Added two tests for Verifier, covering Tofu success cases.

TODO: implement failing tests and check that the proper errors are returned.
2023-05-26 18:58:38 -04:00 · 2023-05-26 18:58:38 -04:00 · 799ff9ef17
commit 799ff9ef17
parent 6e5ba46c26
2 changed files with 35 additions and 3 deletions
--- a/src/sender/verifier.rs
+++ b/src/sender/verifier.rs
@ -13,7 +13,21 @@ use {

 #[derive(Debug)]
 /// A verifier is used to verify certificates sent by the receiving server
-/// during the tls handshake.
+/// during the tls handshake. For convenience the [CertificateStore] trait
+/// is implemented for [std::collections::HashMap<String, String>] and
+/// [std::collections::BTreeMap<String, String>], so a Verifier can easily
+/// be constructed from those types.
+///
+/// This type is passed to [rustls::client::DangerousClientConfig::set_certificate_verifier]
+/// in order to allow Tofu certificate validation.
+/// # Examples
+/// Create a Verifier from a HashMap
+/// ```
+/// use std::collections::HashMap;
+/// use dory::prelude::{CertificateStore, Verifier};
+///
+/// let verifier: Verifier<HashMap<String, String>> = HashMap::new().into();
+/// ```
 pub struct Verifier<S: CertificateStore> {
    /// An item which serves as storage for certificates
    pub store: Arc<Mutex<S>>,
@ -86,6 +100,8 @@ mod tests {
    use super::*;

    const CERT: &[u8] = include_bytes!("../../test/certificates/gemini.example.org/cert.der");
+    const FP: &'static str =
+        include_str!("../../test/certificates/gemini.example.org/fingerprint.txt");

    #[test]
    fn tofu() {
@ -93,7 +109,22 @@ mod tests {
        let cert = rustls::Certificate(CERT.into());
        let name = rustls::ServerName::try_from("gemini.example.org").unwrap();
        let now = time::SystemTime::now();
-        let mut scts: Vec<&[u8]> = vec![];
-        let res = verifier.verify_server_cert(&cert, &[], &name, &mut scts.iter(), &[], now);
+        let scts: Vec<&[u8]> = vec![];
+        let res =
+            verifier.verify_server_cert(&cert, &[], &name, &mut scts.iter().copied(), &[], now);
+        assert!(res.is_ok());
+    }
+
+    #[test]
+    fn verify_previously_trusted() {
+        let verifier: Verifier<HashMap<String, String>> =
+            HashMap::from([("gemini.example.org".to_string(), FP.to_string())]).into();
+        let cert = rustls::Certificate(CERT.into());
+        let name = rustls::ServerName::try_from("gemini.example.org").unwrap();
+        let now = time::SystemTime::now();
+        let scts: Vec<&[u8]> = vec![];
+        let res =
+            verifier.verify_server_cert(&cert, &[], &name, &mut scts.iter().copied(), &[], now);
+        assert!(res.is_ok());
    }
 }
--- a/test/certificates/gemini.example.org/fingerprint.txt
+++ b/test/certificates/gemini.example.org/fingerprint.txt
@ -0,0 +1 @@
+018a3210fe625b380e2021c1c3a5a6b0092f105e9350b62b72b97b73206fee69
				`@ -0,0 +1 @@`
				`018a3210fe625b380e2021c1c3a5a6b0092f105e9350b62b72b97b73206fee69`