Added new tests for SSL

* tests/Test-https-badcerts.px : New file
* tests/Test-https-clientcert.px : New file
* tests/Test-https-crl.px : New file
* tests/Test-https-weboftrust.px : New file
* tests/certs/interca.conf : New file
* tests/certs/rootca.conf : New file
* tests/certs/test-ca-key.pem : New file

Added all new SSL / HTTPS tests to make check
Added Test for SSL Web of Trust, accept only if CA chain of trust is intact.
Added a test script for client certificate
Added Test for crlfile option of wget
Added test to make sure that wget doesn't accept expired or invalid certs

Some clean up : 1, Removed cause of warnings from perl & other cosmetic changes
                2, Fix  make -j 4 check such that it passes all tests
This commit is contained in:
Vijo Cherian 2017-04-21 12:34:16 -07:00 committed by Tim Rühsen
parent 0b41c7543a
commit 2a96249469
12 changed files with 145 additions and 47 deletions

View File

@ -46,6 +46,7 @@ sub init
%ssl_params = %sargs;
unless (exists($ssl_params{'lhostname'}) &&
exists($ssl_params{'sslport'}) &&
exists($ssl_params{'ciphers'}) &&
exists($ssl_params{'cafile'}) &&
exists($ssl_params{'certfile'}) &&
@ -57,7 +58,7 @@ sub init
sub ssl_setup_conn
{
$sslsock = IO::Socket::SSL->new(LocalAddr => $ssl_params{'lhostname'},
LocalPort => 55443,
LocalPort => $ssl_params{'sslport'},
Listen => 10,
Timeout => 30,
ReuseAddr => 1,

View File

@ -16,6 +16,7 @@ my %ssl_defaults = (
_cafile => "certs/test-ca-cert.pem",
_ciphers => 'ALL',
_lhostname => 'wgettestingserver',
_sslport => 55443,
);
{

View File

@ -20,10 +20,17 @@ my %urls = (
},
);
# Skip the test if openssl is not available
my $ossl = `openssl version`;
unless ($ossl =~ m/OpenSSL 1/)
{
exit 77;
}
my $cdir = $ENV{'PWD'};
# HOSTALIASES env variable allows us to create hosts file alias.
my $testhostname = "wgettesterr";
my $testhostname = "WgetTestingServer";
my $testhostfile = "$cdir/wgethosts";
open(my $fh, '>', $testhostfile);
print $fh "$testhostname 127.0.0.1\n";
@ -52,9 +59,9 @@ my $cacrt = "$cdir/certs/test-ca-cert.pem";
my $cakey = "$cdir/certs/test-ca-key.pem";
# Prepare expired server certificate
my $servercrt = "certs/tmpserver.crt";
my $serverkey = "certs/tmpserver.key";
my $servercsr = "$cdir/certs/tmpserver.csr";
my $servercrt = "certs/tmpserver3.crt";
my $serverkey = "certs/tmpserver3.key";
my $servercsr = "$cdir/certs/tmpserver3.csr";
my $enddate = strftime "%y%m%d%H%M%S%z", localtime(time-86400);
my $startdate = strftime "%y%m%d%H%M%S%z", localtime(time+86400);
my $serversubj = "/C=US/ST=CA/L=Server Mystery Spot/O=Serv/CN=".
@ -77,8 +84,9 @@ unless(-e $servercrt && -e $serverkey && $servercheck == 1)
}
# Try Wget using SSL with expired cert. Expect Failure.
my $port = 60443;
my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cacrt".
" https://$testhostname:55443/somefile.txt";
" https://$testhostname:$port/somefile.txt";
my $expected_error_code = 5;
my %existing_files = (
);
@ -96,7 +104,8 @@ my $sslsock = SSLTest->new(cmdline => $cmdline,
output => \%expected_downloaded_files,
certfile => $servercrt,
keyfile => $serverkey,
lhostname => $testhostname);
lhostname => $testhostname,
sslport => $port);
if ($sslsock->run() == 0)
{
exit -1;
@ -123,8 +132,9 @@ unless(-e $servercrt && -e $serverkey && $servercheck == 1)
# Retry the test with --no-check-certificate. expect success
$port = 50443;
$cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cacrt".
" https://$testhostname:55443/somefile.txt";
" https://$testhostname:$port/somefile.txt";
$expected_error_code = 5;
@ -135,7 +145,8 @@ my $retryssl = SSLTest->new(cmdline => $cmdline,
output => \%expected_downloaded_files,
certfile => $servercrt,
keyfile => $serverkey,
lhostname => $testhostname);
lhostname => $testhostname,
sslport => $port);
if ($retryssl->run() == 0)
{
exit 0;

