Added bundle + root CA tests

apache/lib/symbiosis/ssl_configuration.rb

@@ -23,6 +23,7 @@ module Symbiosis
       @key = nil
       @bundle = nil
       @root_path = "/"
+      @ca_paths = []
     end
 
     #
@@ -39,6 +40,13 @@ module Symbiosis
       File.join(@root_path, "srv", @domain, "config")
     end
 
+    #
+    # Add a path with extra SSL certs for testing
+    #
+    def add_ca_path(path)
+      @ca_paths << path if File.directory?(path)
+    end
+
     #
     # Is SSL enabled for the domain?
     #
@@ -127,6 +135,7 @@ module Symbiosis
     def certificate_chain
       certificate_chain = OpenSSL::X509::Store.new
       certificate_chain.set_default_paths
+      @ca_paths.each{|path| certificate_chain.add_path(path)}
       certificate_chain.add_file(self.certificate_chain_file) unless self.certificate_chain_file.nil?
       certificate_chain
     end
@@ -280,15 +289,15 @@ module Symbiosis
     #
     #
     unless self.certificate.check_private_key(self.key)
-      raise OpenSSL::X509::CertificateError, "Private key does not match certificate."
+      raise OpenSSL::X509::CertificateError, "Private key does not match certificate )a."
     end
     
     # Now check the certificate can be verified by the key.  Well I *think*
     # that is what the Certificate#verify method is for.
     #
-    unless self.certificate.verify(self.key)
-      raise OpenSSL::X509::CertificateError, "Private key does not match certificate."
-    end
+    #unless self.certificate.verify(self.key)
+    #  raise OpenSSL::X509::CertificateError, "Private key does not match certificate (b)."
+    #end
 
     # At this point, return if certificate is self-signed
     #

apache/test/IntermediateCA/IntermediateCA.crt

+-----BEGIN CERTIFICATE-----
+MIICqDCCAlKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJHQjET
+MBEGA1UECBMKTWFuY2hlc3RlcjEOMAwGA1UEBxMFSHVsbWUxGzAZBgNVBAoTEkJ5
+dGVtYXJrIFN5bWJpb3NpczEQMA4GA1UECxMHUm9vdCBDQTEQMA4GA1UEAxMHUm9v
+dCBDQTAeFw0xMTAzMDQxMTM0NDRaFw0yMTAzMDExMTM0NDRaMGsxCzAJBgNVBAYT
+AkdCMRMwEQYDVQQIEwpNYW5jaGVzdGVyMRswGQYDVQQKExJCeXRlbWFyayBTeW1i
+aW9zaXMxEDAOBgNVBAsTB1Jvb3QgQ0ExGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBD
+QTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCqaCQ2dNqjJ+4F85DQx+ri/vUfECfc
+QOwSLjjFsIoGebc4OwugEXTaxpP/Oh1V+xIO2RjkMMr1zwJ1xoUeYfvbAgMBAAGj
+gdgwgdUwHQYDVR0OBBYEFK25OeEcQeAaihiGOmBgyZ+RENj1MIGlBgNVHSMEgZ0w
+gZqAFASyN4ORhkRe2x8CLIuGu/nGNH3roXekdTBzMQswCQYDVQQGEwJHQjETMBEG
+A1UECBMKTWFuY2hlc3RlcjEOMAwGA1UEBxMFSHVsbWUxGzAZBgNVBAoTEkJ5dGVt
+YXJrIFN5bWJpb3NpczEQMA4GA1UECxMHUm9vdCBDQTEQMA4GA1UEAxMHUm9vdCBD
+QYIJAK3nZ0hQC2qSMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADQQBwSnoR
+m5Dw/40UwqrcrIwPTVOsB0UpPTcKRUvqbPX9yOuyk6e+bI2DRcpWD102d9FK0zf6
+/3kFhQ8tGfE0kDTk
+-----END CERTIFICATE-----

apache/test/IntermediateCA/IntermediateCA.key

+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAKpoJDZ02qMn7gXzkNDH6uL+9R8QJ9xA7BIuOMWwigZ5tzg7C6AR
+dNrGk/86HVX7Eg7ZGOQwyvXPAnXGhR5h+9sCAwEAAQJBAJ1zQBJ5AhNCr7EcDbB7
+J9K5lK8w9EOUUQuzXY17wuybQpPycfiR1eIbzhJ+Z/5BCQ13AEnIXdL51vGUYwyR
+rfECIQDjKBL1+THhTofRneb58GN4lvsJxfBpNnKcSA+jz2sHrwIhAMALXdfuvnAy
+VUzeH1baUA/7yUTDdMOLOioDbIntf22VAiEAxqbIFiYsUe4cZtthIFjylIXs2jop
+Kcm85yE51DbTUe8CIB8sOSlp2YPAx9PYYmHowgI2Lq94wqVTHjffomipInwZAiEA
+i9RPQH3zbX5Malk7E9O70wlOU63cT8VBGHKPsVC9Swc=
+-----END RSA PRIVATE KEY-----

