From fa89d7bfedd6448860196aa966ad623ea45ac9cf Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Fri, 12 Feb 2021 16:06:51 +0000
Subject: [PATCH] Add tests for PREFERRED_CHAIN
---
 docker-compose.yml | 1 +
 test/35-preferred-chain.bats | 95 ++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
 create mode 100644 test/35-preferred-chain.bats
diff --git a/docker-compose.yml b/docker-compose.yml
index ec5c24a..f2b1489 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,7 @@ services:
 environment:
 # with Go 1.13.x which defaults TLS 1.3 to on
 GODEBUG: "tls13=1"
+ PEBBLE_ALTERNATE_ROOTS: 2
 ports:
 - 14000:14000 # HTTPS ACME API
 - 15000:15000 # HTTPS Management API
diff --git a/test/35-preferred-chain.bats b/test/35-preferred-chain.bats
new file mode 100644
index 0000000..4389d3b
--- /dev/null
+++ b/test/35-preferred-chain.bats
@@ -0,0 +1,95 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ fi
+}
+
+
+@test "Use PREFERRED_CHAIN to select an alternate root" {
+ if [ -n "$STAGING" ]; then
+ PREFERRED_CHAIN="Fake LE Root X2"
+ else
+ PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | cut -d= -f2)
+ PREFERRED_CHAIN="${PREFERRED_CHAIN# }" # remove leading whitespace
+ fi
+
+ CONFIG_FILE="getssl-dns01.cfg"
+ setup_environment
+ init_getssl
+
+ cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+PREFERRED_CHAIN="${PREFERRED_CHAIN}"
+EOF
+
+ create_certificate
+ assert_success
+ check_output_for_errors
+
+ issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | cut -d= -f2)
+ # verify certificate is issued by preferred chain root
+ [ "$PREFERRED_CHAIN" = "$issuer" ]
+}
+
+
+@test "Use PREFERRED_CHAIN to select the default root" {
+ if [ -n "$STAGING" ]; then
+ PREFERRED_CHAIN="Fake LE Root X1"
+ else
+ PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/0 | openssl x509 -text -noout | grep Issuer: | cut -d= -f2 )
+ PREFERRED_CHAIN="${PREFERRED_CHAIN# }" # remove leading whitespace
+ fi
+
+ CONFIG_FILE="getssl-dns01.cfg"
+ setup_environment
+ init_getssl
+
+ cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+PREFERRED_CHAIN="${PREFERRED_CHAIN}"
+EOF
+
+ create_certificate
+ assert_success
+ check_output_for_errors
+
+ issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | cut -d= -f2)
+ # verify certificate is issued by preferred chain root
+ [ "$PREFERRED_CHAIN" = "$issuer" ]
+}
+
+
+@test "Use PREFERRED_CHAIN to select an alternate root by suffix" {
+ if [ -n "$STAGING" ]; then
+ FULL_PREFERRED_CHAIN="Fake LE Root X2"
+ else
+ FULL_PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | cut -d= -f2)
+ FULL_PREFERRED_CHAIN="${FULL_PREFERRED_CHAIN# }" # remove leading whitespace
+ fi
+
+ # Take the last word from FULL_PREFERRED_CHAIN as the chain to use
+ PREFERRED_CHAIN="${FULL_PREFERRED_CHAIN##* }"
+ CONFIG_FILE="getssl-dns01.cfg"
+ setup_environment
+ init_getssl
+
+ cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+PREFERRED_CHAIN="${PREFERRED_CHAIN}"
+EOF
+
+ create_certificate
+ assert_success
+ check_output_for_errors
+
+ issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | cut -d= -f2)
+ # verify certificate is issued by preferred chain root
+ echo "# ${issuer}"
+ echo "# ${FULL_PREFERRED_CHAIN}"
+ [ "$FULL_PREFERRED_CHAIN" = "$issuer" ]
+}