tls-test.c++ (49673B)
1 // Copyright (c) 2016 Sandstorm Development Group, Inc. and contributors 2 // Licensed under the MIT License: 3 // 4 // Permission is hereby granted, free of charge, to any person obtaining a copy 5 // of this software and associated documentation files (the "Software"), to deal 6 // in the Software without restriction, including without limitation the rights 7 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 8 // copies of the Software, and to permit persons to whom the Software is 9 // furnished to do so, subject to the following conditions: 10 // 11 // The above copyright notice and this permission notice shall be included in 12 // all copies or substantial portions of the Software. 13 // 14 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 15 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 17 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 18 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 19 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 20 // THE SOFTWARE. 21 22 #if KJ_HAS_OPENSSL 23 24 #if _WIN32 25 #include <kj/win32-api-version.h> 26 #endif 27 28 #include "tls.h" 29 30 #include <openssl/opensslv.h> 31 32 #include <stdlib.h> 33 34 #if _WIN32 35 #include <winsock2.h> 36 37 #include <kj/windows-sanity.h> 38 #else 39 #include <sys/socket.h> 40 #endif 41 42 #include <kj/async-io.h> 43 #include <kj/test.h> 44 45 namespace kj { 46 namespace { 47 48 // ======================================================================================= 49 // test data 50 // 51 // made with make-test-certs.sh 52 static constexpr char CA_CERT[] = 53 "-----BEGIN CERTIFICATE-----\n" 54 "MIIGMzCCBBugAwIBAgIUDxGXACZeJ0byrswV8gyWskZF2Q8wDQYJKoZIhvcNAQEL\n" 55 "BQAwgacxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQH\n" 56 "DAlQYWxvIEFsdG8xFTATBgNVBAoMDFNhbmRzdG9ybS5pbzEbMBkGA1UECwwSVGVz\n" 57 "dGluZyBEZXBhcnRtZW50MRcwFQYDVQQDDA5jYS5leGFtcGxlLmNvbTEiMCAGCSqG\n" 58 "SIb3DQEJARYTZ2FycGx5QHNhbmRzdG9ybS5pbzAgFw0yMDA2MjcwMDQyNTJaGA8y\n" 59 "MTIwMDYwMzAwNDI1MlowgacxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y\n" 60 "bmlhMRIwEAYDVQQHDAlQYWxvIEFsdG8xFTATBgNVBAoMDFNhbmRzdG9ybS5pbzEb\n" 61 "MBkGA1UECwwSVGVzdGluZyBEZXBhcnRtZW50MRcwFQYDVQQDDA5jYS5leGFtcGxl\n" 62 "LmNvbTEiMCAGCSqGSIb3DQEJARYTZ2FycGx5QHNhbmRzdG9ybS5pbzCCAiIwDQYJ\n" 63 "KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKpp8VF/WDPw1V1aD36/uDWI4XRk9OaJ\n" 64 "i8tkAbTPutJ7NU4AWv9OzreKIR1PPhj0DtxVOj5KYRTwL1r4DsFWh6D0rBV7oz7o\n" 65 "zP8hWznVQBSa2BJ2E4uDD8p5oNz1+O+o4UgSBbOr83Gp5SZGw9KO7cgNql9Id/Ii\n" 66 "sHYxXdrYdAl6InuR6q52CJgcGqQgpFYG+KYqDiByfX52slyz5FA/dfZxsmoEVFLB\n" 67 "rgbeuhsJGIoasTkGIdCYJhYI7k2uWtvYNurnhgvlpfPHHuSnJ+aWVdKaQUthgbsy\n" 68 "T2XHuLYpWx7+B7kCF5B4eKtn3e7yzE7A8jn8Teq6yRNUh1PnM7CRMmz3g4UAxmJT\n" 69 "F5NyQd14IqveFuOk40Ba8wLoypll5We5tV7StUyvaOlAhi+gGPHfWKk4MGiBoaOV\n" 70 "52D1+/dkh/abokdKZtE59gJX0MrH6mihfc9KQs7N51IhSs4kG5zGIBdvgXtmP17H\n" 71 "hixUFi0Y85pqGidW4LLQ1pmK9k0U4gYlwHtqHh8an35/vp/mFhl2BDHcpuYKZ34U\n" 72 "ZDo9GglfCTVEsUvAnwfhuYN0e0kveSTuRCMltjGg0Fs1h9ljNNuc46W4qIx/d5ls\n" 73 "aMOTKc3PTtwtqgXOXRFn2U7AUXOgtEqyqpuj5ZcjH2YQ3BL24qAiYEHaBOHM+8qF\n" 74 "9JLZE64j5dnZAgMBAAGjUzBRMB0GA1UdDgQWBBTmqsbDUpi5hgPbcPESYR9t8jsD\n" 75 "7jAfBgNVHSMEGDAWgBTmqsbDUpi5hgPbcPESYR9t8jsD7jAPBgNVHRMBAf8EBTAD\n" 76 "AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQADdVBYClYWqNk1s2gamjGsyQ2r88TWTD6X\n" 77 "RySVnyQPATWuEctrr6+8qTrbqBP4bTPKE+uTzwk+o5SirdJJAkrcwEsSCFw7J/qf\n" 78 "5U/mXN+EUuqyiMHOS/vLe5X1enj0I6fqJY2mCGFD7Jr/+el1XXjzRZsLZHmqSxww\n" 79 "T+UjJP+ffvtq3pq4nMQowxXm+Wub0gFHj5wkKMTIDyqnbjzB9bdVd0crtA+EpYIi\n" 80 "f8y5WB46g1CngRnMzRQvg5FCmxg57i+mVgiUjUe54VenwK9aeeHIuOdLCZ0RmiNH\n" 81 "KHPUBct+S/AXx8DCoAdm51EahwMBnlUyISpwJ+LVMWA2R9DOxdhEF0tv5iBsD9rn\n" 82 "oKIWoa0t/Vwnd2n8wyLhuA7N4yzm0rdBjO/rU6n0atIab5+CEDyLeyWQBVwfCUF5\n" 83 "XYNxOBJgGfSgJa23KUtn15pS/nSTa6sOtS/Mryc4UuNzxn+3ebNOG4UPlH6miSMK\n" 84 "yA+5SCyKgrn3idifzrq+XafA2WUnxdBLgJMM4OIPAGNjCCW2P1cP/NVllUTjTy2y\n" 85 "AIKQ/D9V/DzlbIIT6F3CNnqa9xnrBWTKF1YH/zSB7Gh2xlr0WnOWJVQbNUYet982\n" 86 "JL5ibRhsiqBgltgQPhKhN/rGuh7Cb28679fQqLXKgOWvV2fC4b2y0v9dG78jGCEE\n" 87 "LBzBUUmunw==\n" 88 "-----END CERTIFICATE-----\n"; 89 90 static constexpr char INTERMEDIATE_CERT[] = 91 "-----BEGIN CERTIFICATE-----\n" 92 "MIIGETCCA/mgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgacxCzAJBgNVBAYTAlVT\n" 93 "MRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQYWxvIEFsdG8xFTATBgNV\n" 94 "BAoMDFNhbmRzdG9ybS5pbzEbMBkGA1UECwwSVGVzdGluZyBEZXBhcnRtZW50MRcw\n" 95 "FQYDVQQDDA5jYS5leGFtcGxlLmNvbTEiMCAGCSqGSIb3DQEJARYTZ2FycGx5QHNh\n" 96 "bmRzdG9ybS5pbzAgFw0yMDA2MjcwMDQyNTNaGA8yMTIwMDYwMzAwNDI1M1owgZcx\n" 97 "CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxTYW5k\n" 98 "c3Rvcm0uaW8xGzAZBgNVBAsMElRlc3RpbmcgRGVwYXJ0bWVudDEbMBkGA1UEAwwS\n" 99 "aW50LWNhLmV4YW1wbGUuY29tMSIwIAYJKoZIhvcNAQkBFhNnYXJwbHlAc2FuZHN0\n" 100 "b3JtLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvDRmV4e7F/1K\n" 101 "TaySC2xq00aYZfKJmwcvBvLM60xMrwDf5KlHWoYzog72q6qNb0TpvaeOlymU1IfR\n" 102 "DkRIMFz6qd4QpK3Ah0vDtqEsoYE6F7gr2QAAaB7HQhczClh6FFkMCygrHDRQlJcF\n" 103 "VseTKxnZBUAUhnG7OI8bHMZsprg31SNG1GCXq/CO/rkKIP1Pdwevr8DFHL3LFF03\n" 104 "vdeo6+f/3LjlsCzVCNsCcAYIScRSl1scj2QYcwP7tTmDRAmU9EZFv9MWSqRIMT4L\n" 105 "/4tP9AL/pWGdx8RRvbXoLJQf+hQW6YnSorRmIH/xYsvqMaan4P0hkomfIHP4nMYa\n" 106 "LgI8VsNhTeDZ7IvSF2F73baluTOHhUD5eE/WDffNeslaCoMbH/B3H6ks0zYt/mHG\n" 107 "mDaw3OxgMYep7TIE+SABOSJV+pbtQWNyM7u2+TYHm2DaxD3quf+BoYUZT01uDtN4\n" 108 "BSsR7XEzF25w/4lDxqBxGAZ0DzItK0kzqMykSWvDIjpSg/UjRj05sc+5zcgE4pX1\n" 109 "nOLD+FuB9jVqo6zCiIkHsSI0XHnm4D6awB1UyDwSh8mivfUDT53OpOIwOI3EB/4U\n" 110 "iZstUKgyXNrXsE6wS/3JfdDZ9xkw4dWV+0FWKJ4W6Y8UgKvQJRChpCUtcuxfaLjX\n" 111 "/ZIcMRYEFNjFppka/7frNT1VNnRvJ9cCAwEAAaNTMFEwHQYDVR0OBBYEFNnHDzWZ\n" 112 "NC5pP6njUnf1BMXuQKnnMB8GA1UdIwQYMBaAFOaqxsNSmLmGA9tw8RJhH23yOwPu\n" 113 "MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAG0ShYBIbwGMDUBj\n" 114 "9G2vxI4Nx7lip9/wO5NCC2biVxtcjNxwTuCcqCxeSGgdimo82vJTm9Wa1AkoawSv\n" 115 "+spoXJAeOL5dGmZX3IRD0KuDoabH7F6xbNOG3HphvwAJcKQOitPAgTt2eGXCaBqw\n" 116 "a1ivxPzchHVd3+LyjLMK5G3zzgW0tZhKp7IYE0eGoSGwrw10ox6ibyswe8evul1N\n" 117 "r7Z3zFSWqjy6mcyp7PvlImDMYzWHYYdncEaeBHd13TnTQ++AtY3Da2lu7WG5VlcV\n" 118 "vcRaNx8ZLIUpW7u76F9fH25GFnQdF87dgt/ufntts4NifwRRRdIDAgunQ0Nf/TDy\n" 119 "ow/P7dobloGl9c5xGyXk9EbYYiK/Iuga1yUKJP3UQhfOTNBsDkyUD/jLg+0bI8T+\n" 120 "Vv4hKNhzUObXjzA5P7+RoEqnPe8R5wjvea6OJc2MDm5GFrzZOdIEnW/iuaQTE3ol\n" 121 "PYZVDvgPB+l7IC0brwTvdnvXaGLFu8ICQtNoOuSkbEAysyBWCEGwloYLL3r/0ozb\n" 122 "k3z5mUZVBwhpQS/GEChfUKiLxk9rbDmnhKASa6FVtycSVfoW/Oh5M65ARf9CFIUv\n" 123 "cvDYLpQl7Ao8QiDqlQBvitNi665uucsZ/zOdFlTKKAellLASpB/q2Y6J4wkogFNa\n" 124 "dGRV0WpQkcuMjXK7bzSSLMo0nMCm\n" 125 "-----END CERTIFICATE-----\n"; 126 127 static constexpr char HOST_KEY[] = 128 "-----BEGIN RSA PRIVATE KEY-----\n" 129 "MIIJJwIBAAKCAgEAzO6/HGJ46PIogZJPxfSE6eHuqE1JvC8eaSCOKpqbfGsIHPfh\n" 130 "8d+TFatDe4GF4B6YYYmxpJUN85wZC+6GTA7xeM9UubssiwfACE/se5lJA0SSbXo9\n" 131 "SXkE5sI/LM7NA6+h3PTmoLlwduWHh6twHbcfcJUtSOSJemCLUqZOiSQ+CGW2RzEF\n" 132 "01SM/eOmpN9gtmVejD7wOxItbjX/DDE/IKv6xQ2G1RYxEpggCnNQjZj4R0uroN6L\n" 133 "tM7hiQebueXs3KfVIEcEV9oXfTf2tI4G3NTn9MJUvZQNIMUVOtjl8UmLHfk3T9Hc\n" 134 "eL/RM0svWIPWNoUJxA6m4u4g9D0eED2W0chKe86tF65RRYHvPNQXZf+tG7wyvRKP\n" 135 "ePWIlEzIAgXW2WwXEvzFvvRnfX1mYeWA7KhyRaVcCp9H0i5ZP0L8E2RsvYd+2QMm\n" 136 "zrxkeM01KMJSTAtUhqydNaH5dzlp8UXWvoTFLAh4F744OjdOyjHqoTZi1oh+iqsc\n" 137 "3o4tWQF3YzpjharP3mngGj+YDp/ZN6F8QdFQU+iNFKx6aDRgnKm+ri0/yTDMQ3G1\n" 138 "4bQ9FNmLRwB+W5UI9Oy931JxxcW7LxncbHgA326++bD1CdLXyxOvpHK40B5f9zsg\n" 139 "m980xdjBcLr2o0nGAsZ9V79a0BNqjvDA3DjmXBGTYxJSpMGfipP5KbP2hl0CAwEA\n" 140 "AQKCAgBSqV63EVVaCQujsCOzYn0WZgbBJmO+n3bxyqrtrm1XU0jzfl1KFfebPvi6\n" 141 "YbVhgJXQihz4mRMGl4lW0cCj/0cRhvfS7xf5gIfKEor+FAdqZQd3V15PO5xphCK9\n" 142 "bTEu8nIk0TgRzpr5qn3vkIxpwArTe6jHhT+a+ERaczCsiszm0DglITYLV0iDxIbc\n" 143 "bCnziJIJmf2Gpj9i/C7DeT3QbO56+4jOfOQQbwJFlNwCMZi8EV7KRdoudWBtyH7d\n" 144 "DkxreNsz6NFsqlDdNmyxybQk8VAa3yQVUBm3hSeaFBE0MYkG7xaLgMgggKbevM39\n" 145 "Mzh9x034IjzYvlrWiayNunoSZmr8KhYQUsgAE5F+khTLfheiGvXLkjTdBLIGG5q7\n" 146 "nb3G1la/jx0/0YpQvawNriovwii76cgHjmnEiNBJH685fvVP1y3bM/dJ62xdzFpw\n" 147 "7/1xrii1D9rSvrns037WOrv6VtdtNpJoLbUlNXU8CX9Oc7umbBLCLEp00+0DDctk\n" 148 "3KVX+sQc37w9KRURu8LqyFFx4VvyIQ+sJQKwVqFpaIkR7MzN6apkBCXwF+WtgtCz\n" 149 "7RGcu8V00yA0Rqqm1RVhPzbBU5UII0sRTYDacZFqzku8dVqEH0dUGlvtG2oIu0ed\n" 150 "OOv93q2EIyxmA88xcA2YFLI7P/qjYuhcUCd4QZb8S6/c71V+lQKCAQEA+fhQHE8j\n" 151 "Pp45zNZ9ITBTWqf0slC9iafpZ1qbnI60Sm1UigOD6Qzc5p6jdKggNr7VcQK+QyOo\n" 152 "pnM3qePHXgDzJZfdN7cXB9O7jZSTWUyTDc1C59b3H4ney/tIIj4FxCXBolkPrUOW\n" 153 "PE96i2PRQRGI1Pp5TFcFcaT5ZhX9WTPo/0fYBFEpof62mxGYRbQ8cEmRQYAXmlES\n" 154 "mqE9RwhwqTKy3VET0qDV5eq1EihMkWlDleyIUHF7Ra1ECzh8cbTx8NpS2Iu3BL5v\n" 155 "Sk6fGv8aegmf4DZcDU4eoZXBA9veAigT0X5cQH4HsAuppIOfRD8pFaJEe2K5EXXu\n" 156 "lDSlJk5BjSrARwKCAQEA0eBORzH+g2kB/I8JIMYqy4urI7mGU9xNSwF34HhlPURQ\n" 157 "NxPIByjUKrKZnCVaN2rEk8vRzY8EdsxRpKeGBYW1DZ/NL8nM7RHMKjGopf/n2JRk\n" 158 "7m1Mn6f4mLRIVzOID/eR2iGPvWNcKrJxgkGXNXlWEi0wasPwbVksV05uGd/5K/sT\n" 159 "cVVKkYLPhcGkYd7VvCfgF5x+5kPRLTrG8EKbePclUAVhs9huSRR9FAjSThpLyJZo\n" 160 "0/3WxPNm9FoPYGyAevvdPiF5f6yp1IdPDNZHx46WSVfkgqA5XICjanl5WCNHezDp\n" 161 "93r/Ix7zJ0Iyu9BxI2wJH3wGGqmsGveKOfZl90MaOwKCAQBCSGfluc5cslQdTtrL\n" 162 "TCcuKM8n4WUA9XdcopgUwXppKeh62EfIKlMBDBvHuTUhjyTF3LZa0z/LM04VTIL3\n" 163 "GEVhOI2+UlxXBPv8pOMVkMqFpGITW9sXj9V2PWF5Qv0AcAqSZA9WIE/cGi8iewtn\n" 164 "t6CS6P/1EDYvVlGTkk0ltDAaURCkxGjHveTp5ZZ9FTfZhohv1+lqUAkg25SGG2TU\n" 165 "WM85BGC/P0q4tq3g7LKw9DqprJjQy+amKTWbzBSjihmFhj7lkNas+VpFV+e0nuSE\n" 166 "a7zrFT7/gDF7I1yVC14pMDthF6Kar1CWi+El8Ijw7daVF/wUw67TRHRI9FS+fY3A\n" 167 "Qw/NAoIBAFbE7LgElFwSEu8u17BEHbdPhC7d6gpLv2zuK3iTbg+5aYyL0hwbpjQM\n" 168 "6PMkgjr9Gk6cap4YrdjLuklftUodMHB0i+lg/idZP1aGd1pCBcGGAICOkapEUMQZ\n" 169 "bPsYY/1t9k//piS/qoBAjCs1IOXLx2j2Y9kQLxuWTX2/AEgUUDj9sdkeURj9wvxi\n" 170 "xaps7WK//ablXZWnnhib/1mfwBVv4G5H+0/WgCoYnWmmCASgXIqOnMJgZOXCV+NY\n" 171 "RJkx4qB19s9UGZ5ObVxfoLAG+2AmtD2YZ/IVegGjcWx40lE9LLVi0KgvosILbq3h\n" 172 "cYYytEPXy6HHreJiGbSAeRZjp15l0LcCggEAWjeKaf61ogHq0uCwwipVdAGY4lNG\n" 173 "dAh2IjAWX0IvjBuRVuUNZyB8GApH3qilDsuzPLYtIhHtbuPrFjPyxMBoppk7hLJ+\n" 174 "ubzoHxMKeyKwlIi4jY+CXLaHtIV/hZFVYcdvr5A2zUrMgzEnDEEFn96+Dz0IdGrF\n" 175 "a37oDKDYpfK8EFk/jb2aAhIgYSHSUg4KKlQRuPfu0Vt/O8aasjmAQvfEmbx6c2C5\n" 176 "4q16Ky/ZM7mCqQNJAXgyPfOeJnX1PwCKntdEs2xtzXb7dEP9Yy9uAgmmVe7EzPCj\n" 177 "ml57PWxIJKtok73AHEat6qboncHvW1RPDAiQYmXdbe40v4wlPDrnWjUUiA==\n" 178 "-----END RSA PRIVATE KEY-----\n"; 179 180 static constexpr char VALID_CERT[] = 181 "-----BEGIN CERTIFICATE-----\n" 182 "MIIF+jCCA+KgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT\n" 183 "MRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxTYW5kc3Rvcm0uaW8xGzAZ\n" 184 "BgNVBAsMElRlc3RpbmcgRGVwYXJ0bWVudDEbMBkGA1UEAwwSaW50LWNhLmV4YW1w\n" 185 "bGUuY29tMSIwIAYJKoZIhvcNAQkBFhNnYXJwbHlAc2FuZHN0b3JtLmlvMCAXDTIw\n" 186 "MDYyNzAwNDI1M1oYDzIxMjAwNjI3MDA0MjUzWjCBkDELMAkGA1UEBhMCVVMxEzAR\n" 187 "BgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoMDFNhbmRzdG9ybS5pbzEbMBkGA1UE\n" 188 "CwwSVGVzdGluZyBEZXBhcnRtZW50MRQwEgYDVQQDDAtleGFtcGxlLmNvbTEiMCAG\n" 189 "CSqGSIb3DQEJARYTZ2FycGx5QHNhbmRzdG9ybS5pbzCCAiIwDQYJKoZIhvcNAQEB\n" 190 "BQADggIPADCCAgoCggIBAMzuvxxieOjyKIGST8X0hOnh7qhNSbwvHmkgjiqam3xr\n" 191 "CBz34fHfkxWrQ3uBheAemGGJsaSVDfOcGQvuhkwO8XjPVLm7LIsHwAhP7HuZSQNE\n" 192 "km16PUl5BObCPyzOzQOvodz05qC5cHblh4ercB23H3CVLUjkiXpgi1KmTokkPghl\n" 193 "tkcxBdNUjP3jpqTfYLZlXow+8DsSLW41/wwxPyCr+sUNhtUWMRKYIApzUI2Y+EdL\n" 194 "q6Dei7TO4YkHm7nl7Nyn1SBHBFfaF3039rSOBtzU5/TCVL2UDSDFFTrY5fFJix35\n" 195 "N0/R3Hi/0TNLL1iD1jaFCcQOpuLuIPQ9HhA9ltHISnvOrReuUUWB7zzUF2X/rRu8\n" 196 "Mr0Sj3j1iJRMyAIF1tlsFxL8xb70Z319ZmHlgOyockWlXAqfR9IuWT9C/BNkbL2H\n" 197 "ftkDJs68ZHjNNSjCUkwLVIasnTWh+Xc5afFF1r6ExSwIeBe+ODo3Tsox6qE2YtaI\n" 198 "foqrHN6OLVkBd2M6Y4Wqz95p4Bo/mA6f2TehfEHRUFPojRSsemg0YJypvq4tP8kw\n" 199 "zENxteG0PRTZi0cAfluVCPTsvd9SccXFuy8Z3Gx4AN9uvvmw9QnS18sTr6RyuNAe\n" 200 "X/c7IJvfNMXYwXC69qNJxgLGfVe/WtATao7wwNw45lwRk2MSUqTBn4qT+Smz9oZd\n" 201 "AgMBAAGjUzBRMB0GA1UdDgQWBBRdpPVLjMnJFs7lCtMW6x39Wnwt3TAfBgNVHSME\n" 202 "GDAWgBTZxw81mTQuaT+p41J39QTF7kCp5zAPBgNVHRMBAf8EBTADAQH/MA0GCSqG\n" 203 "SIb3DQEBCwUAA4ICAQA2kid2fGqjeDRVuclfDRr0LhbFYfJJXxW7SPgcUpJYXeAz\n" 204 "LXotBm/Cc+K01nNtl0JYfJy4IkaQUYgfVsA5/FqTGnbRmpEd5XidiGE6PfkXZSNj\n" 205 "02v6Uv2bAs8NnJirS5F0JhWZ45xAOMbl04QPUdkISF1JzioCcCqWOggbIV7kzwrB\n" 206 "MTcsx8vuh04S9vB318pKli4uIjNdwu7HnoqbrqhSgTUK1aXS6sDQNN/nvR6F5TRL\n" 207 "MC0cCtIA6n04c09WRfHxl/YPQwayxGD23eQ9UC7Noe/R8B3K/+6XUYIEmXx6HpnP\n" 208 "yt/79iBPwLnaVjGDwKfI8EPuSo7AkDSO3uxMjf7eCL2sCzWlgsne9yOfYxGn+q9K\n" 209 "h3KTOR1b7EVU/G4h7JxlSHqf3Ii9qFba/HsUo1yMjVEraMNpxXCijGsN30fqUpLg\n" 210 "2g9lNKmIdyHuYdlZET082b1dvb7cfYChlqHvrPv5awbsc1Ka2pOFOMwnUi2w3cHc\n" 211 "TLq3SyipI+sgJg3HHSJ3zVHrgKUeDoQi52i5WedvIBPfHC4Ik4zEzlkCMDd3hoLe\n" 212 "THAsBGBBEICK+lLSo0Mst2kxhTHHK+PxmhorXXnGOpla2wbwzVZgxur45axCWVqH\n" 213 "cbdcVhzR2w4XhjaS74WGiHHn5mHb/uYZJiZGpFCNefU2WOBlRCX7hgAzlPa4ZQ==\n" 214 "-----END CERTIFICATE-----\n"; 215 216 static constexpr char HOST_KEY2[] = 217 "-----BEGIN RSA PRIVATE KEY-----\n" 218 "MIIJKgIBAAKCAgEAtpULbBVceP5UTP8Aq/qZ4zuws0mgfRazlFFDzn0SpxKRgfUR\n" 219 "OrDB8EMcffL+IxWYdzszYnm7R4p8udQHtqdX1m+JpWPIcEyOGuKEjEGGVBbfteiG\n" 220 "vCZaHmmhSGFuBuRQnsmOMN2sX4ATPgISeUpKz3YcEw5zbGV9XveQBCiCZYJOEY2R\n" 221 "qzuzfwmO76Nf/0pQtFaN6vjHOGOp5e6xEWUNMruliw83/BYmtOE0CH9QmLSi5d/s\n" 222 "OMsppXVduwUshHv2gwocXFik4FUhDMKjfzp71uvRLqAnpsf6u5uShXwqgamohQct\n" 223 "h9D0x5KMoTwlf7LnV52dJ4Fp0np4FYkNhJJxqMXjJuzW4HqHyt/zzelhXavKyPyf\n" 224 "XGmkRHzQLAaOzDN+3qXBvArubYapuy/CF1n/Dh9OvcGJ8vK2wtahGig2Wrwh5k0e\n" 225 "ZEiQfkFtXKhVmxNgcEEr6coIPAPe882F0HrWgM5h/huS50MC5OWyjnAySZ7L/Qj0\n" 226 "7jDfNcij1yajmv4ahsL8FI4hal8k3DSXe3MDnAwmBxKg+b/KUWNiucdInZUZ17c5\n" 227 "765aQoeIPZFVBoAQrgFFLPE31wC7SwrMuKMhy2UKbgXjcZ5MMkbS2WBSaqBFLSys\n" 228 "zHY0cFPCRh6K7d7vDvSG7lZT16lNFfagbvcO1uusQBD22gGvNOF2zZe377ECAwEA\n" 229 "AQKCAgA7Dm6JYUdt42XFGd5PwlkwRMhc1X3RuBwR5081ZQM5gyoJjQkroKy6WBrJ\n" 230 "KmXFV2DfgAiY26MV+tdpDAoKrIoe1CkDlAjrOffk/ku9Shx26oclwbaC+SzBFY2T\n" 231 "aeA63nKtSahyaeEtarHOpsDu9nbIL/3YtB3le9ZXd1/f2HKE/ubdipsJdeATQTY4\n" 232 "kPGmE5WTH0P8MsfNl38G3nPrmnHwbP2Ywy1qnoeajhVUgknBevwNuqYfoKcx24qb\n" 233 "yYqit63+qLCPtiRuY1qzU+mqZ3JTDCe3Gxp4OcsCD8oO3yConAXkMXQqsA3c16wh\n" 234 "IuFGMsndbx+7/YILEI3y+UekD/IvBmLAtX0X5fQEhHm/8SowHAe5XIOTWGnTjXrF\n" 235 "JhGwsRuQtSXJPhTVAeR07IrPAASVp0BeppBdHv0pUkOte/usYH3PhYGLuQJIbOHi\n" 236 "AvDZDE/6CVszXFU7Ry3QpIZ4aQQMGGOJg1LVhNnt7br7ZZJ2mU5BOOvgdcNACcR8\n" 237 "+sCD2DE3dD6Nxy5rGESHSqYDyedd3KJ7wPlBO6p6KUttgwWtZDXh940kGxcnEQtQ\n" 238 "HAnHOxCJU+cxj9ekxoNHcTjqCEGkL7jy013soG4yrw62vMsVKHxEUqo/uaBSI7Nd\n" 239 "h+JiHb/mQ/sGvQcaAlJTnX7kUfy+oPi0nL3Hz97CxwcWSFFmIQKCAQEA8AiKO13n\n" 240 "0FjMGZJHXeu73Rg/OvQBSSE8Fco/watnEKKzRPIXUdYgjxL8fH7jFwV7Ix941ddG\n" 241 "2RcY7zchbMAP95xfeYUlrHyxbgNjWWIFezaattrCn8Sw52SXNcsT2bGuaNmyVmHs\n" 242 "gwyIDCl+1cPArhcuCun8MszsSy5W0EPwsaCqDnPinTE0lSsj0MWpR4K7+m4OOmA1\n" 243 "zwqQ9j/pgvP8is7YeTEb1a7JtVAD+4nCd7XnzUuun2Qw5jaCGFJKZGEwqeSUQZS6\n" 244 "NAuQ0OTaw8m3qb7incS9tZahWLACLfT4Jrrfh9Is2pFVgQstzin9dpfLrWKeBRGP\n" 245 "D3ItA73haE/xjQKCAQEAwrova9Epg5ylKReKCTMZREDO1PTbHXRS7GrgNN1Sy1Ne\n" 246 "Ke3UjEowJMMINekYEJimuGLixl50K0a6T5lQoUQY6dYHeZEQ4YSN3lPWtgbuZEtI\n" 247 "OlSrsw9/duT55gVPiRsZTiHjM1mYVEtAeUxHH/PVoSjPY4V1OKWA3HJ/TtgP1JEN\n" 248 "scdIdIXP1HZnjxxN4juVHyr1+iC2KXbb/OajXFMUCPkp7YrlknDyYcgj2uXRqC3k\n" 249 "ju3oBplcEnNrWO6RfqQ+QYv87huPXV5sHXzjNBj9ssHwn+EYxwpne+LvMfg3E5l1\n" 250 "o7Yl40IfHKK85ts8qwjG6tJ3TUxAUrMPSKBLbbODtQKCAQEAxJWZ8Kkl8+LltYOx\n" 251 "41/vilITZwr0CpqnhQkRUmI4lM1LmQnUw3dlTwgztRqOjgo1ITzjT+9x3NYn27MB\n" 252 "MvnRme992h6MDkpJXlp0AX5gEttTtrJPd141rC0cEjhx13bH6qNwhYLJm0KmIZ/S\n" 253 "euxJX8soMFQV8t0WITSgcQ1TkYaOACw0ypzD/e9I8/EOhLyzi5SbHoAxUZHLy4Ho\n" 254 "kxGUIXLqo8bujwEJve78dAQNOtHGOMLlDzGVQtYdkiHDP5bBrkLAkT1nirx2LD9i\n" 255 "U7tfKixlmOTKom/tUJ9GCbF5ku61p50gkxk4N+mZ6CFHrtr/Os9rr6cDzZiq+UeH\n" 256 "1lCy+QKCAQEAhjYxTQyConWq2CGjQCf5+DL624hQJYLxTIV1Nrp8wCsbsaZ8Yp0X\n" 257 "hZ7u38lijr3H2zo8tyCOzO0YqJgxHJWE3lZoHH/BtM3Zwizixd8NHA9PHvUQyn+a\n" 258 "COZU3xc19He6/0EYCWJtPVwIehH6y6kRytwH5L4tRve7UzWPTVZZwtafK7MA218H\n" 259 "GZbqVZbaj10lsK+5jcZSB04m3a5RVebk3jJtlY2wITi7tm1tWQghctr+twx+aV32\n" 260 "OblXeZokqbamOiM0FyDjtSTJO6HCLzwyT6ygHnHU1Ar1vEtzNWuw+k9A5685eeMu\n" 261 "8luv+yWMMQ4BnAOnup0dkGJd3F6u3lNmKQKCAQEAkZKTi4g+AKGikU9JuKOTF2UH\n" 262 "DdolZK/pXfWRIzpyC5cxiwnHhpqtl4jRrNSVSXWo/ChdtxhGv+8FNO+G8wQr0I0K\n" 263 "iWF4qWU/q7vbjWuE8mDrWfaCWM3IwEoMQ7Ub+gTf2JzQG0t0oSgJ70uaYxxm2x7U\n" 264 "eBnblzZ6ODG7jgq2WX9S8/JzTvqrtlVDmdPUJlsIymRiDHt+zDAh4kv0aRUJQVWy\n" 265 "cCd1rWSl2BnCgrLi0Ez5k5EuOW7v3TIFWI6AXAa5kshG3Q5du/TtPLSyqJZu2UCx\n" 266 "3LprECmh9aJmE8KZL3R5ClSqkzVjuOUj56y63vSiV1B7kTbTnT7G+sJwwgxvyA==\n" 267 "-----END RSA PRIVATE KEY-----\n"; 268 269 static constexpr char VALID_CERT2[] = 270 "-----BEGIN CERTIFICATE-----\n" 271 "MIIF+jCCA+KgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT\n" 272 "MRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxTYW5kc3Rvcm0uaW8xGzAZ\n" 273 "BgNVBAsMElRlc3RpbmcgRGVwYXJ0bWVudDEbMBkGA1UEAwwSaW50LWNhLmV4YW1w\n" 274 "bGUuY29tMSIwIAYJKoZIhvcNAQkBFhNnYXJwbHlAc2FuZHN0b3JtLmlvMCAXDTIw\n" 275 "MDYyNzAwNDI1M1oYDzIxMjAwNjI3MDA0MjUzWjCBkDELMAkGA1UEBhMCVVMxEzAR\n" 276 "BgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoMDFNhbmRzdG9ybS5pbzEbMBkGA1UE\n" 277 "CwwSVGVzdGluZyBEZXBhcnRtZW50MRQwEgYDVQQDDAtleGFtcGxlLm5ldDEiMCAG\n" 278 "CSqGSIb3DQEJARYTZ2FycGx5QHNhbmRzdG9ybS5pbzCCAiIwDQYJKoZIhvcNAQEB\n" 279 "BQADggIPADCCAgoCggIBALaVC2wVXHj+VEz/AKv6meM7sLNJoH0Ws5RRQ859EqcS\n" 280 "kYH1ETqwwfBDHH3y/iMVmHc7M2J5u0eKfLnUB7anV9ZviaVjyHBMjhrihIxBhlQW\n" 281 "37XohrwmWh5poUhhbgbkUJ7JjjDdrF+AEz4CEnlKSs92HBMOc2xlfV73kAQogmWC\n" 282 "ThGNkas7s38Jju+jX/9KULRWjer4xzhjqeXusRFlDTK7pYsPN/wWJrThNAh/UJi0\n" 283 "ouXf7DjLKaV1XbsFLIR79oMKHFxYpOBVIQzCo386e9br0S6gJ6bH+rubkoV8KoGp\n" 284 "qIUHLYfQ9MeSjKE8JX+y51ednSeBadJ6eBWJDYSScajF4ybs1uB6h8rf883pYV2r\n" 285 "ysj8n1xppER80CwGjswzft6lwbwK7m2GqbsvwhdZ/w4fTr3BifLytsLWoRooNlq8\n" 286 "IeZNHmRIkH5BbVyoVZsTYHBBK+nKCDwD3vPNhdB61oDOYf4bkudDAuTlso5wMkme\n" 287 "y/0I9O4w3zXIo9cmo5r+GobC/BSOIWpfJNw0l3tzA5wMJgcSoPm/ylFjYrnHSJ2V\n" 288 "Gde3Oe+uWkKHiD2RVQaAEK4BRSzxN9cAu0sKzLijIctlCm4F43GeTDJG0tlgUmqg\n" 289 "RS0srMx2NHBTwkYeiu3e7w70hu5WU9epTRX2oG73DtbrrEAQ9toBrzThds2Xt++x\n" 290 "AgMBAAGjUzBRMB0GA1UdDgQWBBSCVMitc7axjQ0JObyQ7SoZ15v41jAfBgNVHSME\n" 291 "GDAWgBTZxw81mTQuaT+p41J39QTF7kCp5zAPBgNVHRMBAf8EBTADAQH/MA0GCSqG\n" 292 "SIb3DQEBCwUAA4ICAQAGqI+GGbSHkV9C16OLKgujS17zAJDuMeUZVoUvsh0oj7hK\n" 293 "QwuJ6M6VIWZXk0Ccs/TbtQgyUtt98HY/M5LYjvuB3jb348TvYvBg1un6DC1LNFnw\n" 294 "x19eUvwxhoI0I9A/heD6251plaXl0rk+wmTn+gqHNswb0LZw7l8XclOQ8s13/Ei3\n" 295 "fD4P5N3LiXaPfcXzFtEvWJE1ONC/PvLfwWWE2T+/LabJ4I4iumX8oAJZyx9BCE09\n" 296 "54/0cV1V6xjp31/CS7vkYtDMeREnydwC3PsjjzO18nM0GVw6R2eok/yvD2Rg/pqJ\n" 297 "CiscKswcy0OR42pCzJyAwHaXV0KZEG9E97ukiqh3ByBUfR0ZwkKv7tDaL7UQiXdF\n" 298 "sheJ3l8TyQNcuWljjm1MWJt9ZzZt5zE4+yes4YVDNNe9l2jIoT8641pcy2MmPOdJ\n" 299 "8pEE3xJ2SAdeJKVXuHoi7glzmlK1O5nSNK3GIfKRwJ2hmIXSAoMPfpwtJWdJDNGZ\n" 300 "N2HThXDMleMrJqwsdToRCp0nBm40cKSDk/o7SfiE7z4e1EVDAFBlWl5SAq9Pqwh5\n" 301 "lBlsQXd5SbzWGyVk7BjtT3ttbXru9NEINo1l9Cw74GQuW40FsQf4drZVDVtaNWPd\n" 302 "IvZM211bcU/zZV44rkz3nc08jSGo2qP8bEcuYAlTneDLyrAmpisUXKYm1Q1SxA==\n" 303 "-----END CERTIFICATE-----\n"; 304 305 static constexpr char EXPIRED_CERT[] = 306 "-----BEGIN CERTIFICATE-----\n" 307 "MIIF+DCCA+CgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT\n" 308 "MRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxTYW5kc3Rvcm0uaW8xGzAZ\n" 309 "BgNVBAsMElRlc3RpbmcgRGVwYXJ0bWVudDEbMBkGA1UEAwwSaW50LWNhLmV4YW1w\n" 310 "bGUuY29tMSIwIAYJKoZIhvcNAQkBFhNnYXJwbHlAc2FuZHN0b3JtLmlvMB4XDTE2\n" 311 "MDEwMTAwMDAwMFoXDTE2MDEwMTAwMDAwMFowgZAxCzAJBgNVBAYTAlVTMRMwEQYD\n" 312 "VQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxTYW5kc3Rvcm0uaW8xGzAZBgNVBAsM\n" 313 "ElRlc3RpbmcgRGVwYXJ0bWVudDEUMBIGA1UEAwwLZXhhbXBsZS5jb20xIjAgBgkq\n" 314 "hkiG9w0BCQEWE2dhcnBseUBzYW5kc3Rvcm0uaW8wggIiMA0GCSqGSIb3DQEBAQUA\n" 315 "A4ICDwAwggIKAoICAQDM7r8cYnjo8iiBkk/F9ITp4e6oTUm8Lx5pII4qmpt8awgc\n" 316 "9+Hx35MVq0N7gYXgHphhibGklQ3znBkL7oZMDvF4z1S5uyyLB8AIT+x7mUkDRJJt\n" 317 "ej1JeQTmwj8szs0Dr6Hc9OaguXB25YeHq3Adtx9wlS1I5Il6YItSpk6JJD4IZbZH\n" 318 "MQXTVIz946ak32C2ZV6MPvA7Ei1uNf8MMT8gq/rFDYbVFjESmCAKc1CNmPhHS6ug\n" 319 "3ou0zuGJB5u55ezcp9UgRwRX2hd9N/a0jgbc1Of0wlS9lA0gxRU62OXxSYsd+TdP\n" 320 "0dx4v9EzSy9Yg9Y2hQnEDqbi7iD0PR4QPZbRyEp7zq0XrlFFge881Bdl/60bvDK9\n" 321 "Eo949YiUTMgCBdbZbBcS/MW+9Gd9fWZh5YDsqHJFpVwKn0fSLlk/QvwTZGy9h37Z\n" 322 "AybOvGR4zTUowlJMC1SGrJ01ofl3OWnxRda+hMUsCHgXvjg6N07KMeqhNmLWiH6K\n" 323 "qxzeji1ZAXdjOmOFqs/eaeAaP5gOn9k3oXxB0VBT6I0UrHpoNGCcqb6uLT/JMMxD\n" 324 "cbXhtD0U2YtHAH5blQj07L3fUnHFxbsvGdxseADfbr75sPUJ0tfLE6+kcrjQHl/3\n" 325 "OyCb3zTF2MFwuvajScYCxn1Xv1rQE2qO8MDcOOZcEZNjElKkwZ+Kk/kps/aGXQID\n" 326 "AQABo1MwUTAdBgNVHQ4EFgQUXaT1S4zJyRbO5QrTFusd/Vp8Ld0wHwYDVR0jBBgw\n" 327 "FoAU2ccPNZk0Lmk/qeNSd/UExe5AqecwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG\n" 328 "9w0BAQsFAAOCAgEAYRQazCV707BpbBo3j2PXfg4rmrm1GIA0JXFsY27CII0aSgTw\n" 329 "roMBnwp3sJ+UIxqddkwf/4Bn/kq8yHu8WMc1cb4bzsqgU4K2zGJcVF3i9Y4R6oE1\n" 330 "9Y6QM1db5HYiCdXSNW5uZUQGButyIXsUfPns0jMZfmEhsW4WrN3m2qE357FeBfCF\n" 331 "nP4Ij3sbUq01OoPBL6sWUbltfL5PgqKitE6UFu1/WFpBatP+8ITOOLhkGmJ70zb1\n" 332 "rY3jnwlEaRJVw8DmIkkabrgKu2gUZ3qKX9aeW9iJW524A2ZjEg1xoBRq9MVcfiRN\n" 333 "qAERaEd7MgjIFmOYR5O2juzR3eMrv+U+JsY6K5ItTwwE/MHKjYRM22CgmQahPfvo\n" 334 "o40qLUn/zJNJAN+1hrmOqFXpC5vmfKV9pcG7BOsuZ9V9gkssnJRosCuU8iIW3gyo\n" 335 "C6TFLIneStvBzokoCTv0Fxxh/vqfIWmHYr7nsFM8S/X2iDLuCoiB6qsRw5NaOIg6\n" 336 "QB7cEi3sgBZU+eJDmynR3waIU0HGmj9DK8Tc2TMd5wvkBpJBkqqQkICVQ/u/g7up\n" 337 "swvT5Iap509sI4nmKqe9meN6m3xBSJrCNPTbjUyu7PuC/rBe7lVwnP5/PN/aj6ZU\n" 338 "XGyLwArQ/5GgT2sy3aEQQTtb+kthnZo7NL8nmkpoTbrm84DJ4dwkD4qc+hs=\n" 339 "-----END CERTIFICATE-----\n"; 340 341 static constexpr char SELF_SIGNED_CERT[] = 342 "-----BEGIN CERTIFICATE-----\n" 343 "MIIGLTCCBBWgAwIBAgIUIGB2OqfFvs22f6uTwFJwWKaLH+kwDQYJKoZIhvcNAQEL\n" 344 "BQAwgaQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQH\n" 345 "DAlQYWxvIEFsdG8xFTATBgNVBAoMDFNhbmRzdG9ybS5pbzEbMBkGA1UECwwSVGVz\n" 346 "dGluZyBEZXBhcnRtZW50MRQwEgYDVQQDDAtleGFtcGxlLmNvbTEiMCAGCSqGSIb3\n" 347 "DQEJARYTZ2FycGx5QHNhbmRzdG9ybS5pbzAgFw0yMDA2MjcwMDQyNTNaGA8yMTIw\n" 348 "MDYyNzAwNDI1M1owgaQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh\n" 349 "MRIwEAYDVQQHDAlQYWxvIEFsdG8xFTATBgNVBAoMDFNhbmRzdG9ybS5pbzEbMBkG\n" 350 "A1UECwwSVGVzdGluZyBEZXBhcnRtZW50MRQwEgYDVQQDDAtleGFtcGxlLmNvbTEi\n" 351 "MCAGCSqGSIb3DQEJARYTZ2FycGx5QHNhbmRzdG9ybS5pbzCCAiIwDQYJKoZIhvcN\n" 352 "AQEBBQADggIPADCCAgoCggIBAMzuvxxieOjyKIGST8X0hOnh7qhNSbwvHmkgjiqa\n" 353 "m3xrCBz34fHfkxWrQ3uBheAemGGJsaSVDfOcGQvuhkwO8XjPVLm7LIsHwAhP7HuZ\n" 354 "SQNEkm16PUl5BObCPyzOzQOvodz05qC5cHblh4ercB23H3CVLUjkiXpgi1KmTokk\n" 355 "PghltkcxBdNUjP3jpqTfYLZlXow+8DsSLW41/wwxPyCr+sUNhtUWMRKYIApzUI2Y\n" 356 "+EdLq6Dei7TO4YkHm7nl7Nyn1SBHBFfaF3039rSOBtzU5/TCVL2UDSDFFTrY5fFJ\n" 357 "ix35N0/R3Hi/0TNLL1iD1jaFCcQOpuLuIPQ9HhA9ltHISnvOrReuUUWB7zzUF2X/\n" 358 "rRu8Mr0Sj3j1iJRMyAIF1tlsFxL8xb70Z319ZmHlgOyockWlXAqfR9IuWT9C/BNk\n" 359 "bL2HftkDJs68ZHjNNSjCUkwLVIasnTWh+Xc5afFF1r6ExSwIeBe+ODo3Tsox6qE2\n" 360 "YtaIfoqrHN6OLVkBd2M6Y4Wqz95p4Bo/mA6f2TehfEHRUFPojRSsemg0YJypvq4t\n" 361 "P8kwzENxteG0PRTZi0cAfluVCPTsvd9SccXFuy8Z3Gx4AN9uvvmw9QnS18sTr6Ry\n" 362 "uNAeX/c7IJvfNMXYwXC69qNJxgLGfVe/WtATao7wwNw45lwRk2MSUqTBn4qT+Smz\n" 363 "9oZdAgMBAAGjUzBRMB0GA1UdDgQWBBRdpPVLjMnJFs7lCtMW6x39Wnwt3TAfBgNV\n" 364 "HSMEGDAWgBRdpPVLjMnJFs7lCtMW6x39Wnwt3TAPBgNVHRMBAf8EBTADAQH/MA0G\n" 365 "CSqGSIb3DQEBCwUAA4ICAQDEEnq3/Yg0UL3d8z0EWXGnj5hbc8Cf9hj8J918aift\n" 366 "XhqQ+EU6BV1V7IsrUZ07Wkws7hgd7HpBgmSNQu9cIoSyjiS9je8KL9TqwmBaPNg3\n" 367 "jE31maqLHdLQfR0USYo7wp8cE7w/tojLwyhuwVEJR4IpVlfAgmD5HMhCX4vwZTUB\n" 368 "bkzsRtY56JRhNDO2ExY7QPFF4FhXLf8eZGqqk09FTpQemJFwZ2+MYlSOILrP4RL3\n" 369 "T9LW0EgymAjDUHT047xr5xPAjRUEplqT90bEsAp5D199m/c143tq3Cke/eQDWAR7\n" 370 "HVYmRmuOhwyqhkKfssZZvuq7Shm0u2vuOvfGhcW7JmukalrCixjitQmbOv1EJT0F\n" 371 "tQN61nRTUpnC37DEgtYpV8n+GgT1hWXDzC/0UNVOFIR26eX0kxZmqU6v+Rqz/qYe\n" 372 "NA2TXZ4YvL081QvPFOWVpodM6LLYw2cSGBCdfAdRE1ECoqzk5EgRBH5SrZnuebMG\n" 373 "V8aJsIRMI011QDEz69YJFzefI9WaawcHqfTWZoCeCBDNm0pEVqRbBAQ8E7IXfQUu\n" 374 "WjPbENMyTTp6+uRmQkmNJjv9HcvFUu+wyhFODBrZ4LEwFP+oWBGWqru28Se7b66H\n" 375 "ZvzKfQVXzYpEmhHHK2n5X1hNwSr0kb3QffVpbz3/TBIgQcOyBp/RnOY38pngfRw1\n" 376 "SQ==\n" 377 "-----END CERTIFICATE-----\n"; 378 379 // ======================================================================================= 380 381 class ErrorNexus { 382 // Helper class that wraps various promises such that if one throws an exception, they all do. 383 384 public: 385 ErrorNexus(): ErrorNexus(kj::newPromiseAndFulfiller<void>()) {} 386 387 template <typename T> 388 kj::Promise<T> wrap(kj::Promise<T>&& promise) { 389 return promise.catch_([this](kj::Exception&& e) -> kj::Promise<T> { 390 fulfiller->reject(kj::cp(e)); 391 return kj::mv(e); 392 }).exclusiveJoin(failurePromise.addBranch().then([]() -> T { KJ_UNREACHABLE; })); 393 } 394 395 private: 396 kj::ForkedPromise<void> failurePromise; 397 kj::Own<kj::PromiseFulfiller<void>> fulfiller; 398 399 ErrorNexus(kj::PromiseFulfillerPair<void> paf) 400 : failurePromise(kj::mv(paf.promise).fork()), 401 fulfiller(kj::mv(paf.fulfiller)) {} 402 }; 403 404 struct TlsTest { 405 kj::AsyncIoContext io = setupAsyncIo(); 406 TlsContext tlsClient; 407 TlsContext tlsServer; 408 409 TlsTest(TlsContext::Options clientOpts = defaultClient(), 410 TlsContext::Options serverOpts = defaultServer()) 411 : tlsClient(kj::mv(clientOpts)), 412 tlsServer(kj::mv(serverOpts)) {} 413 414 static TlsContext::Options defaultServer() { 415 static TlsKeypair keypair = { 416 TlsPrivateKey(HOST_KEY), 417 TlsCertificate(kj::str(VALID_CERT, INTERMEDIATE_CERT)) 418 }; 419 TlsContext::Options options; 420 options.defaultKeypair = keypair; 421 return options; 422 } 423 424 static TlsContext::Options defaultClient() { 425 static TlsCertificate caCert(CA_CERT); 426 TlsContext::Options options; 427 options.useSystemTrustStore = false; 428 options.trustedCertificates = kj::arrayPtr(&caCert, 1); 429 return options; 430 } 431 432 Promise<void> writeToServer(AsyncIoStream& client) { 433 return client.write("foo", 4); 434 } 435 436 Promise<void> readFromClient(AsyncIoStream& server) { 437 auto buf = heapArray<char>(4); 438 439 auto readPromise = server.read(buf.begin(), buf.size()); 440 441 auto checkBuffer = [buf = kj::mv(buf)]() { 442 KJ_ASSERT(kj::StringPtr(buf.begin(), buf.end()-1) == kj::StringPtr("foo")); 443 }; 444 445 return readPromise.then(kj::mv(checkBuffer)); 446 } 447 448 void testConnection(AsyncIoStream& client, AsyncIoStream& server) { 449 auto writePromise = writeToServer(client); 450 auto readPromise = readFromClient(server); 451 452 writePromise.wait(io.waitScope); 453 readPromise.wait(io.waitScope); 454 }; 455 }; 456 457 KJ_TEST("TLS basics") { 458 TlsTest test; 459 ErrorNexus e; 460 461 auto pipe = test.io.provider->newTwoWayPipe(); 462 463 auto clientPromise = e.wrap(test.tlsClient.wrapClient(kj::mv(pipe.ends[0]), "example.com")); 464 auto serverPromise = e.wrap(test.tlsServer.wrapServer(kj::mv(pipe.ends[1]))); 465 466 auto client = clientPromise.wait(test.io.waitScope); 467 auto server = serverPromise.wait(test.io.waitScope); 468 469 test.testConnection(*client, *server); 470 } 471 472 KJ_TEST("TLS peer identity") { 473 TlsTest test; 474 ErrorNexus e; 475 476 auto pipe = test.io.provider->newTwoWayPipe(); 477 478 auto innerClientId = kj::LocalPeerIdentity::newInstance({}); 479 auto& innerClientIdRef = *innerClientId; 480 auto clientPromise = e.wrap(test.tlsClient.wrapClient( 481 kj::AuthenticatedStream { kj::mv(pipe.ends[0]), kj::mv(innerClientId) }, 482 "example.com")); 483 484 auto innerServerId = kj::LocalPeerIdentity::newInstance({}); 485 auto& innerServerIdRef = *innerServerId; 486 auto serverPromise = e.wrap(test.tlsServer.wrapServer( 487 kj::AuthenticatedStream { kj::mv(pipe.ends[1]), kj::mv(innerServerId) })); 488 489 auto client = clientPromise.wait(test.io.waitScope); 490 auto server = serverPromise.wait(test.io.waitScope); 491 492 { 493 auto id = client.peerIdentity.downcast<TlsPeerIdentity>(); 494 KJ_ASSERT(id->hasCertificate()); 495 KJ_EXPECT(id->getCommonName() == "example.com"); 496 KJ_EXPECT(&id->getNetworkIdentity() == &innerClientIdRef); 497 KJ_EXPECT(id->toString() == "example.com"); 498 } 499 500 { 501 auto id = server.peerIdentity.downcast<TlsPeerIdentity>(); 502 KJ_EXPECT(!id->hasCertificate()); 503 KJ_EXPECT_THROW_RECOVERABLE_MESSAGE( 504 "client did not provide a certificate", id->getCommonName()); 505 KJ_EXPECT(&id->getNetworkIdentity() == &innerServerIdRef); 506 KJ_EXPECT(id->toString() == "(anonymous client)"); 507 } 508 509 test.testConnection(*client.stream, *server.stream); 510 } 511 512 KJ_TEST("TLS multiple messages") { 513 TlsTest test; 514 ErrorNexus e; 515 516 auto pipe = test.io.provider->newTwoWayPipe(); 517 518 auto clientPromise = e.wrap(test.tlsClient.wrapClient(kj::mv(pipe.ends[0]), "example.com")); 519 auto serverPromise = e.wrap(test.tlsServer.wrapServer(kj::mv(pipe.ends[1]))); 520 521 auto client = clientPromise.wait(test.io.waitScope); 522 auto server = serverPromise.wait(test.io.waitScope); 523 524 auto writePromise = client->write("foo", 3) 525 .then([&]() { return client->write("bar", 3); }); 526 527 char buf[4]; 528 buf[3] = '\0'; 529 530 server->read(&buf, 3).wait(test.io.waitScope); 531 KJ_ASSERT(kj::StringPtr(buf) == "foo"); 532 533 writePromise = writePromise 534 .then([&]() { return client->write("baz", 3); }); 535 536 server->read(&buf, 3).wait(test.io.waitScope); 537 KJ_ASSERT(kj::StringPtr(buf) == "bar"); 538 539 server->read(&buf, 3).wait(test.io.waitScope); 540 KJ_ASSERT(kj::StringPtr(buf) == "baz"); 541 542 auto readPromise = server->read(&buf, 3); 543 KJ_EXPECT(!readPromise.poll(test.io.waitScope)); 544 545 writePromise = writePromise 546 .then([&]() { return client->write("qux", 3); }); 547 548 readPromise.wait(test.io.waitScope); 549 KJ_ASSERT(kj::StringPtr(buf) == "qux"); 550 } 551 552 KJ_TEST("TLS zero-sized write") { 553 TlsTest test; 554 ErrorNexus e; 555 556 auto pipe = test.io.provider->newTwoWayPipe(); 557 558 auto clientPromise = e.wrap(test.tlsClient.wrapClient(kj::mv(pipe.ends[0]), "example.com")); 559 auto serverPromise = e.wrap(test.tlsServer.wrapServer(kj::mv(pipe.ends[1]))); 560 561 auto client = clientPromise.wait(test.io.waitScope); 562 auto server = serverPromise.wait(test.io.waitScope); 563 564 char buf[7]; 565 auto readPromise = server->read(&buf, 6); 566 567 client->write("", 0).wait(test.io.waitScope); 568 client->write("foo", 3).wait(test.io.waitScope); 569 client->write("", 0).wait(test.io.waitScope); 570 client->write("bar", 3).wait(test.io.waitScope); 571 572 readPromise.wait(test.io.waitScope); 573 buf[6] = '\0'; 574 575 KJ_ASSERT(kj::StringPtr(buf) == "foobar"); 576 } 577 578 kj::Promise<void> writeN(kj::AsyncIoStream& stream, kj::StringPtr text, size_t count) { 579 if (count == 0) return kj::READY_NOW; 580 --count; 581 return stream.write(text.begin(), text.size()) 582 .then([&stream, text, count]() { 583 return writeN(stream, text, count); 584 }); 585 } 586 587 kj::Promise<void> readN(kj::AsyncIoStream& stream, kj::StringPtr text, size_t count) { 588 if (count == 0) return kj::READY_NOW; 589 --count; 590 auto buf = kj::heapString(text.size()); 591 auto promise = stream.read(buf.begin(), buf.size()); 592 return promise.then(kj::mvCapture(buf, [&stream, text, count](kj::String buf) { 593 KJ_ASSERT(buf == text, buf, text, count); 594 return readN(stream, text, count); 595 })); 596 } 597 598 KJ_TEST("TLS full duplex") { 599 TlsTest test; 600 ErrorNexus e; 601 602 auto pipe = test.io.provider->newTwoWayPipe(); 603 604 #if _WIN32 605 // On Windows we observe that `writeUp`, below, completes before the other end has started 606 // reading, failing the `!writeUp.poll()` expectation. I guess Windows has big buffers. We can 607 // fix this by requesting small buffers here. (Worth keeping in mind that Windows doesn't have 608 // socketpairs, so `newTwoWayPipe()` is implemented in terms of loopback TCP, ugh.) 609 uint small = 256; 610 pipe.ends[0]->setsockopt(SOL_SOCKET, SO_SNDBUF, &small, sizeof(small)); 