authorRuslan N. Marchenko <me@ruff.mobi>2020-05-11 20:48:46 +0200
committerRuslan N. Marchenko <me@ruff.mobi>2020-05-17 22:39:35 +0200
commit58fde5ea4b0b9fbeb931a37c501aa06f93e5c0c1 (patch)
tree00b497802af197935fd0e5521f1e81845b0cabaa
parent73786b209c3b3e5bde342986a13b5b549eb818ec (diff)
Add TLS_INSECURE weak hash test
-rw-r--r--tests/Makefile.am9
-rw-r--r--tests/certs/ins-cert.cfg89
-rw-r--r--tests/certs/ins-cert.pem25
-rw-r--r--tests/certs/ins-key.pem27
-rw-r--r--tests/wocky-connector-test.c12
-rw-r--r--tests/wocky-test-connector-server.c1
-rw-r--r--tests/wocky-test-connector-server.h1
7 files changed, 163 insertions, 1 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index b00e77c..85bd866 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -13,6 +13,8 @@ EXP_KEY := $(CERT_DIR)/exp-key.pem
EXP_CERT := $(CERT_DIR)/exp-cert.pem
NEW_KEY := $(CERT_DIR)/new-key.pem
NEW_CERT := $(CERT_DIR)/new-cert.pem
+INS_KEY := $(CERT_DIR)/ins-key.pem
+INS_CERT := $(CERT_DIR)/ins-cert.pem
TLS_KEY := $(CERT_DIR)/tls-key.pem
TLS_CERT := $(CERT_DIR)/tls-cert.pem
WILD_KEY := $(CERT_DIR)/wild-key.pem
@@ -34,6 +36,8 @@ TLSDEFS := -DTLS_CA_KEY_FILE='"$(CA_KEY)"' \
-DTLS_NEW_CRT_FILE='"$(NEW_CERT)"' \
-DTLS_REV_KEY_FILE='"$(REV_KEY)"' \
-DTLS_REV_CRT_FILE='"$(REV_CERT)"' \
+ -DTLS_INS_KEY_FILE='"$(INS_KEY)"' \
+ -DTLS_INS_CRT_FILE='"$(INS_CERT)"' \
-DTLS_UNKNOWN_KEY_FILE='"$(UNKNOWN_KEY)"' \
-DTLS_UNKNOWN_CRT_FILE='"$(UNKNOWN_CERT)"' \
-DTLS_SERVER_KEY_FILE='"$(TLS_KEY)"' \
@@ -45,12 +49,15 @@ TLSDEFS := -DTLS_CA_KEY_FILE='"$(CA_KEY)"' \
-DTLS_CRL_DIR='"$(CRL_DIR)"' \
-DTLS_CA_DIR='"$(CA_DIR)"'
-CA0S = $(BADWILD_CERT) $(WILD_CERT) $(TLS_CERT) $(NEW_CERT) $(EXP_CERT) $(REV_CERT) $(SS_CERT)
+CA0S = $(BADWILD_CERT) $(WILD_CERT) $(TLS_CERT) $(NEW_CERT) $(EXP_CERT) $(REV_CERT) $(SS_CERT) $(INS_CERT)
certs: $(CA0S)
$(CA0S): $(CERT_DIR)/%-cert.pem: $(CERT_DIR)/%-cert.cfg $(CA_CERT) $(CA_KEY)
certtool --generate-certificate --template $< --outfile $@ --load-privkey certs/$*-key.pem --load-ca-certificate $(CA_CERT) --load-ca-privkey $(CA_KEY)
+
+$(INS_CERT): $(CERT_DIR)/ins-cert.cfg $(INS_KEY) $(CA_CERT) $(CA_KEY)
+ certtool --generate-certificate --template $< --outfile $@ --load-privkey certs/$*-key.pem --load-ca-certificate $(CA_CERT) --load-ca-privkey $(CA_KEY) --hash SHA1
############################################################################
TEST_PROGS = \
wocky-bare-contact-test \
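Review bot: The new explicit rule for `$(INS_CERT)` (the two lines after the blank `+` line) uses `$*`, but `$*` is a pattern stem only in pattern rules; in an explicit rule GNU make sets it only when the target ends in a suffix listed in `.SUFFIXES`, so with `.pem` it expands to nothing and `--load-privkey certs/$*-key.pem` becomes `certs/-key.pem`. The key is already a prerequisite of the rule, so reference it directly: `--load-privkey $(INS_KEY)`. Separately, `$(INS_CERT)` is also appended to `CA0S`, so it now matches the static pattern rule `$(CA0S): $(CERT_DIR)/%-cert.pem: ...` as well; make will warn that the recipe is overridden and use whichever rule it parsed last, which happens to be the SHA1 one here but is fragile — keep `$(INS_CERT)` out of `CA0S` (e.g. `certs: $(CA0S) $(INS_CERT)`) so the two rules never compete for the same target.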
diff --git a/tests/certs/ins-cert.cfg b/tests/certs/ins-cert.cfg
new file mode 100644
index 0000000..6c2e1a3
--- /dev/null
+++ b/tests/certs/ins-cert.cfg
@@ -0,0 +1,89 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Collabora"
+
+# The organizational unit of the subject.
+unit = "Wocky Test Suite"
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+state = "Dazed"
+
+# The country of the subject. Two letter code.
+country = UK
+
+# The common name of the certificate owner.
+cn = "Wocky XMPP Library"
+
+# A user id of the certificate owner.
+#uid = "clauper"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"
+
+# This is deprecated and should not be used in new
+# certificates.
+# pkcs9_email = "none@none.org"
+
+# The serial number of the certificate
+serial = 004
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 10220
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+dns_name = "weasel-juice.org"
+#dns_name = "www.morethanone.org"
+
+# An IP address in case of a server.
+ip_address = "127.0.0.1"
+
+# An email in case of a person
+#email = "postmaster@collabora.co.uk"
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+#crl_dist_points = "file:///tmp/wocky-tests/crl"
+
+# Whether this is a CA certificate or not
+#ca
+
+# Whether this certificate will be used for a TLS client
+tls_www_client
+
+# Whether this certificate will be used for a TLS server
+tls_www_server
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites).
+#signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is prefered to use different
+# keys for encryption and signing.
+encryption_key
+
+# Whether this key will be used to sign other certificates.
+#cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+#crl_signing_key
+
+# Whether this key will be used to sign code.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data.
+#ocsp_signing_key
+
+# Whether this key will be used for time stamping.
+time_stamping_key
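Review bot: Nothing in this template records that it is the deliberately weak fixture; the property that makes the certificate "insecure" is applied only by the `--hash SHA1` flag on the certtool invocation in tests/Makefile.am, so a reader of this file cannot tell it apart from the other cert templates. A header comment such as `# Deliberately weak test fixture (CERT_INSECURE): signed with SHA1 by the certtool rule in tests/Makefile.am; used only to check that the connector rejects it.` would tie the file to its purpose. It is also worth confirming that `serial = 004` does not collide with the serial used by another template signed by the same test CA, since those certificates share an issuer.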
diff --git a/tests/certs/ins-cert.pem b/tests/certs/ins-cert.pem
new file mode 100644
index 0000000..b3413a1
--- /dev/null
+++ b/tests/certs/ins-cert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/certs/ins-key.pem b/tests/certs/ins-key.pem
new file mode 100644
index 0000000..79971b7
--- /dev/null
+++ b/tests/certs/ins-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/tests/wocky-connector-test.c b/tests/wocky-connector-test.c
index f985406..b451fbe 100644
--- a/tests/wocky-connector-test.c
+++ b/tests/wocky-connector-test.c
@@ -2909,6 +2909,18 @@ test_t tests[] =
{ "moose@weasel-juice.org", "something", PLAIN, TLS },
{ NULL, 0, XMPP_V1, OLD_SSL } } },
+ { "/connector/cert-verification/ssl/insecure/fail",
+ QUIET,
+ { S_WOCKY_TLS_CERT_ERROR, WOCKY_TLS_CERT_INSECURE, -1 },
+ { { TLS, NULL },
+ { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
+ { "moose", "something" },
+ PORT_XMPP, CERT_INSECURE },
+ { "weasel-juice.org", PORT_XMPP, "thud.org", REACHABLE, UNREACHABLE },
+ { PLAINTEXT_OK,
+ { "moose@weasel-juice.org", "something", PLAIN, TLS },
+ { NULL, 0, XMPP_V1, OLD_SSL } } },
+
{ "/connector/cert-verification/ssl/inactive/fail",
QUIET,
{ S_WOCKY_TLS_CERT_ERROR, WOCKY_TLS_CERT_NOT_ACTIVE, -1 },
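Review bot: The new test entry carries no comment saying what `CERT_INSECURE` denotes, and the path name only says "insecure"; the property actually under test (a server certificate signed with SHA1, per the certtool rule in tests/Makefile.am) is not visible from this file. A one-line comment above the entry, `/* server presents ins-cert.pem (SHA1-signed); must fail with WOCKY_TLS_CERT_INSECURE */`, would let a reader connect the expected error to its fixture. The `tests[]` array starts and ends outside the hunk.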
diff --git a/tests/wocky-test-connector-server.c b/tests/wocky-test-connector-server.c
index 1d512bc..4f663d5 100644
--- a/tests/wocky-test-connector-server.c
+++ b/tests/wocky-test-connector-server.c
@@ -84,6 +84,7 @@ static struct { CertSet set; const gchar *key; const gchar *crt; } certs[] =
{ CERT_REVOKED, TLS_REV_KEY_FILE, TLS_REV_CRT_FILE },
{ CERT_WILDCARD, TLS_WILD_KEY_FILE, TLS_WILD_CRT_FILE },
{ CERT_BADWILD, TLS_BADWILD_KEY_FILE, TLS_BADWILD_CRT_FILE },
+ { CERT_INSECURE, TLS_INS_KEY_FILE, TLS_INS_CRT_FILE },
{ CERT_NONE, NULL, NULL } };
struct _TestConnectorServerPrivate
diff --git a/tests/wocky-test-connector-server.h b/tests/wocky-test-connector-server.h
index 15169d4..20c2993 100644
--- a/tests/wocky-test-connector-server.h
+++ b/tests/wocky-test-connector-server.h
@@ -122,6 +122,7 @@ typedef enum
CERT_REVOKED,
CERT_WILDCARD,
CERT_BADWILD,
+ CERT_INSECURE,
CERT_NONE,
} CertSet;