From 77a6c87add3e05cce91a68c65eba61fc75451234 Mon Sep 17 00:00:00 2001
From: moparisthebest
Date: Sun, 3 Apr 2016 22:23:16 -0400
Subject: [PATCH 2/2] Implement tests for new pinnedpubkey option
---
 testenv/Makefile.am | 6 +++
 testenv/README | 1 +
 testenv/Test-pinnedpubkey-der-https.py | 59 +++++++++++++++++++++
 testenv/Test-pinnedpubkey-der-no-check-https.py | 58 ++++++++++++++++++++
 testenv/Test-pinnedpubkey-hash-https.py | 58 ++++++++++++++++++++
 .../Test-pinnedpubkey-hash-no-check-fail-https.py | 53 ++++++++++++++++++
 testenv/Test-pinnedpubkey-pem-fail-https.py | 55 +++++++++++++++++++
 testenv/Test-pinnedpubkey-pem-https.py | 59 +++++++++++++++++++++
 testenv/certs/README | 10 ++++
 testenv/certs/server-pubkey.der | Bin 0 -> 294 bytes
 testenv/certs/server-pubkey.pem | 9 ++++
 11 files changed, 368 insertions(+)
 create mode 100755 testenv/Test-pinnedpubkey-der-https.py
 create mode 100755 testenv/Test-pinnedpubkey-der-no-check-https.py
 create mode 100755 testenv/Test-pinnedpubkey-hash-https.py
 create mode 100755 testenv/Test-pinnedpubkey-hash-no-check-fail-https.py
 create mode 100755 testenv/Test-pinnedpubkey-pem-fail-https.py
 create mode 100755 testenv/Test-pinnedpubkey-pem-https.py
 create mode 100644 testenv/certs/server-pubkey.der
 create mode 100644 testenv/certs/server-pubkey.pem
diff --git a/testenv/Makefile.am b/testenv/Makefile.am
index 370c404..cf8cec4 100644
--- a/testenv/Makefile.am
+++ b/testenv/Makefile.am
@@ -61,6 +61,12 @@ if HAVE_PYTHON3
 Test-Head.py \
 Test--https.py \
 Test--https-crl.py \
+ Test-pinnedpubkey-der-https.py \
+ Test-pinnedpubkey-der-no-check-https.py \
+ Test-pinnedpubkey-hash-https.py \
+ Test-pinnedpubkey-hash-no-check-fail-https.py \
+ Test-pinnedpubkey-pem-fail-https.py \
+ Test-pinnedpubkey-pem-https.py \
 Test-hsts.py \
 Test-O.py \
 Test-Post.py \
diff --git a/testenv/README b/testenv/README
index 50baf3d..3fee6ad 100644
--- a/testenv/README
+++ b/testenv/README
@@ -97,6 +97,7 @@ Environment Variables:
 the test suite will execute all the tests via this command. If it is set to "1", valgrind memcheck is enabled with hard coded options. This variable is set by ./configure --enable-valgrind-tests.
+* SSL_TESTS: This must be set to run any https tests.
 File Structure:
diff --git a/testenv/Test-pinnedpubkey-der-https.py b/testenv/Test-pinnedpubkey-der-https.py
new file mode 100755
index 0000000..d8cb869
--- /dev/null
+++ b/testenv/Test-pinnedpubkey-der-https.py
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+from sys import exit
+from test.http_test import HTTPTest
+from test.base_test import HTTP, HTTPS
+from misc.wget_file import WgetFile
+import os
+
+"""
+ This test ensures that Wget can download files from HTTPS Servers
+"""
+TEST_NAME = "HTTPS Downloads"
+if os.getenv('SSL_TESTS') is None:
+ exit (77)
+
+############# File Definitions ###############################################
+File1 = "Would you like some Tea?"
+File2 = "With lemon or cream?"
+File3 = "Sure you're joking Mr. Feynman"
+
+A_File = WgetFile ("File1", File1)
+B_File = WgetFile ("File2", File2)
+C_File = WgetFile ("File3", File3)
+
+CAFILE = os.path.abspath(os.path.join(os.getenv('srcdir', '.'), 'certs', 'ca-cert.pem'))
+PINNEDPUBKEY = os.path.abspath(os.path.join(os.getenv('srcdir', '.'), 'certs', 'server-pubkey.der'))
+WGET_OPTIONS = "--pinnedpubkey=" + PINNEDPUBKEY + " --ca-certificate=" + CAFILE
+WGET_URLS = [["File1", "File2"]]
+
+Files = [[A_File, B_File]]
+Existing_Files = [C_File]
+
+Servers = [HTTPS]
+
+ExpectedReturnCode = 0
+ExpectedDownloadedFiles = [A_File, B_File, C_File]
+
+################ Pre and Post Test Hooks #####################################
+pre_test = {
+ "ServerFiles" : Files,
+ "LocalFiles" : Existing_Files
+}
+test_options = {
+ "WgetCommands" : WGET_OPTIONS,
+ "Urls" : WGET_URLS
+}
+post_test = {
+ "ExpectedFiles" : ExpectedDownloadedFiles,
+ "ExpectedRetcode" : ExpectedReturnCode
+}
+
+err = HTTPTest (
+ name=TEST_NAME,
+ pre_hook=pre_test,
+ test_params=test_options,
+ post_hook=post_test,
+ protocols=Servers
+).begin ()
+
+exit (err)
diff --git a/testenv/Test-pinnedpubkey-der-no-check-https.py b/testenv/Test-pinnedpubkey-der-no-check-https.py
new file mode 100755
index 0000000..ac09328
--- /dev/null
+++ b/testenv/Test-pinnedpubkey-der-no-check-https.py
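Review bot: `TEST_NAME = "HTTPS Downloads"` and the module docstring were carried over from Test--https.py and no longer describe what this file checks, so a failure in the suite log is indistinguishable from the plain HTTPS test; the same applies to the other five Test-pinnedpubkey-*.py files added in this series. Suggest a distinct name per file, e.g. `TEST_NAME = "HTTPS Downloads with pinned public key (DER)"`, and a docstring that states the scenario and the expected outcome (download succeeds here; exit code 5 and no files in the -fail variants). `HTTP` is imported from test.base_test but unused in all six files, so `from test.base_test import HTTPS` is enough.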
@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+from sys import exit
+from test.http_test import HTTPTest
+from test.base_test import HTTP, HTTPS
+from misc.wget_file import WgetFile
+import os
+
+"""
+ This test ensures that Wget can download files from HTTPS Servers
+"""
+TEST_NAME = "HTTPS Downloads"
+if os.getenv('SSL_TESTS') is None:
+ exit (77)
+
+############# File Definitions ###############################################
+File1 = "Would you like some Tea?"
+File2 = "With lemon or cream?"
+File3 = "Sure you're joking Mr. Feynman"
+
+A_File = WgetFile ("File1", File1)
+B_File = WgetFile ("File2", File2)
+C_File = WgetFile ("File3", File3)
+
+PINNEDPUBKEY = os.path.abspath(os.path.join(os.getenv('srcdir', '.'), 'certs', 'server-pubkey.der'))
+WGET_OPTIONS = "--no-check-certificate --pinnedpubkey=" + PINNEDPUBKEY
+WGET_URLS = [["File1", "File2"]]
+
+Files = [[A_File, B_File]]
+Existing_Files = [C_File]
+
+Servers = [HTTPS]
+
+ExpectedReturnCode = 0
+ExpectedDownloadedFiles = [A_File, B_File, C_File]
+
+################ Pre and Post Test Hooks #####################################
+pre_test = {
+ "ServerFiles" : Files,
+ "LocalFiles" : Existing_Files
+}
+test_options = {
+ "WgetCommands" : WGET_OPTIONS,
+ "Urls" : WGET_URLS
+}
+post_test = {
+ "ExpectedFiles" : ExpectedDownloadedFiles,
+ "ExpectedRetcode" : ExpectedReturnCode
+}
+
+err = HTTPTest (
+ name=TEST_NAME,
+ pre_hook=pre_test,
+ test_params=test_options,
+ post_hook=post_test,
+ protocols=Servers
+).begin ()
+
+exit (err)
diff --git a/testenv/Test-pinnedpubkey-hash-https.py b/testenv/Test-pinnedpubkey-hash-https.py
new file mode 100755
index 0000000..c85fe85
--- /dev/null
+++ b/testenv/Test-pinnedpubkey-hash-https.py
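Review bot: The `WGET_OPTIONS` line is the only positive case that combines `--no-check-certificate` with a matching pin, and together with Test-pinnedpubkey-hash-no-check-fail-https.py it shows the pin is enforced when chain verification is disabled, but nothing in the file says that this is the property under test. A comment above it would make the intent explicit, e.g. `# chain verification is off; the download must succeed only because the pin matches (see the -no-check-fail test)`. What I do not see anywhere in the series is the converse: a matching `--pinnedpubkey` with neither `--ca-certificate` nor `--no-check-certificate`, which should still exit with code 5 if pinning is meant as an additional check rather than a substitute for chain verification; if that is the intended semantics, it deserves its own test so a regression cannot turn the pin into a bypass.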
@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+from sys import exit
+from test.http_test import HTTPTest
+from test.base_test import HTTP, HTTPS
+from misc.wget_file import WgetFile
+import os
+
+"""
+ This test ensures that Wget can download files from HTTPS Servers
+"""
+TEST_NAME = "HTTPS Downloads"
+if os.getenv('SSL_TESTS') is None:
+ exit (77)
+
+############# File Definitions ###############################################
+File1 = "Would you like some Tea?"
+File2 = "With lemon or cream?"
+File3 = "Sure you're joking Mr. Feynman"
+
+A_File = WgetFile ("File1", File1)
+B_File = WgetFile ("File2", File2)
+C_File = WgetFile ("File3", File3)
+
+CAFILE = os.path.abspath(os.path.join(os.getenv('srcdir', '.'), 'certs', 'ca-cert.pem'))
+WGET_OPTIONS = "--pinnedpubkey=sha256//mHiEhWHvusnzP7COZk+SzSJ+Gl7nZT+ADx0PUnDD7mM= --ca-certificate=" + CAFILE
+WGET_URLS = [["File1", "File2"]]
+
+Files = [[A_File, B_File]]
+Existing_Files = [C_File]
+
+Servers = [HTTPS]
+
+ExpectedReturnCode = 0
+ExpectedDownloadedFiles = [A_File, B_File, C_File]
+
+################ Pre and Post Test Hooks #####################################
+pre_test = {
+ "ServerFiles" : Files,
+ "LocalFiles" : Existing_Files
+}
+test_options = {
+ "WgetCommands" : WGET_OPTIONS,
+ "Urls" : WGET_URLS
+}
+post_test = {
+ "ExpectedFiles" : ExpectedDownloadedFiles,
+ "ExpectedRetcode" : ExpectedReturnCode
+}
+
+err = HTTPTest (
+ name=TEST_NAME,
+ pre_hook=pre_test,
+ test_params=test_options,
+ post_hook=post_test,
+ protocols=Servers
+).begin ()
+
+exit (err)
diff --git a/testenv/Test-pinnedpubkey-hash-no-check-fail-https.py b/testenv/Test-pinnedpubkey-hash-no-check-fail-https.py
new file mode 100755
index 0000000..5ae4df7
--- /dev/null
+++ b/testenv/Test-pinnedpubkey-hash-no-check-fail-https.py
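Review bot: The `sha256//...` pin on the `WGET_OPTIONS` line is a bare literal with nothing tying it to the key it was computed from, so when `certs/server-cert.pem` is regenerated this test will start failing with no hint as to why. Suggest a comment above it: `# base64 SHA-256 of certs/server-pubkey.der; recompute with the recipe in certs/README whenever server-cert.pem changes`. Since the same digest is also the last line added to certs/README, a second comment there (or a reference from here to that line) would keep the two in sync.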
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+from sys import exit
+from test.http_test import HTTPTest
+from test.base_test import HTTP, HTTPS
+from misc.wget_file import WgetFile
+import os
+
+"""
+ This test ensures that Wget can download files from HTTPS Servers
+"""
+TEST_NAME = "HTTPS Downloads"
+if os.getenv('SSL_TESTS') is None:
+ exit (77)
+
+############# File Definitions ###############################################
+File1 = "Would you like some Tea?"
+File2 = "With lemon or cream?"
+
+A_File = WgetFile ("File1", File1)
+B_File = WgetFile ("File2", File2)
+
+WGET_OPTIONS = "--no-check-certificate --pinnedpubkey=sha256//mHiEhWHvusnzP7COZk+SzSJ+Gl7ZZT+ADx0PUnDD7mM="
+WGET_URLS = [["File1", "File2"]]
+
+Files = [[A_File, B_File]]
+
+Servers = [HTTPS]
+
+ExpectedReturnCode = 5
+ExpectedDownloadedFiles = []
+
+################ Pre and Post Test Hooks #####################################
+pre_test = {
+ "ServerFiles" : Files
+}
+test_options = {
+ "WgetCommands" : WGET_OPTIONS,
+ "Urls" : WGET_URLS
+}
+post_test = {
+ "ExpectedFiles" : ExpectedDownloadedFiles,
+ "ExpectedRetcode" : ExpectedReturnCode
+}
+
+err = HTTPTest (
+ name=TEST_NAME,
+ pre_hook=pre_test,
+ test_params=test_options,
+ post_hook=post_test,
+ protocols=Servers
+).begin ()
+
+exit (err)
diff --git a/testenv/Test-pinnedpubkey-pem-fail-https.py b/testenv/Test-pinnedpubkey-pem-fail-https.py
new file mode 100755
index 0000000..5336509
--- /dev/null
+++ b/testenv/Test-pinnedpubkey-pem-fail-https.py
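Review bot: The pin on the `WGET_OPTIONS` line differs from the one in Test-pinnedpubkey-hash-https.py by a single character (`Gl7ZZT` vs `Gl7nZT`), which is the whole reason `ExpectedReturnCode = 5` is expected, yet nothing says so; a reader diffing the two files will take it for a typo and "fix" it. Add `# deliberately wrong pin: one character changed from the digest in Test-pinnedpubkey-hash-https.py` above it, and state in the docstring that exit code 5 with no downloaded files is the expected result. A sibling case with the same wrong digest but `--ca-certificate` instead of `--no-check-certificate` would also show that a pin mismatch fails even when the chain verifies; Test-pinnedpubkey-pem-fail-https.py covers that path only with a file pin.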
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+from sys import exit
+from test.http_test import HTTPTest
+from test.base_test import HTTP, HTTPS
+from misc.wget_file import WgetFile
+import os
+
+"""
+ This test ensures that Wget can download files from HTTPS Servers
+"""
+TEST_NAME = "HTTPS Downloads"
+if os.getenv('SSL_TESTS') is None:
+ exit (77)
+
+############# File Definitions ###############################################
+File1 = "Would you like some Tea?"
+File2 = "With lemon or cream?"
+
+A_File = WgetFile ("File1", File1)
+B_File = WgetFile ("File2", File2)
+
+CAFILE = os.path.abspath(os.path.join(os.getenv('srcdir', '.'), 'certs', 'ca-cert.pem'))
+PINNEDPUBKEY = os.path.abspath(os.path.join(os.getenv('srcdir', '.'), 'certs', 'ca-key.pem'))
+WGET_OPTIONS = "--pinnedpubkey=" + PINNEDPUBKEY + " --ca-certificate=" + CAFILE
+WGET_URLS = [["File1", "File2"]]
+
+Files = [[A_File, B_File]]
+
+Servers = [HTTPS]
+
+ExpectedReturnCode = 5
+ExpectedDownloadedFiles = []
+
+################ Pre and Post Test Hooks #####################################
+pre_test = {
+ "ServerFiles" : Files
+}
+test_options = {
+ "WgetCommands" : WGET_OPTIONS,
+ "Urls" : WGET_URLS
+}
+post_test = {
+ "ExpectedFiles" : ExpectedDownloadedFiles,
+ "ExpectedRetcode" : ExpectedReturnCode
+}
+
+err = HTTPTest (
+ name=TEST_NAME,
+ pre_hook=pre_test,
+ test_params=test_options,
+ post_hook=post_test,
+ protocols=Servers
+).begin ()
+
+exit (err)
diff --git a/testenv/Test-pinnedpubkey-pem-https.py b/testenv/Test-pinnedpubkey-pem-https.py
new file mode 100755
index 0000000..ada4eb0
--- /dev/null
+++ b/testenv/Test-pinnedpubkey-pem-https.py
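Review bot: `PINNEDPUBKEY` points at `certs/ca-key.pem`, which by its name is the CA private key rather than a public key, so if `--pinnedpubkey` rejects the file because it does not parse as a public key, the test reaches `ExpectedReturnCode = 5` without ever exercising the key-comparison path it is named for. To test a genuine mismatch, pin a well-formed public key that is not the server's, for example the CA's, extracted with the `openssl x509 -noout -pubkey` recipe added to certs/README into a new file (say `certs/ca-pubkey.pem`, name chosen here), and keep an unparseable-pin case separate if that behaviour matters. Either way a one-line comment above `PINNEDPUBKEY` stating which failure is intended would make the expected exit code verifiable.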
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+from sys import exit
+from test.http_test import HTTPTest
+from test.base_test import HTTP, HTTPS
+from misc.wget_file import WgetFile
+import os
+
+"""
+ This test ensures that Wget can download files from HTTPS Servers
+"""
+TEST_NAME = "HTTPS Downloads"
+if os.getenv('SSL_TESTS') is None:
+ exit (77)
+
+############# File Definitions ###############################################
+File1 = "Would you like some Tea?"
+File2 = "With lemon or cream?"
+File3 = "Sure you're joking Mr. Feynman"
+
+A_File = WgetFile ("File1", File1)
+B_File = WgetFile ("File2", File2)
+C_File = WgetFile ("File3", File3)
+
+CAFILE = os.path.abspath(os.path.join(os.getenv('srcdir', '.'), 'certs', 'ca-cert.pem'))
+PINNEDPUBKEY = os.path.abspath(os.path.join(os.getenv('srcdir', '.'), 'certs', 'server-pubkey.pem'))
+WGET_OPTIONS = "--pinnedpubkey=" + PINNEDPUBKEY + " --ca-certificate=" + CAFILE
+WGET_URLS = [["File1", "File2"]]
+
+Files = [[A_File, B_File]]
+Existing_Files = [C_File]
+
+Servers = [HTTPS]
+
+ExpectedReturnCode = 0
+ExpectedDownloadedFiles = [A_File, B_File, C_File]
+
+################ Pre and Post Test Hooks #####################################
+pre_test = {
+ "ServerFiles" : Files,
+ "LocalFiles" : Existing_Files
+}
+test_options = {
+ "WgetCommands" : WGET_OPTIONS,
+ "Urls" : WGET_URLS
+}
+post_test = {
+ "ExpectedFiles" : ExpectedDownloadedFiles,
+ "ExpectedRetcode" : ExpectedReturnCode
+}
+
+err = HTTPTest (
+ name=TEST_NAME,
+ pre_hook=pre_test,
+ test_params=test_options,
+ post_hook=post_test,
+ protocols=Servers
+).begin ()
+
+exit (err)
diff --git a/testenv/certs/README b/testenv/certs/README
index 8d62ad6..58bd1f0 100644
--- a/testenv/certs/README
+++ b/testenv/certs/README
@@ -75,3 +75,13 @@ Generating a signed CRL...
 Update times. The certificate will expire in (days): -1 CRL Number (default: 6080006793650397145):
+
+To generate a public key in PEM format:
+$ openssl x509 -noout -pubkey < server-cert.pem > server-pubkey.pem
+
+To generate a public key in DER format:
+$ openssl x509 -noout -pubkey < server-cert.pem | openssl asn1parse -noout -inform pem -out server-pubkey.der
+
+To generate a sha256 hash of the public key:
+$ openssl x509 -noout -pubkey < server-cert.pem | openssl asn1parse -noout -inform pem -out /dev/stdout | openssl dgst -sha256 -binary | openssl base64
+mHiEhWHvusnzP7COZk+SzSJ+Gl7nZT+ADx0PUnDD7mM=
diff --git a/testenv/certs/server-pubkey.der b/testenv/certs/server-pubkey.der
new file mode 100644
index 0000000000000000000000000000000000000000..6db082a2bb18bfd9aaf251c96fa4d5c0e2fb19f8
GIT binary patch literal 294 zcmV+>0ondAf&n5h4F(address@hidden&mHwf&l>l$im!fdE`gZwqB+a ze)am0_x;LI$CrSgny;26}Kd>@~2mG&Y_nY`N}V*b)b z(UA>{2=bJF;address@hidden|KOj~6`PAxPlAWb2HB_j#%_$L(f-B=lDT}F%i>csr zNu^D`=7ZcyYG)z`&`wfj28a%+HZ%l_x&YqosiGq1zqY zL}f2P$