| #!/usr/bin/env bash |
| |
| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| |
| # Run a simple test over SSL |
| |
| source env.sh |
| |
| #set -x |
| |
| CONFIG=$(dirname $0)/qpidd-empty.conf |
| TEST_CERT_DIR=`pwd`/test_cert_dir |
| CERT_DB=${TEST_CERT_DIR}/test_cert_db |
| CERT_PW_FILE=`pwd`/cert.password |
| TEST_HOSTNAME=127.0.0.1 |
| TEST_CLIENT_CERT=rumplestiltskin |
| CA_PEM_FILE=${TEST_CERT_DIR}/ca_cert.pem |
| OTHER_CA_CERT_DB=${TEST_CERT_DIR}/x_ca_cert_db |
| OTHER_CA_PEM_FILE=${TEST_CERT_DIR}/other_ca_cert.pem |
| PY_PING_BROKER=$SOURCE_DIR/src/tests/ping_broker |
| COUNT=10 |
| |
| if [[ -a $AMQP_LIB ]] ; then |
| MODULES="--load-module $AMQP_LIB" |
| fi |
| |
| trap cleanup EXIT |
| |
| error() { echo $*; exit 1; } |
| |
| # create the test certificate database |
| # $1 = string used as Subject in server's certificate |
| # $2 = string used as SubjectAlternateName (SAN) in server's certificate |
| create_certs() { |
| |
| local CERT_SUBJECT=${1:-"CN=${TEST_HOSTNAME},O=MyCo,ST=Massachusetts,C=US"} |
| local CERT_SAN=${2:-"*.server.com"} |
| |
| mkdir -p ${TEST_CERT_DIR} |
| rm -rf ${TEST_CERT_DIR}/* |
| |
| # Set Up a CA with a self-signed Certificate |
| # |
| mkdir -p ${CERT_DB} |
| certutil -N -d ${CERT_DB} -f ${CERT_PW_FILE} |
| certutil -S -d ${CERT_DB} -n "Test-CA" -s "CN=Test-CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1 |
| certutil -L -d ${CERT_DB} -n "Test-CA" -a -o ${CERT_DB}/rootca.crt -f ${CERT_PW_FILE} |
| #certutil -L -d ${CERT_DB} -f ${CERT_PW_FILE} |
| |
| # create server certificate signed by Test-CA |
| # |
| certutil -R -d ${CERT_DB} -s "${CERT_SUBJECT}" -o ${TEST_CERT_DIR}/server.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1 |
| certutil -C -d ${CERT_DB} -c "Test-CA" -8 "${CERT_SAN}" -i ${TEST_CERT_DIR}/server.req -o ${TEST_CERT_DIR}/server.crt -f ${CERT_PW_FILE} -m ${RANDOM} |
| certutil -A -d ${CERT_DB} -n ${TEST_HOSTNAME} -i ${TEST_CERT_DIR}/server.crt -t "Pu,," |
| |
| # create a certificate to identify the client |
| # |
| certutil -R -d ${CERT_DB} -s "CN=${TEST_CLIENT_CERT}" -o ${TEST_CERT_DIR}/client.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1 |
| certutil -C -d ${CERT_DB} -c "Test-CA" -8 "*.client.com" -i ${TEST_CERT_DIR}/client.req -o ${TEST_CERT_DIR}/client.crt -f ${CERT_PW_FILE} -m ${RANDOM} |
| certutil -A -d ${CERT_DB} -n ${TEST_CLIENT_CERT} -i ${TEST_CERT_DIR}/client.crt -t "Pu,," |
| ### |
| #certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE} |
| #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil |
| #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_CLIENT_CERT} -s "CN=${TEST_CLIENT_CERT}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil |
| |
| # Set up a separate DB with its own CA for testing failure to validate scenario |
| # |
| mkdir -p ${OTHER_CA_CERT_DB} |
| certutil -N -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE} |
| certutil -S -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -s "CN=Another Test CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1 |
| certutil -L -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -a -o ${OTHER_CA_CERT_DB}/rootca.crt -f ${CERT_PW_FILE} |
| #certutil -L -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE} |
| } |
| |
| delete_certs() { |
| if [[ -e ${TEST_CERT_DIR} ]] ; then |
| rm -rf ${TEST_CERT_DIR} |
| fi |
| } |
| |
| # Don't need --no-module-dir or --no-data-dir as they are set as env vars in env.sh |
| COMMON_OPTS="--daemon --config $CONFIG --ssl-cert-db $CERT_DB --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME" |
| |
| # Start new brokers: |
| # $1 must be integer |
| # $2 = extra opts |
| # Append used ports to PORTS variable |
| start_brokers() { |
| local -a ports |
| for (( i=0; $i<$1; i++)) do |
| ports[$i]=$(qpidd --port 0 --interface 127.0.0.1 $COMMON_OPTS $2) || error "Could not start broker $i" |
| done |
| PORTS=( ${PORTS[@]} ${ports[@]} ) |
| } |
| |
| # Stop single broker: |
| # $1 is number of broker to stop (0 based) |
| stop_broker() { |
| qpidd -qp ${PORTS[$1]} |
| |
| # Remove from ports array |
| unset PORTS[$1] |
| } |
| |
| stop_brokers() { |
| for port in "${PORTS[@]}"; |
| do |
| qpidd -qp $port |
| done |
| PORTS=() |
| } |
| |
| pick_port() { |
| # We need a fixed port to set --cluster-url. Use qpidd to pick a free port. |
| PICK=`qpidd --no-module-dir --listen-disable ssl -dp0` |
| qpidd --no-module-dir -qp $PICK |
| echo $PICK |
| } |
| |
| cleanup() { |
| stop_brokers |