611 pipe.ends[0]->setsockopt(SOL_SOCKET, SO_RCVBUF, &small, sizeof(small)); 612 #endif 613 614 auto clientPromise = e.wrap(test.tlsClient.wrapClient(kj::mv(pipe.ends[0]), "example.com")); 615 auto serverPromise = e.wrap(test.tlsServer.wrapServer(kj::mv(pipe.ends[1]))); 616 617 auto client = clientPromise.wait(test.io.waitScope); 618 auto server = serverPromise.wait(test.io.waitScope); 619 620 auto writeUp = writeN(*client, "foo", 10000); 621 auto readDown = readN(*client, "bar", 10000); 622 KJ_EXPECT(!writeUp.poll(test.io.waitScope)); 623 KJ_EXPECT(!readDown.poll(test.io.waitScope)); 624 625 auto writeDown = writeN(*server, "bar", 10000); 626 auto readUp = readN(*server, "foo", 10000); 627 628 readUp.wait(test.io.waitScope); 629 readDown.wait(test.io.waitScope); 630 writeUp.wait(test.io.waitScope); 631 writeDown.wait(test.io.waitScope); 632 } 633 634 class TestSniCallback: public TlsSniCallback { 635 public: 636 kj::Maybe<TlsKeypair> getKey(kj::StringPtr hostname) override { 637 ++callCount; 638 639 KJ_ASSERT(hostname == "example.com"); 640 return TlsKeypair { 641 TlsPrivateKey(HOST_KEY), 642 TlsCertificate(kj::str(VALID_CERT, INTERMEDIATE_CERT)) 643 }; 644 } 645 646 uint callCount = 0; 647 }; 648 649 KJ_TEST("TLS SNI") { 650 TlsContext::Options serverOptions; 651 TestSniCallback callback; 652 serverOptions.sniCallback = callback; 653 654 TlsTest test(TlsTest::defaultClient(), serverOptions); 655 ErrorNexus e; 656 657 auto pipe = test.io.provider->newTwoWayPipe(); 658 659 auto clientPromise = e.wrap(test.tlsClient.wrapClient(kj::mv(pipe.ends[0]), "example.com")); 660 auto serverPromise = e.wrap(test.tlsServer.wrapServer(kj::mv(pipe.ends[1]))); 661 662 auto client = clientPromise.wait(test.io.waitScope); 663 auto server = serverPromise.wait(test.io.waitScope); 664 665 test.testConnection(*client, *server); 666 667 KJ_ASSERT(callback.callCount == 1); 668 } 669 670 void expectInvalidCert(kj::StringPtr hostname, TlsCertificate cert, kj::StringPtr message) { 671 TlsKeypair keypair = { TlsPrivateKey(HOST_KEY), kj::mv(cert) }; 672 TlsContext::Options serverOpts; 673 serverOpts.defaultKeypair = keypair; 674 TlsTest test(TlsTest::defaultClient(), kj::mv(serverOpts)); 675 ErrorNexus e; 676 677 auto pipe = test.io.provider->newTwoWayPipe(); 678 679 auto clientPromise = e.wrap(test.tlsClient.wrapClient(kj::mv(pipe.ends[0]), hostname)); 680 auto serverPromise = e.wrap(test.tlsServer.wrapServer(kj::mv(pipe.ends[1]))); 681 682 KJ_EXPECT_THROW_MESSAGE(message, clientPromise.wait(test.io.waitScope)); 683 } 684 685 KJ_TEST("TLS certificate validation") { 686 expectInvalidCert("wrong.com", TlsCertificate(kj::str(VALID_CERT, INTERMEDIATE_CERT)), 687 "Hostname mismatch"); 688 expectInvalidCert("example.com", TlsCertificate(VALID_CERT), 689 "unable to get local issuer certificate"); 690 expectInvalidCert("example.com", TlsCertificate(kj::str(EXPIRED_CERT, INTERMEDIATE_CERT)), 691 "certificate has expired"); 692 expectInvalidCert("example.com", TlsCertificate(SELF_SIGNED_CERT), 693 "self signed certificate"); 694 } 695 696 // BoringSSL seems to print error messages differently. 697 #ifdef OPENSSL_IS_BORINGSSL 698 #define SSL_MESSAGE(interesting, boring) boring 699 #else 700 #define SSL_MESSAGE(interesting, boring) interesting 701 #endif 702 703 KJ_TEST("TLS client certificate verification") { 704 TlsContext::Options serverOptions = TlsTest::defaultServer(); 705 TlsContext::Options clientOptions = TlsTest::defaultClient(); 706 707 serverOptions.verifyClients = true; 708 serverOptions.trustedCertificates = clientOptions.trustedCertificates; 709 710 // No certificate loaded in the client: fail 711 { 712 TlsTest test(clientOptions, serverOptions); 713 714 auto pipe = test.io.provider->newTwoWayPipe(); 715 716 auto clientPromise = test.tlsClient.wrapClient(kj::mv(pipe.ends[0]), "example.com") 717 .then([](kj::Own<kj::AsyncIoStream> stream) { 718 auto promise = stream->readAllBytes(); 719 return promise.attach(kj::mv(stream)); 720 }); 721 auto serverPromise = test.tlsServer.wrapServer(kj::mv(pipe.ends[1])); 722 723 KJ_EXPECT_THROW_MESSAGE( 724 SSL_MESSAGE("peer did not return a certificate", 725 "PEER_DID_NOT_RETURN_A_CERTIFICATE"), 726 serverPromise.wait(test.io.waitScope)); 727 #if !KJ_NO_EXCEPTIONS // if exceptions are disabled, we're now in a bad state because 728 // KJ_EXPECT_THROW_MESSAGE() runs in a forked child process. 729 KJ_EXPECT_THROW_MESSAGE( 730 SSL_MESSAGE("alert", // "alert handshake failure" or "alert certificate required" 731 "ALERT"), // "ALERT_HANDSHAKE_FAILURE" or "ALERT_CERTIFICATE_REQUIRED" 732 clientPromise.wait(test.io.waitScope)); 733 #endif 734 } 735 736 // Self-signed certificate loaded in the client: fail 737 TlsKeypair selfSignedKeypair = { TlsPrivateKey(HOST_KEY), TlsCertificate(SELF_SIGNED_CERT) }; 738 clientOptions.defaultKeypair = selfSignedKeypair; 739 { 740 TlsTest test(clientOptions, serverOptions); 741 742 auto pipe = test.io.provider->newTwoWayPipe(); 743 744 auto clientPromise = test.tlsClient.wrapClient(kj::mv(pipe.ends[0]), "example.com") 745 .then([](kj::Own<kj::AsyncIoStream> stream) { 746 auto promise = stream->readAllBytes(); 747 return promise.attach(kj::mv(stream)); 748 }); 749 auto serverPromise = test.tlsServer.wrapServer(kj::mv(pipe.ends[1])); 750 751 KJ_EXPECT_THROW_MESSAGE( 752 SSL_MESSAGE("certificate verify failed", 753 "CERTIFICATE_VERIFY_FAILED"), 754 serverPromise.wait(test.io.waitScope)); 755 #if !KJ_NO_EXCEPTIONS // if exceptions are disabled, we're now in a bad state because 756 // KJ_EXPECT_THROW_MESSAGE() runs in a forked child process. 757 KJ_EXPECT_THROW_MESSAGE( 758 SSL_MESSAGE("alert unknown ca", 759 "TLSV1_ALERT_UNKNOWN_CA"), 760 clientPromise.wait(test.io.waitScope)); 761 #endif 762 } 763 764 // Trusted certificate loaded in the client: success. 765 TlsKeypair altKeypair = { 766 TlsPrivateKey(HOST_KEY2), 767 TlsCertificate(kj::str(VALID_CERT2, INTERMEDIATE_CERT)) 768 }; 769 clientOptions.defaultKeypair = altKeypair; 770 { 771 TlsTest test(clientOptions, serverOptions); 772 ErrorNexus e; 773 774 auto pipe = test.io.provider->newTwoWayPipe(); 775 776 auto clientPromise = e.wrap(test.tlsClient.wrapClient(kj::mv(pipe.ends[0]), "example.com")); 777 auto serverPromise = e.wrap(test.tlsServer.wrapServer( 778 kj::AuthenticatedStream { kj::mv(pipe.ends[1]), kj::UnknownPeerIdentity::newInstance() })); 779 780 auto client = clientPromise.wait(test.io.waitScope); 781 auto server = serverPromise.wait(test.io.waitScope); 782 783 auto id = server.peerIdentity.downcast<TlsPeerIdentity>(); 784 KJ_ASSERT(id->hasCertificate()); 785 KJ_EXPECT(id->getCommonName() == "example.net"); 786 787 test.testConnection(*client, *server.stream); 788 } 789 790 // If verifyClients is off, client certificate is ignored, even if trusted. 