From 1a13096c55fa84cb1794cb24c0b7589af6f52d2d Mon Sep 17 00:00:00 2001
From: Xavier Guimard
Date: Fri, 16 Feb 2018 15:55:05 +0100
Subject: [PATCH] Add TESTUSESSL option for "start_web_server" (#1376)

---
 Makefile | 24 +++++++-
 e2e-tests/apache2.conf | 6 ++
 e2e-tests/cert.pem | 22 ++++++++
 e2e-tests/key.pem | 28 ++++++++++
 e2e-tests/lmConf-1.json | 1 +
 e2e-tests/openssl.cnf | 119 ++++++++++++++++++++++++++++++++++++++++
 e2e-tests/ssl.conf | 6 ++
 7 files changed, 205 insertions(+), 1 deletion(-)
 create mode 100644 e2e-tests/cert.pem
 create mode 100644 e2e-tests/key.pem
 create mode 100644 e2e-tests/openssl.cnf
 create mode 100644 e2e-tests/ssl.conf

diff --git a/Makefile b/Makefile
index d1cad8083..f8ae849d6 100644
--- a/Makefile
+++ b/Makefile
@@ -113,6 +113,7 @@ PORT=80
 VHOSTLISTEN="*:$(PORT)"
 TESTWEBSERVER=apache
 TESTWEBSERVERPORT=19876
+TESTUSESSL=0
 # LDAP backend test
 LLNGTESTLDAP_SLAPD_BIN=/usr/sbin/slapd
@@ -409,6 +410,10 @@ prepare_test_server:
 e2e-tests/conf/lmConf-1.json \
 e2e-tests/conf/env.conf \
 e2e-tests/conf/test-nginx.conf
+ @if test "$(TESTUSESSL)" = "1"; then \
+ perl -i -pe 's#http://(test|mana|auth)#https://$$1#' e2e-tests/conf/lmConf-1.json e2e-tests/conf/handler-apache2.X.conf e2e-tests/conf/site/index.pl; \
+ perl -i -pe 's#"https": 0#"https": 1#' e2e-tests/conf/lmConf-1.json; \
+ fi
 e2e-tests/conf/apache2.pid: start_web_server
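Review bot: The TESTUSESSL=1 rewrite in prepare_test_server switches only `e2e-tests/conf/lmConf-1.json`, `handler-apache2.X.conf` and `site/index.pl` to https://, while `e2e-tests/conf/test-nginx.conf`, listed as a prerequisite of the same target just above, is left untouched, and the start_web_server hunk below likewise adds `-DUseSSL` only on the apache branch and leaves the nginx branch as it was. With TESTWEBSERVER=nginx and TESTUSESSL=1 the portal is therefore told its URLs are https while nginx, as far as this patch shows, still serves plain HTTP, so either the nginx path should be covered too or the option documented as apache-only, e.g. `# TESTUSESSL=1 is only honoured with TESTWEBSERVER=apache` next to the `TESTUSESSL=0` default. Because `perl -i` edits the generated copies under e2e-tests/conf in place and nothing reverts them, a later run with TESTUSESSL=0 presumably keeps the https URLs unless the prerequisites regenerate those files from their sources, which is not visible here. The prepare_test_server rule starts before this hunk.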
@@ -451,7 +456,12 @@ start_web_server: all prepare_test_server
 -@[ -e e2e-tests/conf/llng-fastcgi.pid ] && kill `cat e2e-tests/conf/llng-fastcgi.pid` && rm -f e2e-tests/conf/llng-fastcgi.pid || true
 # Start web server (designed for Debian, path may be broken else)
 @if test "$(TESTWEBSERVER)" = "apache"; then \
- LLNG_DEFAULTCONFFILE=`pwd`/e2e-tests/conf/lemonldap-ng.ini /usr/sbin/apache2 -d `pwd`/e2e-tests -f apache2.conf -k start; \
+ if test "$(TESTUSESSL)" = "1"; then \
+ APACHEARGS=-DUseSSL; \
+ else \
+ APACHEARGS=; \
+ fi; \
+ LLNG_DEFAULTCONFFILE=`pwd`/e2e-tests/conf/lemonldap-ng.ini /usr/sbin/apache2 -d `pwd`/e2e-tests -f apache2.conf $$APACHEARGS -k start; \
 elif test "$(TESTWEBSERVER)" = "nginx"; then \
 echo "Testing nginx conf"; \
 $(NGINX) -t -p `pwd`/e2e-tests \
@@ -1153,3 +1163,15 @@ spelling:
 if [ "$$text" != "" ]; then echo "### $$i ###"; echo $$text; fi \
 fi \
 done
+
+e2e_cert:
+ openssl req -x509 \
+ -newkey rsa:2048 \
+ -keyout e2e-tests/key.pem \
+ -out e2e-tests/cert.pem \
+ -days 3650 \
+ -nodes \
+ -subj "/C=PL/ST=Programming Republic of Perl/O=Security Dept/CN=auth.example.com" \
+ -reqexts SAN \
+ -extensions SAN \
+ -config e2e-tests/openssl.cnf
diff --git a/e2e-tests/apache2.conf b/e2e-tests/apache2.conf
index 2fb22741c..18bf57f77 100644
--- a/e2e-tests/apache2.conf
+++ b/e2e-tests/apache2.conf
@@ -9,6 +9,9 @@ LoadModule cgi_module /usr/lib/apache2/modules/mod_cgi.so
 LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so
 LoadModule authz_host_module /usr/lib/apache2/modules/mod_authz_host.so
 LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
+
+ LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+
 Options FollowSymLinks
 AllowOverride None
@@ -55,6 +58,9 @@ AddLanguage fr .fr
 MaxConnectionsPerChild 0
+
+ Include ssl.conf
+
 Include conf/manager-apache2.X.conf
 Include conf/portal-apache2.X.conf
 Include conf/handler-apache2.X.conf
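Review bot: The `e2e_cert` target writes `e2e-tests/key.pem` unencrypted (`-nodes`) and this same patch commits the resulting key pair, so that private key is public and must only ever terminate the throw-away e2e listener; the target should say so, e.g. `# Test-only self-signed cert: key.pem is committed and public, never reuse it outside e2e-tests`. The certificate is issued for `-days 3650`, and the validity field of the committed cert.pem appears to decode to an expiry in February 2028, after which TLS e2e runs will fail until someone reruns `make e2e_cert`; a comment recording that date, or a shorter `-days`, would make the failure predictable. The subject is hard-coded to `CN=auth.example.com` while the SAN list comes from the `[SAN]` section of e2e-tests/openssl.cnf, so the two files must be edited together whenever a test vhost is added. In the apache2.conf hunks the `LoadModule ssl_module` and `Include ssl.conf` lines sit between lines that render empty here, presumably an IfDefine block matching the `-DUseSSL` argument; if that is the case a one-line comment naming the Makefile variable that sets it would help the next reader.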
diff --git a/e2e-tests/cert.pem b/e2e-tests/cert.pem
new file mode 100644
index 000000000..4552c1d2e
--- /dev/null
+++ b/e2e-tests/cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqzCCApOgAwIBAgIJALF/feDNX7Q/MA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
+BAYTAlBMMSUwIwYDVQQIDBxQcm9ncmFtbWluZyBSZXB1YmxpYyBvZiBQZXJsMRYw
+FAYDVQQKDA1TZWN1cml0eSBEZXB0MRkwFwYDVQQDDBBhdXRoLmV4YW1wbGUuY29t
+MB4XDTE4MDIxNjE0MDcyNloXDTI4MDIxNDE0MDcyNlowZzELMAkGA1UEBhMCUEwx
+JTAjBgNVBAgMHFByb2dyYW1taW5nIFJlcHVibGljIG9mIFBlcmwxFjAUBgNVBAoM
+DVNlY3VyaXR5IERlcHQxGTAXBgNVBAMMEGF1dGguZXhhbXBsZS5jb20wggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrpF9e1RBQrL0QDp0NKwNwpeHbmVka
+qtSMRzHdxUNVgjf5fysk/aut6CbEib0vSTXNPOhxRxDnYCaIED31Zt5vHqiW3fvp
+5b7RTQEOPl1uElYR1AmBL1qnv1YSUfQMlPEz9+E1H6K6K+bHz9ep+v7zqZJyal2v
+el8n7nIo2yV4Shq0oOtjilNZlPrgMVUiXQEna+e9lFgPhfPApuzkMXPE8YOYSJIG
+o9ZiPEQgGDkUFHYWaIjbmoID6aiFZmCGIeItwHXCiVDeteIgVLtlkhrT5Yss04sD
+Zr6xEmvebaBom2yQwv911HxvXv8UhHMbN5UQht4qQBd/CgeHmPTsPJPxAgMBAAGj
+WjBYMFYGA1UdEQRPME2CE21hbmFnZXIuZXhhbXBsZS5jb22CEXRlc3QxLmV4YW1w
+bGUuY29tghBhdXRoLmV4YW1wbGUuY29tghF0ZXN0Mi5leGFtcGxlLmNvbTANBgkq
+hkiG9w0BAQsFAAOCAQEAhmJrn/0OqGgT55TTQSnWQvH8SE9lceUsup3m2kIQnvZx
+s4fDyTne0jlDmV+R/U00v4GC7YkfrnKl/IO/28ZCelD8oEwWf75p5BnwBVLRSzVU
+ajOmHOgKeYuS4LuvtmxiC+RmsVD4kHPfcUcF4P77n0na7UFf+qX+9b1ISFVjw86e
+0Vtkayghf4IAHl0G8ysrasZDEtWX9ouXKykLig/RI3MZAEJp4GquIqmNm4S1/HPI
+tFRT1BPfngjy/J1NylfOLlpNEAC/Nf6J6AgdEQcCZMANDEOIXTFNNH4aXDwUbmuO
+JX9PReAaCc5HYb9uVA8l0E4dX0FQpWkS9qaj6JeoHg==
+-----END CERTIFICATE-----
diff --git a/e2e-tests/key.pem b/e2e-tests/key.pem
new file mode 100644
index 000000000..ea1503aaf
--- /dev/null
+++ b/e2e-tests/key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCrpF9e1RBQrL0Q
+Dp0NKwNwpeHbmVkaqtSMRzHdxUNVgjf5fysk/aut6CbEib0vSTXNPOhxRxDnYCaI
+ED31Zt5vHqiW3fvp5b7RTQEOPl1uElYR1AmBL1qnv1YSUfQMlPEz9+E1H6K6K+bH
+z9ep+v7zqZJyal2vel8n7nIo2yV4Shq0oOtjilNZlPrgMVUiXQEna+e9lFgPhfPA
+puzkMXPE8YOYSJIGo9ZiPEQgGDkUFHYWaIjbmoID6aiFZmCGIeItwHXCiVDeteIg
+VLtlkhrT5Yss04sDZr6xEmvebaBom2yQwv911HxvXv8UhHMbN5UQht4qQBd/CgeH
+mPTsPJPxAgMBAAECggEAZQHjGeSaqE8vJ47h/0jLynPkGR4CIL5dPHv9LXwTpvNt
+y0Z59lfNuxa+EbTY/0W/ApuQUnE20mJz6mhcfdjel1fccIQL5lZMV9FQCLjMtKTX
+v8AfI8XhPIxNs5RE4U6ZLzL1dhS654JEWlvGl4JcnLmys+BCZ6zE6LPavI5SW5mR
+kDOFwe7GqFHLZNqS8dujHwn5ATzI1m7x7S6lJvL0mEbT6PudMVNvSS4fKlZPfAY4
+y3eZWrlrcIovoCIg72Jn2ElBpbIKsVYsyTmiQBCcnnpY8OmyslUCkyKdPr6+yKp1
+AMRjFQQcA6fSQW+V283LGQNgqVzmRydFLT6JzN/Z/QKBgQDX+Bf/L1+4awVkEX/V
+RDJM6OUD5zDmLefKV6kMxqxljt/vZhjDjizZclixWfC39ERK8YcSIWyU//EgaQcp
+4TXyvk4EVx/E6OkUOlU6RnUuUkefS47NPWFvF1vEbIsl8Eaz1lqnwTct6rrpuzk2
+XLAoQiSqo2FCYuIuj/13LYByJwKBgQDLdOz7K0L3+SiQ0osiZDhOGOjuFAPi99Kc
+e28xmNRVck9+uwxMvefA6Ek1gondTswlsJqRDqkAuTEeKaz7QJ9Jf8FkunoolvyP
+/Cpf8PD9iBve8O+ltheLq+ty2DTX5PNGNhtl8pO6aRT3ZbiNoUCB5wNotepZ9xYn
+1YmWuGlQJwKBgCgIQMp4iZGxpMorxDpP7dL7yJe0nwfLso97OEa5/PLGTRQfJK/7
+Bq032ODm/wvaJ16M7rCZqXrlBlkvnrhQmqNoSyXa0HS7h5jMR0gKD2aKseQBKXM5
+0Xm6JrR+OjzKERD8xskZs5S7UfJJVg2RmMWdnRZUOo8HrU1cO2t/77M5AoGANl8W
+/cB/8xjo2FsLx7MUwPozNXyv1TX5WMw72PtIs1ULHYkLLm8JwinRdrVd9oCaWfAq
+Pl22mHTlRXRJwBNy/gdgPXUANFy1Ph1bjawsGvUGzbuBr71L6Y2WLGjPJmsPAFJx
+W/tJs2Vlrv/GJENVo+GCrbb/2+8GQrr0PA0oR70CgYBYINlP5+Aht/NlxT3pTiHM
+/GqTAD5IRykJ+pZ2tuKT4qAjN/yxckF29imrF6I6BEX0sMKwxlVymm2ddqR1EMuW
+JfF6CS/60TtyAC5F4KplZOSae8zSlKJVil/cZpyK+QDKK9w4TL51CjUb7j4B5ZcP
+uDltjUBog9Qtm1piF/+O/A==
+-----END PRIVATE KEY-----
diff --git a/e2e-tests/lmConf-1.json b/e2e-tests/lmConf-1.json
index f8517a42e..0e8ec016a 100644
--- a/e2e-tests/lmConf-1.json
+++ b/e2e-tests/lmConf-1.json
@@ -1,4 +1,5 @@
 {
+ "https": 0,
 "applicationList": {
 "0001-cat": {
 "catname": "Sample applications",
diff --git a/e2e-tests/openssl.cnf b/e2e-tests/openssl.cnf
new file mode 100644
index 000000000..dd02d046e
--- /dev/null
+++ b/e2e-tests/openssl.cnf
@@ -0,0 +1,119 @@
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+oid_section = new_oids
+[ new_oids ]
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+[ ca ]
+default_ca = CA_default # The default ca section
+[ CA_default ]
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+x509_extensions = usr_cert # The extensions to add to the cert
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+policy = policy_match
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+string_mask = utf8only
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+localityName = Locality Name (eg, city)
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+emailAddress = Email Address
+emailAddress_max = 64
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+unstructuredName = An optional company name
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical,CA:true
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always
+[ proxy_cert_ext ]
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+[ tsa ]
+default_tsa = tsa_config1 # the default TSA section
+[ tsa_config1 ]
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+[SAN]
+subjectAltName=DNS:manager.example.com,DNS:test1.example.com,DNS:auth.example.com,DNS:test2.example.com
diff --git a/e2e-tests/ssl.conf b/e2e-tests/ssl.conf
new file mode 100644
index 000000000..2e79ce074
--- /dev/null
+++ b/e2e-tests/ssl.conf
@@ -0,0 +1,6 @@
+
+ ServerName localhost
+ SSLEngine On
+ SSLCertificateFile cert.pem
+ SSLCertificateKeyFile key.pem
+