| delete_certs |
| rm -f ${CERT_PW_FILE} |
| } |
| |
| start_ssl_broker() { |
| start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --auth no $MODULES" |
| } |
| |
| start_ssl_mux_broker() { |
| qpidd $COMMON_OPTS --port $1 --ssl-port $1 --auth no |
| PORTS=( ${PORTS[@]} $1 ) |
| } |
| |
| sasl_config_dir=$BUILD_DIR/src/tests/sasl_config |
| |
| start_authenticating_broker() { |
| start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --ssl-sasl-no-dict --ssl-require-client-authentication --auth yes --sasl-config=${sasl_config_dir} $MODULES" |
| } |
| |
| ssl_cluster_broker() { # $1 = port |
| start_brokers 1 "--ssl-port $1 --auth no --load-module $CLUSTER_LIB --cluster-name ssl_test.$HOSTNAME.$$ --cluster-url amqp:ssl:$TEST_HOSTNAME:$1" |
| |
| # Wait for broker to be ready |
| qpid-ping -Pssl -b $TEST_HOSTNAME:$1 -q || { echo "Cannot connect to broker on $1"; exit 1; } |
| } |
| |
| CERTUTIL=$(type -p certutil) |
| if [[ !(-x $CERTUTIL) ]] ; then |
| echo "No certutil, skipping ssl test"; |
| exit 0; |
| fi |
| |
| if [[ !(-e ${CERT_PW_FILE}) ]] ; then |
| echo password > ${CERT_PW_FILE} |
| fi |
| delete_certs |
| create_certs || error "Could not create test certificate database" |
| |
| start_ssl_broker |
| PORT=${PORTS[0]} |
| echo "Running SSL test on port $PORT" |
| export QPID_NO_MODULE_DIR=1 |
| export QPID_SSL_CERT_DB=${CERT_DB} |
| export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE} |
| |
| ## Test connection via connection settings |
| qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary |
| |
| ## Test connection with a URL |
| URL=amqp:ssl:$TEST_HOSTNAME:$PORT |
| qpid-send -b $URL --content-string=hello -a "foo;{create:always}" |
| MSG=`qpid-receive -b $URL -a "foo;{create:always}" --messages 1` |
| test "$MSG" = "hello" || { echo "receive failed '$MSG' != 'hello'"; exit 1; } |
| |
| if [[ -a $AMQP_LIB ]] ; then |
| echo "Testing ssl over AMQP 1.0" |
| qpid-send --connection-options '{protocol:amqp1.0}' -b $URL --content-string=hello -a "foo;{create:always}" |
| MSG=`qpid-receive --connection-options '{protocol:amqp1.0}' -b $URL -a "foo;{create:always}" --messages 1` |
| test "$MSG" = "hello" || { echo "receive failed for AMQP 1.0 '$MSG' != 'hello'"; exit 1; } |
| fi |
| |
| ## Test connection with a combination of URL and connection options (in messaging API) |
| URL=$TEST_HOSTNAME:$PORT |
| qpid-send -b $URL --connection-options '{transport:ssl,heartbeat:2}' --content-string='hello again' -a "foo;{create:always}" |
| MSG=`qpid-receive -b $URL --connection-options '{transport:ssl,heartbeat:2}' -a "foo;{create:always}" --messages 1` |
| test "$MSG" = "hello again" || { echo "receive failed '$MSG' != 'hello again'"; exit 1; } |
| |
| ## Test using the Python client |
| if test -d $PYTHON_DIR; then |
| echo "Testing Non-Authenticating with Python Client..." |
| URL=amqps://$TEST_HOSTNAME:$PORT |
| if `$PY_PING_BROKER -b $URL`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi |
| else |
| echo "Skipping python part of ssl_test, no python dir." |
| fi |
| |
| #### Client Authentication tests |
| |
| start_authenticating_broker |
| PORT2=${PORTS[1]} |
| echo "Running SSL client authentication test on port $PORT2" |
| URL=amqp:ssl:$TEST_HOSTNAME:$PORT2 |
| |
| ## See if you can set the SSL cert-name for the connection |
| qpid-send -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" --content-string=hello -a "bar;{create:always}" |
| MSG2=`qpid-receive -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" -a "bar;{create:always}" --messages 1` |
| test "$MSG2" = "hello" || { echo "receive failed '$MSG2' != 'hello'"; exit 1; } |
| |
| |
| ## Make sure that connect fails with an invalid SSL cert-name |
| qpid-send -b $URL --connection-options "{ssl-cert-name: pignose }" --content-string=hello -a "baz;{create:always}" 2>/dev/null 1>/dev/null |
| MSG3=`qpid-receive -b $URL --connection-options "{ssl-cert-name: pignose }" -a "baz;{create:always}" --messages 1 2>/dev/null` |
| test "$MSG3" = "" || { echo "receive succeeded without valid ssl cert '$MSG3' != ''"; exit 1; } |
| |
| ## Set the userid in the message to the authenticated username |
| ./qpid-send -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" --auto-user-id true --content-string=hello -a "bar;{create:always}" |
| RECEIVED_USER=`./qpid-receive -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" -a "bar;{create:always}" --messages 1 --print-headers true | awk '/UserId/{print $2}'` |
