qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kgiu...@apache.org
Subject svn commit: r1463301 - in /qpid/branches/0.22/qpid/cpp/src/tests: ./ ssl_test
Date Mon, 01 Apr 2013 20:58:20 GMT
Author: kgiusti
Date: Mon Apr  1 20:58:19 2013
New Revision: 1463301

URL: http://svn.apache.org/r1463301
Log:
NO-JIRA: fix ssl_test to run in older python and nss environments (merge from trunk)

Modified:
    qpid/branches/0.22/qpid/cpp/src/tests/   (props changed)
    qpid/branches/0.22/qpid/cpp/src/tests/ssl_test

Propchange: qpid/branches/0.22/qpid/cpp/src/tests/
------------------------------------------------------------------------------
  Merged /qpid/trunk/qpid/cpp/src/tests:r1461804

Modified: qpid/branches/0.22/qpid/cpp/src/tests/ssl_test
URL: http://svn.apache.org/viewvc/qpid/branches/0.22/qpid/cpp/src/tests/ssl_test?rev=1463301&r1=1463300&r2=1463301&view=diff
==============================================================================
--- qpid/branches/0.22/qpid/cpp/src/tests/ssl_test (original)
+++ qpid/branches/0.22/qpid/cpp/src/tests/ssl_test Mon Apr  1 20:58:19 2013
@@ -26,13 +26,12 @@ source ./test_env.sh
 
 CONFIG=$(dirname $0)/config.null
 TEST_CERT_DIR=`pwd`/test_cert_dir
-SERVER_CERT_DIR=${TEST_CERT_DIR}/test_cert_db
-CA_CERT_DIR=${TEST_CERT_DIR}/ca_cert_db
-OTHER_CA_CERT_DIR=${TEST_CERT_DIR}/x_ca_cert_db
+CERT_DB=${TEST_CERT_DIR}/test_cert_db
 CERT_PW_FILE=`pwd`/cert.password
 TEST_HOSTNAME=127.0.0.1
 TEST_CLIENT_CERT=rumplestiltskin
 CA_PEM_FILE=${TEST_CERT_DIR}/ca_cert.pem
+OTHER_CA_CERT_DB=${TEST_CERT_DIR}/x_ca_cert_db
 OTHER_CA_PEM_FILE=${TEST_CERT_DIR}/other_ca_cert.pem
 PY_PING_BROKER=$top_srcdir/src/tests/ping_broker
 COUNT=10
@@ -41,53 +40,49 @@ trap cleanup EXIT
 
 error() { echo $*; exit 1; }
 
-create_ca_certs() {
-
-    # Set Up the CA DB and self-signed Certificate
-    #
-    mkdir -p ${CA_CERT_DIR}
-    certutil -N -d ${CA_CERT_DIR} -f ${CERT_PW_FILE}
-    certutil -S -d ${CA_CERT_DIR} -n "Test-CA" -s "CN=Test-CA,O=MyCo,ST=Massachusetts,C=US"
-t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
-    certutil -L -d ${CA_CERT_DIR} -n "Test-CA" -a -o ${CA_CERT_DIR}/rootca.crt -f ${CERT_PW_FILE}
-    #certutil -L -d ${CA_CERT_DIR} -f ${CERT_PW_FILE}
-
-    # Set Up another CA DB for testing failure to validate scenario
-    #
-    mkdir -p ${OTHER_CA_CERT_DIR}
-    certutil -N -d ${OTHER_CA_CERT_DIR} -f ${CERT_PW_FILE}
-    certutil -S -d ${OTHER_CA_CERT_DIR} -n "Other-Test-CA" -s "CN=Another Test CA,O=MyCo,ST=Massachusetts,C=US"
-t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
-    certutil -L -d ${OTHER_CA_CERT_DIR} -n "Other-Test-CA" -a -o ${OTHER_CA_CERT_DIR}/rootca.crt
-f ${CERT_PW_FILE}
-    #certutil -L -d ${OTHER_CA_CERT_DIR} -f ${CERT_PW_FILE}
-}
-
-# create server certificate signed by Test-CA
-#    $1 = string used as Subject in certificate
-#    $2 = string used as SubjectAlternateName (SAN) in certificate
-create_server_cert() {
-    mkdir -p ${SERVER_CERT_DIR}
-    rm -rf ${SERVER_CERT_DIR}/*
+# create the test certificate database
+#    $1 = string used as Subject in server's certificate
+#    $2 = string used as SubjectAlternateName (SAN) in server's certificate
+create_certs() {
 
     local CERT_SUBJECT=${1:-"CN=${TEST_HOSTNAME},O=MyCo,ST=Massachusetts,C=US"}
     local CERT_SAN=${2:-"*.server.com"}
 
