diff options
| author | Peter Eisentraut <peter@eisentraut.org> | 2021-02-18 07:59:10 +0100 |
|---|---|---|
| committer | Peter Eisentraut <peter@eisentraut.org> | 2021-02-18 07:59:10 +0100 |
| commit | f5465fade90827534fbd0b795d18dc62e56939e9 (patch) | |
| tree | 71a2cc9b6804e78c2b2911f1c7426d096c9ca7af /src/test/ssl/t | |
| parent | 128dd901a5c87e11c6a8cbe227a806cdc3afd10d (diff) | |
| download | postgresql-f5465fade90827534fbd0b795d18dc62e56939e9.tar.gz | |
Allow specifying CRL directory
Add another method to specify CRLs, hashed directory method, for both
server and client side. This offers a means for server or libpq to
load only CRLs that are required to verify a certificate. The CRL
directory is specifed by separate GUC variables or connection options
ssl_crl_dir and sslcrldir, alongside the existing ssl_crl_file and
sslcrl, so both methods can be used at the same time.
Author: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Discussion: https://www.postgresql.org/message-id/flat/20200731.173911.904649928639357911.horikyota.ntt@gmail.com
Diffstat (limited to 'src/test/ssl/t')
| -rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 32 | ||||
| -rw-r--r-- | src/test/ssl/t/SSLServer.pm | 14 |
2 files changed, 43 insertions, 3 deletions
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index 7928de4e7c..864f6e209f 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -17,7 +17,7 @@ if ($ENV{with_ssl} ne 'openssl') } else { - plan tests => 93; + plan tests => 100; } #### Some configuration @@ -215,12 +215,25 @@ test_connect_fails( qr/SSL error/, "CRL belonging to a different CA"); +# The same for CRL directory +test_connect_fails( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir", + qr/SSL error/, + "directory CRL belonging to a different CA"); + # With the correct CRL, succeeds (this cert is not revoked) test_connect_ok( $common_connstr, "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl", "CRL with a non-revoked cert"); +# The same for CRL directory +test_connect_ok( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir", + "directory CRL with a non-revoked cert"); + # Check that connecting with verify-full fails, when the hostname doesn't # match the hostname in the server's certificate. $common_connstr = @@ -346,7 +359,12 @@ test_connect_fails( $common_connstr, "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl", qr/SSL error/, - "does not connect with client-side CRL"); + "does not connect with client-side CRL file"); +test_connect_fails( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir", + qr/SSL error/, + "does not connect with client-side CRL directory"); # pg_stat_ssl command_like( @@ -545,6 +563,16 @@ test_connect_ok( test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt", qr/SSL error/, "intermediate client certificate is missing"); +# test server-side CRL directory +switch_server_cert($node, 'server-cn-only', undef, undef, 'root+client-crldir'); + +# revoked client cert +test_connect_fails( + $common_connstr, + "user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key", + qr/SSL error/, + "certificate authorization fails with revoked client cert with server-side CRL directory"); + # clean up foreach my $key (@keys) { diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSLServer.pm index f5987a003e..5ec5e0dac8 100644 --- a/src/test/ssl/t/SSLServer.pm +++ b/src/test/ssl/t/SSLServer.pm @@ -150,6 +150,8 @@ sub configure_test_server_for_ssl copy_files("ssl/root+client_ca.crt", $pgdata); copy_files("ssl/root_ca.crt", $pgdata); copy_files("ssl/root+client.crl", $pgdata); + mkdir("$pgdata/root+client-crldir"); + copy_files("ssl/root+client-crldir/*", "$pgdata/root+client-crldir/"); # Stop and restart server to load new listen_addresses. $node->restart; @@ -167,14 +169,24 @@ sub switch_server_cert my $node = $_[0]; my $certfile = $_[1]; my $cafile = $_[2] || "root+client_ca"; + my $crlfile = "root+client.crl"; + my $crldir; my $pgdata = $node->data_dir; + # defaults to use crl file + if (defined $_[3] || defined $_[4]) + { + $crlfile = $_[3]; + $crldir = $_[4]; + } + open my $sslconf, '>', "$pgdata/sslconfig.conf"; print $sslconf "ssl=on\n"; print $sslconf "ssl_ca_file='$cafile.crt'\n"; print $sslconf "ssl_cert_file='$certfile.crt'\n"; print $sslconf "ssl_key_file='$certfile.key'\n"; - print $sslconf "ssl_crl_file='root+client.crl'\n"; + print $sslconf "ssl_crl_file='$crlfile'\n" if defined $crlfile; + print $sslconf "ssl_crl_dir='$crldir'\n" if defined $crldir; close $sslconf; $node->restart; |