apache/test/RootCA/4d33d4e0.0

+RootCA.crt
\ No newline at end of file

apache/test/RootCA/RootCA.crt

+-----BEGIN CERTIFICATE-----
+MIICuDCCAmKgAwIBAgIJAK3nZ0hQC2qSMA0GCSqGSIb3DQEBBQUAMHMxCzAJBgNV
+BAYTAkdCMRMwEQYDVQQIEwpNYW5jaGVzdGVyMQ4wDAYDVQQHEwVIdWxtZTEbMBkG
+A1UEChMSQnl0ZW1hcmsgU3ltYmlvc2lzMRAwDgYDVQQLEwdSb290IENBMRAwDgYD
+VQQDEwdSb290IENBMB4XDTExMDMwNDEwNDUyNVoXDTIxMDMwMTEwNDUyNVowczEL
+MAkGA1UEBhMCR0IxEzARBgNVBAgTCk1hbmNoZXN0ZXIxDjAMBgNVBAcTBUh1bG1l
+MRswGQYDVQQKExJCeXRlbWFyayBTeW1iaW9zaXMxEDAOBgNVBAsTB1Jvb3QgQ0Ex
+EDAOBgNVBAMTB1Jvb3QgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA6Hz96yfF
+hOyyKukTfOKqZ/vzDo6YpeTqWvu5rfak42I77XpIpDqXQYmwz7Gm2tqkkL7yyJ5o
+MuQVilXu12IygQIDAQABo4HYMIHVMB0GA1UdDgQWBBQEsjeDkYZEXtsfAiyLhrv5
+xjR96zCBpQYDVR0jBIGdMIGagBQEsjeDkYZEXtsfAiyLhrv5xjR966F3pHUwczEL
+MAkGA1UEBhMCR0IxEzARBgNVBAgTCk1hbmNoZXN0ZXIxDjAMBgNVBAcTBUh1bG1l
+MRswGQYDVQQKExJCeXRlbWFyayBTeW1iaW9zaXMxEDAOBgNVBAsTB1Jvb3QgQ0Ex
+EDAOBgNVBAMTB1Jvb3QgQ0GCCQCt52dIUAtqkjAMBgNVHRMEBTADAQH/MA0GCSqG
+SIb3DQEBBQUAA0EA5f/yDutgCDPBxxX6M/w2z1p4P8d36op2F8PfXgwlxWkzstBq
+R0GBDsLY/Hlu2cQhQgm+4BvlmhJCnRiyhOV8Ig==
+-----END CERTIFICATE-----

apache/test/RootCA/RootCA.key

+-----BEGIN RSA PRIVATE KEY-----
+MIIBOQIBAAJBAOh8/esnxYTssirpE3ziqmf78w6OmKXk6lr7ua32pONiO+16SKQ6
+l0GJsM+xptrapJC+8sieaDLkFYpV7tdiMoECAwEAAQJAI75z25+1woYRrn8/O8gt
+oucdq3NJDNhxH6PsHE77cunwa5QyKHsDYpOwCxzyFnj2PvTinh2qtx9EpneoylUA
+AQIhAP+bpt9JDd76ZG4HlUioTQ/j0zAY4IF6xvJ3PWjgqDMBAiEA6NhDdnLtALKw
+7qobBCuQnIC8KKT2SJEJ1WMRoahTf4ECIAJ5BQI/+Kxhi7ssw5ryVdyDfbWHaBSY
+lXgfAy8SjU4BAiAzXEDFR+RvWvscKfl7mgB0BRF8BactqpB4uTmSZwbEAQIgRblh
+r4ZDIbX1XSyqA3K9etaQITOgG2poUhIlB1zEVyE=
+-----END RSA PRIVATE KEY-----

apache/test/tc_ssl_configuration.rb

@@ -70,12 +70,20 @@ class SSLConfigTest < Test::Unit::TestCase
   #
   # Returns a new certificate given a key
   #
-  def do_generate_crt(domain, key=nil, ca=nil)
+  def do_generate_crt(domain, key=nil, ca_cert=nil, ca_key=nil)
     #
     # Generate a key if none has been specified
     #
     key = do_generate_key if key.nil?
 
+    #
+    # Check CA key and cert
+    #
+    if !ca_cert.nil? and !ca_key.nil? and !ca_cert.check_private_key(ca_key)
+      warn "CA certificate and key do not match -- not using." 
+      ca_cert = ca_key = nil
+    end
+  
     # Generate the request 
     csr            = OpenSSL::X509::Request.new
     csr.version    = 0
@@ -90,11 +98,11 @@ class SSLConfigTest < Test::Unit::TestCase
     #
     # Theoretically we could use a CA to sign the cert.
     #
-    if ca.nil?
+    if ca_cert.nil? or ca_key.nil?
+      warn "Not setting the issuer as the CA because the CA key is not set" if !ca_cert.nil? and ca_key.nil?
       crt.issuer    = csr.subject
     else
-      # FIXME
-      raise "Cannot sign cert with a CA yet.  FIXME!"
+      crt.issuer   = ca_cert.subject
     end
     crt.public_key = csr.public_key
     crt.not_before = Time.now
@@ -106,16 +114,23 @@ class SSLConfigTest < Test::Unit::TestCase
     crt.serial     = @@serial
     @@serial += 1
     crt.version    = 1 
-    crt.sign( key, OpenSSL::Digest::SHA1.new )
+
+    if ca_cert.nil? or ca_key.nil?
+      warn "Not signing certificate with CA key because the CA certificate is not set" if ca_cert.nil? and !ca_key.nil?
+      crt.sign( key, OpenSSL::Digest::SHA1.new )  
+    else
+      crt.sign( ca_key, OpenSSL::Digest::SHA1.new )
+    end
+
     crt
   end
   