-    # create database
-    certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE}
-    # create certificate request
-    certutil -R -d ${SERVER_CERT_DIR} -s "${CERT_SUBJECT}" -8 "${CERT_SAN}" -o server.req
-f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
-    # have CA sign it
-    certutil -C -d ${CA_CERT_DIR} -c "Test-CA" -i server.req -o server.crt -f ${CERT_PW_FILE}
-m ${RANDOM}
-    # add it to the database
-    certutil -A -d ${SERVER_CERT_DIR} -n ${TEST_HOSTNAME} -i server.crt -t "Pu,,"
+    mkdir -p ${TEST_CERT_DIR}
+    rm -rf ${TEST_CERT_DIR}/*
+
+    # Set Up a CA with a self-signed Certificate
+    #
+    mkdir -p ${CERT_DB}
+    certutil -N -d ${CERT_DB} -f ${CERT_PW_FILE}
+    certutil -S -d ${CERT_DB} -n "Test-CA" -s "CN=Test-CA,O=MyCo,ST=Massachusetts,C=US" -t
"CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
+    certutil -L -d ${CERT_DB} -n "Test-CA" -a -o ${CERT_DB}/rootca.crt -f ${CERT_PW_FILE}
+    #certutil -L -d ${CERT_DB} -f ${CERT_PW_FILE}
+
+    # create server certificate signed by Test-CA
+    #
+    certutil -R -d ${CERT_DB} -s "${CERT_SUBJECT}" -o server.req -f ${CERT_PW_FILE} -z /bin/sh
> /dev/null 2>&1
+    certutil -C -d ${CERT_DB} -c "Test-CA" -8 "${CERT_SAN}" -i server.req -o server.crt -f
${CERT_PW_FILE} -m ${RANDOM}
+    certutil -A -d ${CERT_DB} -n ${TEST_HOSTNAME} -i server.crt -t "Pu,,"
     rm server.req server.crt
 
-    # now create a certificate for the client
-    certutil -R -d ${SERVER_CERT_DIR} -s "CN=${TEST_CLIENT_CERT}" -8 "*.client.com" -o client.req
-f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
-    certutil -C -d ${CA_CERT_DIR} -c "Test-CA" -i client.req -o client.crt -f ${CERT_PW_FILE}
-m ${RANDOM}
-    certutil -A -d ${SERVER_CERT_DIR} -n ${TEST_CLIENT_CERT} -i client.crt -t "Pu,,"
+    # create a certificate to identify the client
+    #
+    certutil -R -d ${CERT_DB} -s "CN=${TEST_CLIENT_CERT}" -o client.req -f ${CERT_PW_FILE}
-z /bin/sh > /dev/null 2>&1
+    certutil -C -d ${CERT_DB} -c "Test-CA" -8 "*.client.com" -i client.req -o client.crt
-f ${CERT_PW_FILE} -m ${RANDOM}
+    certutil -A -d ${CERT_DB} -n ${TEST_CLIENT_CERT} -i client.crt -t "Pu,,"
     ###
     #certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE}
     #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t "CT,,"
-x -f ${CERT_PW_FILE} -z /usr/bin/certutil
     #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_CLIENT_CERT} -s "CN=${TEST_CLIENT_CERT}"
-t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
+
+    # Set up a separate DB with its own CA for testing failure to validate scenario
+    #
+    mkdir -p ${OTHER_CA_CERT_DB}
+    certutil -N -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE}
+    certutil -S -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -s "CN=Another Test CA,O=MyCo,ST=Massachusetts,C=US"
-t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
+    certutil -L -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -a -o ${OTHER_CA_CERT_DB}/rootca.crt
-f ${CERT_PW_FILE}
+    #certutil -L -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE}
 }
 
 delete_certs() {
@@ -97,7 +92,7 @@ delete_certs() {
 }
 
 # Don't need --no-module-dir or --no-data-dir as they are set as env vars in test_env.sh
-COMMON_OPTS="--daemon --config $CONFIG --load-module $SSL_LIB --ssl-cert-db $SERVER_CERT_DIR
--ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME"
+COMMON_OPTS="--daemon --config $CONFIG --load-module $SSL_LIB --ssl-cert-db $CERT_DB --ssl-cert-password-file
$CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME"
 
 # Start new brokers:
 #   $1 must be integer
@@ -173,15 +168,14 @@ if [[ !(-e ${CERT_PW_FILE}) ]] ;  then
     echo password > ${CERT_PW_FILE}
 fi
 delete_certs
-create_ca_certs || error "Could not create test certificate"
-create_server_cert || error "Could not create server test certificate"
+create_certs || error "Could not create test certificate database"
 
 start_ssl_broker
 PORT=${PORTS[0]}
 echo "Running SSL test on port $PORT"
 export QPID_NO_MODULE_DIR=1
 export QPID_LOAD_MODULE=$SSLCONNECTOR_LIB
-export QPID_SSL_CERT_DB=${SERVER_CERT_DIR}
+export QPID_SSL_CERT_DB=${CERT_DB}
 export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE}
 
 ## Test connection via connection settings
@@ -260,9 +254,8 @@ if [[ !(-x $OPENSSL) ]] ; then
 fi
 
 ## verify python version > 2.5 (only 2.6+ does certificate checking)
-py_major=$(python -c "import sys; print sys.version_info[0]")
-py_minor=$(python -c "import sys; print sys.version_info[1]")
-if (( py_major < 2 || ( py_major == 2 &&  py_minor < 6 ) )); then
+PY_VERSION=$(python -c "import sys; print hex(sys.hexversion)")
+if (( PY_VERSION < 0x02060000 )); then
     echo >&2 "Detected python version < 2.6 - skipping certificate verification
tests"
     exit 0
 fi
@@ -270,12 +263,14 @@ fi
 echo "Testing Certificate validation and Authentication with the Python Client..."
 
