ss: add test for OS trust store mdoe

It's already the case that leaving off the "tls_trust_store" member of the streamtype definition in the policy causes the streamtype to validate its tls connections via the OS trust store, usually a bundle OpenSSL has been configured to load at init automagically, but also literally the OS trust store in windows case. Add tests to confirm that.
2025-03-09 00:00:04 +01:00 · 2021-04-13 05:10:20 +01:00 · 2021-04-13 05:10:20 +01:00 · 5e7617ae9e
commit 5e7617ae9e
parent 1367c11e1e
2 changed files with 24 additions and 5 deletions
--- a/lib/secure-streams/README.md
+++ b/lib/secure-streams/README.md
@ -371,6 +371,9 @@ for the normal payloads, as they can appear inside normal payload messages.
 The name of the trust store described in the `trust_stores` section to apply
 to validate the remote server cert.

+If missing and tls is enabled on the streamtype, then validation is
+attempted using the OS trust store, otherwise the connection fails.
+
 ### `use_auth`

 Indicate that the streamtype should use the named auth type from the `auth`
--- a/minimal-examples/secure-streams/minimal-secure-streams/minimal-secure-streams.c
+++ b/minimal-examples/secure-streams/minimal-secure-streams/minimal-secure-streams.c
@ -24,6 +24,8 @@
 #include <string.h>
 #include <signal.h>

+// #define FORCE_OS_TRUST_STORE
+
 /*
 * uncomment to force network traffic through 127.0.0.1:1080
 *
@ -38,7 +40,7 @@
 // #define VIA_LOCALHOST_SOCKS

 static int interrupted, bad = 1, force_cpd_fail_portal,
-	   force_cpd_fail_no_internet, test_respmap, test_blob;
+	   force_cpd_fail_no_internet, test_respmap, test_blob, test_ots;
 static unsigned int timeout_ms = 3000;
 static lws_state_notify_link_t nl;

@ -82,6 +84,7 @@ static const char * const default_ss_policy =
 		 * We fetch the real policy from there using SS and switch to
 		 * using that.
 		 */
+#if !defined(FORCE_OS_TRUST_STORE)
 		"{\"dst_root_x3\": \""
 	"MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/"
 	"MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT"
@ -102,14 +105,17 @@ static const char * const default_ss_policy =
 	"JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo"
 	"Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ"
 		"\"}"
+#endif
 	  "],"
 	  "\"trust_stores\": [" /* named cert chains */
+#if !defined(FORCE_OS_TRUST_STORE)
 		"{"
 			"\"name\": \"le_via_dst\","
 			"\"stack\": ["
 				"\"dst_root_x3\""
 			"]"
 		"}"
+#endif
 	  "],"
 	  "\"s\": ["
 	  	/*
@ -129,8 +135,10 @@ static const char * const default_ss_policy =
 #endif
 			"\"tls\":"		"true,"
 			"\"opportunistic\":"	"true,"
-			"\"retry\":"		"\"default\","
-			"\"tls_trust_store\":"	"\"le_via_dst\""
+#if !defined(FORCE_OS_TRUST_STORE)
+			"\"tls_trust_store\":"	"\"le_via_dst\","
+#endif
+			"\"retry\":"		"\"default\""
 		"}},{"
 			/*
 			 * "captive_portal_detect" describes
@ -413,8 +421,9 @@ app_system_state_nf(lws_state_manager_t *mgr, lws_state_notify_link_t *link,
 			ssi.tx = myss_tx;
 			ssi.state = myss_state;
 			ssi.user_alloc = sizeof(myss_t);
-			ssi.streamtype = test_blob ? "bulkproxflow" :
-					(test_respmap ? "respmap" : "mintest");
+			ssi.streamtype = test_ots ? "mintest-ots" :
+					(test_blob ? "bulkproxflow" :
+					 (test_respmap ? "respmap" : "mintest"));

 			if (lws_ss_create(context, 0, &ssi, NULL, NULL,
 					  NULL, NULL)) {
@ -488,6 +497,13 @@ int main(int argc, const char **argv)
 	if (lws_cmdline_option(argc, argv, "--respmap"))
 		test_respmap = 1;

+	if (lws_cmdline_option(argc, argv, "--ots"))
+		/*
+		 * Use a streamtype that relies on the OS trust store for
+		 * validation
+		 */
+		test_ots = 1;
+
 	if ((p = lws_cmdline_option(argc, argv, "--timeout_ms")))
 		timeout_ms = (unsigned int)atoi(p);