From 02be96c6ddfc34e448cccd095b4f3d0efe4de8a3 Mon Sep 17 00:00:00 2001
From: Omar Polo
Date: Tue, 9 Feb 2021 22:30:04 +0000
Subject: add `require client ca' rule to require certs signed by a CA
---
 regress/Makefile | 33 +++++++++++++++++++++++++++++++--
 regress/runtime | 27 ++++++++++++++++++++++++---
 2 files changed, 55 insertions(+), 5 deletions(-)
(limited to 'regress')
diff --git a/regress/Makefile b/regress/Makefile
index 56f3d55..e29e94c 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -2,7 +2,7 @@ include ../Makefile.local
 .PHONY: all clean runtime
-all: puny-test testdata iri_test cert.pem
+all: puny-test testdata iri_test cert.pem testca.pem valid.crt invalid.cert.pem
 ./puny-test
 ./runtime
 ./iri_test
@@ -28,9 +28,38 @@ cert.pem:
 -days 365 -nodes
 @echo
+testca.pem:
+ openssl genrsa -out testca.key 2048
+ printf ".\n.\n.\n.\n.\ntestca\n.\n" | \
+ openssl req -x509 -new -sha256 \
+ -key testca.key \
+ -out cert.pem \
+ -days 365 -nodes \
+ -out testca.pem
+ @echo
+
+valid.crt: testca.pem
+ openssl genrsa -out valid.key 2048
+ printf ".\n.\n.\n.\n.\nvalid\n.\n\n" | \
+ openssl req -new -key valid.key \
+ -out valid.csr
+ @echo
+ openssl x509 -req -in valid.csr \
+ -CA testca.pem \
+ -CAkey testca.key \
+ -CAcreateserial \
+ -out valid.crt \
+ -days 365 \
+ -sha256 -extfile valid.ext
+
+invalid.cert.pem: cert.pem
+ cp cert.pem invalid.cert.pem
+ cp key.pem invalid.key.pem
+
 clean:
 rm -f *.o iri_test cert.pem key.pem
- rm -rf testdata
+ rm -f testca.* valid.* invalid.*pem
+ rm -rf testdata fill-file puny-test
 testdata: fill-file
 mkdir testdata
diff --git a/regress/runtime b/regress/runtime
index 1c991b3..a05184a 100755
--- a/regress/runtime
+++ b/regress/runtime
@@ -2,6 +2,8 @@
 set -e
+ggflags=
 # usage: config
 # generates a configuration file reg.conf
 config() {
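Review bot: The `testca.pem` rule passes `-out` twice to `openssl req` — `-out cert.pem \` followed by `-out testca.pem` — so which file receives the CA certificate depends on the last option winning, and a later reordering would silently overwrite the server certificate that the `cert.pem` rule builds; drop the `-out cert.pem \` line. The `valid.crt` rule reads `-extfile valid.ext`, which no rule in this diff creates, so the target fails unless that file is already tracked in regress/ — a prerequisite or a one-line comment naming where it comes from would make that explicit. The recipes also answer the interactive `openssl req` prompts by piping dots from printf; `-subj "/CN=testca"` expresses the same subject without depending on prompt order, which differs between openssl builds.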
@@ -25,19 +27,19 @@ checkconf() {
 # usage: get
 # return the body of the request on stdout
 get() {
- ./../gg -b "gemini://localhost:10965/$1"
+ ./../gg -b $ggflags "gemini://localhost:10965/$1"
 }
 # usage: head
 # return the meta response line on stdout
 head() {
- ./../gg -h "gemini://localhost:10965/$1"
+ ./../gg -h $ggflags "gemini://localhost:10965/$1"
 }
 # usage: raw
 # return both header and body
 raw() {
- ./../gg "gemini://localhost:10965/$1"
+ ./../gg $ggflags "gemini://localhost:10965/$1"
 }
 run() {
@@ -276,4 +278,23 @@ eq "$(head /foo/bar)" "20 text/plain; lang=en" "Unknown head for /foo/bar"
 eq "$(get /foo/bar|grep PATH_INFO)" "PATH_INFO=/foo/bar" "Unexpected PATH_INFO"
 echo OK GET /foo/bar with entrypoint
+# test with require ca
+
+config '' 'require client ca "'$PWD'/testca.pem"'
+checkconf
+restart
+
+eq "$(head /)" "60 client certificate required" "Unexpected head for /"
+echo OK GET / without client certificate
+
+ggflags="-C valid.crt -K valid.key"
+eq "$(head /)" "20 text/gemini" "Unexpected head for /"
+echo OK GET / with valid client certificate
+
+ggflags="-C invalid.cert.pem -K invalid.key.pem"
+eq "$(head /)" "61 certificate not authorised" "Unexpected head for /"
+echo OK GET / with invalid client certificate
+
+ggflags=''
+
 quit
-- cgit v1.2.3
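Review bot: `$PWD` is unquoted inside the new `config` call, `'require client ca "'$PWD'/testca.pem"'`, so a checkout path containing whitespace splits the rule into several arguments before it reaches config(); write it as `'require client ca "'"$PWD"'/testca.pem"'`. The three cases cover the no-certificate, CA-signed and non-CA-signed paths, but each `eq` reuses the same message `"Unexpected head for /"`, so a failure does not say which case broke — naming the case in the message would help. `$ggflags` is deliberately expanded unquoted in `get`/`head`/`raw` (earlier hunk) so that `-C`/`-K` and their values become separate arguments; a one-line comment above the `ggflags=` definition saying so would stop a later cleanup from quoting it.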