
Add tests for PREFERRED_CHAIN

pull/640/head
Tim Kimber 5 years ago
parent
commit
fa89d7bfed
No known key found for this signature in database GPG Key ID: 3E1804964E76BD18
2 changed files with 96 additions and 0 deletions
  1. +1
    -0
      docker-compose.yml
  2. +95
    -0
      test/35-preferred-chain.bats

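--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,7 @@ services:
 environment:
 # with Go 1.13.x which defaults TLS 1.3 to on
 GODEBUG: "tls13=1"
+PEBBLE_ALTERNATE_ROOTS: 2
 ports:
 - 14000:14000 # HTTPS ACME API
 - 15000:15000 # HTTPS Management API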
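Review bot: The added `PEBBLE_ALTERNATE_ROOTS: 2` has no comment, although the `GODEBUG` entry above it is explained and the value is coupled to the new test file, which fetches `https://pebble:15000/roots/2`. Presumably that root index is only served when at least two alternate roots are configured, so lowering the number later would break the tests without an obvious cause. Suggest a line above it such as `# test/35-preferred-chain.bats reads /roots/0 and /roots/2 from the management API`. The services block starts outside the hunk.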


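--- a/test/35-preferred-chain.bats
+++ b/test/35-preferred-chain.bats
@@ -0,0 +1,95 @@
+#! /usr/bin/env bats
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+# This is run for every test
+setup() {
+if [ -z "$STAGING" ]; then
+export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+fi
+}
+@test "Use PREFERRED_CHAIN to select an alternate root" {
+if [ -n "$STAGING" ]; then
+PREFERRED_CHAIN="Fake LE Root X2"
+else
+PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | cut -d= -f2)
+PREFERRED_CHAIN="${PREFERRED_CHAIN# }" # remove leading whitespace
+fi
+CONFIG_FILE="getssl-dns01.cfg"
+setup_environment
+init_getssl
+cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+PREFERRED_CHAIN="${PREFERRED_CHAIN}"
+EOF
+create_certificate
+assert_success
+check_output_for_errors
+issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | cut -d= -f2)
+# verify certificate is issued by preferred chain root
+[ "$PREFERRED_CHAIN" = "$issuer" ]
+}
+@test "Use PREFERRED_CHAIN to select the default root" {
+if [ -n "$STAGING" ]; then
+PREFERRED_CHAIN="Fake LE Root X1"
+else
+PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/0 | openssl x509 -text -noout | grep Issuer: | cut -d= -f2 )
+PREFERRED_CHAIN="${PREFERRED_CHAIN# }" # remove leading whitespace
+fi
+CONFIG_FILE="getssl-dns01.cfg"
+setup_environment
+init_getssl
+cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+PREFERRED_CHAIN="${PREFERRED_CHAIN}"
+EOF
+create_certificate
+assert_success
+check_output_for_errors
+issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | cut -d= -f2)
+# verify certificate is issued by preferred chain root
+[ "$PREFERRED_CHAIN" = "$issuer" ]
+}
+@test "Use PREFERRED_CHAIN to select an alternate root by suffix" {
+if [ -n "$STAGING" ]; then
+FULL_PREFERRED_CHAIN="Fake LE Root X2"
+else
+FULL_PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | cut -d= -f2)
+FULL_PREFERRED_CHAIN="${FULL_PREFERRED_CHAIN# }" # remove leading whitespace
+fi
+# Take the last word from FULL_PREFERRED_CHAIN as the chain to use
+PREFERRED_CHAIN="${FULL_PREFERRED_CHAIN##* }"
+CONFIG_FILE="getssl-dns01.cfg"
+setup_environment
+init_getssl
+cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+PREFERRED_CHAIN="${PREFERRED_CHAIN}"
+EOF
+create_certificate
+assert_success
+check_output_for_errors
+issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | cut -d= -f2)
+# verify certificate is issued by preferred chain root
+echo "# ${issuer}"
+echo "# ${FULL_PREFERRED_CHAIN}"
+[ "$FULL_PREFERRED_CHAIN" = "$issuer" ]
+}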
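Review bot: In all three tests the non-staging branch fills the expected root name from `curl --silent https://pebble:15000/roots/N | openssl x509 … | grep | cut` with no failure check, so an unreachable management API or a missing root index yields an empty string that is still written to getssl_test_specific.cfg and only shows up later as an unexplained mismatch at the final `[ … = "$issuer" ]`. Adding `--fail` to the curl calls and asserting `[ -n "$PREFERRED_CHAIN" ]` (`$FULL_PREFERRED_CHAIN` in the third test) before `setup_environment` would make the failure point at its cause. The name taken from the certificate is also expanded unescaped inside the here-document; if getssl loads that file as shell, a name containing a quote or `$` would change what is loaded, so a comment noting that only the Pebble and staging root names are expected there would help. The leading space is stripped from the expected value but not from `issuer`, which seems to rely on `openssl x509` and `openssl pkcs7` printing the name differently and deserves a one-line comment. The redirect target `${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg` should be quoted like the `-certfile` argument is.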
