test: ✅ add client cert verification tests

Author: dergecko

README.md

@@ -2,6 +2,7 @@
 
 # test-certs
 A simple tool to generate a root certificate authority (CA), intermediate, client, and server certificates for testing purposes.
+This tool relies on [`rcgen`](https://docs.rs/rcgen/latest/rcgen/index.html) to generate x509 certificates.
 
 > This tool is not intended for production use. Please use a dedicated certificate infrastructure!
 

test-certs/Cargo.toml

@@ -22,7 +22,7 @@ clap-stdin = "0.5"
 
 [dev-dependencies]
 testdir = "0.9"
+rustls = "0.23"
 
 [lints]
 workspace = true
-

test-certs/src/configuration/certificates.rs

@@ -152,8 +152,25 @@ pub mod fixtures {
 
     use super::*;
 
+    /// Provides a [`CertificateRoot`] with a root ca, an intermediate ca, and a client cert.
+    pub fn ca_with_intermediate_and_client_certificate() -> CertificateRoot {
+        let certs = CertificateRoot {
+            certificates: HashMap::from([(
+                "root-ca".to_string(),
+                CertificateType::CertificateAuthority(CertificateAuthorityConfiguration {
+                    export_key: false,
+                    certificates: HashMap::from_iter([(
+                        "intermediate-ca".to_string(),
+                        ca_with_client_certificate_type(),
+                    )]),
+                }),
+            )]),
+        };
+        certs
+    }
+
     /// Provides a [`CertificateRoot`] with only one ca certificate.
-    pub fn single_ca_certificate() -> CertificateRoot {
+    pub fn ca_certificate() -> CertificateRoot {
         let certs = CertificateRoot {
             certificates: HashMap::from([(
                 "ca".to_string(),
@@ -172,7 +189,7 @@ pub mod fixtures {
     }
 
     /// Provides a [`CertificateRoot`] with only a client certificate.
-    pub fn single_client_certificate() -> CertificateRoot {
+    pub fn client_certificate() -> CertificateRoot {
         let certs = CertificateRoot {
             certificates: HashMap::from([("client".to_string(), client_certificate_type())]),
         };

test-certs/src/generation.rs

@@ -163,8 +163,15 @@ fn certificate_params(
 mod tests {
     use std::net::{IpAddr, Ipv4Addr};
 
-    use crate::configuration::certificates::fixtures::{
-        ca_certificate_type, client_certificate_type, server_certificate_type,
+    use rustls::{RootCertStore, pki_types::UnixTime, server::WebPkiClientVerifier};
+
+    use crate::{
+        configuration::certificates::fixtures::{
+            ca_certificate_type, ca_with_client_certificates,
+            ca_with_intermediate_and_client_certificate, client_certificate_type,
+            server_certificate_type,
+        },
+        generate,
     };
 
     use super::*;
@@ -220,5 +227,39 @@ mod tests {
         assert!(client_cert.issuer.is_none());
     }
 
-    // TODO: write test to check wether client/server certs are really issued by a ca
+    #[test]
+    fn should_verify_client_with_ca() {
+        let root = ca_with_client_certificates();
+        let mut certs = generate(&root).unwrap();
+        let ca = certs.pop().unwrap();
+        let client = certs.pop().unwrap();
+        let mut roots = RootCertStore::empty();
+        roots.add(ca.certificate.der().clone()).unwrap();
+
+        let client_verifier = WebPkiClientVerifier::builder(roots.into()).build().unwrap();
+        let result =
+            client_verifier.verify_client_cert(client.certificate.der(), &[], UnixTime::now());
+
+        assert!(result.is_ok());
+    }
+
+    #[test]
+    fn should_verify_client_with_intermediate_ca() {
+        let root = ca_with_intermediate_and_client_certificate();
+        let mut certs = generate(&root).unwrap();
+        let root_ca = certs.pop().unwrap();
+        let intermediate_ca = certs.pop().unwrap();
+        let client = certs.pop().unwrap();
+        let mut roots = RootCertStore::empty();
+        roots.add(root_ca.certificate.der().clone()).unwrap();
+
+        let client_verifier = WebPkiClientVerifier::builder(roots.into()).build().unwrap();
+        let result = client_verifier.verify_client_cert(
+            client.certificate.der(),
+            &[intermediate_ca.certificate.der().clone()],
+            UnixTime::now(),
+        );
+
+        assert!(result.is_ok());
+    }
 }