Google Git
Sign in
apache / qpid-cpp / 3475d7e3bc0405fc16fa37020773ed1b70702540 / . / src / tests / ssl_test
blob: 7c85087ad1a708ef09d19cff76640ca4db177e3b [file] [log] [blame]
#!/usr/bin/env bash
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# Run a simple test over SSL
source env.sh
#set -x
CONFIG=$(dirname $0)/qpidd-empty.conf
TEST_CERT_DIR=`pwd`/test_cert_dir
CERT_DB=${TEST_CERT_DIR}/test_cert_db
CERT_PW_FILE=`pwd`/cert.password
TEST_HOSTNAME=127.0.0.1
TEST_CLIENT_CERT=rumplestiltskin
CA_PEM_FILE=${TEST_CERT_DIR}/ca_cert.pem
OTHER_CA_CERT_DB=${TEST_CERT_DIR}/x_ca_cert_db
OTHER_CA_PEM_FILE=${TEST_CERT_DIR}/other_ca_cert.pem
PY_PING_BROKER=$SOURCE_DIR/src/tests/ping_broker
COUNT=10
if [[ -a $AMQP_LIB ]] ; then
MODULES="--load-module $AMQP_LIB"
fi
trap cleanup EXIT
error() { echo $*; exit 1; }
# create the test certificate database
# $1 = string used as Subject in server's certificate
# $2 = string used as SubjectAlternateName (SAN) in server's certificate
create_certs() {
local CERT_SUBJECT=${1:-"CN=${TEST_HOSTNAME},O=MyCo,ST=Massachusetts,C=US"}
local CERT_SAN=${2:-"*.server.com"}
mkdir -p ${TEST_CERT_DIR}
rm -rf ${TEST_CERT_DIR}/*
# Set Up a CA with a self-signed Certificate
#
mkdir -p ${CERT_DB}
certutil -N -d ${CERT_DB} -f ${CERT_PW_FILE}
certutil -S -d ${CERT_DB} -n "Test-CA" -s "CN=Test-CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
certutil -L -d ${CERT_DB} -n "Test-CA" -a -o ${CERT_DB}/rootca.crt -f ${CERT_PW_FILE}
#certutil -L -d ${CERT_DB} -f ${CERT_PW_FILE}
# create server certificate signed by Test-CA
#
certutil -R -d ${CERT_DB} -s "${CERT_SUBJECT}" -o ${TEST_CERT_DIR}/server.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
certutil -C -d ${CERT_DB} -c "Test-CA" -8 "${CERT_SAN}" -i ${TEST_CERT_DIR}/server.req -o ${TEST_CERT_DIR}/server.crt -f ${CERT_PW_FILE} -m ${RANDOM}
certutil -A -d ${CERT_DB} -n ${TEST_HOSTNAME} -i ${TEST_CERT_DIR}/server.crt -t "Pu,,"
# create a certificate to identify the client
#
certutil -R -d ${CERT_DB} -s "CN=${TEST_CLIENT_CERT}" -o ${TEST_CERT_DIR}/client.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
certutil -C -d ${CERT_DB} -c "Test-CA" -8 "*.client.com" -i ${TEST_CERT_DIR}/client.req -o ${TEST_CERT_DIR}/client.crt -f ${CERT_PW_FILE} -m ${RANDOM}
certutil -A -d ${CERT_DB} -n ${TEST_CLIENT_CERT} -i ${TEST_CERT_DIR}/client.crt -t "Pu,,"
###
#certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE}
#certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
#certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_CLIENT_CERT} -s "CN=${TEST_CLIENT_CERT}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
# Set up a separate DB with its own CA for testing failure to validate scenario
#
mkdir -p ${OTHER_CA_CERT_DB}
certutil -N -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE}
certutil -S -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -s "CN=Another Test CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
certutil -L -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -a -o ${OTHER_CA_CERT_DB}/rootca.crt -f ${CERT_PW_FILE}
#certutil -L -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE}
}
delete_certs() {
if [[ -e ${TEST_CERT_DIR} ]] ; then
rm -rf ${TEST_CERT_DIR}
fi
}
# Don't need --no-module-dir or --no-data-dir as they are set as env vars in env.sh
COMMON_OPTS="--daemon --config $CONFIG --ssl-cert-db $CERT_DB --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME"
# Start new brokers:
# $1 must be integer
# $2 = extra opts
# Append used ports to PORTS variable
start_brokers() {
local -a ports
for (( i=0; $i<$1; i++)) do
ports[$i]=$(qpidd --port 0 --interface 127.0.0.1 $COMMON_OPTS $2) || error "Could not start broker $i"
done
PORTS=( ${PORTS[@]} ${ports[@]} )
}
# Stop single broker:
# $1 is number of broker to stop (0 based)
stop_broker() {
qpidd -qp ${PORTS[$1]}
# Remove from ports array
unset PORTS[$1]
}
stop_brokers() {
for port in "${PORTS[@]}";
do
qpidd -qp $port
done
PORTS=()
