From f673e59b217471128ce66454358bd8f7c41481df Mon Sep 17 00:00:00 2001
From: Mattes D <github@xoft.cz>
Date: Wed, 10 May 2023 00:04:08 +0200
Subject: UrlClientTest: Added tests for root CA verification.

---
 tests/HTTP/UrlClientTest.cpp | 208 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 1 deletion(-)

(limited to 'tests/HTTP')

diff --git a/tests/HTTP/UrlClientTest.cpp b/tests/HTTP/UrlClientTest.cpp
index 94ea0ccaa..8c6af1355 100644
--- a/tests/HTTP/UrlClientTest.cpp
+++ b/tests/HTTP/UrlClientTest.cpp
@@ -110,6 +110,102 @@ protected:
 
 
 
+/** The trusted root CAs for individual servers. */
+namespace TrustedCAs
+{
+	// DigiCert Global Root CA (sessionserver.mojang.com, api.mojang.com)
+	// Downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm
+	// DigiCert Global Root CA
+	static const char MojangCom[] =
+		"-----BEGIN CERTIFICATE-----\n"
+		"MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\n"
+		"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
+		"d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n"
+		"QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT\n"
+		"MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n"
+		"b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG\n"
+		"9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB\n"
+		"CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97\n"
+		"nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt\n"
+		"43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P\n"
+		"T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4\n"
+		"gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO\n"
+		"BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR\n"
+		"TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw\n"
+		"DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr\n"
+		"hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg\n"
+		"06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF\n"
+		"PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\n"
+		"YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\n"
+		"CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n"
+		"-----END CERTIFICATE-----\n";
+
+	// The root cert used by github.com
+	static const char GithubCom[] =
+		"-----BEGIN CERTIFICATE-----\n"
+		"MIIEFzCCAv+gAwIBAgIQB/LzXIeod6967+lHmTUlvTANBgkqhkiG9w0BAQwFADBh\n"
+		"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
+		"d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n"
+		"QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaMFYxCzAJBgNVBAYTAlVT\n"
+		"MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMDAuBgNVBAMTJ0RpZ2lDZXJ0IFRMUyBI\n"
+		"eWJyaWQgRUNDIFNIQTM4NCAyMDIwIENBMTB2MBAGByqGSM49AgEGBSuBBAAiA2IA\n"
+		"BMEbxppbmNmkKaDp1AS12+umsmxVwP/tmMZJLwYnUcu/cMEFesOxnYeJuq20ExfJ\n"
+		"qLSDyLiQ0cx0NTY8g3KwtdD3ImnI8YDEe0CPz2iHJlw5ifFNkU3aiYvkA8ND5b8v\n"
+		"c6OCAYIwggF+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFAq8CCkXjKU5\n"
+		"bXoOzjPHLrPt+8N6MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA4G\n"
+		"A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdgYI\n"
+		"KwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j\n"
+		"b20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdp\n"
+		"Q2VydEdsb2JhbFJvb3RDQS5jcnQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2Ny\n"
+		"bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDA9BgNVHSAE\n"
+		"NjA0MAsGCWCGSAGG/WwCATAHBgVngQwBATAIBgZngQwBAgEwCAYGZ4EMAQICMAgG\n"
+		"BmeBDAECAzANBgkqhkiG9w0BAQwFAAOCAQEAR1mBf9QbH7Bx9phdGLqYR5iwfnYr\n"
+		"6v8ai6wms0KNMeZK6BnQ79oU59cUkqGS8qcuLa/7Hfb7U7CKP/zYFgrpsC62pQsY\n"
+		"kDUmotr2qLcy/JUjS8ZFucTP5Hzu5sn4kL1y45nDHQsFfGqXbbKrAjbYwrwsAZI/\n"
+		"BKOLdRHHuSm8EdCGupK8JvllyDfNJvaGEwwEqonleLHBTnm8dqMLUeTF0J5q/hos\n"
+		"Vq4GNiejcxwIfZMy0MJEGdqN9A57HSgDKwmKdsp33Id6rHtSJlWncg+d0ohP/rEh\n"
+		"xRqhqjn1VtvChMQ1H3Dau0bwhr9kAMQ+959GG50jBbl9s08PqUU643QwmA==\n"
+		"-----END CERTIFICATE-----\n";
+
+	// The root cert used by cuberite.org
+	static const char CuberiteOrg[] =
+		"-----BEGIN CERTIFICATE-----\n"
+		"MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\n"
+		"MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n"
+		"DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\n"
+		"TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
+		"cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\n"
+		"AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\n"
+		"ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\n"
+		"wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\n"
+		"LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n"
+		"4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\n"
+		"bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\n"
+		"sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\n"
+		"Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\n"
+		"FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\n"
+		"SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\n"
+		"PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\n"
+		"TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
+		"SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\n"
+		"c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n"
+		"+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\n"
+		"ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\n"
+		"b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\n"
+		"U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\n"
+		"MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n"
+		"5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n"
+		"9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\n"
+		"WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\n"
+		"he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\n"
+		"Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n"
+		"-----END CERTIFICATE-----\n";
+}
+
+
+
+
+
 int TestRequest1()
 {
 	LOG("Running test 1");
@@ -197,7 +293,65 @@ int TestRequest4()
 	LOG("Running test 4");
 	auto evtFinished = std::make_shared<cEvent>();
 	auto callbacks = std::make_unique<cCallbacks>(evtFinished);
-	auto res = cUrlClient::Get("https://github.com", std::move(callbacks));
+	AStringMap options;
+	options["TrustedRootCAs"] = TrustedCAs::GithubCom;
+	auto res = cUrlClient::Get("https://github.com", std::move(callbacks), {}, {}, options);
+	if (res.first)
+	{
+		if (!evtFinished->Wait(10000))
+		{
+			LOG("Aborting the wait for response; failing the test.");
+			return 1;
+		}
+	}
+	else
+	{
+		LOG("Immediate error: %s", res.second.c_str());
+		return 1;
+	}
+	return 0;
+}
+
+
+
+
+
+int TestRequest5()
+{
+	LOG("Running test 5");
+	auto evtFinished = std::make_shared<cEvent>();
+	auto callbacks = std::make_unique<cCallbacks>(evtFinished);
+	AStringMap options;
+	options["TrustedRootCAs"] = TrustedCAs::CuberiteOrg;
+	auto res = cUrlClient::Get("https://cuberite.org", std::move(callbacks), {}, {}, options);
+	if (res.first)
+	{
+		if (!evtFinished->Wait(10000))
+		{
+			LOG("Aborting the wait for response; failing the test.");
+			return 1;
+		}
+	}
+	else
+	{
+		LOG("Immediate error: %s", res.second.c_str());
+		return 1;
+	}
+	return 0;
+}
+
+
+
+
+
+int TestRequest6()
+{
+	LOG("Running test 6");
+	auto evtFinished = std::make_shared<cEvent>();
+	auto callbacks = std::make_unique<cCallbacks>(evtFinished);
+	AStringMap options;
+	options["TrustedRootCAs"] = TrustedCAs::MojangCom;
+	auto res = cUrlClient::Get("https://sessionserver.mojang.com", std::move(callbacks), {}, {}, options);
 	if (res.first)
 	{
 		if (!evtFinished->Wait(10000))
@@ -218,6 +372,54 @@ int TestRequest4()
 
