Add client authentication tests

2017-01-04 15:40:07 -05:00 · 2017-01-04 15:40:07 -05:00 · 2189d3fa44
commit 2189d3fa44
parent 3ebf9c2765
3 changed files with 50 additions and 6 deletions
--- a/examples/utils.py
+++ b/examples/utils.py
@ -126,6 +126,7 @@ def process_connection(connection, my_socket):
            connection.close()
    return True

+
 # Map the send callback status to a string
 SEND_STATUS = {
    pyngus.SenderLink.ABORTED: "Aborted",
--- a/tests/unit_tests/connection.py
+++ b/tests/unit_tests/connection.py
@ -28,6 +28,7 @@ from string import Template
 from proton import Condition
 from proton import Message
 from proton import SSLUnavailable
+from proton import SSLException
 from proton import SASL
 import pyngus

@ -348,7 +349,9 @@ class APITest(common.Test):

    def _test_ssl(self,
                  server_password="server-password",
-                  server_dns="some.server.com"):
+                  server_dns="some.server.com",
+                  client_password=None,
+                  client_dns=None):

        def _testpath(file):
            """ Set the full path to the PEM files."""
@ -359,12 +362,21 @@ class APITest(common.Test):
                   "x-ssl-identity": (_testpath("server-certificate.pem"),
                                      _testpath("server-private-key.pem"),
                                      server_password)}
+        if client_dns:
+            s_props['x-ssl-ca-file'] = _testpath("ca-certificate.pem")
+            s_props['x-ssl-verify-mode'] = 'verify-peer'
+            s_props['x-ssl-peer-name'] = client_dns
+
        server = self.container1.create_connection("server",
                                                   properties=s_props)

        c_props = {"x-ssl-ca-file": _testpath("ca-certificate.pem"),
                   "x-ssl-verify-mode": "verify-peer",
                   "x-ssl-peer-name": server_dns}
+        if client_password:
+            c_props['x-ssl-identity'] = (_testpath("client-certificate.pem"),
+                                         _testpath("client-private-key.pem"),
+                                         client_password)
        client = self.container2.create_connection("client",
                                                   properties=c_props)
        server.open()
@ -384,7 +396,8 @@ class APITest(common.Test):
            assert False, "error expected!"
        except SSLUnavailable:
            raise common.Skipped("SSL not available.")
-        except Exception:
+        except SSLException:
+            # should fail to open the certificate
            pass

    def test_ssl_name_fail(self):
@ -393,7 +406,37 @@ class APITest(common.Test):
            assert False, "error expected!"
        except SSLUnavailable:
            raise common.Skipped("SSL not available.")
-        except Exception:
+        except AssertionError:
+            # connection setup should fail
+            pass
+
+    def test_ssl_client_auth_ok(self):
+        try:
+            self._test_ssl(client_password="client-password",
+                           client_dns="my.client.com")
+        except SSLUnavailable:
+            raise common.Skipped("SSL not available.")
+
+    def test_ssl_client_pw_fail(self):
+        try:
+            self._test_ssl(client_password="bad password",
+                           client_dns="my.client.com")
+            assert False, "error expected!"
+        except SSLUnavailable:
+            raise common.Skipped("SSL not available.")
+        except SSLException:
+            # should fail to open the certificate
+            pass
+
+    def test_ssl_client_name_fail(self):
+        try:
+            self._test_ssl(client_password="client-password",
+                           client_dns="my.Xclient.com")
+            assert False, "error expected!"
+        except SSLUnavailable:
+            raise common.Skipped("SSL not available.")
+        except AssertionError:
+            # connection setup should fail
            pass

    def test_io_input_close(self):
--- a/tests/unit_tests/ssl_db/setup_ssl.sh
+++ b/tests/unit_tests/ssl_db/setup_ssl.sh
@ -68,9 +68,9 @@ $OPENSSL pkcs12 -nocerts -passin pass:server-password -in server.pkcs12 -passout
 CLIENT_COMMON_NAME="my.client.com"
 # Create a certificate request for the client certificate.  Use the CA's certificate to sign it:
 $KEYTOOL -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -genkey  -dname "CN=$CLIENT_COMMON_NAME" -validity 99999
-keytool -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -certreq -file client-request.pem
-keytool -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile client-request.pem -outfile client-certificate.pem
-openssl pkcs12 -nocerts -passin pass:client-password -in client.pkcs12 -passout pass:client-password -out client-private-key.pem
+$KEYTOOL -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -certreq -file client-request.pem
+$KEYTOOL -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile client-request.pem -outfile client-certificate.pem
+$OPENSSL pkcs12 -nocerts -passin pass:client-password -in client.pkcs12 -passout pass:client-password -out client-private-key.pem

 # clean up all the unnecessary stuff
 rm *.pkcs12 *-request.pem