   #
   # Returns a key and certificate
   #
-  def do_generate_key_and_crt(domain, ca=nil)
+  def do_generate_key_and_crt(domain, ca_cert=nil, ca_key=nil)
     key = do_generate_key
-    return [key, do_generate_crt(domain, key, ca)]
+    return [key, do_generate_crt(domain, key, ca_cert, ca_key)]
   end
   
   ####
@@ -265,6 +280,7 @@ class SSLConfigTest < Test::Unit::TestCase
 
   def test_certificate_chain_file
     # TODO: Requires setting up a dummy CA + intermediate bundle.
+    #
   end
 
   def test_certificate_chain
@@ -385,7 +401,7 @@ class SSLConfigTest < Test::Unit::TestCase
 
   end
 
-  def test_verify
+  def test_verify_self_signed
     #
     # Generate a key and cert
     #
@@ -401,6 +417,10 @@ class SSLConfigTest < Test::Unit::TestCase
     #
     assert_nothing_raised{ @ssl.certificate_file = @domain.directory+"/config/ssl.combined" }
     assert_nothing_raised{ @ssl.key_file         = @domain.directory+"/config/ssl.combined" }
+
+    #
+    # This should not verify yet
+    #
     assert_nothing_raised{ @ssl.verify }
 
     #
@@ -412,10 +432,78 @@ class SSLConfigTest < Test::Unit::TestCase
     #
     File.open(@domain.directory+"/config/ssl.combined","w+"){|fh| fh.write crt.to_pem+do_generate_key.to_pem}
     assert_raise(OpenSSL::X509::CertificateError){ @ssl.verify }
-   
+  end
+
+  def test_verify_with_root_ca
+    #
+    # Use our intermediate CA.
+    #
+    ca_cert = OpenSSL::X509::Certificate.new(File.read("RootCA/RootCA.crt"))
+    ca_key  = OpenSSL::PKey::RSA.new(File.read("RootCA/RootCA.key"))
+
+    #
+    # Add the Root CA path
+    # 
+    @ssl.add_ca_path("./RootCA/")
+
+    #
+    # Generate a key and cert
+    #
+    key = do_generate_key
+    crt = do_generate_crt(@domain.name, key, ca_cert, ca_key)
+
+    #
+    # Write a combined cert
+    #
+    File.open(@domain.directory+"/config/ssl.combined","w+"){|fh| fh.write crt.to_pem+key.to_pem}
+
+    #
+    # This should verify now 
     #
-    # TODO: Work out how to do bundled verifications. Ugh.
+    assert_nothing_raised{ @ssl.certificate_file = @domain.directory+"/config/ssl.combined" }
+    assert_nothing_raised{ @ssl.key_file         = @domain.directory+"/config/ssl.combined" }
+    assert_nothing_raised{ @ssl.verify }
+  end
+
+  def test_verify_with_intermediate_ca
+    #
+    # Use our intermediate CA.
+    #
+    ca_cert = OpenSSL::X509::Certificate.new(File.read("IntermediateCA/IntermediateCA.crt"))
+    ca_key  = OpenSSL::PKey::RSA.new(File.read("IntermediateCA/IntermediateCA.key"))
+
     #
+    # Add the Root CA path
+    # 
+    @ssl.add_ca_path("./RootCA/")
+
+    #
+    # Generate a key and cert
+    #
+    key = do_generate_key
+    crt = do_generate_crt(@domain.name, key, ca_cert, ca_key)
+
+    #
+    # Write a combined cert
+    #
+    File.open(@domain.directory+"/config/ssl.combined","w+"){|fh| fh.write crt.to_pem+key.to_pem}
+
+    #
+    # This should not verify yet, as the bundle hasn't been copied in place.
+    #
+    assert_nothing_raised{ @ssl.certificate_file = @domain.directory+"/config/ssl.combined" }
+    assert_nothing_raised{ @ssl.key_file         = @domain.directory+"/config/ssl.combined" }
+    assert_raise(OpenSSL::X509::CertificateError){ @ssl.verify }
+
+    #
+    # Now copy the bundle in place
+    #
+    FileUtils.cp("IntermediateCA/IntermediateCA.crt",@domain.directory+"/config/ssl.bundle")
+
+    #
+    # Now it should verify just fine.
+    #
+    assert_nothing_raised{ @ssl.verify }
   end
 
   def test_create_ssl_site