From 34ad8c8ce4e4c90b1eb8c57c2d8d112be8d1f427 Mon Sep 17 00:00:00 2001 From: Vijo Cherian Date: Fri, 21 Apr 2017 12:34:16 -0700 Subject: [PATCH] Added new tests for SSL * tests/Test-https-badcerts.px : New file * tests/Test-https-clientcert.px : New file * tests/Test-https-crl.px : New file * tests/Test-https-weboftrust.px : New file * tests/certs/interca.conf : New file * tests/certs/rootca.conf : New file * tests/certs/test-ca-key.pem : New file Added all new SSL / HTTPS tests to make check Added Test for SSL Web of Trust, accept only if CA chain of trust is intact. Added a test script for client certificate Added Test for crlfile option of wget Added test to make sure that wget doesn't accept expired or invalid certs Some clean up : Removed cause of warnings from perl & other cosmetic changes --- tests/Makefile.am | 10 ++- tests/SSLServer.pm | 15 ++-- tests/Test-https-badcerts.px | 147 ++++++++++++++++++++++++++++++++++++++ tests/Test-https-clientcert.px | 142 +++++++++++++++++++++++++++++++++++++ tests/Test-https-crl.px | 142 +++++++++++++++++++++++++++++++++++++ tests/Test-https-pfs.px | 2 +- tests/Test-https-selfsigned.px | 10 ++- tests/Test-https-tlsv1.px | 2 +- tests/Test-https-tlsv1x.px | 2 +- tests/Test-https-weboftrust.px | 155 +++++++++++++++++++++++++++++++++++++++++ tests/certs/interca.conf | 64 +++++++++++++++++ tests/certs/rootca.conf | 64 +++++++++++++++++ tests/certs/test-ca-key.pem | 58 +++++++++++++++ 13 files changed, 799 insertions(+), 14 deletions(-) create mode 100755 tests/Test-https-badcerts.px create mode 100755 tests/Test-https-clientcert.px create mode 100755 tests/Test-https-crl.px create mode 100755 tests/Test-https-weboftrust.px create mode 100644 tests/certs/interca.conf create mode 100644 tests/certs/rootca.conf create mode 100644 tests/certs/test-ca-key.pem diff --git a/tests/Makefile.am b/tests/Makefile.am index c27c4ce..367a8c0 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -128,7 +128,15 @@ PX_TESTS = \ Test--start-pos--continue.px \ Test--httpsonly-r.px \ Test-204.px \ - Test-ftp-pasv-not-supported.px + Test-ftp-pasv-not-supported.px \ + Test-https-pfs.px \ + Test-https-tlsv1.px \ + Test-https-tlsv1x.px \ + Test-https-selfsigned.px \ + Test-https-weboftrust.px \ + Test-https-clientcert.px \ + Test-https-crl.px \ + Test-https-badcerts.px EXTRA_DIST = FTPServer.pm FTPTest.pm HTTPServer.pm HTTPTest.pm \ WgetTests.pm WgetFeature.pm WgetFeature.cfg $(PX_TESTS) \ diff --git a/tests/SSLServer.pm b/tests/SSLServer.pm index ed121b1..c0fabfd 100644 --- a/tests/SSLServer.pm +++ b/tests/SSLServer.pm @@ -30,12 +30,12 @@ my $sslsock; my $plaincon; my %args; -$HTTP::Daemon::DEBUG=5; +#$HTTP::Daemon::DEBUG=5; #*DEBUG = \$HTTP::Daemon::DEBUG; $args{SSL_error_trap} ||= \&ssl_error; -my $class = shift; +my $class = 'SSLServer'; my $self = {}; $self = bless $self, $class; @@ -86,7 +86,7 @@ sub accept if ($sock) { ${*$sock}{'httpd_daemon'} = $self; ${*$self}{'httpd_daemon'} = $sock; - my $fileno = ${*$self}{'_SSL_fileno'} = fileno($self); + my $fileno = ${*$self}{'_SSL_fileno'} = &fileno($self); my $f = $sock->fileno; return wantarray ? ($sock, $peer) : $sock; } @@ -157,19 +157,21 @@ sub run { my ($self, $urls, $synch_callback) = @_; my $initialized = 0; + my $sslsock; while (1) { if (!$initialized) { + $sslsock = $self->ssl_setup_conn(); + $sslsock || warn "Failed to get ssl sock"; + $initialized = 1; open (LOGFILE, '>', "/tmp/wgetserver.log"); LOGFILE->autoflush(1); print LOGFILE "Starting logging"; + $synch_callback->() if $synch_callback; } - my $sslsock = $self->ssl_setup_conn(); - $sslsock || warn "Failed to get ssl sock"; - $synch_callback->() if $synch_callback; my $con = $self->accept(); ${*$self}{'sslcon'} = $con; @@ -216,7 +218,6 @@ sub run print LOGFILE "Closing connection\n" if $log; close(LOGFILE); $con->close(); - last; } } diff --git