3 # simple set of tests to exercise the msva.
5 # these tests currently depend on the user having the following tools
8 # monkeysphere (for pem2openpgp)
9 # openssl (for openssl req)
10 # openssh-client (for ssh-keygen)
11 # gpg (for obvious reasons)
12 # bash (yes, this test script isn't posix-compliant)
14 # note that this test requires the ability to bind on the loopback
15 # interface, which might not be possible in some build environments.
17 # Author: Daniel Kahn Gillmor
19 # License: This is licensed under the GPL v3 or later
20 # (see the top-level COPYING file in this distribution)
# NOTE(review): this listing is gapped — the `done`/`fi` closers, the
# WORKDIR/REPS assignments, the `for name in a b` header and the
# `runtests()` definition are not visible — so the comments below only
# describe what the visible lines establish.
# Locate the source tree relative to this script.  $0 is unquoted here, so
# a script path containing whitespace would be word-split.
13 srcdir=$(dirname $0)/..
# Public-key encodings every positive and negative check below is run
# against; the `for ctype in $CERTTYPES` loops rely on word-splitting it.
28 CERTTYPES="x509pem x509der opensshpubkey rfc4716"
# Smoke test of the harness itself: `true` must be reported as passing and
# `false` as failing, REPS times (REPS is assigned outside the visible lines).
30 printf "testing %d reps of simple/quick true/false:\n" "$REPS"
31 for n in $(seq 1 "$REPS") ; do
32 "${srcdir}"/test-msva msva-perl true
# NOTE(review): bash's `set -e` does not exit when a `!`-inverted command
# returns non-zero, so if this script relies on -e alone, a negative test
# that unexpectedly succeeds (here and in every `!` line below) would not
# fail the run — confirm how the harness surfaces that case.
34 ! "${srcdir}"/test-msva msva-perl false
# Keep private keys, public material and the scratch keyring in owner-only
# directories under WORKDIR (assigned outside the visible lines).
40 mkdir -m 0700 "${WORKDIR}/"{pkc,sec,gnupg}
# Point gpg at the scratch keyring so the run never reads or modifies the
# invoking user's real keyring.
41 export GNUPGHOME="${WORKDIR}/gnupg"
# Accept whichever non-blocking RNG flag this gpg build understands.  Both
# flags trade randomness quality for speed and are only acceptable because
# every key generated here is throwaway test material.
43 if gpg --quick-random --version ; then
45 elif gpg --debug-quick-random --version ; then
46 GPGQR=--debug-quick-random
# Test-only CA: 1024-bit RSA plus quick-random is far too weak for real use,
# which is what the "DO NOT USE!" in the name signals.  $GPGQR is left
# unquoted deliberately so an empty value contributes no argument.
52 printf "Key-Type: RSA\nKey-Length: 1024\nKey-Usage: sign\nName-Real: MSVA Test Certificate Authority (DO NOT USE!)\n" | gpg --batch --no-tty $GPGQR --gen-key
54 # make 3 websites (X, Y, and Z) with self-signed certs:
55 for name in x y z ; do
# -nodes writes the private key unencrypted.  The key briefly carries the
# default umask permissions until the chmod on the next line; the 0700 sec/
# directory created above is what limits exposure in that window.
56 openssl req -x509 -subj "/CN=${name}.example.net/" -nodes -sha256 -newkey rsa:1024 -keyout "${WORKDIR}/sec/${name}.key" -outform DER -out "${WORKDIR}/pkc/${name}.x509der"
57 chmod 0400 "${WORKDIR}/sec/${name}.key"
