| 274 | // credentials uses a root certificate which does not match the certificate |
| 275 | // presented by the client, and hence the handshake must fail. |
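func (s) TestServerCredsHandshakeFailure(t *testing.T) {
	// NOTE(review): errorCreds is presumably a credentials implementation
	// whose handshake always fails, so an unexpected fall back to it (instead
	// of the xDS-configured credentials) would not go unnoticed — confirm.
	opts := ServerOptions{FallbackCreds: &errorCreds{}}
	creds, err := NewServerCredentials(opts)
	if err != nil {
		t.Fatalf("NewServerCredentials(%v) failed: %v", opts, err)
	}
	ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout)
	defer cancel()

	// Create a test server which uses the xDS server credentials created above
	// to perform TLS handshake on incoming connections.
	ts := newTestServerWithHandshakeFunc(ctx, func(rawConn net.Conn) handshakeResult {
		// Create a HandshakeInfo whose root provider (server_ca_cert.pem) does
		// not match the certificate sent by the client, so verification of the
		// client certificate on the server side must fail.
		//
		// NOTE(review): this callback presumably runs on the test server's
		// accept goroutine; makeRootProvider/makeIdentityProvider take t, so
		// they must not call t.Fatal from off the test goroutine — confirm.
		hi := xdsinternal.NewHandshakeInfo(makeRootProvider(t, "x509/server_ca_cert.pem"), makeIdentityProvider(t, "x509/client2_cert.pem", "x509/client2_key.pem"), nil, true, "", false, false)

		// Create a wrapped conn which can return the HandshakeInfo and
		// configured deadline to the xDS credentials' ServerHandshake()
		// method.
		conn := newWrappedConn(rawConn, hi, time.Now().Add(defaultTestTimeout))

		// ServerHandshake() on the xDS credentials is expected to fail; a
		// successful handshake is the failure mode this test guards against.
		if _, _, err := creds.ServerHandshake(conn); err == nil {
			return handshakeResult{err: errors.New("ServerHandshake() succeeded when expected to fail")}
		}
		return handshakeResult{}
	})
	defer ts.stop()

	// Dial the test server, and trigger the TLS handshake.
	rawConn, err := net.Dial("tcp", ts.address)
	if err != nil {
		t.Fatalf("net.Dial(%s) failed: %v", ts.address, err)
	}
	defer rawConn.Close()
	tlsConn := tls.Client(rawConn, makeClientTLSConfig(t, true))
	// A deadline that fails to apply would let a misbehaving server hang the
	// test until the overall timeout, so surface that as a test failure.
	if err := tlsConn.SetDeadline(time.Now().Add(defaultTestTimeout)); err != nil {
		t.Fatalf("tlsConn.SetDeadline() failed: %v", err)
	}
	// The client-side handshake is expected to complete; the rejection of the
	// client certificate is asserted via the server's handshake result below.
	// NOTE(review): this relies on the server's rejection not being observed
	// by the client's Handshake() call (e.g. as a TLS alert) — if the TLS
	// version negotiated by makeClientTLSConfig changes, revisit this check.
	if err := tlsConn.Handshake(); err != nil {
		t.Fatal(err)
	}

	// Read handshake result from the testServer which will return an error if
	// the handshake succeeded.
	val, err := ts.hsResult.Receive(ctx)
	if err != nil {
		t.Fatalf("testServer failed to return handshake result: %v", err)
	}
	// A checked assertion turns an unexpected payload type into a test
	// failure rather than a panic.
	hsr, ok := val.(handshakeResult)
	if !ok {
		t.Fatalf("testServer returned handshake result of type %T, want handshakeResult", val)
	}
	if hsr.err != nil {
		t.Fatalf("testServer handshake failure: %v", hsr.err)
	}
}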
| 328 | |
| 329 | // TestServerCredsHandshakeSuccess verifies success handshake cases. |
| 330 | func (s) TestServerCredsHandshakeSuccess(t *testing.T) { |