View File

@ -19,10 +19,17 @@ my %urls = (
},
);
# Skip the test if openssl is not available
my $ossl = `openssl version`;
unless ($ossl =~ m/OpenSSL 1/)
{
exit 77;
}
my $cdir = $ENV{'PWD'};
# HOSTALIASES env variable allows us to create hosts file alias.
my $testhostname = "wgettesterr";
my $testhostname = "WgetTestingServer";
my $testhostfile = "$cdir/wgethosts";
open(my $fh, '>', $testhostfile);
print $fh "$testhostname 127.0.0.1\n";
@ -50,8 +57,8 @@ my $cacrt = "$cdir/certs/test-ca-cert.pem";
my $cakey = "$cdir/certs/test-ca-key.pem";
# Prepare server certificate
my $servercrt = "certs/tmpserver.crt";
my $serverkey = "certs/tmpserver.key";
my $servercrt = "certs/tmpserver1.crt";
my $serverkey = "certs/tmpserver1.key";
my $servercsr = "$cdir/certs/tmpserver.csr";
my $serversubj = "/C=US/ST=CA/L=Server Mystery Spot/O=Serv/CN=".
"$testhostname/emailAddress=servertester";
@ -95,10 +102,11 @@ unless(-e $clientcert && -e $clientkey && $clientcheck == 1)
}
# Try Wget using SSL with mismatched client cert & key . Expect error
my $port = 51443;
my $cmdline = $WgetTest::WGETPATH . " --certificate=$clientcert ".
" --private-key=$serverkey ".
" --ca-certificate=$cacrt".
" https://$testhostname:55443/somefile.txt";
" https://$testhostname:$port/somefile.txt";
my $expected_error_code = 5;
my %existing_files = (
);
@ -116,17 +124,19 @@ my $sslsock = SSLTest->new(cmdline => $cmdline,
output => \%expected_downloaded_files,
certfile => $servercrt,
keyfile => $serverkey,
lhostname => $testhostname);
lhostname => $testhostname,
sslport => $port);
if ($sslsock->run() == 0)
{
exit 0;
}
# Retry wget using SSL with client certificate. Expect success
$port = 52443;
$cmdline = $WgetTest::WGETPATH . " --certificate=$clientcert".
" --private-key=$clientkey ".
" --ca-certificate=$cacrt".
" https://$testhostname:55443/somefile.txt";
" https://$testhostname:$port/somefile.txt";
$expected_error_code = 0;
@ -137,6 +147,7 @@ my $retryssl = SSLTest->new(cmdline => $cmdline,
output => \%expected_downloaded_files,
certfile => $servercrt,
keyfile => $serverkey,
lhostname => $testhostname);
lhostname => $testhostname,
sslport => $port);
exit $retryssl->run();
# vim: et ts=4 sw=4

