diff --git a/include/envoy/ssl/connection.h b/include/envoy/ssl/connection.h
index 3b66ddef00b1..61ea9575ddf9 100644
--- a/include/envoy/ssl/connection.h
+++ b/include/envoy/ssl/connection.h
@@ -15,39 +15,45 @@ class Connection { virtual ~Connection() {} /** - * @return whether the peer certificate is presented. + * @return bool whether the peer certificate is presented. **/ virtual bool peerCertificatePresented() const PURE; /** - * @return the URI in the SAN feld of the local certificate. Returns "" if there is no local - * certificate, or no SAN field, or no URI. + * @return std::string the URI in the SAN feld of the local certificate. Returns "" if there is no + * local certificate, or no SAN field, or no URI. **/ virtual std::string uriSanLocalCertificate() PURE; /** - * @return the subject field of the local certificate in RFC 2253 format. Returns "" if there is - * no local certificate, or no subject. + * @return std::string the subject field of the local certificate in RFC 2253 format. Returns "" + * if there is no local certificate, or no subject. **/ virtual std::string subjectLocalCertificate() const PURE; /** - * @return the SHA256 digest of the peer certificate. Returns "" if there is no peer certificate - * which can happen in TLS (non mTLS) connections. + * @return std::string the SHA256 digest of the peer certificate. Returns "" if there is no peer + * certificate which can happen in TLS (non mTLS) connections. */ virtual std::string sha256PeerCertificateDigest() PURE; /** - * @return the subject field of the peer certificate in RFC 2253 format. Returns "" if there is - * no peer certificate, or no subject. + * @return std::string the subject field of the peer certificate in RFC 2253 format. Returns "" if + * there is no peer certificate, or no subject. **/ virtual std::string subjectPeerCertificate() const PURE; /** - * @return the URI in the SAN field of the peer certificate. Returns "" if there is no peer - * certificate, or no SAN field, or no URI. + * @return std::string the URI in the SAN field of the peer certificate. Returns "" if there is no + * peer certificate, or no SAN field, or no URI. 
**/ virtual std::string uriSanPeerCertificate() PURE; + + /** + * @return std::string the URL-encoded PEM-encoded representation of the peer certificate. Returns + * "" if there is no peer certificate or encoding fails. + **/ + virtual std::string urlEncodedPemEncodedPeerCertificate() const PURE; }; } // namespace Ssl diff --git a/source/common/http/conn_manager_impl.h b/source/common/http/conn_manager_impl.h index 43dd2c4d3383..6933c6b05b1a 100644 --- a/source/common/http/conn_manager_impl.h +++ b/source/common/http/conn_manager_impl.h @@ -160,7 +160,7 @@ enum class ForwardClientCertType { * Configuration for the fields of the client cert, used for populating the current client cert * information to the next hop. */ -enum class ClientCertDetailsType { Subject, SAN }; +enum class ClientCertDetailsType { Cert, Subject, SAN }; /** * Abstract configuration for the connection manager. diff --git a/source/common/http/conn_manager_utility.cc b/source/common/http/conn_manager_utility.cc index eee1b37438db..959684a83da7 100644 --- a/source/common/http/conn_manager_utility.cc +++ b/source/common/http/conn_manager_utility.cc 
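Review bot: The doc comment on the new `urlEncodedPemEncodedPeerCertificate()` says "URL-encoded" without saying which characters are escaped, and callers (the XFCC code in this same commit embeds the result inside double quotes in a header value) need that to be precise. I would replace the first sentence with `@return std::string the PEM-encoded peer certificate with newline, space, '+', '/' and '=' percent-encoded, so the value is a single line safe for use in an HTTP header value; the output is suitable for wrapping in double quotes since neither '"' nor whitespace can appear.` The failure clause ("encoding fails") should also match the implementation's actual behavior, which in the ssl_socket.cc hunk asserts rather than returns "" — whichever is intended, the header is the contract callers read. Minor: this accessor is `const` while `uriSanPeerCertificate()` and `sha256PeerCertificateDigest()` on the same interface are not; that is fine, but worth being deliberate about since the mock and implementation must agree.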
@@ -188,11 +188,13 @@ void ConnectionManagerUtility::mutateXfccRequestHeader(Http::HeaderMap& request_ // the XFCC header. if (config.forwardClientCert() == Http::ForwardClientCertType::AppendForward || config.forwardClientCert() == Http::ForwardClientCertType::SanitizeSet) { - if (!connection.ssl()->uriSanLocalCertificate().empty()) { - client_cert_details.push_back("By=" + connection.ssl()->uriSanLocalCertificate()); + const std::string uri_san_local_cert = connection.ssl()->uriSanLocalCertificate(); + if (!uri_san_local_cert.empty()) { + client_cert_details.push_back("By=" + uri_san_local_cert); } - if (!connection.ssl()->sha256PeerCertificateDigest().empty()) { - client_cert_details.push_back("Hash=" + connection.ssl()->sha256PeerCertificateDigest()); + const std::string cert_digest = connection.ssl()->sha256PeerCertificateDigest(); + if (!cert_digest.empty()) { + client_cert_details.push_back("Hash=" + cert_digest); } for (const auto& detail : config.setCurrentClientCertDetails()) { switch (detail) { @@ -205,6 +207,13 @@ void ConnectionManagerUtility::mutateXfccRequestHeader(Http::HeaderMap& request_ // Currently, we only support a single SAN field with URI type. // The "SAN" key still exists even if the SAN is empty. client_cert_details.push_back("SAN=" + connection.ssl()->uriSanPeerCertificate()); + break; + case Http::ClientCertDetailsType::Cert: + const std::string peer_cert = connection.ssl()->urlEncodedPemEncodedPeerCertificate(); + if (!peer_cert.empty()) { + client_cert_details.push_back("Cert=\"" + peer_cert + "\""); + } + break; } } } diff --git a/source/common/ssl/ssl_socket.cc b/source/common/ssl/ssl_socket.cc index 6ac121caaefe..9fd5e0cae115 100644 --- a/source/common/ssl/ssl_socket.cc +++ b/source/common/ssl/ssl_socket.cc @@ -5,6 +5,7 @@ #include "common/common/hex.h" #include "common/http/headers.h" +#include "absl/strings/str_replace.h" #include "openssl/err.h" #include "openssl/x509v3.h" 
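Review bot: In the `@@ -205` hunk, `const std::string peer_cert` is declared directly under `case Http::ClientCertDetailsType::Cert:` with no enclosing braces; this only compiles because it is the last label in the switch, and the next `case` added after it will fail with "jump to case label crosses initialization". Scope it now: `case Http::ClientCertDetailsType::Cert: {` … `break;` `}`. Note also that under `AppendForward` the incoming header is kept and each hop appends its own `Cert="…"` element, so the request header grows by a full percent-encoded PEM per hop; that is presumably intended, but it belongs in the option's documentation (not visible in this diff). `mutateXfccRequestHeader` begins and ends outside these hunks.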
@@ -227,6 +228,26 @@ std::string SslSocket::sha256PeerCertificateDigest() { return Hex::encode(computed_hash); } +// TODO: Cache this result and possibly other methods in this class +std::string SslSocket::urlEncodedPemEncodedPeerCertificate() const { + bssl::UniquePtr cert(SSL_get_peer_certificate(ssl_.get())); + if (!cert) { + return ""; + } + + bssl::UniquePtr buf(BIO_new(BIO_s_mem())); + RELEASE_ASSERT(buf != nullptr); + RELEASE_ASSERT(PEM_write_bio_X509(buf.get(), cert.get()) == 1); + const uint8_t* output; + size_t length; + RELEASE_ASSERT(BIO_mem_contents(buf.get(), &output, &length) == 1); + std::string pem = std::string(reinterpret_cast(output), length); + // URL encoding shortcut + absl::StrReplaceAll({{"\n", "%0A"}, {" ", "%20"}, {"+", "%2B"}, {"/", "%2F"}, {"=", "%3D"}}, + &pem); + return pem; +} + std::string SslSocket::uriSanPeerCertificate() { bssl::UniquePtr cert(SSL_get_peer_certificate(ssl_.get())); if (!cert) { diff --git a/source/common/ssl/ssl_socket.h b/source/common/ssl/ssl_socket.h index 27540cb9eb5f..6437fa89c54a 100644 --- a/source/common/ssl/ssl_socket.h +++ b/source/common/ssl/ssl_socket.h @@ -28,6 +28,7 @@ class SslSocket : public Network::TransportSocket, std::string subjectPeerCertificate() const override; std::string subjectLocalCertificate() const override; std::string uriSanPeerCertificate() override; + std::string urlEncodedPemEncodedPeerCertificate() const override; // Network::TransportSocket void setTransportSocketCallbacks(Network::TransportSocketCallbacks& callbacks) override; diff --git a/source/server/config/network/http_connection_manager.cc b/source/server/config/network/http_connection_manager.cc index f7f8d1098dbb..14d46c76215a 100644 --- a/source/server/config/network/http_connection_manager.cc +++ b/source/server/config/network/http_connection_manager.cc 
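Review bot: The interface hunk documents `urlEncodedPemEncodedPeerCertificate()` as returning "" when encoding fails, but this body turns a failing `PEM_write_bio_X509` or `BIO_mem_contents` into a `RELEASE_ASSERT`, so an encoding failure on a certificate obtained from the peer via `SSL_get_peer_certificate` would abort the process rather than just omit the `Cert` element from the XFCC header. Whatever the practical likelihood, the doc and the code should agree; since the header already promises the graceful contract, I would return "" on the two data-dependent calls and keep the assert only for the allocation (as below). The `// URL encoding shortcut` comment should also justify itself, e.g. `// PEM_write_bio_X509 emits only the base64 alphabet, '-', the spaces in the BEGIN/END armor and '\n'; '%' never occurs, so escaping these five characters is sufficient and cannot double-encode.`
```cpp
  bssl::UniquePtr<BIO> buf(BIO_new(BIO_s_mem()));
  RELEASE_ASSERT(buf != nullptr); // allocation failure is not peer-controlled
  if (PEM_write_bio_X509(buf.get(), cert.get()) != 1) {
    return ""; // documented contract: "" when encoding fails
  }
  const uint8_t* output;
  size_t length;
  if (BIO_mem_contents(buf.get(), &output, &length) != 1) {
    return "";
  }
  // … unchanged: std::string construction and absl::StrReplaceAll …
```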
@@ -157,6 +157,9 @@ HttpConnectionManagerConfig::HttpConnectionManagerConfig( if (PROTOBUF_GET_WRAPPED_OR_DEFAULT(set_current_client_cert_details, san, false)) { set_current_client_cert_details_.push_back(Http::ClientCertDetailsType::SAN); } + if (set_current_client_cert_details.cert()) { + set_current_client_cert_details_.push_back(Http::ClientCertDetailsType::Cert); + } if (config.has_add_user_agent() && config.add_user_agent().value()) { user_agent_.value(context_.localInfo().clusterName()); diff --git a/test/common/http/conn_manager_utility_test.cc b/test/common/http/conn_manager_utility_test.cc index ce88ea1bda52..03f5fd0275af 100644 --- a/test/common/http/conn_manager_utility_test.cc +++ b/test/common/http/conn_manager_utility_test.cc 
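Review bot: The new `cert` option is read as a bare `set_current_client_cert_details.cert()` while the sibling `san` (and, per the visible pattern, `subject`) go through `PROTOBUF_GET_WRAPPED_OR_DEFAULT(..., false)`; the proto definition is not in this diff, so either `cert` was declared as a plain `bool` unlike its siblings or the wrapper default is being bypassed. Worth confirming, and if the field is intentionally a plain bool, a one-line comment here (`// cert is a plain bool in the proto, unlike subject/san`) would stop the next reader from "fixing" it. Since this switch forwards the entire client certificate upstream, the field's proto comment should also mention the per-hop header growth under AppendForward. The enclosing constructor starts and ends outside this hunk.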
@@ -485,14 +485,16 @@ TEST_F(ConnectionManagerUtilityTest, MtlsForwardOnlyClientCert) { TEST_F(ConnectionManagerUtilityTest, MtlsAppendForwardClientCert) { NiceMock ssl; ON_CALL(ssl, peerCertificatePresented()).WillByDefault(Return(true)); - EXPECT_CALL(ssl, uriSanLocalCertificate()).Times(2).WillRepeatedly(Return("test://foo.com/be")); - EXPECT_CALL(ssl, sha256PeerCertificateDigest()).Times(2).WillRepeatedly(Return("abcdefg")); + EXPECT_CALL(ssl, uriSanLocalCertificate()).WillOnce(Return("test://foo.com/be")); + EXPECT_CALL(ssl, sha256PeerCertificateDigest()).WillOnce(Return("abcdefg")); EXPECT_CALL(ssl, uriSanPeerCertificate()).WillOnce(Return("test://foo.com/fe")); + EXPECT_CALL(ssl, urlEncodedPemEncodedPeerCertificate()).WillOnce(Return("%3D%3Dabc%0Ade%3D")); ON_CALL(connection_, ssl()).WillByDefault(Return(&ssl)); ON_CALL(config_, forwardClientCert()) .WillByDefault(Return(Http::ForwardClientCertType::AppendForward)); std::vector details = std::vector(); details.push_back(Http::ClientCertDetailsType::SAN); + details.push_back(Http::ClientCertDetailsType::Cert); ON_CALL(config_, setCurrentClientCertDetails()).WillByDefault(ReturnRef(details)); TestHeaderMapImpl headers{ {"x-forwarded-client-cert", "By=test://foo.com/fe;SAN=test://bar.com/be"}}; @@ -501,7 +503,7 @@ TEST_F(ConnectionManagerUtilityTest, MtlsAppendForwardClientCert) { callMutateRequestHeaders(headers, Protocol::Http2)); EXPECT_TRUE(headers.has("x-forwarded-client-cert")); EXPECT_EQ("By=test://foo.com/fe;SAN=test://bar.com/be,By=test://foo.com/" - "be;Hash=abcdefg;SAN=test://foo.com/fe", + "be;Hash=abcdefg;SAN=test://foo.com/fe;Cert=\"%3D%3Dabc%0Ade%3D\"", headers.get_("x-forwarded-client-cert")); } 
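Review bot: Neither updated test exercises the new branch in conn_manager_utility.cc where `urlEncodedPemEncodedPeerCertificate()` returns "" and the `Cert` element must be omitted — which differs from `SAN=`, which is always emitted even when empty. Add a case with `Cert` in `details`, `EXPECT_CALL(ssl, urlEncodedPemEncodedPeerCertificate()).WillOnce(Return(""));`, and an expected header that ends at `SAN=test://foo.com/fe` with no `;Cert=` suffix, so the omit-when-empty behavior is pinned.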
@@ -513,7 +515,7 @@ TEST_F(ConnectionManagerUtilityTest, MtlsAppendForwardClientCertLocalSanEmpty) { NiceMock ssl; ON_CALL(ssl, peerCertificatePresented()).WillByDefault(Return(true)); EXPECT_CALL(ssl, uriSanLocalCertificate()).WillOnce(Return("")); - EXPECT_CALL(ssl, sha256PeerCertificateDigest()).Times(2).WillRepeatedly(Return("abcdefg")); + EXPECT_CALL(ssl, sha256PeerCertificateDigest()).WillOnce(Return("abcdefg")); EXPECT_CALL(ssl, uriSanPeerCertificate()).WillOnce(Return("test://foo.com/fe")); ON_CALL(connection_, ssl()).WillByDefault(Return(&ssl)); ON_CALL(config_, forwardClientCert()) 
@@ -539,17 +541,19 @@ TEST_F(ConnectionManagerUtilityTest, MtlsAppendForwardClientCertLocalSanEmpty) { TEST_F(ConnectionManagerUtilityTest, MtlsSanitizeSetClientCert) { NiceMock ssl; ON_CALL(ssl, peerCertificatePresented()).WillByDefault(Return(true)); - EXPECT_CALL(ssl, uriSanLocalCertificate()).Times(2).WillRepeatedly(Return("test://foo.com/be")); - EXPECT_CALL(ssl, sha256PeerCertificateDigest()).Times(2).WillRepeatedly(Return("abcdefg")); + EXPECT_CALL(ssl, uriSanLocalCertificate()).WillOnce(Return("test://foo.com/be")); + EXPECT_CALL(ssl, sha256PeerCertificateDigest()).WillOnce(Return("abcdefg")); EXPECT_CALL(ssl, subjectPeerCertificate()) .WillOnce(Return("/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=test.lyft.com")); EXPECT_CALL(ssl, uriSanPeerCertificate()).WillOnce(Return("test://foo.com/fe")); + EXPECT_CALL(ssl, urlEncodedPemEncodedPeerCertificate()).WillOnce(Return("abcde=")); ON_CALL(connection_, ssl()).WillByDefault(Return(&ssl)); ON_CALL(config_, forwardClientCert()) .WillByDefault(Return(Http::ForwardClientCertType::SanitizeSet)); std::vector details = std::vector(); details.push_back(Http::ClientCertDetailsType::Subject); details.push_back(Http::ClientCertDetailsType::SAN); + details.push_back(Http::ClientCertDetailsType::Cert); ON_CALL(config_, setCurrentClientCertDetails()).WillByDefault(ReturnRef(details)); TestHeaderMapImpl headers{ {"x-forwarded-client-cert", "By=test://foo.com/fe;SAN=test://bar.com/be"}}; @@ -558,7 +562,7 @@ TEST_F(ConnectionManagerUtilityTest, MtlsSanitizeSetClientCert) { callMutateRequestHeaders(headers, Protocol::Http2)); EXPECT_TRUE(headers.has("x-forwarded-client-cert")); EXPECT_EQ("By=test://foo.com/be;Hash=abcdefg;Subject=\"/C=US/ST=CA/L=San " - "Francisco/OU=Lyft/CN=test.lyft.com\";SAN=test://foo.com/fe", + "Francisco/OU=Lyft/CN=test.lyft.com\";SAN=test://foo.com/fe;Cert=\"abcde=\"", headers.get_("x-forwarded-client-cert")); } 
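Review bot: The mock here returns `"abcde="` for `urlEncodedPemEncodedPeerCertificate()`, a value the real implementation can never produce since it percent-encodes `=` to `%3D`; the test then asserts a raw `=` inside the quoted `Cert` value, which enshrines a non-conforming fixture. Use `"abcde%3D"` (and the matching expected string) so the fixture reflects the encoding contract, as the other test in this file already does with `"%3D%3Dabc%0Ade%3D"`.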
@@ -569,8 +573,8 @@ TEST_F(ConnectionManagerUtilityTest, MtlsSanitizeSetClientCert) { TEST_F(ConnectionManagerUtilityTest, MtlsSanitizeSetClientCertPeerSanEmpty) { NiceMock ssl; ON_CALL(ssl, peerCertificatePresented()).WillByDefault(Return(true)); - EXPECT_CALL(ssl, uriSanLocalCertificate()).Times(2).WillRepeatedly(Return("test://foo.com/be")); - EXPECT_CALL(ssl, sha256PeerCertificateDigest()).Times(2).WillRepeatedly(Return("abcdefg")); + EXPECT_CALL(ssl, uriSanLocalCertificate()).WillOnce(Return("test://foo.com/be")); + EXPECT_CALL(ssl, sha256PeerCertificateDigest()).WillOnce(Return("abcdefg")); EXPECT_CALL(ssl, subjectPeerCertificate()) .WillOnce(Return("/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=test.lyft.com")); EXPECT_CALL(ssl, uriSanPeerCertificate()).WillOnce(Return("")); diff --git a/test/common/ssl/ssl_socket_test.cc b/test/common/ssl/ssl_socket_test.cc index e5f321e79cc6..fd81a8143a01 100644 --- a/test/common/ssl/ssl_socket_test.cc +++ b/test/common/ssl/ssl_socket_test.cc @@ -42,8 +42,9 @@ namespace { void testUtil(const std::string& client_ctx_json, const std::string& server_ctx_json, const std::string& expected_digest, const std::string& expected_uri, const std::string& expected_local_uri, const std::string& expected_subject, - const std::string& expected_local_subject, const std::string& expected_stats, - bool expect_success, const Network::Address::IpVersion version) { + const std::string& expected_local_subject, const std::string& expected_peer_cert, + const std::string& expected_stats, bool expect_success, + const Network::Address::IpVersion version) { Stats::IsolatedStoreImpl stats_store; Runtime::MockLoader runtime; 
@@ -97,6 +98,10 @@ void testUtil(const std::string& client_ctx_json, const std::string& server_ctx_ if (!expected_local_subject.empty()) { EXPECT_EQ(expected_local_subject, server_connection->ssl()->subjectLocalCertificate()); } + if (!expected_peer_cert.empty()) { + EXPECT_EQ(expected_peer_cert, + server_connection->ssl()->urlEncodedPemEncodedPeerCertificate()); + } server_connection->close(Network::ConnectionCloseType::NoFlush); client_connection->close(Network::ConnectionCloseType::NoFlush); dispatcher.exit(); @@ -268,7 +273,7 @@ TEST_P(SslSocketTest, GetCertDigest) { )EOF"; testUtil(client_ctx_json, server_ctx_json, - "4444fbca965d916475f04fb4dd234dd556adb028ceb4300fa8ad6f2983c6aaa3", "", "", "", "", + "4444fbca965d916475f04fb4dd234dd556adb028ceb4300fa8ad6f2983c6aaa3", "", "", "", "", "", "ssl.handshake", true, GetParam()); } @@ -428,7 +433,7 @@ TEST_P(SslSocketTest, GetCertDigestServerCertWithIntermediateCA) { )EOF"; testUtil(client_ctx_json, server_ctx_json, - "4444fbca965d916475f04fb4dd234dd556adb028ceb4300fa8ad6f2983c6aaa3", "", "", "", "", + "4444fbca965d916475f04fb4dd234dd556adb028ceb4300fa8ad6f2983c6aaa3", "", "", "", "", "", "ssl.handshake", true, GetParam()); } @@ -449,7 +454,7 @@ TEST_P(SslSocketTest, GetCertDigestServerCertWithoutCommonName) { )EOF"; testUtil(client_ctx_json, server_ctx_json, - "4444fbca965d916475f04fb4dd234dd556adb028ceb4300fa8ad6f2983c6aaa3", "", "", "", "", + "4444fbca965d916475f04fb4dd234dd556adb028ceb4300fa8ad6f2983c6aaa3", "", "", "", "", "", "ssl.handshake", true, GetParam()); } @@ -470,7 +475,7 @@ TEST_P(SslSocketTest, GetUriWithUriSan) { } )EOF"; - testUtil(client_ctx_json, server_ctx_json, "", "spiffe://lyft.com/test-team", "", "", "", + testUtil(client_ctx_json, server_ctx_json, "", "spiffe://lyft.com/test-team", "", "", "", "", "ssl.handshake", true, GetParam()); } 
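Review bot: The added `if (!expected_peer_cert.empty())` guard means the "" result for the no-peer-certificate path is never asserted: every caller that passes "" here (including `NoCert`) simply skips the check, so a regression that returned garbage when no client certificate is presented would go unnoticed. The guard is needed because tests such as `GetCertDigest` do present a client cert but pass "" for this argument, so rather than making the check unconditional I would add an explicit `EXPECT_EQ("", server_connection->ssl()->urlEncodedPemEncodedPeerCertificate());` in a no-client-cert test, or give `testUtil` a separate flag for "expect no peer cert". `testUtil`'s body continues outside this hunk.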
@@ -491,7 +496,8 @@ TEST_P(SslSocketTest, GetNoUriWithDnsSan) { )EOF"; // The SAN field only has DNS, expect "" for uriSanPeerCertificate(). - testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "ssl.handshake", true, GetParam()); + testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "", "ssl.handshake", true, + GetParam()); } TEST_P(SslSocketTest, NoCert) { @@ -504,7 +510,7 @@ TEST_P(SslSocketTest, NoCert) { } )EOF"; - testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "ssl.no_certificate", true, + testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "", "ssl.no_certificate", true, GetParam()); } @@ -524,7 +530,7 @@ TEST_P(SslSocketTest, GetUriWithLocalUriSan) { } )EOF"; - testUtil(client_ctx_json, server_ctx_json, "", "", "spiffe://lyft.com/test-team", "", "", + testUtil(client_ctx_json, server_ctx_json, "", "", "spiffe://lyft.com/test-team", "", "", "", "ssl.handshake", true, GetParam()); } 
@@ -547,7 +553,48 @@ TEST_P(SslSocketTest, GetSubjectsWithBothCerts) { testUtil(client_ctx_json, server_ctx_json, "", "", "", "CN=Test Server,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US", + "CN=Test Server,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US", "", + "ssl.handshake", true, GetParam()); +} + +TEST_P(SslSocketTest, GetPeerCert) { + std::string client_ctx_json = R"EOF( + { + "cert_chain_file": "{{ test_rundir }}/test/common/ssl/test_data/no_san_cert.pem", + "private_key_file": "{{ test_rundir }}/test/common/ssl/test_data/no_san_key.pem" + } + )EOF"; + + std::string server_ctx_json = R"EOF( + { + "cert_chain_file": "{{ test_rundir }}/test/common/ssl/test_data/san_uri_cert.pem", + "private_key_file": "{{ test_rundir }}/test/common/ssl/test_data/san_uri_key.pem", + "ca_cert_file": "{{ test_rundir }}/test/common/ssl/test_data/ca_cert.pem", + "require_client_certificate": true + } + )EOF"; + + testUtil(client_ctx_json, server_ctx_json, "", "", "", "CN=Test Server,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US", + "CN=Test Server,OU=Lyft Engineering,O=Lyft,L=San Francisco,ST=California,C=US", + "-----BEGIN%20CERTIFICATE-----%0A" + "MIIC6jCCAlOgAwIBAgIJAPOCjrJP13nPMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV%0A" + "BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNp%0A" + "c2NvMQ0wCwYDVQQKEwRMeWZ0MRkwFwYDVQQLExBMeWZ0IEVuZ2luZWVyaW5nMRAw%0A" + "DgYDVQQDEwdUZXN0IENBMB4XDTE3MDcwOTAxMzkzMloXDTE5MDcwOTAxMzkzMlow%0A" + "ejELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh%0A" + "biBGcmFuY2lzY28xDTALBgNVBAoTBEx5ZnQxGTAXBgNVBAsTEEx5ZnQgRW5naW5l%0A" + "ZXJpbmcxFDASBgNVBAMTC1Rlc3QgU2VydmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GN%0A" + "ADCBiQKBgQDf1VIHYrJdYK8EfmABALrN%2F4sD38I%2FJqWsxMHHwf7CGwktBMDDY3C2%0A" + "DHHJ7Y2h4xa04jJ6tCMHF9qIzIRtgbhpwGMb%2FBcJVat6cGGKMfCSxqrYHyXo%2FEY7%0A" + "g7qJOMzW4ds6L787auhLsZHU8Mf9XF9vMrPyZ0EwM8Cehxz9JW2tAQIDAQABo3ww%0A" + "ejAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD%0A" + 
"AgYIKwYBBQUHAwEwHQYDVR0OBBYEFAWIhh5J7hfKJcdpsJz4oM0VqXIWMB8GA1Ud%0A" + "IwQYMBaAFDt4pFFPFoSTHEgoegytK5ZByn15MA0GCSqGSIb3DQEBCwUAA4GBAI2q%0A" + "KKsieXM9jr8Zthls1W83YIcquaO9XLnKFRZwfQk4yU3t7erQwAroq9wXm6T6NS23%0A" + "oHhHNYIF91JP%2BA9jcY2rJCTKibTUk21mVxrmr9qxKhAPJyhWoaAnEoVBgU9R9%2Bos%0A" + "ARHpgiMhyCDvnWCdHY5Y64oVyiWdL9aHv5s82GrV%0A" + "-----END%20CERTIFICATE-----%0A", "ssl.handshake", true, GetParam()); } @@ -563,8 +610,8 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerificationNoClientCert) { } )EOF"; - testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "ssl.fail_verify_no_cert", false, - GetParam()); + testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "", "ssl.fail_verify_no_cert", + false, GetParam()); } TEST_P(SslSocketTest, FailedClientAuthCaVerification) { @@ -583,7 +630,7 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerification) { } )EOF"; - testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "ssl.fail_verify_error", false, + testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "", "ssl.fail_verify_error", false, GetParam()); } @@ -599,8 +646,8 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerificationNoClientCert) { } )EOF"; - testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "ssl.fail_verify_no_cert", false, - GetParam()); + testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "", "ssl.fail_verify_no_cert", + false, GetParam()); } TEST_P(SslSocketTest, FailedClientAuthSanVerification) { @@ -620,7 +667,7 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerification) { } )EOF"; - testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "ssl.fail_verify_san", false, + testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "", "ssl.fail_verify_san", false, GetParam()); } 
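Review bot: `GetPeerCert` hard-codes the full percent-encoded PEM of `no_san_cert.pem` inline as the expected value, so the test silently breaks the next time the test certificates are regenerated, and it duplicates a fixture that already exists on disk. Reading `test_data/no_san_cert.pem` and applying the same five replacements would keep the assertion tied to the fixture rather than to a snapshot; if the point is to pin the exact encoding, a short synthetic check of the five escaped characters would do that more clearly. Regeneration is also not hypothetical: if I am reading the encoded validity correctly the embedded certificate's notAfter is in 2019, after which the `require_client_certificate` handshake in this test would fail regardless of the encoding check.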
@@ -636,8 +683,8 @@ TEST_P(SslSocketTest, FailedClientAuthHashVerificationNoClientCert) { } )EOF"; - testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "ssl.fail_verify_no_cert", false, - GetParam()); + testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "", "ssl.fail_verify_no_cert", + false, GetParam()); } TEST_P(SslSocketTest, FailedClientAuthHashVerification) { @@ -657,8 +704,8 @@ TEST_P(SslSocketTest, FailedClientAuthHashVerification) { } )EOF"; - testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "ssl.fail_verify_cert_hash", false, - GetParam()); + testUtil(client_ctx_json, server_ctx_json, "", "", "", "", "", "", "ssl.fail_verify_cert_hash", + false, GetParam()); } // Make sure that we do not flush code and do an immediate close if we have not completed the diff --git a/test/mocks/ssl/mocks.h b/test/mocks/ssl/mocks.h index a0d199b56b6f..567f8cfad90a 100644 --- a/test/mocks/ssl/mocks.h +++ b/test/mocks/ssl/mocks.h @@ -54,6 +54,7 @@ class MockConnection : public Connection { MOCK_CONST_METHOD0(subjectPeerCertificate, std::string()); MOCK_METHOD0(uriSanPeerCertificate, std::string()); MOCK_CONST_METHOD0(subjectLocalCertificate, std::string()); + MOCK_CONST_METHOD0(urlEncodedPemEncodedPeerCertificate, std::string()); }; class MockClientContext : public ClientContext {