}
pick_port() {
# We need a fixed port to set --cluster-url. Use qpidd to pick a free port.
PICK=`qpidd --no-module-dir --listen-disable ssl -dp0`
qpidd --no-module-dir -qp $PICK
echo $PICK
}
cleanup() {
stop_brokers
delete_certs
rm -f ${CERT_PW_FILE}
}
start_ssl_broker() {
start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --auth no $MODULES"
}
start_ssl_mux_broker() {
qpidd $COMMON_OPTS --port $1 --ssl-port $1 --auth no
PORTS=( ${PORTS[@]} $1 )
}
sasl_config_dir=$BUILD_DIR/src/tests/sasl_config
start_authenticating_broker() {
start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --ssl-sasl-no-dict --ssl-require-client-authentication --auth yes --sasl-config=${sasl_config_dir} $MODULES"
}
ssl_cluster_broker() { # $1 = port
start_brokers 1 "--ssl-port $1 --auth no --load-module $CLUSTER_LIB --cluster-name ssl_test.$HOSTNAME.$$ --cluster-url amqp:ssl:$TEST_HOSTNAME:$1"
# Wait for broker to be ready
qpid-ping -Pssl -b $TEST_HOSTNAME:$1 -q || { echo "Cannot connect to broker on $1"; exit 1; }
}
CERTUTIL=$(type -p certutil)
if [[ !(-x $CERTUTIL) ]] ; then
echo "No certutil, skipping ssl test";
exit 0;
fi
if [[ !(-e ${CERT_PW_FILE}) ]] ; then
echo password > ${CERT_PW_FILE}
fi
delete_certs
create_certs || error "Could not create test certificate database"
start_ssl_broker
PORT=${PORTS[0]}
echo "Running SSL test on port $PORT"
export QPID_NO_MODULE_DIR=1
export QPID_SSL_CERT_DB=${CERT_DB}
export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE}
## Test connection via connection settings
qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary
## Test connection with a URL
URL=amqp:ssl:$TEST_HOSTNAME:$PORT
qpid-send -b $URL --content-string=hello -a "foo;{create:always}"
MSG=`qpid-receive -b $URL -a "foo;{create:always}" --messages 1`
test "$MSG" = "hello" || { echo "receive failed '$MSG' != 'hello'"; exit 1; }
if [[ -a $AMQP_LIB ]] ; then
echo "Testing ssl over AMQP 1.0"
qpid-send --connection-options '{protocol:amqp1.0}' -b $URL --content-string=hello -a "foo;{create:always}"
MSG=`qpid-receive --connection-options '{protocol:amqp1.0}' -b $URL -a "foo;{create:always}" --messages 1`
test "$MSG" = "hello" || { echo "receive failed for AMQP 1.0 '$MSG' != 'hello'"; exit 1; }
fi
## Test connection with a combination of URL and connection options (in messaging API)
URL=$TEST_HOSTNAME:$PORT
qpid-send -b $URL --connection-options '{transport:ssl,heartbeat:2}' --content-string='hello again' -a "foo;{create:always}"
MSG=`qpid-receive -b $URL --connection-options '{transport:ssl,heartbeat:2}' -a "foo;{create:always}" --messages 1`
test "$MSG" = "hello again" || { echo "receive failed '$MSG' != 'hello again'"; exit 1; }
## Test using the Python client
if test -d $PYTHON_DIR; then
echo "Testing Non-Authenticating with Python Client..."
URL=amqps://$TEST_HOSTNAME:$PORT
if `$PY_PING_BROKER -b $URL`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
else
echo "Skipping python part of ssl_test, no python dir."