a/tests/Test-https-badcerts.px b/tests/Test-https-badcerts.px new file mode 100755 index 0000000..97f11f5 --- /dev/null +++ b/tests/Test-https-badcerts.px @@ -0,0 +1,147 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use POSIX; + +use SSLTest; + +############################################################################### + +# code, msg, headers, content +my %urls = ( + '/somefile.txt' => { + code => "200", + msg => "Dontcare", + headers => { + "Content-type" => "text/plain", + }, + content => "blabla", + }, +); + +my $cdir = $ENV{'PWD'}; + +# HOSTALIASES env variable allows us to create hosts file alias. +my $testhostname = "wgettesterr"; +my $testhostfile = "$cdir/wgethosts"; +open(my $fh, '>', $testhostfile); +print $fh "$testhostname 127.0.0.1\n"; +close $fh; +$ENV{'HOSTALIASES'} = "$cdir/wgethosts"; + +# Create certindex +open CERTID, ">", "$cdir/certs/certindex" or + warn "Cannot overwrite file $cdir/certs/certindex"; +close CERTID; + +# Create certserial +open CERTSN, ">", "$cdir/certs/certserial" or + warn "Cannot overwrite file $cdir/certs/certserial"; +print CERTSN "1122"; +close CERTSN; + +# Create crlnumber +open CRLN, ">", "$cdir/certs/crlnumber" or + warn "Cannot overwrite file $cdir/certs/crlnumber"; +print CRLN "1122"; +close CRLN; + +my $caconf = "$cdir/certs/rootca.conf"; +my $cacrt = "$cdir/certs/test-ca-cert.pem"; +my $cakey = "$cdir/certs/test-ca-key.pem"; + +# Prepare expired server certificate +my $servercrt = "certs/tmpserver.crt"; +my $serverkey = "certs/tmpserver.key"; +my $servercsr = "$cdir/certs/tmpserver.csr"; +my $enddate = strftime "%y%m%d%H%M%S%z", localtime(time-86400); +my $startdate = strftime "%y%m%d%H%M%S%z", localtime(time+86400); +my $serversubj = "/C=US/ST=CA/L=Server Mystery Spot/O=Serv/CN=". + "$testhostname/emailAddress=servertester"; +my $servercmd = "openssl genrsa -out $serverkey 4096 && openssl req -new". + " -sha256 -key $serverkey -out $servercsr -days 365 ". + " -subj \"$serversubj\" &&". + "openssl ca -batch -config $caconf -notext ". + "-enddate $enddate -in $servercsr". + " -out $servercrt"; +system($servercmd); + +my $servercheck =`(openssl x509 -noout -modulus -in $servercrt | openssl md5 ; + openssl rsa -noout -modulus -in $serverkey | openssl md5) | + uniq | wc -l`; +# Check if certificate and key are made correctly. +unless(-e $servercrt && -e $serverkey && $servercheck == 1) +{ + exit 77; # skip +} + +# Try Wget using SSL with expired cert. Expect Failure. +my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cacrt". + " https://$testhostname:55443/somefile.txt"; +my $expected_error_code = 5; +my %existing_files = ( +); + +my %expected_downloaded_files = ( + 'somefile.txt' => { + content => "blabla", + }, +); + +my $sslsock = SSLTest->new(cmdline => $cmdline, + input => \%urls, + errcode => $expected_error_code, + existing => \%existing_files, + output => \%expected_downloaded_files, + certfile => $servercrt, + keyfile => $serverkey, + lhostname => $testhostname); +if ($sslsock->run() == 0) +{ + exit -1; +} +print "Test successful.\n"; + +system("/bin/rm $servercrt $serverkey $servercsr"); +$servercmd = "openssl genrsa -out $serverkey 4096 && openssl req -new". + " -sha256 -key $serverkey -out $servercsr -days 365 ". + " -subj \"$serversubj\" &&". + "openssl ca -batch -config $caconf -notext ". + " -startdate $startdate -in $servercsr". + " -out $servercrt"; +system($servercmd); + +$servercheck =`(openssl x509 -noout -modulus -in $servercrt | openssl md5 ; + openssl rsa -noout -modulus -in $serverkey | openssl md5) | + uniq | wc -l`; +# Check if certificate and key are made correctly. +unless(-e $servercrt && -e $serverkey && $servercheck == 1) +{ + exit 77; # skip +} + + +# Retry the test with --no-check-certificate. expect success +$cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cacrt". + " https://$testhostname:55443/somefile.txt"; + +$expected_error_code = 5; + +my $retryssl = SSLTest->new(cmdline => $cmdline, + input => \%urls, + errcode => $expected_error_code, + existing => \%existing_files, + output => \%expected_downloaded_files, + certfile => $servercrt, + keyfile => $serverkey, + lhostname => $testhostname); +if ($retryssl->run() == 0) +{ + exit 0; +} +else +{ + exit -1; +} +# vim: et ts=4 sw=4 diff --git a/tests/Test-https-clientcert.px b/tests/Test-https-clientcert.px new file mode 100755 index 0000000..e069f8b --- /dev/null +++ b/tests/Test-https-clientcert.px @@ -0,0 +1,142 @@ +#!/usr/bin/env perl + +use strict; +use warnings; + +use SSLTest; + +############################################################################### + +# code, msg, headers, content +my %urls = ( + '/somefile.txt' => { + code => "200", + msg => "Dontcare", + headers => { + "Content-type" => "text/plain", + }, + content => "blabla", + }, +); + +my $cdir = $ENV{'PWD'}; + +# HOSTALIASES env variable allows us to create hosts file alias. +my $testhostname = "wgettesterr"; +my $testhostfile = "$cdir/wgethosts"; +open(my $fh, '>', $testhostfile); +print $fh "$testhostname 127.0.0.1\n"; +close $fh; +$ENV{'HOSTALIASES'} = "$cdir/wgethosts"; + +# Create certindex +open CERTID, ">", "$cdir/certs/certindex" or + warn "Cannot overwrite file $cdir/certs/certindex"; +close CERTID; + +# Create certserial +open CERTSN, ">", "$cdir/certs/certserial" or + warn "Cannot overwrite file $cdir/certs/certserial"; +print CERTSN "1122"; +close CERTSN; + +# Create crlnumber +open CRLN, ">", "$cdir/certs/crlnumber" or + warn "Cannot overwrite file $cdir/certs/crlnumber"; +close CRLN; + +my $caconf = "$cdir/certs/rootca.conf"; +my $cacrt = "$cdir/certs/test-ca-cert.pem"; +my $cakey = "$cdir/certs/test-ca-key.pem"; + +# Prepare server certificate +my $servercrt = "certs/tmpserver.crt"; +my $serverkey = "certs/tmpserver.key"; +my $servercsr = "$cdir/certs/tmpserver.csr"; +my $serversubj = "/C=US/ST=CA/L=Server Mystery Spot/O=Serv/CN=". + "$testhostname/emailAddress=servertester"; +my $servercmd = "openssl genrsa -out $serverkey 4096 && openssl req -new". + " -sha256 -key $serverkey -out $servercsr -days 365 ". + " -subj \"$serversubj\" &&". + "openssl ca -batch -config $caconf -notext -in $servercsr". + " -out $servercrt"; + +system($servercmd); +my $servercheck =`(openssl x509 -noout -modulus -in $servercrt | openssl md5 ; + openssl rsa -noout -modulus -in $serverkey | openssl md5) | + uniq | wc -l`; +# Check if certificate and key are made correctly. +unless(-e $servercrt && -e $serverkey && $servercheck == 1) +{ + exit 77; # skip +} + +# Prepare client certifcate +my $clientcert = "$cdir/certs/client.crt"; +my $clientkey = "$cdir/certs/client.key"; +my $clientcsr = "$cdir/certs/client.csr"; +my $clientsubj = "/C=US/ST=CA/L=Client Mystery Spot/O=Client/CN=". + "Client Tester/emailAddress=clienttester"; +my $clientcertcmd = "openssl genrsa -out $clientkey 4096 &&". + " openssl req -new -key $clientkey -out $clientcsr". + " -subj \"$clientsubj\" &&". + " openssl ca -config $caconf -in $clientcsr ". + " -out $clientcert -batch"; + +system($clientcertcmd); +my $clientcheck=`(openssl x509 -noout -modulus -in $clientcert | openssl md5 ; + openssl rsa -noout -modulus -in $clientkey | openssl md5) | + uniq | wc -l`; + +# Check if signed certificate and key are made correctly. +unless(-e $clientcert && -e $clientkey && $clientcheck == 1) +{ + exit 77; # skip +} + +# Try Wget using SSL with mismatched client cert & key . Expect error +my $cmdline = $WgetTest::WGETPATH . " --certificate=$clientcert ". + " --private-key=$serverkey ". + " --ca-certificate=$cacrt". + " https://$testhostname:55443/somefile.txt"; +my $expected_error_code = 5; +my %existing_files = ( +); + +my %expected_downloaded_files = ( + 'somefile.txt' => { + content => "blabla", + }, +); + +my $sslsock = SSLTest->new(cmdline => $cmdline, + input => \%urls, + errcode => $expected_error_code, + existing => \%existing_files, + output => \%expected_downloaded_files, + certfile => $servercrt, + keyfile => $serverkey, + lhostname => $testhostname); +if ($sslsock->run() == 0) +{ + exit 0; +} + +# Retry wget using SSL with client certificate. Expect success +$cmdline = $WgetTest::WGETPATH . " --certificate=$clientcert". + " --private-key=$clientkey ". + " --ca-certificate=$cacrt". + " https://$testhostname:55443/somefile.txt"; + +$expected_error_code = 0; + +my $retryssl = SSLTest->new(cmdline => $cmdline, + input => \%urls, + errcode => $expected_error_code, + existing => \%existing_files, + output => \%expected_downloaded_files, + certfile => $servercrt, + keyfile => $serverkey, + lhostname => $testhostname); +exit $retryssl->run(); +# vim: et ts=4 sw=4 diff --git a/tests/Test-https-crl.px b/tests/Test-https-crl.px new file mode 100755 index 0000000..a63dc45 --- /dev/null +++ b/tests/Test-https-crl.px @@ -0,0 +1,142 @@ +#!/usr/bin/env perl + +use strict; +use warnings; + +use SSLTest; + +############################################################################### + +# code, msg, headers, content +my %urls = ( + '/somefile.txt' => { + code => "200", + msg => "Dontcare", + headers => { + "Content-type" => "text/plain", + }, + content => "blabla", + }, +); + +my $cdir = $ENV{'PWD'}; + +# HOSTALIASES env variable allows us to create hosts file alias. +my $testhostname = "wgettesterr"; +my $testhostfile = "$cdir/wgethosts"; +open(my $fh, '>', $testhostfile); +print $fh "$testhostname 127.0.0.1\n"; +close $fh; +$ENV{'HOSTALIASES'} = "$cdir/wgethosts"; + +# Create certindex +open CERTID, ">", "$cdir/certs/certindex" or + warn "Cannot overwrite file $cdir/certs/certindex"; +close CERTID; + +# Create certserial +open CERTSN, ">", "$cdir/certs/certserial" or + warn "Cannot overwrite file $cdir/certs/certserial"; +print CERTSN "1122"; +close CERTSN; + +# Create crlnumber +open CRLN, ">", "$cdir/certs/crlnumber" or + warn "Cannot overwrite file $cdir/certs/crlnumber"; +print CRLN "1122"; +close CRLN; + +my $caconf = "$cdir/certs/rootca.conf"; +my $cacrt = "$cdir/certs/test-ca-cert.pem"; +my $cakey = "$cdir/certs/test-ca-key.pem"; + +# Prepare server certificate +my $servercrt = "certs/tmpserver.crt"; +my $serverkey = "certs/tmpserver.key"; +my $servercsr = "$cdir/certs/tmpserver.csr"; +my $serversubj = "/C=US/ST=CA/L=Server Mystery Spot/O=Serv/CN=". + "$testhostname/emailAddress=servertester"; +my $servercmd = "openssl genrsa -out $serverkey 4096 && openssl req -new". + " -sha256 -key $serverkey -out $servercsr -days 365 ". + " -subj \"$serversubj\" &&". + "openssl ca -batch -config $caconf -notext -in $servercsr". + " -out $servercrt"; + +system($servercmd); + +my $servercheck =`(openssl x509 -noout -modulus -in $servercrt | openssl md5 ; + openssl rsa -noout -modulus -in $serverkey | openssl md5) | + uniq | wc -l`; +# Check if certificate and key are made correctly. +unless(-e $servercrt && -e $serverkey && $servercheck == 1) +{ + exit 77; # skip +} + +# Try Wget using SSL first without --no-check-certificate. Expect Success. +my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cacrt". + " https://$testhostname:55443/somefile.txt"; +my $expected_error_code = 0; +my %existing_files = ( +); + +my %expected_downloaded_files = ( + 'somefile.txt' => { + content => "blabla", + }, +); + +my $sslsock = SSLTest->new(cmdline => $cmdline, + input => \%urls, + errcode => $expected_error_code, + existing => \%existing_files, + output => \%expected_downloaded_files, + certfile => $servercrt, + keyfile => $serverkey, + lhostname => $testhostname); +if ($sslsock->run() != 0) +{ + exit -1; +} + +# Revoke the certificate +my $crlfile = "$cdir/certs/servercrl.pem"; +my $revokecmd = "openssl ca -config $caconf -revoke $servercrt && + openssl ca -config $caconf -gencrl -keyfile $cakey ". + "-cert $cacrt -out $crlfile"; + +system($revokecmd); +# Check if CRL file is generated. +unless(-e $crlfile) +{ + exit 77; # skip +} + +# To read a CRL file use the following command: +# openssl crl -text -in certs/root.crl.pem + +# Retry the test with CRL. Expect Failure. +$cmdline = $WgetTest::WGETPATH . " --crl-file=$crlfile ". + " --ca-certificate=$cacrt". + " https://$testhostname:55443/somefile.txt"; + +$expected_error_code = 5; + +my $retryssl = SSLTest->new(cmdline => $cmdline, + input => \%urls, + errcode => $expected_error_code, + existing => \%existing_files, + output => \%expected_downloaded_files, + certfile => $servercrt, + keyfile => $serverkey, + lhostname => $testhostname); +if ($retryssl->run() == 0) +{ + exit -1; +} +else +{ + print "Test successful.\n"; + exit 0; +} +# vim: et ts=4 sw=4 diff --git a/tests/Test-https-pfs.px b/tests/Test-https-pfs.px index f23dd37..6b43ccf 100755 --- a/tests/Test-https-pfs.px +++ b/tests/Test-https-pfs.px @@ -45,6 +45,6 @@ my $sslsock = SSLTest->new(cmdline => $cmdline, errcode => $expected_error_code, existing => \%existing_files, output => \%expected_downloaded_files); -$sslsock->run(); +exit $sslsock->run(); # vim: et ts=4 sw=4 diff --git a/tests/Test-https-selfsigned.px b/tests/Test-https-selfsigned.px index 30a6caa..79c9180 100755 --- a/tests/Test-https-selfsigned.px +++ b/tests/Test-https-selfsigned.px @@ -39,7 +39,8 @@ system($sscertcmd); my $sscheck=`(openssl x509 -noout -modulus -in $certfile | openssl md5 ; openssl rsa -noout -modulus -in $keyfile | openssl md5) | uniq|wc -l`; # Check if Self signed certificate and key are made correctly. -unless(-e $certfile && -e $keyfile && $sscheck == 1) { +unless(-e $certfile && -e $keyfile && $sscheck == 1) +{ exit 77; # skip } @@ -63,7 +64,10 @@ my $sslsock = SSLTest->new(cmdline => $cmdline, certfile => $certfile, keyfile => $keyfile, lhostname => $testhostname); -$sslsock->run(); +if ($sslsock->run() == 0) +{ + exit 0; +} # Retry the test with --no-check-certificate. expect success $cmdline = $WgetTest::WGETPATH . " --no-check-certificate --ca-certificate=$cdir/certs/test-ca-cert.pem https://$testhostname:55443/somefile.txt"; @@ -78,5 +82,5 @@ my $retryssl = SSLTest->new(cmdline => $cmdline, certfile => $certfile, keyfile => $keyfile, lhostname => $testhostname); -$retryssl->run(); +exit $retryssl->run(); # vim: et ts=4 sw=4 diff --git a/tests/Test-https-tlsv1.px b/tests/Test-https-tlsv1.px index 22665f5..3496513 100755 --- a/tests/Test-https-tlsv1.px +++ b/tests/Test-https-tlsv1.px @@ -45,6 +45,6 @@ my $sslsock = SSLTest->new(cmdline => $cmdline, errcode => $expected_error_code, existing => \%existing_files, output => \%expected_downloaded_files); -$sslsock->run(); +exit $sslsock->run(); # vim: et ts=4 sw=4 diff --git a/tests/Test-https-tlsv1x.px b/tests/Test-https-tlsv1x.px index 8dd57dc..7a25f47 100755 --- a/tests/Test-https-tlsv1x.px +++ b/tests/Test-https-tlsv1x.px @@ -45,6 +45,6 @@ my $sslsock = SSLTest->new(cmdline => $cmdline, errcode => $expected_error_code, existing => \%existing_files, output => \%expected_downloaded_files); -$sslsock->run(); +exit $sslsock->run(); # vim: et ts=4 sw=4 diff --git a/tests/Test-https-weboftrust.px b/tests/Test-https-weboftrust.px new file mode 100755 index 0000000..d3ff85a --- /dev/null +++ b/tests/Test-https-weboftrust.px @@ -0,0 +1,155 @@ +#!