View File

@ -19,10 +19,17 @@ my %urls = (
},
);
# Skip the test if openssl is not available
my $ossl = `openssl version`;
unless ($ossl =~ m/OpenSSL 1/)
{
exit 77;
}
my $cdir = $ENV{'PWD'};
# HOSTALIASES env variable allows us to create hosts file alias.
my $testhostname = "wgettesterr";
my $testhostname = "WgetTestingServer";
my $testhostfile = "$cdir/wgethosts";
open(my $fh, '>', $testhostfile);
print $fh "$testhostname 127.0.0.1\n";
@ -51,8 +58,8 @@ my $cacrt = "$cdir/certs/test-ca-cert.pem";
my $cakey = "$cdir/certs/test-ca-key.pem";
# Prepare server certificate
my $servercrt = "certs/tmpserver.crt";
my $serverkey = "certs/tmpserver.key";
my $servercrt = "certs/tmpserver2.crt";
my $serverkey = "certs/tmpserver2.key";
my $servercsr = "$cdir/certs/tmpserver.csr";
my $serversubj = "/C=US/ST=CA/L=Server Mystery Spot/O=Serv/CN=".
"$testhostname/emailAddress=servertester";
@ -74,8 +81,9 @@ unless(-e $servercrt && -e $serverkey && $servercheck == 1)
}
# Try Wget using SSL first without --no-check-certificate. Expect Success.
my $port = 62443;
my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cacrt".
" https://$testhostname:55443/somefile.txt";
" https://$testhostname:$port/somefile.txt";
my $expected_error_code = 0;
my %existing_files = (
);
@ -93,7 +101,8 @@ my $sslsock = SSLTest->new(cmdline => $cmdline,
output => \%expected_downloaded_files,
certfile => $servercrt,
keyfile => $serverkey,
lhostname => $testhostname);
lhostname => $testhostname,
sslport => $port);
if ($sslsock->run() != 0)
{
exit -1;
@ -101,7 +110,7 @@ if ($sslsock->run() != 0)
# Revoke the certificate
my $crlfile = "$cdir/certs/servercrl.pem";
my $revokecmd = "openssl ca -config $caconf -revoke $servercrt &&
my $revokecmd = "openssl ca -config $caconf -revoke $servercrt &&
openssl ca -config $caconf -gencrl -keyfile $cakey ".
"-cert $cacrt -out $crlfile";
@ -116,9 +125,10 @@ unless(-e $crlfile)
# openssl crl -text -in certs/root.crl.pem
# Retry the test with CRL. Expect Failure.
$port = 53443;
$cmdline = $WgetTest::WGETPATH . " --crl-file=$crlfile ".
" --ca-certificate=$cacrt".
" https://$testhostname:55443/somefile.txt";
" https://$testhostname:$port/somefile.txt";
$expected_error_code = 5;
@ -129,7 +139,8 @@ my $retryssl = SSLTest->new(cmdline => $cmdline,
output => \%expected_downloaded_files,
certfile => $servercrt,
keyfile => $serverkey,
lhostname => $testhostname);
lhostname => $testhostname,
sslport => $port);
if ($retryssl->run() == 0)
{
exit -1;

View File

@ -19,6 +19,13 @@ my %urls = (
},
);
# Skip the test if openssl is not available
my $ossl = `openssl version`;
unless ($ossl =~ m/OpenSSL 1/)
{
exit 77;
}
my $cdir = $ENV{'PWD'};
# HOSTALIASES env variable allows us to create hosts file alias.
my $testhostname = "WgetTestingServer";
@ -27,7 +34,11 @@ open(my $fh, '>', $testhostfile);
print $fh "$testhostname 127.0.0.1\n";
close $fh;
$ENV{'HOSTALIASES'} = "$cdir/wgethosts";
my $cmdline = $WgetTest::WGETPATH . " --secure-protocol=PFS --ca-certificate=$cdir/certs/test-ca-cert.pem https://$testhostname:55443/somefile.txt";
my $port = 54443;
my $cmdline = $WgetTest::WGETPATH . " --secure-protocol=PFS".
" --ca-certificate=$cdir/certs/test-ca-cert.pem".
" https://$testhostname:$port/somefile.txt";
my $expected_error_code = 0;
@ -44,7 +55,8 @@ my $sslsock = SSLTest->new(cmdline => $cmdline,
input => \%urls,
errcode => $expected_error_code,
existing => \%existing_files,
output => \%expected_downloaded_files);
output => \%expected_downloaded_files,
sslport => $port);
exit $sslsock->run();
# vim: et ts=4 sw=4

