blob: 24b2d0f0ca7e89ed87a480cb860bfda2a60b1180 [file] [log] [blame]
# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import os
import subprocess
from autotest_lib.client.bin import test, utils
from autotest_lib.client.common_lib import error
OPENSSL = '/usr/bin/openssl'
VERIFY = OPENSSL + ' verify'
class security_OpenSSLBlacklist(test.test):
version = 1
def verify(self, blacklist='/dev/null'):
r = os.system('OPENSSL_BLACKLIST_PATH=%s %s -CAfile %s %s' %
(blacklist, VERIFY,, self.cert))
return r == 0
def fetch(self, blacklist='/dev/null'):
r = os.system('OPENSSL_BLACKLIST_PATH=%s curl --cacert %s -o /dev/null '
'' % (blacklist,
return r == 0
def run_once(self, opts=None):
self.blacklists = [
'%s/sha256_blacklist' % self.srcdir,
'%s/sha1_blacklist' % self.srcdir,
'%s/serial_blacklist' % self.srcdir,
self.bogus_blacklist = '%s/bogus_blacklist' % self.srcdir = '%s/ca.pem' % self.srcdir
self.cert = '%s/cert.pem' % self.srcdir
self.key = '%s/cert.key' % self.srcdir
if not self.verify():
raise error.TestFail('Certificate does not verify normally.')
for b in self.blacklists:
if self.verify(b):
raise error.TestFail('Certificate verified with %s' % b)
if not self.verify(self.bogus_blacklist):
raise error.TestFail('Certificate does not verify with nonempty blacklist.')
# Fire up an openssl s_server and have curl fetch from it
server = subprocess.Popen([OPENSSL, 's_server', '-www',
'-CAfile',, '-cert', self.cert,
'-key', self.key, '-port', '4433'])
# Need to wait for openssl to be ready to talk to us
error.TestFail('Fetch without blacklist fails.'))
for b in self.blacklists:
if self.fetch(b):
raise error.TestFail('Fetched with %s' % b)