/// <summary>
/// Test fixture set-up: references the current user's personal certificate store
/// (<see cref="StoreName.My"/>) and removes any identities left behind under the
/// client and server labels, so every test starts from a clean store.
/// </summary>
public TLSIdentityTest()
#endif
{
    // Shared by every test in this fixture; released in Dispose(bool).
    _store = new X509Store(StoreName.My);
    // Stale identities are removed up front because creating an identity under a
    // label that is already occupied is rejected as a duplicate, which would make an
    // aborted earlier run poison the next one.
    TLSIdentity.DeleteIdentity(_store, ClientCertLabel, null);
    TLSIdentity.DeleteIdentity(_store, ServerCertLabel, null);
}
/// <summary>
/// Checks how <c>URLEndpointListener.TlsIdentity</c> is exposed in three configurations:
/// TLS off (always null), TLS on with an anonymous identity (non-null only while running),
/// and TLS on with an identity supplied through the configuration (equal to the configured
/// identity while running). In every case the property is null again after Stop().
/// </summary>
public void TestTLSIdentity()
{
    // 1. TLS disabled: no identity before or after Stop().
    _listener = CreateListener(false);
    _listener.TlsIdentity.Should().BeNull();
    _listener.Stop();
    _listener.TlsIdentity.Should().BeNull();

    // 2. TLS enabled with an anonymous identity: present only while running.
    _listener = CreateListener(true);
    _listener.TlsIdentity.Should().NotBeNull();
    _listener.Stop();
    _listener.TlsIdentity.Should().BeNull();

    // 3. TLS enabled with an identity created by the test.
    TLSIdentity.DeleteIdentity(_store, ServerCertLabel, null);
    Dictionary<string, string> subject = new Dictionary<string, string>
    {
        [Certificate.CommonNameAttribute] = "CBL-Server",
    };
    // NOTE(review): the identity is created with isServer == false yet installed as the
    // listener's server identity; confirm whether the flag should be true here.
    TLSIdentity serverIdentity = TLSIdentity.CreateIdentity(false, subject, null, _store, ServerCertLabel, null);
    var listenerConfig = CreateListenerConfig(true, true, null, serverIdentity);
    _listener = new URLEndpointListener(listenerConfig);

    // Not exposed until the listener has actually been started.
    _listener.TlsIdentity.Should().BeNull();
    _listener.Start();
    _listener.TlsIdentity.Should().NotBeNull();
    _listener.TlsIdentity.Should().BeEquivalentTo(listenerConfig.TlsIdentity);
    _listener.Stop();
    _listener.TlsIdentity.Should().BeNull();
}
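/// <summary>
/// Creates a server identity whose certificate is requested to expire five minutes from
/// now and checks that the reported <c>Expiration</c> lies in the (0, 5 min] window:
/// not already expired, and no later than what was requested.
/// </summary>
public void TestCertificateExpiration()
{
    // Start from a clean store so CreateIdentity cannot hit a duplicate label.
    TLSIdentity.DeleteIdentity(_store, ServerCertLabel, null);
    TLSIdentity.GetIdentity(_store, ServerCertLabel, null).Should().BeNull();

    var requestedExpiry = DateTimeOffset.UtcNow.AddMinutes(5);
    var attributes = new Dictionary<string, string>
    {
        [Certificate.CommonNameAttribute] = "CA-P2PTest",
    };
    var id = TLSIdentity.CreateIdentity(true, attributes, requestedExpiry, _store, ServerCertLabel, null);

    // Read the clock once so both bounds are judged against the same instant.
    var remaining = id.Expiration - DateTimeOffset.UtcNow;
    // Compare against Zero, not TimeSpan.MinValue: every TimeSpan exceeds MinValue, so
    // that comparison is vacuous and would never catch an already-expired certificate.
    remaining.Should().BeGreaterThan(TimeSpan.Zero);
    remaining.Should().BeLessOrEqualTo(TimeSpan.FromMinutes(5));

    TLSIdentity.DeleteIdentity(_store, ServerCertLabel, null);
}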
/// <summary>
/// CreateIdentity must refuse an empty or a null attribute set (there would be no subject
/// to put in the certificate) by throwing <c>CouchbaseLiteException</c>.
/// </summary>
public void TestCreateIdentityWithNoAttributesOrEmptyAttributes()
{
    // Make sure nothing is stored under the server label before we start.
    TLSIdentity.DeleteIdentity(_store, ServerCertLabel, null);
    TLSIdentity.GetIdentity(_store, ServerCertLabel, null).Should().BeNull();

    // NOTE(review): the argument handed to Throw<T>() is FluentAssertions' "because"
    // reason, not an expected message, so the exception text itself is not checked here;
    // `.Throw<CouchbaseLiteException>().WithMessage(...)` would pin it.
    Action createWithEmptyAttributes = () =>
        TLSIdentity.CreateIdentity(true, new Dictionary<string, string>(), null, _store, ServerCertLabel, null);
    createWithEmptyAttributes.Should()
        .Throw<CouchbaseLiteException>(CouchbaseLiteErrorMessage.CreateCertAttributeEmpty);

    Action createWithNullAttributes = () =>
        TLSIdentity.CreateIdentity(true, null, null, _store, ServerCertLabel, null);
    createWithNullAttributes.Should()
        .Throw<CouchbaseLiteException>(CouchbaseLiteErrorMessage.CreateCertAttributeEmpty);
}
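/// <summary>
/// Releases the fixture: lets the base class clean up first (it may still hold the
/// listener that uses the server identity), then removes both test identities from the
/// personal certificate store and disposes the store handle.
/// </summary>
/// <param name="disposing">
/// true when called from Dispose(); false when called from a finalizer, in which case
/// managed objects such as <c>_store</c> must not be touched.
/// </param>
protected override void Dispose(bool disposing)
{
    try
    {
        base.Dispose(disposing);
    }
    finally
    {
        // Runs even if the base class throws, so test certificates never linger in the
        // user's personal store between runs.
        if (disposing)
        {
            TLSIdentity.DeleteIdentity(_store, ClientCertLabel, null);
            TLSIdentity.DeleteIdentity(_store, ServerCertLabel, null);
            _store.Dispose();
        }
    }
}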
/// <summary>
/// View-model for the listener page: sets the title, wires the start and broadcast
/// commands, and clears any stale listener identity from the personal certificate store.
/// </summary>
public ListenerViewModel()
{
    Title = "Listener";
    StartListenerCommand = new Command(() => ExecuteStartListenerCommand());
    BroadcastCommand = new Command(() => Broadcast());
    // NOTE(review): the store is assigned to the _store field but disposed as soon as this
    // block exits, so any later use of _store would be on a disposed object. If the field
    // is needed afterwards, the store should stay open and be disposed with the view-model;
    // if not, a local would do — confirm against the other uses of _store.
    using (_store = new X509Store(StoreName.My))
    {
        // Remove whatever identity a previous run left under the listener label.
        TLSIdentity.DeleteIdentity(_store, ListenerCertLabel, null);
    }
}
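/// <summary>
/// Imports a PKCS#12 identity from the embedded <c>client.p12</c> resource under the
/// server label, starts a TLS listener with it, and verifies that a push/pull replication
/// pinning that certificate (<c>Certs[0]</c>) succeeds.
/// </summary>
public void TestListenerWithImportIdentity()
{
    byte[] identityData;
    using (var stream = typeof(URLEndpointListenerTest).Assembly.GetManifestResourceStream("client.p12"))
    using (var reader = new BinaryReader(stream))
    {
        identityData = reader.ReadBytes((int)stream.Length);
    }

    // Clear both labels; the import below targets ServerCertLabel, so that one in
    // particular must be free (clearing only the client label leaves it unprotected).
    TLSIdentity.DeleteIdentity(_store, ServerCertLabel, null);
    TLSIdentity.DeleteIdentity(_store, ClientCertLabel, null);

    // "123" is the password of the test-fixture PKCS#12 file.
    var id = TLSIdentity.ImportIdentity(_store, identityData, "123", ServerCertLabel, null);

    var config = CreateListenerConfig(true, true, null, id);
    _listener = Listen(config);
    _listener.TlsIdentity.Should().NotBeNull();

    using (var doc1 = new MutableDocument("doc1"))
    {
        doc1.SetString("name", "Sam");
        Db.Save(doc1);
    }

    OtherDb.Count.Should().Be(0);
    RunReplication(
        _listener.LocalEndpoint(),
        ReplicatorType.PushAndPull,
        false,
        null,                            // authenticator: none
        false,                           // accept only self-signed server cert: no
        _listener.TlsIdentity.Certs[0],  // pinned server certificate
        0,                               // expected error code: none
        0                                // expected error type: none
    );
    OtherDb.Count.Should().Be(1);

    _listener.Stop();
}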
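/// <summary>
/// Negative path for root-certificate based client authentication: the listener trusts
/// only the CA in <c>client-ca.der</c>, so a locally created client identity ("daniel")
/// that was not issued by that CA must be rejected during the TLS handshake.
/// </summary>
public void TestClientCertAuthRootCertsError()
{
    byte[] caData;
    using (var stream = typeof(URLEndpointListenerTest).Assembly.GetManifestResourceStream("client-ca.der"))
    using (var reader = new BinaryReader(stream))
    {
        caData = reader.ReadBytes((int)stream.Length);
    }

    // X509Certificate2 owns native handles; dispose it once the listener is done with it.
    using (var rootCert = new X509Certificate2(caData))
    {
        var auth = new ListenerCertificateAuthenticator(new X509Certificate2Collection(rootCert));
        _listener = CreateListener(true, true, auth);

        // A client identity the trusted CA did not issue.
        TLSIdentity.DeleteIdentity(_store, ClientCertLabel, null);
        var wrongClient = TLSIdentity.CreateIdentity(false,
            new Dictionary<string, string> { [Certificate.CommonNameAttribute] = "daniel" },
            null, _store, ClientCertLabel, null);
        wrongClient.Should().NotBeNull();

        RunReplication(
            _listener.LocalEndpoint(),
            ReplicatorType.PushAndPull,
            false,
            new ClientCertificateAuthenticator(wrongClient),
            true,
            _listener.TlsIdentity.Certs[0],
            // Surfaces as a generic handshake failure rather than TLSClientCertRejected
            // (the original comment attributes this to behaviour seen on mac).
            (int)CouchbaseLiteError.TLSHandshakeFailed,
            CouchbaseLiteErrorType.CouchbaseLite
        );

        TLSIdentity.DeleteIdentity(_store, ClientCertLabel, null);
        _listener.Stop();
    }
}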
/// <summary>
/// Round-trips an identity through the store: after Delete the label is absent, Create
/// yields a single-certificate identity whose certificate is present in the store, Get
/// returns the same shape, and Delete removes it again.
/// </summary>
/// <param name="isServer">true to exercise the server label and common name, false for the client ones.</param>
private void CreateGetDeleteServerIdentity(bool isServer)
{
    var commonName = isServer ? "CBL-Server" : "CBL-Client";
    var label = isServer ? ServerCertLabel : ClientCertLabel;

    // Shared expectation for an identity that is supposed to exist in the store.
    Action<TLSIdentity> assertStored = stored =>
    {
        stored.Should().NotBeNull();
        stored.Certs.Count.Should().Be(1);
        ValidateCertsInStore(stored.Certs, _store).Should().BeTrue();
    };

    TLSIdentity.DeleteIdentity(_store, label, null);
    TLSIdentity.GetIdentity(_store, label, null).Should().BeNull();

    var attributes = new Dictionary<string, string> { [Certificate.CommonNameAttribute] = commonName };
    assertStored(TLSIdentity.CreateIdentity(isServer, attributes, null, _store, label, null));
    assertStored(TLSIdentity.GetIdentity(_store, label, null));

    TLSIdentity.DeleteIdentity(_store, label, null);
    TLSIdentity.GetIdentity(_store, label, null).Should().BeNull();
}
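/// <summary>
/// Positive path for root-certificate based client authentication: the listener trusts
/// the CA in <c>client-ca.der</c>, and a client identity imported from <c>client.p12</c>
/// (presumably issued by that CA) replicates successfully against the pinned server cert.
/// </summary>
public void TestClientCertAuthenticatorRootCerts()
{
    // Reads an embedded resource fully into memory.
    Func<string, byte[]> readResource = name =>
    {
        using (var stream = typeof(URLEndpointListenerTest).Assembly.GetManifestResourceStream(name))
        using (var reader = new BinaryReader(stream))
        {
            return reader.ReadBytes((int)stream.Length);
        }
    };

    var caData = readResource("client-ca.der");
    var clientData = readResource("client.p12");

    // X509Certificate2 owns native handles; dispose it once the listener is done with it.
    using (var rootCert = new X509Certificate2(caData))
    {
        var auth = new ListenerCertificateAuthenticator(new X509Certificate2Collection(rootCert));
        _listener = CreateListener(true, true, auth);
        var serverCert = _listener.TlsIdentity.Certs[0];

        TLSIdentity.DeleteIdentity(_store, ClientCertLabel, null);
        // "123" is the password of the test-fixture PKCS#12 file.
        var clientIdentity = TLSIdentity.ImportIdentity(_store, clientData, "123", ClientCertLabel, null);

        RunReplication(
            _listener.LocalEndpoint(),
            ReplicatorType.PushAndPull,
            false,
            new ClientCertificateAuthenticator(clientIdentity),
            true,
            serverCert,
            0,  // expected error code: none
            0   // expected error type: none
        );

        TLSIdentity.DeleteIdentity(_store, ClientCertLabel, null);
        _listener.Stop();
    }
}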
/// <summary>
/// GetIdentity(certificates) must resolve an identity from the certificate collection
/// of an identity that was just created in the store.
/// </summary>
public void TestGetIdentityWithCertCollection()
{
    TLSIdentity.DeleteIdentity(_store, ClientCertLabel, null);

    var created = TLSIdentity.CreateIdentity(false,
        new Dictionary<string, string> { [Certificate.CommonNameAttribute] = "CA-P2PTest1" },
        null, _store, ClientCertLabel, null);

    // Look the identity up by its certificates rather than by store and label.
    var resolved = TLSIdentity.GetIdentity(created.Certs);
    resolved.Should().NotBeNull();

    TLSIdentity.DeleteIdentity(_store, ClientCertLabel, null);
}
/// <summary>
/// Creating a second identity under a label that is already occupied must fail with a
/// <c>CouchbaseLiteException</c> (duplicate certificate).
/// </summary>
/// <param name="isServer">true to use the server label and common name, false for the client ones.</param>
private void CreateDuplicateServerIdentity(bool isServer)
{
    var label = isServer ? ServerCertLabel : ClientCertLabel;
    var attributes = new Dictionary<string, string>
    {
        [Certificate.CommonNameAttribute] = isServer ? "CBL-Server" : "CBL-Client",
    };

    TLSIdentity.DeleteIdentity(_store, label, null);

    var first = TLSIdentity.CreateIdentity(isServer, attributes, null, _store, label, null);
    first.Should().NotBeNull();
    first.Certs.Count.Should().Be(1);

    // Get - still to be investigated: this lookup raised
    // "CryptographicException: Invalid provider type specified".
    //first = TLSIdentity.GetIdentity(_store, label, null);
    //first.Should().NotBeNull();

    // The same label again must be refused.
    Action createAgain = () => TLSIdentity.CreateIdentity(isServer, attributes, null, _store, label, null);
    // NOTE(review): the argument handed to Throw<T>() is FluentAssertions' "because"
    // reason, not an expected message, so the exception text itself is not checked here;
    // `.Throw<CouchbaseLiteException>().WithMessage(...)` would pin it.
    createAgain.Should().Throw<CouchbaseLiteException>(CouchbaseLiteErrorMessage.DuplicateCertificate);
}
/// <summary>
/// Callback-based client authentication: a callback that accepts exactly one certificate
/// with subject CN "daniel" lets the matching client replicate, while sending no client
/// certificate, or using a callback that never accepts, ends in a TLS handshake failure.
/// </summary>
public void TestClientCertAuthWithCallback()
{
    // Accepts only a single-certificate chain whose subject CN is "daniel".
    // This inspects the subject string alone (any issuer); it suits a test but is not
    // a substitute for chain validation in production authenticators.
    var acceptDaniel = new ListenerCertificateAuthenticator((sender, certs) =>
        certs.Count == 1 && certs[0].SubjectName.Name?.Replace("CN=", "") == "daniel");

    // Never accepts anything: a 100-certificate chain is not going to show up.
    var rejectAll = new ListenerCertificateAuthenticator((sender, certs) => certs.Count == 100);

    _listener = CreateListener(true, true, acceptDaniel);

    TLSIdentity.DeleteIdentity(_store, ClientCertLabel, null);
    var danielIdentity = TLSIdentity.CreateIdentity(false,
        new Dictionary<string, string> { [Certificate.CommonNameAttribute] = "daniel" },
        null, _store, ClientCertLabel, null);
    var serverCert = _listener.TlsIdentity.Certs[0];

    // Matching client certificate: replication succeeds.
    RunReplication(_listener.LocalEndpoint(), ReplicatorType.PushAndPull, false,
        new ClientCertificateAuthenticator(danielIdentity), false, serverCert, 0, 0);

    // No client certificate at all: the handshake fails.
    RunReplication(_listener.LocalEndpoint(), ReplicatorType.PushAndPull, false,
        null, false, serverCert,
        (int)CouchbaseLiteError.TLSHandshakeFailed, CouchbaseLiteErrorType.CouchbaseLite);
    _listener.Stop();

    // Callback that rejects everything: the otherwise valid client certificate is refused.
    // NOTE(review): this second listener is not stopped here; presumably the fixture's
    // Dispose takes care of it — confirm.
    _listener = CreateListener(true, true, rejectAll);
    RunReplication(_listener.LocalEndpoint(), ReplicatorType.PushAndPull, false,
        new ClientCertificateAuthenticator(danielIdentity), false, _listener.TlsIdentity.Certs[0],
        (int)CouchbaseLiteError.TLSHandshakeFailed, CouchbaseLiteErrorType.CouchbaseLite);

    TLSIdentity.DeleteIdentity(_store, ClientCertLabel, null);
}