Wire OcspPeerVerify into the client-cert validation callback in TlsHelper so that, when the flag is set, the peer certificate's revocation status is checked online during validation. Add TlsHelper.BuildCertificateContext, which builds an SslStreamCertificateContext with offline:false so the runtime may fetch OCSP responses over the network and staple them during the TLS handshake. NatsServer applies the context at startup whenever OcspConfig.Mode is not Never. Ten unit tests cover the config defaults, the mode ordinals, and the null-return invariants of BuildCertificateContext; the handshake path itself (including what Must does when no staple is available) is not exercised by them.
using NATS.Server.Tls;
namespace NATS.Server.Tests;
/// <summary>
/// Unit tests for the OCSP stapling configuration surface: <see cref="OcspConfig"/> defaults,
/// the fixed ordinals of <see cref="OcspMode"/>, the <c>OcspPeerVerify</c> flag on
/// <see cref="NatsOptions"/>, and the cases in which
/// <see cref="TlsHelper.BuildCertificateContext"/> yields no certificate context at all.
/// </summary>
/// <remarks>
/// NOTE(review): every test here stays on the "no context" side of BuildCertificateContext.
/// Whether OcspMode.Must actually refuses a handshake when no stapled response is available,
/// and whether the OcspPeerVerify callback fails closed when the responder is unreachable
/// (rather than silently accepting the certificate), are not pinned by this file; confirm
/// both with an integration test against a real listener.
/// </remarks>
public class OcspStaplingTests
{
    // Placeholder certificate paths shared by the BuildCertificateContext tests. They exist only
    // to make HasTls true; the tests rely on the helper bailing out before these are opened.
    private const string CertPath = "server.pem";
    private const string KeyPath = "server-key.pem";

    /// <summary>
    /// Builds a <see cref="NatsOptions"/> with both TLS paths set and the given
    /// (possibly null) OCSP configuration.
    /// </summary>
    private static NatsOptions TlsOptionsWith(OcspConfig? ocsp) => new()
    {
        TlsCert = CertPath,
        TlsKey = KeyPath,
        OcspConfig = ocsp,
    };

    [Fact]
    public void OcspMode_Must_is_strictest()
    {
        // Only the round-trip through the property is observable here; the "strictest"
        // semantics (presumably rejecting a handshake without a fresh staple — confirm in
        // TlsHelper) live outside the config object.
        OcspConfig sut = new() { Mode = OcspMode.Must };

        sut.Mode.ShouldBe(OcspMode.Must);
    }

    [Fact]
    public void OcspMode_Never_disables_all()
    {
        // Round-trip only. The "disables all" behaviour is pinned further down: with Never,
        // BuildCertificateContext returns null, so NatsServer never applies a context.
        OcspConfig sut = new() { Mode = OcspMode.Never };

        sut.Mode.ShouldBe(OcspMode.Never);
    }

    [Fact]
    public void OcspPeerVerify_default_is_false()
    {
        // Online revocation checking of client certificates is opt-in. With the flag off the
        // validation callback does no OCSP lookup, so a revoked client certificate is not
        // rejected by this path (NOTE(review): unless revocation is checked elsewhere — confirm).
        NatsOptions sut = new();

        sut.OcspPeerVerify.ShouldBeFalse();
    }

    [Fact]
    public void OcspConfig_default_mode_is_Auto()
    {
        // A freshly constructed OcspConfig is in Auto, not Never — i.e. stapling is on by
        // default once a cert/key pair is configured.
        OcspConfig sut = new();

        sut.Mode.ShouldBe(OcspMode.Auto);
    }

    [Fact]
    public void OcspConfig_default_OverrideUrls_is_empty()
    {
        // No responder URL overrides by default; the responder presumably comes from the
        // certificate's AIA extension in that case (confirm in TlsHelper).
        OcspConfig sut = new();

        sut.OverrideUrls.ShouldBeEmpty();
    }

    [Fact]
    public void BuildCertificateContext_returns_null_when_no_tls()
    {
        // Even with OCSP explicitly switched on there is nothing to staple without a
        // cert/key pair. HasTls is false because TlsCert and TlsKey are left unset.
        NatsOptions sut = new()
        {
            OcspConfig = new OcspConfig { Mode = OcspMode.Always },
        };
        sut.HasTls.ShouldBeFalse();

        var ctx = TlsHelper.BuildCertificateContext(sut);

        ctx.ShouldBeNull();
    }

    [Fact]
    public void BuildCertificateContext_returns_null_when_mode_is_Never()
    {
        // OcspMode.Never must short-circuit even when TLS cert paths are set. Assuming
        // "server.pem" is absent from the test working directory, a passing run also shows
        // the mode check happens before any attempt to load the certificate.
        var sut = TlsOptionsWith(new OcspConfig { Mode = OcspMode.Never });

        var ctx = TlsHelper.BuildCertificateContext(sut);

        ctx.ShouldBeNull();
    }

    [Fact]
    public void BuildCertificateContext_returns_null_when_OcspConfig_is_null()
    {
        // A null OcspConfig yields no context. NOTE(review): a fresh OcspConfig defaults to
        // Auto (see OcspConfig_default_mode_is_Auto), so an omitted config and an explicit
        // "auto" config behave differently here — confirm what NatsOptions.OcspConfig
        // defaults to, so that leaving the block out of a server config does not silently
        // turn stapling off.
        var sut = TlsOptionsWith(null);

        var ctx = TlsHelper.BuildCertificateContext(sut);

        ctx.ShouldBeNull();
    }

    [Fact]
    public void OcspPeerVerify_can_be_enabled()
    {
        // The flag is a plain settable property; wiring into the validation callback is
        // covered by the change description, not by this test.
        NatsOptions sut = new() { OcspPeerVerify = true };

        sut.OcspPeerVerify.ShouldBeTrue();
    }

    [Fact]
    public void OcspMode_values_have_correct_ordinals()
    {
        // The numeric values are treated as part of the contract (presumably because they are
        // persisted or compared numerically somewhere — confirm); reordering the enum
        // members would change them silently, which this test is meant to catch.
        var expected = new[]
        {
            (Mode: OcspMode.Auto, Ordinal: 0),
            (Mode: OcspMode.Always, Ordinal: 1),
            (Mode: OcspMode.Must, Ordinal: 2),
            (Mode: OcspMode.Never, Ordinal: 3),
        };

        foreach (var (mode, ordinal) in expected)
        {
            ((int)mode).ShouldBe(ordinal);
        }
    }
}