#!/bin/bash

# simple set of tests to exercise the msva.

# these tests currently depend on the user having the following tools
# installed locally:

# monkeysphere (for pem2openpgp)
# openssl (for openssl req)
# openssh-client (for ssh-keygen)
# gpg (for obvious reasons)
# bash (yes, this test script isn't posix-compliant)

# note that this test requires the ability to bind on the loopback
# interface, which might not be possible in some build environments.

# Author: Daniel Kahn Gillmor
# Copyright: 2010
# License: This is licensed under the GPL v3 or later
#          (see the top-level COPYING file in this distribution)

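# -e: stop at the first failing command.  pipefail: a failing left-hand side
# of a pipeline (pem2openpgp below) must not be masked by a succeeding gpg.
set -eo pipefail

srcdir=$(dirname "$0")/..

REPS=5

# certificate encodings the agent is queried with; kept as a plain word list
# because runtests() iterates it with unquoted word-splitting
CERTTYPES="x509pem x509der opensshpubkey rfc4716"

printf "testing %d reps of simple/quick true/false:\n" "$REPS"
for ((n = 1; n <= REPS; n++)); do
    "${srcdir}"/test-msva msva-perl true
    printf "+"
    # A bare '! cmd' is exempt from set -e, so an unexpected success would
    # be ignored; test the exit status explicitly so it is fatal.
    if "${srcdir}"/test-msva msva-perl false; then
        printf '\nFAIL: "msva-perl false" unexpectedly succeeded\n' >&2
        exit 1
    fi
    printf "-"
done
printf "\ndone\n"

# All key material for this run (private keys, GNUPGHOME) lives under
# WORKDIR; remove it on every exit path, including a failed assertion.
WORKDIR=$(mktemp -d)
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT
mkdir -m 0700 "${WORKDIR}/"{pkc,sec,gnupg}
export GNUPGHOME="${WORKDIR}/gnupg"

# Pick whichever quick-random flag this gpg accepts; an array so that the
# "no flag" case expands to nothing instead of an empty word.
GPGQR=()
if gpg --quick-random --version ; then
    GPGQR=(--quick-random)
elif gpg --debug-quick-random --version ; then
    GPGQR=(--debug-quick-random)
fi

# make a CA (small key: this is throwaway test material, see the name)
printf "Key-Type: RSA\nKey-Length: 1024\nKey-Usage: sign\nName-Real: MSVA Test Certificate Authority (DO NOT USE!)\n" | gpg --batch --no-tty "${GPGQR[@]}" --gen-key

#######################################
# Generate a self-signed test identity and export its public half in every
# encoding listed in CERTTYPES.
# Globals:   WORKDIR (read)
# Arguments: $1 - short name, used for file names
#            $2 - X.509 subject string
# Outputs:   ${WORKDIR}/sec/$1.key (mode 0400) and
#            ${WORKDIR}/pkc/$1.{x509der,x509pem,opensshpubkey,rfc4716}
# Returns:   non-zero (and aborts under set -e) if any tool fails
#######################################
make_identity() {
    local name=$1 subject=$2
    local key="${WORKDIR}/sec/${name}.key"
    local pkc="${WORKDIR}/pkc/${name}"
    openssl req -x509 -subj "$subject" -nodes -sha256 -newkey rsa:1024 \
        -keyout "$key" -outform DER -out "${pkc}.x509der"
    chmod 0400 "$key"
    openssl x509 -inform DER -outform PEM < "${pkc}.x509der" > "${pkc}.x509pem"
    ssh-keygen -y -P '' -f "$key" > "${pkc}.opensshpubkey"
    ssh-keygen -e -P '' -f "$key" > "${pkc}.rfc4716"
}

# make 3 websites (X, Y, and Z) with self-signed certs:
for name in x y z; do
    make_identity "$name" "/CN=${name}.example.net/"
done

# make 2 client certs (A and B) with self-signed certs
for name in a b; do
    make_identity "$name" "/eMail=${name}@example.net/CN=${name}/"
done

# translate X and Y's keys into OpenPGP certs and import them
# (Z is deliberately not imported)
for name in x y; do
    PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "https://${name}.example.net" < "${WORKDIR}/sec/${name}.key" | gpg --import
done
# and the same for the clients A and B
for name in a b; do
    PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "${name} <${name}@example.net>" < "${WORKDIR}/sec/${name}.key" | gpg --import
done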

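#######################################
# Ask the agent whether the certificate on stdin belongs to the given peer.
# Globals:   srcdir (read)
# Arguments: $1 - peer name (hostname or "name <email>")
#            $2 - certificate type (one of CERTTYPES)
#            $3 - optional literal "client" for client certificates
# Returns:   the agent's verdict: 0 when it validates, non-zero otherwise
#######################################
msva_query() {
    "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "$@"
}

#######################################
# Assert that the agent rejects the certificate on stdin.  Written as an
# explicit 'if' rather than '! msva_query': a negated command is exempt from
# set -e, so with the bare form an unexpected validation would be silently
# ignored and the run would still report success.
# Arguments: passed through to msva_query
# Returns:   0 when the query is rejected, 1 (fatal under set -e) otherwise
#######################################
must_reject() {
    if msva_query "$@"; then
        printf 'FAIL: unexpectedly validated: %s\n' "$*" >&2
        return 1
    fi
}

#######################################
# Exercise the agent against the identities prepared above, before and
# after the test CA certifies X and A.
# Globals:   srcdir, WORKDIR, CERTTYPES (read); the GNUPGHOME keyring (written)
# Returns:   0 when every expectation holds; aborts on the first violation
#######################################
runtests() {
    local name ctype src targ
    # X should not validate as X or Y or Z:
    for name in x y z; do
        # word-splitting of CERTTYPES is intentional
        for ctype in $CERTTYPES; do
            must_reject "${name}.example.net" "${ctype}" < "${WORKDIR}/pkc/x.${ctype}"
        done
    done
    # A shouldn't validate as A or B:
    for name in a b; do
        for ctype in $CERTTYPES; do
            must_reject "${name} <${name}@example.net>" "${ctype}" client < "${WORKDIR}/pkc/a.${ctype}"
        done
    done

    # certify X and A's OpenPGP cert with CA
    gpg --batch --yes --sign-key https://x.example.net
    gpg --batch --yes --sign-key a@example.net

    echo "Testing bad data:"
    # it should fail if we pass it the wrong kind of data:
    must_reject x.example.net "x509der" < "${WORKDIR}/pkc/x.x509pem"
    must_reject x.example.net "x509pem" < "${WORKDIR}/pkc/x.x509der"
    echo "Done testing bad data."

    for ctype in $CERTTYPES; do
        # X should now validate as X, and A as A
        msva_query x.example.net "${ctype}" < "${WORKDIR}/pkc/x.${ctype}"
        msva_query 'a <a@example.net>' "${ctype}" client < "${WORKDIR}/pkc/a.${ctype}"

        # but X should not validate as Y or Z.  (X itself is excluded here:
        # it was just asserted to validate, and the old loop over "x y z"
        # only went unnoticed because '! cmd' never tripped set -e.)
        for name in y z; do
            must_reject "${name}.example.net" "${ctype}" < "${WORKDIR}/pkc/x.${ctype}"
        done
        # and A shouldn't validate as B:
        must_reject "b <b@example.net>" "${ctype}" client < "${WORKDIR}/pkc/a.${ctype}"

        # neither Y nor Z should validate as any of them:
        for src in y z; do
            for targ in x y z; do
                must_reject "${targ}.example.net" "${ctype}" < "${WORKDIR}/pkc/${src}.${ctype}"
            done
        done
        # B should also still not validate as itself:
        must_reject "b <b@example.net>" "${ctype}" client < "${WORKDIR}/pkc/b.${ctype}"
    done
}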

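# Trace the real test run so a failing assertion shows the exact command.
set -x
MSVA_KEYSERVER_POLICY=never runtests
set +x
printf '%s\n' "Completed all tests as expected!"

# The ':?' guard refuses to run 'rm -rf' on an empty path.
rm -rf -- "${WORKDIR:?}"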