e2e_tests: Add handshake tests

gowthamsk-arm · gowthamsk-arm · commit b56b248e9a30 · 2024-04-22T17:18:01.000+01:00
The tests currently perform TLS handshake under various conditions.
Currently the setup works with the default provider and future commits
will add support for parsec provider.

Signed-off-by: Gowtham Suresh Kumar &lt;gowtham.sureshkumar@arm.com&gt;
diff --git a/parsec-openssl-provider-shared/e2e_tests/tests/handshake.rs b/parsec-openssl-provider-shared/e2e_tests/tests/handshake.rs
@@ -0,0 +1,153 @@
+// Copyright 2024 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+use e2e_tests::*;
+
+#[test]
+fn test_handshake_no_authentication() {
+    let listener = TcpListener::bind("127.0.0.1:0").unwrap();
+    let addr = listener.local_addr().unwrap();
+
+    let server = Server::new(
+        Some(String::from("../../tests/tls/server/server_cert.pem")),
+        Some(String::from("../../tests/tls/server/server_priv_key.pem")),
+        Some(String::from("../../tests/tls/ca/ca_cert.pem")),
+        SslVerifyMode::NONE,
+    );
+    server.accept(listener);
+
+    let client = Client::new(None, None, None, SslVerifyMode::NONE);
+    client.connect(addr);
+}
+
+#[should_panic]
+#[test]
+fn test_handshake_server_authentication_no_client_ca() {
+    let listener = TcpListener::bind("127.0.0.1:0").unwrap();
+    let addr = listener.local_addr().unwrap();
+
+    let server = Server::new(
+        Some(String::from("../../tests/tls/server/server_cert.pem")),
+        Some(String::from("../../tests/tls/server/server_priv_key.pem")),
+        Some(String::from("../../tests/tls/ca/ca_cert.pem")),
+        SslVerifyMode::NONE,
+    );
+    server.accept(listener);
+
+    let client = Client::new(None, None, None, SslVerifyMode::PEER);
+    client.connect(addr);
+}
+
+#[test]
+fn test_handshake_server_authentication_with_client_ca() {
+    let listener = TcpListener::bind("127.0.0.1:0").unwrap();
+    let addr = listener.local_addr().unwrap();
+
+    let server = Server::new(
+        Some(String::from("../../tests/tls/server/server_cert.pem")),
+        Some(String::from("../../tests/tls/server/server_priv_key.pem")),
+        Some(String::from("../../tests/tls/ca/ca_cert.pem")),
+        SslVerifyMode::NONE,
+    );
+    server.accept(listener);
+
+    let client = Client::new(
+        None,
+        None,
+        Some(String::from("../../tests/tls/ca/ca_cert.pem")),
+        SslVerifyMode::PEER,
+    );
+    client.connect(addr);
+}
+
+#[should_panic]
+#[test]
+fn test_handshake_client_authentication_with_no_client_settings() {
+    let listener = TcpListener::bind("127.0.0.1:0").unwrap();
+    let addr = listener.local_addr().unwrap();
+
+    let server = Server::new(
+        Some(String::from("../../tests/tls/server/server_cert.pem")),
+        Some(String::from("../../tests/tls/server/server_priv_key.pem")),
+        Some(String::from("../../tests/tls/ca/ca_cert.pem")),
+        SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT,
+    );
+    server.accept(listener);
+
+    let client = Client::new(
+        None,
+        None,
+        Some(String::from("../../tests/tls/ca/ca_cert.pem")),
+        SslVerifyMode::PEER,
+    );
+    client.connect(addr);
+}
+
+#[should_panic]
+#[test]
+fn test_handshake_client_authentication_with_no_client_key() {
+    let listener = TcpListener::bind("127.0.0.1:0").unwrap();
+    let addr = listener.local_addr().unwrap();
+
+    let server = Server::new(
+        Some(String::from("../../tests/tls/server/server_cert.pem")),
+        Some(String::from("../../tests/tls/server/server_priv_key.pem")),
+        Some(String::from("../../tests/tls/ca/ca_cert.pem")),
+        SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT,
+    );
+    server.accept(listener);
+
+    let client = Client::new(
+        Some(String::from("../../tests/tls/client/client_cert.pem")),
+        None,
+        Some(String::from("../../tests/tls/ca/ca_cert.pem")),
+        SslVerifyMode::PEER,
+    );
+    client.connect(addr);
+}
+
+#[test]
+fn test_handshake_client_authentication() {
+    let socket = TcpListener::bind("127.0.0.1:0").unwrap();
+    let addr = socket.local_addr().unwrap();
+
+    let server = Server::new(
+        Some(String::from("../../tests/tls/server/server_cert.pem")),
+        Some(String::from("../../tests/tls/server/server_priv_key.pem")),
+        Some(String::from("../../tests/tls/ca/ca_cert.pem")),
+        SslVerifyMode::FAIL_IF_NO_PEER_CERT | SslVerifyMode::PEER,
+    );
+    server.accept(socket);
+
+    let client = Client::new(
+        Some(String::from("../../tests/tls/client/client_cert.pem")),
+        Some(String::from("../../tests/tls/client/client_priv_key.pem")),
+        Some(String::from("../../tests/tls/ca/ca_cert.pem")),
+        SslVerifyMode::PEER,
+    );
+    client.connect(addr);
+}
+
+#[should_panic]
+#[test]
+fn test_handshake_client_authentication_with_fake_ca() {
+    let socket = TcpListener::bind("127.0.0.1:0").unwrap();
+    let addr = socket.local_addr().unwrap();
+
+    let server = Server::new(
+        Some(String::from("../../tests/tls/server/server_cert.pem")),
+        Some(String::from("../../tests/tls/server/server_priv_key.pem")),
+        Some(String::from("../../tests/tls/ca/ca_cert.pem")),
+        SslVerifyMode::FAIL_IF_NO_PEER_CERT | SslVerifyMode::PEER,
+    );
+    server.accept(socket);
+
+    let client = Client::new(
+        Some(String::from("../../tests/tls/fake_client/client_cert.pem")),
+        Some(String::from(
+            "../../tests/tls/fake_client/client_priv_key.pem",
+        )),
+        Some(String::from("../../tests/tls/fake_ca/ca_cert.pem")),
+        SslVerifyMode::PEER,
+    );
+    client.connect(addr);
+}
diff --git a/parsec-openssl-provider-shared/e2e_tests/tests/mod.rs b/parsec-openssl-provider-shared/e2e_tests/tests/mod.rs
@@ -1,6 +1,7 @@
 // Copyright 2024 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
 
+mod handshake;
 mod keys;
 mod provider;
 mod sign;
