| # Copyright (c) 2012 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| import os |
| import subprocess |
| |
| from autotest_lib.client.bin import test, utils |
| from autotest_lib.client.common_lib import error |
| |
# Absolute path of the openssl binary, and the "openssl verify" command
# prefix used when building a verify command line.
OPENSSL = '/usr/bin/openssl'
VERIFY = ' '.join((OPENSSL, 'verify'))
| |
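class security_OpenSSLBlacklist(test.test):
    """Exercise OpenSSL's certificate blacklist (OPENSSL_BLACKLIST_PATH).

    The certificate in srcdir (cert.pem, issued by ca.pem) must verify with
    no blacklist and with a non-matching one (bogus_blacklist), and must be
    rejected -- both by `openssl verify` and by a TLS fetch from a local
    `openssl s_server` -- when any of the srcdir blacklists
    (sha256_blacklist, sha1_blacklist, serial_blacklist) is in effect.
    """
    version = 1

    # Loopback port shared by the s_server launch and the curl fetch, so the
    # two cannot drift apart.
    PORT = 4433

    @staticmethod
    def _blacklist_env(blacklist):
        """Return a copy of os.environ with OPENSSL_BLACKLIST_PATH=blacklist.

        @param blacklist: path to export; '/dev/null' means "no blacklist".
        """
        env = dict(os.environ)
        env['OPENSSL_BLACKLIST_PATH'] = blacklist
        return env

    def verify(self, blacklist='/dev/null'):
        """Return True if `openssl verify` accepts self.cert against self.ca.

        @param blacklist: path exported as OPENSSL_BLACKLIST_PATH for openssl.
        """
        # Argument list + env= instead of a shell string: a srcdir path that
        # contains spaces or shell metacharacters can no longer break, or be
        # reinterpreted by, the command line.
        cmd = [OPENSSL, 'verify', '-CAfile', self.ca, self.cert]
        return subprocess.call(cmd, env=self._blacklist_env(blacklist)) == 0

    def fetch(self, blacklist='/dev/null'):
        """Return True if curl completes an HTTPS fetch from the local s_server.

        The response body is discarded; only the exit status matters.

        @param blacklist: path exported as OPENSSL_BLACKLIST_PATH for curl.
        """
        cmd = ['curl', '--cacert', self.ca, '-o', '/dev/null',
               'https://127.0.0.1:%d/' % self.PORT]
        return subprocess.call(cmd, env=self._blacklist_env(blacklist)) == 0

    def run_once(self, opts=None):
        """Run the verify checks, then the s_server/curl checks.

        @param opts: unused; kept for the autotest run_once signature.
        @raises error.TestFail: if the certificate verifies (or is fetched)
                when a matching blacklist is set, or fails to verify when no
                blacklist or only the bogus blacklist is set.
        """
        self.blacklists = [
            os.path.join(self.srcdir, 'sha256_blacklist'),
            os.path.join(self.srcdir, 'sha1_blacklist'),
            os.path.join(self.srcdir, 'serial_blacklist'),
        ]
        self.bogus_blacklist = os.path.join(self.srcdir, 'bogus_blacklist')
        self.ca = os.path.join(self.srcdir, 'ca.pem')
        self.cert = os.path.join(self.srcdir, 'cert.pem')
        self.key = os.path.join(self.srcdir, 'cert.key')

        if not self.verify():
            raise error.TestFail('Certificate does not verify normally.')
        for b in self.blacklists:
            if self.verify(b):
                raise error.TestFail('Certificate verified with %s' % b)
        if not self.verify(self.bogus_blacklist):
            raise error.TestFail('Certificate does not verify with nonempty blacklist.')

        # Fire up an openssl s_server and have curl fetch from it
        server = subprocess.Popen([OPENSSL, 's_server', '-www',
                                   '-CAfile', self.ca, '-cert', self.cert,
                                   '-key', self.key, '-port', str(self.PORT)])
        try:
            # Need to wait for openssl to be ready to talk to us
            utils.poll_for_condition(
                self.fetch,
                error.TestFail('Fetch without blacklist fails.'))
            for b in self.blacklists:
                if self.fetch(b):
                    raise error.TestFail('Fetched with %s' % b)
        finally:
            server.terminate()
            # Reap the child so it does not linger as a zombie after the test.
            server.wait()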