791 serverOptions.verifyClients = false; 792 { 793 TlsTest test(clientOptions, serverOptions); 794 ErrorNexus e; 795 796 auto pipe = test.io.provider->newTwoWayPipe(); 797 798 auto clientPromise = e.wrap(test.tlsClient.wrapClient(kj::mv(pipe.ends[0]), "example.com")); 799 auto serverPromise = e.wrap(test.tlsServer.wrapServer( 800 kj::AuthenticatedStream { kj::mv(pipe.ends[1]), kj::UnknownPeerIdentity::newInstance() })); 801 802 auto client = clientPromise.wait(test.io.waitScope); 803 auto server = serverPromise.wait(test.io.waitScope); 804 805 auto id = server.peerIdentity.downcast<TlsPeerIdentity>(); 806 KJ_EXPECT(!id->hasCertificate()); 807 } 808 809 // Non-trusted keys are ignored too (not errors). 810 clientOptions.defaultKeypair = selfSignedKeypair; 811 { 812 TlsTest test(clientOptions, serverOptions); 813 ErrorNexus e; 814 815 auto pipe = test.io.provider->newTwoWayPipe(); 816 817 auto clientPromise = e.wrap(test.tlsClient.wrapClient(kj::mv(pipe.ends[0]), "example.com")); 818 auto serverPromise = e.wrap(test.tlsServer.wrapServer( 819 kj::AuthenticatedStream { kj::mv(pipe.ends[1]), kj::UnknownPeerIdentity::newInstance() })); 820 821 auto client = clientPromise.wait(test.io.waitScope); 822 auto server = serverPromise.wait(test.io.waitScope); 823 824 auto id = server.peerIdentity.downcast<TlsPeerIdentity>(); 825 KJ_EXPECT(!id->hasCertificate()); 826 } 827 } 828 829 class MockConnectionReceiver final: public ConnectionReceiver { 830 // This connection receiver allows mocked async connection establishment without the network. 831 832 struct ClientRequest { 833 Maybe<Exception> maybeException; 834 Own<PromiseFulfiller<Own<AsyncIoStream>>> clientFulfiller; 835 }; 836 837 public: 838 MockConnectionReceiver(AsyncIoProvider& provider): provider(provider) {} 839 840 Promise<Own<AsyncIoStream>> accept() override { 841 return acceptImpl(); 842 } 843 844 Promise<AuthenticatedStream> acceptAuthenticated() override { 845 return acceptImpl().then([](auto stream) -> AuthenticatedStream { 846 return { kj::mv(stream), LocalPeerIdentity::newInstance({}) }; 847 }); 848 } 849 850 uint getPort() override { 851 return 0; 852 } 853 void getsockopt(int, int, void*, uint*) override {} 854 void setsockopt(int, int, const void*, uint) override {} 855 856 Promise<Own<AsyncIoStream>> connect() { 857 // Mock a new successful connection to our receiver. 858 return connectImpl(); 859 } 860 861 Promise<void> badConnect() { 862 // Mock a new failed connection to our receiver. 863 return connectImpl(KJ_EXCEPTION(DISCONNECTED, "Pipes are leaky")).ignoreResult(); 864 } 865 866 private: 867 Promise<Own<AsyncIoStream>> acceptImpl() { 868 if (clientRequests.empty()) { 869 KJ_ASSERT(!serverFulfiller); 870 auto paf = newPromiseAndFulfiller<void>(); 871 serverFulfiller = kj::mv(paf.fulfiller); 872 return paf.promise.then([this] { 873 return acceptImpl(); 874 }); 875 } 876 877 // This is accepting in FILO order, it shouldn't matter in practice. 878 auto request = kj::mv(clientRequests.back()); 879 clientRequests.removeLast(); 880 881 KJ_IF_MAYBE(exception, kj::mv(request.maybeException)) { 882 request.clientFulfiller = nullptr; // The other end had an issue, break the promise. 883 return kj::mv(*exception); 884 } else { 885 auto pipe = provider.newTwoWayPipe(); 886 request.clientFulfiller->fulfill(kj::mv(pipe.ends[0])); 887 return kj::mv(pipe.ends[1]); 888 } 889 } 890 891 Promise<Own<AsyncIoStream>> connectImpl(Maybe<Exception> maybeException = nullptr) { 892 auto paf = newPromiseAndFulfiller<Own<AsyncIoStream>>(); 893 clientRequests.add(ClientRequest{ kj::mv(maybeException), kj::mv(paf.fulfiller) }); 894 895 if (auto fulfiller = kj::mv(serverFulfiller)) { 896 fulfiller->fulfill(); 897 } 898 899 return kj::mv(paf.promise); 900 } 901 902 AsyncIoProvider& provider; 903 904 Own<PromiseFulfiller<void>> serverFulfiller; 905 Vector<ClientRequest> clientRequests; 906 }; 907 908 class TlsReceiverTest final: public TlsTest { 909 // TlsReceiverTest augments TlsTest to test TlsConnectionReceiver. 910 public: 911 TlsReceiverTest(): TlsTest() { 912 auto baseReceiverPtr = kj::heap<MockConnectionReceiver>(*io.provider); 913 baseReceiver = baseReceiverPtr.get(); 914 receiver = tlsServer.wrapPort(kj::mv(baseReceiverPtr)); 915 } 916 917 TlsReceiverTest(TlsReceiverTest&&) = delete; 918 TlsReceiverTest(const TlsReceiverTest&) = delete; 919 TlsReceiverTest& operator=(TlsReceiverTest&&) = delete; 920 TlsReceiverTest& operator=(const TlsReceiverTest&) = delete; 921 922 Own<ConnectionReceiver> receiver; 923 MockConnectionReceiver* baseReceiver; 924 }; 925 926 KJ_TEST("TLS receiver basics") { 927 TlsReceiverTest test; 928 929 auto clientPromise = test.baseReceiver->connect().then([&](auto stream) { 930 return test.tlsClient.wrapClient(kj::mv(stream), "example.com"); 931 }); 932 auto serverPromise = test.receiver->accept(); 933 934 auto client = clientPromise.wait(test.io.waitScope); 935 auto server = serverPromise.wait(test.io.waitScope); 936 937 test.testConnection(*client, *server); 938 } 939 940 KJ_TEST("TLS receiver experiences pre-TLS error") { 941 TlsReceiverTest test; 942 943 KJ_LOG(INFO, "Accepting before a bad connect"); 944 auto promise = test.receiver->accept(); 945 946 KJ_LOG(INFO, "Disappointing our server"); 947 test.baseReceiver->badConnect(); 948 949 // Can't use KJ_EXPECT_THROW_RECOVERABLE_MESSAGE because wait() that returns a value can't throw 950 // recoverable exceptions. Can't use KJ_EXPECT_THROW_MESSAGE because non-recoverable exceptions 951 // will fork() in -fno-exception which screws up our state. 