3 # simple set of tests to exercise the msva.
5 # these tests currently depend on the user having the following tools
8 # monkeysphere (for pem2openpgp)
9 # openssl (for openssl req)
10 # openssh-client (for ssh-keygen)
11 # gpg (for obvious reasons)
12 # bash (yes, this test script isn't posix-compliant)
14 # note that this test requires the ability to bind on the loopback
15 # interface, which might not be possible in some build environments.
17 # Author: Daniel Kahn Gillmor
19 # License: This is licensed under the GPL v3 or later
20 # (see the top-level COPYING file in this distribution)
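# Locate the source tree relative to this script.  "$0" is quoted (and
# protected with --) so a script path containing whitespace or glob
# characters is not word-split before dirname sees it.
srcdir=$(dirname -- "$0")/..

# REPS is expected to be assigned earlier in the script (not visible in
# this excerpt); it is only used as a %d here.
printf "testing %d reps of simple/quick true/false:\n" "$REPS"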
29 for n in $(seq 1 "$REPS") ; do
30 "${srcdir}"/test-msva msva-perl true
32 ! "${srcdir}"/test-msva msva-perl false
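# Per-run scratch layout under the temporary WORKDIR (created earlier in
# the script, not visible in this excerpt): pkc/ receives the public
# certificate/key forms, sec/ the private keys, gnupg/ an isolated
# keyring.  ${WORKDIR:?} aborts the script instead of silently creating
# these directories under "/" if WORKDIR is unset or empty; mode 0700
# keeps the private-key material and keyring readable by this user only.
mkdir -m 0700 -- "${WORKDIR:?}/"{pkc,sec,gnupg}
# Point gpg at the private keyring so the test never touches the user's
# real ~/.gnupg.
export GNUPGHOME="${WORKDIR}/gnupg"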
41 if gpg --quick-random --version ; then
43 elif gpg --debug-quick-random --version ; then
44 GPGQR=--debug-quick-random
50 printf "Key-Type: RSA\nKey-Length: 1024\nKey-Usage: sign\nName-Real: MSVA Test Certificate Authority (DO NOT USE!)\n" | gpg --batch --no-tty $GPGQR --gen-key
52 # make 3 websites (X, Y, and Z) with self-signed certs:
53 for name in x y z ; do
54 openssl req -x509 -subj "/CN=${name}.example.net/" -nodes -sha256 -newkey rsa:1024 -keyout "${WORKDIR}/sec/${name}.key" -outform DER -out "${WORKDIR}/pkc/${name}.x509der"
55 chmod 0400 "${WORKDIR}/sec/${name}.key"
56 openssl x509 -inform DER -outform PEM < "${WORKDIR}/pkc/${name}.x509der" > "${WORKDIR}/pkc/${name}.x509pem"
57 ssh-keygen -y -P '' -f "${WORKDIR}/sec/${name}.key" > "${WORKDIR}/pkc/${name}.opensshpubkey"
60 # translate X's and Y's keys into OpenPGP certs
62 PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "https://${name}.example.net" < "${WORKDIR}/sec/${name}.key" | gpg --import
66 # X should not validate as X or Y or Z:
68 for ctype in x509pem x509der opensshpubkey; do
69 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${name}.example.net" "${ctype}" < "${WORKDIR}/pkc/x.${ctype}"
73 # certify X's OpenPGP cert with CA
74 gpg --batch --yes --sign-key https://x.example.net
76 # it should fail if we pass it the wrong kind of data:
77 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https x.example.net "x509der" < "${WORKDIR}/pkc/x.x509pem"
78 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https x.example.net "x509pem" < "${WORKDIR}/pkc/x.x509der"
80 for ctype in x509pem x509der opensshpubkey; do
81 # X should now validate as X
82 "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https x.example.net "${ctype}" < "${WORKDIR}/pkc/x.${ctype}"
84 # but X should not validate as Y or Z:
86 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${name}.example.net" "${ctype}" < "${WORKDIR}/pkc/x.${ctype}"
89 # neither Y nor Z should validate as any of them:
92 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${targ}.example.net" "${ctype}" < "${WORKDIR}/pkc/${src}.${ctype}"
# Run the whole validation matrix defined in runtests (defined earlier in
# the script, not visible in this excerpt).  MSVA_KEYSERVER_POLICY=never
# is presumably what keeps the agent from consulting a keyserver, so the
# outcome depends only on the local keyring built above -- confirm against
# the agent's documentation.
MSVA_KEYSERVER_POLICY=never runtests

printf '%s\n' "Completed all tests as expected!"