/usr/bin/env perl + +use strict; +use warnings; + +use SSLTest; + +############################################################################### + +# code, msg, headers, content +my %urls = ( + '/somefile.txt' => { + code => "200", + msg => "Dontcare", + headers => { + "Content-type" => "text/plain", + }, + content => "blabla", + }, +); + +my $cdir = $ENV{'PWD'}; + +# HOSTALIASES env variable allows us to create hosts file alias. +my $testhostname = "wgettesterr"; +my $testhostfile = "$cdir/wgethosts"; +open(my $fh, '>', $testhostfile); +print $fh "$testhostname 127.0.0.1\n"; +close $fh; +$ENV{'HOSTALIASES'} = "$cdir/wgethosts"; + +# Create certindex +open CERTID, ">", "$cdir/certs/certindex" or + warn "Cannot overwrite file $cdir/certs/certindex"; +close CERTID; + +# Create certserial +open CERTSN, ">", "$cdir/certs/certserial" or + warn "Cannot overwrite file $cdir/certs/certserial"; +print CERTSN "1122"; +close CERTSN; + +# Create crlnumber +open CRLN, ">", "$cdir/certs/crlnumber" or + warn "Cannot overwrite file $cdir/certs/crlnumber"; +close CRLN; + +# Create Intermediate CA +my $caconf = "certs/rootca.conf"; +my $icrtfile = "certs/interca.crt"; +my $ikeyfile = "certs/interca.key"; +my $icsrfile = "certs/interca.csr"; +my $icasubj = "/C=US/ST=CA/L=Intermediate Mystery Spot/O=Int/CN=". + "ica-$testhostname/emailAddress=icatester"; +my $icacmd = "openssl genrsa -out $ikeyfile 4096 && openssl req -new". + " -sha256 -key $ikeyfile -out $icsrfile -days 365 ". + " -subj \"$icasubj\" &&". + "openssl ca -batch -config $caconf -notext -in $icsrfile". + " -out $icrtfile"; + +system($icacmd); +my $icacheck=`(openssl x509 -noout -modulus -in $icrtfile | openssl md5 ; + openssl rsa -noout -modulus -in $ikeyfile | openssl md5) | + uniq | wc -l`; +# Check if certificate and key are made correctly. +unless(-e $icrtfile && -e $ikeyfile && $icacheck == 1) +{ + exit 77; # skip +} + +# Now create web of trust - Root CA + Intermediate CA +open WOT, ">", "$cdir/certs/wotca.pem" or + die "Cannot overwrite file $cdir/certs/wotca"; +open ICA, "<", $icrtfile or die "Cannot read file $icrtfile"; +while () +{ + print WOT $_; +} +print WOT "\n"; +close ICA; +open RCA, "<", "$cdir/certs/test-ca-cert.pem" or + die "Cannot read file $cdir/certs/test-ca-cert.pem"; +while () +{ + print WOT $_; +} +print WOT "\n"; +close RCA; +close WOT; + +# Create Test certificate using intermediate CA +my $icaconf = "certs/interca.conf"; +my $usrcrt = "certs/user.crt"; +my $usrkey = "certs/user.key"; +my $usrcsr = "certs/user.csr"; +my $usrsubj = "/C=US/ST=CA/L=User Mystery Spot/O=Int/CN=$testhostname/". + "emailAddress=usertester"; +my $usrcmd = "openssl genrsa -out $usrkey 4096 && ". + "openssl req -new -sha256 -key $usrkey -out $usrcsr -days". + " 365 -subj \"$usrsubj\" && ". + "openssl ca -batch -config $icaconf -notext -in $usrcsr ". + "-out $usrcrt"; + +system($usrcmd); +my $usrcheck=`(openssl x509 -noout -modulus -in $usrcrt | openssl md5 ; + openssl rsa -noout -modulus -in $usrkey | openssl md5) | + uniq | wc -l`; +# Check if certificate and key are made correctly. +unless(-e $usrcrt && -e $ikeyfile && $usrcheck == 1) +{ + exit 77; # skip +} + +# Try Wget using SSL using certificate signed by intermediate CA. Expect error. +my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cdir/certs/". + "test-ca-cert.pem https://$testhostname:55443/somefile.txt"; +my $expected_error_code = 5; +my %existing_files = ( +); + +my %expected_downloaded_files = ( + 'somefile.txt' => { + content => "blabla", + }, +); + +my $sslsock = SSLTest->new(cmdline => $cmdline, + input => \%urls, + errcode => $expected_error_code, + existing => \%existing_files, + output => \%expected_downloaded_files, + certfile => $usrcrt, + keyfile => $usrkey, + lhostname => $testhostname); +if ($sslsock->run() == 0) +{ + exit 0; +} + +# Retry the test with --no-check-certificate. expect success +$cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cdir/certs/wotca.pem". + " https://$testhostname:55443/somefile.txt"; + +$expected_error_code = 0; + +my $retryssl = SSLTest->new(cmdline => $cmdline, + input => \%urls, + errcode => $expected_error_code, + existing => \%existing_files, + output => \%expected_downloaded_files, + certfile => $usrcrt, + keyfile => $usrkey, + lhostname => $testhostname); +exit $retryssl->run(); +# vim: et ts=4 sw=4 diff --git a/tests/certs/interca.conf b/tests/certs/interca.conf new file mode 100644 index 0000000..125565e --- /dev/null +++ b/tests/certs/interca.conf @@ -0,0 +1,64 @@ +[ ca ] +default_ca = myca + +[ crl_ext ] +issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + + [ myca ] + dir = ./certs/ + new_certs_dir = $dir + unique_subject = no + certificate = $dir/interca.crt + database = $dir/certindex + private_key = $dir/interca.key + serial = $dir/certserial + default_days = 730 + default_md = sha1 + policy = myca_policy + x509_extensions = myca_extensions + crlnumber = $dir/crlnumber + default_crl_days = 730 + + [ myca_policy ] + commonName = supplied + stateOrProvinceName = supplied + countryName = optional + emailAddress = optional + organizationName = supplied + organizationalUnitName = optional + + [ myca_extensions ] + basicConstraints = critical,CA:TRUE + keyUsage = critical,any + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid:always,issuer + keyUsage = digitalSignature,keyEncipherment + extendedKeyUsage = serverAuth + crlDistributionPoints = @crl_section + subjectAltName = @alt_names + authorityInfoAccess = @ocsp_section + + [ v3_ca ] + basicConstraints = critical,CA:TRUE,pathlen:0 + keyUsage = critical,any + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid:always,issuer + keyUsage = digitalSignature,keyEncipherment + extendedKeyUsage = serverAuth + crlDistributionPoints = @crl_section + subjectAltName = @alt_names + authorityInfoAccess = @ocsp_section + + [alt_names] + DNS.0 = wgettesterr + + [crl_section] + URI.0 = http://intertest.wgettest.org/Bogus.crl + URI.1 = http://intertest.wgettest.org/Bogus.crl + + [ocsp_section] + caIssuers;URI.0 = http://intertest.wgettest.com/Bogus.crt + caIssuers;URI.1 = http://intertest.wgettest.com/Bogus.crt + OCSP;URI.0 = http://intertest.wgettest.com/ocsp/ + OCSP;URI.1 = http://intertest.wgettest.com/ocsp/ diff --git a/tests/certs/rootca.conf b/tests/certs/rootca.conf new file mode 100644 index 0000000..0dd0b4f --- /dev/null +++ b/tests/certs/rootca.conf @@ -0,0 +1,64 @@ +[ ca ] +default_ca = myca + +[ crl_ext ] +issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + + [ myca ] + dir = ./certs/ + new_certs_dir = $dir + unique_subject = no + certificate = $dir/test-ca-cert.pem + database = $dir/certindex + private_key = $dir/test-ca-key.pem + serial = $dir/certserial + default_days = 730 + default_md = sha1 + policy = myca_policy + x509_extensions = myca_extensions + crlnumber = $dir/crlnumber + default_crl_days = 730 + + [ myca_policy ] + commonName = supplied + stateOrProvinceName = supplied + countryName = optional + emailAddress = optional + organizationName = supplied + organizationalUnitName = optional + + [ myca_extensions ] + basicConstraints = critical,CA:TRUE + keyUsage = critical,any + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid:always,issuer + keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign + extendedKeyUsage = serverAuth + crlDistributionPoints = @crl_section + subjectAltName = @alt_names + authorityInfoAccess = @ocsp_section + + [ v3_ca ] + basicConstraints = critical,CA:TRUE,pathlen:0 + keyUsage = critical,any + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid:always,issuer + keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign + extendedKeyUsage = serverAuth + crlDistributionPoints = @crl_section + subjectAltName = @alt_names + authorityInfoAccess = @ocsp_section + + [alt_names] + DNS.0 = wgettesterr + + [crl_section] + URI.0 = http://test.wgettest.org/Bogus.crl + URI.1 = http://test.wgettest.org/Bogus.crl + + [ocsp_section] + caIssuers;URI.0 = http://test.wgettest.com/Bogus.crt + caIssuers;URI.1 = http://test.wgettest.com/Bogus.crt + OCSP;URI.0 = http://test.wgettest.com/ocsp/ + OCSP;URI.1 = http://test.wgettest.com/ocsp/ diff --git a/tests/certs/test-ca-key.pem b/tests/certs/test-ca-key.pem new file mode 100644 index 0000000..0bef904 --- /dev/null +++ b/tests/certs/test-ca-key.pem @@ -0,0 +1,58 @@ +!!!!!DO NOT USE THIS KEY FOR ANYTHING !!!!!!! +!!!!THIS FILE IS FOR TESTING WGET ONLY!!!!!! + +-----BEGIN RSA PRIVATE KEY----- +MIIJKgIBAAKCAgEArx5p0JWOfE/z3GXkd57QaemGBC8ZmE463Yhy6WtR7ww5MGMl +QmlsYYvEeZj/3FLe2mdAazTAlU8uf3BM5f8PUVahESgwevGVNJLtgOGJgxXp5csl +LlWYZ+a3qL1FJYVqPKfiK/tb8BsgzzPyECmlCerXw1lQ+34Fc36bw5vFw6igegb8 +yz5N59yvZp3b9iooU1J5yRTGTpEmGhUrUNdUc2MEe2bwLiEgffVmX9oc2mIqLwfR +tFjJMvNb6Zr42yllWC5aVeSJ86tkIhuLRQRD/nmy3NR/Txne764BhNnJ+/INV16U +fJz1A2BeFBhbPdH7T6jQx3BxRDQew66Qe8ESGuWa6SsjWwhiCl/lJ1UeUWt9pjDN +qT4kfeWQzZKnbMoC7hwLMmmo9fsL65jPNR9iclf5FXBap39/gtWl9vobuTi+6yLJ +BGBvB4FsFsRNDVu0PM06wUew/d9oTP+3/GKI8UnqiT+76RlC3lcyRdAk5LKFofg9 +bPkNm/dw6aDFtfFTE4oNjRXrUK9w3SZsknne2oOveKoGOYg79T/wlgUo++Uwwa8N +yYujycVhEvqMdvX68awlrQIxMFSOcyeaiGVuZ/gWIq/7VZaDJGEpnm8vXkpkyxhD +Wa3qQcLqHKbydckEaLHc2BuNjI3yNiYZUxVr8MHRgrBarEXLHz0yarvNNUECAwEA +AQKCAgEApUnNkoU3QfqtMCA0bvvFt9IlHpneTLW6NhNucwdLBJjC+fr61h5vn/qu +bh+NkMXfdsHyOb5G8CcWuk6jJouCR8G+sVT/vWt862yrI/S9OK9cX/tIkt1Txu4r +9+b99xZgWfQUNHNCKfVRGIHtPngwQJYbJVWObHJcbtDX8N984Nqu7b7eqG+cVPcl +z3O8hDLycQLt1G/5ZXr3PbMxeVJlcavKNTfKB6BY7MrN4Dcc+LujGVUGCHWtIpw0 +6t/Nd/8wmvTVazEVTJs/HjplT7VhADaaLnmb2GuQ0yWoZV6zmUy0bvzkpmH3mUJC +SjFbHZSu4ldzCGwHXNrdFtITqdtoW81Tj+b3EsqNlB2u1I8DpOMR8vMGy5f0rYhs +Lf4Vmpvggw4bzLeu9A6XStxiB/wExn1QlQd54X1zfhssoF/pbu2RtCujn+y3zYCd +2c9gqdN5MaGsr1NSYUPilj39E4S4FwtGnZGIYhClglToy0sMB/8lQvGIz0WRRfSG +g+LUuiWuqn95ZrnSJvTSYCvsH0OB64IWpd9sHtu/P8Cjms3B/nIYjbG5gj68m319 +AsK1uFAqVmlGYVJVzgND9B9Egd4cODlTSsncEUQlS8PUZaym50FoBuO4vN+IYrZO +H/yL6+hq3l/va/xlr4ZMEiBdEAiSj7g6XqQGzTgOz47RJn1FAGECggEBAOi8Moix +SGHhxpJZgeHuL2FgBuNT9GVDoTNbUtEoZ7NsJd4BG3MjbZFluFoSfFiawAqJ3e6c +ptUSiZ1KXN1gvMwVkget3MyenEzohYczwYOQeREAeRVr25Wq8cegvLaDFejMclCs +ILC80BaGbVcAmJMdOBzLVqtY/7lps0LWpGd/6KYXTm41erhWJkvx+Vt0uPKVzGqx +Ijjh/DSc5eX5BIdn2bYHLRu/xqfnX2kSH37PSto55ROSu8D8YwjaOdyQ1Hha6+O1 +Q6E4d2HliYqv1WaDHjyAXjmlP/3ob5f3QdXbqpB1smGPimK3hiZB0sYgdUI3yW9c +NkynqGBeoTSPjG0CggEBAMCfyVJnG1fCnFZFCtPawYKK/IoMNyYzgIKomlcBdF/8 +J8Gwr6jcFBbdefT+VypVO0DywPrIFppDzjGEmZarFRgXsspGBenQQrZTPG1eUldY +U89ODTsYNk0AXdctkMvAFSfVbA/4pnXAiXzKeEDk2YOhDYP1Y/T9eZQ3AI+LNeGO +1Oqd9hGgsW0rqVgW+rCbUTezFE5J+2zbzMu2XnJieueG33iaVMpHzqnLLe27SYcI +7VmgttZL4eL6/klPHSKC8x3y1c2T88d+HAuW+mB+bQ2iQWYfM82SyxjTER/7jpTy +Zpj/mibgt2cQxVowWFmMMOLXczhpu/GOgRxxCXVQn6UCggEBAOa30vzxiskGMn1Y +4EpifnPw50MrMkfFEKRB70rL3GnhV3TK8jRlNbSC+4vHcZ/A4YpQ/EMU5sqp0uSs +GH2Z7e//nkGgmRf8UQRpKh5LL5bGfU5egqq6vveTfJajARGJyAl9zAGvccTjmQIL +h49NVvPYbo0VAzlgRDrBz2T+NgMoqTEmP6k/uQXO2a5GFiYVA1fxKrHGIh/z37sk +o0Aladj2Gby7RnuQ1VYUJ+CYh8KFqzXFWRPbTefWDDN1axD+PrOFpv2Y749+09Kn +438qKsqyRyJBO6e360VBzIcBJjHkzyTgmNLgopaUSxfX/yRMfxIDDd0os+ev+Vp3 +1SWu/M0CggEAWSvfZCFNPCRggWN27rpPaOJ0pGehRDMFY/cvc+W9fQ3bTcRAnXg8 +aJVg9vSjX3qTcq6ufaoRJJsNIklTXLeYjU2zPAaMiEAcEhGYYL0Qe1Ttf4OPhnLf ++GeaCZoTdO9YG9emLgKa9NoMC9QjNU98Dn6JJjR8cJbDKMUJomn8qI2ZrX8wwdpV +KMfUnm4M4aMVRybE2LVRCoT6WrfzIxrJ8NK0Mz2m0PnLBzmC6pIQKM4OKrbGzY/V +Y2F0RHW2dBqQ96VKKuA6M3kC/K6I/BCq5WvewKrjLWCuWrCjNd4blIJe0qdJMoRH +AxR1eBn3XIUUwH6i3VO9aMbiqEr/6OpI7QKCAQEAslqWEcRSL8bxXTVs1Jqip4wW +lbJoym+zXhMLiqxCbMukClkkCdaI+lxNVdxs4MpACHYRAhHwVvAujz5JcgiMjSRC +IK/JGu9uVkSriA/YJxmmMPvTYI1bmT1lT99HUqhzM5COuSFJh9D8cfpHJSUC+6rF +1U/YcdcrZAMl3UH30XdsJLc6l3L/0gyseohwWT76dSqqOOathvNM5PsE8jNzPEo7 +VUdfrrDpEw0dPjk4IF8cpC389H1j8lnwxkWQtHHhXZTXHJlC9xYPa3PRsRn18pJy +vxz9r76vJ3YJiQTxv8MKw/AaQrNDZng0Ff5kqQAqc/q/CvHdb2pur8NTsS/09w== +-----END RSA PRIVATE KEY----- +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!!!!!DO NOT USE THIS KEY FOR ANYTHING !!!!!!! +!!!!THIS FILE IS FOR TESTING WGET ONLY!!!!!! \ No newline at end of file -- 2.7.4