authorOmar Polo <op@omarpolo.com>2021-02-09 22:30:04 +0000
committerOmar Polo <op@omarpolo.com>2021-02-09 22:30:04 +0000
commit02be96c6ddfc34e448cccd095b4f3d0efe4de8a3 (patch)
treebce70baf27334eaf46abfbb1101979db6fa9ba66 /regress
parent2ff026b09b810efd8c52e13f0a4988c588c8ee09 (diff)
add `require client ca' rule to require certs signed by a CA
Diffstat (limited to 'regress')
-rw-r--r--regress/Makefile33
-rwxr-xr-xregress/runtime27
2 files changed, 55 insertions, 5 deletions
diff --git a/regress/Makefile b/regress/Makefile
index 56f3d55..e29e94c 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -2,7 +2,7 @@ include ../Makefile.local
.PHONY: all clean runtime
-all: puny-test testdata iri_test cert.pem
+all: puny-test testdata iri_test cert.pem testca.pem valid.crt invalid.cert.pem
./puny-test
./runtime
./iri_test
@@ -28,9 +28,38 @@ cert.pem:
-days 365 -nodes
@echo
+testca.pem:
+ openssl genrsa -out testca.key 2048
+ printf ".\n.\n.\n.\n.\ntestca\n.\n" | \
+ openssl req -x509 -new -sha256 \
+ -key testca.key \
+ -out cert.pem \
+ -days 365 -nodes \
+ -out testca.pem
+ @echo
+
+valid.crt: testca.pem
+ openssl genrsa -out valid.key 2048
+ printf ".\n.\n.\n.\n.\nvalid\n.\n\n" | \
+ openssl req -new -key valid.key \
+ -out valid.csr
+ @echo
+ openssl x509 -req -in valid.csr \
+ -CA testca.pem \
+ -CAkey testca.key \
+ -CAcreateserial \
+ -out valid.crt \
+ -days 365 \
+ -sha256 -extfile valid.ext
+
+invalid.cert.pem: cert.pem
+ cp cert.pem invalid.cert.pem
+ cp key.pem invalid.key.pem
+
clean:
rm -f *.o iri_test cert.pem key.pem
- rm -rf testdata
+ rm -f testca.* valid.* invalid.*pem
+ rm -rf testdata fill-file puny-test
testdata: fill-file
mkdir testdata
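Review bot: The `testca.pem` recipe passes `-out` twice — `-out cert.pem` and, four lines later, `-out testca.pem`; openssl takes the last occurrence, so the CA does land in testca.pem, but the first line is a copy-paste leftover that reads as if the server certificate were being overwritten, and it should simply be deleted. In the `valid.crt` rule, `-sha256 -extfile valid.ext` reads a file that is neither a prerequisite nor produced by any rule in this hunk, and the new `rm -f testca.* valid.* invalid.*pem` line in `clean` would delete it if it is a checked-in file; declaring it (`valid.crt: testca.pem valid.ext`) and naming the generated files instead of globbing (`rm -f testca.key testca.pem testca.srl valid.key valid.csr valid.crt invalid.cert.pem invalid.key.pem`) makes both problems go away. The `testca.pem` recipe also produces testca.key as a side effect, which `valid.crt` consumes through `-CAkey` without declaring it, so a missing testca.key with a surviving testca.pem is not rebuilt.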
diff --git a/regress/runtime b/regress/runtime
index 1c991b3..a05184a 100755
--- a/regress/runtime
+++ b/regress/runtime
@@ -2,6 +2,8 @@
set -e
+ggflags=
+
# usage: config <global config> <stuff for localhost>
# generates a configuration file reg.conf
config() {
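Review bot: `ggflags=` is introduced without a comment, and its contract is non-obvious: the three gg wrappers in the next hunk (`get`, `head`, `raw`) expand it unquoted on purpose so that a value such as `-C valid.crt -K valid.key` splits into separate arguments. That should be stated at the declaration, e.g. `# extra options passed to gg (client certificate for the require-ca tests); expanded unquoted, so values must not contain whitespace`. config() begins on the last line of this hunk and its body lies outside it.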
@@ -25,19 +27,19 @@ checkconf() {
# usage: get <path>
# return the body of the request on stdout
get() {
- ./../gg -b "gemini://localhost:10965/$1"
+ ./../gg -b $ggflags "gemini://localhost:10965/$1"
}
# usage: head <path>
# return the meta response line on stdout
head() {
- ./../gg -h "gemini://localhost:10965/$1"
+ ./../gg -h $ggflags "gemini://localhost:10965/$1"
}
# usage: raw <path>
# return both header and body
raw() {
- ./../gg "gemini://localhost:10965/$1"
+ ./../gg $ggflags "gemini://localhost:10965/$1"
}
run() {
@@ -276,4 +278,23 @@ eq "$(head /foo/bar)" "20 text/plain; lang=en" "Unknown head for /foo/bar"
eq "$(get /foo/bar|grep PATH_INFO)" "PATH_INFO=/foo/bar" "Unexpected PATH_INFO"
echo OK GET /foo/bar with entrypoint
+# test with require ca
+
+config '' 'require client ca "'$PWD'/testca.pem"'
+checkconf
+restart
+
+eq "$(head /)" "60 client certificate required" "Unexpected head for /"
+echo OK GET / without client certificate
+
+ggflags="-C valid.crt -K valid.key"
+eq "$(head /)" "20 text/gemini" "Unexpected head for /"
+echo OK GET / with valid client certificate
+
+ggflags="-C invalid.cert.pem -K invalid.key.pem"
+eq "$(head /)" "61 certificate not authorised" "Unexpected head for /"
+echo OK GET / with invalid client certificate
+
+ggflags=''
+
quit
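Review bot: `config '' 'require client ca "'$PWD'/testca.pem"'` splices `$PWD` outside any quotes, so a checkout path containing whitespace splits the argument and the generated config names the wrong file; `config '' "require client ca \"$PWD/testca.pem\""` keeps it a single word. The negative case uses invalid.cert.pem, which the Makefile in this commit creates as a plain copy of the server's own self-signed cert.pem, so the `61 certificate not authorised` assertion only shows that a self-signed certificate is rejected, not one issued by an unrelated CA; a comment on the `# test with require ca` line saying what the invalid certificate represents would keep that scope clear to whoever extends the test.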