952 promise.then([](auto) { 953 KJ_FAIL_EXPECT("expected exception"); 954 }, [](kj::Exception&& e) { 955 KJ_EXPECT(e.getDescription() == "Pipes are leaky"); 956 }).wait(test.io.waitScope); 957 958 KJ_LOG(INFO, "Trying to load a promise after failure"); 959 test.receiver->accept().then([](auto) { 960 KJ_FAIL_EXPECT("expected exception"); 961 }, [](kj::Exception&& e) { 962 KJ_EXPECT(e.getDescription() == "Pipes are leaky"); 963 }).wait(test.io.waitScope); 964 } 965 966 KJ_TEST("TLS receiver accepts multiple clients") { 967 TlsReceiverTest test; 968 969 auto wrapClient = [&](auto stream) { 970 return test.tlsClient.wrapClient(kj::mv(stream), "example.com"); 971 }; 972 973 auto writeToServer = [&](auto client) { 974 return test.writeToServer(*client).attach(kj::mv(client)); 975 }; 976 977 auto readFromClient = [&](auto server) { 978 return test.readFromClient(*server).attach(kj::mv(server)); 979 }; 980 981 KJ_LOG(INFO, "Requesting a bunch of client connects"); 982 constexpr auto kClientCount = 20; 983 auto clientPromises = Vector<Promise<void>>(); 984 for (auto i = 0; i < kClientCount; ++i) { 985 auto clientPromise = test.baseReceiver->connect().then(wrapClient).then(writeToServer); 986 clientPromises.add(kj::mv(clientPromise)); 987 } 988 989 KJ_LOG(INFO, "Requesting and resolving a bunch of server accepts in sequence"); 990 for (auto i = 0; i < kClientCount; ++i) { 991 // Resolve each receive in sequence like the Supervisor/Network. 992 test.receiver->accept().then(readFromClient).wait(test.io.waitScope); 993 } 994 995 KJ_LOG(INFO, "Resolving all of our client connects in parallel"); 996 joinPromises(clientPromises.releaseAsArray()).wait(test.io.waitScope); 997 998 KJ_LOG(INFO, "Requesting one last server accept that we'll never resolve"); 999 auto extraAcceptPromise = test.receiver->accept().then(readFromClient); 1000 KJ_EXPECT(!extraAcceptPromise.poll(test.io.waitScope)); 1001 } 1002 1003 KJ_TEST("TLS receiver does not stall on client that disconnects before ssl handshake") { 1004 TlsReceiverTest test; 1005 1006 auto wrapClient = [&](auto stream) { 1007 return test.tlsClient.wrapClient(kj::mv(stream), "example.com"); 1008 }; 1009 1010 auto writeToServer = [&](auto client) { 1011 return test.writeToServer(*client).attach(kj::mv(client)); 1012 }; 1013 1014 auto readFromClient = [&](auto server) { 1015 return test.readFromClient(*server).attach(kj::mv(server)); 1016 }; 1017 1018 constexpr auto kClientCount = 20; 1019 auto clientPromises = Vector<Promise<void>>(); 1020 1021 KJ_LOG(INFO, "Requesting the first batch of client connects in parallel"); 1022 for (auto i = 0; i < kClientCount / 2; ++i) { 1023 auto clientPromise = test.baseReceiver->connect().then(wrapClient).then(writeToServer); 1024 clientPromises.add(kj::mv(clientPromise)); 1025 } 1026 1027 KJ_LOG(INFO, "Requesting and resolving a client connect that hangs up before ssl connect"); 1028 KJ_ASSERT(test.baseReceiver->connect().wait(test.io.waitScope)); 1029 1030 KJ_LOG(INFO, "Requesting the second batch of client connects in parallel"); 1031 for (auto i = 0; i < kClientCount / 2; ++i) { 1032 auto clientPromise = test.baseReceiver->connect().then(wrapClient).then(writeToServer); 1033 clientPromises.add(kj::mv(clientPromise)); 1034 } 1035 1036 KJ_LOG(INFO, "Requesting and resolving a bunch of server accepts in sequence"); 1037 for (auto i = 0; i < kClientCount; ++i) { 1038 test.receiver->accept().then(readFromClient).wait(test.io.waitScope); 1039 } 1040 1041 KJ_LOG(INFO, "Resolving all of our client connects in parallel"); 1042 joinPromises(clientPromises.releaseAsArray()).wait(test.io.waitScope); 1043 1044 KJ_LOG(INFO, "Requesting one last server accept that we'll never resolve"); 1045 auto extraAcceptPromise = test.receiver->accept().then(readFromClient); 1046 KJ_EXPECT(!extraAcceptPromise.poll(test.io.waitScope)); 1047 } 1048 1049 KJ_TEST("TLS receiver does not stall on hung client") { 1050 TlsReceiverTest test; 1051 1052 auto wrapClient = [&](auto stream) { 1053 return test.tlsClient.wrapClient(kj::mv(stream), "example.com"); 1054 }; 1055 1056 auto writeToServer = [&](auto client) { 1057 return test.writeToServer(*client).attach(kj::mv(client)); 1058 }; 1059 1060 auto readFromClient = [&](auto server) { 1061 return test.readFromClient(*server).attach(kj::mv(server)); 1062 }; 1063 1064 constexpr auto kClientCount = 20; 1065 auto clientPromises = Vector<Promise<void>>(); 1066 1067 KJ_LOG(INFO, "Requesting the first batch of client connects in parallel"); 1068 for (auto i = 0; i < kClientCount / 2; ++i) { 1069 auto clientPromise = test.baseReceiver->connect().then(wrapClient).then(writeToServer); 1070 clientPromises.add(kj::mv(clientPromise)); 1071 } 1072 1073 KJ_LOG(INFO, "Requesting and resolving a client connect that never does ssl connect"); 1074 auto hungClient = test.baseReceiver->connect().wait(test.io.waitScope); 1075 KJ_ASSERT(hungClient); 1076 1077 KJ_LOG(INFO, "Requesting the second batch of client connects in parallel"); 1078 for (auto i = 0; i < kClientCount / 2; ++i) { 1079 auto clientPromise = test.baseReceiver->connect().then(wrapClient).then(writeToServer); 1080 clientPromises.add(kj::mv(clientPromise)); 1081 } 1082 1083 KJ_LOG(INFO, "Requesting and resolving a bunch of server accepts in sequence"); 1084 for (auto i = 0; i < kClientCount; ++i) { 1085 test.receiver->accept().then(readFromClient).wait(test.io.waitScope); 1086 } 1087 1088 KJ_LOG(INFO, "Resolving all of our client connects in parallel"); 1089 joinPromises(clientPromises.releaseAsArray()).wait(test.io.waitScope); 1090 1091 KJ_LOG(INFO, "Releasing the hung client"); 1092 hungClient = {}; 1093 1094 KJ_LOG(INFO, "Requesting one last server accept that we'll never resolve"); 1095 auto extraAcceptPromise = test.receiver->accept().then(readFromClient); 1096 KJ_EXPECT(!extraAcceptPromise.poll(test.io.waitScope)); 1097 } 1098 1099 #ifdef KJ_EXTERNAL_TESTS 1100 KJ_TEST("TLS to capnproto.org") { 1101 kj::AsyncIoContext io = setupAsyncIo(); 1102 TlsContext tls; 1103 1104 auto network = tls.wrapNetwork(io.provider->getNetwork()); 1105 auto addr = network->parseAddress("capnproto.org", 443).wait(io.waitScope); 1106 auto stream = addr->connect().wait(io.waitScope); 1107 1108 kj::StringPtr request = 1109 "HEAD / HTTP/1.1\r\n" 1110 "Host: capnproto.org\r\n" 1111 "Connection: close\r\n" 1112 "User-Agent: capnp-test/0.6\r\n" 1113 "\r\n"; 1114 1115 stream->write(request.begin(), request.size()).wait(io.waitScope); 1116 1117 char buffer[4096]; 1118 size_t n = stream->tryRead(buffer, sizeof(buffer) - 1, sizeof(buffer) - 1).wait(io.waitScope); 1119 buffer[n] = '\0'; 1120 kj::StringPtr response(buffer, n); 1121 1122 KJ_ASSERT(response.startsWith("HTTP/1.1 200 OK\r\n")); 1123 } 1124 #endif 1125 1126 } // namespace 1127 } // namespace kj 1128 1129 #endif // KJ_HAS_OPENSSL