      1 # Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
      2 # Use of this source code is governed by a BSD-style license that can be
      3 # found in the LICENSE file.
      4 
      5 import os
      6 import subprocess
      7 
      8 from autotest_lib.client.bin import test, utils
      9 from autotest_lib.client.common_lib import error
     10 
# Absolute path of the OpenSSL binary exercised by this test.
OPENSSL = '/usr/bin/openssl'
# Command prefix for offline certificate verification ("openssl verify").
VERIFY = '%s verify' % OPENSSL
     13 
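class security_OpenSSLBlacklist(test.test):
    """Check that OpenSSL honours OPENSSL_BLACKLIST_PATH.

    The test certificate (cert.pem, signed by ca.pem in srcdir) must:
      - verify with no blacklist (/dev/null),
      - be rejected with each of the sha256, sha1 and serial blacklists,
      - still verify with a non-empty blacklist that does not match it.
    The same expectations are then checked over TLS: an ``openssl
    s_server`` serves the certificate on the loopback interface and
    ``curl`` fetches from it with the blacklist in effect.
    """
    version = 1

    # Loopback port the temporary s_server listens on; used by both the
    # server command line and the curl URL so they cannot drift apart.
    port = 4433

    def _blacklist_env(self, blacklist):
        """Return a copy of the environment with OPENSSL_BLACKLIST_PATH set.

        @param blacklist: path exported as OPENSSL_BLACKLIST_PATH.
        """
        env = dict(os.environ)
        env['OPENSSL_BLACKLIST_PATH'] = blacklist
        return env

    def verify(self, blacklist='/dev/null'):
        """Return True if ``openssl verify`` accepts self.cert against self.ca.

        @param blacklist: path exported as OPENSSL_BLACKLIST_PATH; the
                default /dev/null means "no blacklist".
        """
        # Argument list instead of a shell string: the paths are never
        # re-parsed by a shell, and the env var is passed explicitly,
        # matching the subprocess.Popen style already used in run_once.
        r = subprocess.call([OPENSSL, 'verify', '-CAfile', self.ca, self.cert],
                            env=self._blacklist_env(blacklist))
        return r == 0

    def fetch(self, blacklist='/dev/null'):
        """Return True if curl completes a TLS fetch from the local s_server.

        @param blacklist: path exported as OPENSSL_BLACKLIST_PATH; the
                default /dev/null means "no blacklist".
        """
        url = 'https://127.0.0.1:%d/' % self.port
        # --cacert pins trust to the test CA; the response body is discarded.
        r = subprocess.call(['curl', '--cacert', self.ca, '-o', '/dev/null', url],
                            env=self._blacklist_env(blacklist))
        return r == 0

    def run_once(self, opts=None):
        """Run the offline verify checks, then the TLS fetch checks.

        @param opts: unused; accepted for autotest's run_once convention.
        @raises error.TestFail: when any check disagrees with the expected
                outcome, or the server never becomes reachable.
        """
        self.blacklists = [
            os.path.join(self.srcdir, 'sha256_blacklist'),
            os.path.join(self.srcdir, 'sha1_blacklist'),
            os.path.join(self.srcdir, 'serial_blacklist'),
        ]
        self.bogus_blacklist = os.path.join(self.srcdir, 'bogus_blacklist')
        self.ca = os.path.join(self.srcdir, 'ca.pem')
        self.cert = os.path.join(self.srcdir, 'cert.pem')
        self.key = os.path.join(self.srcdir, 'cert.key')

        if not self.verify():
            raise error.TestFail('Certificate does not verify normally.')
        for b in self.blacklists:
            if self.verify(b):
                raise error.TestFail('Certificate verified with %s' % b)
        if not self.verify(self.bogus_blacklist):
            raise error.TestFail('Certificate does not verify with nonempty blacklist.')

        # Fire up an openssl s_server and have curl fetch from it
        server = subprocess.Popen([OPENSSL, 's_server', '-www',
                                   '-CAfile', self.ca, '-cert', self.cert,
                                   '-key', self.key, '-port', str(self.port)])
        try:
            # s_server takes a moment to bind; poll until the first
            # blacklist-free fetch succeeds before running the real checks.
            utils.poll_for_condition(
                self.fetch,
                error.TestFail('Fetch without blacklist fails.'))
            for b in self.blacklists:
                if self.fetch(b):
                    raise error.TestFail('Fetched with %s' % b)
        finally:
            # Reap the child after terminating it so no zombie (and no
            # still-bound port) is left behind for the next test.
            server.terminate()
            server.wait()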
     60