Commit ddb43420 authored by Patrick J Cherry's avatar Patrick J Cherry
Browse files

Rationalised self-signed and CA signed certificate tests.

parent f120620d
......@@ -289,28 +289,33 @@ module Symbiosis
#
#
unless self.certificate.check_private_key(self.key)
raise OpenSSL::X509::CertificateError, "Private key does not match certificate )a."
raise OpenSSL::X509::CertificateError, "Private key does not match certificate."
end
# Now check the certificate can be verified by the key. Well I *think*
# that is what the Certificate#verify method is for.
#
#unless self.certificate.verify(self.key)
# raise OpenSSL::X509::CertificateError, "Private key does not match certificate (b)."
#end
# At this point, return if certificate is self-signed
#
#
# Now check the signature
#
return true if self.certificate.issuer.to_s == self.certificate.subject.to_s
if self.certificate.issuer.to_s == self.certificate.subject.to_s
#
# Firstly for a self-signed certificate check the signature on the
# certificate was made by our key.
#
# This should never fail!
unless self.certificate.verify(self.key)
raise OpenSSL::X509::CertificateError, "Private key does not match that on the certificate's signature."
end
else
#
# Otherwise for a CA-signed certificate, make sure the signature can be
# verified using the usual store of certificates on the machine,
# including any bundle that has been left lying around.
#
unless self.certificate_chain.verify(self.certificate)
raise OpenSSL::X509::CertificateError, "Certificate does not verify -- maybe a bundle is missing?"
end
end
# Now validate the certificate, using a bundle if needed.
#
#
raise OpenSSL::X509::CertificateError, "Certificate does not verify -- maybe a bundle is missing?" unless self.certificate_chain.verify(self.certificate)
#
#
return true
true
end
#
......
......@@ -419,18 +419,34 @@ class SSLConfigTest < Test::Unit::TestCase
assert_nothing_raised{ @ssl.key_file = @domain.directory+"/config/ssl.combined" }
#
# This should not verify yet
# This should verify.
#
assert_nothing_raised{ @ssl.verify }
#
# TODO: test expired certificate
# Generate another key
#
new_key = do_generate_key
#
# Now write a combined cert with this new key. This should not verify.
#
File.open(@domain.directory+"/config/ssl.combined","w+"){|fh| fh.write crt.to_pem+new_key.to_pem}
assert_raise(OpenSSL::X509::CertificateError){ @ssl.verify }
#
# Now sign the certificate with this new key. This should cause the verification to fail.
#
crt.sign( new_key, OpenSSL::Digest::SHA1.new )
File.open(@domain.directory+"/config/ssl.combined","w+"){|fh| fh.write crt.to_pem+key.to_pem}
assert_raise(OpenSSL::X509::CertificateError){ @ssl.verify }
#
# Now write a combined cert with a duff key. This should not verify.
# Now write a combined cert with the new key. This should still not
# verify, as the public key on the certificate will not match the private
# key, even though we've signed the cert with this new private key.
#
File.open(@domain.directory+"/config/ssl.combined","w+"){|fh| fh.write crt.to_pem+do_generate_key.to_pem}
File.open(@domain.directory+"/config/ssl.combined","w+"){|fh| fh.write crt.to_pem+new_key.to_pem}
assert_raise(OpenSSL::X509::CertificateError){ @ssl.verify }
end
......@@ -458,7 +474,7 @@ class SSLConfigTest < Test::Unit::TestCase
File.open(@domain.directory+"/config/ssl.combined","w+"){|fh| fh.write crt.to_pem+key.to_pem}
#
# This should verify now
# This should verify just fine.
#
assert_nothing_raised{ @ssl.certificate_file = @domain.directory+"/config/ssl.combined" }
assert_nothing_raised{ @ssl.key_file = @domain.directory+"/config/ssl.combined" }
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment