NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitae81776

committed

Add TAP tests for contrib/sslinfo

This adds rudimentary coverage of the sslinfo extension into the SSLtest harness. The output is validated by comparing with pg_stat_sslto provide some level of test stability should the underlying certsbe slightly altered. A new cert is added to provide an extension totest against.Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>Reviewed-by: Andrew Dunstan <andrew@dunslane.net>Reviewed-by: Dagfinn Ilmari Mannsåker <ilmari@ilmari.org>Discussion:https://postgr.es/m/E23F9811-0C77-45DA-912F-D809AB140741@yesql.se

1 parent879fc1a commitae81776Copy full SHA for ae81776

File tree

7 files changed

+204

-1

lines changed

src/test/ssl
- Makefile
- README
- conf
  - client_ext.config
- sslfiles.mk
- ssl
  - client_ext.crt
  - client_ext.key
- t
  - 003_sslinfo.pl

7 files changed

+204

-1

lines changed

`‎src/test/ssl/Makefile‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,8 @@`
`9`	`9`	`#`
`10`	`10`	`#-------------------------------------------------------------------------`
`11`	`11`
	`12`	`+EXTRA_INSTALL = contrib/sslinfo`
	`13`	`+`
`12`	`14`	`subdir = src/test/ssl`
`13`	`15`	`top_builddir = ../../..`
`14`	`16`	`include$(top_builddir)/src/Makefile.global`

`‎src/test/ssl/README‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,8 @@ Running the tests`
`16`	`16`	`=================`
`17`	`17`
`18`	`18`	`NOTE: You must have given the --enable-tap-tests argument to configure.`
	`19`	`+Also, to use "make installcheck", you must have built and installed`
	`20`	`+contrib/sslinfo in addition to the core code.`
`19`	`21`
`20`	`22`	`Run`
`21`	`23`	`make check`

`‎src/test/ssl/conf/client_ext.config‎`

Lines changed: 16 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,16 @@`
	`1`	`+# An OpenSSL format CSR config file for creating a client certificate.`
	`2`	`+#`
	`3`	`+# The certificate is for user "ssltestuser" and intends to test client`
	`4`	`+# certificate with extensions.`
	`5`	`+`
	`6`	`+[ req ]`
	`7`	`+distinguished_name = req_distinguished_name`
	`8`	`+req_extensions = client_ext`
	`9`	`+prompt = no`
	`10`	`+`
	`11`	`+[ req_distinguished_name ]`
	`12`	`+CN = ssltestuser`
	`13`	`+`
	`14`	`+[ client_ext ]`
	`15`	`+basicConstraints = critical,CA:false`
	`16`	`+extendedKeyUsage = clientAuth`

`‎src/test/ssl/ssl/client_ext.crt‎`

Lines changed: 21 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,21 @@`
	`1`	`+-----BEGIN CERTIFICATE-----`
	`2`	`+MIIDezCCAmOgAwIBAgIIICEREAQyQQAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE`
	`3`	`+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNs`
	`4`	`+aWVudCBjZXJ0czAeFw0yMTExMTAwMzMyNDFaFw00OTAzMjgwMzMyNDFaMBYxFDAS`
	`5`	`+BgNVBAMMC3NzbHRlc3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC`
	`6`	`+AQEArCHikkEQLFITbn3ZfO8X2RW3fELeaImgy8W4Pkkc4LxdHCWjdCML/vtE/ZVu`
	`7`	`+Op74qrQQWT0HKXFVUiZLbjAgV2PONS6VFHhc3sTFxuTaBnVdY+K98hoFnXskINt/`
	`8`	`+wgwUhRcRZuKPcZvEHiqF6e3g3lQa99l1nVKPGPLOCvVhSgoV0Gwgxok0t7s25BCV`
	`9`	`+ZmpMAwSTxpeviLF0e2MsttuyClQ4nuD92EHZX3BuG0WNPLxiwikV96uMffpMRGsx`
	`10`	`+uiAHzD5ykYM7/b3eU0bjfi0J0qcfTSeytqFuRCNEukJpmtUmyYGqsFJ7HN7ejCY7`
	`11`	`+ObAlBn8h+4bgwBRaeZDZLTMaYQIDAQABo4GgMIGdMAwGA1UdEwEB/wQCMAAwEwYD`
	`12`	`+VR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFPPv1n7k1Vd9BBC4eoGWPZwVz2Lx`
	`13`	`+MFkGA1UdIwRSMFChRKRCMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBmb3IgUG9z`
	`14`	`+dGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlggggIQMDFBIHATANBgkq`
	`15`	`+hkiG9w0BAQsFAAOCAQEAtqIeTmUhtHyCt5k2yx88F0dKshYq4Z+LQI+agyZ1fRE6`
	`16`	`+Ux5p+SBGbzvc+NcUvc7yGG6w2G/nTVnGwSHN9NtQa2T2XbHJysJ/dwCfmRsachKz`
	`17`	`+4kCp0zAHEDrEmZua0sy5BLwwVCk5WNBR0lZ35WmIEuRA+5G/2lCywtrb9W4YnbAM`
	`18`	`+nH7BtZE8qPbK4OicB40I2NXz6KhG3755oKN03VC1IaX9JFQxf37ac7jVK5bsjfaF`
	`19`	`+0xCAeuDN6wDiVHZj6q1GhhmNLzaF5zmU2e/cI1nTI5tfGKnygavlZIz2VvAlcypt`
	`20`	`+YZdMDy69VbTWUa57UPCspghgvm5M2/Hjmz50CXGMvw==`
	`21`	`+-----END CERTIFICATE-----`

`‎src/test/ssl/ssl/client_ext.key‎`

Lines changed: 28 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,28 @@`
	`1`	`+-----BEGIN PRIVATE KEY-----`
	`2`	`+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCsIeKSQRAsUhNu`
	`3`	`+fdl87xfZFbd8Qt5oiaDLxbg+SRzgvF0cJaN0Iwv++0T9lW46nviqtBBZPQcpcVVS`
	`4`	`+JktuMCBXY841LpUUeFzexMXG5NoGdV1j4r3yGgWdeyQg23/CDBSFFxFm4o9xm8Qe`
	`5`	`+KoXp7eDeVBr32XWdUo8Y8s4K9WFKChXQbCDGiTS3uzbkEJVmakwDBJPGl6+IsXR7`
	`6`	`+Yyy227IKVDie4P3YQdlfcG4bRY08vGLCKRX3q4x9+kxEazG6IAfMPnKRgzv9vd5T`
	`7`	`+RuN+LQnSpx9NJ7K2oW5EI0S6Qmma1SbJgaqwUnsc3t6MJjs5sCUGfyH7huDAFFp5`
	`8`	`+kNktMxphAgMBAAECggEAQlVWkmUHXgUNHvXZo8chyhMP4A+G1QNAl3Zs73fObJ66`
	`9`	`+RPgOOtmsrEjZh92XmnibvHDiofkeMu7NYfiG9gIO3I6GL0Fxyu8tXt22l9SmXnnJ`
	`10`	`+EQ6Wg19azZrgS9c6ryVnnPhMSPlDLRVJaRSbAZCdqSABOoUvSX7AzWz4UQnJwbVp`
	`11`	`+c9Le7DbXcD4IIhi+D2o6k46oGTm+P8kEAbw73tN7NmxBudwMhvGup3HlDNypbwPJ`
	`12`	`+0aWR+nxZbaAVnmYiENX7L68R9rweqDES8AgV030L4YF022C8TAuBLeCjuEQucdp4`
	`13`	`++ZcNUzAF2G1NN/VUpjBKK08+Pu0C0vV+fDrKWK+QnwKBgQC74THLylX/+7TJC24U`
	`14`	`+LXu/z5BjkejUr4GLHTZG9edGgaoSiKikXdseCI/RiDVXvtQ7kstFYflOZ+XGuc4l`
	`15`	`+GVAN52uRqg7uXw0R8F8bKpal08j4Rhe4rXKvH5h9hSeozOlxq7jrQ2xk96Guu3k7`
	`16`	`+ujqkkVoPX+dnwUVN6elWrMIUpwKBgQDqiwqaKk7Pmkqc5et4WKvKFLKYuTU/qOO6`
	`17`	`+fVEqGlgbLGNf+DVgKcTl5AVyhqtedh1hin0ij/dDHoYOmynmbe/zguSxF7kYUxdJ`
	`18`	`+STwWpQt/ccaWMfqgrjxXpWsPc1fRWgmACAaum04GXmBeZ4z0rVT4blwAVddgoLL8`
	`19`	`+q4lrSNbRtwKBgQClv4jnyaxPNecLCmtln66xzFMMlJe8ssztRqswtRYA7Ll2ultV`
	`20`	`+DnwVpeYDK1AsBe1EVT/BCSshEaXzyM3lisxGR+htTIL5pp9oORAeblcTGqEM7wFU`
	`21`	`+aqhneM9VxRf04jn8j0uHOicxeAmKllfg6m1768NxFuGWdjpG/1pcnfJmtwKBgAF8`
	`22`	`+Nen6AJvB710E+7O8ZAIYlXTwH00y5ZZFuuDYX9x0MIDoEnZ0bUHDauFpxuYHO3Jl`
	`23`	`+rRst7DPpmpG3G9HQumdBWe9hJhPoWsplA1NlYihBcS98S4j+8XTgoEftxA2YU10T`
	`24`	`+L++lHh5eNKAEadkWy+Xy1PRPltiOy/NbprgeMvYLAoGAKpt7DHcK8B0JdOnEzTuz`
	`25`	`+7mT6xRt2C9IASCiv92Fx1BPiPy4l9ukT4CJza/wpSpH3xyeB37afe0kQyU8lDrCF`
	`26`	`+iMU3RNTzTftwqO8GgtgntgW8ZKe9fuqzm9VLMQFyL+zdqEfGG6ROS8ipYLx9pn6x`
	`27`	`+FHc3UsmLmK0hfCr9B4Yo+C0=`
	`28`	`+-----END PRIVATE KEY-----`

`‎src/test/ssl/sslfiles.mk‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ SERVERS := server-cn-and-alt-names \`
`27`	`27`	`server-multiple-alt-names\`
`28`	`28`	`server-no-names\`
`29`	`29`	`server-revoked`
`30`		`-CLIENTS := client client-dn client-revoked`
	`30`	`+CLIENTS := client client-dn client-revoked client_ext`
`31`	`31`
`32`	`32`	`#`
`33`	`33`	`# To add a new non-standard key, add it to SPECIAL_KEYS and then add a recipe`

`‎src/test/ssl/t/003_sslinfo.pl‎`

Lines changed: 134 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,134 @@`
	`1`	`+`
	`2`	`+# Copyright (c) 2021, PostgreSQL Global Development Group`
	`3`	`+`
	`4`	`+use strict;`
	`5`	`+use warnings;`
	`6`	`+use PostgreSQL::Test::Cluster;`
	`7`	`+use PostgreSQL::Test::Utils;`
	`8`	`+use Test::More;`
	`9`	`+`
	`10`	`+use File::Copy;`
	`11`	`+`
	`12`	`+use FindBin;`
	`13`	`+use lib$FindBin::RealBin;`
	`14`	`+`
	`15`	`+use SSLServer;`
	`16`	`+`
	`17`	`+if ($ENV{with_ssl}ne'openssl')`
	`18`	`+{`
	`19`	`+planskip_all=>'OpenSSL not supported by this build';`
	`20`	`+}`
	`21`	`+else`
	`22`	`+{`
	`23`	`+plantests=> 13;`
	`24`	`+}`
	`25`	`+`
	`26`	`+#### Some configuration`
	`27`	`+`
	`28`	`+# This is the hostname used to connect to the server. This cannot be a`
	`29`	`+# hostname, because the server certificate is always for the domain`
	`30`	`+# postgresql-ssl-regression.test.`
	`31`	`+my$SERVERHOSTADDR ='127.0.0.1';`
	`32`	`+# This is the pattern to use in pg_hba.conf to match incoming connections.`
	`33`	`+my$SERVERHOSTCIDR ='127.0.0.1/32';`
	`34`	`+`
	`35`	`+# Allocation of base connection string shared among multiple tests.`
	`36`	`+my$common_connstr;`
	`37`	`+`
	`38`	`+# The client's private key must not be world-readable, so take a copy`
	`39`	`+# of the key stored in the code tree and update its permissions.`
	`40`	`+my$client_tmp_key ="${PostgreSQL::Test::Utils::tmp_check}/client_ext.key";`
	`41`	`+copy("ssl/client_ext.key",$client_tmp_key)`
	`42`	`+ordie"couldn't copy ssl/client_ext.key to$client_tmp_key for permissions change:$!";`
	`43`	`+chmod 0600,$client_tmp_key`
	`44`	`+ordie"failed to change permissions on$client_tmp_key:$!";`
	`45`	`+`
	`46`	`+#### Set up the server.`
	`47`	`+`
	`48`	`+note"setting up data directory";`
	`49`	`+my$node = PostgreSQL::Test::Cluster->new('primary');`
	`50`	`+$node->init;`
	`51`	`+`
	`52`	`+# PGHOST is enforced here to set up the node, subsequent connections`
	`53`	`+# will use a dedicated connection string.`
	`54`	`+$ENV{PGHOST} =$node->host;`
	`55`	`+$ENV{PGPORT} =$node->port;`
	`56`	`+$node->start;`
	`57`	`+`
	`58`	`+configure_test_server_for_ssl($node,$SERVERHOSTADDR,$SERVERHOSTCIDR,`
	`59`	`+'trust',extensions=> [qw(sslinfo) ]);`
	`60`	`+`
	`61`	`+# We aren't using any CRL's in this suite so we can keep using server-revoked`
	`62`	`+# as server certificate for simple client.crt connection much like how the`
	`63`	`+# 001 test does.`
	`64`	`+switch_server_cert($node,'server-revoked');`
	`65`	`+`
	`66`	`+$common_connstr =`
	`67`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR" .`
	`68`	`+"user=ssltestuser sslcert=ssl/client_ext.crt sslkey=$client_tmp_key";`
	`69`	`+`
	`70`	`+# Make sure we can connect even though previous test suites have established this`
	`71`	`+$node->connect_ok(`
	`72`	`+$common_connstr,`
	`73`	`+"certificate authorization succeeds with correct client cert in PEM format",`
	`74`	`+);`
	`75`	`+`
	`76`	`+my$result;`
	`77`	`+`
	`78`	`+$result =$node->safe_psql("certdb","SELECT ssl_is_used();",`
	`79`	`+connstr=>$common_connstr);`
	`80`	`+is($result,'t',"ssl_is_used() for TLS connection");`
	`81`	`+`
	`82`	`+$result =$node->safe_psql("certdb","SELECT ssl_version();",`
	`83`	`+connstr=>$common_connstr ." ssl_min_protocol_version=TLSv1.2" .`
	`84`	`+"ssl_max_protocol_version=TLSv1.2");`
	`85`	`+is($result,'TLSv1.2',"ssl_version() correctly returning TLS protocol");`
	`86`	`+`
	`87`	`+$result =$node->safe_psql("certdb",`
	`88`	`+"SELECT ssl_cipher() = cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();",`
	`89`	`+connstr=>$common_connstr);`
	`90`	`+is($result,'t',"ssl_cipher() compared with pg_stat_ssl");`
	`91`	`+`
	`92`	`+$result =$node->safe_psql("certdb","SELECT ssl_client_cert_present();",`
	`93`	`+connstr=>$common_connstr);`
	`94`	`+is($result,'t',"ssl_client_cert_present() for connection with cert");`
	`95`	`+`
	`96`	`+$result =$node->safe_psql("trustdb","SELECT ssl_client_cert_present();",`
	`97`	`+connstr=>"sslrootcert=ssl/root+server_ca.crt sslmode=require" .`
	`98`	`+"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser");`
	`99`	`+is($result,'f',"ssl_client_cert_present() for connection without cert");`
	`100`	`+`
	`101`	`+$result =$node->safe_psql("certdb",`
	`102`	`+"SELECT ssl_client_serial() = client_serial FROM pg_stat_ssl WHERE pid = pg_backend_pid();",`
	`103`	`+connstr=>$common_connstr);`
	`104`	`+is($result,'t',"ssl_client_serial() compared with pg_stat_ssl");`
	`105`	`+`
	`106`	`+# Must not use safe_psql since we expect an error here`
	`107`	`+$result =$node->psql("certdb","SELECT ssl_client_dn_field('invalid');",`
	`108`	`+connstr=>$common_connstr);`
	`109`	`+is($result,'3',"ssl_client_dn_field() for an invalid field");`
	`110`	`+`
	`111`	`+$result =$node->safe_psql("trustdb","SELECT ssl_client_dn_field('commonName');",`
	`112`	`+connstr=>"sslrootcert=ssl/root+server_ca.crt sslmode=require" .`
	`113`	`+"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser");`
	`114`	`+is($result,'',"ssl_client_dn_field() for connection without cert");`
	`115`	`+`
	`116`	`+$result =$node->safe_psql("certdb",`
	`117`	`+"SELECT '/CN=' \|\| ssl_client_dn_field('commonName') = client_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();",`
	`118`	`+connstr=>$common_connstr);`
	`119`	`+is($result,'t',"ssl_client_dn_field() for commonName");`
	`120`	`+`
	`121`	`+$result =$node->safe_psql("certdb",`
	`122`	`+"SELECT ssl_issuer_dn() = issuer_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();",`
	`123`	`+connstr=>$common_connstr);`
	`124`	`+is($result,'t',"ssl_issuer_dn() for connection with cert");`
	`125`	`+`
	`126`	`+$result =$node->safe_psql("certdb",`
	`127`	`+"SELECT '/CN=' \|\| ssl_issuer_field('commonName') = issuer_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();",`
	`128`	`+connstr=>$common_connstr);`
	`129`	`+is($result,'t',"ssl_issuer_field() for commonName");`
	`130`	`+`
	`131`	`+$result =$node->safe_psql("certdb",`
	`132`	`+"SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';",`
	`133`	`+connstr=>$common_connstr);`
	`134`	`+is($result,'CA:FALSE\|t','extract extension from cert');`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitae81776

File tree

7 files changed

7 files changed

`‎src/test/ssl/Makefile‎`

`‎src/test/ssl/README‎`

`‎src/test/ssl/conf/client_ext.config‎`

`‎src/test/ssl/ssl/client_ext.crt‎`

`‎src/test/ssl/ssl/client_ext.key‎`

`‎src/test/ssl/sslfiles.mk‎`

`‎src/test/ssl/t/003_sslinfo.pl‎`

0 commit comments