From 7f52bf9af8c3704f9404fb5df66fd7034a3a3c9d Mon Sep 17 00:00:00 2001 From: Kenneth Anthony Giusti Date: Wed, 27 Mar 2013 19:04:45 +0000 Subject: NO-JIRA: fix ssl_test to run in older python and nss environments. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1461804 13f79535-47bb-0310-9956-ffa450edef68 --- cpp/src/tests/ssl_test | 141 +++++++++++++++++++++++++------------------------ 1 file changed, 72 insertions(+), 69 deletions(-) (limited to 'cpp/src') diff --git a/cpp/src/tests/ssl_test b/cpp/src/tests/ssl_test index 9ce2880caa..cfbd253ab8 100755 --- a/cpp/src/tests/ssl_test +++ b/cpp/src/tests/ssl_test @@ -26,13 +26,12 @@ source ./test_env.sh CONFIG=$(dirname $0)/config.null TEST_CERT_DIR=`pwd`/test_cert_dir -SERVER_CERT_DIR=${TEST_CERT_DIR}/test_cert_db -CA_CERT_DIR=${TEST_CERT_DIR}/ca_cert_db -OTHER_CA_CERT_DIR=${TEST_CERT_DIR}/x_ca_cert_db +CERT_DB=${TEST_CERT_DIR}/test_cert_db CERT_PW_FILE=`pwd`/cert.password TEST_HOSTNAME=127.0.0.1 TEST_CLIENT_CERT=rumplestiltskin CA_PEM_FILE=${TEST_CERT_DIR}/ca_cert.pem +OTHER_CA_CERT_DB=${TEST_CERT_DIR}/x_ca_cert_db OTHER_CA_PEM_FILE=${TEST_CERT_DIR}/other_ca_cert.pem PY_PING_BROKER=$top_srcdir/src/tests/ping_broker COUNT=10 
@@ -41,53 +40,49 @@ trap cleanup EXIT error() { echo $*; exit 1; } -create_ca_certs() { - - # Set Up the CA DB and self-signed Certificate - # - mkdir -p ${CA_CERT_DIR} - certutil -N -d ${CA_CERT_DIR} -f ${CERT_PW_FILE} - certutil -S -d ${CA_CERT_DIR} -n "Test-CA" -s "CN=Test-CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1 - certutil -L -d ${CA_CERT_DIR} -n "Test-CA" -a -o ${CA_CERT_DIR}/rootca.crt -f ${CERT_PW_FILE} - #certutil -L -d ${CA_CERT_DIR} -f ${CERT_PW_FILE} - - # Set Up another CA DB for testing failure to validate scenario - # - mkdir -p ${OTHER_CA_CERT_DIR} - certutil -N -d ${OTHER_CA_CERT_DIR} -f ${CERT_PW_FILE} - certutil -S -d ${OTHER_CA_CERT_DIR} -n "Other-Test-CA" -s "CN=Another Test CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1 - certutil -L -d ${OTHER_CA_CERT_DIR} -n "Other-Test-CA" -a -o ${OTHER_CA_CERT_DIR}/rootca.crt -f ${CERT_PW_FILE} - #certutil -L -d ${OTHER_CA_CERT_DIR} -f ${CERT_PW_FILE} -} - -# create server certificate signed by Test-CA -# $1 = string used as Subject in certificate -# $2 = string used as SubjectAlternateName (SAN) in certificate -create_server_cert() { - mkdir -p ${SERVER_CERT_DIR} - rm -rf ${SERVER_CERT_DIR}/* +# create the test certificate database +# $1 = string used as Subject in server's certificate +# $2 = string used as SubjectAlternateName (SAN) in server's certificate +create_certs() { local CERT_SUBJECT=${1:-"CN=${TEST_HOSTNAME},O=MyCo,ST=Massachusetts,C=US"} local CERT_SAN=${2:-"*.server.com"} - # create database - certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE} - # create certificate request - certutil -R -d ${SERVER_CERT_DIR} -s "${CERT_SUBJECT}" -8 "${CERT_SAN}" -o server.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1 - # have CA sign it - certutil -C -d ${CA_CERT_DIR} -c "Test-CA" -i server.req -o server.crt -f ${CERT_PW_FILE} -m ${RANDOM} - # add it to the database - certutil -A -d ${SERVER_CERT_DIR} -n 
${TEST_HOSTNAME} -i server.crt -t "Pu,," + mkdir -p ${TEST_CERT_DIR} + rm -rf ${TEST_CERT_DIR}/* + + # Set Up a CA with a self-signed Certificate + # + mkdir -p ${CERT_DB} + certutil -N -d ${CERT_DB} -f ${CERT_PW_FILE} + certutil -S -d ${CERT_DB} -n "Test-CA" -s "CN=Test-CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1 + certutil -L -d ${CERT_DB} -n "Test-CA" -a -o ${CERT_DB}/rootca.crt -f ${CERT_PW_FILE} + #certutil -L -d ${CERT_DB} -f ${CERT_PW_FILE} + + # create server certificate signed by Test-CA + # + certutil -R -d ${CERT_DB} -s "${CERT_SUBJECT}" -o server.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1 + certutil -C -d ${CERT_DB} -c "Test-CA" -8 "${CERT_SAN}" -i server.req -o server.crt -f ${CERT_PW_FILE} -m ${RANDOM} + certutil -A -d ${CERT_DB} -n ${TEST_HOSTNAME} -i server.crt -t "Pu,," rm server.req server.crt - # now create a certificate for the client - certutil -R -d ${SERVER_CERT_DIR} -s "CN=${TEST_CLIENT_CERT}" -8 "*.client.com" -o client.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1 - certutil -C -d ${CA_CERT_DIR} -c "Test-CA" -i client.req -o client.crt -f ${CERT_PW_FILE} -m ${RANDOM} - certutil -A -d ${SERVER_CERT_DIR} -n ${TEST_CLIENT_CERT} -i client.crt -t "Pu,," + # create a certificate to identify the client + # + certutil -R -d ${CERT_DB} -s "CN=${TEST_CLIENT_CERT}" -o client.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1 + certutil -C -d ${CERT_DB} -c "Test-CA" -8 "*.client.com" -i client.req -o client.crt -f ${CERT_PW_FILE} -m ${RANDOM} + certutil -A -d ${CERT_DB} -n ${TEST_CLIENT_CERT} -i client.crt -t "Pu,," ### #certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE} #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_CLIENT_CERT} -s "CN=${TEST_CLIENT_CERT}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil + + # Set up a separate DB with its own CA for 
testing failure to validate scenario + # + mkdir -p ${OTHER_CA_CERT_DB} + certutil -N -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE} + certutil -S -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -s "CN=Another Test CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1 + certutil -L -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -a -o ${OTHER_CA_CERT_DB}/rootca.crt -f ${CERT_PW_FILE} + #certutil -L -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE} } delete_certs() { @@ -97,7 +92,7 @@ delete_certs() { } # Don't need --no-module-dir or --no-data-dir as they are set as env vars in test_env.sh -COMMON_OPTS="--daemon --config $CONFIG --load-module $SSL_LIB --ssl-cert-db $SERVER_CERT_DIR --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME" +COMMON_OPTS="--daemon --config $CONFIG --load-module $SSL_LIB --ssl-cert-db $CERT_DB --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME" # Start new brokers: # $1 must be integer @@ -173,15 +168,14 @@ if [[ !(-e ${CERT_PW_FILE}) ]] ; then echo password > ${CERT_PW_FILE} fi delete_certs -create_ca_certs || error "Could not create test certificate" -create_server_cert || error "Could not create server test certificate" +create_certs || error "Could not create test certificate database" start_ssl_broker PORT=${PORTS[0]} echo "Running SSL test on port $PORT" export QPID_NO_MODULE_DIR=1 export QPID_LOAD_MODULE=$SSLCONNECTOR_LIB -export QPID_SSL_CERT_DB=${SERVER_CERT_DIR} +export QPID_SSL_CERT_DB=${CERT_DB} export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE} ## Test connection via connection settings 
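Review bot: None of the certutil calls inside create_certs is checked individually, so the `create_certs || error ...` at the call sites only reflects the status of the final `certutil -L` on the Other-Test-CA database; a failed server- or client-certificate step (whose diagnostics the `-S`/`-R` lines also send to /dev/null) presumably lets the test carry on with an incomplete DB and fail later with a less useful message. I would append `|| return 1` to every certutil line, e.g. `certutil -A -d ${CERT_DB} -n ${TEST_HOSTNAME} -i server.crt -t "Pu,," || return 1`. The `rm -rf ${TEST_CERT_DIR}/*` at the top of the function is unquoted; `rm -rf -- "${TEST_CERT_DIR:?}"/*` refuses to run on an empty variable and survives a working directory containing spaces. With the new single-DB layout the database handed to the broker via `--ssl-cert-db` also holds the Test-CA signing key, which is acceptable for a test fixture but deserves a one-line comment (`# test fixture only: the broker DB deliberately contains the CA signing key`) so the layout is not copied into a deployment.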
@@ -260,9 +254,8 @@ if [[ !(-x $OPENSSL) ]] ; then fi ## verify python version > 2.5 (only 2.6+ does certificate checking) -py_major=$(python -c "import sys; print sys.version_info[0]") -py_minor=$(python -c "import sys; print sys.version_info[1]") -if (( py_major < 2 || ( py_major == 2 && py_minor < 6 ) )); then +PY_VERSION=$(python -c "import sys; print hex(sys.hexversion)") +if (( PY_VERSION < 0x02060000 )); then echo >&2 "Detected python version < 2.6 - skipping certificate verification tests" exit 0 fi @@ -270,12 +263,14 @@ fi echo "Testing Certificate validation and Authentication with the Python Client..." # extract the CA's certificate as a PEM file +get_ca_certs() { + $PK12UTIL -o ${TEST_CERT_DIR}/CA_pk12.out -d ${CERT_DB} -n "Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null + $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/CA_pk12.out -out ${CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null + $PK12UTIL -o ${TEST_CERT_DIR}/other_CA_pk12.out -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null + $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null +} -$PK12UTIL -o ${TEST_CERT_DIR}/CA_pk12.out -d ${CA_CERT_DIR} -n "Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null -$OPENSSL pkcs12 -in ${TEST_CERT_DIR}/CA_pk12.out -out ${CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null -$PK12UTIL -o ${TEST_CERT_DIR}/other_CA_pk12.out -d ${OTHER_CA_CERT_DIR} -n "Other-Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null -$OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null - +get_ca_certs || error "Could not extract CA certificates as PEM files" start_ssl_broker PORT=${PORTS[0]} URL=amqps://$TEST_HOSTNAME:$PORT 
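Review bot: If the `python -c "import sys; print hex(sys.hexversion)"` probe fails — no `python` on PATH, or a Python 3 interpreter where the `print` statement is a SyntaxError — PY_VERSION is empty, `(( PY_VERSION < 0x02060000 ))` evaluates the empty value as 0, and the script prints the "< 2.6" message and exits 0, so the certificate-verification tests are silently skipped instead of being reported as broken. I would make the probe fail loudly: `PY_VERSION=$(python -c "import sys; print hex(sys.hexversion)") || error "Could not determine python version"` followed by `[[ -n "$PY_VERSION" ]] || error "Could not determine python version"`. Writing the probe as `sys.stdout.write(hex(sys.hexversion))` would keep it valid on both Python 2 and 3, which also makes the later `>= 0x02070300` SAN gate meaningful on whichever interpreter is actually found.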
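Review bot: get_ca_certs exports the whole Test-CA entry with pk12util, which writes the CA's private key — protected only by the contents of CERT_PW_FILE, which this script seeds with the literal `password` — into `${TEST_CERT_DIR}/CA_pk12.out` and leaves it on disk, although only the certificate is needed for `--ssl-trustfile`. create_certs already emits the CA certificate in ASCII form with `certutil -L -d ${CERT_DB} -n "Test-CA" -a -o ${CERT_DB}/rootca.crt`; if that output is PEM, as `-a` should produce (confirm against the nss version in use), `cp ${CERT_DB}/rootca.crt ${CA_PEM_FILE}` and the matching copy for Other-Test-CA would drop the pk12util/openssl round trip, the key export, and the dependency on both tools for this part of the test. If the round trip is kept, the `-w`/`-k` password file plus the `.out` files should at least be removed after the PEM is written.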
@@ -285,25 +280,10 @@ if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Pa if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${OTHER_CA_PEM_FILE} > /dev/null 2>&1`; then { echo " Failed"; exit 1; }; else echo " Passed"; fi stop_brokers -# create a certificate with TEST_HOSTNAME only in SAN, should verify OK - -create_server_cert "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || error "Could not create server test certificate" -start_ssl_broker -PORT=${PORTS[0]} -URL=amqps://$TEST_HOSTNAME:$PORT -if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi -stop_brokers - -create_server_cert "O=MyCo" "*${TEST_HOSTNAME}" || error "Could not create server test certificate" -start_ssl_broker -PORT=${PORTS[0]} -URL=amqps://$TEST_HOSTNAME:$PORT -if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi -stop_brokers - # create a certificate without matching TEST_HOSTNAME, should fail to verify -create_server_cert "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create server test certificate" +create_certs "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create server test certificate" +get_ca_certs || error "Could not extract CA certificates as PEM files" start_ssl_broker PORT=${PORTS[0]} URL=amqps://$TEST_HOSTNAME:$PORT 
@@ -312,4 +292,27 @@ if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} > /dev/null 2>&1`; if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} --ssl-skip-hostname-check`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi stop_brokers +# test SubjectAltName parsing + +if (( PY_VERSION >= 0x02070300 )); then + # python 2.7.3+ supports SubjectAltName extraction + # create a certificate with TEST_HOSTNAME only in SAN, should verify OK + create_certs "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || error "Could not create server test certificate" + get_ca_certs || error "Could not extract CA certificates as PEM files" + start_ssl_broker + PORT=${PORTS[0]} + URL=amqps://$TEST_HOSTNAME:$PORT + if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi + stop_brokers + + create_certs "O=MyCo" "*${TEST_HOSTNAME}" || error "Could not create server test certificate" + get_ca_certs || error "Could not extract CA certificates as PEM files" + start_ssl_broker + PORT=${PORTS[0]} + URL=amqps://$TEST_HOSTNAME:$PORT + if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi + stop_brokers +fi + + -- cgit v1.2.1
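Review bot: The second SAN case asserts that a server certificate whose only SAN is the wildcard `*${TEST_HOSTNAME}` (i.e. `*127.0.0.1`) verifies for a connection to `127.0.0.1`, which pins down a permissive match: RFC 6125 §6.4.3 (and RFC 2818) allow a wildcard only as a complete leftmost DNS label and expect an IP address to be matched against an iPAddress SAN, not a dNSName wildcard. I cannot see the python client's matching code from here, so it may well behave this way today, but the test should record that it is codifying the client's current lax behaviour rather than a property to preserve, e.g. a comment above that block: `# NOTE: a partial-label wildcard matching an IP literal is more permissive than RFC 6125; tighten this expectation if the client's hostname check is made stricter.` The `0x02070300` gate is also only as good as PY_VERSION: if the earlier probe produced an empty value this whole block is skipped without any message, so an `else echo >&2 "skipping SubjectAltName tests (python < 2.7.3)"` branch would make the skip visible in the test log.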