#!/bin/bash # # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. # # Run a simple test over SSL source ./test_env.sh #set -x CONFIG=$(dirname $0)/config.null TEST_CERT_DIR=`pwd`/test_cert_dir CERT_DB=${TEST_CERT_DIR}/test_cert_db CERT_PW_FILE=`pwd`/cert.password TEST_HOSTNAME=127.0.0.1 TEST_CLIENT_CERT=rumplestiltskin CA_PEM_FILE=${TEST_CERT_DIR}/ca_cert.pem OTHER_CA_CERT_DB=${TEST_CERT_DIR}/x_ca_cert_db OTHER_CA_PEM_FILE=${TEST_CERT_DIR}/other_ca_cert.pem PY_PING_BROKER=$top_srcdir/src/tests/ping_broker COUNT=10 trap cleanup EXIT error() { echo $*; exit 1; } # create the test certificate database # $1 = string used as Subject in server's certificate # $2 = string used as SubjectAlternateName (SAN) in server's certificate create_certs() { local CERT_SUBJECT=${1:-"CN=${TEST_HOSTNAME},O=MyCo,ST=Massachusetts,C=US"} local CERT_SAN=${2:-"*.server.com"} mkdir -p ${TEST_CERT_DIR} rm -rf ${TEST_CERT_DIR}/* # Set Up a CA with a self-signed Certificate # mkdir -p ${CERT_DB} certutil -N -d ${CERT_DB} -f ${CERT_PW_FILE} certutil -S -d ${CERT_DB} -n "Test-CA" -s "CN=Test-CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1 certutil -L -d ${CERT_DB} -n "Test-CA" -a -o ${CERT_DB}/rootca.crt -f ${CERT_PW_FILE} #certutil -L -d ${CERT_DB} -f ${CERT_PW_FILE} # create server certificate signed by Test-CA # certutil -R -d ${CERT_DB} -s "${CERT_SUBJECT}" -o ${TEST_CERT_DIR}/server.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1 certutil -C -d ${CERT_DB} -c "Test-CA" -8 "${CERT_SAN}" -i ${TEST_CERT_DIR}/server.req -o ${TEST_CERT_DIR}/server.crt -f ${CERT_PW_FILE} -m ${RANDOM} certutil -A -d ${CERT_DB} -n ${TEST_HOSTNAME} -i ${TEST_CERT_DIR}/server.crt -t "Pu,," # create a certificate to identify the client # certutil -R -d ${CERT_DB} -s "CN=${TEST_CLIENT_CERT}" -o ${TEST_CERT_DIR}/client.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1 certutil -C -d ${CERT_DB} -c "Test-CA" -8 "*.client.com" -i ${TEST_CERT_DIR}/client.req -o ${TEST_CERT_DIR}/client.crt -f ${CERT_PW_FILE} -m ${RANDOM} certutil -A -d ${CERT_DB} -n ${TEST_CLIENT_CERT} -i ${TEST_CERT_DIR}/client.crt -t "Pu,," ### #certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE} #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_CLIENT_CERT} -s "CN=${TEST_CLIENT_CERT}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil # Set up a separate DB with its own CA for testing failure to validate scenario # mkdir -p ${OTHER_CA_CERT_DB} certutil -N -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE} certutil -S -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -s "CN=Another Test CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1 certutil -L -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -a -o ${OTHER_CA_CERT_DB}/rootca.crt -f ${CERT_PW_FILE} #certutil -L -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE} } delete_certs() { if [[ -e ${TEST_CERT_DIR} ]] ; then rm -rf ${TEST_CERT_DIR} fi } # Don't need --no-module-dir or --no-data-dir as they are set as env vars in test_env.sh COMMON_OPTS="--daemon --config $CONFIG --ssl-cert-db $CERT_DB --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME" # Start new brokers: # $1 must be integer # $2 = extra opts # Append used ports to PORTS variable start_brokers() { local -a ports for (( i=0; $i<$1; i++)) do ports[$i]=$($QPIDD_EXEC --port 0 --interface 127.0.0.1 $COMMON_OPTS $2) || error "Could not start broker $i" done PORTS=( ${PORTS[@]} ${ports[@]} ) } # Stop single broker: # $1 is number of broker to stop (0 based) stop_broker() { $QPIDD_EXEC -qp ${PORTS[$1]} # Remove from ports array unset PORTS[$1] } stop_brokers() { for port in "${PORTS[@]}"; do $QPIDD_EXEC -qp $port done PORTS=() } pick_port() { # We need a fixed port to set --cluster-url. Use qpidd to pick a free port. PICK=`../qpidd --no-module-dir --listen-disable ssl -dp0` ../qpidd --no-module-dir -qp $PICK echo $PICK } cleanup() { stop_brokers delete_certs rm -f ${CERT_PW_FILE} } start_ssl_broker() { start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --auth no" } start_ssl_mux_broker() { ../qpidd $COMMON_OPTS --port $1 --ssl-port $1 --auth no PORTS=( ${PORTS[@]} $1 ) } sasl_config_dir=$builddir/sasl_config start_authenticating_broker() { start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --ssl-sasl-no-dict --ssl-require-client-authentication --auth yes --sasl-config=${sasl_config_dir}" } ssl_cluster_broker() { # $1 = port start_brokers 1 "--ssl-port $1 --auth no --load-module $CLUSTER_LIB --cluster-name ssl_test.$HOSTNAME.$$ --cluster-url amqp:ssl:$TEST_HOSTNAME:$1" # Wait for broker to be ready qpid-ping -Pssl -b $TEST_HOSTNAME -qp $1 || { echo "Cannot connect to broker on $1"; exit 1; } } CERTUTIL=$(type -p certutil) if [[ !(-x $CERTUTIL) ]] ; then echo "No certutil, skipping ssl test"; exit 0; fi if [[ !(-e ${CERT_PW_FILE}) ]] ; then echo password > ${CERT_PW_FILE} fi delete_certs create_certs || error "Could not create test certificate database" start_ssl_broker PORT=${PORTS[0]} echo "Running SSL test on port $PORT" export QPID_NO_MODULE_DIR=1 export QPID_SSL_CERT_DB=${CERT_DB} export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE} ## Test connection via connection settings ./qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary ## Test connection with a URL URL=amqp:ssl:$TEST_HOSTNAME:$PORT ./qpid-send -b $URL --content-string=hello -a "foo;{create:always}" MSG=`./qpid-receive -b $URL -a "foo;{create:always}" --messages 1` test "$MSG" = "hello" || { echo "receive failed '$MSG' != 'hello'"; exit 1; } ## Test connection with a combination of URL and connection options (in messaging API) URL=$TEST_HOSTNAME:$PORT ./qpid-send -b $URL --connection-options '{transport:ssl,heartbeat:2}' --content-string='hello again' -a "foo;{create:always}" MSG=`./qpid-receive -b $URL --connection-options '{transport:ssl,heartbeat:2}' -a "foo;{create:always}" --messages 1` test "$MSG" = "hello again" || { echo "receive failed '$MSG' != 'hello again'"; exit 1; } ## Test using the Python client if test -d $PYTHON_DIR; then echo "Testing Non-Authenticating with Python Client..." URL=amqps://$TEST_HOSTNAME:$PORT if `$PY_PING_BROKER -b $URL`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi else echo "Skipping python part of ssl_test, no python dir." fi #### Client Authentication tests start_authenticating_broker PORT2=${PORTS[1]} echo "Running SSL client authentication test on port $PORT2" URL=amqp:ssl:$TEST_HOSTNAME:$PORT2 ## See if you can set the SSL cert-name for the connection ./qpid-send -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" --content-string=hello -a "bar;{create:always}" MSG2=`./qpid-receive -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" -a "bar;{create:always}" --messages 1` test "$MSG2" = "hello" || { echo "receive failed '$MSG2' != 'hello'"; exit 1; } ## Make sure that connect fails with an invalid SSL cert-name ./qpid-send -b $URL --connection-options "{ssl-cert-name: pignose }" --content-string=hello -a "baz;{create:always}" 2>/dev/null 1>/dev/null MSG3=`./qpid-receive -b $URL --connection-options "{ssl-cert-name: pignose }" -a "baz;{create:always}" --messages 1 2>/dev/null` test "$MSG3" = "" || { echo "receive succeeded without valid ssl cert '$MSG3' != ''"; exit 1; } stop_brokers # Test ssl muxed with plain TCP on the same connection # Test a specified port number - since tcp/ssl are the same port don't need to specify --transport ssl PORT=`pick_port` start_ssl_mux_broker $PORT || error "Could not start broker" echo "Running SSL/TCP mux test on fixed port $PORT" ## Test connection via connection settings ./qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!" ./qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!" # Test a broker chosen port - since ssl chooses port need to use --transport ssl here start_ssl_broker PORT=${PORTS[0]} echo "Running SSL/TCP mux test on random port $PORT" ## Test connection via connection settings ./qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!" ./qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!" stop_brokers ### Additional tests that require 'openssl' and 'pk12util' to be installed (optional) PK12UTIL=$(type -p pk12util) if [[ !(-x $PK12UTIL) ]] ; then echo >&2 "'pk12util' command not available, skipping remaining tests" exit 0 fi OPENSSL=$(type -p openssl) if [[ !(-x $OPENSSL) ]] ; then echo >&2 "'openssl' command not available, skipping remaining tests" exit 0 fi if test -d $PYTHON_DIR; then ## verify python version > 2.5 (only 2.6+ does certificate checking) PY_VERSION=$(python -c "import sys; print hex(sys.hexversion)") if (( PY_VERSION < 0x02060000 )); then echo >&2 "Detected python version < 2.6 - skipping certificate verification tests" exit 0 fi echo "Testing Certificate validation and Authentication with the Python Client..." # extract the CA's certificate as a PEM file get_ca_certs() { $PK12UTIL -o ${TEST_CERT_DIR}/CA_pk12.out -d ${CERT_DB} -n "Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/CA_pk12.out -out ${CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null $PK12UTIL -o ${TEST_CERT_DIR}/other_CA_pk12.out -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null } get_ca_certs || error "Could not extract CA certificates as PEM files" start_ssl_broker PORT=${PORTS[0]} URL=amqps://$TEST_HOSTNAME:$PORT # verify the python client can authenticate the broker using the CA if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi # verify the python client fails to authenticate the broker when using the other CA if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${OTHER_CA_PEM_FILE} > /dev/null 2>&1`; then { echo " Failed"; exit 1; }; else echo " Passed"; fi stop_brokers # create a certificate without matching TEST_HOSTNAME, should fail to verify create_certs "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create server test certificate" get_ca_certs || error "Could not extract CA certificates as PEM files" start_ssl_broker PORT=${PORTS[0]} URL=amqps://$TEST_HOSTNAME:$PORT if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} > /dev/null 2>&1`; then { echo " Failed"; exit 1; }; else echo " Passed"; fi # but disabling the check for the hostname should pass if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} --ssl-skip-hostname-check`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi stop_brokers # test SubjectAltName parsing if (( PY_VERSION >= 0x02070300 )); then # python 2.7.3+ supports SubjectAltName extraction # create a certificate with TEST_HOSTNAME only in SAN, should verify OK create_certs "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || error "Could not create server test certificate" get_ca_certs || error "Could not extract CA certificates as PEM files" start_ssl_broker PORT=${PORTS[0]} URL=amqps://$TEST_HOSTNAME:$PORT if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi stop_brokers create_certs "O=MyCo" "*${TEST_HOSTNAME}" || error "Could not create server test certificate" get_ca_certs || error "Could not extract CA certificates as PEM files" start_ssl_broker PORT=${PORTS[0]} URL=amqps://$TEST_HOSTNAME:$PORT if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo " Passed"; else { echo " Failed"; exit 1; }; fi stop_brokers fi fi