_BinaryProperty_t *bp, + const char *name, + 
const char *data); + +DDS_EXPORT void +DDS_Security_BinaryProperty_set_by_ref( + DDS_Security_BinaryProperty_t *bp, + const char *name, + unsigned char *data, + uint32_t length); + +DDS_EXPORT DDS_Security_BinaryPropertySeq * +DDS_Security_BinaryPropertySeq_alloc( + void); + +DDS_EXPORT DDS_Security_BinaryProperty_t * +DDS_Security_BinaryPropertySeq_allocbuf( + DDS_Security_unsigned_long len); + +DDS_EXPORT void +DDS_Security_BinaryPropertySeq_deinit( + DDS_Security_BinaryPropertySeq *seq); + +DDS_EXPORT void +DDS_Security_BinaryPropertySeq_free( + DDS_Security_BinaryPropertySeq *seq); + +DDS_EXPORT DDS_Security_Property_t * +DDS_Security_Property_alloc( + void); + +DDS_EXPORT void +DDS_Security_Property_free( + DDS_Security_Property_t *p); + +DDS_EXPORT void +DDS_Security_Property_deinit( + DDS_Security_Property_t *p); + +DDS_EXPORT void +DDS_Security_Property_copy( + DDS_Security_Property_t *dst, + DDS_Security_Property_t *src); + +DDS_EXPORT bool +DDS_Security_Property_equal( + DDS_Security_Property_t *pa, + DDS_Security_Property_t *pb); + +DDS_EXPORT char * +DDS_Security_Property_get_value( + const DDS_Security_PropertySeq *properties, + const char *name); + +DDS_EXPORT DDS_Security_PropertySeq * +DDS_Security_PropertySeq_alloc( + void); + +DDS_EXPORT DDS_Security_Property_t * +DDS_Security_PropertySeq_allocbuf( + DDS_Security_unsigned_long len); + +DDS_EXPORT void +DDS_Security_PropertySeq_freebuf( + DDS_Security_PropertySeq *seq); + +DDS_EXPORT void +DDS_Security_PropertySeq_free( + DDS_Security_PropertySeq *seq); + +DDS_EXPORT void +DDS_Security_PropertySeq_deinit( + DDS_Security_PropertySeq *seq); + +DDS_EXPORT const DDS_Security_Property_t * +DDS_Security_PropertySeq_find_property ( + const DDS_Security_PropertySeq *property_seq, + const char *name ); + +DDS_EXPORT DDS_Security_DataHolder * +DDS_Security_DataHolder_alloc( + void); + +DDS_EXPORT void +DDS_Security_DataHolder_free( + DDS_Security_DataHolder *holder); + +DDS_EXPORT void 
+DDS_Security_DataHolder_deinit( + DDS_Security_DataHolder *holder); + +DDS_EXPORT void +DDS_Security_DataHolder_copy( + DDS_Security_DataHolder *dst, + const DDS_Security_DataHolder *src); + +DDS_EXPORT bool +DDS_Security_DataHolder_equal( + const DDS_Security_DataHolder *psa, + const DDS_Security_DataHolder *psb); + +DDS_EXPORT const DDS_Security_Property_t * +DDS_Security_DataHolder_find_property( + const DDS_Security_DataHolder *holder, + const char *name); + +DDS_EXPORT const DDS_Security_BinaryProperty_t * +DDS_Security_DataHolder_find_binary_property( + const DDS_Security_DataHolder *holder, + const char *name); + +DDS_EXPORT DDS_Security_DataHolderSeq * +DDS_Security_DataHolderSeq_alloc( + void); + +DDS_EXPORT DDS_Security_DataHolder * +DDS_Security_DataHolderSeq_allocbuf( + DDS_Security_unsigned_long len); + +DDS_EXPORT void +DDS_Security_DataHolderSeq_freebuf( + DDS_Security_DataHolderSeq *seq); + +DDS_EXPORT void +DDS_Security_DataHolderSeq_free( + DDS_Security_DataHolderSeq *seq); + +DDS_EXPORT void +DDS_Security_DataHolderSeq_deinit( + DDS_Security_DataHolderSeq *seq); + +DDS_EXPORT void +DDS_Security_DataHolderSeq_copy( + DDS_Security_DataHolderSeq *dst, + const DDS_Security_DataHolderSeq *src); + +DDS_EXPORT DDS_Security_ParticipantBuiltinTopicData * +DDS_Security_ParticipantBuiltinTopicData_alloc( + void); + +DDS_EXPORT void +DDS_Security_ParticipantBuiltinTopicData_free( + DDS_Security_ParticipantBuiltinTopicData *data); + +DDS_EXPORT void +DDS_Security_ParticipantBuiltinTopicData_deinit( + DDS_Security_ParticipantBuiltinTopicData *data); + +DDS_EXPORT DDS_Security_OctetSeq * +DDS_Security_OctetSeq_alloc( + void); + +DDS_EXPORT DDS_Security_octet * +DDS_Security_OctetSeq_allocbuf( + DDS_Security_unsigned_long len); + +DDS_EXPORT void +DDS_Security_OctetSeq_freebuf( + DDS_Security_OctetSeq *seq); + +DDS_EXPORT void +DDS_Security_OctetSeq_free( + DDS_Security_OctetSeq *seq); + +DDS_EXPORT void +DDS_Security_OctetSeq_deinit( + DDS_Security_OctetSeq 
*seq); + +DDS_EXPORT void +DDS_Security_OctetSeq_copy( + DDS_Security_OctetSeq *dst, + const DDS_Security_OctetSeq *src); + +DDS_EXPORT DDS_Security_HandleSeq * +DDS_Security_HandleSeq_alloc( + void); + +DDS_EXPORT DDS_Security_long_long * +DDS_Security_HandleSeq_allocbuf( + DDS_Security_unsigned_long length); + +DDS_EXPORT void +DDS_Security_HandleSeq_freebuf( + DDS_Security_HandleSeq *seq); + +DDS_EXPORT void +DDS_Security_HandleSeq_free( + DDS_Security_HandleSeq *seq); + +DDS_EXPORT void +DDS_Security_HandleSeq_deinit( + DDS_Security_HandleSeq *seq); + +DDS_EXPORT void +DDS_Security_Exception_set( + DDS_Security_SecurityException *ex, + const char *context, + int code, + int minor_code, + const char *fmt, + ...); + + +#if DDSI_INCLUDE_SSL +DDS_EXPORT void +DDS_Security_Exception_set_with_openssl_error( + DDS_Security_SecurityException *ex, + const char *context, + int code, + int minor_code, + const char *fmt); + +#endif + +DDS_EXPORT void +DDS_Security_Exception_reset( + DDS_Security_SecurityException *ex); + +DDS_EXPORT void +DDS_Security_Exception_clean( + DDS_Security_SecurityException *ex); + +DDS_EXPORT void +DDS_Security_PropertyQosPolicy_deinit( + DDS_Security_PropertyQosPolicy *policy); + +DDS_EXPORT void +DDS_Security_PropertyQosPolicy_free( + DDS_Security_PropertyQosPolicy *policy); + +DDS_EXPORT void +DDS_Security_set_token_nil( + DDS_Security_DataHolder *token); + +DDS_EXPORT void +DDS_Security_KeyMaterial_AES_GCM_GMAC_deinit( + DDS_Security_KeyMaterial_AES_GCM_GMAC *key_material); + +DDS_EXPORT DDS_Security_CryptoTransformKind_Enum +DDS_Security_basicprotectionkind2transformationkind( + const DDS_Security_PropertySeq *properties, + DDS_Security_BasicProtectionKind protection); + +DDS_EXPORT DDS_Security_CryptoTransformKind_Enum +DDS_Security_protectionkind2transformationkind( + const DDS_Security_PropertySeq *properties, + DDS_Security_ProtectionKind protection); + +DDS_EXPORT DDS_Security_config_item_prefix_t +DDS_Security_get_conf_item_type( + 
const char *str, + char **data); + +DDS_EXPORT char * +DDS_Security_normalize_file( + const char *filepath); + +/** + * \brief Find first occurrence of character in null terminated string + * + * @param str String to search for given characters + * @param chrs Characters to search for in string + * @param inc true to find first character included in given characters, + * false to find first character not included. + * @return Pointer to first occurrence of character in string, or NULL + */ + +DDS_EXPORT char * +ddssec_strchrs ( + const char *str, + const char *chrs, + bool inc); + + +#define DDS_Security_ParticipantCryptoTokenSeq_alloc() \ + (DDS_Security_ParticipantCryptoTokenSeq *)DDS_Security_DataHolderSeq_alloc()) +#define DDS_Security_ParticipantCryptoTokenSeq_freebuf(s) \ + DDS_Security_DataHolderSeq_freebuf((DDS_Security_DataHolderSeq *)(s)) +#define DDS_Security_ParticipantCryptoTokenSeq_free(s) \ + DDS_Security_DataHolderSeq_free((DDS_Security_DataHolderSeq *)(s)) +#define DDS_Security_ParticipantCryptoTokenSeq_deinit(s) \ + DDS_Security_DataHolderSeq_deinit((DDS_Security_DataHolderSeq *)(s)) +#define DDS_Security_ParticipantCryptoTokenSeq_copy(d,s) \ + DDS_Security_DataHolderSeq_copy((DDS_Security_DataHolderSeq *)(d), (const DDS_Security_DataHolderSeq *)(s)) + + +#define DDS_Security_ParticipantCryptoHandleSeq_alloc() (DDS_Security_ParticipantCryptoHandleSeq*)DDS_Security_HandleSeq_alloc() +#define DDS_Security_ParticipantCryptoHandleSeq_allocbuf(l) DDS_Security_HandleSeq_allocbuf(l) +#define DDS_Security_ParticipantCryptoHandleSeq_freebuf(s) DDS_Security_HandleSeq_freebuf((DDS_Security_HandleSeq*)s) +#define DDS_Security_ParticipantCryptoHandleSeq_free(s) DDS_Security_HandleSeq_free((DDS_Security_HandleSeq*)s) +#define DDS_Security_ParticipantCryptoHandleSeq_deinit(s) DDS_Security_HandleSeq_deinit((DDS_Security_HandleSeq*)s) + +#define DDS_Security_DatawriterCryptoHandleSeq_alloc() (DDS_Security_DatawriterCryptoHandleSeq*)DDS_Security_HandleSeq_alloc() 
+#define DDS_Security_DatawriterCryptoHandleSeq_allocbuf(l) DDS_Security_HandleSeq_allocbuf(l) +#define DDS_Security_DatawriterCryptoHandleSeq_freebuf(s) DDS_Security_HandleSeq_freebuf((DDS_Security_HandleSeq*)s) +#define DDS_Security_DatawriterCryptoHandleSeq_free(s) DDS_Security_HandleSeq_free((DDS_Security_HandleSeq*)s) +#define DDS_Security_DatawriterCryptoHandleSeq_deinit(s) DDS_Security_HandleSeq_deinit((DDS_Security_HandleSeq*)s) + +#define DDS_Security_DatareaderCryptoHandleSeq_alloc() (DDS_Security_DatareaderCryptoHandleSeq*)DDS_Security_HandleSeq_alloc() +#define DDS_Security_DatareaderCryptoHandleSeq_allocbuf(l) DDS_Security_HandleSeq_allocbuf(l) +#define DDS_Security_DatareaderCryptoHandleSeq_freebuf(s) DDS_Security_HandleSeq_freebuf((DDS_Security_HandleSeq*)s) +#define DDS_Security_DatareaderCryptoHandleSeq_free(s) DDS_Security_HandleSeq_free((DDS_Security_HandleSeq*)s) +#define DDS_Security_DatareaderCryptoHandleSeq_deinit(s) DDS_Security_HandleSeq_deinit((DDS_Security_HandleSeq*)s) + +#define DDS_Security_CryptoTokenSeq_alloc() (DDS_Security_CryptoTokenSeq*)DDS_Security_DataHolderSeq_alloc() +#define DDS_Security_CryptoTokenSeq_allocbuf(l) DDS_Security_DataHolderSeq_allocbuf(l) +#define DDS_Security_CryptoTokenSeq_freebuf(s) DDS_Security_DataHolderSeq_freebuf((DDS_Security_CryptoTokenSeq*)s) +#define DDS_Security_CryptoTokenSeq_free(s) DDS_Security_DataHolderSeq_free((DDS_Security_CryptoTokenSeq*)s) + + +/* for DEBUG purposes */ +DDS_EXPORT void +print_binary_debug( + char* name, + unsigned char *value, + uint32_t size); + +DDS_EXPORT void +print_binary_properties_debug( + const DDS_Security_DataHolder *token); + + +#endif /* DSCMN_SECURITY_UTILS_H_ */ diff --git a/src/security/core/include/dds/security/core/shared_secret.h b/src/security/core/include/dds/security/core/shared_secret.h new file mode 100644 index 0000000..e0262d7 --- /dev/null +++ b/src/security/core/include/dds/security/core/shared_secret.h 
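Review bot: `DDS_Security_ParticipantCryptoTokenSeq_alloc()` expands to an expression with one more `)` than `(`, so its first use will not compile; drop the trailing parenthesis: `(DDS_Security_ParticipantCryptoTokenSeq *)DDS_Security_DataHolderSeq_alloc()`. The `*CryptoHandleSeq_*` and `CryptoTokenSeq_*` wrappers below it cast an unparenthesised argument (`(DDS_Security_HandleSeq*)s`), unlike the `ParticipantCryptoTokenSeq` wrappers that use `(s)`; write `(DDS_Security_HandleSeq*)(s)` throughout so an expression argument is cast as a whole. Separately, `print_binary_debug` and `print_binary_properties_debug` are exported unconditionally although marked "for DEBUG purposes"; since the tokens passed to them may carry key material, consider declaring both only in debug builds, e.g. under `#ifndef NDEBUG`.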
@@ -0,0 +1,40 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+
+#ifndef SRC_SECURITY_CORE_INCLUDE_SHARED_SECRET_HANDLE_H_
+#define SRC_SECURITY_CORE_INCLUDE_SHARED_SECRET_HANDLE_H_
+
+#include "dds/export.h"
+#include
+#include "dds/security/dds_security_api.h"
+
+
+typedef struct DDS_Security_SharedSecretHandleImpl {
+
+ DDS_Security_octet* shared_secret;
+ DDS_Security_long shared_secret_size;
+ DDS_Security_octet challenge1[DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE];
+ DDS_Security_octet challenge2[DDS_SECURITY_AUTHENTICATION_CHALLENGE_SIZE];
+
+} DDS_Security_SharedSecretHandleImpl;
+
+DDS_EXPORT const DDS_Security_octet* get_challenge1_from_secret_handle( DDS_Security_SharedSecretHandle handle);
+
+DDS_EXPORT const DDS_Security_octet* get_challenge2_from_secret_handle( DDS_Security_SharedSecretHandle handle );
+
+DDS_EXPORT const DDS_Security_octet* get_secret_from_secret_handle( DDS_Security_SharedSecretHandle handle );
+
+DDS_EXPORT int32_t get_secret_size_from_secret_handle( DDS_Security_SharedSecretHandle handle );
+
+#endif /* SRC_SECURITY_CORE_INCLUDE_SHARED_SECRET_H_ */
+
diff --git a/src/security/core/src/dds_security_serialize.c b/src/security/core/src/dds_security_serialize.c
new file mode 100644
index 0000000..afa9733
--- /dev/null
+++ b/src/security/core/src/dds_security_serialize.c
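Review bot: The four accessors are exported without any statement of their contract: the header does not say what they return for a nil or stale `DDS_Security_SharedSecretHandle`, who owns the returned pointers, or how long they stay valid. The secret length is also carried as a signed value (`DDS_Security_long shared_secret_size`, returned as `int32_t`), so a caller that passes it straight to `memcpy` or an allocation must first reject values `<= 0`. I would add a comment above the declarations along the lines of `/* Returned pointers are owned by the handle and valid until it is released; return NULL / 0 for a nil handle. */`, adjusted to what the implementation (not in this hunk) really does, and note on `shared_secret` that the buffer should be wiped before it is freed. The closing `#endif` comment names `..._SHARED_SECRET_H_` while the guard is `..._SHARED_SECRET_HANDLE_H_`.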
@@ -0,0 +1,813 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + + +#include +#include +#include "dds/ddsrt/heap.h" +#include "dds/ddsrt/atomics.h" +#include "dds/ddsrt/string.h" + +#include "dds/security/core/dds_security_serialize.h" +#include "dds/security/core/dds_security_utils.h" +#include "dds/ddsrt/endian.h" +#include "dds/ddsrt/bswap.h" + + +#define BYTE_ORDER_BIG_ENDIAN 0x02 +#define BYTE_ORDER_LITTLE_ENDIAN 0x03 + +#define PID_PAD 0x0u +#define PID_SENTINEL 0x1u +#define PID_USER_DATA 0x2cu +#define PID_TOPIC_NAME 0x5u +#define PID_TYPE_NAME 0x7u +#define PID_GROUP_DATA 0x2du +#define PID_TOPIC_DATA 0x2eu +#define PID_DURABILITY 0x1du +#define PID_DURABILITY_SERVICE 0x1eu +#define PID_DEADLINE 0x23u +#define PID_LATENCY_BUDGET 0x27u +#define PID_LIVELINESS 0x1bu +#define PID_RELIABILITY 0x1au +#define PID_LIFESPAN 0x2bu +#define PID_DESTINATION_ORDER 0x25u +#define PID_HISTORY 0x40u +#define PID_RESOURCE_LIMITS 0x41u +#define PID_OWNERSHIP 0x1fu +#define PID_OWNERSHIP_STRENGTH 0x6u +#define PID_PRESENTATION 0x21u +#define PID_PARTITION 0x29u +#define PID_TIME_BASED_FILTER 0x4u +#define PID_TRANSPORT_PRIORITY 0x49u +#define PID_PROTOCOL_VERSION 0x15u +#define PID_VENDORID 0x16u +#define PID_UNICAST_LOCATOR 0x2fu +#define PID_MULTICAST_LOCATOR 0x30u +#define PID_MULTICAST_IPADDRESS 0x11u +#define PID_DEFAULT_UNICAST_LOCATOR 0x31u +#define PID_DEFAULT_MULTICAST_LOCATOR 0x48u +#define PID_METATRAFFIC_UNICAST_LOCATOR 0x32u +#define PID_METATRAFFIC_MULTICAST_LOCATOR 0x33u +#define PID_DEFAULT_UNICAST_IPADDRESS 0xcu +#define PID_DEFAULT_UNICAST_PORT 0xeu +#define 
PID_METATRAFFIC_UNICAST_IPADDRESS 0x45u +#define PID_METATRAFFIC_UNICAST_PORT 0xdu +#define PID_METATRAFFIC_MULTICAST_IPADDRESS 0xbu +#define PID_METATRAFFIC_MULTICAST_PORT 0x46u +#define PID_EXPECTS_INLINE_QOS 0x43u +#define PID_PARTICIPANT_MANUAL_LIVELINESS_COUNT 0x34u +#define PID_PARTICIPANT_BUILTIN_ENDPOINTS 0x44u +#define PID_PARTICIPANT_LEASE_DURATION 0x2u +#define PID_CONTENT_FILTER_PROPERTY 0x35u +#define PID_PARTICIPANT_GUID 0x50u +#define PID_PARTICIPANT_ENTITYID 0x51u +#define PID_GROUP_GUID 0x52u +#define PID_GROUP_ENTITYID 0x53u +#define PID_BUILTIN_ENDPOINT_SET 0x58u +#define PID_PROPERTY_LIST 0x59u +#define PID_TYPE_MAX_SIZE_SERIALIZED 0x60u +#define PID_ENTITY_NAME 0x62u +#define PID_KEYHASH 0x70u +#define PID_STATUSINFO 0x71u +#define PID_CONTENT_FILTER_INFO 0x55u +#define PID_COHERENT_SET 0x56u +#define PID_DIRECTED_WRITE 0x57u +#define PID_ORIGINAL_WRITER_INFO 0x61u +#define PID_ENDPOINT_GUID 0x5au + +/* Security related PID values. */ +#define PID_IDENTITY_TOKEN 0x1001u +#define PID_PERMISSIONS_TOKEN 0x1002u +#define PID_ENDPOINT_SECURITY_INFO 0x1004u +#define PID_PARTICIPANT_SECURITY_INFO 0x1005u +#define PID_IDENTITY_STATUS_TOKEN 0x1006u + + +struct DDS_Security_Serializer { + unsigned char *buffer; + size_t size; + size_t offset; + size_t increment; + size_t marker; +}; + +struct DDS_Security_Deserializer { + const unsigned char *buffer; + const unsigned char *cursor; + size_t size; + size_t remain; +}; + + +static size_t +alignup_size ( + size_t x, + size_t a) +{ + size_t m = a-1; + return (x+m) & ~m; +} + +static size_t +alignup_ptr( + const unsigned char *ptr, + size_t a) +{ + size_t m = (a - 1); + size_t x = (size_t) ptr; + return ((x+m) & ~m) - x; +} + +DDS_Security_Serializer +DDS_Security_Serializer_new( + size_t size, + size_t increment) +{ + DDS_Security_Serializer serializer; + + serializer = ddsrt_malloc(sizeof(*serializer)); + serializer->buffer = ddsrt_malloc(size); + serializer->size = size; + serializer->increment = increment; 
+ serializer->offset = 0; + + return serializer; +} + +void +DDS_Security_Serializer_free( + DDS_Security_Serializer ser) +{ + if (ser) { + ddsrt_free(ser->buffer); + ddsrt_free(ser); + } +} + +void +DDS_Security_Serializer_buffer( + DDS_Security_Serializer ser, + unsigned char **buffer, + size_t *size) +{ + assert(ser); + assert(buffer); + assert(size); + + *buffer = ser->buffer; + *size = ser->offset; + ser->buffer = NULL; +} + +static void +serbuffer_adjust_size( + DDS_Security_Serializer ser, + size_t needed) +{ + if (ser->size - ser->offset < needed) { + ser->buffer = ddsrt_realloc(ser->buffer, ser->size + needed + ser->increment); + ser->size += needed + ser->increment; + } +} + +static void +serbuffer_align( + DDS_Security_Serializer ser, + size_t alignment) +{ + size_t offset, i; + + offset = alignup_size(ser->offset, alignment); + serbuffer_adjust_size(ser, offset-ser->offset); + for (i = 0; i < offset - ser->offset; i++) { + ser->buffer[ser->offset+i] = 0; + } + ser->offset = offset; +} + +static void +DDS_Security_Serialize_mark_len( + DDS_Security_Serializer ser) +{ + serbuffer_align(ser, 2); + serbuffer_adjust_size(ser, 2); + ser->marker = ser->offset; + ser->offset += 2; +} + +static void +DDS_Security_Serialize_update_len( + DDS_Security_Serializer ser) +{ + unsigned short len; + + len = (unsigned short)(ser->offset - ser->marker - sizeof(unsigned short)); + *(unsigned short *)&(ser->buffer[ser->marker]) = ddsrt_toBE2u(len); +} + +static void +DDS_Security_Serialize_uint16( + DDS_Security_Serializer ser, + unsigned short value) +{ + serbuffer_align(ser, sizeof(unsigned short)); + serbuffer_adjust_size(ser, sizeof(unsigned short)); + + *(unsigned short *)&(ser->buffer[ser->offset]) = ddsrt_toBE2u(value); + ser->offset += sizeof(unsigned short); +} + +static void +DDS_Security_Serialize_uint32_t( + DDS_Security_Serializer ser, + uint32_t value) +{ + serbuffer_align(ser, sizeof(uint32_t)); + serbuffer_adjust_size(ser, sizeof(uint32_t)); + + *(uint32_t 
*)&(ser->buffer[ser->offset]) = ddsrt_toBE4u(value); + ser->offset += sizeof(uint32_t); +} + +static void +DDS_Security_Serialize_string( + DDS_Security_Serializer ser, + const char *str) +{ + size_t len; + + len = strlen(str) + 1; + + DDS_Security_Serialize_uint32_t(ser, (uint32_t)len); + serbuffer_adjust_size(ser, len ); + + memcpy(&(ser->buffer[ser->offset]), str, len); + ser->offset += len; + serbuffer_align(ser, sizeof(uint32_t)); +} + +static void +DDS_Security_Serialize_Property( + DDS_Security_Serializer ser, + const DDS_Security_Property_t *property) +{ + DDS_Security_Serialize_string(ser, property->name); + DDS_Security_Serialize_string(ser, property->value); +} + +static void +DDS_Security_Serialize_OctetSeq( + DDS_Security_Serializer ser, + const DDS_Security_OctetSeq *seq) +{ + DDS_Security_Serialize_uint32_t(ser, seq->_length); + serbuffer_adjust_size(ser, seq->_length); + memcpy(&(ser->buffer[ser->offset]), seq->_buffer, seq->_length); + ser->offset += seq->_length; +} + +static void +DDS_Security_Serialize_BinaryProperty( + DDS_Security_Serializer ser, + const DDS_Security_BinaryProperty_t *property) +{ + DDS_Security_Serialize_string(ser, property->name); + DDS_Security_Serialize_OctetSeq(ser, &property->value); +} + +void +DDS_Security_Serialize_PropertySeq( + DDS_Security_Serializer ser, + const DDS_Security_PropertySeq *seq) +{ + uint32_t i; + + DDS_Security_Serialize_uint32_t(ser, seq->_length); + for (i = 0; i < seq->_length; i++) { + DDS_Security_Serialize_Property(ser, &seq->_buffer[i]); + } +} + +void +DDS_Security_Serialize_BinaryPropertyArray( + DDS_Security_Serializer serializer, + const DDS_Security_BinaryProperty_t **properties, + const uint32_t propertyLength) +{ + uint32_t i; + + DDS_Security_Serialize_uint32_t(serializer, propertyLength); + for (i = 0; i < propertyLength ; i++) { + DDS_Security_Serialize_BinaryProperty(serializer, properties[i]); + } +} + +void +DDS_Security_Serialize_BinaryPropertySeq( + DDS_Security_Serializer 
serializer, + const DDS_Security_BinaryPropertySeq *seq) +{ + uint32_t i; + + DDS_Security_Serialize_uint32_t(serializer, seq->_length); + for (i = 0; i < seq->_length; i++) { + DDS_Security_Serialize_BinaryProperty(serializer, &seq->_buffer[i]); + } +} + + +static void +DDS_Security_Serialize_DataHolder( + DDS_Security_Serializer ser, + const DDS_Security_DataHolder *holder) +{ + DDS_Security_Serialize_string(ser, holder->class_id); + DDS_Security_Serialize_PropertySeq(ser, &holder->properties); + DDS_Security_Serialize_BinaryPropertySeq(ser, &holder->binary_properties); +} + + +static void +DDS_Security_Serialize_BuiltinTopicKey( + DDS_Security_Serializer ser, + DDS_Security_BuiltinTopicKey_t key) +{ + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_PARTICIPANT_GUID); + DDS_Security_Serialize_uint16(ser, 16); + DDS_Security_Serialize_uint32_t(ser, key[0]); + DDS_Security_Serialize_uint32_t(ser, key[1]); + DDS_Security_Serialize_uint32_t(ser, key[2]); + /* 4 Bytes are expected for whatever reason (gid vs guid?). 
*/ + DDS_Security_Serialize_uint32_t(ser, 0); +} + +static void +DDS_Security_Serialize_UserDataQosPolicy( + DDS_Security_Serializer ser, + DDS_Security_OctetSeq *seq) +{ + if (seq->_length > 0) { + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_USER_DATA); + DDS_Security_Serialize_uint16(ser, (unsigned short)seq->_length); + DDS_Security_Serialize_OctetSeq(ser, seq); + } +} + +static void +DDS_Security_Serialize_IdentityToken( + DDS_Security_Serializer ser, + DDS_Security_IdentityToken *token) +{ + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_IDENTITY_TOKEN); + DDS_Security_Serialize_mark_len(ser); + DDS_Security_Serialize_DataHolder(ser, token); + DDS_Security_Serialize_update_len(ser); +} + +static void +DDS_Security_Serialize_PermissionsToken( + DDS_Security_Serializer ser, + DDS_Security_PermissionsToken *token) +{ + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_PERMISSIONS_TOKEN); + DDS_Security_Serialize_mark_len(ser); + DDS_Security_Serialize_DataHolder(ser, token); + DDS_Security_Serialize_update_len(ser); +} + +static void +DDS_Security_Serialize_PropertyQosPolicy( + DDS_Security_Serializer ser, + DDS_Security_PropertyQosPolicy *policy) +{ + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_PROPERTY_LIST); + DDS_Security_Serialize_mark_len(ser); + DDS_Security_Serialize_PropertySeq(ser, &policy->value); + DDS_Security_Serialize_BinaryPropertySeq(ser, &policy->binary_value); + DDS_Security_Serialize_update_len(ser); +} + +static void +DDS_Security_Serialize_ParticipantSecurityInfo( + DDS_Security_Serializer ser, + DDS_Security_ParticipantSecurityInfo *info) +{ + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_PARTICIPANT_SECURITY_INFO); + DDS_Security_Serialize_uint16(ser, 8); + DDS_Security_Serialize_uint32_t(ser, info->participant_security_attributes); + 
DDS_Security_Serialize_uint32_t(ser, info->plugin_participant_security_attributes); +} + + +void +DDD_Security_Serialize_ParticipantBuiltinTopicData( + DDS_Security_Serializer ser, + DDS_Security_ParticipantBuiltinTopicData *pdata) +{ + DDS_Security_Serialize_BuiltinTopicKey(ser, pdata->key); + DDS_Security_Serialize_UserDataQosPolicy(ser, &pdata->user_data.value); + DDS_Security_Serialize_IdentityToken(ser, &pdata->identity_token); + DDS_Security_Serialize_PermissionsToken(ser, &pdata->permissions_token); + DDS_Security_Serialize_PropertyQosPolicy(ser, &pdata->property); + DDS_Security_Serialize_ParticipantSecurityInfo(ser, &pdata->security_info); + serbuffer_align(ser, sizeof(uint32_t)); + DDS_Security_Serialize_uint16(ser, PID_SENTINEL); + DDS_Security_Serialize_uint16(ser, 0); +} + +static void +DDD_Security_Serialize_OctetArray( + DDS_Security_Serializer ser, + const DDS_Security_octet *data, + uint32_t length) +{ + serbuffer_adjust_size(ser, length); + memcpy(&ser->buffer[ser->offset], data, length); + ser->offset += length; +} + +void +DDD_Security_Serialize_KeyMaterial_AES_GCM_GMAC( + DDS_Security_Serializer ser, + const DDS_Security_KeyMaterial_AES_GCM_GMAC *data) +{ + DDD_Security_Serialize_OctetArray(ser, data->transformation_kind, sizeof(data->transformation_kind)); + DDS_Security_Serialize_OctetSeq(ser, &data->master_salt); + DDD_Security_Serialize_OctetArray(ser, data->sender_key_id, sizeof(data->sender_key_id)); + DDS_Security_Serialize_OctetSeq(ser, &data->master_sender_key); + DDD_Security_Serialize_OctetArray(ser, data->receiver_specific_key_id, sizeof(data->receiver_specific_key_id)); + DDS_Security_Serialize_OctetSeq(ser, &data->master_receiver_specific_key); +} + + +DDS_Security_Deserializer +DDS_Security_Deserializer_new( + const unsigned char *data, + size_t size) +{ + DDS_Security_Deserializer deserializer; + + deserializer = ddsrt_malloc(sizeof(*deserializer)); + + deserializer->buffer = data; + deserializer->cursor = data; + 
deserializer->size = size; + deserializer->remain = size; + + return deserializer; +} + +void +DDS_Security_Deserializer_free( + DDS_Security_Deserializer dser) +{ + ddsrt_free(dser); +} + +static void +DDS_Security_Deserialize_align( + DDS_Security_Deserializer dser, + size_t size) +{ + size_t l = alignup_ptr(dser->cursor, size); + + if (dser->remain >= l) { + dser->cursor += l; + dser->remain -= l; + } else { + dser->remain = 0; + } +} + +static int +DDS_Security_Deserialize_uint16( + DDS_Security_Deserializer dser, + unsigned short *value) +{ + size_t l = sizeof(unsigned short); + + DDS_Security_Deserialize_align(dser, l); + + if (dser->remain < l) { + return 0; + } + *value = ddsrt_fromBE2u(*(unsigned short *)dser->cursor); + dser->cursor += l; + dser->remain -= l; + + return 1; +} + +static int +DDS_Security_Deserialize_uint32_t( + DDS_Security_Deserializer dser, + uint32_t *value) +{ + size_t l = sizeof(uint32_t); + + DDS_Security_Deserialize_align(dser, l); + + if (dser->remain < l) { + return 0; + } + *value = ddsrt_fromBE4u(*(uint32_t *)dser->cursor); + dser->cursor += l; + dser->remain -= l; + + return 1; +} + +static int +DDS_Security_Deserialize_string( + DDS_Security_Deserializer dser, + char **value) +{ + uint32_t len; + size_t sz; + + if (!DDS_Security_Deserialize_uint32_t(dser, &len)) { + return 0; + } + + sz = (size_t)len; + + if (dser->remain < sz) { + return 0; + } + + if (sz > 0 && (dser->cursor[sz-1] == 0)) { + *value = ddsrt_strdup((char *)dser->cursor); + /* Consider padding */ + sz = alignup_size(sz, sizeof(uint32_t)); + dser->cursor += sz; + dser->remain -= sz; + } else { + *value = ddsrt_strdup(""); + } + return 1; +} + +static int +DDS_Security_Deserialize_OctetArray( + DDS_Security_Deserializer dser, + unsigned char *arr, + uint32_t length) +{ + if (dser->remain < length) { + return 0; + } + memcpy(arr, dser->cursor, length); + dser->cursor += length; + dser->remain -= length; + + return 1; +} + +static int 
+DDS_Security_Deserialize_OctetSeq( + DDS_Security_Deserializer dser, + DDS_Security_OctetSeq *seq) +{ + if (!DDS_Security_Deserialize_uint32_t(dser, &seq->_length)) { + return 0; + } + + if (dser->remain < seq->_length) { + return 0; + } + + if (seq->_length > 0) { + /* Consider padding */ + size_t a_size = alignup_size(seq->_length, sizeof(uint32_t)); + seq->_buffer = ddsrt_malloc(seq->_length); + memcpy(seq->_buffer, dser->cursor, seq->_length); + dser->cursor += a_size; + dser->remain -= a_size; + } else { + seq->_buffer = NULL; + } + return 1; +} + +static int +DDS_Security_Deserialize_Property( + DDS_Security_Deserializer dser, + DDS_Security_Property_t *property) +{ + return DDS_Security_Deserialize_string(dser, &property->name) && + DDS_Security_Deserialize_string(dser, &property->value); +} + +static int +DDS_Security_Deserialize_BinaryProperty( + DDS_Security_Deserializer dser, + DDS_Security_BinaryProperty_t *property) +{ + return DDS_Security_Deserialize_string(dser, &property->name) && + DDS_Security_Deserialize_OctetSeq(dser, &property->value); +} + +static int +DDS_Security_Deserialize_PropertySeq( + DDS_Security_Deserializer dser, + DDS_Security_PropertySeq *seq) +{ + int r = 1; + uint32_t i; + + if (!DDS_Security_Deserialize_uint32_t(dser, &seq->_length)) { + return 0; + } + + if (seq->_length > 0) { + seq->_buffer = DDS_Security_PropertySeq_allocbuf(seq->_length); + for (i = 0; i < seq->_length && r; i++) { + r = DDS_Security_Deserialize_Property(dser, &seq->_buffer[i]); + } + } + + return r; +} + +static int +DDS_Security_Deserialize_BinaryPropertySeq( + DDS_Security_Deserializer dser, + DDS_Security_BinaryPropertySeq *seq) +{ + int r = 1; + uint32_t i; + + if (!DDS_Security_Deserialize_uint32_t(dser, &seq->_length)) { + return 0; + } + + if (seq->_length > 0) { + seq->_buffer = DDS_Security_BinaryPropertySeq_allocbuf(seq->_length); + for (i = 0; i < seq->_length && r; i++) { + r = DDS_Security_Deserialize_BinaryProperty(dser, &seq->_buffer[i]); 
+ } + } + + return r; +} + +static int +DDS_Security_Deserialize_DataHolder( + DDS_Security_Deserializer dser, + DDS_Security_DataHolder *holder) +{ + return DDS_Security_Deserialize_string(dser, &holder->class_id) && + DDS_Security_Deserialize_PropertySeq(dser, &holder->properties) && + DDS_Security_Deserialize_BinaryPropertySeq(dser, &holder->binary_properties); +} + + +static int +DDS_Security_Deserialize_PropertyQosPolicy( + DDS_Security_Deserializer dser, + DDS_Security_PropertyQosPolicy *policy) +{ + return DDS_Security_Deserialize_PropertySeq(dser, &policy->value) && + DDS_Security_Deserialize_BinaryPropertySeq(dser, &policy->binary_value); +} + +static int +DDS_Security_Deserialize_BuiltinTopicKey( + DDS_Security_Deserializer dser, + DDS_Security_BuiltinTopicKey_t key) +{ + int r; + + r = DDS_Security_Deserialize_uint32_t(dser, (uint32_t *)&key[0]) && + DDS_Security_Deserialize_uint32_t(dser, (uint32_t *)&key[1]) && + DDS_Security_Deserialize_uint32_t(dser, (uint32_t *)&key[2]); + + /* guid is 16 bytes, so skip the last 4 bytes */ + dser->cursor += 4; + dser->remain -= 4; + + return r; +} + +static int +DDS_Security_Deserialize_ParticipantSecurityInfo( + DDS_Security_Deserializer dser, + DDS_Security_ParticipantSecurityInfo *info) +{ + int r; + + r = DDS_Security_Deserialize_uint32_t(dser, &info->participant_security_attributes) && + DDS_Security_Deserialize_uint32_t(dser, &info->plugin_participant_security_attributes); + + return r; +} + +int +DDD_Security_Deserialize_ParticipantBuiltinTopicData( + DDS_Security_Deserializer dser, + DDS_Security_ParticipantBuiltinTopicData *pdata, + DDS_Security_SecurityException *ex) +{ + unsigned short len=0; + unsigned short pid=0; + int r, ready = 0; + + do { + DDS_Security_Deserialize_align(dser, 4); + r = DDS_Security_Deserialize_uint16(dser, &pid) && + DDS_Security_Deserialize_uint16(dser, &len); + + if (r && (len <= dser->remain)) { + const unsigned char *next_cursor = dser->cursor + len; + + switch (pid) { + case 
PID_PARTICIPANT_GUID: + r = DDS_Security_Deserialize_BuiltinTopicKey(dser, pdata->key); + break; + case PID_USER_DATA: + r = DDS_Security_Deserialize_OctetSeq(dser, &pdata->user_data.value); + break; + case PID_IDENTITY_TOKEN: + r = DDS_Security_Deserialize_DataHolder(dser, &pdata->identity_token); + break; + case PID_PERMISSIONS_TOKEN: + r = DDS_Security_Deserialize_DataHolder(dser, &pdata->permissions_token); + break; + case PID_PROPERTY_LIST: + r = DDS_Security_Deserialize_PropertyQosPolicy(dser, &pdata->property); + break; + case PID_PARTICIPANT_SECURITY_INFO: + r = DDS_Security_Deserialize_ParticipantSecurityInfo(dser, &pdata->security_info); + break; + case PID_SENTINEL: + ready = 1; + break; + default: + dser->cursor += len; + dser->remain -= len; + break; + } + + if (r) { + if (dser->cursor != next_cursor) { + DDS_Security_Exception_set(ex, "Deserialization", DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, + "Deserialize PID 0x%x failed: internal_size %d != external_size %d", pid, (int)len + (int)(dser->cursor - next_cursor), (int)len); + r = 0; + } + } else { + DDS_Security_Exception_set(ex, "Deserialization", DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, + "Deserialize PID 0x%x failed: parsing failed", pid); + } + } else { + if (!r) { + DDS_Security_Exception_set(ex, "Deserialization", DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, + "Deserialize parameter header failed"); + } + } + } while (r && !ready && dser->remain > 0); + + return ready; +} + +void +DDD_Security_BuiltinTopicKeyBE( + DDS_Security_BuiltinTopicKey_t dst, + const DDS_Security_BuiltinTopicKey_t src) +{ + dst[0] = ddsrt_toBE4u(src[0]); + dst[1] = ddsrt_toBE4u(src[1]); + dst[2] = ddsrt_toBE4u(src[2]); +} + +int +DDD_Security_Deserialize_KeyMaterial_AES_GCM_GMAC( + DDS_Security_Deserializer dser, + DDS_Security_KeyMaterial_AES_GCM_GMAC *data) +{ + int r = 0; + + r = DDS_Security_Deserialize_OctetArray(dser, data->transformation_kind, 
sizeof(data->transformation_kind)) && + DDS_Security_Deserialize_OctetSeq(dser, &data->master_salt) && + DDS_Security_Deserialize_OctetArray(dser, data->sender_key_id, sizeof(data->sender_key_id)) && + DDS_Security_Deserialize_OctetSeq(dser, &data->master_sender_key) && + DDS_Security_Deserialize_OctetArray(dser, data->receiver_specific_key_id, sizeof(data->receiver_specific_key_id)) && + DDS_Security_Deserialize_OctetSeq(dser, &data->master_receiver_specific_key); + + return r; +} diff --git a/src/security/core/src/dds_security_utils.c b/src/security/core/src/dds_security_utils.c new file mode 100644 index 0000000..8e417e6 --- /dev/null +++ b/src/security/core/src/dds_security_utils.c 
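Review bot: Several deserialize helpers subtract a padded or fixed size from `dser->remain` after checking only the unpadded size, so on a truncated input the `size_t` wraps around and every later bounds check passes. In `DDS_Security_Deserialize_OctetSeq` and `DDS_Security_Deserialize_string` the comparison is against `_length` / `sz`, but the cursor then advances by that value rounded up to 4; `DDS_Security_Deserialize_BuiltinTopicKey` skips 4 bytes with no check at all, even when the three reads before it failed. This buffer presumably holds data received from a remote participant, so the advance should be bounded as sketched below, with the same clamp applied in `DDS_Security_Deserialize_string`. The sequence readers also hand the wire-supplied `_length` to `*_allocbuf` before comparing it with what remains in the buffer, which is worth bounding in the same change.

```c
/* DDS_Security_Deserialize_OctetSeq, inside `if (seq->_length > 0)` */
    /* Consider padding, but never advance past the end of the buffer */
    size_t a_size = alignup_size(seq->_length, sizeof(uint32_t));
    if (a_size > dser->remain) {
      a_size = dser->remain;
    }
    /* … unchanged: allocate, copy _length octets, advance by a_size … */

/* DDS_Security_Deserialize_BuiltinTopicKey, after the three uint32 reads */
  /* guid is 16 bytes, so skip the last 4 bytes */
  if (!r || dser->remain < 4) {
    return 0;
  }
  dser->cursor += 4;
  dser->remain -= 4;
```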
@@ -0,0 +1,1134 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + +#include +#include +#include +#include +#include "dds/security/dds_security_api.h" +#include "dds/security/core/dds_security_utils.h" +#include "dds/ddsrt/heap.h" +#include "stdlib.h" +#include "stdarg.h" +#include "dds/ddsrt/string.h" +#include "dds/ddsrt/misc.h" + +#if DDSI_INCLUDE_SSL +#include +#include +#endif + +DDS_Security_BinaryProperty_t * +DDS_Security_BinaryProperty_alloc (void) +{ + DDS_Security_BinaryProperty_t *property; + + property = ddsrt_malloc(sizeof(DDS_Security_BinaryProperty_t)); + memset(property, 0, sizeof(DDS_Security_BinaryProperty_t)); + return property; +} + +void +DDS_Security_BinaryProperty_deinit( + DDS_Security_BinaryProperty_t *p) +{ + if (!p) { + return; + } + + ddsrt_free(p->name); + ddsrt_free(p->value._buffer); +} + +void +DDS_Security_BinaryProperty_free( + DDS_Security_BinaryProperty_t *p) +{ + if (p) { + DDS_Security_BinaryProperty_deinit(p); + ddsrt_free(p); + } +} + +void +DDS_Security_BinaryProperty_copy( + DDS_Security_BinaryProperty_t *dst, + DDS_Security_BinaryProperty_t *src) +{ + dst->name = src->name ? 
ddsrt_strdup(src->name) : NULL; + dst->propagate = src->propagate; + dst->value._length = src->value._length; + dst->value._maximum = src->value._maximum; + + if (src->value._buffer) { + dst->value._buffer = ddsrt_malloc(src->value._length); + memcpy(dst->value._buffer, src->value._buffer, src->value._length); + } else { + dst->value._buffer = NULL; + } +} + +bool +DDS_Security_BinaryProperty_equal( + DDS_Security_BinaryProperty_t *pa, + DDS_Security_BinaryProperty_t *pb) +{ + uint32_t i; + + if (pa->name && pb->name) { + if (strcmp(pa->name, pb->name) != 0) { + return false; + } + } else if (pa->name || pb->name) { + return false; + } + + if (pa->value._length != pb->value._length) { + return false; + } + + for (i = 0; i < pa->value._length; i++) { + if (pa->value._buffer && pb->value._buffer) { + if (memcmp(pa->value._buffer, pb->value._buffer, pa->value._length) != 0) { + return false; + } + } else { + return false; + } + } + + return true; +} + +void +DDS_Security_BinaryProperty_set_by_value( + DDS_Security_BinaryProperty_t *bp, + const char *name, + const unsigned char *data, + uint32_t length) +{ + assert(bp); + assert(name); + assert(data); + + bp->name = ddsrt_strdup(name); + bp->value._length = length; + bp->value._maximum = length; + if (length) { + bp->value._buffer = ddsrt_malloc(length); + memcpy(bp->value._buffer, data, length); + } else { + bp->value._buffer = NULL; + } +} + +void +DDS_Security_BinaryProperty_set_by_string( + DDS_Security_BinaryProperty_t *bp, + const char *name, + const char *data) +{ + uint32_t length; + + assert(bp); + assert(name); + assert(data); + + length = (uint32_t) strlen(data) + 1; + DDS_Security_BinaryProperty_set_by_value(bp, name, (unsigned char *)data, length); +} + +void +DDS_Security_BinaryProperty_set_by_ref( + DDS_Security_BinaryProperty_t *bp, + const char *name, + unsigned char *data, + uint32_t length) +{ + assert(bp); + assert(name); + assert(data); + assert(length > 0); + + bp->name = ddsrt_strdup(name); + 
bp->value._length = length; + bp->value._maximum = length; + bp->value._buffer = data; +} + +DDS_Security_BinaryPropertySeq * +DDS_Security_BinaryPropertySeq_alloc (void) +{ + DDS_Security_BinaryPropertySeq *seq; + + seq = ddsrt_malloc(sizeof(DDS_Security_BinaryPropertySeq)); + memset(seq, 0, sizeof(DDS_Security_BinaryPropertySeq)); + return seq; +} + +DDS_Security_BinaryProperty_t * +DDS_Security_BinaryPropertySeq_allocbuf ( + DDS_Security_unsigned_long len) +{ + DDS_Security_BinaryProperty_t *buffer; + + buffer = ddsrt_malloc(len * sizeof(DDS_Security_BinaryProperty_t)); + memset(buffer, 0, len * sizeof(DDS_Security_BinaryProperty_t)); + return buffer; +} + +void +DDS_Security_BinaryPropertySeq_deinit( + DDS_Security_BinaryPropertySeq *seq) +{ + uint32_t i; + + if (!seq) { + return; + } + for (i = 0; i < seq->_length; i++) { + ddsrt_free(seq->_buffer[i].name); + DDS_Security_OctetSeq_deinit(&seq->_buffer[i].value); + } +} + +void +DDS_Security_BinaryPropertySeq_free( + DDS_Security_BinaryPropertySeq *seq) +{ + DDS_Security_BinaryPropertySeq_deinit(seq); + ddsrt_free(seq); +} + + +DDS_Security_Property_t * +DDS_Security_Property_alloc (void) +{ + DDS_Security_Property_t *property; + + property = ddsrt_malloc(sizeof(DDS_Security_Property_t)); + memset(property, 0, sizeof(DDS_Security_Property_t)); + return property; +} + +void +DDS_Security_Property_free( + DDS_Security_Property_t *p) +{ + if (p) { + DDS_Security_Property_deinit(p); + ddsrt_free(p); + } +} + +void +DDS_Security_Property_deinit( + DDS_Security_Property_t *p) +{ + if (!p) { + return; + } + + ddsrt_free(p->name); + ddsrt_free(p->value); +} + +void +DDS_Security_Property_copy( + DDS_Security_Property_t *dst, + DDS_Security_Property_t *src) +{ + dst->name = src->name ? ddsrt_strdup(src->name) : NULL; + dst->value = src->value ? 
ddsrt_strdup(src->value) : NULL; + dst->propagate = src->propagate; +} + +bool +DDS_Security_Property_equal( + DDS_Security_Property_t *pa, + DDS_Security_Property_t *pb) +{ + if (pa->name && pb->name) { + if (strcmp(pa->name, pb->name) != 0) { + return false; + } + } else if (pa->name || pb->name) { + return false; + } + + if (pa->value && pb->value) { + if (strcmp(pa->value, pb->value) != 0) { + return false; + } + } else if (pa->value || pb->value) { + return false; + } + + return true; +} + +char * +DDS_Security_Property_get_value( + const DDS_Security_PropertySeq *properties, + const char *name) +{ + uint32_t i; + char *value = NULL; + + assert(properties); + assert(name); + + for (i = 0; !value && (i < properties->_length); i++) { + if (properties->_buffer[i].name && + (strcmp(name, properties->_buffer[i].name) == 0)) { + if (properties->_buffer[i].value) { + value = ddsrt_strdup(properties->_buffer[i].value); + } + } + } + + return value; +} + +DDS_Security_PropertySeq * +DDS_Security_PropertySeq_alloc (void) +{ + DDS_Security_PropertySeq *seq; + + seq = ddsrt_malloc(sizeof(DDS_Security_PropertySeq)); + memset(seq, 0, sizeof(DDS_Security_PropertySeq)); + return seq; +} + +DDS_Security_Property_t * +DDS_Security_PropertySeq_allocbuf ( + DDS_Security_unsigned_long len) +{ + DDS_Security_Property_t *buffer; + + buffer = ddsrt_malloc(len * sizeof(DDS_Security_Property_t)); + memset(buffer, 0, len * sizeof(DDS_Security_Property_t)); + + return buffer; +} + +void +DDS_Security_PropertySeq_freebuf( + DDS_Security_PropertySeq *seq) +{ + uint32_t i; + + if (seq) { + for (i = 0; i < seq->_length; i++) { + ddsrt_free(seq->_buffer[i].name); + ddsrt_free(seq->_buffer[i].value); + } + ddsrt_free(seq->_buffer); + seq->_length = 0; + seq->_maximum = 0; + seq->_buffer = NULL; + } +} + +void +DDS_Security_PropertySeq_free( + DDS_Security_PropertySeq *seq) +{ + DDS_Security_PropertySeq_deinit(seq); + ddsrt_free(seq); +} + +void +DDS_Security_PropertySeq_deinit( + 
DDS_Security_PropertySeq *seq) +{ + uint32_t i; + + if (!seq) { + return; + } + for (i = 0; i < seq->_length; i++) { + ddsrt_free(seq->_buffer[i].name); + ddsrt_free(seq->_buffer[i].value); + } + ddsrt_free(seq->_buffer); +} + +const DDS_Security_Property_t * +DDS_Security_PropertySeq_find_property ( + const DDS_Security_PropertySeq *property_seq, + const char *name ) +{ + + DDS_Security_Property_t *result = NULL; + unsigned i, len; + + assert(property_seq); + assert(name); + + len = (unsigned)strlen(name); + for (i = 0; !result && (i < property_seq->_length); i++) { + if (property_seq->_buffer[i].name && + (strncmp(name, property_seq->_buffer[i].name, len+ 1) == 0)) { + result = &property_seq->_buffer[i]; + } + } + + return result; +} + +DDS_Security_DataHolder * +DDS_Security_DataHolder_alloc(void) +{ + DDS_Security_DataHolder *holder; + holder = ddsrt_malloc(sizeof(*holder)); + memset(holder, 0, sizeof(*holder)); + return holder; +} + +void +DDS_Security_DataHolder_free( + DDS_Security_DataHolder *holder) +{ + if (!holder) { + return; + } + DDS_Security_DataHolder_deinit(holder); + ddsrt_free(holder); +} + +void +DDS_Security_DataHolder_deinit( + DDS_Security_DataHolder *holder) +{ + uint32_t i; + + if (!holder) { + return; + } + + ddsrt_free(holder->class_id); + + for (i = 0; i < holder->properties._length; i++) { + DDS_Security_Property_deinit(&holder->properties._buffer[i]); + } + ddsrt_free(holder->properties._buffer); + + for (i = 0; i < holder->binary_properties._length; i++) { + DDS_Security_BinaryProperty_deinit(&holder->binary_properties._buffer[i]); + } + ddsrt_free(holder->binary_properties._buffer); + + memset(holder, 0, sizeof(*holder)); +} + +void +DDS_Security_DataHolder_copy( + DDS_Security_DataHolder *dst, + const DDS_Security_DataHolder *src) +{ + uint32_t i; + + assert(dst); + assert(src); + + if (src->class_id) { + dst->class_id = ddsrt_strdup(src->class_id); + } else { + dst->class_id = NULL; + } + + dst->properties = src->properties; + if 
(src->properties._buffer) { + dst->properties._buffer = DDS_Security_PropertySeq_allocbuf(src->properties._length); + for (i = 0; i < src->properties._length; i++) { + DDS_Security_Property_copy(&dst->properties._buffer[i], &src->properties._buffer[i]); + } + } + + dst->binary_properties = src->binary_properties; + if (src->binary_properties._buffer) { + dst->binary_properties._buffer = DDS_Security_BinaryPropertySeq_allocbuf(src->binary_properties._length); + for (i = 0; i < src->binary_properties._length; i++) { + DDS_Security_BinaryProperty_copy(&dst->binary_properties._buffer[i], &src->binary_properties._buffer[i]); + } + } +} + +bool +DDS_Security_DataHolder_equal( + const DDS_Security_DataHolder *psa, + const DDS_Security_DataHolder *psb) +{ + uint32_t i; + + if (psa->class_id && psb->class_id) { + if (strcmp(psa->class_id, psb->class_id) != 0) { + return false; + } + } else if (psa->class_id || psb->class_id) { + return false; + } + + for (i = 0; i < psa->properties._length; i++) { + if (!DDS_Security_Property_equal(&psa->properties._buffer[i], &psb->properties._buffer[i])) { + return false; + } + } + + for (i = 0; i < psa->binary_properties._length; i++) { + if (!DDS_Security_BinaryProperty_equal(&psa->binary_properties._buffer[i], &psb->binary_properties._buffer[i])) { + return false; + } + } + + return true; +} + + +const DDS_Security_Property_t * +DDS_Security_DataHolder_find_property( + const DDS_Security_DataHolder *holder, + const char *name) +{ + + assert(holder); + assert(name); + + return DDS_Security_PropertySeq_find_property ( &(holder->properties), name ); +} + +const DDS_Security_BinaryProperty_t * +DDS_Security_DataHolder_find_binary_property( + const DDS_Security_DataHolder *holder, + const char *name) +{ + DDS_Security_BinaryProperty_t *result = NULL; + unsigned i, len; + + assert(holder); + assert(name); + + len = (unsigned)strlen(name); + + for (i = 0; !result && (i < holder->binary_properties._length); i++) { + if 
(holder->binary_properties._buffer[i].name && + (strncmp(name, holder->binary_properties._buffer[i].name, len+1) == 0)) { + result = &holder->binary_properties._buffer[i]; + } + } + + return result; +} + +DDS_Security_DataHolderSeq * +DDS_Security_DataHolderSeq_alloc (void) +{ + DDS_Security_DataHolderSeq *holder; + + holder = ddsrt_malloc(sizeof(DDS_Security_DataHolderSeq)); + memset(holder, 0, sizeof(DDS_Security_DataHolderSeq)); + return holder; +} + +DDS_Security_DataHolder * +DDS_Security_DataHolderSeq_allocbuf ( + DDS_Security_unsigned_long len) +{ + DDS_Security_DataHolder *buffer; + + buffer = ddsrt_malloc(len * sizeof(DDS_Security_DataHolder)); + memset(buffer, 0, len * sizeof(DDS_Security_DataHolder)); + return buffer; +} + +void +DDS_Security_DataHolderSeq_freebuf( + DDS_Security_DataHolderSeq *seq) +{ + uint32_t i; + + if (seq) { + for (i = 0; i < seq->_length; i++) { + DDS_Security_DataHolder_deinit(&seq->_buffer[i]); + } + ddsrt_free(seq->_buffer); + seq->_buffer = NULL; + seq->_length = 0; + seq->_maximum = 0; + } +} + +void +DDS_Security_DataHolderSeq_free( + DDS_Security_DataHolderSeq *seq) +{ + if (seq) { + DDS_Security_DataHolderSeq_freebuf(seq); + ddsrt_free(seq); + } +} + +void +DDS_Security_DataHolderSeq_deinit( + DDS_Security_DataHolderSeq *seq) +{ + if (seq) { + DDS_Security_DataHolderSeq_freebuf(seq); + } +} + +void +DDS_Security_DataHolderSeq_copy( + DDS_Security_DataHolderSeq *dst, + const DDS_Security_DataHolderSeq *src) +{ + uint32_t i; + + assert(dst); + assert(src); + + *dst = *src; + + if (src->_length) { + dst->_buffer = DDS_Security_DataHolderSeq_allocbuf(src->_length); + } + + for (i = 0; i < src->_length; i++) { + DDS_Security_DataHolder_copy(&dst->_buffer[i], &src->_buffer[i]); + } +} + +DDS_Security_ParticipantBuiltinTopicData * +DDS_Security_ParticipantBuiltinTopicData_alloc(void) +{ + DDS_Security_ParticipantBuiltinTopicData *result; + + result = ddsrt_malloc(sizeof(*result)); + memset(result, 0, sizeof(*result)); + + return 
result; +} + +void +DDS_Security_ParticipantBuiltinTopicData_free( + DDS_Security_ParticipantBuiltinTopicData *data) +{ + DDS_Security_ParticipantBuiltinTopicData_deinit(data); + ddsrt_free(data); +} + +void +DDS_Security_ParticipantBuiltinTopicData_deinit( + DDS_Security_ParticipantBuiltinTopicData *data) +{ + if (!data) { + return; + } + DDS_Security_DataHolder_deinit(&data->identity_token); + DDS_Security_DataHolder_deinit(&data->permissions_token); + DDS_Security_PropertyQosPolicy_deinit(&data->property); + DDS_Security_OctetSeq_deinit(&data->user_data.value); +} + +DDS_Security_OctetSeq * +DDS_Security_OctetSeq_alloc (void) +{ + return (DDS_Security_OctetSeq *)ddsrt_malloc(sizeof(DDS_Security_OctetSeq )); +} + +DDS_Security_octet * +DDS_Security_OctetSeq_allocbuf ( + DDS_Security_unsigned_long len) +{ + return (DDS_Security_octet*)ddsrt_malloc(sizeof(DDS_Security_octet)*len); +} + +void +DDS_Security_OctetSeq_freebuf( + DDS_Security_OctetSeq *seq) +{ + if (!seq) { + return; + } + ddsrt_free(seq->_buffer); + seq->_buffer = NULL; + seq->_length = 0; + seq->_maximum = 0; +} + +void +DDS_Security_OctetSeq_free( + DDS_Security_OctetSeq *seq) +{ + DDS_Security_OctetSeq_deinit(seq); + ddsrt_free(seq); +} + +void +DDS_Security_OctetSeq_deinit( + DDS_Security_OctetSeq *seq) +{ + DDS_Security_OctetSeq_freebuf(seq); +} + + +void +DDS_Security_OctetSeq_copy( + DDS_Security_OctetSeq *dst, + const DDS_Security_OctetSeq *src) +{ + if (dst->_length > 0) { + DDS_Security_OctetSeq_deinit(dst); + } + dst->_length = src->_length; + dst->_maximum = src->_maximum; + + if (src->_length) { + dst->_buffer = ddsrt_malloc(src->_length); + memcpy(dst->_buffer, src->_buffer, src->_length); + } else { + dst->_buffer = NULL; + } +} + +DDS_Security_HandleSeq * +DDS_Security_HandleSeq_alloc(void) +{ + DDS_Security_HandleSeq *seq; + + seq = ddsrt_malloc(sizeof(*seq)); + seq->_buffer = NULL; + seq->_length = 0; + seq->_maximum = 0; + + return seq; +} + +DDS_Security_long_long * 
+DDS_Security_HandleSeq_allocbuf( + DDS_Security_unsigned_long length) +{ + DDS_Security_long_long *buffer; + buffer = ddsrt_malloc(length * sizeof(DDS_Security_long_long)); + memset(buffer, 0, length * sizeof(DDS_Security_long_long)); + return buffer; +} + +void +DDS_Security_HandleSeq_freebuf( + DDS_Security_HandleSeq *seq) +{ + if (!seq) { + return; + } + ddsrt_free(seq->_buffer); + seq->_maximum = 0; + seq->_length = 0; +} + +void +DDS_Security_HandleSeq_free( + DDS_Security_HandleSeq *seq) +{ + if (!seq) { + return; + } + DDS_Security_HandleSeq_freebuf(seq); + ddsrt_free(seq); +} + +void +DDS_Security_HandleSeq_deinit( + DDS_Security_HandleSeq *seq) +{ + if (!seq) { + return; + } + DDS_Security_HandleSeq_freebuf(seq); +} + + + + +void +DDS_Security_Exception_set( + DDS_Security_SecurityException *ex, + const char *context, + int code, + int minor_code, + const char *fmt, + ...) +{ + int32_t ret; + size_t len; + char buf[1] = { '\0' }; + char *str = NULL; + va_list args1, args2; + + assert(context); + assert(fmt); + assert(ex); + DDSRT_UNUSED_ARG( context ); + + va_start(args1, fmt); + va_copy(args2, args1); + + if ((ret = vsnprintf(buf, sizeof(buf), fmt, args1)) >= 0) { + len = (size_t)ret; /* +1 for null byte */ + if ((str = ddsrt_malloc(len + 1)) == NULL) { + assert(false); + } else if ((ret = vsnprintf(str, len + 1, fmt, args2)) >= 0) { + assert((size_t) ret == len); + } else { + ddsrt_free(str); + str = NULL; + } + } + + va_end(args1); + va_end(args2); + + ex->message = str; + ex->code = code; + ex->minor_code = minor_code; +} + +#if DDSI_INCLUDE_SSL +DDS_EXPORT void +DDS_Security_Exception_set_with_openssl_error( + DDS_Security_SecurityException *ex, + const char *context, + int code, + int minor_code, + const char *error_area + ) +{ + + BIO *bio; + char *buf = NULL; + char *str; + size_t len; /*BIO_get_mem_data requires long int */ + assert(context); + assert(error_area); + assert(ex); + DDSRT_UNUSED_ARG( context ); + + bio = BIO_new(BIO_s_mem()); + + if 
(bio) { + size_t exception_msg_len; + ERR_print_errors(bio); + len = (size_t)BIO_get_mem_data (bio, &buf); + exception_msg_len = len + strlen(error_area) + 1; + str = ddsrt_malloc( exception_msg_len ); + + ddsrt_strlcpy(str, error_area, exception_msg_len); + memcpy(str + strlen(error_area), buf, len ); + str [ exception_msg_len -1 ] = '\0'; + //snprintf( str, exception_msg_len, "%s%s", error_area, buf ); + + ex->message = str; + ex->code = code; + ex->minor_code = minor_code; + + BIO_free(bio); + + } else { + DDS_Security_Exception_set(ex, context, code, minor_code, "BIO_new failed"); + } + +} +#endif + +void +DDS_Security_Exception_reset( + DDS_Security_SecurityException *ex) +{ + if (ex) { + if (ex->message) { + ddsrt_free(ex->message); + } + DDS_Security_Exception_clean(ex); + } +} + +void +DDS_Security_Exception_clean( + DDS_Security_SecurityException *ex) +{ + if (ex) { + memset(ex, 0, sizeof(DDS_Security_SecurityException)); + } +} + +void +DDS_Security_PropertyQosPolicy_deinit( + DDS_Security_PropertyQosPolicy *policy) +{ + if (!policy) { + return; + } + DDS_Security_PropertySeq_deinit(&policy->value); + DDS_Security_BinaryPropertySeq_deinit(&policy->binary_value); +} + +void +DDS_Security_PropertyQosPolicy_free( + DDS_Security_PropertyQosPolicy *policy) +{ + DDS_Security_PropertyQosPolicy_deinit(policy); + ddsrt_free(policy); +} + + +void +DDS_Security_set_token_nil( + DDS_Security_DataHolder *token) +{ + DDS_Security_DataHolder_deinit(token); + memset(token, 0, sizeof(*token)); + token->class_id = ddsrt_strdup(""); +} + +void +DDS_Security_KeyMaterial_AES_GCM_GMAC_deinit( + DDS_Security_KeyMaterial_AES_GCM_GMAC *key_material) +{ + if (key_material) { + if (key_material->master_receiver_specific_key._buffer != NULL) { + ddsrt_free(key_material->master_receiver_specific_key._buffer); + } + if( key_material->master_salt._buffer != NULL){ + ddsrt_free(key_material->master_salt._buffer); + } + if( key_material->master_sender_key._buffer != NULL){ + 
ddsrt_free(key_material->master_sender_key._buffer); + } + } +} + + +DDS_Security_CryptoTransformKind_Enum +DDS_Security_basicprotectionkind2transformationkind( + const DDS_Security_PropertySeq *properties, + DDS_Security_BasicProtectionKind protection) +{ + int keysize=256; + const DDS_Security_Property_t *key_size_property = NULL; + if( properties != NULL ){ + key_size_property = DDS_Security_PropertySeq_find_property( + properties, "dds.sec.crypto.keysize"); + + if (key_size_property != NULL) { + if (strcmp(key_size_property->value, "128") == 0) { + keysize = 128; + } + } + } + + switch (protection) { + case DDS_SECURITY_BASICPROTECTION_KIND_NONE: + return CRYPTO_TRANSFORMATION_KIND_NONE; + case DDS_SECURITY_BASICPROTECTION_KIND_SIGN: + if( keysize == 128 ){ + return CRYPTO_TRANSFORMATION_KIND_AES128_GMAC; + } else{ + return CRYPTO_TRANSFORMATION_KIND_AES256_GMAC; + } + case DDS_SECURITY_BASICPROTECTION_KIND_ENCRYPT: + if( keysize == 128 ){ + return CRYPTO_TRANSFORMATION_KIND_AES128_GCM; + } else{ + return CRYPTO_TRANSFORMATION_KIND_AES256_GCM; + } + default: + return CRYPTO_TRANSFORMATION_KIND_INVALID; + } +} + +DDS_Security_CryptoTransformKind_Enum +DDS_Security_protectionkind2transformationkind( + const DDS_Security_PropertySeq *properties, + DDS_Security_ProtectionKind protection) +{ + int keysize=256; + const DDS_Security_Property_t *key_size_property = NULL; + if( properties != NULL ){ + key_size_property = DDS_Security_PropertySeq_find_property( + properties, "dds.sec.crypto.keysize"); + if (key_size_property != NULL) { + if (strcmp(key_size_property->value, "128") == 0) { + keysize = 128; + } + } + } + + switch (protection) { + case DDS_SECURITY_PROTECTION_KIND_NONE: + return CRYPTO_TRANSFORMATION_KIND_NONE; + case DDS_SECURITY_PROTECTION_KIND_SIGN_WITH_ORIGIN_AUTHENTICATION: + case DDS_SECURITY_PROTECTION_KIND_SIGN: + if( keysize == 128 ){ + return CRYPTO_TRANSFORMATION_KIND_AES128_GMAC; + } else{ + return CRYPTO_TRANSFORMATION_KIND_AES256_GMAC; + } + 
case DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION: + case DDS_SECURITY_PROTECTION_KIND_ENCRYPT: + if( keysize == 128 ){ + return CRYPTO_TRANSFORMATION_KIND_AES128_GCM; + } else { + return CRYPTO_TRANSFORMATION_KIND_AES256_GCM; + } + default: + return CRYPTO_TRANSFORMATION_KIND_INVALID; + } +} + +/* for DEBUG purposes */ +void +print_binary_debug( + char* name, + unsigned char *value, + uint32_t size) +{ + uint32_t i; + printf("%s: ",name ); + for( i=0; i< size; i++) + { + printf("%x",value[i]); + } + printf("\n"); +} + +void +print_binary_properties_debug( + const DDS_Security_DataHolder *token) +{ + uint32_t i; + for (i = 0; i < token->binary_properties._length ; i++) { + print_binary_debug( token->binary_properties._buffer[i].name, token->binary_properties._buffer[i].value._buffer, token->binary_properties._buffer[i].value._length); + } + +} + + + + +DDS_Security_config_item_prefix_t +DDS_Security_get_conf_item_type( + const char *str, + char **data) +{ + DDS_Security_config_item_prefix_t kind = DDS_SECURITY_CONFIG_ITEM_PREFIX_UNKNOWN; + const char *CONFIG_FILE_PREFIX = "file:"; + const char *CONFIG_DATA_PREFIX = "data:,"; + const char *CONFIG_PKCS11_PREFIX = "pkcs11:"; + size_t CONFIG_FILE_PREFIX_LEN = strlen(CONFIG_FILE_PREFIX); + size_t CONFIG_DATA_PREFIX_LEN = strlen(CONFIG_DATA_PREFIX); + size_t CONFIG_PKCS11_PREFIX_LEN = strlen(CONFIG_PKCS11_PREFIX); + char *ptr; + + assert(str); + assert(data); + DDSRT_UNUSED_ARG(str); + + ptr = ddssec_strchrs(str, " \t", false); + + if (strncmp(ptr, CONFIG_FILE_PREFIX, CONFIG_FILE_PREFIX_LEN) == 0) { + const char *DOUBLE_SLASH = "//"; + size_t DOUBLE_SLASH_LEN = 2; + if (strncmp(&(ptr[CONFIG_FILE_PREFIX_LEN]), DOUBLE_SLASH, DOUBLE_SLASH_LEN) == 0) { + *data = ddsrt_strdup(&(ptr[CONFIG_FILE_PREFIX_LEN + DOUBLE_SLASH_LEN])); + } else { + *data = ddsrt_strdup(&(ptr[CONFIG_FILE_PREFIX_LEN])); + } + kind = DDS_SECURITY_CONFIG_ITEM_PREFIX_FILE; + } else if (strncmp(ptr, CONFIG_DATA_PREFIX, 
CONFIG_DATA_PREFIX_LEN) == 0) { + kind = DDS_SECURITY_CONFIG_ITEM_PREFIX_DATA; + *data = ddsrt_strdup(&(ptr[CONFIG_DATA_PREFIX_LEN])); + } else if (strncmp(ptr, CONFIG_PKCS11_PREFIX, CONFIG_PKCS11_PREFIX_LEN) == 0) { + kind = DDS_SECURITY_CONFIG_ITEM_PREFIX_PKCS11; + *data = ddsrt_strdup(&(ptr[CONFIG_PKCS11_PREFIX_LEN])); + } + + return kind; +} + + +char * +ddssec_strchrs ( + const char *str, + const char *chrs, + bool inc) +{ + bool eq; + char *ptr = NULL; + size_t i, j; + + assert (str != NULL); + assert (chrs != NULL); + + for (i = 0; str[i] != '\0' && ptr == NULL; i++) { + for (j = 0, eq = false; chrs[j] != '\0' && eq == false; j++) { + if (str[i] == chrs[j]) { + eq = true; + } + } + if (eq == inc) { + ptr = (char *)str + i; + } + } + + return ptr; +} + + +/* The result of os_fileNormalize should be freed with os_free */ +char * +DDS_Security_normalize_file( + const char *filepath) +{ + char *norm; + const char *fpPtr; + char *normPtr; +#if _WIN32 + #define __FILESEPCHAR '\\' +#else + #define __FILESEPCHAR '/' +#endif + norm = NULL; + if ((filepath != NULL) && (*filepath != '\0')) { + norm = ddsrt_malloc(strlen(filepath) + 1); + /* replace any / or \ by OS_FILESEPCHAR */ + fpPtr = (char *) filepath; + normPtr = norm; + while (*fpPtr != '\0') { + *normPtr = *fpPtr; + if ((*fpPtr == '/') || (*fpPtr == '\\')) { + *normPtr = __FILESEPCHAR; + normPtr++; + } else { + if (*fpPtr != '\"') { + normPtr++; + } + } + fpPtr++; + } + *normPtr = '\0'; + } +#undef __FILESEPCHAR + return norm; + +} + diff --git a/src/security/core/src/shared_secret.c b/src/security/core/src/shared_secret.c new file mode 100644 index 0000000..7b1de75 --- /dev/null +++ b/src/security/core/src/shared_secret.c 
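Review bot: DDS_Security_DataHolder_equal never compares sequence lengths: both loops run to psa's `_length` and index psb's `_buffer` with the same `i`, so a shorter psb is read past its end and an empty psa compares equal to any psb with the same class_id. DataHolder is the type of identity_token and permissions_token elsewhere in this patch, so this comparison presumably ends up on token data; add `if (psa->properties._length != psb->properties._length || psa->binary_properties._length != psb->binary_properties._length) return false;` before the loops. Separately, DDS_Security_KeyMaterial_AES_GCM_GMAC_deinit frees master_salt, master_sender_key and master_receiver_specific_key without clearing them or resetting the pointers. The key bytes therefore stay in freed heap and a second deinit would double-free; wiping `_length` bytes with a clear the compiler cannot elide and then setting `_buffer = NULL` addresses both.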
@@ -0,0 +1,43 @@ +/* + * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v. 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License + * v. 1.0 which is available at + * http://www.eclipse.org/org/documents/edl-v10.php. + * + * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause + */ + +#include "dds/security/core/shared_secret.h" + +const DDS_Security_octet* +get_challenge1_from_secret_handle(DDS_Security_SharedSecretHandle handle) +{ + + DDS_Security_SharedSecretHandleImpl *secret = (DDS_Security_SharedSecretHandleImpl *)(uintptr_t)handle; + return secret->challenge1; +} + +const DDS_Security_octet* +get_challenge2_from_secret_handle(DDS_Security_SharedSecretHandle handle) +{ + DDS_Security_SharedSecretHandleImpl *secret = (DDS_Security_SharedSecretHandleImpl *)(uintptr_t)handle; + return secret->challenge2; +} + +const DDS_Security_octet* +get_secret_from_secret_handle(DDS_Security_SharedSecretHandle handle) +{ + DDS_Security_SharedSecretHandleImpl *secret = (DDS_Security_SharedSecretHandleImpl *)(uintptr_t)handle; + return secret->shared_secret; +} + + +int32_t +get_secret_size_from_secret_handle( DDS_Security_SharedSecretHandle handle ){ + DDS_Security_SharedSecretHandleImpl *secret = (DDS_Security_SharedSecretHandleImpl *)(uintptr_t)handle; + return secret->shared_secret_size; + +}
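Review bot: All four accessors cast the handle straight to a `DDS_Security_SharedSecretHandleImpl *` and dereference it unchecked, so a nil (0) handle crashes in get_challenge1_from_secret_handle and in the three functions after it. Each pointer-returning accessor should start with `if (secret == NULL) return NULL;`, and get_secret_size_from_secret_handle with `if (secret == NULL) return 0;`. Because the handle is a raw pointer in disguise, a header comment such as `/* handle must be a value issued by the local authentication plugin; it is dereferenced as a pointer and must never be taken from received data */` would make the trust assumption explicit. The returned pointers alias the stored secret and challenges, so that comment should also state that callers must not free or outlive them.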