Commit f120620d authored by Patrick J Cherry's avatar Patrick J Cherry

Added bundle + root CA tests

parent 3a0093a2
......@@ -23,6 +23,7 @@ module Symbiosis
@key = nil
@bundle = nil
@root_path = "/"
@ca_paths = []
end
#
......@@ -39,6 +40,13 @@ module Symbiosis
File.join(@root_path, "srv", @domain, "config")
end
#
# Add a path with extra SSL certs for testing
#
def add_ca_path(path)
@ca_paths << path if File.directory?(path)
end
#
# Is SSL enabled for the domain?
#
......@@ -127,6 +135,7 @@ module Symbiosis
def certificate_chain
certificate_chain = OpenSSL::X509::Store.new
certificate_chain.set_default_paths
@ca_paths.each{|path| certificate_chain.add_path(path)}
certificate_chain.add_file(self.certificate_chain_file) unless self.certificate_chain_file.nil?
certificate_chain
end
......@@ -280,15 +289,15 @@ module Symbiosis
#
#
unless self.certificate.check_private_key(self.key)
raise OpenSSL::X509::CertificateError, "Private key does not match certificate."
raise OpenSSL::X509::CertificateError, "Private key does not match certificate )a."
end
# Now check the certificate can be verified by the key. Well I *think*
# that is what the Certificate#verify method is for.
#
unless self.certificate.verify(self.key)
raise OpenSSL::X509::CertificateError, "Private key does not match certificate."
end
#unless self.certificate.verify(self.key)
# raise OpenSSL::X509::CertificateError, "Private key does not match certificate (b)."
#end
# At this point, return if certificate is self-signed
#
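Review bot: The retained error message now reads `Private key does not match certificate )a.` — a stray `)a` where `(a)` was presumably meant — and since this string is what an operator sees when verification fails it should read `raise OpenSSL::X509::CertificateError, "Private key does not match certificate (a)."`. The commented-out `certificate.verify(key)` block that follows is better deleted than parked: `Certificate#verify(key)` checks the certificate's own signature against the supplied key, which can only succeed for a self-signed certificate, so a one-line comment such as `# certificate.verify(key) is deliberately not used: it only holds for self-signed certificates` records the reason without leaving dead code. In the `certificate_chain` hunk above, `OpenSSL::X509::Store#add_path` looks certificates up by subject-hash filename (`<hash>.0`), so a directory that only contains `RootCA.crt` contributes no trust anchor unless it has been rehashed — if the tests pass with `./RootCA/` there are presumably hash links in that directory, and that requirement deserves a sentence in the `add_ca_path` comment. The `verify` method starts and ends outside the hunk.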
......
-----BEGIN CERTIFICATE-----
MIICqDCCAlKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJHQjET
MBEGA1UECBMKTWFuY2hlc3RlcjEOMAwGA1UEBxMFSHVsbWUxGzAZBgNVBAoTEkJ5
dGVtYXJrIFN5bWJpb3NpczEQMA4GA1UECxMHUm9vdCBDQTEQMA4GA1UEAxMHUm9v
dCBDQTAeFw0xMTAzMDQxMTM0NDRaFw0yMTAzMDExMTM0NDRaMGsxCzAJBgNVBAYT
AkdCMRMwEQYDVQQIEwpNYW5jaGVzdGVyMRswGQYDVQQKExJCeXRlbWFyayBTeW1i
aW9zaXMxEDAOBgNVBAsTB1Jvb3QgQ0ExGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBD
QTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCqaCQ2dNqjJ+4F85DQx+ri/vUfECfc
QOwSLjjFsIoGebc4OwugEXTaxpP/Oh1V+xIO2RjkMMr1zwJ1xoUeYfvbAgMBAAGj
gdgwgdUwHQYDVR0OBBYEFK25OeEcQeAaihiGOmBgyZ+RENj1MIGlBgNVHSMEgZ0w
gZqAFASyN4ORhkRe2x8CLIuGu/nGNH3roXekdTBzMQswCQYDVQQGEwJHQjETMBEG
A1UECBMKTWFuY2hlc3RlcjEOMAwGA1UEBxMFSHVsbWUxGzAZBgNVBAoTEkJ5dGVt
YXJrIFN5bWJpb3NpczEQMA4GA1UECxMHUm9vdCBDQTEQMA4GA1UEAxMHUm9vdCBD
QYIJAK3nZ0hQC2qSMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADQQBwSnoR
m5Dw/40UwqrcrIwPTVOsB0UpPTcKRUvqbPX9yOuyk6e+bI2DRcpWD102d9FK0zf6
/3kFhQ8tGfE0kDTk
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAKpoJDZ02qMn7gXzkNDH6uL+9R8QJ9xA7BIuOMWwigZ5tzg7C6AR
dNrGk/86HVX7Eg7ZGOQwyvXPAnXGhR5h+9sCAwEAAQJBAJ1zQBJ5AhNCr7EcDbB7
J9K5lK8w9EOUUQuzXY17wuybQpPycfiR1eIbzhJ+Z/5BCQ13AEnIXdL51vGUYwyR
rfECIQDjKBL1+THhTofRneb58GN4lvsJxfBpNnKcSA+jz2sHrwIhAMALXdfuvnAy
VUzeH1baUA/7yUTDdMOLOioDbIntf22VAiEAxqbIFiYsUe4cZtthIFjylIXs2jop
Kcm85yE51DbTUe8CIB8sOSlp2YPAx9PYYmHowgI2Lq94wqVTHjffomipInwZAiEA
i9RPQH3zbX5Malk7E9O70wlOU63cT8VBGHKPsVC9Swc=
-----END RSA PRIVATE KEY-----
RootCA.crt
\ No newline at end of file
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBOQIBAAJBAOh8/esnxYTssirpE3ziqmf78w6OmKXk6lr7ua32pONiO+16SKQ6
l0GJsM+xptrapJC+8sieaDLkFYpV7tdiMoECAwEAAQJAI75z25+1woYRrn8/O8gt
oucdq3NJDNhxH6PsHE77cunwa5QyKHsDYpOwCxzyFnj2PvTinh2qtx9EpneoylUA
AQIhAP+bpt9JDd76ZG4HlUioTQ/j0zAY4IF6xvJ3PWjgqDMBAiEA6NhDdnLtALKw
7qobBCuQnIC8KKT2SJEJ1WMRoahTf4ECIAJ5BQI/+Kxhi7ssw5ryVdyDfbWHaBSY
lXgfAy8SjU4BAiAzXEDFR+RvWvscKfl7mgB0BRF8BactqpB4uTmSZwbEAQIgRblh
r4ZDIbX1XSyqA3K9etaQITOgG2poUhIlB1zEVyE=
-----END RSA PRIVATE KEY-----
......@@ -70,12 +70,20 @@ class SSLConfigTest < Test::Unit::TestCase
#
# Returns a new certificate given a key
#
def do_generate_crt(domain, key=nil, ca=nil)
def do_generate_crt(domain, key=nil, ca_cert=nil, ca_key=nil)
#
# Generate a key if none has been specified
#
key = do_generate_key if key.nil?
#
# Check CA key and cert
#
if !ca_cert.nil? and !ca_key.nil? and !ca_cert.check_private_key(ca_key)
warn "CA certificate and key do not match -- not using."
ca_cert = ca_key = nil
end
# Generate the request
csr = OpenSSL::X509::Request.new
csr.version = 0
......@@ -90,11 +98,11 @@ class SSLConfigTest < Test::Unit::TestCase
#
# Theoretically we could use a CA to sign the cert.
#
if ca.nil?
if ca_cert.nil? or ca_key.nil?
warn "Not setting the issuer as the CA because the CA key is not set" if !ca_cert.nil? and ca_key.nil?
crt.issuer = csr.subject
else
# FIXME
raise "Cannot sign cert with a CA yet. FIXME!"
crt.issuer = ca_cert.subject
end
crt.public_key = csr.public_key
crt.not_before = Time.now
......@@ -106,16 +114,23 @@ class SSLConfigTest < Test::Unit::TestCase
crt.serial = @@serial
@@serial += 1
crt.version = 1
crt.sign( key, OpenSSL::Digest::SHA1.new )
if ca_cert.nil? or ca_key.nil?
warn "Not signing certificate with CA key because the CA certificate is not set" if ca_cert.nil? and !ca_key.nil?
crt.sign( key, OpenSSL::Digest::SHA1.new )
else
crt.sign( ca_key, OpenSSL::Digest::SHA1.new )
end
crt
end
#
# Returns a key and certificate
#
def do_generate_key_and_crt(domain, ca=nil)
def do_generate_key_and_crt(domain, ca_cert=nil, ca_key=nil)
key = do_generate_key
return [key, do_generate_crt(domain, key, ca)]
return [key, do_generate_crt(domain, key, ca_cert, ca_key)]
end
####
......@@ -265,6 +280,7 @@ class SSLConfigTest < Test::Unit::TestCase
def test_certificate_chain_file
# TODO: Requires setting up a dummy CA + intermediate bundle.
#
end
def test_certificate_chain
......@@ -385,7 +401,7 @@ class SSLConfigTest < Test::Unit::TestCase
end
def test_verify
def test_verify_self_signed
#
# Generate a key and cert
#
......@@ -401,6 +417,10 @@ class SSLConfigTest < Test::Unit::TestCase
#
assert_nothing_raised{ @ssl.certificate_file = @domain.directory+"/config/ssl.combined" }
assert_nothing_raised{ @ssl.key_file = @domain.directory+"/config/ssl.combined" }
#
# This should not verify yet
#
assert_nothing_raised{ @ssl.verify }
#
......@@ -412,10 +432,78 @@ class SSLConfigTest < Test::Unit::TestCase
#
File.open(@domain.directory+"/config/ssl.combined","w+"){|fh| fh.write crt.to_pem+do_generate_key.to_pem}
assert_raise(OpenSSL::X509::CertificateError){ @ssl.verify }
end
def test_verify_with_root_ca
#
# Use our intermediate CA.
#
ca_cert = OpenSSL::X509::Certificate.new(File.read("RootCA/RootCA.crt"))
ca_key = OpenSSL::PKey::RSA.new(File.read("RootCA/RootCA.key"))
#
# Add the Root CA path
#
@ssl.add_ca_path("./RootCA/")
#
# Generate a key and cert
#
key = do_generate_key
crt = do_generate_crt(@domain.name, key, ca_cert, ca_key)
#
# Write a combined cert
#
File.open(@domain.directory+"/config/ssl.combined","w+"){|fh| fh.write crt.to_pem+key.to_pem}
#
# This should verify now
#
# TODO: Work out how to do bundled verifications. Ugh.
assert_nothing_raised{ @ssl.certificate_file = @domain.directory+"/config/ssl.combined" }
assert_nothing_raised{ @ssl.key_file = @domain.directory+"/config/ssl.combined" }
assert_nothing_raised{ @ssl.verify }
end
def test_verify_with_intermediate_ca
#
# Use our intermediate CA.
#
ca_cert = OpenSSL::X509::Certificate.new(File.read("IntermediateCA/IntermediateCA.crt"))
ca_key = OpenSSL::PKey::RSA.new(File.read("IntermediateCA/IntermediateCA.key"))
#
# Add the Root CA path
#
@ssl.add_ca_path("./RootCA/")
#
# Generate a key and cert
#
key = do_generate_key
crt = do_generate_crt(@domain.name, key, ca_cert, ca_key)
#
# Write a combined cert
#
File.open(@domain.directory+"/config/ssl.combined","w+"){|fh| fh.write crt.to_pem+key.to_pem}
#
# This should not verify yet, as the bundle hasn't been copied in place.
#
assert_nothing_raised{ @ssl.certificate_file = @domain.directory+"/config/ssl.combined" }
assert_nothing_raised{ @ssl.key_file = @domain.directory+"/config/ssl.combined" }
assert_raise(OpenSSL::X509::CertificateError){ @ssl.verify }
#
# Now copy the bundle in place
#
FileUtils.cp("IntermediateCA/IntermediateCA.crt",@domain.directory+"/config/ssl.bundle")
#
# Now it should verify just fine.
#
assert_nothing_raised{ @ssl.verify }
end
def test_create_ssl_site
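Review bot: `test_verify_with_root_ca` and `test_verify_with_intermediate_ca` depend on checked-in fixtures with a fixed validity window: the IntermediateCA certificate above decodes to notBefore 2011-03-04 and notAfter 2021-03-01, so `@ssl.verify` will start failing on expiry regardless of the code under test, and the fixture key material is 512-bit RSA signed with SHA1, which current OpenSSL builds reject at their default security level. Since `do_generate_crt` now accepts `ca_cert`/`ca_key`, minting the root and intermediate CA in `setup` would remove both the time bomb and the weak fixtures. The fixture paths are also cwd-relative (`File.read("RootCA/RootCA.crt")`, `@ssl.add_ca_path("./RootCA/")`); anchoring them with `File.expand_path("RootCA", File.dirname(__FILE__))` keeps the tests runnable from any directory. The comment `# Use our intermediate CA.` in `test_verify_with_root_ca` is a copy-paste — that test loads the root CA.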
......