Add rustls builder integration tests (#48)

Co-authored-by: Tony Arcieri <bascule@gmail.com>

Author: pinkforest

tests/builder.rs

@@ -0,0 +1,83 @@
+use std::sync::Arc;
+
+use rustls::ClientConfig as RusTlsClientConfig;
+use rustls::ServerConfig as RusTlsServerConfig;
+
+use rustls_rustcrypto::provider as rustcrypto_provider;
+
+mod fake_time;
+use fake_time::FakeTime;
+
+mod fake_cert_server_verifier;
+use fake_cert_server_verifier::FakeServerCertVerifier;
+
+mod fake_cert_client_verifier;
+use fake_cert_client_verifier::FakeClientCertVerifier;
+
+mod fake_cert_server_resolver;
+use fake_cert_server_resolver::FakeServerCertResolver;
+
+// Test integration between rustls and rustls in Client builder context
+#[test]
+fn integrate_client_builder_with_details_fake() {
+    let provider = rustcrypto_provider();
+    let time_provider = FakeTime {};
+
+    let fake_server_cert_verifier = FakeServerCertVerifier {};
+
+    let builder_init =
+        RusTlsClientConfig::builder_with_details(Arc::new(provider), Arc::new(time_provider));
+
+    let builder_default_versions = builder_init
+        .with_safe_default_protocol_versions()
+        .expect("Default protocol versions error?");
+
+    let dangerous_verifier = builder_default_versions
+        .dangerous()
+        .with_custom_certificate_verifier(Arc::new(fake_server_cert_verifier));
+
+    // Out of scope
+    let rustls_client_config = dangerous_verifier.with_no_client_auth();
+
+    // RustCrypto is not fips
+    assert_eq!(rustls_client_config.fips(), false);
+}
+
+use rustls::DistinguishedName;
+
+// Test integration between rustls and rustls in Server builder context
+#[test]
+fn integrate_server_builder_with_details_fake() {
+    let provider = rustcrypto_provider();
+    let time_provider = FakeTime {};
+
+    let builder_init =
+        RusTlsServerConfig::builder_with_details(Arc::new(provider), Arc::new(time_provider));
+
+    let builder_default_versions = builder_init
+        .with_safe_default_protocol_versions()
+        .expect("Default protocol versions error?");
+
+    // A DistinguishedName is a Vec<u8> wrapped in internal types.
+    // DER or BER encoded Subject field from RFC 5280 for a single certificate.
+    // The Subject field is encoded as an RFC 5280 Name
+    //let b_wrap_in: &[u8] = b""; // TODO: should have constant somewhere
+
+    let dummy_entry: &[u8] = b"";
+
+    let client_dn = [DistinguishedName::in_sequence(dummy_entry)];
+
+    let client_cert_verifier = FakeClientCertVerifier { dn: client_dn };
+
+    let dangerous_verifier =
+        builder_default_versions.with_client_cert_verifier(Arc::new(client_cert_verifier));
+
+    let server_cert_resolver = FakeServerCertResolver {};
+
+    // Out of scope
+    let rustls_client_config =
+        dangerous_verifier.with_cert_resolver(Arc::new(server_cert_resolver));
+
+    // RustCrypto is not fips
+    assert_eq!(rustls_client_config.fips(), false);
+}

tests/fake_cert_client_verifier.rs

@@ -0,0 +1,71 @@
+use rustls::DistinguishedName;
+use rustls::Error;
+
+use rustls::SignatureScheme;
+
+use rustls::pki_types::CertificateDer;
+use rustls::pki_types::UnixTime;
+use rustls::DigitallySignedStruct;
+
+use rustls::client::danger::HandshakeSignatureValid;
+use rustls::server::danger::ClientCertVerified;
+use rustls::server::danger::ClientCertVerifier;
+
+#[derive(Debug)]
+pub struct FakeClientCertVerifier {
+    pub dn: [DistinguishedName; 1],
+}
+
+impl ClientCertVerifier for FakeClientCertVerifier {
+    fn root_hint_subjects(&self) -> &[DistinguishedName] {
+        &self.dn
+    }
+    fn verify_client_cert(
+        &self,
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _now: UnixTime,
+    ) -> Result<ClientCertVerified, Error> {
+        Ok(ClientCertVerified::assertion())
+    }
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
+        vec![
+            SignatureScheme::RSA_PKCS1_SHA1,
+            SignatureScheme::ECDSA_SHA1_Legacy,
+            SignatureScheme::RSA_PKCS1_SHA256,
+            SignatureScheme::ECDSA_NISTP256_SHA256,
+            SignatureScheme::RSA_PKCS1_SHA384,
+            SignatureScheme::ECDSA_NISTP384_SHA384,
+            SignatureScheme::RSA_PKCS1_SHA512,
+            SignatureScheme::ECDSA_NISTP521_SHA512,
+            SignatureScheme::RSA_PSS_SHA256,
+            SignatureScheme::RSA_PSS_SHA384,
+            SignatureScheme::RSA_PSS_SHA512,
+            SignatureScheme::ED25519,
+            SignatureScheme::ED448,
+            //SignatureScheme::Unknown(u16),
+        ]
+    }
+    fn offer_client_auth(&self) -> bool {
+        true
+    }
+    fn client_auth_mandatory(&self) -> bool {
+        false
+    }
+}

tests/fake_cert_server_resolver.rs

@@ -0,0 +1,15 @@
+use std::sync::Arc;
+
+use rustls::server::ClientHello;
+
+use rustls::server::ResolvesServerCert;
+use rustls::sign::CertifiedKey;
+
+#[derive(Debug)]
+pub struct FakeServerCertResolver;
+
+impl ResolvesServerCert for FakeServerCertResolver {
+    fn resolve(&self, _client_hello: ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
+        None
+    }
+}

tests/fake_cert_server_verifier.rs

@@ -0,0 +1,59 @@
+use rustls::client::danger::HandshakeSignatureValid;
+use rustls::client::danger::ServerCertVerified;
+use rustls::client::danger::ServerCertVerifier;
+use rustls::pki_types::CertificateDer;
+use rustls::pki_types::ServerName;
+use rustls::pki_types::UnixTime;
+use rustls::DigitallySignedStruct;
+use rustls::Error;
+use rustls::SignatureScheme;
+
+#[derive(Debug)]
+pub struct FakeServerCertVerifier;
+
+impl ServerCertVerifier for FakeServerCertVerifier {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _server_name: &ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: UnixTime,
+    ) -> Result<ServerCertVerified, Error> {
+        Ok(ServerCertVerified::assertion())
+    }
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
+        vec![
+            SignatureScheme::RSA_PKCS1_SHA1,
+            SignatureScheme::ECDSA_SHA1_Legacy,
+            SignatureScheme::RSA_PKCS1_SHA256,
+            SignatureScheme::ECDSA_NISTP256_SHA256,
+            SignatureScheme::RSA_PKCS1_SHA384,
+            SignatureScheme::ECDSA_NISTP384_SHA384,
+            SignatureScheme::RSA_PKCS1_SHA512,
+            SignatureScheme::ECDSA_NISTP521_SHA512,
+            SignatureScheme::RSA_PSS_SHA256,
+            SignatureScheme::RSA_PSS_SHA384,
+            SignatureScheme::RSA_PSS_SHA512,
+            SignatureScheme::ED25519,
+            SignatureScheme::ED448,
+            //SignatureScheme::Unknown(u16),
+        ]
+    }
+}

tests/fake_time.rs

@@ -0,0 +1,11 @@
+use rustls::pki_types::UnixTime;
+use rustls::time_provider::TimeProvider;
+
+#[derive(Debug)]
+pub struct FakeTime;
+
+impl TimeProvider for FakeTime {
+    fn current_time(&self) -> Option<UnixTime> {
+        None
+    }
+}