Added test for restconf tls too weak ca using md5

2021-05-07 14:05:40 +02:00 · 2021-05-07 14:05:40 +02:00 · c50f9f8056
commit c50f9f8056
parent ac51cb0293
2 changed files with 42 additions and 10 deletions
--- a/test/lib.sh
+++ b/test/lib.sh
@ -854,7 +854,7 @@ subjectAltName = DNS:clicon.org
 EOF

    # Generate server key
-    openssl genrsa -out $srvkey ${CERTKEYLEN}  || err "Generate server key"
+    openssl genpkey -algorithm RSA -out $srvkey  || err "Generate server key"

    # Generate CSR (signing request)
    openssl req -new -config $tmpdir/srv.cnf -key $srvkey -out $tmpdir/srv_csr.pem || err "Generate signing request"
@ -864,3 +864,4 @@ EOF

    rm -rf $tmpdir
 }
+
--- a/test/test_restconf_ssl_certs.sh
+++ b/test/test_restconf_ssl_certs.sh
@ -37,7 +37,8 @@ xcacert=$certdir/xca_cert.pem
 users="andy guest" # generate certs for some users in nacm.sh

 x1users="limited"   # Set invalid cert
-x2users="invalid"   # Wrong CA
+#x2users="invalid"   # Wrong CA
+x3users="mymd5"     # Too weak ca 

 # Whether to generate new keys or not (only if $dir is not removed)
 # Here dont generate keys if restconf started stand-alone (RC=0)
@ -117,21 +118,46 @@ L = Stockholm
 C = SE
 EOF
 	# Create client key
-	openssl genrsa -out "$certdir/$name.key" 2048
+	openssl genpkey -algorithm RSA -out "$certdir/$name.key" ||  err "Generate client key"

 	# Generate CSR (signing request)
 	openssl req -new -config $dir/$name.cnf -key $certdir/$name.key -out $certdir/$name.csr

 	# Sign by CA
-	openssl x509 -req -extfile $dir/$name.cnf -days 1 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt
+	openssl x509 -req -extfile $dir/$name.cnf -days 1 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt  ||  err "Generate signing client cert"
    done # client key

    # invalid (days = 0)
    for name in $x1users; do
-	openssl x509 -req -extfile $dir/$name.cnf -days 0 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt
+	openssl x509 -req -extfile $dir/$name.cnf -days 0 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt ||  err "Generate signing client cert"
    done # invalid

-        # create client certs from invalid CA
+    
+        # create client certs with md5 -- too weak ca
+    for name in $x3users; do
+	cat<<EOF > $dir/$name.cnf
+[req]
+prompt = no
+distinguished_name = dn
+[dn]
+CN = $name # This can be verified using SSL_set1_host
+emailAddress = $name@foo.bar
+O = Clixon
+L = Stockholm
+C = SE
+EOF
+	# Create client key
+	openssl genpkey -algorithm RSA -out "$certdir/$name.key" ||  err "Generate client key"
+
+	# Generate CSR (signing request)
+	openssl req -new -config $dir/$name.cnf -key $certdir/$name.key -out $certdir/$name.csr
+
+	# Sign by CA
+	openssl x509 -req -extfile $dir/$name.cnf -days 1 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -md5 -out $certdir/$name.crt  ||  err "Generate signing client cert"
+    done # too weak ca
+    
+    if false; then # XXX: How do you generate an "invalid" cert?
+    # create client certs from invalid CA
    for name in $x2users; do
 	cat<<EOF > $dir/$name.cnf
 [req]
@ -145,14 +171,15 @@ L = Stockholm
 C = SE
 EOF
 	# Create client key
-	openssl genrsa -out "$certdir/$name.key" 2048
+	openssl genpkey -algorithm RSA -out "$certdir/$name.key" ||  err "Generate client key"

 	# Generate CSR (signing request)
 	openssl req -new -config $dir/$name.cnf -key $certdir/$name.key -out $certdir/$name.csr

 	# Sign by CA
 	openssl x509 -req -extfile $dir/$name.cnf -days 1 -passin "pass:password" -in $certdir/$name.csr -CA $xcacert -CAkey $xcakey -CAcreateserial -out $certdir/$name.crt
-    done # client key
+    done # invalid ca
+    fi # XXX

 fi # genkeys

@ -255,8 +282,12 @@ EOF
    new "limited invalid cert"
    expectpart "$(curl $CURLOPTS --key $certdir/limited.key --cert $certdir/limited.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" "35 55 56" # 55 "certificate expired"

-    new "invalid cert from wrong CA"
-    expectpart "$(curl $CURLOPTS --key $certdir/invalid.key --cert $certdir/limited.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" 58 "unable to set private key file" # 58 unable to set private key file
+    new "too weak cert (sign w md5)"
+    expectpart "$(curl $CURLOPTS --key $certdir/mymd5.key --cert $certdir/mymd5.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" 58 "md too weak"
+
+# Havent been able to generate "wrong CA"
+#    new "invalid cert from wrong CA"
+#    expectpart "$(curl $CURLOPTS --key $certdir/invalid.key --cert $certdir/invalid.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" 0 foo # 58 "unable to set private key file" # 58 unable to set private key file

    # Just ensure all is OK
    new "admin get x 42"