#!/bin/bash # simple set of tests to exercise the msva. # these tests currently depend on the user having the following tools # installed locally: # monkeysphere (for pem2openpgp) # openssl (for openssl req) # openssh-client (for ssh-keygen) # gpg (for obvious reasons) # bash (yes, this test script isn't posix-compliant) # note that this test requires the ability to bind on the loopback # interface, which might not be possible in some build environments. # Author: Daniel Kahn Gillmor # Copyright: 2010 # License: This is licensed under the GPL v3 or later # (see the top-level COPYING file in this distribution) set -e srcdir=$(dirname $0)/.. REPS=5 CERTTYPES="x509pem x509der opensshpubkey rfc4716" printf "testing %d reps of simple/quick true/false:\n" "$REPS" for n in $(seq 1 "$REPS") ; do "${srcdir}"/test-msva msva-perl true printf "+" ! "${srcdir}"/test-msva msva-perl false printf "-" done printf "\ndone\n" WORKDIR=$(mktemp -d) mkdir -m 0700 "${WORKDIR}/"{pkc,sec,gnupg} export GNUPGHOME="${WORKDIR}/gnupg" if gpg --quick-random --version ; then GPGQR=--quick-random elif gpg --debug-quick-random --version ; then GPGQR=--debug-quick-random else GPGQR= fi # make a CA printf "Key-Type: RSA\nKey-Length: 1024\nKey-Usage: sign\nName-Real: MSVA Test Certificate Authority (DO NOT USE!)\n" | gpg --batch --no-tty $GPGQR --gen-key # make 3 websites (X, Y, and Z) with self-signed certs: for name in x y z ; do openssl req -x509 -subj "/CN=${name}.example.net/" -nodes -sha256 -newkey rsa:1024 -keyout "${WORKDIR}/sec/${name}.key" -outform DER -out "${WORKDIR}/pkc/${name}.x509der" chmod 0400 "${WORKDIR}/sec/${name}.key" openssl x509 -inform DER -outform PEM < "${WORKDIR}/pkc/${name}.x509der" > "${WORKDIR}/pkc/${name}.x509pem" ssh-keygen -y -P '' -f "${WORKDIR}/sec/${name}.key" > "${WORKDIR}/pkc/${name}.opensshpubkey" ssh-keygen -e -P '' -f "${WORKDIR}/sec/${name}.key" > "${WORKDIR}/pkc/${name}.rfc4716" done # translate X and Y's keys into OpenPGP cert for name in x y; do PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "https://${name}.example.net" < "${WORKDIR}/sec/${name}.key" | gpg --import done runtests() { # X should not validate as X or Y or Z: for name in x y z; do for ctype in $CERTTYPES; do ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${name}.example.net" "${ctype}" < "${WORKDIR}/pkc/x.${ctype}" done done # certify X's OpenPGP cert with CA gpg --batch --yes --sign-key https://x.example.net echo "Testing bad data:" # it should fail if we pass it the wrong kind of data: ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https x.example.net "x509der" < "${WORKDIR}/pkc/x.x509pem" ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https x.example.net "x509pem" < "${WORKDIR}/pkc/x.x509der" echo "Done testing bad data." for ctype in $CERTTYPES; do # X should now validate as X "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https x.example.net "${ctype}" < "${WORKDIR}/pkc/x.${ctype}" # but X should not validate as Y or Z: for name in x y z; do ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${name}.example.net" "${ctype}" < "${WORKDIR}/pkc/x.${ctype}" done # neither Y nor Z should validate as any of them: for src in y z; do for targ in x y z; do ! "${srcdir}"/test-msva msva-perl "${srcdir}"/test-msva msva-query-agent https "${targ}.example.net" "${ctype}" < "${WORKDIR}/pkc/${src}.${ctype}" done done done } set -x MSVA_KEYSERVER_POLICY=never runtests set +x echo "Completed all tests as expected!" rm -rf "$WORKDIR"