# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import os
import subprocess

from autotest_lib.client.bin import test
from autotest_lib.client.common_lib import error
# Path of the openssl binary the test drives.
OPENSSL = '/usr/bin/openssl'
# Command prefix for certificate verification ("openssl verify").
VERIFY = '%s verify' % OPENSSL
# System-wide fingerprint blacklist that this test expects openssl to honour.
BLACKLIST = '/etc/ssl/blacklist'
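class security_OpenSSLBlacklist(test.test):
    """Check that ``openssl verify`` honours the certificate blacklist.

    The test sets the system blacklist (BLACKLIST) aside, works on an empty
    scratch copy, and verifies a known certificate against its CA.  The
    certificate must verify normally, must fail while its SHA-256
    fingerprint is listed, and must verify again once the entry is removed
    or when only an unrelated fingerprint is listed.  Whatever blacklist
    existed before the run is restored in a ``finally`` block.
    """
    version = 1

    def blacklist(self, fingerprint):
        """Append *fingerprint* as a new line to the blacklist file.

        Uses a context manager so the entry is flushed and the file closed
        before the next ``verify()`` runs (the former code never closed it).
        """
        with open(BLACKLIST, 'a') as f:
            f.write('%s\n' % fingerprint)

    def unblacklist(self, fingerprint):
        """Remove every line equal to *fingerprint* from the blacklist file.

        Lines are compared after stripping surrounding whitespace; all other
        entries are written back one per line.
        """
        with open(BLACKLIST, 'r') as f:
            entries = [line.strip() for line in f]
        remaining = [entry for entry in entries if entry != fingerprint]
        with open(BLACKLIST, 'w') as f:
            # The newline was stripped above; re-add it so the surviving
            # entries stay one per line (writelines() does not add any).
            f.writelines('%s\n' % entry for entry in remaining)

    def verify(self):
        """Return True if self.cert verifies against self.ca with openssl.

        openssl's own output goes to stdout as before; only the exit status
        is inspected.
        """
        # Argument list instead of a shell string: the paths are built from
        # self.srcdir and are passed to openssl without shell interpretation.
        status = subprocess.call(
            [OPENSSL, 'verify', '-CAfile', self.ca, self.cert])
        return status == 0

    def run_once(self, opts=None):
        """Run the blacklist scenario end to end.

        Args:
            opts: accepted for interface compatibility; unused.

        Raises:
            error.TestFail: if any of the four verify() outcomes is wrong.
            OSError: if the existing blacklist cannot be set aside or
                restored (raised explicitly rather than silently ignored,
                so a permission problem never leaves the test editing the
                live blacklist).
        """
        self.ca = '%s/ca.pem' % self.srcdir
        self.cert = '%s/cert.pem' % self.srcdir
        # This fingerprint comes from 'openssl x509 -in foo.pem -fingerprint -sha256'
        self.certfp = 'f641c36cfef49bc071359ecf88eed9317b738b5989416ad401720c0a4e2e6352'
        # ... and this one comes from 'head -c 16 /dev/urandom | sha256sum' :)
        self.bogus_certfp = 'bb708578662b7202b7ac3f420013a8a765e0b8687109a2cbba2b5a625358788f'

        saved = '%s.old' % BLACKLIST
        had_blacklist = os.path.exists(BLACKLIST)
        if had_blacklist:
            os.rename(BLACKLIST, saved)
        try:
            # Start from an empty blacklist (equivalent of 'touch').
            with open(BLACKLIST, 'w'):
                pass
            if not self.verify():
                raise error.TestFail('Certificate does not verify normally.')
            self.blacklist(self.certfp)
            if self.verify():
                raise error.TestFail('Certificate verified when blacklisted.')
            self.unblacklist(self.certfp)
            if not self.verify():
                raise error.TestFail('Certificate does not verify when unblacklisted.')
            self.blacklist(self.bogus_certfp)
            if not self.verify():
                raise error.TestFail('Certificate does not verify with nonempty blacklist.')
        finally:
            if had_blacklist:
                os.rename(saved, BLACKLIST)
            elif os.path.exists(BLACKLIST):
                # No blacklist existed before the run: do not leave the
                # scratch file (with the bogus entry) behind on the system.
                os.remove(BLACKLIST)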