From 443d13e9b2c127230fde2733959eaa4d41eb355d Mon Sep 17 00:00:00 2001
From: thekuwayama <thekuwayama@gmail.com>
Date: Tue, 31 Dec 2019 21:48:52 +0900
Subject: modify ossl_sslctx_add_certificate_chain_file() to raise Error and to
 return self

add test_add_certificate_chain_file_multiple_certs
---
 test/test_ssl.rb | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 75 insertions(+), 1 deletion(-)

(limited to 'test')

diff --git a/test/test_ssl.rb b/test/test_ssl.rb
index 07484769..cc89ab6e 100644
--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -194,7 +194,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     ctx_proc = -> ctx {
       # Unset values set by start_server
       ctx.cert = ctx.key = ctx.extra_chain_cert = nil
-      assert ctx.add_certificate_chain_file(certs.path, pkey.path)
+      assert_nothing_raised { ctx.add_certificate_chain_file(certs.path, pkey.path) }
     }
 
     start_server(ctx_proc: ctx_proc) { |port|
@@ -211,6 +211,80 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     pkey&.close
   end
 
+  def test_add_certificate_chain_file_multiple_certs
+    pend "EC is not supported" unless defined?(OpenSSL::PKey::EC)
+    pend "TLS 1.2 is not supported" unless tls12_supported?
+
+    # SSL_CTX_set0_chain() is needed for setting multiple certificate chains
+    add0_chain_supported = openssl?(1, 0, 2)
+
+    if add0_chain_supported
+      ca2_key = Fixtures.pkey("rsa2048")
+      ca2_exts = [
+        ["basicConstraints", "CA:TRUE", true],
+        ["keyUsage", "cRLSign, keyCertSign", true],
+      ]
+      ca2_dn = OpenSSL::X509::Name.parse_rfc2253("CN=CA2")
+      ca2_cert = issue_cert(ca2_dn, ca2_key, 123, ca2_exts, nil, nil)
+    else
+      # Use the same CA as @svr_cert
+      ca2_key = @ca_key; ca2_cert = @ca_cert
+    end
+
+    ecdsa_key = Fixtures.pkey("p256")
+    exts = [
+      ["keyUsage", "digitalSignature", false],
+    ]
+    ecdsa_dn = OpenSSL::X509::Name.parse_rfc2253("CN=localhost2")
+    ecdsa_cert = issue_cert(ecdsa_dn, ecdsa_key, 456, exts, ca2_cert, ca2_key)
+
+    # Create chain certificates file
+    GC.disable # for tempfile
+    certs1 = Tempfile.open { |f| f << @svr_cert.to_pem << @ca_cert.to_pem; f }
+    pkey1 = Tempfile.open { |f| f << @svr_key.to_pem; f }
+    certs2 = Tempfile.open { |f| f << ecdsa_cert.to_pem << ca2_cert.to_pem; f }
+    pkey2 = Tempfile.open { |f| f << ecdsa_key.to_pem; f }
+
+    ctx_proc = -> ctx {
+      # Unset values set by start_server
+      ctx.cert = ctx.key = ctx.extra_chain_cert = nil
+      ctx.ecdh_curves = "P-256" unless openssl?(1, 0, 2)
+      assert_nothing_raised {
+        ctx.add_certificate_chain_file(certs1.path, pkey1.path) # RSA
+        ctx.add_certificate_chain_file(certs2.path, pkey2.path) # ECDSA
+      }
+    }
+
+    start_server(ctx_proc: ctx_proc) do |port|
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.max_version = :TLS1_2
+      ctx.ciphers = "aRSA"
+      server_connect(port, ctx) { |ssl|
+        assert_equal @svr_cert.subject, ssl.peer_cert.subject
+        assert_equal [@svr_cert.subject, @ca_cert.subject],
+          ssl.peer_cert_chain.map(&:subject)
+
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+      }
+
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.max_version = :TLS1_2
+      ctx.ciphers = "aECDSA"
+      server_connect(port, ctx) { |ssl|
+        assert_equal ecdsa_cert.subject, ssl.peer_cert.subject
+        assert_equal [ecdsa_cert.subject, ca2_cert.subject],
+          ssl.peer_cert_chain.map(&:subject)
+
+        ssl.puts "123"; assert_equal "123\n", ssl.gets
+      }
+    end
+  ensure
+    certs1&.close
+    pkey1&.close
+    certs2&.close
+    pkey2&.close
+  end
+
   def test_sysread_and_syswrite
     start_server { |port|
       server_connect(port) { |ssl|
-- 
cgit v1.2.3