| test "$RECEIVED_USER" = $TEST_CLIENT_CERT || { echo "user id not as expected: $RECEIVED_USER"; exit 1; } |
| |
| stop_brokers |
| |
| # Test ssl muxed with plain TCP on the same connection |
| |
| # Test a specified port number - since tcp/ssl are the same port don't need to specify --transport ssl |
| PORT=`pick_port` |
| start_ssl_mux_broker $PORT || error "Could not start broker" |
| echo "Running SSL/TCP mux test on fixed port $PORT" |
| |
| ## Test connection via connection settings |
| qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!" |
| qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!" |
| |
| # Test a broker chosen port - since ssl chooses port need to use --transport ssl here |
| start_ssl_broker |
| PORT=${PORTS[0]} |
| echo "Running SSL/TCP mux test on random port $PORT" |
| |
| ## Test connection via connection settings |
| qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!" |
| qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!" |
| |
| stop_brokers |
| |
| ### Additional tests that require 'openssl' and 'pk12util' to be installed (optional) |
| |
| PK12UTIL=$(type -p pk12util) |
| if [[ !(-x $PK12UTIL) ]] ; then |
| echo >&2 "'pk12util' command not available, skipping remaining tests" |
| exit 0 |
| fi |
| |
| OPENSSL=$(type -p openssl) |
| if [[ !(-x $OPENSSL) ]] ; then |
| echo >&2 "'openssl' command not available, skipping remaining tests" |
| exit 0 |
| fi |
| |
| ## verify python version > 2.5 (only 2.6+ does certificate checking) |
| PY_VERSION=$(python -c "import sys; print hex(sys.hexversion)") |
| if (( PY_VERSION < 0x02060000 )); then |
| echo >&2 "Detected python version < 2.6 - skipping certificate verification tests" |
| exit 0 |
| fi |
| |
| echo "Testing Certificate validation and Authentication with the Python Client..." |
| |
| # extract the CA's certificate as a PEM file |
| get_ca_certs() { |
| $PK12UTIL -o ${TEST_CERT_DIR}/CA_pk12.out -d ${CERT_DB} -n "Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null |
| $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/CA_pk12.out -out ${CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null |
| $PK12UTIL -o ${TEST_CERT_DIR}/other_CA_pk12.out -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null |
| $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null |
| } |
| |
| get_ca_certs || error "Could not extract CA certificates as PEM files" |
| start_ssl_broker |
| PORT=${PORTS[0]} |
| URL=amqps://$TEST_HOSTNAME:$PORT |
| # verify the python client can authenticate the broker using the CA |
| if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi |
| # verify the python client fails to authenticate the broker when using the other CA |
| if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${OTHER_CA_PEM_FILE} > /dev/null 2>&1`; then { echo " Failed"; exit 1; }; else echo " Passed"; fi |
| stop_brokers |
| |
| # create a certificate without matching TEST_HOSTNAME, should fail to verify |
| |
| create_certs "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create server test certificate" |
| get_ca_certs || error "Could not extract CA certificates as PEM files" |
| start_ssl_broker |
| PORT=${PORTS[0]} |
| URL=amqps://$TEST_HOSTNAME:$PORT |
| if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} > /dev/null 2>&1`; then { echo " Failed"; exit 1; }; else echo " Passed"; fi |
| # but disabling the check for the hostname should pass |
| if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} --ssl-skip-hostname-check`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi |
| stop_brokers |
| |
| # test SubjectAltName parsing |
| |
| if (( PY_VERSION >= 0x02070300 )); then |
| # python 2.7.3+ supports SubjectAltName extraction |
| # create a certificate with TEST_HOSTNAME only in SAN, should verify OK |
| create_certs "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || error "Could not create server test certificate" |
| get_ca_certs || error "Could not extract CA certificates as PEM files" |
| start_ssl_broker |
| PORT=${PORTS[0]} |
| URL=amqps://$TEST_HOSTNAME:$PORT |
| if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi |
| stop_brokers |
| |
| create_certs "O=MyCo" "*${TEST_HOSTNAME}" || error "Could not create server test certificate" |
| get_ca_certs || error "Could not extract CA certificates as PEM files" |
| start_ssl_broker |
| PORT=${PORTS[0]} |
| URL=amqps://$TEST_HOSTNAME:$PORT |
| if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi |
| stop_brokers |
| fi |