 # extract the CA's certificate as a PEM file
+get_ca_certs() {
+    $PK12UTIL -o ${TEST_CERT_DIR}/CA_pk12.out -d ${CERT_DB} -n "Test-CA"  -w ${CERT_PW_FILE}
-k ${CERT_PW_FILE} > /dev/null
+    $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/CA_pk12.out -out ${CA_PEM_FILE} -nokeys -passin
file:${CERT_PW_FILE} >/dev/null
+    $PK12UTIL -o ${TEST_CERT_DIR}/other_CA_pk12.out -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA"
-w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
+    $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys
-passin file:${CERT_PW_FILE} >/dev/null
+}
 
-$PK12UTIL -o ${TEST_CERT_DIR}/CA_pk12.out -d ${CA_CERT_DIR} -n "Test-CA"  -w ${CERT_PW_FILE}
-k ${CERT_PW_FILE} > /dev/null
-$OPENSSL pkcs12 -in ${TEST_CERT_DIR}/CA_pk12.out -out ${CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE}
>/dev/null
-$PK12UTIL -o ${TEST_CERT_DIR}/other_CA_pk12.out -d ${OTHER_CA_CERT_DIR} -n "Other-Test-CA"
-w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
-$OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys
-passin file:${CERT_PW_FILE} >/dev/null
-
+get_ca_certs || error "Could not extract CA certificates as PEM files"
 start_ssl_broker
 PORT=${PORTS[0]}
 URL=amqps://$TEST_HOSTNAME:$PORT
@@ -285,25 +280,10 @@ if `${PY_PING_BROKER} -b $URL --ssl-trus
 if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${OTHER_CA_PEM_FILE} > /dev/null 2>&1`;
then { echo "    Failed"; exit 1; }; else echo "    Passed"; fi
 stop_brokers
 
-# create a certificate with TEST_HOSTNAME only in SAN, should verify OK
-
-create_server_cert "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || error "Could not create
server test certificate"
-start_ssl_broker
-PORT=${PORTS[0]}
-URL=amqps://$TEST_HOSTNAME:$PORT
-if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo "    Passed"; else
{ echo "    Failed"; exit 1; }; fi
-stop_brokers
-
-create_server_cert "O=MyCo" "*${TEST_HOSTNAME}" || error "Could not create server test certificate"
-start_ssl_broker
-PORT=${PORTS[0]}
-URL=amqps://$TEST_HOSTNAME:$PORT
-if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo "    Passed"; else
{ echo "    Failed"; exit 1; }; fi
-stop_brokers
-
 # create a certificate without matching TEST_HOSTNAME, should fail to verify
 
-create_server_cert "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create server test
certificate"
+create_certs "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create server test certificate"
+get_ca_certs || error "Could not extract CA certificates as PEM files"
 start_ssl_broker
 PORT=${PORTS[0]}
 URL=amqps://$TEST_HOSTNAME:$PORT
@@ -312,4 +292,27 @@ if `${PY_PING_BROKER} -b $URL --ssl-trus
 if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} --ssl-skip-hostname-check`;
then echo "    Passed"; else { echo "    Failed"; exit 1; }; fi
 stop_brokers
 
+# test SubjectAltName parsing
+
+if (( PY_VERSION >= 0x02070300 )); then
+    # python 2.7.3+ supports SubjectAltName extraction
+    # create a certificate with TEST_HOSTNAME only in SAN, should verify OK
+    create_certs "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || error "Could not create
server test certificate"
+    get_ca_certs || error "Could not extract CA certificates as PEM files"
+    start_ssl_broker
+    PORT=${PORTS[0]}
+    URL=amqps://$TEST_HOSTNAME:$PORT
+    if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo "    Passed";
else { echo "    Failed"; exit 1; }; fi
+    stop_brokers
+
+    create_certs "O=MyCo" "*${TEST_HOSTNAME}" || error "Could not create server test certificate"
+    get_ca_certs || error "Could not extract CA certificates as PEM files"
+    start_ssl_broker
+    PORT=${PORTS[0]}
+    URL=amqps://$TEST_HOSTNAME:$PORT
+    if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo "    Passed";
else { echo "    Failed"; exit 1; }; fi
+    stop_brokers
+fi
+
+
 



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message