View File

@ -19,10 +19,17 @@ my %urls = (
},
);
# Skip the test if openssl is not available
my $ossl = `openssl version`;
unless ($ossl =~ m/OpenSSL 1/)
{
exit 77;
}
my $cdir = $ENV{'PWD'};
# HOSTALIASES env variable allows us to create hosts file alias.
my $testhostname = "wgettesterr";
my $testhostname = "WgetTestingServer";
my $testhostfile = "$cdir/wgethosts";
open(my $fh, '>', $testhostfile);
print $fh "$testhostname 127.0.0.1\n";
@ -33,10 +40,13 @@ $ENV{'HOSTALIASES'} = "$cdir/wgethosts";
my $certfile="tmpsscert.pem";
my $keyfile="tmpsskey.pem";
my $certsubj="/C=US/ST=CA/L=Mystery Spot/O=Dis/CN=$testhostname/emailAddress=tester";
my $sscertcmd="openssl req -x509 -nodes -newkey rsa:4096 -keyout $keyfile -out $certfile -days 365 -subj \"$certsubj\"";
my $sscertcmd="openssl req -x509 -nodes -newkey rsa:4096 -keyout $keyfile ".
" -out $certfile -days 365 -subj \"$certsubj\"";
system($sscertcmd);
my $sscheck=`(openssl x509 -noout -modulus -in $certfile | openssl md5 ; openssl rsa -noout -modulus -in $keyfile | openssl md5) | uniq|wc -l`;
my $sscheck=`(openssl x509 -noout -modulus -in $certfile | openssl md5 ;
openssl rsa -noout -modulus -in $keyfile | openssl md5) |
uniq|wc -l`;
# Check if Self signed certificate and key are made correctly.
unless(-e $certfile && -e $keyfile && $sscheck == 1)
@ -45,7 +55,9 @@ unless(-e $certfile && -e $keyfile && $sscheck == 1)
}
# Try Wget using SSL first without --no-check-certificate. expect error
my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cdir/certs/test-ca-cert.pem https://$testhostname:55443/somefile.txt";
my $port = 56443;
my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cdir/certs/test-ca-cert.pem".
" https://$testhostname:$port/somefile.txt";
my $expected_error_code = 5;
my %existing_files = (
);
@ -63,14 +75,18 @@ my $sslsock = SSLTest->new(cmdline => $cmdline,
output => \%expected_downloaded_files,
certfile => $certfile,
keyfile => $keyfile,
lhostname => $testhostname);
lhostname => $testhostname,
sslport => $port);
if ($sslsock->run() == 0)
{
exit 0;
}
# Retry the test with --no-check-certificate. expect success
$cmdline = $WgetTest::WGETPATH . " --no-check-certificate --ca-certificate=$cdir/certs/test-ca-cert.pem https://$testhostname:55443/somefile.txt";
$port = 57443;
$cmdline = $WgetTest::WGETPATH . " --no-check-certificate ".
" --ca-certificate=$cdir/certs/test-ca-cert.pem".
" https://$testhostname:$port/somefile.txt";
$expected_error_code = 0;
@ -81,6 +97,7 @@ my $retryssl = SSLTest->new(cmdline => $cmdline,
output => \%expected_downloaded_files,
certfile => $certfile,
keyfile => $keyfile,
lhostname => $testhostname);
lhostname => $testhostname,
sslport => $port);
exit $retryssl->run();
# vim: et ts=4 sw=4

View File

@ -19,6 +19,13 @@ my %urls = (
},
);
# Skip the test if openssl is not available
my $ossl = `openssl version`;
unless ($ossl =~ m/OpenSSL 1/)
{
exit 77;
}
my $cdir = $ENV{'PWD'};
# HOSTALIASES env variable allows us to create hosts file alias.
my $testhostname = "WgetTestingServer";
@ -27,7 +34,11 @@ open(my $fh, '>', $testhostfile);
print $fh "$testhostname 127.0.0.1\n";
close $fh;
$ENV{'HOSTALIASES'} = "$cdir/wgethosts";
my $cmdline = $WgetTest::WGETPATH . " --secure-protocol=TLSv1 --ca-certificate=$cdir/certs/test-ca-cert.pem https://$testhostname:55443/somefile.txt";
my $port = 58443;
my $cmdline = $WgetTest::WGETPATH . " --secure-protocol=TLSv1".
" --ca-certificate=$cdir/certs/test-ca-cert.pem".
" https://$testhostname:$port/somefile.txt";
my $expected_error_code = 0;
@ -44,7 +55,8 @@ my $sslsock = SSLTest->new(cmdline => $cmdline,
input => \%urls,
errcode => $expected_error_code,
existing => \%existing_files,
output => \%expected_downloaded_files);
output => \%expected_downloaded_files,
sslport => $port);
exit $sslsock->run();
# vim: et ts=4 sw=4

