github-1: support for hashing functions other than sha1
#!/bin/bash
# shunit2 tests for certmaster
# (sorry bats, but I couldn't figure out how to push a command into the background with ya)
4
#######################################
# Runs before every test: stop any daemon left over from a previous run,
# install the test configuration, wipe every CA state/PKI directory the
# tests can populate, then start the daemon fresh.
# Globals:   none
# Arguments: none
# Outputs:   nothing (init script output is discarded)
#######################################
setUp() {
  local conf_dir=/etc/certmaster
  local state_dir

  # A missing or already-stopped daemon must not abort setup.
  /etc/init.d/certmaster stop >/dev/null 2>&1 || true

  mkdir -p "$conf_dir"
  cp certmaster.conf.tst "$conf_dir/certmaster.conf"
  cp minion.conf.tst "$conf_dir/minion.conf"

  # Per-CA state and PKI directories: the default CA plus the test/md5/sha1/sha224 CAs.
  for state_dir in \
      /var/lib/certmaster \
      /var/lib/certmaster/test \
      /var/lib/certmaster/md5 \
      /var/lib/certmaster/sha1 \
      /var/lib/certmaster/sha224 \
      /etc/pki/certmaster \
      /etc/pki/certmaster-test \
      /etc/pki/certmaster-md5 \
      /etc/pki/certmaster-sha1 \
      /etc/pki/certmaster-sha224; do
    rm -rf -- "$state_dir"
  done

  /etc/init.d/certmaster start >/dev/null 2>&1
}
23
#######################################
# Runs after every test: stop the daemon so no test leaks a running
# instance into the next one.
# Globals:   none
# Arguments: none
#######################################
tearDown() {
  /etc/init.d/certmaster stop >/dev/null 2>&1
}
27
#######################################
# The CA command-line tool must be installed and executable.
#######################################
test_CertmasterCaAvailable() {
  local ca_bin=/usr/bin/certmaster-ca
  local rc=0
  [[ -x "$ca_bin" ]] || rc=$?
  assertTrue "certmaster-ca exists" "$rc"
}
33
#######################################
# The request (minion side) command-line tool must be installed and executable.
#######################################
test_CertmasterRequestAvailable() {
  local request_bin=/usr/bin/certmaster-request
  local rc=0
  [[ -x "$request_bin" ]] || rc=$?
  assertTrue "certmaster-request exists" "$rc"
}
39
#######################################
# The daemon started by setUp must report itself as running.
# The init script's status output is left on stdout for the test log.
#######################################
test_CertmasterDaemonRunning() {
  local rc=0
  /etc/init.d/certmaster status || rc=$?
  assertTrue "certmaster daemon running" "$rc"
}
45
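#######################################
# certmaster-request --help prints exactly the documented option summary.
# Globals:   none
# Arguments: none
#######################################
test_CertmasterRequestHelp() {
  local actual expected
  actual=$(certmaster-request --help)

  # Quoted delimiter: the expected text is taken literally, nothing is expanded.
  expected=$(cat <<'EOF'
Usage: certmaster-request [options]

Options:
-h, --help show this help message and exit
--hostname=NAME hostname to use as the CN for the certificate
--ca=CA certificate authority used to sign the certificate
EOF
)

  # shunit2 argument order is: message, expected, actual.
  assertEquals "certmaster-request --help" "$expected" "$actual"
}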
63
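#######################################
# certmaster-request -h prints the same option summary as --help.
# Globals:   none
# Arguments: none
#######################################
test_CertmasterRequestHFlag() {
  local actual expected
  actual=$(certmaster-request -h)

  # Quoted delimiter: the expected text is taken literally, nothing is expanded.
  expected=$(cat <<'EOF'
Usage: certmaster-request [options]

Options:
-h, --help show this help message and exit
--hostname=NAME hostname to use as the CN for the certificate
--ca=CA certificate authority used to sign the certificate
EOF
)

  # shunit2 argument order is: message, expected, actual.
  assertEquals "certmaster-request -h" "$expected" "$actual"
}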
80
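#######################################
# An unknown option is rejected with a usage line and an error naming the option.
# Globals:   none
# Arguments: none
#######################################
test_CertmasterRequestBadFlag() {
  local actual expected

  # The option error goes to stderr, so merge it into the captured output.
  actual=$(certmaster-request --blah 2>&1)

  expected=$(cat <<'EOF'
Usage: certmaster-request [options]

certmaster-request: error: no such option: --blah
EOF
)

  # shunit2 argument order is: message, expected, actual.
  assertEquals "certmaster-request --blah" "$expected" "$actual"
}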
96
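#######################################
# A request against a CA that is not configured must be refused with a
# clear error rather than silently falling back to another CA.
# Globals:   none
# Arguments: none
#######################################
test_CertmasterRequest_UnknownCA() {
  local actual expected

  # The error is printed on stderr, so merge it into the captured output.
  actual=$(certmaster-request --hostname unknown.pwan.co --ca unknown 2>&1)
  expected=$(cat <<'EOF'
error: Unknown cert authority: unknown
EOF
)

  # shunit2 argument order is: message, expected, actual.
  assertEquals "certmaster-request --ca unknown" "$expected" "$actual"
}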
107
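#######################################
# certmaster-ca --help prints exactly the documented option summary.
# Globals:   none
# Arguments: none
#######################################
test_CertmasterCAHelp() {
  local actual expected
  actual=$(certmaster-ca --help)

  # Quoted delimiter: the expected text is taken literally (note the
  # apostrophe in "program's"), nothing is expanded.
  expected=$(cat <<'EOF'
Usage: certmaster-ca <option> [args]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
--ca=CA certificate authority used to sign/list certs
-l, --list list signing requests remaining
-s, --sign sign requests of hosts specified
-c, --clean clean out all certs or csrs for the hosts specified
--list-signed list all signed certs
--list-cert-hash list the cert hash for signed certs
EOF
)

  # shunit2 argument order is: message, expected, actual.
  assertEquals "certmaster-ca --help" "$expected" "$actual"
}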
127
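#######################################
# certmaster-ca -h prints the same option summary as --help.
# Globals:   none
# Arguments: none
#######################################
test_CertmasterCAHFlag() {
  local actual expected
  actual=$(certmaster-ca -h)

  # Quoted delimiter: the expected text is taken literally (note the
  # apostrophe in "program's"), nothing is expanded.
  expected=$(cat <<'EOF'
Usage: certmaster-ca <option> [args]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
--ca=CA certificate authority used to sign/list certs
-l, --list list signing requests remaining
-s, --sign sign requests of hosts specified
-c, --clean clean out all certs or csrs for the hosts specified
--list-signed list all signed certs
--list-cert-hash list the cert hash for signed certs
EOF
)

  # shunit2 argument order is: message, expected, actual.
  assertEquals "certmaster-ca -h" "$expected" "$actual"
}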
147
#######################################
# certmaster-ca --version must mention both a version and a release.
# Only the presence of the two labels is checked, not their values.
#######################################
test_CertmasterCAVersion() {
  local actual label rc
  actual=$(certmaster-ca --version)

  for label in version: release:; do
    rc=0
    [[ "$actual" == *"$label"* ]] || rc=$?
    assertTrue "version includes a ${label%:}" "$rc"
  done
}
158
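#######################################
# Listing requests for a CA that is not configured must fail with an
# error naming the CA.
# Globals:   none
# Arguments: none
#######################################
test_CertmasterCA_UnknownCA() {
  local actual expected

  # The error is printed on stderr, so merge it into the captured output.
  actual=$(certmaster-ca --list --ca unknown 2>&1)

  # NOTE(review): the tool's message points at /etc/certmaster.cfg while
  # setUp installs /etc/certmaster/certmaster.conf; the text below is what
  # the tool currently prints — confirm which path the CLI really reads.
  expected=$(cat <<'EOF'
Unknown ca unknown: check /etc/certmaster.cfg
EOF
)

  # shunit2 argument order is: message, expected, actual.
  assertEquals "certmaster-ca --ca unknown" "$expected" "$actual"
}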
170
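#######################################
# The "test" CA autosigns: one request yields cert, key and csr under
# /etc/pki/certmaster-test, the cert carries the requested CN and a
# sha256 signature, and the CA's listings reflect the signed cert.
# Globals:   none
# Arguments: none
#######################################
test_TestCA_Autosigning() {
  local pki_dir=/etc/pki/certmaster-test
  local host=testcert.pwan.co
  local cert="$pki_dir/$host.cert"
  local key="$pki_dir/$host.pem"
  local csr="$pki_dir/$host.csr"
  local subject output

  certmaster-request --hostname "$host" --ca test

  [[ -e "$pki_dir" ]]
  assertTrue "$pki_dir exists" $?
  [[ -e "$cert" ]]
  assertTrue "$host.cert exists" $?
  [[ -e "$key" ]]
  assertTrue "$host.pem exists" $?
  [[ -e "$csr" ]]
  assertTrue "$host.csr exists" $?

  # The CN must be the requested hostname; the pattern match alone is not
  # an assertion, its status has to be handed to shunit2.
  subject=$(openssl x509 -in "$cert" -subject -noout)
  [[ $subject == *"CN=$host"* ]]
  assertTrue "$host.cert subject has CN=$host" $?

  # The signature hash is the point of this test series, so match the
  # "Signature Algorithm:" line rather than any stray "sha256" in the dump.
  openssl x509 -in "$cert" -noout -text | grep -Eq 'Signature Algorithm: *sha256'
  assertTrue "$host.cert has a sha256 hash" $?

  openssl rsa -in "$key" -check >/dev/null 2>&1
  assertTrue "$host.pem OK" $?
  openssl req -text -noout -verify -in "$csr" >/dev/null 2>&1
  assertTrue "$host.csr OK" $?

  # Verify there are no certs left to sign (shunit2 order: message, expected, actual).
  output=$(certmaster-ca --list --ca test)
  assertEquals "nothing to sign" "No certificates to sign" "$output"

  # Verify the cert shows up in the signed list
  output=$(certmaster-ca --list-signed --ca test)
  [[ $output == *"$host"* ]]
  assertTrue "--list-signed includes testcert" $?

  # Verify the cert shows up in the list-cert-hash command
  output=$(certmaster-ca --list-cert-hash --ca test)
  [[ $output == *"$host"* ]]
  assertTrue "--list-cert-hash includes testcert" $?
}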
210
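#######################################
# A CA configured with md5 must refuse to issue: the request is rejected
# with an error and no certificate appears under the md5 CA's PKI directory.
# Globals:   none
# Arguments: none
#######################################
test_MD5CA_Attempt() {
  local actual expected
  local host=badmd5req.pwan.co

  # The rejection is printed on stderr, so merge it into the captured output.
  actual=$(certmaster-request --hostname "$host" --ca md5 2>&1)
  expected=$(cat <<'EOF'
error: md5 hash function is unsupported: md5
EOF
)
  # shunit2 argument order is: message, expected, actual.
  assertEquals "MD5CA Attempt" "$expected" "$actual"

  # The refusal must be real, not just a message: setUp wipes
  # /etc/pki/certmaster-md5, so any cert here was issued by this request.
  [[ ! -e "/etc/pki/certmaster-md5/$host.cert" ]]
  assertTrue "no md5-signed cert was issued for $host" $?
}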
221
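#######################################
# A CA configured with sha1 still issues (autosigned) but the request
# prints a deprecation warning, and the cert really is sha1-signed.
# Globals:   none
# Arguments: none
#######################################
test_Sha1CA_Autosigning() {
  local actual expected
  local host=testcert.pwan.co
  local cert="/etc/pki/certmaster-sha1/$host.cert"

  # The warning is the only output expected; stderr is merged so it is seen.
  actual=$(certmaster-request --hostname "$host" --ca sha1 2>&1)
  expected=$(cat <<'EOF'
Deprecated hash function of sha1: sha1
EOF
)
  # shunit2 argument order is: message, expected, actual.
  assertEquals "deprecated sha1 warning" "$expected" "$actual"

  # Match the "Signature Algorithm:" line rather than any stray "sha1" in the dump.
  openssl x509 -in "$cert" -noout -text | grep -Eq 'Signature Algorithm: *sha1'
  assertTrue "$host.cert has a sha1 hash" $?
}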
234
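#######################################
# A CA configured with sha224 autosigns and the issued cert under
# /etc/pki/certmaster-sha224 is sha224-signed.
# Globals:   none
# Arguments: none
#######################################
test_Sha224CA_Autosigning() {
  local host=testcert.pwan.co
  local cert="/etc/pki/certmaster-sha224/$host.cert"

  certmaster-request --hostname "$host" --ca sha224

  # Match the "Signature Algorithm:" line rather than any stray "sha224" in the dump.
  openssl x509 -in "$cert" -noout -text | grep -Eq 'Signature Algorithm: *sha224'
  assertTrue "$host.cert has a sha224 hash" $?
}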
243
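#######################################
# The default CA does not autosign: a request stays pending until the CA
# operator signs it with certmaster-ca --sign, after which the request
# completes and cert, key and csr appear under /etc/pki/certmaster.
# Globals:   none
# Arguments: none
# Outputs:   a progress line on stdout while waiting
#######################################
test_DefaultCA_NonAutosigning() {
  local pki_dir=/etc/pki/certmaster
  local host=defaultcert.pwan.co
  local cert="$pki_dir/$host.cert"
  local key="$pki_dir/$host.pem"
  local csr="$pki_dir/$host.csr"
  local output subject rc

  # Turn on job control, so 'fg' is available
  set -m

  # Request a cert (no --ca: the default CA); it blocks until signed, so
  # it runs in the background.
  certmaster-request --hostname "$host" &
  # Fixed delays give the daemon time to record the request.
  sleep 1
  echo "...patience grasshopper..."

  # Verify the cert is waiting to be signed
  output=$(certmaster-ca --list)
  [[ $output == *"$host"* ]]
  assertTrue "$output includes defaultcert" $?

  # Sign the cert
  output=$(certmaster-ca --sign "$host")
  sleep 1

  # Bring the request back to the foreground so it can finish; fg returns
  # the job's exit status, which must be success.
  rc=0
  fg || rc=$?
  assertTrue "certmaster-request finished successfully" "$rc"

  # Verify there are no certs left to sign (shunit2 order: message, expected, actual).
  output=$(certmaster-ca --list)
  assertEquals "nothing to sign" "No certificates to sign" "$output"

  # Verify the cert shows up in the signed list
  output=$(certmaster-ca --list-signed)
  [[ $output == *"$host"* ]]
  assertTrue "--list-signed includes defaultcert" $?

  # Verify the cert shows up in the list-cert-hash command
  output=$(certmaster-ca --list-cert-hash)
  [[ $output == *"$host"* ]]
  assertTrue "--list-cert-hash includes defaultcert" $?

  # Verify all the expected files exist
  [[ -e "$pki_dir" ]]
  assertTrue "$pki_dir exists" $?
  [[ -e "$cert" ]]
  assertTrue "$host.cert exists" $?
  [[ -e "$key" ]]
  assertTrue "$host.pem exists" $?
  [[ -e "$csr" ]]
  assertTrue "$host.csr exists" $?

  # Verify the cert's CN; the pattern match alone is not an assertion,
  # its status has to be handed to shunit2.
  subject=$(openssl x509 -in "$cert" -subject -noout)
  [[ $subject == *"CN=$host"* ]]
  assertTrue "$host.cert subject has CN=$host" $?

  # Verify the key and signing request are valid (output discarded; only
  # the exit status matters).
  openssl rsa -in "$key" -check >/dev/null 2>&1
  assertTrue "$host.pem OK" $?
  openssl req -text -noout -verify -in "$csr" >/dev/null 2>&1
  assertTrue "$host.csr OK" $?

  set +m
}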
302
303
# load shunit2 — sourcing it runs the test_* functions defined above with
# setUp/tearDown around each, so this must remain the last line of the file.
. /usr/share/shunit2/shunit2