[Rt-commit] rt branch 5.0/update-smime-test-revoked-certs created. rt-5.0.3-77-g0b5ff85294

BPS Git Server git at git.bestpractical.com
Fri Aug 5 17:26:43 UTC 2022


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 5.0/update-smime-test-revoked-certs has been created
        at  0b5ff85294a676e1cb730c8124f034626ba0b595 (commit)

- Log -----------------------------------------------------------------
commit 0b5ff85294a676e1cb730c8124f034626ba0b595
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Fri Aug 5 23:54:34 2022 +0800

    Update expired test revoked certs by generating them by ourselves
    
    The previous cert expired (2021-10-08), which caused tests to fail.
    We can update the cert from its original source (revoked.badssl.com), but
    its lifetime is too short (1 year) and we don't want to update so
    frequently, not to mention that it will still cause test failures in
    not-so-old releases.
    
    This commit dynamically generates revoked certs, which totally gets rid
    of the expiry issue.
    
    As tests don't rely on external resources any more(we supply ocsp and
    crl servers locally), we can run them by default and there is no need to
    keep the RT_TEST_SMIME_REVOCATION flag.

diff --git a/t/crypt/smime/revoked.t b/t/crypt/smime/revoked.t
index ec6d6d26b4..6629e6e5e3 100644
--- a/t/crypt/smime/revoked.t
+++ b/t/crypt/smime/revoked.t
@@ -1,74 +1,144 @@
 use strict;
 use warnings;
 
-use RT::Test::Crypt SMIME => 1, tests => undef;
+use RT::Test::Crypt SMIME => 1, tests => undef, actual_server => 1;
+
+if ( !RT::Crypt::SMIME->SupportsCRLfile ) {
+    RT::Test::plan( skip_all => 'This version of openssl does not support the -CRLfile option' );
+}
 
 my $openssl = RT::Test->find_executable('openssl');
-my $keyring = File::Spec->catfile(RT::Test->temp_directory, "smime" );
-my $ca = RT::Test::find_relocatable_path(qw(data smime keys));
-$ca = File::Spec->catfile($ca, 'revoked-ca.pem');
+my $certs   = File::Spec->catdir( RT::Test->temp_directory, 'certs' );
+mkdir $certs or die "Could not create $certs: $!";
 
-RT->Config->Set('SMIME', Enable => 1,
-    Passphrase => {'revoked\@example.com' => '123456'},
-    OpenSSL => $openssl,
-    Keyring => $keyring,
-    CAPath  => $ca,
-    CheckCRL => 1,
-    CheckOCSP => 1,
-);
+my $ocsp_port = RT::Test->find_idle_port;
 
-RT::Test::Crypt->smime_import_key('revoked at example.com');
+use Cwd;
+my $cwd = getcwd;
 
+diag 'Generate revoked cert';
 
-if (!RT::Crypt::SMIME->SupportsCRLfile) {
-    RT::Test::plan( skip_all => 'This version of openssl does not support the -CRLfile option');
-}
+chdir $certs;
 
-if (!$ENV{RT_TEST_SMIME_REVOCATION}) {
-    RT::Test::plan( skip_all => 'Skipping tests that would download a CRL because RT_TEST_SMIME_REVOCATION environment variable not set to 1');
-}
+open my $fh, '>', 'revoked.ext' or die "Could not write to $certs/revoked.ext: $!";
+print $fh <<"EOF";
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+subjectAltName=\@alt_names
+authorityInfoAccess=OCSP;URI:http://localhost:$ocsp_port, CA Issuers;URI:http://localhost:$RT::Test::port/static/ca.pem
+crlDistributionPoints=URI:http://localhost:$RT::Test::port/static/example.crl
+[alt_names]
+DNS.1=revoked.example.com
+EOF
+close $fh;
+
+system( $openssl,
+    qw!req -newkey rsa:2048 -nodes -keyout revoked.key -text -out revoked.csr -subj /CN=revoked.example.com! )
+    && die "Could not create key/csr: $?";
+
+system( $openssl, qw!req -x509 -sha256 -nodes -newkey rsa:2048 -keyout ca.key -text -out ca.pem -subj /CN=example.com! )
+    && die "Could not create CA: $?";
+
+system( $openssl,
+    qw!x509 -req -CA ca.pem -CAkey ca.key -in revoked.csr -out revoked.pem -CAcreateserial -extfile revoked.ext!,
+) && die "Could not sign cert: $?";
 
 my $crt;
 {
     local $/;
-    if (open my $fh, "<" . File::Spec->catfile($keyring, 'revoked at example.com.pem')) {
-        $crt = <$fh>;
-        close($fh);
-    } else {
-        die("Could not read " . File::Spec->catfile($keyring, 'revoked at example.com.pem') . ": $!");
-    }
+    open my $fh, '<', 'revoked.pem' or die "Could not read $certs/revoked.pem: $!";
+    $crt = <$fh>;
+    close($fh);
 }
 
-my %res;
-%res = RT::Crypt::SMIME->GetCertificateInfo(Certificate => $crt);
-is ($res{info}[0]{Trust}, 'REVOKED certificate checked against OCSP URI http://ocsp.digicert.com', 'Trust info indicates revoked certificate using OCSP');
-is ($res{info}[0]{TrustTerse}, 'none (revoked certificate)', 'TrustTerse indicates revoked certificate');
-
-# Now disable OCSP
-RT->Config->Set('SMIME', Enable => 1,
-    Passphrase => {'revoked\@example.com' => '123456'},
-    OpenSSL => $openssl,
-    Keyring => $keyring,
-    CAPath  => $ca,
-    CheckCRL => 1,
-    CheckOCSP => 0,
-);
-
-%res = RT::Crypt::SMIME->GetCertificateInfo(Certificate => $crt);
-is ($res{info}[0]{Trust}, 'REVOKED certificate from CA DigiCert SHA2 Secure Server CA', 'Trust info indicates revoked certificate using CRL');
-is ($res{info}[0]{TrustTerse}, 'none (revoked certificate)', 'TrustTerse indicates revoked certificate');
-
-# Disable both OCSP and CRL... cert should verify
-RT->Config->Set('SMIME', Enable => 1,
-    Passphrase => {'revoked\@example.com' => '123456'},
-    OpenSSL => $openssl,
-    Keyring => $keyring,
-    CAPath  => $ca,
-    CheckCRL => 0,
-    CheckOSCP => 0,
-);
-%res = RT::Crypt::SMIME->GetCertificateInfo(Certificate => $crt);
-is ($res{info}[0]{Trust}, 'Signed by trusted CA DigiCert SHA2 Secure Server CA');
-is ($res{info}[0]{TrustTerse}, 'full');
-
-done_testing;
+# default CA dir
+mkdir 'demoCA' or die "Could not create $certs/demoCA: $!";
+
+# Create empty index.txt for OCSP
+open $fh, '>', File::Spec->catfile( 'demoCA', 'index.txt' ) or die "Could not write to $certs/demoCA/index.txt: $!";
+close $fh;
+
+system( $openssl, qw!ca -revoke revoked.pem -keyfile ca.key -cert ca.pem! ) && die "Could not revoke cert: $?";
+
+
+open $fh, '>', File::Spec->catfile( 'demoCA', 'crlnumber' ) or die "Could not write to $certs/demoCA/crlnumber: $!";
+print $fh '01';    # initial crlnumber
+close $fh;
+
+system( $openssl, qw!ca -gencrl -out example.crl -keyfile ca.key -cert ca.pem!, )
+    && die "Could not generate example.crl: $?";
+
+if ( my $pid = fork() ) {
+    chdir $cwd;    # get back from temp dir that will be cleaned up
+    my $ca      = File::Spec->catfile( $certs,                   'ca.pem' );
+    my $keyring = File::Spec->catfile( RT::Test->temp_directory, 'smime' );
+    RT->Config->Set(
+        'SMIME',
+        Enable    => 1,
+        OpenSSL   => $openssl,
+        Keyring   => $keyring,
+        CAPath    => $ca,
+        CheckCRL  => 1,
+        CheckOCSP => 1,
+    );
+
+    # so openssl can download ca.pem and example.crl
+    RT->Config->Set( LocalStaticPath => $certs );
+
+    RT::Test->started_ok;
+
+    my %res;
+    %res = RT::Crypt::SMIME->GetCertificateInfo( Certificate => $crt );
+    is(
+        $res{info}[0]{Trust},
+        "REVOKED certificate checked against OCSP URI http://localhost:$ocsp_port",
+        'Trust info indicates revoked certificate using OCSP'
+    );
+    is( $res{info}[0]{TrustTerse}, 'none (revoked certificate)', 'TrustTerse indicates revoked certificate' );
+
+    # Now disable OCSP
+    RT::Test->stop_server;
+    RT->Config->Set(
+        'SMIME',
+        Enable    => 1,
+        OpenSSL   => $openssl,
+        Keyring   => $keyring,
+        CAPath    => $ca,
+        CheckCRL  => 1,
+        CheckOCSP => 0,
+    );
+    RT::Test->started_ok;
+
+    %res = RT::Crypt::SMIME->GetCertificateInfo( Certificate => $crt );
+    is(
+        $res{info}[0]{Trust},
+        'REVOKED certificate from CA example.com',
+        'Trust info indicates revoked certificate using CRL'
+    );
+    is( $res{info}[0]{TrustTerse}, 'none (revoked certificate)', 'TrustTerse indicates revoked certificate' );
+
+    # Disable both OCSP and CRL... cert should verify
+    RT::Test->stop_server;
+    RT->Config->Set(
+        'SMIME',
+        Enable    => 1,
+        OpenSSL   => $openssl,
+        Keyring   => $keyring,
+        CAPath    => $ca,
+        CheckCRL  => 0,
+        CheckOSCP => 0,
+    );
+    RT::Test->started_ok;
+
+    %res = RT::Crypt::SMIME->GetCertificateInfo( Certificate => $crt );
+    is( $res{info}[0]{Trust},      'Signed by trusted CA example.com' );
+    is( $res{info}[0]{TrustTerse}, 'full' );
+
+    kill 'KILL', $pid;
+    waitpid $pid, 0;
+    done_testing;
+}
+else {
+    # start ocsp server
+    exec( $openssl, qw!ocsp -index demoCA/index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key -port!, $ocsp_port );
+}
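Review bot: `if ( my $pid = fork() )` treats a failed fork (undef) exactly like the child branch, so if fork fails the test process itself would `exec` the OCSP responder and the test would silently never run; check the result first, `defined( my $pid = fork() ) or die "Could not fork: $!";` and then branch on `if ($pid)`. The `chdir $certs` and later `chdir $cwd` are also unchecked, and because every subsequent openssl call and `open` uses relative paths (`revoked.ext`, `ca.key`, `demoCA/index.txt`), a silent chdir failure would create or overwrite key material in whatever directory the test happened to start in rather than the temp directory — `chdir $certs or die "Could not chdir to $certs: $!";`. The third config block still spells the key `CheckOSCP` (carried over from the old test) while the two earlier blocks use `CheckOCSP`, so it presumably does not disable OCSP checking at all and the expected 'full' trust appears to rely on the default rather than the intended setting. If the parent dies anywhere between `fork` and `kill 'KILL', $pid` (for example inside `started_ok`), the child responder listening on `$ocsp_port` is left running; an `END { kill 'TERM', $pid if $pid }` guard, or killing it before any `die`, would keep it from outliving the test.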
diff --git a/t/data/smime/keys/revoked-ca.pem b/t/data/smime/keys/revoked-ca.pem
deleted file mode 100644
index dcf27d9a5f..0000000000
--- a/t/data/smime/keys/revoked-ca.pem
+++ /dev/null
@@ -1,49 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
-QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
-U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
-nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
-KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
-/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
-kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
-/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
-AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
-aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
-Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
-oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
-QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
-d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
-xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
-CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
-5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
-8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
-2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
-c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
-j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
-QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
-b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
-CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
-nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
-43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
-T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
-gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
-BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
-TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
-DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
-hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
-06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
-PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
-YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
-CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
------END CERTIFICATE-----
diff --git a/t/data/smime/keys/revoked at example.com.pem b/t/data/smime/keys/revoked at example.com.pem
deleted file mode 100644
index 7c96dc9d6e..0000000000
--- a/t/data/smime/keys/revoked at example.com.pem
+++ /dev/null
@@ -1,39 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIGvzCCBaegAwIBAgIQA3G1iob2zpw+y3v0L5II/DANBgkqhkiG9w0BAQsFADBN
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
-aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkxMDA0MDAwMDAwWhcN
-MjExMDA4MTIwMDAwWjB0MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
-YTEVMBMGA1UEBxMMV2FsbnV0IENyZWVrMRwwGgYDVQQKExNMdWNhcyBHYXJyb24g
-VG9ycmVzMRswGQYDVQQDExJyZXZva2VkLmJhZHNzbC5jb20wggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQC0Ljkn9nZW+vmCL6At8tAyGZlV3IlElvdzI6/3
-pF4+dL9Zec1fC+eP+wMZv4+eY9L/Anx2/hbpAvyGkF+YXNaaui6V6NilxfScnae5
-3rhKcWL9Kih9Aq9G1g0dcWHZTNuXFQA09FOBvI6UOd7YvkJ/JOoCU8ZbgD4RLtLZ
-C20Yhqwh1nfZSKlPo1sd86U2ZNZNH0a38zUQ9XtFOt2kGNu9o07DEJsZhOWWlZtd
-51ZyqyeFaRTc4V42zWnKc8CCB338fo0u+8vJeS6XNkMPFpRFDr3TCWvZ4AP+KgAQ
-m5c48FMRXo165qG+LjKp/2NPoMbqNbhZ5KtDokjAGggRvmzDAgMBAAGjggNyMIID
-bjAfBgNVHSMEGDAWgBQPgGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUOE25
-xq19bGjCX3XXG27LpumeOq0wNQYDVR0RBC4wLIIScmV2b2tlZC5iYWRzc2wuY29t
-ghZ3d3cucmV2b2tlZC5iYWRzc2wuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE
-FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2gK4YpaHR0cDov
-L2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwL6AtoCuGKWh0dHA6
-Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMEwGA1UdIARFMEMw
-NwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0
-LmNvbS9DUFMwCAYGZ4EMAQIDMHwGCCsGAQUFBwEBBHAwbjAkBggrBgEFBQcwAYYY
-aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEYGCCsGAQUFBzAChjpodHRwOi8vY2Fj
-ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0
-MAwGA1UdEwEB/wQCMAAwggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB1AKS5CZC0
-GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABbZjwwc8AAAQDAEYwRAIgWPi8
-7t5MzJnvLDJGmCppeQwyHa1VkvAG811Mg19KbcsCIDpbsejn8Feo/pD1g3xUHm9y
-2a5K3ZT2qOI+FfwaNcm7AHYAh3W/51l8+IxDmV+9827/Vo1HVjb/SrVgwbTq/16g
-gw8AAAFtmPDCOgAABAMARzBFAiEAmciNTmK3x9F52b+jyQonojj5PR3UTX7I1EY2
-yrbyDVsCIDhrUCuwgpjKzdEkKXC8pTrPT750awtW28nCTZLaCVb1AHYARJRlLrDu
-zq/EQAfYqP4owNrmgr7YyzG1P9MzlrW2gagAAAFtmPDBQQAABAMARzBFAiEAwXnV
-kwbWLzukEmOVbs8IQHiQaERcC3RD7IrKHt4dUvMCIFfUv6IL18E/ROuuFQYDwZrv
-DpbCjJdvFw9Cb++GhzzBMA0GCSqGSIb3DQEBCwUAA4IBAQAXzncD0qMluMFZDLOx
-Pzev4B56a0EW7X5YJnyy32UVms+VAp5TDDN1kAxmphecVWRc5DpEn+acXM3hHzx0
-hBfbYYpAANy96MRgGg3qYIN14OV8QzGIIxCRVDzH3f7kQR1bgZvCQC6fs3JnRJ8l
-OhCFNnktylrwV1p48DxxBULjI1oYtXKikEdxs7ZgulOIoVFCSPtzF+MeSwyqYv8I
-OCMAvbctgnsuo0eekLyVlJOTe7Cw+hjz5nYX5yCc2wFu0vlL0kw8d6DaS1isZBZ5
-p7fCfVZfW4WLJdgxYgATKoTkxVFpcTOr4TodGE3G8fOu6G/BknS9r3g5pLpWaNc6
-NtqK
------END CERTIFICATE-----

-----------------------------------------------------------------------


hooks/post-receive
-- 
rt

