From c50f9f8056cfaedd0e99296b1d4d396e3d90caae Mon Sep 17 00:00:00 2001 From: Olof hagsand Date: Fri, 7 May 2021 14:05:40 +0200 Subject: [PATCH] Added test for restconf tls too weak ca using md5 --- test/lib.sh | 3 +- test/test_restconf_ssl_certs.sh | 49 +++++++++++++++++++++++++++------ 2 files changed, 42 insertions(+), 10 deletions(-) diff --git a/test/lib.sh b/test/lib.sh index 0ca88932..84462504 100755 --- a/test/lib.sh +++ b/test/lib.sh @@ -854,7 +854,7 @@ subjectAltName = DNS:clicon.org EOF # Generate server key - openssl genrsa -out $srvkey ${CERTKEYLEN} || err "Generate server key" + openssl genpkey -algorithm RSA -out $srvkey || err "Generate server key" # Generate CSR (signing request) openssl req -new -config $tmpdir/srv.cnf -key $srvkey -out $tmpdir/srv_csr.pem || err "Generate signing request" @@ -864,3 +864,4 @@ EOF rm -rf $tmpdir } + diff --git a/test/test_restconf_ssl_certs.sh b/test/test_restconf_ssl_certs.sh index 2dd748eb..a907f036 100755 --- a/test/test_restconf_ssl_certs.sh +++ b/test/test_restconf_ssl_certs.sh @@ -37,7 +37,8 @@ xcacert=$certdir/xca_cert.pem users="andy guest" # generate certs for some users in nacm.sh x1users="limited" # Set invalid cert -x2users="invalid" # Wrong CA +#x2users="invalid" # Wrong CA +x3users="mymd5" # Too weak ca # Whether to generate new keys or not (only if $dir is not removed) # Here dont generate keys if restconf started stand-alone (RC=0) @@ -117,21 +118,46 @@ L = Stockholm C = SE EOF # Create client key - openssl genrsa -out "$certdir/$name.key" 2048 + openssl genpkey -algorithm RSA -out "$certdir/$name.key" || err "Generate client key" # Generate CSR (signing request) openssl req -new -config $dir/$name.cnf -key $certdir/$name.key -out $certdir/$name.csr # Sign by CA - openssl x509 -req -extfile $dir/$name.cnf -days 1 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt + openssl x509 -req -extfile $dir/$name.cnf -days 1 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt || err "Generate signing client cert" done # client key # invalid (days = 0) for name in $x1users; do - openssl x509 -req -extfile $dir/$name.cnf -days 0 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt + openssl x509 -req -extfile $dir/$name.cnf -days 0 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -out $certdir/$name.crt || err "Generate signing client cert" done # invalid - # create client certs from invalid CA + + # create client certs with md5 -- too weak ca + for name in $x3users; do + cat< $dir/$name.cnf +[req] +prompt = no +distinguished_name = dn +[dn] +CN = $name # This can be verified using SSL_set1_host +emailAddress = $name@foo.bar +O = Clixon +L = Stockholm +C = SE +EOF + # Create client key + openssl genpkey -algorithm RSA -out "$certdir/$name.key" || err "Generate client key" + + # Generate CSR (signing request) + openssl req -new -config $dir/$name.cnf -key $certdir/$name.key -out $certdir/$name.csr + + # Sign by CA + openssl x509 -req -extfile $dir/$name.cnf -days 1 -passin "pass:password" -in $certdir/$name.csr -CA $cacert -CAkey $cakey -CAcreateserial -md5 -out $certdir/$name.crt || err "Generate signing client cert" + done # too weak ca + + if false; then # XXX: How do you generate an "invalid" cert? + # create client certs from invalid CA for name in $x2users; do cat< $dir/$name.cnf [req] @@ -145,14 +171,15 @@ L = Stockholm C = SE EOF # Create client key - openssl genrsa -out "$certdir/$name.key" 2048 + openssl genpkey -algorithm RSA -out "$certdir/$name.key" || err "Generate client key" # Generate CSR (signing request) openssl req -new -config $dir/$name.cnf -key $certdir/$name.key -out $certdir/$name.csr # Sign by CA openssl x509 -req -extfile $dir/$name.cnf -days 1 -passin "pass:password" -in $certdir/$name.csr -CA $xcacert -CAkey $xcakey -CAcreateserial -out $certdir/$name.crt - done # client key + done # invalid ca + fi # XXX fi # genkeys @@ -255,8 +282,12 @@ EOF new "limited invalid cert" expectpart "$(curl $CURLOPTS --key $certdir/limited.key --cert $certdir/limited.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" "35 55 56" # 55 "certificate expired" - new "invalid cert from wrong CA" - expectpart "$(curl $CURLOPTS --key $certdir/invalid.key --cert $certdir/limited.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" 58 "unable to set private key file" # 58 unable to set private key file + new "too weak cert (sign w md5)" + expectpart "$(curl $CURLOPTS --key $certdir/mymd5.key --cert $certdir/mymd5.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" 58 "md too weak" + +# Havent been able to generate "wrong CA" +# new "invalid cert from wrong CA" +# expectpart "$(curl $CURLOPTS --key $certdir/invalid.key --cert $certdir/invalid.crt -X GET $RCPROTO://localhost/restconf/data/example:x 2>&1)" 0 foo # 58 "unable to set private key file" # 58 unable to set private key file # Just ensure all is OK new "admin get x 42"