diff --git a/osbuild/testutil/net.py b/osbuild/testutil/net.py index ec1e2929..bb8e2885 100644 --- a/osbuild/testutil/net.py +++ b/osbuild/testutil/net.py @@ -62,20 +62,23 @@ class DirHTTPServer(ThreadingHTTPServer): request, client_address, self, directory=self.directory) -def _httpd(rootdir, port, simulate_failures): - return DirHTTPServer( +def _httpd(rootdir, simulate_failures, ctx=None): + port = _get_free_port() + httpd = DirHTTPServer( ("localhost", port), http.server.SimpleHTTPRequestHandler, directory=rootdir, simulate_failures=simulate_failures, ) + if ctx: + httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True) + threading.Thread(target=httpd.serve_forever).start() + return httpd @contextlib.contextmanager def http_serve_directory(rootdir, simulate_failures=0): - port = _get_free_port() - httpd = _httpd(rootdir, port, simulate_failures) - threading.Thread(target=httpd.serve_forever).start() + httpd = _httpd(rootdir, simulate_failures) try: yield httpd finally: @@ -84,14 +87,21 @@ def http_serve_directory(rootdir, simulate_failures=0): @contextlib.contextmanager def https_serve_directory(rootdir, certfile, keyfile, simulate_failures=0): - port = _get_free_port() - httpd = _httpd(rootdir, port, simulate_failures) - ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) ctx.load_cert_chain(certfile=certfile, keyfile=keyfile) - httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True) - - threading.Thread(target=httpd.serve_forever).start() + httpd = _httpd(rootdir, simulate_failures, ctx) + try: + yield httpd + finally: + httpd.shutdown() + + +@contextlib.contextmanager +def https_serve_directory_mtls(rootdir, ca_cert, server_cert, server_key, simulate_failures=0): + ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_cert) + ctx.load_cert_chain(certfile=server_cert, keyfile=server_key) + ctx.verify_mode = ssl.CERT_REQUIRED + httpd = _httpd(rootdir, simulate_failures, ctx) try: yield httpd finally: 
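Review bot: `_httpd` has no docstring, and this hunk changes its contract: it now picks the port itself, optionally wraps the listening socket with `ctx`, and returns a server whose `serve_forever` thread is already running, so every caller owes a `shutdown()`. A one-line docstring would make that explicit, e.g. `"""Start a DirHTTPServer on a free localhost port (TLS if ctx is given) and return it; the caller must call shutdown()."""`. `if ctx:` would also read more precisely as `if ctx is not None:`, since the check is about presence rather than truthiness.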
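Review bot: The added `finally:` in `https_serve_directory` calls only `httpd.shutdown()`, which stops `serve_forever` but leaves the listening socket open until it is garbage-collected. Following it with `httpd.server_close()` would release the port deterministically. The same probably applies to `http_serve_directory` and `https_serve_directory_mtls`, whose `finally` bodies lie outside the hunks. `https_serve_directory_mtls` would also benefit from a docstring saying that clients without a certificate issued by `ca_cert` are rejected (`CERT_REQUIRED`), and that `ca_cert` is the only trust anchor because `create_default_context` skips the system store when `cafile` is given.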
diff --git a/sources/test/test_curl_source.py b/sources/test/test_curl_source.py index 4527b9b5..21e4932e 100644 --- a/sources/test/test_curl_source.py +++ b/sources/test/test_curl_source.py @@ -11,7 +11,7 @@ from unittest.mock import patch import pytest import osbuild.testutil -from osbuild.testutil.net import http_serve_directory, https_serve_directory +from osbuild.testutil.net import http_serve_directory, https_serve_directory, https_serve_directory_mtls SOURCES_NAME = "org.osbuild.curl" @@ -106,7 +106,7 @@ def test_curl_download_many_fail(curl_parallel): assert 'http://localhost:9876/random-not-exists: error code 7' in str(exp.value) -def make_test_sources(fake_httpd_root, port, n_files, start_n=0, cacert=""): +def make_test_sources(fake_httpd_root, port, n_files, start_n=0, cacert="", secret_name=""): """ Create test sources for n_file. All files have the names 0,1,2... @@ -127,6 +127,8 @@ def make_test_sources(fake_httpd_root, port, n_files, start_n=0, cacert=""): } if cacert: val["secrets"] = {} + if secret_name != "": + val["secrets"]["name"] = secret_name val["secrets"]["ssl_ca_cert"] = cacert sources[key] = val (fake_httpd_root / name).write_text(name, encoding="utf8") 
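Review bot: In the `@@ -127,6 +127,8 @@` hunk, `secret_name` is silently dropped unless `cacert` is also passed. `val["secrets"]` is created only under `if cacert:`, so the added `val["secrets"]["name"] = secret_name` has to sit inside that branch (inferred, as the indentation is not recoverable here). Creating the dict when either argument is set, e.g. `if cacert or secret_name: val["secrets"] = {}`, and then filling each key under its own check would avoid that, and `if secret_name:` is the more idiomatic test than `!= ""`. The docstring under the changed signature in the previous hunk should also mention the new parameter. `make_test_sources` starts and ends outside these hunks.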
@@ -401,3 +403,33 @@ def test_curl_download_many_mixed_certs(tmp_path, monkeypatch, sources_module, c assert httpds.reqs.count == 2 assert httpds2.reqs.count == 2 + + +def test_curl_download_mtls(tmp_path, monkeypatch, sources_service): + fake_httpd_root = tmp_path / "fake-httpd-root" + cert_dir = pathlib.Path(__file__).parent.parent.parent / "test/data/certs" + cacert = cert_dir / "test-ca.crt" + assert cacert.exists() + servercert = cert_dir / "localhost-server.crt" + assert servercert.exists() + serverkey = cert_dir / "localhost-server.key" + assert serverkey.exists() + clientcert = cert_dir / "client1-client.crt" + assert clientcert.exists() + clientkey = cert_dir / "client1-client.key" + assert clientkey.exists() + + monkeypatch.setenv("OSBUILD_SOURCES_CURL_SSL_CA_CERT", cacert.as_posix()) + monkeypatch.setenv("OSBUILD_SOURCES_CURL_SSL_CLIENT_CERT", clientcert.as_posix()) + monkeypatch.setenv("OSBUILD_SOURCES_CURL_SSL_CLIENT_KEY", clientkey.as_posix()) + + with https_serve_directory_mtls(fake_httpd_root, ca_cert=cacert, + server_cert=servercert, server_key=serverkey) as httpds: + test_sources = make_test_sources( + fake_httpd_root, httpds.server_port, 1, cacert=cacert, secret_name="org.osbuild.mtls") + + sources_service.cache = tmp_path / "curl-download-dir" + sources_service.cache.mkdir() + sources_service.fetch_all(test_sources) + + assert httpds.reqs.count == 1 diff --git a/sources/test/test_ostree_source.py b/sources/test/test_ostree_source.py new file mode 100644 index 00000000..cfa990c0 --- /dev/null +++ b/sources/test/test_ostree_source.py 
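Review bot: `test_curl_download_mtls` covers only the success path, so `assert httpds.reqs.count == 1` would still hold if the server stopped demanding a client certificate or the source stopped sending one. The same gap exists in `test_https_serve_directory_mtls_smoke` in test/mod/test_testutil_net.py. A second case that leaves `OSBUILD_SOURCES_CURL_SSL_CLIENT_CERT` and `OSBUILD_SOURCES_CURL_SSL_CLIENT_KEY` unset and expects `fetch_all` to fail would pin the enforcement. In the smoke test the equivalent is the same curl call without `--cert`/`--key`, wrapped in `with pytest.raises(subprocess.CalledProcessError):` (pytest may need importing there).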
@@ -0,0 +1,70 @@ +#!/usr/bin/python3 + +import pathlib + +from osbuild.testutil.net import http_serve_directory, https_serve_directory +from osbuild.util import ostree + +SOURCES_NAME = "org.osbuild.ostree" + + +def test_ostree_source_not_exists(tmp_path, sources_service): + checksum = "sha256:1111111111111111111111111111111111111111111111111111111111111111" + sources_service.setup({"cache": tmp_path, "options": {}}) + assert not sources_service.exists(checksum, None) + + +def test_ostree_source_exists(tmp_path, sources_service): + sources_service.setup({"cache": tmp_path, "options": {}}) + repo = tmp_path / "org.osbuild.ostree" / "repo" + commit = ostree.cli("commit", f"--repo={repo}", "--orphan", "/var/empty") + assert sources_service.exists("sha256:" + commit.stdout, None) + + +def make_test_sources(proto, port, fake_commit, **secrets): + sources = { + fake_commit: { + "remote": { + "url": f"{proto}://localhost:{port}", + } + } + } + if secrets: + sources[fake_commit]["remote"]["secrets"] = secrets + return sources + + +def make_repo(root): + ostree.cli("init", f"--repo={root}") + return ostree.cli("commit", f"--repo={root}", "--orphan", "/var/empty").stdout.rstrip() + + +def test_ostree_pull_plain(tmp_path, sources_service): + fake_httpd_root = tmp_path / "fake-httpd-root" + fake_httpd_root.mkdir(exist_ok=True) + fake_commit = make_repo(fake_httpd_root) + + with http_serve_directory(fake_httpd_root) as httpd: + test_sources = make_test_sources("http", httpd.server_port, fake_commit) + sources_service.setup({"cache": tmp_path, "options": {}}) + sources_service.fetch_all(test_sources) + assert sources_service.exists("sha256:" + fake_commit, None) + + +def test_ostree_pull_plain_mtls(tmp_path, sources_service, monkeypatch): + fake_httpd_root = tmp_path / "fake-httpd-root" + fake_httpd_root.mkdir(exist_ok=True) + fake_commit = make_repo(fake_httpd_root) + + cert_dir = pathlib.Path(__file__).parent.parent.parent / "test" / "data" / "certs" + cert1 = cert_dir / 
"cert1.pem" + assert cert1.exists() + key1 = cert_dir / "key1.pem" + assert key1.exists() + + with https_serve_directory(fake_httpd_root, cert1, key1) as httpd: + monkeypatch.setenv("OSBUILD_SOURCES_OSTREE_INSECURE", "1") + test_sources = make_test_sources("https", httpd.server_port, fake_commit, name="org.osbuild.mtls") + sources_service.setup({"cache": tmp_path, "options": {}}) + sources_service.fetch_all(test_sources) + assert sources_service.exists("sha256:" + fake_commit, None) diff --git a/test/data/certs/README.md b/test/data/certs/README.md index 0040fd53..c7c4cd38 100644 --- a/test/data/certs/README.md +++ b/test/data/certs/README.md @@ -2,10 +2,20 @@ This directory contains custom self-signed and worthless certs used during testing. They are not dynamically generated to avoid the extra compuation time during tests (but they could be). -Generated via: +Files `cert{1,2}.pem` and `key{1,2}.pem` were generated via: + ``` $ openssl req -new -newkey rsa:2048 -nodes -x509 \ -subj "/C=DE/ST=Berlin/L=Berlin/O=Org/CN=localhost" \ -days 36500 \ -keyout "key1.pem" -out "cert1.pem" ``` + +The following files were generated via a shell script named `generate-test-certs` and can be used for MTLS testing: + +* `test-ca.crt`: Certificate Authority +* `test-ca.key`: Certificate Authority key without any password +* `localhost-server.crt`: MTLS server certificate signed by `test-ca.crt` +* `localhost-server.key`: MTLS server certificate key without any password +* `client1-client.crt`: MTLS client certificate signed by `test-ca.crt` +* `client1-client.key`: MTLS client certificate key without any password diff --git a/test/data/certs/client1-client.crt b/test/data/certs/client1-client.crt new file mode 100644 index 00000000..9ba75c1e --- /dev/null +++ b/test/data/certs/client1-client.crt 
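Review bot: `test_ostree_pull_plain_mtls` does not exercise mutual TLS. It serves through `https_serve_directory`, whose context never sets a client-certificate requirement, uses the self-signed cert1.pem, and sets `OSBUILD_SOURCES_OSTREE_INSECURE=1`, which judging by its name also turns server verification off. The only mTLS-related input is `name="org.osbuild.mtls"`, so the test shows at most that the secrets lookup does not break a pull. Either rename it to say what it covers, or import `https_serve_directory_mtls` and serve with test-ca.crt and localhost-server.crt/.key, with the client certificate configured and the insecure override removed.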
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFWjCCA0KgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJVUzEL +MAkGA1UECAwCQ0ExFDASBgNVBAoMC0V4YW1wbGUuY29tMRMwEQYDVQQDDApFeGFt +cGxlIENBMCAXDTI0MTAyMzEzMDM0NFoYDzIwNTIwMzA5MTMwMzQ0WjBCMQswCQYD +VQQGEwJVUzELMAkGA1UECAwCQ0ExFDASBgNVBAoMC0V4YW1wbGUuY29tMRAwDgYD +VQQDDAdjbGllbnQxMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuuy4 +iQt9bvKByyjS5Ij/TquuoKzGhyhCgzECF17K7EcbWNUhsC37g3OZgSgE2kONYSrl +vZ2aKJNcZiIa33uXA8iQH0ewtPMWFujMlCs4ehQsbOflthwSqWymmIsSuazvEaEj +o1IqmQ5nJGDiNsF1IP5KN3mpSiQllweNlqXrWZZ2oUwBFhLt0bJ13GYhNLYMYHmU +QSgBj2XxvXwpwAcpNHrxZ7goboJAVaCiYXPDQUtOqs4GfNE85LqIrXcE70RXDq1z +7MYoKKrlMWD9Nk2+0qhIbB4azSmqTkDARG1iMAfBfZrDQcPGl4SHr2+cvk9uek/C +srYMJ6HkebZ9e4zhpm9z0rUy485pcmvmLuVbm+JHi/oUcPVvByOtxt1QB23fYg6z +oGkz7s4ABvrNP7HloWJ4hx+l/dmlc5Yn/WWsTYScmkzNCGmtvhS/EcVGKFiBTjGP +px71hakaJnhRz0Jj0/yFe2Ib0AaaSEC+bzYa5OM4/wPMPJs9j7aigrrFsq/Qdqwl +nuKXmFfo90QEa+tjJPtgupb+EDp1xSerZI6WmvVGvpoIg24n+PajNYpOEadfE8w8 +JeM5jkCQ9no49iPdQCwEOajrLvt+KgiEackhS0SqbzqAKQ0TVXLP4rrwMwZ7lZVN +IxP2OwdyyAmWfavBLMJ+xs+zWGFpsTqfeZ4Fbk8CAwEAAaNWMFQwEgYDVR0RBAsw +CYIHY2xpZW50MTAdBgNVHQ4EFgQUMLJqkrtwFTHSQNU3SQfhRZi4UUYwHwYDVR0j +BBgwFoAUnz8o3kOYsSYcCP6Bm4vPuERJN2kwDQYJKoZIhvcNAQELBQADggIBAI3O +Tu/wKEt+HDd3wZyvfPMortWcxAEm1B5fLW5OeWeyU44xLW8AJqmyKxmHJM+Eq0tW +jVDiiZWcqPfCJFNEL+DNacM1beC7lzR63H4JltQLG8j3MLSZK+t6mIC/erov1Ql/ +P7T9qvAoUSfS3n7g6yW5uKiQjaFW6lX0HOr9IfxZFdqfHOJ+nVblNREoyTDfYUAK +HZgxrGYO/0/hPB6zziFchfigWD0QQVL1s3+cJNfTmNhw3Xu0/sOMLzhKIKuNYAak +ohON2HXpgZViOdLeA79vKsVQ/rf6VrwU+Ev3oLTp2Gsiqp/h4E21OE9/27Co9wDi +khVA5eaHudciOZo1XgDS8beZmcI+IgYZTEiEkpC1yLqfg1Y4t7ubEq/OikmF8L55 +9Zt/sZxz8TSIzG7m+1j8Tv/EgqA3sQ96gTIQe8y4hGp7jYbsOINLrOc7W0y5N+Yb +zt/beUYso0CLZQ+ys25rfYK1uWFgYFCYOqw83yud0oMNndOeKTs4MuP5ozPVa0wm +4BdEfwQViTR+Ush9t8C+mtfYhV78odOivt61AGyo8gU+SS4fw4VdTkt085UkwlOx +5bCAJCcy5PLx8nq7o4Aq8gNoMmRCgwLgKfohv2cqxbWCw9VyxkxaGpC7mCs0SPXP +DnIPOwuJpf1vmhgmc5RfT9FbZSUTLvtGf5a5q5e0 +-----END CERTIFICATE----- 
diff --git a/test/data/certs/client1-client.key b/test/data/certs/client1-client.key new file mode 100644 index 00000000..cdfd6872 --- /dev/null +++ b/test/data/certs/client1-client.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC67LiJC31u8oHL +KNLkiP9Oq66grMaHKEKDMQIXXsrsRxtY1SGwLfuDc5mBKATaQ41hKuW9nZook1xm +Ihrfe5cDyJAfR7C08xYW6MyUKzh6FCxs5+W2HBKpbKaYixK5rO8RoSOjUiqZDmck +YOI2wXUg/ko3ealKJCWXB42WpetZlnahTAEWEu3RsnXcZiE0tgxgeZRBKAGPZfG9 +fCnAByk0evFnuChugkBVoKJhc8NBS06qzgZ80TzkuoitdwTvRFcOrXPsxigoquUx +YP02Tb7SqEhsHhrNKapOQMBEbWIwB8F9msNBw8aXhIevb5y+T256T8KytgwnoeR5 +tn17jOGmb3PStTLjzmlya+Yu5Vub4keL+hRw9W8HI63G3VAHbd9iDrOgaTPuzgAG ++s0/seWhYniHH6X92aVzlif9ZaxNhJyaTM0Iaa2+FL8RxUYoWIFOMY+nHvWFqRom +eFHPQmPT/IV7YhvQBppIQL5vNhrk4zj/A8w8mz2PtqKCusWyr9B2rCWe4peYV+j3 +RARr62Mk+2C6lv4QOnXFJ6tkjpaa9Ua+mgiDbif49qM1ik4Rp18TzDwl4zmOQJD2 +ejj2I91ALAQ5qOsu+34qCIRpySFLRKpvOoApDRNVcs/iuvAzBnuVlU0jE/Y7B3LI +CZZ9q8Eswn7Gz7NYYWmxOp95ngVuTwIDAQABAoICABJdR2lPaQIJbpmtvRUZezEY +yjicQN+ZI6UNSjikO34oeOtVT9Cl89vfnj6DgVaK5HeeEKF8Zl+DesRzUqiPf9qt ++FraXuX9gTdm+me5h1GXFyDr94mDYIynUVwTQxey1xn9oX6zh96EUmXPOZT06gj/ +x/2DRQ/fqpcX9Yp4v+fhUcOvBTxMnR4eUQNXlVOUacrgpvbFHhd0heIpMgDdCJNQ +sNQ70jJpNuDdaJaib5XD9vVDoHzgIay8bB5+tEwS2Wq7vR6PU/VgNNGRHHoappto ++mnaMKU6FAf0HJpHFNUbLfX6dSHKQNc0p2VOVdvspIdSZr0gCDmskhcocqjnbRO9 +zVC1EOVTZYHL/HEtF5WW76CbtghfHDCSp0gq2nNSBdAxyOJE75xzApX5cwRZ93cW ++mHV0S2E02JMYsL4icFWmtaT+dHlwTlmEh9HEXynGEdI25MAb1TB/IVhgtaBOCNl +KCC6q8WHNTr50laJtwF2hFLyDuv7JZ3Zals678rt0+Gflt8DT7biDJjvTak5/ecI +SBDdIdr1iYlLxjd8qwBGEFm3arCDRTC6BRGPl2Vul2fGVMIZxY3qYRkVb+GEeZFC +PC/0RQFWdUSue/MZkcpPPbUhvUX8B74KuyNJF7SGWia7u+CZr3jTRPCFZegpTU38 +9kLEzHbkgFy6Raiix6qhAoIBAQDuerqsu2PNMCcwFrlfzwt48eqYw1YiIbjRjUZF +NYa3ZEY7WQ4xFoY5ATMDgD0QEIgFGi4d+uNA6Zgx4zEj2V7/xDWmGu2DM4pG7dk/ +WCgDZsKq7fM61o6bmlP3vq/aUADeu1FUCyyz+N+DmxlzsCNiyw06hrj3eSc6fiUk +NrujP1tyeF9J1Uo08OKQKBoxMvFsZLX5qTOdQA+jcWRZryW6795MThaJmhBZBrqe +wTDZf8EJ9AjKQ3m6lF/hzHjpSkjLvbwzKZsHLZeUlV5wp2aiN3c9rPZ45zzL6OFG +98eeqLW8MIWrwEuTLPHMWg1bPxH8j2acxYCA6kdxTMUFQD/dAoIBAQDIqFx7+LQo +cmT92uqsKlSQx+RBgpALeTad8P8ausfj+VnCxVZZHsjolRSxjJt7kHVMWIlz2D6Q 
+2hv4gQvY/QCilB5MBxBC948RRNd2QqyaCWFV2h06R8pql6Z5QAz0q0IuIv3+77V+ +amaaXLvcR23JW32lXEghPRRJIqS7tNkjaOQqcT1+1U17u8rb/otrVunIl6v7bXTJ +I06Q6oK3UsWbOO67gIm0/KctC9MAZj5zxRgBIkxWasY5ywrbtkWanfoj/rq5kyCs +HQZL1K/Wc+hN8hRD+pjlKRkjAxNPKpySqGu6Qqo6I7SALv8gFqGl6C7T+T81jqTk +m/3M1URZx1obAoIBAAOLU2bpygvsoUh3rf2ciCEeB0yJ6qfLNIH4xYiVyRDErr6H +DkzwdsI2IFn29/FbLYpV30WWyvXWAusK41oTCvRmKB313H3MsEtpkYb9emrChjYg +HzNKqQfq/UB7VwW5lqm4wvaqy9lI45mDHpe3kG8RcXrjMbCL3mdiJI8rORKuCF/l +JhVk1BuBUPyve+QrS6c+v+2b9CZsI09cig9DKR5kHjuoFXGqFoAcN33QhTdWTLon +JFJNOmvpdJtYfJuK/RX6Fef0wFcU+GG+7o5iDoZuqJkEDw2w8hhdt6tkV1UmUL0h +Q3tP+k+PpXBSDkzC3TORtgaycLx5vuISMANp9wkCggEACveYxnXbcvJ9rppOhUZz +BM7IHQSD1vyzDYLkjpNy5XT1gP3EMG7MUFoFnYav4NsObjPQn3JMSSKCsNxsx1lc +tYYe+czRCLf7K9h1ZlNSl8C3fzfCrTLLT3Qmdy4XBzBtF5R2CX8UjmpGXV2ALxQA +XicQAP/AOYDbIPwxwMirrZHIFsHFuK7z4zVqawfImv9PG9WeYsmivnOdkbIfnuF5 +R3ifI8RswmWkxYOF7tmnxDAblcRII9kGKJZ+a2/U8hR8XYdIsWfnO0EC3RYs3i3L +nqcCkIyb2rqaUx2R6pvLnwBxkuad4zucW/01mI1kHGtKU++lksnPHWehQZbOe5G3 +zQKCAQEAvclCB7rC3ZuFFYAaAdyb8eIji0nnbLh/kGXHiLZMjkAvrIPy5bXxD+BH +xPde2VBGo5HgG6xiUTthw7CcpU33Z31+bYhmTLnYl2BhIWsgzEJpamVLHzOJRIG5 +0QBuL26yAdDd2vLHfvtjGpGWtQc8NCgV37KdkjWq/b7Hi0MoeeWQd1T3c/jhegWU +9GV9hc4A+Y9Dtu7JM2TR2PmgWHMTlAYOzHWRUjO8P6B/laSREC2SZ7Isx6v+Rx2y +tpWJk+LqRg5eRMPQ4C0p3GK0lzTO8K0YioP9J7Y7Y1uJKlnSmRiTRCpT1RpTwLPo +P9go6JeM/tWfrt16799jK62c6g9CDQ== +-----END PRIVATE KEY----- diff --git a/test/data/certs/generate-test-certs b/test/data/certs/generate-test-certs new file mode 100755 index 00000000..84ac996b --- /dev/null +++ b/test/data/certs/generate-test-certs 
@@ -0,0 +1,56 @@ +#!/bin/bash -e + +# Script tested only on Fedora, CentOS or RHEL + +# server certificate common name (hostname) +SERVER_CN=${1:-server.example.com} + +# client certificate common name (hostname, uuid) +CLIENT_CN=${2:-client.example.com} + +SUBJECT="/C=US/ST=CA/O=Example.com" +CA_CN="Example CA" +DAYS=9999 +PASSCA=pass:temporary_password +PASSSV=pass:temporary_password +PASSCT=pass:temporary_password + +# test-ca.crt +openssl genrsa -passout $PASSCA -des3 -out test-ca.key 4096 +openssl req -passin $PASSCA -new -x509 -days $DAYS \ + -key test-ca.key -out test-ca.crt -subj "$SUBJECT/CN=${CA_CN}" +openssl x509 -purpose -in test-ca.crt +openssl x509 -in test-ca.crt -out test-ca.pem -outform PEM + +# server.crt +openssl genrsa -passout $PASSSV -des3 -out $SERVER_CN-server.key 4096 +openssl req -passin $PASSSV -new -key $SERVER_CN-server.key -out server.csr \ + -addext "subjectAltName = DNS:${SERVER_CN}" \ + -subj "$SUBJECT/CN=${SERVER_CN}" +openssl x509 -req -passin $PASSCA -extfile /etc/pki/tls/openssl.cnf \ + -extensions usr_cert -days $DAYS -in server.csr \ + -extensions SAN -extfile <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:${SERVER_CN}\n")) \ + -CA test-ca.crt -CAkey test-ca.key -set_serial 01 -out $SERVER_CN-server.crt +openssl x509 -purpose -in $SERVER_CN-server.crt +openssl rsa -passin $PASSSV -in $SERVER_CN-server.key -out $SERVER_CN-server.key +openssl x509 -in $SERVER_CN-server.crt -out $SERVER_CN-server.pem -outform PEM + +# client.crt +openssl genrsa -passout $PASSCT -des3 -out $CLIENT_CN-client.key 4096 +openssl req -passin $PASSCT -new -key $CLIENT_CN-client.key \ + -addext "subjectAltName = DNS:${CLIENT_CN}" \ + -out client.csr -subj "$SUBJECT/CN=${CLIENT_CN}" +openssl x509 -req -passin $PASSCA -days $DAYS \ + -extfile /etc/pki/tls/openssl.cnf -extensions usr_cert \ + -extensions SAN -extfile <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:${CLIENT_CN}\n")) \ + -in client.csr -CA 
test-ca.crt -CAkey test-ca.key -set_serial 02 -out $CLIENT_CN-client.crt +openssl x509 -purpose -in $CLIENT_CN-client.crt +openssl rsa -passin $PASSCT -in $CLIENT_CN-client.key -out $CLIENT_CN-client.key +openssl x509 -in $CLIENT_CN-client.crt -out $CLIENT_CN-client.pem -outform PEM + +# print and verify +openssl x509 -in test-ca.crt -text -noout +openssl x509 -in $SERVER_CN-server.crt -text -noout +openssl x509 -in $CLIENT_CN-client.crt -text -noout +openssl verify -CAfile test-ca.crt $SERVER_CN-server.crt +openssl verify -CAfile test-ca.crt $CLIENT_CN-client.crt diff --git a/test/data/certs/localhost-server.crt b/test/data/certs/localhost-server.crt new file mode 100644 index 00000000..acc3951a --- /dev/null +++ b/test/data/certs/localhost-server.crt 
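Review bot: test-ca.key is left passphrase-protected, which contradicts the README in this commit listing it as "without any password". The server and client keys are decrypted in place with `openssl rsa -passin ... -out`, but the CA key has no such step, and the committed test-ca.key is indeed an `ENCRYPTED PRIVATE KEY`. Either add `openssl rsa -passin $PASSCA -in test-ca.key -out test-ca.key` once both certificates are signed, or correct the README entry. Both `openssl x509 -req` calls pass `-extensions` and `-extfile` twice; presumably only the last pair (SAN) takes effect, so the `usr_cert` pair looks removable. A header comment giving the arguments used for the committed files would also help, since the defaults are server.example.com and client.example.com while the files are named localhost and client1.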
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFXjCCA0agAwIBAgIBATANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJVUzEL +MAkGA1UECAwCQ0ExFDASBgNVBAoMC0V4YW1wbGUuY29tMRMwEQYDVQQDDApFeGFt +cGxlIENBMCAXDTI0MTAyMzEzMDM0M1oYDzIwNTIwMzA5MTMwMzQzWjBEMQswCQYD +VQQGEwJVUzELMAkGA1UECAwCQ0ExFDASBgNVBAoMC0V4YW1wbGUuY29tMRIwEAYD +VQQDDAlsb2NhbGhvc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCh +AVR/jYDEx5LrdrnFf+qicMkDsiYiHJf5K5sXsaJmH6wCGnXrNElHApEzhM6i+vMS +LF6b87aTNaMyIKDuF5/UaLxe9LwE9SJYv8MKaLq64f+38NhI8cOuseiclLtfgW2h +RDtdLi60geywpmCpNY3WmaAqPBy/ZLP+UZLLQuHj7Mbe+/zSTJOvauIuQfi46L02 +n3menynPpPj6U6fR+z5gRYAAhdEMCK41UujVgoWEJ7jn9Mkj7DnqdgpWT7IkIS3o +C9b63D+qAoXNIKoNxsOv+HRKaAZ3kIT8F/n7/U4cYw/TiAVIqs7uGkCLaCh0OWMI +TlRxJQU7kzRoaCzc0XL89JHOEnSOCCFkNSbPobpdK0CHNxpJ4LB/U1ctMI4Sn2XB +17IgbLyTGVLZOQhJKIMCvbEoUpngjYygJK2FdCbkFakgP7RQHAjQ7wayJdRqfoOs +UsBAAMiGoCvstuvYcdfBs/XTJr++0D4H2HOm7saALhmfqNVVPUIQXcm5NazeIpnw +Ck9LpeyVrouP/KcI1CtK5rm5BCDfT/oK9nczTkGCSRHLp/jxzsMTNY8LD52Dj3/f +y9fy+D6ifxlRz6htTNG4FoWtwbRjaAPmX8n4GPrFcmqglmtUHQ1vs252Qyk+NDoa +74kzXoLr9g2/gEB4I6X67eE/vIQ8Z/z7iEA+zDiGHwIDAQABo1gwVjAUBgNVHREE +DTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFJkwfQk1qwA2ac6j0XkmV+9MLYLZMB8G +A1UdIwQYMBaAFJ8/KN5DmLEmHAj+gZuLz7hESTdpMA0GCSqGSIb3DQEBCwUAA4IC +AQBwEvBjEONESrKRhtHFxKhzZ4etPLPHI2hCKpJ7xiABfTkd366povDAyhNQCD5Y +tmexcLiYTmfPaHamcUzMDUFNuaAz1pbF7SGJxt5ppr8OwK/Gr1cSaUIq23UzQW9e +FqE94gdkYf7+mjYU68TR2BLwqqCQDJvb+/XO5uqXwzxMoRDXwDapT4Pt507odHMp +AmP/n2JKRysFP2PNc4vc5pphvWtQ44eX2K0Nl0eVdZiCdS7sKc1eFmkwupvenq8x +Pgdu9oh7PQFn7TGGcV4P1EsF7HbpwYJc7CBFxMd+E0uoNhcSDXoyjHLQzV1Wjykg +STh44YzSzeMsWf3jiKQKx1/ky4ZSy/cq+iaNuowY2Nqb+mdtQ8ukU71eAiRinqRt +YALcUuexLFsnYKbVxob3eryIm7kesxuJ7nroyiWmfa6w6cArcZoBM7P1devM+1h9 +lxIyFKRWONvzqm+5wGx+U1TIiYI78zJ1oTwzQGBbhSz94QvHzjqj9a1i77cgl6uX +q+AVHMb6JW+SojrpROxjNA0Iwqki8b4COIpjzoN7x+dpLo6bqXatv+9aGZZ6MRk6 +koFMwKFHzpCqd1Uoqp9MntyiYL1WvNVLxM+nrql1HfBcrUuAg2PYMU/qNI/i7Hkg +Wa8s4P8Y7I5s4PfC9rih2XqBaaDDOinLaZJHBEHoX3sXpQ== +-----END CERTIFICATE----- 
diff --git a/test/data/certs/localhost-server.key b/test/data/certs/localhost-server.key new file mode 100644 index 00000000..88f44a68 --- /dev/null +++ b/test/data/certs/localhost-server.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQChAVR/jYDEx5Lr +drnFf+qicMkDsiYiHJf5K5sXsaJmH6wCGnXrNElHApEzhM6i+vMSLF6b87aTNaMy +IKDuF5/UaLxe9LwE9SJYv8MKaLq64f+38NhI8cOuseiclLtfgW2hRDtdLi60geyw +pmCpNY3WmaAqPBy/ZLP+UZLLQuHj7Mbe+/zSTJOvauIuQfi46L02n3menynPpPj6 +U6fR+z5gRYAAhdEMCK41UujVgoWEJ7jn9Mkj7DnqdgpWT7IkIS3oC9b63D+qAoXN +IKoNxsOv+HRKaAZ3kIT8F/n7/U4cYw/TiAVIqs7uGkCLaCh0OWMITlRxJQU7kzRo +aCzc0XL89JHOEnSOCCFkNSbPobpdK0CHNxpJ4LB/U1ctMI4Sn2XB17IgbLyTGVLZ +OQhJKIMCvbEoUpngjYygJK2FdCbkFakgP7RQHAjQ7wayJdRqfoOsUsBAAMiGoCvs +tuvYcdfBs/XTJr++0D4H2HOm7saALhmfqNVVPUIQXcm5NazeIpnwCk9LpeyVrouP +/KcI1CtK5rm5BCDfT/oK9nczTkGCSRHLp/jxzsMTNY8LD52Dj3/fy9fy+D6ifxlR +z6htTNG4FoWtwbRjaAPmX8n4GPrFcmqglmtUHQ1vs252Qyk+NDoa74kzXoLr9g2/ +gEB4I6X67eE/vIQ8Z/z7iEA+zDiGHwIDAQABAoICAAIOZ0rdvshEmD7DnGnGUXPT +pu2SJ+SFovc+tFNgJGfTfbnlJp5jY5AxmzMiPhVcyR/xSyAIw8srgzMPsZ541MS8 +tbMswv35N4AUquQGJGRgoIhz3f9IfyxK/2KIj8APghvuKCfvgA80HZa/+ToQAgi8 +m4wOintzSM01s38/Em17x6pvY3I4Iia6YbsfgpKx/kClVsNM2xbYz4k66kjHQauv +F4xqKRpTPg5WSbz4VsYyT60+thbsXGz/JvClQewuNEzjYdKAX5vHPng5M5LLeBJW +RP3ySCrcwKYLlFjAim/YYApekVq1O8FUuoBNSz74wKgJgBCV3XQ+VAwFUJVdY2+M +ZNUgXIm3WuHlxj9Bo9PeLr1v3EVmerwoIJP8P/qPE5TS4bXeRzZRWddIfloXZAOk +UQuu8Cg+Ljo+NIB/gnbp22Jq2vL7pHRz1k5nzxGj4Oy3qu8mTLgNpu37x/vnQ5Z1 +OxCLCcSUw24ufqHCwBkwEXAt2DyL/XldfVMV7Mkhsk1il5VvraygLO2deCvyx0b2 +Wt8ydzwlcHO+EIvZpOq8rp0wrrcjFbjFfnJUf6hRYYXJkBQuFKbLZGJVRJjPRioA +Wrtye5PjC2kHxe8X3VLNn1d3vMjvwW3IYYh9XhBnFx1JaAXuo2gGiN6yNoWp4CmP +9f+0vk00d+oyYmT5oH9RAoIBAQDiEa13vuRbRt1wS+CiHVzKMSk6qChGcZPvVYqe +p04Kka3UWQnB2naICk82SHF1NjXxdslgxfVTPplNYeWxa9Fi7lGXZ8t7WjO2hxMA +iDDIBsPy60KUNQR1fRloMoMAzgSN1E27R0q7GDpIttkYE5ERvxs0DGDWtNumivcp +L4i+bTXciP8qREDEKb4JS5aJ4HLXhLEz7F4a0pPN5a26zqjlD/5ww8wOnJB04Q30 +TQl2wLVvY4He2EEjekuIGEuz8bCkCGajZ2vadiuZGIvjK5d4yX9VbqNBDeCeWw7c +4Z23YOpXUaCKKVSeV+NztAN2XgD5VcZV3q8igmbBJqjuXCwZAoIBAQC2UmVcuU8s +0s2GuPlunNidbuj3Vem1Hpw3bspiMvvskNIc4FpDySe2PkCA33j23Iqhz1Jo2peg 
+UPSpzRdYnFuy8cbwEAInH8BN+2sdgZzTXw67FUZzpqtX9F2kX4JThpzIr4G31sXj +mIPfn10q2hovblKD81lDXzgXYNZ291ojM25b99amIzEtMd1zk0o9ElcZ9nenFqZQ +zctqi25F1Te3ZdrjbrQIrlqeqcK0jReZj2aWm6t39d03K37kfNazzF7DUP1XfN+B +iNAhPKCSqVrzxhxWA4T093EqseA+CyNYmXTyWWt6U0VkSEsMe12dvF92Di0EKMd0 +POanuNNWOQr3AoIBAH9OiStH2nz0WTsl36grdNd/+8HGdHfG+hHrUBasDKyzAPr1 +8SKzjdBqTdU50nq5PoNt61WN5Ost81K6cIkLOGzH3DaxAsvCLiD5y9+e0imydaJU +jbe8a3hmLGqbF17apYHhLqzqJtFZgWj1XyfJzQX7Yqxa1CXUz2ToGOuekxj5kz1Q +ALGiof5Vq2i8oleeh82KMegVkaD1OLrYPo9WVZI5AYYrHLyVulu3aQ5MW6n+N640 +kSwXCAeclPBdDjSVRG37NSGL2ha6OS8Lvar+H1yrzAMmPNUjpXxHtwT4IMLl1tG5 +a/ih8b8Bq1q64sBDi7TdcsVkk6eRW6Alzzf7u/ECggEAdERNMXlW/U2dFVnmbtyE +4ri0xe26sO7JTixP0ZmTwAOGijWkOnAP7A780XIxULPJkHCGrCkh4nFd5N7OEYr8 +izvV0odS6CI+XzyCzXk3Si/nU/S4Tc4unFNQWB80HBHO78fEYDkNTxuWlUeqgUY+ +xpqC8nSAKw+Q1I/DlHAewi3tJacB8kak+J5BC5AVGqcUdpEPMrWl8AecveAWvV/A +PSsuEDUriBGv5lh5uuvy7dFd6ZNyIHjgzmrla84UmOouUD3YoS8X1SIrH9bqyzxG +rQhcT5nE8vbM6x4t00MFEl4iDt5pRMPPj6juexI82/chpUZa/LkIoJ6ptLGPy/9q +dwKCAQA8W6KNjkbk36luNCw8CLZJQ8DT7ZKCjGM3sz6wY8ZKO+JVtPWq/Q74F2rH +ooClOf9+HOw/AxmfAMV9lW+epibHOXGTfs59UQ2rfXsS7sCZpMimtAQMjSQx4443 +jUh+3OqW1cTGyPxKvPPvnftwpEvTEigIJAjUQcSF9w/MjKM2M4FQBgFxcfaooh1E ++/sDBbHsGYGaXC5vfW9wMbsfhj6Un8Z+gLWR0qmpOU/RrVmXIGqoTnOt7MWrueyF +r8xDXM/qz8mCaY4pLB/AU4krBUEUBFPOC6QG7y3bSfd+mgwbsAQ7a7Qc2QhUDACY +PBk7BpRR/G/0yKuCfCA2+aCaIdpP +-----END PRIVATE KEY----- diff --git a/test/data/certs/test-ca.crt b/test/data/certs/test-ca.crt new file mode 100644 index 00000000..e4852da6 --- /dev/null +++ b/test/data/certs/test-ca.crt 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFbTCCA1WgAwIBAgIUfmIUyNZnBGs3PDW2fDd/l1PID0UwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQKDAtFeGFtcGxl +LmNvbTETMBEGA1UEAwwKRXhhbXBsZSBDQTAgFw0yNDEwMjMxMzAzNDNaGA8yMDUy +MDMwOTEzMDM0M1owRTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQK +DAtFeGFtcGxlLmNvbTETMBEGA1UEAwwKRXhhbXBsZSBDQTCCAiIwDQYJKoZIhvcN +AQEBBQADggIPADCCAgoCggIBAI9FWBUReh4Kg/Mz1WrdKn9fJGuDVFzSWQ2mGt3Z +WjEkICRwKS4KaiO+oO/DgUaWb7/cAx3nlhmpRBcsE+eqpdsYlTpo5o0+NwLPR31U +4a0Tjsjcc9MYUO/YNnqSNuncZUDHxL34Nrha4Czf4nGWtHuDJT5sNkdbOb5KocWC +jO7Nx+wWCJVrranAoZ7RDQjA+A/n8i5TLg9SykGpbDomqMviXpzzpBYnqvBgf4sD +3DlWdFoz9H3LdZmUHTirsRRNVMrB6qB+f/nkAsMu8+oWhAbS9leY7aZe3ULTkhHm +5mprHnsbgFdJgV1thE7Hcu7X0CPNOe+zCny8XNDt92g6vu5nKy+/rLn7Jmc0allg +Hub4ALvWbgmNQDdk6eqWqKxebmsBUlj6yw0Ayn2n//M67YD79jrz8zUu2hb8ajbN +sOfzw0cDUz/gBcC7I16j4D4I4LTuj9VDd7pFDXuupYjOC7RVCHe5MDHNyrLdv2x6 +niM8cPzzfpz65YG6FiN/bPpAjTbvuxs8vFYd3hmSQRrD1BQWWk4m2dMbc9LEDGIE +KxUJw7QWezHEebYhswVFlDN+DIYiva4K/sUZMa6GiEhNrZPgmHmzFNRciHJtGCIe +8O3roIqiECs+a+JADlzxBn4DDk/W896Jm0UYTEFpzrH0h4U0wlN7+UI2xNkngFe1 +W4kfAgMBAAGjUzBRMB0GA1UdDgQWBBSfPyjeQ5ixJhwI/oGbi8+4REk3aTAfBgNV +HSMEGDAWgBSfPyjeQ5ixJhwI/oGbi8+4REk3aTAPBgNVHRMBAf8EBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4ICAQBTGQXFh1Bdwex4xgqRpCPW5Rl7jfcnzCObRUXDjS6j +UC+2YMu7U3kA7MOQoCGUHHRsaFQbziFdJv1vpLDI7/kd1QV4g9jTQVeOIE22mpV0 +zR298FFz8bt9H9FCcF4of1bF1Qttrlt7DuIWRe+IPCLs23wPIR0jqD5WnErwd2V7 +LkVZxeXkizjTAslS4DPb5ZhvpJ8QeDWumVZu5WS896HAhUouavnCbXBR3MnmTwqB +v7I6EhpGe218Mw5FKbnng4LdA+cgocl0NRg8712Iz6o1cf+v457M+pilWU1ZuUl3 +h6E7VqSZ/RTWEVTGd9EJRsFBBzMmOIkK2z0wyddEFXvomBOdwmGIGs8YnjK7ZF36 +9oEIF/mBF8bNeIcOqzURsKIFHdJZB0juSgKhIeb3WKd6DSnoa+cx59/kfg+xSYrK +IfJYwIX0x4xtvfdXq4OFa4XFh1p0pvtwkaBctOrJt4sQIsmFwGbQzxANVsc0Rtjc +B2aEtEHF5s5Z9EQL1STQSbUuYWpACbnAflzHtrZIFxmKZxgmjLQs8x4mIrMy2gFY +I3wMx3BimIrL6nGPGUApYcb5V45Yf1lMJUmu2/nRIAA/IZP03S7QBjhiOAduw9rq +Pzm5vrxfK3o8doLPz2omJfRyyr5ClYBOlthS0htNS21XSuh0sBYaDPJVRp07dWzR +jQ== +-----END CERTIFICATE----- 
diff --git a/test/data/certs/test-ca.key b/test/data/certs/test-ca.key new file mode 100644 index 00000000..8be66b86 --- /dev/null +++ b/test/data/certs/test-ca.key 
@@ -0,0 +1,54 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIJpDBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQOxW0fGTkM6tmk3dq +t1X9lgICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIuCORh6w1b9wEgglI +uIBIC7MrSwHTgWyRgoROC8Rj8hl2Djg93JcoGPBw3C//nnjIwFf1PRLtpIORK5bX +WEKeW+FDOyzA4IKBiDNEg/YQXMOwg3ZwIZPUqsVY/ql3lBLWdV0cMWvYUcg1H3Lm +zQfI+dQM9aVzDsWJyAgx5j1xsKpK8DrGOVUaqdCPbLSwqccn9vExieiZRuHvscwt +kkxU9hsR3qGDQV1sRaiRXkA2woShV6R/cvMNmvCJfQ3uZS8FbSxVKHrnxKmUjSEN +2vGLtRiIE+R1I5dZ32Cl5awm7GOdGjBagNKqnhTILyDAVDfG6alhrVhz5Reyq15/ +O5fhm+9oZ6EsG3/rz9JJNyHzWn5ifyeYNYfKqWkKmSXZ2wPJZRnogUHh5PYEbK7f +Z1cUJjzpcN8jjab9gkBhYiZws0iBHYd8n4ywisSBZejQL61UYz+rokWw3PaoJH2i +AwKo3Wvo5+ihxZcdV1U6n+FQyq0CR6ZtBxAtjDDW2V9qMwvBXBhwNAUMRL6lMkGu +42Ubq8ivlg34078UCGWaI/IM/N/gLXKBoDavSNvV9C9GTg7MKXWk/Js3vfbW9WZD +RXVRQV0q/YaKWEZaWhHc7eOQMF9t3+kV92vuNixggOjy11oJpzJWENihkL2Z/OJn +o49CU1YAtiTfZiILK1wS8c1rbv2U/wODvKL5Dv0sI2N/8wwDM2JwftCGbxVz5V5S +huOtX3DXUVL89Jw+7Njo+JhgLH5Xx714w8PkHpwmbgtcbBi/eAyVyxrJeGA6HxwV +a5f8cfxmYQNN1vPOv9VzCIFEcky14p/lpttEXFKHpA6sk1Ed3DOtTj3jglVamYeh +G0RCpFginNfyHBtLQHE7LpwM69F6PNrzhh5mS7+almZy46nSFUEbtrpROgu1U9cK +Kj2BctHnlOYlIfELtwQVaC/iUbq622yuZLWHhuu6xmkN9xxknWs0CexGDlROBx/W +bGGoJLiXwo8kFINxw5UtlQJ/52NNvx4dsf/f93P0opY8oG+tw6sJ77Gs+oSuXbiE +dqS/HwLtwfYPX4pSMpSeVT1Z8Z5OIvJlwINszRJr/zNCSL5+nqvVCrl8tNmYPrx0 +bCfmwrtD4ulwo1IwGi1EKlIQh4izjvpND1fLtu57OnsmIF0/jeXOMYysPLPKyOXT +a9LJUW1vEyIDSPGYdQW8NoTr4+Dc7WwzMBEbdFR1jTuf7TTDFLLBevRFkzx3fwCn +ugJS/vvsw5khGXp5rK4cJWLnBSuyxGos44WDpEvHTdIImSfKU4os+C9qBwhrnkBC +rFqrOmNxEuP7yF9rSj1vCBtpwlmZ4N5GKb7gcrJ3EPFu0aUkkF9HV20RLxlewOru +IIEzEKkRmTFyRCdI8IbjIzYTZUZq3Pf3I5hejPtCHOiW8dkJjONyvS0Gr9Ybs77S +glxx0b+GReAs3IokAt3aW/MLSJlOQnc7ez94YLor82uCBg2s65e6cnl8nW9nLudT +3gZ8UrBHhr4VuI9q0ghBp/J794VNl2idTjTO3shSTj+0Lyz1klZQ40/vU964JEdo +qScP5EyJysuZUepx4FkL+7WozbCxoTnoxkrXKkfEMlQnkGbb08h4NIxpW8+vICBb +gqyQZqqz42+4WIaxh1ZZD0W8KwpzmNZrMGzG+4jhe+ZyyEotDvSDyQUxzsYErX4A +ANKqA6BGtHEpfzjnofTpGhKo8pUvfbwGpehchNzGpm2JC1Qw7XD4D03fi2sZHhMH 
+s8xOF+ggihqj4nQxe5rqoyjwyXkaieNafF/6/aIkFb63B5muugn5Zklh3dyqnHZd +BxFmKjqhh4gZOByBS2ARxip4BN5/UEFqX8S8qYqzhUsJoBjVJVP0+Jt6VKxlfH6j +DmJ58s0udD6HV6/tjf/bW4Q2GStQwtw6Qurw2DQhXq5F+3oCsnrQZWoEiX3a3rs/ +83gNJ88FpcXz48NDHyPud9ZnKU48NAQuOHcxqAYNNHcxq1Y7GSBT9N6mAbu7ncwB +htYA20FcNkXcfxaAO1e9oXes5pIf0eXNVyTbgN6GT0qE+4oAPTAoRb1guyIqRCHR +optiouwNOdv6rYxDyjzfDvWb89pRwixExz+duyAqxor5Lue41ctr9AVKRw+2ZrIU +qHjA1/mXGjNX4MedtwHkYld9igETlmWPAFLgGkYgiWHRyQg0mnVHJUue+7dczmxz +w2NkCjUcLEOlj46OIv1l7b2A5mbksFodlQbf7byFiLRYEgQWbNCOhGaObjIubgjM +h2AC9lLDYGIfW80p77eaRTEWypNcLu7BpW9egUHDHizWi4lI8RzCmiY99dBAY4QG +6pUPMecX8ElFn26DxMmmb72mCWBSbTXc4va5JGjiR0g3xtyRTyGOHJey4uI2CAjG +fbRcXSkyfhLvrFhYUwSbDV3k3NeKjSPSQyDBdj0+ym1/e5seHAc7lc5MafpKOENO +bEvzzPt60Zxv+dt34zaLM4Fm8FI+XRzm1IzKCxntvM804GbINTHPRbTbKhfVBKfS +/auuaXUNkvAc3HPuvBwatqL7DkaTUlXAQSDYxnWOoN7a2dZiXEwtTuTY3Yu3+gih +eLFpGLOT6G14Q3GtZlygqISYcwE7vy2T1OMlAPpao6o2N3GQvqI/kZh6ex+MD4aF +/22kjUSjf0rzBEDuwNCuCiT38oV9QCv3qqB/ciLiGRCmEvtsI/wOPc0uGEjDSfDG +P6zHoLbnVbzWJjfTB/CHZiNShxSVgte4Vv+IZFWVchRRzI83fMyyqxJmBlqAQPnX +gdgQlksqtxa+ihTi1h0GygZY536/B0GEQqGYx4VWbgpA4vZhWYwLZGUaqHf9ORYs +6A/wSH0vaFoal0rVQYqEh1TcTDUU9784MmWKtNjVJzhJqX1r4OQY7BYB8KLL4AmZ +xpihWPo07qu4NlsIeOeVarM+F8MDfW9BUm9ixUjfyxL6PKWQ0sItDegtf9vEJyz+ +3dOHbnHopftK0nDp+arQuip+bQaGXsKBrohf8MZzjVWegXqZd5eRx07gVfjqalSA +Op3P9yZVygZ3KtiKZjpppX0I8buatUgSnYT6yDbocbayfucZJA+28t7w01YZGVeZ +iu99XkTwqyO/c2vapcJi9R6ERwtOKjdhyQu94T13Q94seezYPQ5GgPl/4/v4wH4H +dMdS0MZ7dwa4ZNQeUxzOV3aEbiA763Oo +-----END ENCRYPTED PRIVATE KEY----- diff --git a/test/mod/test_testutil_net.py b/test/mod/test_testutil_net.py index 9dd04009..beb2f159 100644 --- a/test/mod/test_testutil_net.py +++ b/test/mod/test_testutil_net.py 
@@ -3,7 +3,7 @@ import pathlib import subprocess from osbuild.testutil import make_fake_tree -from osbuild.testutil.net import http_serve_directory, https_serve_directory +from osbuild.testutil.net import http_serve_directory, https_serve_directory, https_serve_directory_mtls def test_http_serve_directory_smoke(tmp_path): @@ -37,3 +37,30 @@ def test_https_serve_directory_smoke(tmp_path): f"https://localhost:{httpd.server_port}/file1"], ) assert output == b"file1 content" + + +def test_https_serve_directory_mtls_smoke(tmp_path): + make_fake_tree(tmp_path, { + "file1": "file1 content", + }) + cert_dir = pathlib.Path(__file__).parent.parent / "data/certs" + cacert = cert_dir / "test-ca.crt" + assert cacert.exists() + servercert = cert_dir / "localhost-server.crt" + assert servercert.exists() + serverkey = cert_dir / "localhost-server.key" + assert serverkey.exists() + clientcert = cert_dir / "client1-client.crt" + assert clientcert.exists() + clientkey = cert_dir / "client1-client.key" + assert clientkey.exists() + + with https_serve_directory_mtls(tmp_path, cacert, servercert, serverkey) as httpd: + output = subprocess.check_output( + ["curl", + "--cacert", os.fspath(cacert), + "--cert", os.fspath(clientcert), + "--key", os.fspath(clientkey), + f"https://localhost:{httpd.server_port}/file1"], + ) + assert output == b"file1 content"