aboutsummaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2021-02-24 21:01:12 +0100
committerGuilhem Moulin <guilhem@fripost.org>2021-02-24 21:32:01 +0100
commitc612a7ff44995f4f9c39fa0fb68470d90c88decf (patch)
tree4b0a3fd2c44dbc25653a93b7ec692a003f0e133b /tests
parentcdd025133a306cd8d3e81aa832ac056119d65f3a (diff)
lacme: Default mode for certificate(-chain) creation is 0644 minus umask restrictions.
Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge response files.
Diffstat (limited to 'tests')
-rw-r--r--tests/cert-install45
1 files changed, 31 insertions, 14 deletions
diff --git a/tests/cert-install b/tests/cert-install
index 5d8a239..c49a294 100644
--- a/tests/cert-install
+++ b/tests/cert-install
@@ -149,40 +149,57 @@ st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)"
st="$(stat -c "%U:%G %#a" /etc/lacme/test5.crt)"
[ "$st" = "nobody:nogroup 0644" ]
-# chmod
+# umask restrictions (also test empty values)
openssl genpkey -algorithm RSA -out /etc/lacme/test6.key
cat >"/etc/lacme/lacme-certs.conf.d/test6.conf" <<- EOF
[test6]
certificate-key = /etc/lacme/test6.key
- certificate = /etc/lacme/test6.pem
certificate-chain = /etc/lacme/test6.crt
- chmod = 0400
+ certificate =
+ chmod =
+ chown =
subject = $subject
EOF
-lacme newOrder test6 2>"$STDERR" || fail newOrder test6
-st="$(stat -c "%U:%G %#a" /etc/lacme/test6.pem)"
-[ "$st" = "root:root 0400" ]
+( umask 0077 && lacme newOrder test6 2>"$STDERR" || fail newOrder test6 )
+! test -e /etc/lacme/test6.pem
st="$(stat -c "%U:%G %#a" /etc/lacme/test6.crt)"
-[ "$st" = "root:root 0400" ]
+[ "$st" = "root:root 0600" ]
-# post-issuance notification
+# chmod
openssl genpkey -algorithm RSA -out /etc/lacme/test7.key
cat >"/etc/lacme/lacme-certs.conf.d/test7.conf" <<- EOF
[test7]
certificate-key = /etc/lacme/test7.key
+ certificate = /etc/lacme/test7.pem
certificate-chain = /etc/lacme/test7.crt
+ chmod = 0400
subject = $subject
- notify = touch /tmp/test7.notify
EOF
lacme newOrder test7 2>"$STDERR" || fail newOrder test7
-grepstderr -Fxq "Running notification command \`touch /tmp/test7.notify\`"
-test -e /tmp/test7.notify
+st="$(stat -c "%U:%G %#a" /etc/lacme/test7.pem)"
+[ "$st" = "root:root 0400" ]
+st="$(stat -c "%U:%G %#a" /etc/lacme/test7.crt)"
+[ "$st" = "root:root 0400" ]
-rm -f /tmp/test7.notify
-lacme newOrder test7 2>"$STDERR" || fail newOrder test7
+# post-issuance notification
+openssl genpkey -algorithm RSA -out /etc/lacme/test8.key
+cat >"/etc/lacme/lacme-certs.conf.d/test8.conf" <<- EOF
+ [test8]
+ certificate-key = /etc/lacme/test8.key
+ certificate-chain = /etc/lacme/test8.crt
+ subject = $subject
+ notify = touch /tmp/test8.notify
+EOF
+
+lacme newOrder test8 2>"$STDERR" || fail newOrder test8
+grepstderr -Fxq "Running notification command \`touch /tmp/test8.notify\`"
+test -e /tmp/test8.notify
+
+rm -f /tmp/test8.notify
+lacme newOrder test8 2>"$STDERR" || fail newOrder test8
ngrepstderr -Fq "Running notification command"
-! test -e /tmp/test7.notify
+! test -e /tmp/test8.notify
# vim: set filetype=sh :