View File

@ -19,6 +19,13 @@ my %urls = (
},
);
# Skip the test if openssl is not available
my $ossl = `openssl version`;
unless ($ossl =~ m/OpenSSL 1/)
{
exit 77;
}
my $cdir = $ENV{'PWD'};
# HOSTALIASES env variable allows us to create hosts file alias.
my $testhostname = "WgetTestingServer";
@ -27,7 +34,11 @@ open(my $fh, '>', $testhostfile);
print $fh "$testhostname 127.0.0.1\n";
close $fh;
$ENV{'HOSTALIASES'} = "$cdir/wgethosts";
my $cmdline = $WgetTest::WGETPATH . " --secure-protocol=TLSv1_1 --ca-certificate=$cdir/certs/test-ca-cert.pem https://$testhostname:55443/somefile.txt";
my $port = 59443;
my $cmdline = $WgetTest::WGETPATH . " --secure-protocol=TLSv1_1".
" --ca-certificate=$cdir/certs/test-ca-cert.pem".
" https://$testhostname:$port/somefile.txt";
my $expected_error_code = 0;
@ -44,7 +55,8 @@ my $sslsock = SSLTest->new(cmdline => $cmdline,
input => \%urls,
errcode => $expected_error_code,
existing => \%existing_files,
output => \%expected_downloaded_files);
output => \%expected_downloaded_files,
sslport => $port);
exit $sslsock->run();
# vim: et ts=4 sw=4

View File

@ -19,10 +19,17 @@ my %urls = (
},
);
# Skip the test if openssl is not available
my $ossl = `openssl version`;
unless ($ossl =~ m/OpenSSL 1/)
{
exit 77;
}
my $cdir = $ENV{'PWD'};
# HOSTALIASES env variable allows us to create hosts file alias.
my $testhostname = "wgettesterr";
my $testhostname = "WgetTestingServer";
my $testhostfile = "$cdir/wgethosts";
open(my $fh, '>', $testhostfile);
print $fh "$testhostname 127.0.0.1\n";
@ -112,8 +119,9 @@ unless(-e $usrcrt && -e $ikeyfile && $usrcheck == 1)
}
# Try Wget using SSL using certificate signed by intermediate CA. Expect error.
my $port = 60443;
my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cdir/certs/".
"test-ca-cert.pem https://$testhostname:55443/somefile.txt";
"test-ca-cert.pem https://$testhostname:$port/somefile.txt";
my $expected_error_code = 5;
my %existing_files = (
);
@ -138,8 +146,9 @@ if ($sslsock->run() == 0)
}
# Retry the test with --no-check-certificate. expect success
$port = 61443;
$cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cdir/certs/wotca.pem".
" https://$testhostname:55443/somefile.txt";
" https://$testhostname:$port/somefile.txt";
$expected_error_code = 0;
@ -150,6 +159,7 @@ my $retryssl = SSLTest->new(cmdline => $cmdline,
output => \%expected_downloaded_files,
certfile => $usrcrt,
keyfile => $usrkey,
lhostname => $testhostname);
lhostname => $testhostname,
sslport => $port);
exit $retryssl->run();
# vim: et ts=4 sw=4

View File

@ -2,14 +2,14 @@
default_ca = myca
[ crl_ext ]
issuerAltName=issuer:copy
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ myca ]
dir = ./certs/
new_certs_dir = $dir
unique_subject = no
certificate = $dir/interca.crt
certificate = $dir/interca.crt
database = $dir/certindex
private_key = $dir/interca.key
serial = $dir/certserial
@ -51,7 +51,7 @@ authorityKeyIdentifier=keyid:always
authorityInfoAccess = @ocsp_section
[alt_names]
DNS.0 = wgettesterr
DNS.0 = WgetTestingServer
[crl_section]
URI.0 = http://intertest.wgettest.org/Bogus.crl

View File

@ -2,14 +2,14 @@
default_ca = myca
[ crl_ext ]
issuerAltName=issuer:copy
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ myca ]
dir = ./certs/
new_certs_dir = $dir
unique_subject = no
certificate = $dir/test-ca-cert.pem
certificate = $dir/test-ca-cert.pem
database = $dir/certindex
private_key = $dir/test-ca-key.pem
serial = $dir/certserial
@ -51,7 +51,7 @@ authorityKeyIdentifier=keyid:always
authorityInfoAccess = @ocsp_section
[alt_names]
DNS.0 = wgettesterr
DNS.0 = WgetTestingServer
[crl_section]
URI.0 = http://test.wgettest.org/Bogus.crl