authorJose <jose@zeroc.com>2014-08-11 18:17:39 +0200
committerJose <jose@zeroc.com>2014-08-11 18:17:39 +0200
commit07654a075bb24782714b687c27ce570bed48c18d (patch)
treeec52f798a09bf8ed6627c08434df9ab65f38fadd
parentSChannel minor fix for Java compativilty. (diff)
ICE-5625 tests for C++/JAVA/.NET
-rw-r--r--cpp/test/IceSSL/certs/cacert2.pfxbin0 -> 1973 bytes
-rwxr-xr-xcpp/test/IceSSL/certs/makecerts4
-rw-r--r--cpp/test/IceSSL/configuration/AllTests.cpp79
-rw-r--r--cs/test/IceSSL/certs/cacert2.pfxbin0 -> 1973 bytes
-rwxr-xr-xcs/test/IceSSL/certs/makecerts.py4
-rw-r--r--cs/test/IceSSL/configuration/AllTests.cs56
-rwxr-xr-xjava/test/IceSSL/certs/makecerts.py11
-rw-r--r--java/test/IceSSL/certs/s_cacert2.jksbin0 -> 2706 bytes
-rw-r--r--java/test/IceSSL/configuration/AllTests.java56
9 files changed, 210 insertions, 0 deletions
diff --git a/cpp/test/IceSSL/certs/cacert2.pfx b/cpp/test/IceSSL/certs/cacert2.pfx
new file mode 100644
index 00000000000..1c6ab273b9e
--- /dev/null
+++ b/cpp/test/IceSSL/certs/cacert2.pfx
Binary files differ
diff --git a/cpp/test/IceSSL/certs/makecerts b/cpp/test/IceSSL/certs/makecerts
index 87993784581..1c6344a9dfb 100755
--- a/cpp/test/IceSSL/certs/makecerts
+++ b/cpp/test/IceSSL/certs/makecerts
@@ -37,6 +37,8 @@ if ! [ -f cakey1.pem ]; then
openssl req -config test_ca2.cnf -x509 -days 3650 -newkey rsa:1024 -keyout cakey2.pem -out cacert2.pem \
-outform PEM -nodes
+ openssl pkcs12 -in cacert2.pem -inkey cakey2.pem -export -out cacert2.pfx -passout pass:password
+
#
# In order for OpenSSL to locate CA certificates dynamically at run time, the
# directory containing the certificates must be indexed. Typically this is
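Review bot: The added `openssl pkcs12 ... -export` line packs the CA 2 private key (`cakey2.pem`) together with its certificate into `cacert2.pfx` under a fixed passphrase, and nothing next to it says that this bundle is a test fixture only. A comment above the command would make that explicit, for example `# Test fixture only: cacert2.pfx carries the CA 2 private key under a well-known password; never add cacert2 to a real trust store.` The exit status of the export is also not checked in the lines shown, so a failed export would only surface later when the tests try to load the file.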
@@ -55,6 +57,8 @@ if ! [ -f cakey1.pem ]; then
#
cp cacert1.pem `openssl x509 -subject_hash_old -noout -in cacert1.pem`.0
cp cacert2.pem `openssl x509 -subject_hash_old -noout -in cacert2.pem`.0
+
+
#
# Create a server certificate and key (no password).
diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp
index 3fc3dac0a4a..371ade399cb 100644
--- a/cpp/test/IceSSL/configuration/AllTests.cpp
+++ b/cpp/test/IceSSL/configuration/AllTests.cpp
@@ -646,6 +646,85 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool pfx, b
comm->destroy();
//
+ // This should succeed because the self signed certificate used by the server is
+ // trusted. The IceSSL.DefaultDir setting in the client allows OpenSSL to find
+ // the server's CA certificate.
+ //
+ initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost, pfx);
+ comm = initialize(initData);
+ fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
+ test(fact);
+ d = createServerProps(defaultProperties, defaultDir, defaultHost, pfx);
+ if(pfx)
+ {
+ d["IceSSL.CertFile"] = defaultDir + "/cacert2.pfx";
+ }
+ else
+ {
+ d["IceSSL.CertFile"] = defaultDir + "/cacert2.pem";
+ d["IceSSL.KeyFile"] = defaultDir + "/cakey2.pem";
+ }
+ d["IceSSL.VerifyPeer"] = "0";
+ server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ }
+ catch(const LocalException&)
+ {
+ test(false);
+ }
+ fact->destroyServer(server);
+
+ comm->destroy();
+
+ //
+ // This should fail because the self signed certificate used by the server is not
+ // trusted. The IceSSL.DefaultDir setting in the client allows OpenSSL to find
+ // the server's CA certificate. We have to disable IceSSL.DefaultDir in the client
+ // so that it can't find the server's CA certificate.
+ //
+ initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost, pfx);
+ initData.properties->setProperty("IceSSL.DefaultDir", "");
+ comm = initialize(initData);
+ fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
+ test(fact);
+ d = createServerProps(defaultProperties, defaultDir, defaultHost, pfx);
+ if(pfx)
+ {
+ d["IceSSL.CertFile"] = defaultDir + "/cacert2.pfx";
+ }
+ else
+ {
+ d["IceSSL.CertFile"] = defaultDir + "/cacert2.pem";
+ d["IceSSL.KeyFile"] = defaultDir + "/cakey2.pem";
+ }
+ d["IceSSL.VerifyPeer"] = "0";
+ server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ test(false);
+ }
+ catch(const ProtocolException&)
+ {
+ // Expected.
+ }
+#ifdef _WIN32
+ catch(const ConnectionLostException&)
+ {
+ // Expected.
+ }
+#endif
+ catch(const LocalException&)
+ {
+ test(false);
+ }
+ fact->destroyServer(server);
+
+ comm->destroy();
+
+ //
// Verify that IceSSL.CheckCertName has no effect in a server.
//
initData.properties = createClientProps(defaultProperties, defaultDir, defaultHost, pfx);
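Review bot: In the negative case, the `#ifdef _WIN32` handler for `ConnectionLostException`, like the `ProtocolException` handler before it, accepts any dropped connection or protocol error as proof that the untrusted certificate was rejected, so the test would also pass if the handshake failed for an unrelated reason. At minimum the Windows branch should say why a lost connection is the expected outcome there, e.g. `// Expected: on Windows the connection is closed when certificate validation fails.` (to be confirmed against the SChannel behaviour). The comment above this case also repeats the IceSSL.DefaultDir sentence from the positive case before contradicting it; keeping only `// We clear IceSSL.DefaultDir in the client so that it can't find the server's CA certificate.` would read more clearly. allTests starts and ends outside the hunk.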
diff --git a/cs/test/IceSSL/certs/cacert2.pfx b/cs/test/IceSSL/certs/cacert2.pfx
new file mode 100644
index 00000000000..63d4ddffb1a
--- /dev/null
+++ b/cs/test/IceSSL/certs/cacert2.pfx
Binary files differ
diff --git a/cs/test/IceSSL/certs/makecerts.py b/cs/test/IceSSL/certs/makecerts.py
index b3666f68764..a228f21948e 100755
--- a/cs/test/IceSSL/certs/makecerts.py
+++ b/cs/test/IceSSL/certs/makecerts.py
@@ -73,6 +73,10 @@ for x in certs:
".pfx -passout pass:password")
print("Created " + x + ".pfx")
+if force or not os.path.exists("cacert2.pfx"):
+ cert = os.path.join(cppcerts, "cacert2.pem")
+ key = os.path.join(cppcerts, "cakey2.pem")
+ os.system("openssl pkcs12 -in " + cert + " -inkey " + key + " -export -out cacert2.pfx -passout pass:password")
#
# Done.
#
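Review bot: The return value of `os.system` on the added openssl line is discarded and the command is built by string concatenation, so a failed export, or a `cppcerts` path containing spaces or shell metacharacters, goes unnoticed until the tests fail to load cacert2.pfx. An argument list with a checked exit status avoids both: `subprocess.check_call(["openssl", "pkcs12", "-in", cert, "-inkey", key, "-export", "-out", "cacert2.pfx", "-passout", "pass:password"])` (this needs `import subprocess` if the script does not already have it). The same pattern appears in the hunk for java/test/IceSSL/certs/makecerts.py, where neither the openssl nor the ImportKey call is checked before `os.remove(p12)` runs. The script continues outside the hunk.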
diff --git a/cs/test/IceSSL/configuration/AllTests.cs b/cs/test/IceSSL/configuration/AllTests.cs
index 5ee37b3a67e..6e1f9780e03 100644
--- a/cs/test/IceSSL/configuration/AllTests.cs
+++ b/cs/test/IceSSL/configuration/AllTests.cs
@@ -395,6 +395,62 @@ public class AllTests
comm.destroy();
//
+ // This should succeed because the self signed certificate used by the server is
+ // trusted.
+ //
+ initData = createClientProps(defaultProperties, testDir, defaultHost);
+ comm = Ice.Util.initialize(ref args, initData);
+ fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, testDir, defaultHost);
+ d["IceSSL.CertFile"] = defaultDir + "/cacert2.pfx";
+ d["IceSSL.Password"] = "password";
+ d["IceSSL.VerifyPeer"] = "0";
+ server = fact.createServer(d);
+ store.Add(caCert2);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ store.Remove(caCert2);
+ comm.destroy();
+
+ //
+ // This should fail because the self signed certificate used by the server is not
+ // trusted.
+ //
+ initData = createClientProps(defaultProperties, testDir, defaultHost);
+ comm = Ice.Util.initialize(ref args, initData);
+ fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, testDir, defaultHost);
+ d["IceSSL.CertFile"] = defaultDir + "/cacert2.pfx";
+ d["IceSSL.Password"] = "password";
+ d["IceSSL.VerifyPeer"] = "0";
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.SecurityException)
+ {
+ // Expected.
+ }
+ catch(Ice.LocalException)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+
+
+ //
// Verify that IceSSL.CheckCertName has no effect in a server.
//
initData = createClientProps(defaultProperties, testDir, defaultHost);
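Review bot: `store.Add(caCert2)` in the positive case is undone by `store.Remove(caCert2)` only on the straight-line path; if `test(false)` throws (its definition is outside the hunk) or an exception other than `Ice.LocalException` escapes, the test CA stays in the certificate store. The matching private key ships in the test tree under a fixed password, so a leftover trust entry is worth ruling out: move the removal into a `finally` on the `try` around `server.ice_ping()`, i.e. `finally { store.Remove(caCert2); }`. `store` and `caCert2` are declared outside the hunk, so which store is modified cannot be seen here. The enclosing method continues outside the hunk.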
diff --git a/java/test/IceSSL/certs/makecerts.py b/java/test/IceSSL/certs/makecerts.py
index c99ed267bc1..3aea85737c8 100755
--- a/java/test/IceSSL/certs/makecerts.py
+++ b/java/test/IceSSL/certs/makecerts.py
@@ -108,6 +108,17 @@ for x in certs:
os.system("java -classpath ../../../../certs ImportKey " + p12 + " cert " + cacert + ".der " + ks + " password")
os.remove(p12)
print "Created " + ks
+
+p12 = "cacert2.pfx"
+ks = "s_cacert2.jks"
+if force or not os.path.exists(ks):
+ cert = os.path.join(cppcerts, "cacert2.pem")
+ key = os.path.join(cppcerts, "cakey2.pem")
+ os.system("openssl pkcs12 -in " + cert + " -inkey " + key + " -export -out " + p12 + \
+ " -name cert -passout pass:password -certfile " + cert)
+ os.system("java -classpath ../../../../certs ImportKey " + p12 + " cert cacert2.der " + ks + " password")
+ os.remove(p12)
+ print "Created " + ks
#
# Create a keystore that contains both RSA and DSS certificates.
diff --git a/java/test/IceSSL/certs/s_cacert2.jks b/java/test/IceSSL/certs/s_cacert2.jks
new file mode 100644
index 00000000000..7d55050b1a5
--- /dev/null
+++ b/java/test/IceSSL/certs/s_cacert2.jks
Binary files differ
diff --git a/java/test/IceSSL/configuration/AllTests.java b/java/test/IceSSL/configuration/AllTests.java
index fbc290db790..64ecac628ff 100644
--- a/java/test/IceSSL/configuration/AllTests.java
+++ b/java/test/IceSSL/configuration/AllTests.java
@@ -281,6 +281,62 @@ public class AllTests
}
fact.destroyServer(server);
comm.destroy();
+
+ //
+ // This should succeed because the self signed certificate used by the server is
+ // trusted.
+ //
+ initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.VerifyPeer", "1");
+ initData.properties.setProperty("IceSSL.Truststore", "cacert2.jks");
+ comm = Ice.Util.initialize(args, initData);
+ fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_cacert2.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.VerifyPeer", "0");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+
+ //
+ // This should fail because the self signed certificate used by the server is not
+ // trusted.
+ //
+ initData = createClientProps(defaultProperties, defaultDir, defaultHost);
+ initData.properties.setProperty("IceSSL.VerifyPeer", "1");
+ comm = Ice.Util.initialize(args, initData);
+ fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, defaultDir, defaultHost);
+ d.put("IceSSL.Keystore", "s_cacert2.jks");
+ d.put("IceSSL.Password", "password");
+ d.put("IceSSL.VerifyPeer", "0");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ test(false);
+ }
+ catch(Ice.SecurityException ex)
+ {
+ // Expected.
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
//
// Test IceSSL.VerifyPeer=1. Client has a certificate.