author | Ruslan N. Marchenko <me@ruff.mobi> | 2020-05-11 20:48:46 +0200 |
committer | Ruslan N. Marchenko <me@ruff.mobi> | 2020-05-17 22:39:35 +0200 |
commit | 58fde5ea4b0b9fbeb931a37c501aa06f93e5c0c1 (patch) | |
tree | 00b497802af197935fd0e5521f1e81845b0cabaa | |
parent | 73786b209c3b3e5bde342986a13b5b549eb818ec (diff) |
Add TLS_INSECURE weak hash test
-rw-r--r-- | tests/Makefile.am | 9 | ||||
-rw-r--r-- | tests/certs/ins-cert.cfg | 89 | ||||
-rw-r--r-- | tests/certs/ins-cert.pem | 25 | ||||
-rw-r--r-- | tests/certs/ins-key.pem | 27 | ||||
-rw-r--r-- | tests/wocky-connector-test.c | 12 | ||||
-rw-r--r-- | tests/wocky-test-connector-server.c | 1 | ||||
-rw-r--r-- | tests/wocky-test-connector-server.h | 1 |
7 files changed, 163 insertions, 1 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index b00e77c..85bd866 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -13,6 +13,8 @@ EXP_KEY := $(CERT_DIR)/exp-key.pem
 EXP_CERT := $(CERT_DIR)/exp-cert.pem
 NEW_KEY := $(CERT_DIR)/new-key.pem
 NEW_CERT := $(CERT_DIR)/new-cert.pem
+INS_KEY := $(CERT_DIR)/ins-key.pem
+INS_CERT := $(CERT_DIR)/ins-cert.pem
 TLS_KEY := $(CERT_DIR)/tls-key.pem
 TLS_CERT := $(CERT_DIR)/tls-cert.pem
 WILD_KEY := $(CERT_DIR)/wild-key.pem
@@ -34,6 +36,8 @@ TLSDEFS := -DTLS_CA_KEY_FILE='"$(CA_KEY)"' \
 -DTLS_NEW_CRT_FILE='"$(NEW_CERT)"' \
 -DTLS_REV_KEY_FILE='"$(REV_KEY)"' \
 -DTLS_REV_CRT_FILE='"$(REV_CERT)"' \
+ -DTLS_INS_KEY_FILE='"$(INS_KEY)"' \
+ -DTLS_INS_CRT_FILE='"$(INS_CERT)"' \
 -DTLS_UNKNOWN_KEY_FILE='"$(UNKNOWN_KEY)"' \
 -DTLS_UNKNOWN_CRT_FILE='"$(UNKNOWN_CERT)"' \
 -DTLS_SERVER_KEY_FILE='"$(TLS_KEY)"' \
@@ -45,12 +49,15 @@ TLSDEFS := -DTLS_CA_KEY_FILE='"$(CA_KEY)"' \
 -DTLS_CRL_DIR='"$(CRL_DIR)"' \
 -DTLS_CA_DIR='"$(CA_DIR)"'
-CA0S = $(BADWILD_CERT) $(WILD_CERT) $(TLS_CERT) $(NEW_CERT) $(EXP_CERT) $(REV_CERT) $(SS_CERT)
+CA0S = $(BADWILD_CERT) $(WILD_CERT) $(TLS_CERT) $(NEW_CERT) $(EXP_CERT) $(REV_CERT) $(SS_CERT) $(INS_CERT)
 certs: $(CA0S)
 $(CA0S): $(CERT_DIR)/%-cert.pem: $(CERT_DIR)/%-cert.cfg $(CA_CERT) $(CA_KEY)
 certtool --generate-certificate --template $< --outfile $@ --load-privkey certs/$*-key.pem --load-ca-certificate $(CA_CERT) --load-ca-privkey $(CA_KEY)
+
+$(INS_CERT): $(CERT_DIR)/ins-cert.cfg $(INS_KEY) $(CA_CERT) $(CA_KEY)
+ certtool --generate-certificate --template $< --outfile $@ --load-privkey certs/$*-key.pem --load-ca-certificate $(CA_CERT) --load-ca-privkey $(CA_KEY) --hash SHA1
 ############################################################################
 TEST_PROGS = \
 wocky-bare-contact-test \
diff --git a/tests/certs/ins-cert.cfg b/tests/certs/ins-cert.cfg
new file mode 100644
index 0000000..6c2e1a3
--- /dev/null
+++ b/tests/certs/ins-cert.cfg
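Review bot: The new `$(INS_CERT)` rule is an explicit rule rather than a pattern rule, so as far as I can tell `$*` in `--load-privkey certs/$*-key.pem` will be empty for a `.pem` target (GNU make derives it only from a recognised suffix in explicit rules), which would make certtool look for `certs/-key.pem`; since `$(INS_KEY)` is already a prerequisite, `--load-privkey $(INS_KEY)` is the unambiguous spelling. Because `$(INS_CERT)` is also appended to `CA0S`, the static-pattern rule and the new rule both provide a recipe for the same target, and make will likely warn about the overriding recipe; dropping `$(INS_CERT)` from `CA0S` and listing it on the `certs:` target instead avoids that. A short comment above the rule, `# Deliberately SHA-1 signed: exercises WOCKY_TLS_CERT_INSECURE`, would tell the next reader why this one certificate bypasses the generic rule, and that newer certtool builds may refuse `--hash SHA1` when the fixture is regenerated.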
@@ -0,0 +1,89 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Collabora"
+
+# The organizational unit of the subject.
+unit = "Wocky Test Suite"
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+state = "Dazed"
+
+# The country of the subject. Two letter code.
+country = UK
+
+# The common name of the certificate owner.
+cn = "Wocky XMPP Library"
+
+# A user id of the certificate owner.
+#uid = "clauper"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"
+
+# This is deprecated and should not be used in new
+# certificates.
+# pkcs9_email = "none@none.org"
+
+# The serial number of the certificate
+serial = 004
+
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 10220
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+dns_name = "weasel-juice.org"
+#dns_name = "www.morethanone.org"
+
+# An IP address in case of a server.
+ip_address = "127.0.0.1"
+
+# An email in case of a person
+#email = "postmaster@collabora.co.uk"
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+#crl_dist_points = "file:///tmp/wocky-tests/crl"
+
+# Whether this is a CA certificate or not
+#ca
+
+# Whether this certificate will be used for a TLS client
+tls_www_client
+
+# Whether this certificate will be used for a TLS server
+tls_www_server
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites).
+#signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is prefered to use different
+# keys for encryption and signing.
+encryption_key
+
+# Whether this key will be used to sign other certificates.
+#cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+#crl_signing_key
+
+# Whether this key will be used to sign code.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data.
+#ocsp_signing_key
+
+# Whether this key will be used for time stamping.
+time_stamping_key
diff --git a/tests/certs/ins-cert.pem b/tests/certs/ins-cert.pem
new file mode 100644
index 0000000..b3413a1
--- /dev/null
+++ b/tests/certs/ins-cert.pem
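Review bot: Nothing in this template records that it produces the weak-hash fixture; the only thing that makes ins-cert.pem "insecure" is the `--hash SHA1` flag in the Makefile rule, so a reader of this file cannot tell it apart from the sibling templates. I would add a header comment along the lines of `# Weak-hash fixture: signed with SHA-1 by the tests/Makefile.am rule (--hash SHA1) to exercise WOCKY_TLS_CERT_INSECURE`, and a note next to `serial = 004` that the serial must not collide with the other certificates issued by the test CA. The `state = "Dazed"` and `cn` values appear to be copied from the other templates, which is fine as long as `dns_name = "weasel-juice.org"` stays in step with the host the connector test dials.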
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELTCCAxWgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQGEwJVSzES +MBAGA1UEChMJQ29sbGFib3JhMRkwFwYDVQQLExBXb2NreSBUZXN0IFN1aXRlMREw +DwYDVQQIEwhDb25mdXNlZDEbMBkGA1UEAxMSV29ja3kgWE1QUCBMaWJyYXJ5MB4X +DTIwMDUxMTE4MzI0NFoXDTQ4MDUwNDE4MzI0NFowaTEbMBkGA1UEAxMSV29ja3kg +WE1QUCBMaWJyYXJ5MRkwFwYDVQQLExBXb2NreSBUZXN0IFN1aXRlMRIwEAYDVQQK +EwlDb2xsYWJvcmExDjAMBgNVBAgTBURhemVkMQswCQYDVQQGEwJVSzCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKL22MCJWN3b3t+FBpCyECjaZqK3V6eK +hoJKUeif7DIrerm6jLwLmj4wwgrdIMPX1iDw4cGs360Mk7hcMFWQU9DGnRz+MEjI +dov0PV92S/j0v82EXct1ShTnZM4lknz52q1hqEhIekmyW2ZJrn2cdnxlML9CnKOc +380hOhcSz7hXsXr8FhmCvIi63DwopW4/95W0J/uER7Iz/GeJUvGbRDZHVORV3QTb +TGz6iaEQ/TBEkwRB3c8CNN6uiqrlcwwkl+/OXPNlKE4zNZPm4zWD+zeCPRgMdddW +7ATPIyODy5KCs+h2PM/wLLjlNMtke38yT+PBOA2pW1YYZG5IK/unU/0CAwEAAaOB +3DCB2TAMBgNVHRMBAf8EAjAAMCcGA1UdJQQgMB4GCCsGAQUFBwMCBggrBgEFBQcD +AQYIKwYBBQUHAwgwIQYDVR0RBBowGIIQd2Vhc2VsLWp1aWNlLm9yZ4cEfwAAATAP +BgNVHQ8BAf8EBQMDByAAMB0GA1UdDgQWBBQCf5kwZxkTwfvI3Rwlrign1scf+jAf +BgNVHSMEGDAWgBRJMCYIjJrWac2LwMwOXAKOSh+mjDAsBgNVHR8EJTAjMCGgH6Ad +hhtmaWxlOi8vL3RtcC93b2NreS10ZXN0cy9jcmwwDQYJKoZIhvcNAQEFBQADggEB +ALmGhFsGI6qYettdU+gqy8rrm/9X6IIkrAf05nbIksIAmUd4tBGezmlDzNtiEhvX +33ZRN728RL6XPpC7utQkM9hlan7Whkx9Yk6bCdpzvO/nx4eyO5RvwJLxXhFFGKto +DKDgoPUJ3tz/mLTGR/ZGjZi1z5ARj0R4O3+VSF56XrekqUeM6wDNgq3SaOuFfe2z +qdN7GRG+9QZeQY6t3WtAlpVe/T7el3pnyK03HjyM2JXvPxBbVPNvqrQvsZx4fqx8 +XkyT2dsR3NTjxwYRIAg+OELomNskDcc30KkPN43FS04cJ10sWlutvDVq/UDyrn2m +VHPeV22ZWpWn626Z7X+uV/w= +-----END CERTIFICATE----- diff --git a/tests/certs/ins-key.pem b/tests/certs/ins-key.pem new file mode 100644 index 0000000..79971b7 --- /dev/null +++ b/tests/certs/ins-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAovbYwIlY3dve34UGkLIQKNpmordXp4qGgkpR6J/sMit6ubqM +vAuaPjDCCt0gw9fWIPDhwazfrQyTuFwwVZBT0MadHP4wSMh2i/Q9X3ZL+PS/zYRd +y3VKFOdkziWSfPnarWGoSEh6SbJbZkmufZx2fGUwv0Kco5zfzSE6FxLPuFexevwW +GYK8iLrcPCilbj/3lbQn+4RHsjP8Z4lS8ZtENkdU5FXdBNtMbPqJoRD9MESTBEHd +zwI03q6KquVzDCSX785c82UoTjM1k+bjNYP7N4I9GAx111bsBM8jI4PLkoKz6HY8 +z/AsuOU0y2R7fzJP48E4DalbVhhkbkgr+6dT/QIDAQABAoIBAGkn4cuzlN1sUE9p +NkhOLjE+ZLYgmnYo5AzUyi/SagYhmkqYftGkpv30VnHOKKNW9fxBk1t3Iso2cGep +TSMZQ4xXbPBVcXC1shEzJBsiaXmW7OE/xYpQ/+GnQpvnELSGQT5Z4s3pvscpSOMj +Lm4tdSNl5GO2Jv9Ibf2esC5NXC41mCePrKPrgMN/x24qs4vZCVoGIClgmBwBmJEN +v/nLieNEGiEUpIRJjgqBxaeaHejUgRHtiH9vb53yea4ougU72N0NLXwYDvVUYknm +btS0GLe1U2bJmliRVsjPXjLdYCx74RUNS05ZAEQYDB1GjMw3Ca9qM0GWvzHPPv/B +agAZK50CgYEAxDADqJQrLEnjXpxtqW83VYI9HaUYZFXJx94nPOq49ieImN0huM8+ +xksH3icgRD9yBdJ8pvqBSKQ55AIA4mOx8GdSgUDzN+M8+t+7RBfR6E8EOFYDpm8g +MqEUzBA/tPos+VNjnWVo5H5MEyQSJFGAVdlMhT9JcOGgfRI0qlWM7LcCgYEA1KXU +ZtcVLPwfNskFZx37b2IJogHP3b1YvLbRxkSDLkohemf708/sQoBowAONQL23Mi0Z +cn0EglramHp4s4PIOKNeFufPZ/lHjjL7iJPi3ocW/38nhndndBGuyKa0HZsgEQJ+ +u0PInWDGtrP2q7GqEkO5M+sTHxNMtN9uLz6OOOsCgYEAreyzEZxpudW3UIT1YyRJ +tfDEJafbO/gh7qKvvn2IhBEANCS2ZJS2XizeSL//BwIIH8k+4Plr6+5LtCtihVFE +yo+OwS/Hb2BxCyeVaQSE/qIuZ5M5oS8bKEdNnKs7D0JK5K5cvYjNuOOOpdlwi+oF +EBaYk/hLL1uXX8noDqnRSXkCgYB28AnNO5/seVg8HFOZSXvI4NzicIEDVVS8uMS8 +ULXOvkfbXy3LWxCaYZg1TcdD3tkIh5EkKCjNgGOjxVydi6gBhd6qkR3A2fzb3Eg0 +LANI0+ZZIZXJ8B89HGbWc+dqZ8mXuf2IYHFlFSwQJLhjcAvgC2EbWPBpATJ2OEI4 +ypRh4QKBgQCvdZTYwll0YwnGjiJJMkFXaPHmlyRtNbrP9ds7W93YHw6sbJ99hLD2 +mJSnmG5UofbQmss5x7pzTtXo9p8sGEdRWY/6eiFvZDXDlWry+NdG2OLoQn5P4+k8 +ZGxOOyty1Iy6+JCKYOMjJuCjf9L/Xr3eMIi56cU/on48adRIs3wfNA== +-----END RSA PRIVATE KEY----- diff --git a/tests/wocky-connector-test.c b/tests/wocky-connector-test.c index f985406..b451fbe 100644 --- a/tests/wocky-connector-test.c +++ b/tests/wocky-connector-test.c 
@@ -2909,6 +2909,18 @@ test_t tests[] =
 { "moose@weasel-juice.org", "something", PLAIN, TLS },
 { NULL, 0, XMPP_V1, OLD_SSL } } },
+ { "/connector/cert-verification/ssl/insecure/fail",
+ QUIET,
+ { S_WOCKY_TLS_CERT_ERROR, WOCKY_TLS_CERT_INSECURE, -1 },
+ { { TLS, NULL },
+ { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } },
+ { "moose", "something" },
+ PORT_XMPP, CERT_INSECURE },
+ { "weasel-juice.org", PORT_XMPP, "thud.org", REACHABLE, UNREACHABLE },
+ { PLAINTEXT_OK,
+ { "moose@weasel-juice.org", "something", PLAIN, TLS },
+ { NULL, 0, XMPP_V1, OLD_SSL } } },
+
 { "/connector/cert-verification/ssl/inactive/fail",
 QUIET,
 { S_WOCKY_TLS_CERT_ERROR, WOCKY_TLS_CERT_NOT_ACTIVE, -1 },
diff --git a/tests/wocky-test-connector-server.c b/tests/wocky-test-connector-server.c
index 1d512bc..4f663d5 100644
--- a/tests/wocky-test-connector-server.c
+++ b/tests/wocky-test-connector-server.c
@@ -84,6 +84,7 @@ static struct { CertSet set; const gchar *key; const gchar *crt; } certs[] =
 { CERT_REVOKED, TLS_REV_KEY_FILE, TLS_REV_CRT_FILE },
 { CERT_WILDCARD, TLS_WILD_KEY_FILE, TLS_WILD_CRT_FILE },
 { CERT_BADWILD, TLS_BADWILD_KEY_FILE, TLS_BADWILD_CRT_FILE },
+ { CERT_INSECURE, TLS_INS_KEY_FILE, TLS_INS_CRT_FILE },
 { CERT_NONE, NULL, NULL } };
 struct _TestConnectorServerPrivate
diff --git a/tests/wocky-test-connector-server.h b/tests/wocky-test-connector-server.h
index 15169d4..20c2993 100644
--- a/tests/wocky-test-connector-server.h
+++ b/tests/wocky-test-connector-server.h
@@ -122,6 +122,7 @@ typedef enum
 CERT_REVOKED,
 CERT_WILDCARD,
 CERT_BADWILD,
+ CERT_INSECURE,
 CERT_NONE,
 } CertSet;
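Review bot: The expected `WOCKY_TLS_CERT_INSECURE` outcome in the new `tests[]` entry relies on the TLS backend's signature-algorithm policy treating a SHA-1-signed leaf certificate as insecure, which is a property of the library version on the build host rather than of this code, so the case may pass or fail depending on the environment; a comment above the entry, e.g. `/* ins-cert.pem is SHA-1 signed: expects the backend to reject weak signature hashes */`, would make that dependency explicit. The entry only exercises the old-SSL path (`XMPP_PROBLEM_OLD_SSL`, `OLD_SSL`); if the STARTTLS verification path has its own cases for the other certificate sets, a matching `/connector/cert-verification/tls/insecure/fail` entry seems worth adding so both paths flag the weak hash. The `tests[]` array begins and ends outside the hunk.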