The advanced TLS features are tested in different stages. At stage 0, we establish a good connection between client and server. At stage 1, we change one factor (it could be that we change the server's certificate, or the custom verification function, etc.), and test whether the following connections would be dropped
| 121 | // (could be a change to the client's trust certificate, or to the custom |
| 122 | // verification function, etc.) |
| 123 | func (s) TestEnd2End(t *testing.T) { |
| 124 | cs := &testutils.CertStore{} |
| 125 | if err := cs.LoadCerts(); err != nil { |
| 126 | t.Fatalf("cs.LoadCerts() failed, err: %v", err) |
| 127 | } |
| 128 | stage := &stageInfo{} |
| 129 | for _, test := range []struct { |
| 130 | desc string |
| 131 | clientCert []tls.Certificate |
| 132 | clientGetCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error) |
| 133 | clientRoot *x509.CertPool |
| 134 | clientGetRoot func(params *ConnectionInfo) (*RootCertificates, error) |
| 135 | clientVerifyFunc PostHandshakeVerificationFunc |
| 136 | clientVerificationType VerificationType |
| 137 | serverCert []tls.Certificate |
| 138 | serverGetCert func(*tls.ClientHelloInfo) ([]*tls.Certificate, error) |
| 139 | serverRoot *x509.CertPool |
| 140 | serverGetRoot func(params *ConnectionInfo) (*RootCertificates, error) |
| 141 | serverVerifyFunc PostHandshakeVerificationFunc |
| 142 | serverVerificationType VerificationType |
| 143 | }{ |
| 144 | // Test Scenarios: |
| 145 | // At initialization(stage = 0), client will be initialized with cert |
| 146 | // ClientCert1 and ClientTrust1, server with ServerCert1 and ServerTrust1. |
| 147 | // The mutual authentication works at the beginning, since ClientCert1 is |
| 148 | // trusted by ServerTrust1, and ServerCert1 by ClientTrust1. |
| 149 | // At stage 1, client changes ClientCert1 to ClientCert2. Since ClientCert2 |
| 150 | // is not trusted by ServerTrust1, following rpc calls are expected to |
| 151 | // fail, while the previous rpc calls are still good because those are |
| 152 | // already authenticated. |
| 153 | // At stage 2, the server changes ServerTrust1 to ServerTrust2, and we |
| 154 | // should see it again accepts the connection, since ClientCert2 is trusted |
| 155 | // by ServerTrust2. |
| 156 | { |
| 157 | desc: "test the reloading feature for client identity callback and server trust callback", |
| 158 | clientGetCert: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { |
| 159 | switch stage.read() { |
| 160 | case 0: |
| 161 | return &cs.ClientCert1, nil |
| 162 | default: |
| 163 | return &cs.ClientCert2, nil |
| 164 | } |
| 165 | }, |
| 166 | clientRoot: cs.ClientTrust1, |
| 167 | clientVerifyFunc: func(*HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) { |
| 168 | return &PostHandshakeVerificationResults{}, nil |
| 169 | }, |
| 170 | clientVerificationType: CertVerification, |
| 171 | serverCert: []tls.Certificate{cs.ServerCert1}, |
| 172 | serverGetRoot: func(*ConnectionInfo) (*RootCertificates, error) { |
| 173 | switch stage.read() { |
| 174 | case 0, 1: |
| 175 | return &RootCertificates{TrustCerts: cs.ServerTrust1}, nil |
| 176 | default: |
| 177 | return &RootCertificates{TrustCerts: cs.ServerTrust2}, nil |
| 178 | } |
| 179 | }, |
| 180 | serverVerifyFunc: func(*HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) { |