fi
#### Client Authentication tests
start_authenticating_broker
PORT2=${PORTS[1]}
echo "Running SSL client authentication test on port $PORT2"
URL=amqp:ssl:$TEST_HOSTNAME:$PORT2
## See if you can set the SSL cert-name for the connection
qpid-send -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" --content-string=hello -a "bar;{create:always}"
MSG2=`qpid-receive -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" -a "bar;{create:always}" --messages 1`
test "$MSG2" = "hello" || { echo "receive failed '$MSG2' != 'hello'"; exit 1; }
## Make sure that connect fails with an invalid SSL cert-name
qpid-send -b $URL --connection-options "{ssl-cert-name: pignose }" --content-string=hello -a "baz;{create:always}" 2>/dev/null 1>/dev/null
MSG3=`qpid-receive -b $URL --connection-options "{ssl-cert-name: pignose }" -a "baz;{create:always}" --messages 1 2>/dev/null`
test "$MSG3" = "" || { echo "receive succeeded without valid ssl cert '$MSG3' != ''"; exit 1; }
## Set the userid in the message to the authenticated username
./qpid-send -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" --auto-user-id true --content-string=hello -a "bar;{create:always}"
RECEIVED_USER=`./qpid-receive -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" -a "bar;{create:always}" --messages 1 --print-headers true | awk '/UserId/{print $2}'`
test "$RECEIVED_USER" = $TEST_CLIENT_CERT || { echo "user id not as expected: $RECEIVED_USER"; exit 1; }
stop_brokers
# Test ssl muxed with plain TCP on the same connection
# Test a specified port number - since tcp/ssl are the same port don't need to specify --transport ssl
PORT=`pick_port`
start_ssl_mux_broker $PORT || error "Could not start broker"
echo "Running SSL/TCP mux test on fixed port $PORT"
## Test connection via connection settings
qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!"
qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!"
# Test a broker chosen port - since ssl chooses port need to use --transport ssl here
start_ssl_broker
PORT=${PORTS[0]}
echo "Running SSL/TCP mux test on random port $PORT"
## Test connection via connection settings
qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!"
qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!"
stop_brokers
### Additional tests that require 'openssl' and 'pk12util' to be installed (optional)
PK12UTIL=$(type -p pk12util)
if [[ !(-x $PK12UTIL) ]] ; then
echo >&2 "'pk12util' command not available, skipping remaining tests"
exit 0
fi
OPENSSL=$(type -p openssl)
if [[ !(-x $OPENSSL) ]] ; then
echo >&2 "'openssl' command not available, skipping remaining tests"
exit 0
fi
## verify python version > 2.5 (only 2.6+ does certificate checking)
PY_VERSION=$(python -c "import sys; print hex(sys.hexversion)")
if (( PY_VERSION < 0x02060000 )); then
echo >&2 "Detected python version < 2.6 - skipping certificate verification tests"
exit 0
fi
echo "Testing Certificate validation and Authentication with the Python Client..."
# extract the CA's certificate as a PEM file
get_ca_certs() {
$PK12UTIL -o ${TEST_CERT_DIR}/CA_pk12.out -d ${CERT_DB} -n "Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
$OPENSSL pkcs12 -in ${TEST_CERT_DIR}/CA_pk12.out -out ${CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null
$PK12UTIL -o ${TEST_CERT_DIR}/other_CA_pk12.out -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
$OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null
}
get_ca_certs || error "Could not extract CA certificates as PEM files"
start_ssl_broker
PORT=${PORTS[0]}
URL=amqps://$TEST_HOSTNAME:$PORT
# verify the python client can authenticate the broker using the CA
if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
# verify the python client fails to authenticate the broker when using the other CA
if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${OTHER_CA_PEM_FILE} > /dev/null 2>&1`; then { echo " Failed"; exit 1; }; else echo " Passed"; fi
stop_brokers
# create a certificate without matching TEST_HOSTNAME, should fail to verify
create_certs "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create server test certificate"
get_ca_certs || error "Could not extract CA certificates as PEM files"
start_ssl_broker
PORT=${PORTS[0]}
URL=amqps://$TEST_HOSTNAME:$PORT
if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} > /dev/null 2>&1`; then { echo " Failed"; exit 1; }; else echo " Passed"; fi
# but disabling the check for the hostname should pass
if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} --ssl-skip-hostname-check`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
stop_brokers
# test SubjectAltName parsing
if (( PY_VERSION >= 0x02070300 )); then
# python 2.7.3+ supports SubjectAltName extraction
# create a certificate with TEST_HOSTNAME only in SAN, should verify OK
create_certs "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || error "Could not create server test certificate"
get_ca_certs || error "Could not extract CA certificates as PEM files"
start_ssl_broker
PORT=${PORTS[0]}
URL=amqps://$TEST_HOSTNAME:$PORT
if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
stop_brokers
create_certs "O=MyCo" "*${TEST_HOSTNAME}" || error "Could not create server test certificate"
get_ca_certs || error "Could not extract CA certificates as PEM files"
start_ssl_broker
PORT=${PORTS[0]}
URL=amqps://$TEST_HOSTNAME:$PORT
if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi
stop_brokers
fi