 
 
+int TestRequest7()
+{
+	LOG("Running test 7");
+	auto evtFinished = std::make_shared<cEvent>();
+	auto callbacks = std::make_unique<cCallbacks>(evtFinished);
+	AStringMap options;
+	options["TrustedRootCAs"] = TrustedCAs::MojangCom;
+	auto res = cUrlClient::Get("https://api.mojang.com", std::move(callbacks), {}, {}, options);
+	if (res.first)
+	{
+		if (!evtFinished->Wait(10000))
+		{
+			LOG("Aborting the wait for response; failing the test.");
+			return 1;
+		}
+	}
+	else
+	{
+		LOG("Immediate error: %s", res.second.c_str());
+		return 1;
+	}
+	return 0;
+}
+
+
+
+
+
+int TestRequest8()
+{
+	LOG("Running test 8");
+	auto evtFinished = std::make_shared<cEvent>();
+	auto callbacks = std::make_unique<cCallbacks>(evtFinished);
+	AStringMap options;
+	options["TrustedRootCAs"] = TrustedCAs::GithubCom;
+	auto [isSuccess, response] = cUrlClient::BlockingGet("https://api.mojang.com", {}, {}, options);
+	if (isSuccess)
+	{
+		LOG("CA verification failure, should have rejected the connection due to bad root CA.");
+		return 1;
+	}
+	return 0;
+}
+
+
+
+
+
 int TestRequests()
 {
 	using func_t = int(void);
@@ -227,6 +429,10 @@ int TestRequests()
 		&TestRequest2,
 		&TestRequest3,
 		&TestRequest4,
+		&TestRequest5,
+		&TestRequest6,
+		&TestRequest7,
+		&TestRequest8,
 	};
 	for (auto test: tests)
 	{
-- 
cgit v1.2.3