Posted to commits@qpid.apache.org by kg...@apache.org on 2013/04/01 22:58:20 UTC

svn commit: r1463301 - in /qpid/branches/0.22/qpid/cpp/src/tests: ./ ssl_test

Author: kgiusti
Date: Mon Apr  1 20:58:19 2013
New Revision: 1463301

URL: http://svn.apache.org/r1463301
Log:
NO-JIRA: fix ssl_test to run in older python and nss environments (merge from trunk)

Modified:
    qpid/branches/0.22/qpid/cpp/src/tests/   (props changed)
    qpid/branches/0.22/qpid/cpp/src/tests/ssl_test

Propchange: qpid/branches/0.22/qpid/cpp/src/tests/
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/cpp/src/tests:r1461804

Modified: qpid/branches/0.22/qpid/cpp/src/tests/ssl_test
URL: http://svn.apache.org/viewvc/qpid/branches/0.22/qpid/cpp/src/tests/ssl_test?rev=1463301&r1=1463300&r2=1463301&view=diff
==============================================================================
--- qpid/branches/0.22/qpid/cpp/src/tests/ssl_test (original)
+++ qpid/branches/0.22/qpid/cpp/src/tests/ssl_test Mon Apr  1 20:58:19 2013
@@ -26,13 +26,12 @@ source ./test_env.sh
 
 CONFIG=$(dirname $0)/config.null
 TEST_CERT_DIR=`pwd`/test_cert_dir
-SERVER_CERT_DIR=${TEST_CERT_DIR}/test_cert_db
-CA_CERT_DIR=${TEST_CERT_DIR}/ca_cert_db
-OTHER_CA_CERT_DIR=${TEST_CERT_DIR}/x_ca_cert_db
+CERT_DB=${TEST_CERT_DIR}/test_cert_db
 CERT_PW_FILE=`pwd`/cert.password
 TEST_HOSTNAME=127.0.0.1
 TEST_CLIENT_CERT=rumplestiltskin
 CA_PEM_FILE=${TEST_CERT_DIR}/ca_cert.pem
+OTHER_CA_CERT_DB=${TEST_CERT_DIR}/x_ca_cert_db
 OTHER_CA_PEM_FILE=${TEST_CERT_DIR}/other_ca_cert.pem
 PY_PING_BROKER=$top_srcdir/src/tests/ping_broker
 COUNT=10
@@ -41,53 +40,49 @@ trap cleanup EXIT
 
 error() { echo $*; exit 1; }
 
-create_ca_certs() {
-
-    # Set Up the CA DB and self-signed Certificate
-    #
-    mkdir -p ${CA_CERT_DIR}
-    certutil -N -d ${CA_CERT_DIR} -f ${CERT_PW_FILE}
-    certutil -S -d ${CA_CERT_DIR} -n "Test-CA" -s "CN=Test-CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
-    certutil -L -d ${CA_CERT_DIR} -n "Test-CA" -a -o ${CA_CERT_DIR}/rootca.crt -f ${CERT_PW_FILE}
-    #certutil -L -d ${CA_CERT_DIR} -f ${CERT_PW_FILE}
-
-    # Set Up another CA DB for testing failure to validate scenario
-    #
-    mkdir -p ${OTHER_CA_CERT_DIR}
-    certutil -N -d ${OTHER_CA_CERT_DIR} -f ${CERT_PW_FILE}
-    certutil -S -d ${OTHER_CA_CERT_DIR} -n "Other-Test-CA" -s "CN=Another Test CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
-    certutil -L -d ${OTHER_CA_CERT_DIR} -n "Other-Test-CA" -a -o ${OTHER_CA_CERT_DIR}/rootca.crt -f ${CERT_PW_FILE}
-    #certutil -L -d ${OTHER_CA_CERT_DIR} -f ${CERT_PW_FILE}
-}
-
-# create server certificate signed by Test-CA
-#    $1 = string used as Subject in certificate
-#    $2 = string used as SubjectAlternateName (SAN) in certificate
-create_server_cert() {
-    mkdir -p ${SERVER_CERT_DIR}
-    rm -rf ${SERVER_CERT_DIR}/*
+# create the test certificate database
+#    $1 = string used as Subject in server's certificate
+#    $2 = string used as SubjectAlternateName (SAN) in server's certificate
+create_certs() {
 
     local CERT_SUBJECT=${1:-"CN=${TEST_HOSTNAME},O=MyCo,ST=Massachusetts,C=US"}
     local CERT_SAN=${2:-"*.server.com"}
 
-    # create database
-    certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE}
-    # create certificate request
-    certutil -R -d ${SERVER_CERT_DIR} -s "${CERT_SUBJECT}" -8 "${CERT_SAN}" -o server.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
-    # have CA sign it
-    certutil -C -d ${CA_CERT_DIR} -c "Test-CA" -i server.req -o server.crt -f ${CERT_PW_FILE} -m ${RANDOM}
-    # add it to the database
-    certutil -A -d ${SERVER_CERT_DIR} -n ${TEST_HOSTNAME} -i server.crt -t "Pu,,"
+    mkdir -p ${TEST_CERT_DIR}
+    rm -rf ${TEST_CERT_DIR}/*
+
+    # Set Up a CA with a self-signed Certificate
+    #
+    mkdir -p ${CERT_DB}
+    certutil -N -d ${CERT_DB} -f ${CERT_PW_FILE}
+    certutil -S -d ${CERT_DB} -n "Test-CA" -s "CN=Test-CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
+    certutil -L -d ${CERT_DB} -n "Test-CA" -a -o ${CERT_DB}/rootca.crt -f ${CERT_PW_FILE}
+    #certutil -L -d ${CERT_DB} -f ${CERT_PW_FILE}
+
+    # create server certificate signed by Test-CA
+    #
+    certutil -R -d ${CERT_DB} -s "${CERT_SUBJECT}" -o server.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
+    certutil -C -d ${CERT_DB} -c "Test-CA" -8 "${CERT_SAN}" -i server.req -o server.crt -f ${CERT_PW_FILE} -m ${RANDOM}
+    certutil -A -d ${CERT_DB} -n ${TEST_HOSTNAME} -i server.crt -t "Pu,,"
     rm server.req server.crt
 
-    # now create a certificate for the client
-    certutil -R -d ${SERVER_CERT_DIR} -s "CN=${TEST_CLIENT_CERT}" -8 "*.client.com" -o client.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
-    certutil -C -d ${CA_CERT_DIR} -c "Test-CA" -i client.req -o client.crt -f ${CERT_PW_FILE} -m ${RANDOM}
-    certutil -A -d ${SERVER_CERT_DIR} -n ${TEST_CLIENT_CERT} -i client.crt -t "Pu,,"
+    # create a certificate to identify the client
+    #
+    certutil -R -d ${CERT_DB} -s "CN=${TEST_CLIENT_CERT}" -o client.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
+    certutil -C -d ${CERT_DB} -c "Test-CA" -8 "*.client.com" -i client.req -o client.crt -f ${CERT_PW_FILE} -m ${RANDOM}
+    certutil -A -d ${CERT_DB} -n ${TEST_CLIENT_CERT} -i client.crt -t "Pu,,"
     ###
     #certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE}
     #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
     #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_CLIENT_CERT} -s "CN=${TEST_CLIENT_CERT}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
+
+    # Set up a separate DB with its own CA for testing failure to validate scenario
+    #
+    mkdir -p ${OTHER_CA_CERT_DB}
+    certutil -N -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE}
+    certutil -S -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -s "CN=Another Test CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
+    certutil -L -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -a -o ${OTHER_CA_CERT_DB}/rootca.crt -f ${CERT_PW_FILE}
+    #certutil -L -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE}
 }
 
 delete_certs() {
@@ -97,7 +92,7 @@ delete_certs() {
 }
 
 # Don't need --no-module-dir or --no-data-dir as they are set as env vars in test_env.sh
-COMMON_OPTS="--daemon --config $CONFIG --load-module $SSL_LIB --ssl-cert-db $SERVER_CERT_DIR --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME"
+COMMON_OPTS="--daemon --config $CONFIG --load-module $SSL_LIB --ssl-cert-db $CERT_DB --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME"
 
 # Start new brokers:
 #   $1 must be integer
@@ -173,15 +168,14 @@ if [[ !(-e ${CERT_PW_FILE}) ]] ;  then
     echo password > ${CERT_PW_FILE}
 fi
 delete_certs
-create_ca_certs || error "Could not create test certificate"
-create_server_cert || error "Could not create server test certificate"
+create_certs || error "Could not create test certificate database"
 
 start_ssl_broker
 PORT=${PORTS[0]}
 echo "Running SSL test on port $PORT"
 export QPID_NO_MODULE_DIR=1
 export QPID_LOAD_MODULE=$SSLCONNECTOR_LIB
-export QPID_SSL_CERT_DB=${SERVER_CERT_DIR}
+export QPID_SSL_CERT_DB=${CERT_DB}
 export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE}
 
 ## Test connection via connection settings
@@ -260,9 +254,8 @@ if [[ !(-x $OPENSSL) ]] ; then
 fi
 
 ## verify python version > 2.5 (only 2.6+ does certificate checking)
-py_major=$(python -c "import sys; print sys.version_info[0]")
-py_minor=$(python -c "import sys; print sys.version_info[1]")
-if (( py_major < 2 || ( py_major == 2 &&  py_minor < 6 ) )); then
+PY_VERSION=$(python -c "import sys; print hex(sys.hexversion)")
+if (( PY_VERSION < 0x02060000 )); then
     echo >&2 "Detected python version < 2.6 - skipping certificate verification tests"
     exit 0
 fi
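Review bot: If the `python -c` probe fails — no python on PATH, or a python 3 interpreter rejecting the `print` statement — PY_VERSION is empty, `(( PY_VERSION < 0x02060000 ))` evaluates the empty value as 0, and the script exits 0 having silently skipped every certificate-verification test below it; the same variable gates the SubjectAltName block at the end of the file. Check both the substitution and the value before comparing: `PY_VERSION=$(python -c "import sys; print hex(sys.hexversion)") || error "Could not determine python version"` followed by `[[ -n "$PY_VERSION" ]] || error "Could not determine python version"`.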
@@ -270,12 +263,14 @@ fi
 echo "Testing Certificate validation and Authentication with the Python Client..."
 
 # extract the CA's certificate as a PEM file
+get_ca_certs() {
+    $PK12UTIL -o ${TEST_CERT_DIR}/CA_pk12.out -d ${CERT_DB} -n "Test-CA"  -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
+    $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/CA_pk12.out -out ${CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null
+    $PK12UTIL -o ${TEST_CERT_DIR}/other_CA_pk12.out -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
+    $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null
+}
 
-$PK12UTIL -o ${TEST_CERT_DIR}/CA_pk12.out -d ${CA_CERT_DIR} -n "Test-CA"  -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
-$OPENSSL pkcs12 -in ${TEST_CERT_DIR}/CA_pk12.out -out ${CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null
-$PK12UTIL -o ${TEST_CERT_DIR}/other_CA_pk12.out -d ${OTHER_CA_CERT_DIR} -n "Other-Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
-$OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null
-
+get_ca_certs || error "Could not extract CA certificates as PEM files"
 start_ssl_broker
 PORT=${PORTS[0]}
 URL=amqps://$TEST_HOSTNAME:$PORT
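Review bot: get_ca_certs returns the status of the last `$OPENSSL pkcs12` line only, so a failed pk12util export or a failed conversion of the Test-CA PEM is masked and `get_ca_certs || error` never fires; the following ping test then runs against a stale ${CA_PEM_FILE} left by the previous create_certs/get_ca_certs round, or fails to open it, and the log blames the wrong step. Append `|| return 1` to each of the four commands in the function. The pk12util output files hold the CA private key together with the certificate (`-nokeys` only limits what openssl writes to the PEM), so remove them once the PEM exists, `rm -f -- ${TEST_CERT_DIR}/CA_pk12.out ${TEST_CERT_DIR}/other_CA_pk12.out`, unless delete_certs — outside this hunk — already covers them.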
@@ -285,25 +280,10 @@ if `${PY_PING_BROKER} -b $URL --ssl-trus
 if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${OTHER_CA_PEM_FILE} > /dev/null 2>&1`; then { echo "    Failed"; exit 1; }; else echo "    Passed"; fi
 stop_brokers
 
-# create a certificate with TEST_HOSTNAME only in SAN, should verify OK
-
-create_server_cert "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || error "Could not create server test certificate"
-start_ssl_broker
-PORT=${PORTS[0]}
-URL=amqps://$TEST_HOSTNAME:$PORT
-if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo "    Passed"; else { echo "    Failed"; exit 1; }; fi
-stop_brokers
-
-create_server_cert "O=MyCo" "*${TEST_HOSTNAME}" || error "Could not create server test certificate"
-start_ssl_broker
-PORT=${PORTS[0]}
-URL=amqps://$TEST_HOSTNAME:$PORT
-if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo "    Passed"; else { echo "    Failed"; exit 1; }; fi
-stop_brokers
-
 # create a certificate without matching TEST_HOSTNAME, should fail to verify
 
-create_server_cert "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create server test certificate"
+create_certs "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create server test certificate"
+get_ca_certs || error "Could not extract CA certificates as PEM files"
 start_ssl_broker
 PORT=${PORTS[0]}
 URL=amqps://$TEST_HOSTNAME:$PORT
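Review bot: The error text on the new `create_certs` call still reads "Could not create server test certificate", but create_certs now rebuilds the whole database (both CAs and the client certificate as well), and the earlier call site in this file reports "Could not create test certificate database" for the same function. Use the same message here, `create_certs "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create test certificate database"`, so a failure in the log points at the right step; the same applies to the two calls in the SubjectAltName block at the end of the file.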
@@ -312,4 +292,27 @@ if `${PY_PING_BROKER} -b $URL --ssl-trus
 if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} --ssl-skip-hostname-check`; then echo "    Passed"; else { echo "    Failed"; exit 1; }; fi
 stop_brokers
 
+# test SubjectAltName parsing
+
+if (( PY_VERSION >= 0x02070300 )); then
+    # python 2.7.3+ supports SubjectAltName extraction
+    # create a certificate with TEST_HOSTNAME only in SAN, should verify OK
+    create_certs "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || error "Could not create server test certificate"
+    get_ca_certs || error "Could not extract CA certificates as PEM files"
+    start_ssl_broker
+    PORT=${PORTS[0]}
+    URL=amqps://$TEST_HOSTNAME:$PORT
+    if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo "    Passed"; else { echo "    Failed"; exit 1; }; fi
+    stop_brokers
+
+    create_certs "O=MyCo" "*${TEST_HOSTNAME}" || error "Could not create server test certificate"
+    get_ca_certs || error "Could not extract CA certificates as PEM files"
+    start_ssl_broker
+    PORT=${PORTS[0]}
+    URL=amqps://$TEST_HOSTNAME:$PORT
+    if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo "    Passed"; else { echo "    Failed"; exit 1; }; fi
+    stop_brokers
+fi
+
+
 
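Review bot: When PY_VERSION is below 0x02070300 the SubjectAltName tests are skipped without any output, unlike the < 2.6 check earlier in the file which announces the skip on stderr, so a reader of the test log cannot distinguish a skipped run from a passing one. Add an `else` arm before the closing `fi`: `else echo >&2 "Detected python version < 2.7.3 - skipping SubjectAltName tests"`. Note that an empty PY_VERSION (a failed version probe) also evaluates as 0 here and takes the skip path silently.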


