diff options
Diffstat (limited to 'qpid/cpp/src/tests/run_ssl_tests')
-rwxr-xr-x | qpid/cpp/src/tests/run_ssl_tests | 329 |
1 files changed, 329 insertions, 0 deletions
diff --git a/qpid/cpp/src/tests/run_ssl_tests b/qpid/cpp/src/tests/run_ssl_tests new file mode 100755 index 0000000000..896893eb3d --- /dev/null +++ b/qpid/cpp/src/tests/run_ssl_tests @@ -0,0 +1,329 @@ +#!/usr/bin/env bash + +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# Run a simple test over SSL + +source env.sh + +#set -x + +CONFIG=$(dirname $0)/qpidd-empty.conf +TEST_CERT_DIR=`pwd`/test_cert_dir +CERT_DB=${TEST_CERT_DIR}/test_cert_db +CERT_PW_FILE=`pwd`/cert.password +TEST_HOSTNAME=127.0.0.1 +TEST_CLIENT_CERT=rumplestiltskin +CA_PEM_FILE=${TEST_CERT_DIR}/ca_cert.pem +OTHER_CA_CERT_DB=${TEST_CERT_DIR}/x_ca_cert_db +OTHER_CA_PEM_FILE=${TEST_CERT_DIR}/other_ca_cert.pem +PY_PING_BROKER=$SOURCE_DIR/src/tests/ping_broker +COUNT=10 + +if [[ -a $AMQP_LIB ]] ; then + MODULES="--load-module $AMQP_LIB" +fi + +trap cleanup EXIT + +error() { echo $*; exit 1; } + +# create the test certificate database +# $1 = string used as Subject in server's certificate +# $2 = string used as SubjectAlternateName (SAN) in server's certificate +create_certs() { + + local CERT_SUBJECT=${1:-"CN=${TEST_HOSTNAME},O=MyCo,ST=Massachusetts,C=US"} + local CERT_SAN=${2:-"*.server.com"} + + mkdir -p ${TEST_CERT_DIR} + rm -rf ${TEST_CERT_DIR}/* + + # Set Up a CA with a self-signed Certificate + # + mkdir -p ${CERT_DB} + certutil -N -d ${CERT_DB} -f ${CERT_PW_FILE} + certutil -S -d ${CERT_DB} -n "Test-CA" -s "CN=Test-CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1 + certutil -L -d ${CERT_DB} -n "Test-CA" -a -o ${CERT_DB}/rootca.crt -f ${CERT_PW_FILE} + #certutil -L -d ${CERT_DB} -f ${CERT_PW_FILE} + + # create server certificate signed by Test-CA + # + certutil -R -d ${CERT_DB} -s "${CERT_SUBJECT}" -o ${TEST_CERT_DIR}/server.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1 + certutil -C -d ${CERT_DB} -c "Test-CA" -8 "${CERT_SAN}" -i ${TEST_CERT_DIR}/server.req -o ${TEST_CERT_DIR}/server.crt -f ${CERT_PW_FILE} -m ${RANDOM} + certutil -A -d ${CERT_DB} -n ${TEST_HOSTNAME} -i ${TEST_CERT_DIR}/server.crt -t "Pu,," + + # create a certificate to identify the client + # + certutil -R -d ${CERT_DB} -s "CN=${TEST_CLIENT_CERT}" -o ${TEST_CERT_DIR}/client.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1 + certutil -C -d ${CERT_DB} -c "Test-CA" -8 "*.client.com" -i ${TEST_CERT_DIR}/client.req -o ${TEST_CERT_DIR}/client.crt -f ${CERT_PW_FILE} -m ${RANDOM} + certutil -A -d ${CERT_DB} -n ${TEST_CLIENT_CERT} -i ${TEST_CERT_DIR}/client.crt -t "Pu,," + ### + #certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE} + #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil + #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_CLIENT_CERT} -s "CN=${TEST_CLIENT_CERT}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil + + # Set up a separate DB with its own CA for testing failure to validate scenario + # + mkdir -p ${OTHER_CA_CERT_DB} + certutil -N -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE} + certutil -S -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -s "CN=Another Test CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1 + certutil -L -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -a -o ${OTHER_CA_CERT_DB}/rootca.crt -f ${CERT_PW_FILE} + #certutil -L -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE} +} + +delete_certs() { + if [[ -e ${TEST_CERT_DIR} ]] ; then + rm -rf ${TEST_CERT_DIR} + fi +} + +# Don't need --no-module-dir or --no-data-dir as they are set as env vars in env.sh +COMMON_OPTS="--daemon --config $CONFIG --ssl-cert-db $CERT_DB --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME" + +# Start new brokers: +# $1 must be integer +# $2 = extra opts +# Append used ports to PORTS variable +start_brokers() { + local -a ports + for (( i=0; $i<$1; i++)) do + ports[$i]=$(qpidd --port 0 --interface 127.0.0.1 $COMMON_OPTS $2) || error "Could not start broker $i" + done + PORTS=( ${PORTS[@]} ${ports[@]} ) +} + +# Stop single broker: +# $1 is number of broker to stop (0 based) +stop_broker() { + qpidd -qp ${PORTS[$1]} + + # Remove from ports array + unset PORTS[$1] +} + +stop_brokers() { + for port in "${PORTS[@]}"; + do + qpidd -qp $port + done + PORTS=() +} + +pick_port() { + # We need a fixed port to set --cluster-url. Use qpidd to pick a free port. + PICK=`qpidd --no-module-dir --listen-disable ssl -dp0` + qpidd --no-module-dir -qp $PICK + echo $PICK +} + +cleanup() { + stop_brokers + delete_certs + rm -f ${CERT_PW_FILE} +} + +start_ssl_broker() { + start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --auth no $MODULES" +} + +start_ssl_mux_broker() { + qpidd $COMMON_OPTS --port $1 --ssl-port $1 --auth no + PORTS=( ${PORTS[@]} $1 ) +} + +sasl_config_dir=$BUILD_DIR/src/tests/sasl_config + +start_authenticating_broker() { + start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --ssl-sasl-no-dict --ssl-require-client-authentication --auth yes --sasl-config=${sasl_config_dir} $MODULES" +} + +ssl_cluster_broker() { # $1 = port + start_brokers 1 "--ssl-port $1 --auth no --load-module $CLUSTER_LIB --cluster-name ssl_test.$HOSTNAME.$$ --cluster-url amqp:ssl:$TEST_HOSTNAME:$1" + + # Wait for broker to be ready + qpid-ping -Pssl -b $TEST_HOSTNAME:$1 -q || { echo "Cannot connect to broker on $1"; exit 1; } +} + +CERTUTIL=$(type -p certutil) +if [[ !(-x $CERTUTIL) ]] ; then + echo "No certutil, skipping ssl test"; + exit 0; +fi + +if [[ !(-e ${CERT_PW_FILE}) ]] ; then + echo password > ${CERT_PW_FILE} +fi +delete_certs +create_certs || error "Could not create test certificate database" + +start_ssl_broker +PORT=${PORTS[0]} +echo "Running SSL test on port $PORT" +export QPID_NO_MODULE_DIR=1 +export QPID_SSL_CERT_DB=${CERT_DB} +export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE} + +## Test connection via connection settings +qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary + +## Test connection with a URL +URL=amqp:ssl:$TEST_HOSTNAME:$PORT +qpid-send -b $URL --content-string=hello -a "foo;{create:always}" +MSG=`qpid-receive -b $URL -a "foo;{create:always}" --messages 1` +test "$MSG" = "hello" || { echo "receive failed '$MSG' != 'hello'"; exit 1; } + +if [[ -a $AMQP_LIB ]] ; then + echo "Testing ssl over AMQP 1.0" + qpid-send --connection-options '{protocol:amqp1.0}' -b $URL --content-string=hello -a "foo;{create:always}" + MSG=`qpid-receive --connection-options '{protocol:amqp1.0}' -b $URL -a "foo;{create:always}" --messages 1` + test "$MSG" = "hello" || { echo "receive failed for AMQP 1.0 '$MSG' != 'hello'"; exit 1; } +fi + +## Test connection with a combination of URL and connection options (in messaging API) +URL=$TEST_HOSTNAME:$PORT +qpid-send -b $URL --connection-options '{transport:ssl,heartbeat:2}' --content-string='hello again' -a "foo;{create:always}" +MSG=`qpid-receive -b $URL --connection-options '{transport:ssl,heartbeat:2}' -a "foo;{create:always}" --messages 1` +test "$MSG" = "hello again" || { echo "receive failed '$MSG' != 'hello again'"; exit 1; } + +## Test using the Python client +if test -d $PYTHON_DIR; then + echo "Testing Non-Authenticating with Python Client..." + URL=amqps://$TEST_HOSTNAME:$PORT + if `$PY_PING_BROKER -b $URL`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi +else + echo "Skipping python part of ssl_test, no python dir." +fi + +#### Client Authentication tests + +start_authenticating_broker +PORT2=${PORTS[1]} +echo "Running SSL client authentication test on port $PORT2" +URL=amqp:ssl:$TEST_HOSTNAME:$PORT2 + +## See if you can set the SSL cert-name for the connection +qpid-send -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" --content-string=hello -a "bar;{create:always}" +MSG2=`qpid-receive -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" -a "bar;{create:always}" --messages 1` +test "$MSG2" = "hello" || { echo "receive failed '$MSG2' != 'hello'"; exit 1; } + +## Make sure that connect fails with an invalid SSL cert-name +qpid-send -b $URL --connection-options "{ssl-cert-name: pignose }" --content-string=hello -a "baz;{create:always}" 2>/dev/null 1>/dev/null +MSG3=`qpid-receive -b $URL --connection-options "{ssl-cert-name: pignose }" -a "baz;{create:always}" --messages 1 2>/dev/null` +test "$MSG3" = "" || { echo "receive succeeded