# Derive the remaining CERTTYPES encodings from the same key pair so every
# ctype names the same identity: DER -> PEM, then the OpenSSH public key
# (-y) and its RFC4716 export (-e).
58 openssl x509 -inform DER -outform PEM < "${WORKDIR}/pkc/${name}.x509der" > "${WORKDIR}/pkc/${name}.x509pem"
59 ssh-keygen -y -P '' -f "${WORKDIR}/sec/${name}.key" > "${WORKDIR}/pkc/${name}.opensshpubkey"
60 ssh-keygen -e -P '' -f "${WORKDIR}/sec/${name}.key" > "${WORKDIR}/pkc/${name}.rfc4716"
63 # make 2 client certs (A and B) with self-signed certs
# (the `for name in a b` loop header is outside the visible lines; the body
# mirrors the server loop above, differing only in the subject, which
# carries an eMail attribute for the client identity)
65 openssl req -x509 -subj "/eMail=${name}@example.net/CN=${name}/" -nodes -sha256 -newkey rsa:1024 -keyout "${WORKDIR}/sec/${name}.key" -outform DER -out "${WORKDIR}/pkc/${name}.x509der"
66 chmod 0400 "${WORKDIR}/sec/${name}.key"
67 openssl x509 -inform DER -outform PEM < "${WORKDIR}/pkc/${name}.x509der" > "${WORKDIR}/pkc/${name}.x509pem"
68 ssh-keygen -y -P '' -f "${WORKDIR}/sec/${name}.key" > "${WORKDIR}/pkc/${name}.opensshpubkey"
69 ssh-keygen -e -P '' -f "${WORKDIR}/sec/${name}.key" > "${WORKDIR}/pkc/${name}.rfc4716"
72 # translate X and Y's keys into OpenPGP cert
# Wrap the RSA key as an OpenPGP certificate whose user ID is the https URI
# the validator will be asked about.  NOTE(review): the loop header is not
# visible, and a pem2openpgp failure is masked by `gpg --import`'s exit
# status unless `set -o pipefail` is in effect (not visible here).
74 PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "https://${name}.example.net" < "${WORKDIR}/sec/${name}.key" | gpg --import
76 # and the same for the clients A and B
# Client user IDs use the "name <name@example.net>" form that the client
# queries below must match exactly.
78 PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "${name} <${name}@example.net>" < "${WORKDIR}/sec/${name}.key" | gpg --import
# Pre-certification negatives: nothing has been signed by the CA yet, so no
# identity may validate in any encoding.  (The outer `for name in x y z`
# header that supplies ${name} here is outside the visible lines.)
82 # X should not validate as X or Y or Z:
84 for ctype in $CERTTYPES; do
85 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${name}.example.net" "${ctype}" < "${WORKDIR}/pkc/x.${ctype}"
88 # A shouldn't validate as A or B:
# The trailing `client` argument selects client-certificate context.
90 for ctype in $CERTTYPES; do
91 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${name} <${name}@example.net>" "${ctype}" client < "${WORKDIR}/pkc/a.${ctype}"
95 # certify X and A's OpenPGP cert with CA
# Only X and A are certified; Y, Z and B stay unsigned so the checks below
# can confirm that an uncertified identity is still rejected.
96 gpg --batch --yes --sign-key https://x.example.net
97 gpg --batch --yes --sign-key a@example.net
99 echo "Testing bad data:"
100 # it should fail if we pass it the wrong kind of data:
# A PEM blob declared as DER, and vice versa, must be rejected rather than
# sniffed and coerced into the other encoding.
101 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https x.example.net "x509der" < "${WORKDIR}/pkc/x.x509pem"
102 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https x.example.net "x509pem" < "${WORKDIR}/pkc/x.x509der"
103 echo "Done testing bad data."
# Post-certification matrix, once per encoding.
105 for ctype in $CERTTYPES; do
106 # X should now validate as X
107 "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https x.example.net "${ctype}" < "${WORKDIR}/pkc/x.${ctype}"
# ... and A as A in client context.
108 "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https 'a <a@example.net>' "${ctype}" client < "${WORKDIR}/pkc/a.${ctype}"
110 # but X should not validate as Y or Z:
# NOTE(review): as written this list includes x, so the name=x iteration
# asserts the opposite of line 107 (x must NOT validate as x.example.net).
# Unless a line not shown here skips x, the intended list is `y z`; this
# would go unnoticed if `!` failures are not enforced (see the note above).
111 for name in x y z; do
112 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${name}.example.net" "${ctype}" < "${WORKDIR}/pkc/x.${ctype}"
114 # and A shouldn't validate as B:
# Same client key as line 108, different claimed identity.
115 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "b <b@example.net>" "${ctype}" client < "${WORKDIR}/pkc/a.${ctype}"
117 # neither Y nor Z should validate as any of them:
# ${src} comes from a `for src in ...` header outside the visible lines
# (presumably `y z`, per the comment above) and selects the uncertified key
# being presented against each target host.
119 for targ in x y z; do
120 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${targ}.example.net" "${ctype}" < "${WORKDIR}/pkc/${src}.${ctype}"
123 # B should also still not validate as itself:
# B's OpenPGP cert was imported but never certified by the CA.
124 ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "b <b@example.net>" "${ctype}" client < "${WORKDIR}/pkc/b.${ctype}"
# Run the suite (runtests is defined outside the visible lines) with the
# keyserver policy set to "never" for this invocation only, so results depend
# solely on the local scratch keyring and never on network lookups.
129 MSVA_KEYSERVER_POLICY=never runtests
131 echo "Completed all tests as expected!"