without valid ssl cert '$MSG3' != ''"; exit 1; } + +stop_brokers + +# Test ssl muxed with plain TCP on the same connection + +# Test a specified port number - since tcp/ssl are the same port don't need to specify --transport ssl +PORT=`pick_port` +start_ssl_mux_broker $PORT || error "Could not start broker" +echo "Running SSL/TCP mux test on fixed port $PORT" + +## Test connection via connection settings +qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!" +qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!" + +# Test a broker chosen port - since ssl chooses port need to use --transport ssl here +start_ssl_broker +PORT=${PORTS[0]} +echo "Running SSL/TCP mux test on random port $PORT" + +## Test connection via connection settings +qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!" +qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!" + +stop_brokers + +### Additional tests that require 'openssl' and 'pk12util' to be installed (optional) + +PK12UTIL=$(type -p pk12util) +if [[ !(-x $PK12UTIL) ]] ; then + echo >&2 "'pk12util' command not available, skipping remaining tests" + exit 0 +fi + +OPENSSL=$(type -p openssl) +if [[ !(-x $OPENSSL) ]] ; then + echo >&2 "'openssl' command not available, skipping remaining tests" + exit 0 +fi + +## verify python version > 2.5 (only 2.6+ does certificate checking) +PY_VERSION=$(python -c "import sys; print hex(sys.hexversion)") +if (( PY_VERSION < 0x02060000 )); then + echo >&2 "Detected python version < 2.6 - skipping certificate verification tests" + exit 0 +fi + +echo "Testing Certificate validation and Authentication with the Python Client..." + +# extract the CA's certificate as a PEM file +get_ca_certs() { + $PK12UTIL -o ${TEST_CERT_DIR}/CA_pk12.out -d ${CERT_DB} -n "Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null + $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/CA_pk12.out -out ${CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null + $PK12UTIL -o ${TEST_CERT_DIR}/other_CA_pk12.out -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null + $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null +} + +get_ca_certs || error "Could not extract CA certificates as PEM files" +start_ssl_broker +PORT=${PORTS[0]} +URL=amqps://$TEST_HOSTNAME:$PORT +# verify the python client can authenticate the broker using the CA +if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi +# verify the python client fails to authenticate the broker when using the other CA +if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${OTHER_CA_PEM_FILE} > /dev/null 2>&1`; then { echo " Failed"; exit 1; }; else echo " Passed"; fi +stop_brokers + +# create a certificate without matching TEST_HOSTNAME, should fail to verify + +create_certs "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create server test certificate" +get_ca_certs || error "Could not extract CA certificates as PEM files" +start_ssl_broker +PORT=${PORTS[0]} +URL=amqps://$TEST_HOSTNAME:$PORT +if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} > /dev/null 2>&1`; then { echo " Failed"; exit 1; }; else echo " Passed"; fi +# but disabling the check for the hostname should pass +if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} --ssl-skip-hostname-check`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi +stop_brokers + +# test SubjectAltName parsing + +if (( PY_VERSION >= 0x02070300 )); then +# python 2.7.3+ supports SubjectAltName extraction +# create a certificate with TEST_HOSTNAME only in SAN, should verify OK + create_certs "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || error "Could not create server test certificate" + get_ca_certs || error "Could not extract CA certificates as PEM files" + start_ssl_broker + PORT=${PORTS[0]} + URL=amqps://$TEST_HOSTNAME:$PORT + if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi + stop_brokers + + create_certs "O=MyCo" "*${TEST_HOSTNAME}" || error "Could not create server test certificate" + get_ca_certs || error "Could not extract CA certificates as PEM files" + start_ssl_broker + PORT=${PORTS[0]} + URL=amqps://$TEST_HOSTNAME:$PORT + if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi + stop_brokers +fi |