diff options
| author | Guilhem Moulin <guilhem@debian.org> | 2023-01-25 03:32:04 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@debian.org> | 2023-01-25 03:32:04 +0100 |
| commit | 33687a2e3aea5ae69add7812315445ad23748fab (patch) | |
| tree | 952a06618d7da373043debef8a8c28d4c8371385 /tests | |
| parent | 2a981ac3829f27d3179eb6b6e682dc17cc9c4225 (diff) | |
| parent | b3af3526b293f396da02a6276ea86ca17dcd2d03 (diff) | |
Merge tag 'v0.8.1' into debian/latest
Release version 0.8.1
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/accountd | 7 | ||||
| -rw-r--r-- | tests/accountd-kid | 14 | ||||
| -rw-r--r-- | tests/accountd-remote | 2 | ||||
| -rw-r--r-- | tests/accountd-validate | 36 | ||||
| -rw-r--r-- | tests/cert-install | 65 | ||||
| -rw-r--r-- | tests/cert-revoke | 4 | ||||
| -rw-r--r-- | tests/cert-verify | 2 | ||||
| -rw-r--r-- | tests/drop-privileges | 18 | ||||
| -rw-r--r-- | tests/old-accountd | 1 | ||||
| -rw-r--r-- | tests/old-lacme | 1 |
10 files changed, 115 insertions, 35 deletions
diff --git a/tests/accountd b/tests/accountd index a603c16..433f8ad 100644 --- a/tests/accountd +++ b/tests/accountd @@ -65,6 +65,7 @@ grep -F "Error: " ~lacme-account/.local/share/lacme/accountd.log # rotate the log and start accountd rm -f ~lacme-account/.local/share/lacme/accountd.log runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$! +sleep 1 # run lacme(8) multiple times using that single lacme-accountd(1) instance lacme --socket="$SOCKET" --debug account 2>"$STDERR" || fail @@ -79,9 +80,9 @@ wait # ensure signature requests are logged grep -Fq "Starting lacme Account Key Manager at /home/lacme-account/S.lacme" ~lacme-account/.local/share/lacme/accountd.log -grep -Fq "[0] >>> Accepted new connection" ~lacme-account/.local/share/lacme/accountd.log -grep -Fq "[1] >>> Accepted new connection" ~lacme-account/.local/share/lacme/accountd.log +grep -Fq "[0] Accepted new connection" ~lacme-account/.local/share/lacme/accountd.log +grep -Fq "[1] Accepted new connection" ~lacme-account/.local/share/lacme/accountd.log grep -Fq "Shutting down and closing lacme Account Key Manager" ~lacme-account/.local/share/lacme/accountd.log -grep -F ">>> OK signing request:" ~lacme-account/.local/share/lacme/accountd.log +grep -F "] SIGNED header=base64url({" ~lacme-account/.local/share/lacme/accountd.log # vim: set filetype=sh : diff --git a/tests/accountd-kid b/tests/accountd-kid index e1bd63d..8a4b53c 100644 --- a/tests/accountd-kid +++ b/tests/accountd-kid @@ -23,13 +23,14 @@ EOF SOCKET=~lacme-account/S.lacme runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$! +sleep 1 # newAccount resource fails as per RFC 8555 sec. 6.2 it requires a JWK ! lacme --socket="$SOCKET" account 2>"$STDERR" || fail -grepstderr -Fxq "WARNING: lacme-accountd supplied an empty JWK; try removing 'keyid' setting from lacme-accountd.conf if the ACME resource request fails." +grepstderr -Fxq "Warning: lacme-accountd supplied an empty JWK; try removing 'keyid' setting from lacme-accountd.conf if the ACME resource request fails." grepstderr -Fxq "400 Bad Request (Parse error reading JWS)" -! grep -F ">>> OK signing request: header=" ~lacme-account/.local/share/lacme/accountd.log | \ - grep -vF ">>> OK signing request: header=base64url({\"alg\":\"RS256\",\"jwk\":{}," || exit 1 +grep -F "] SIGNED header=base64url({" ~lacme-account/.local/share/lacme/accountd.log >/tmp/signed +! grep -vF "] SIGNED header=base64url({\"alg\":\"RS256\",\"jwk\":{}," </tmp/signed # rotate log and restart accountd kill $PID @@ -37,6 +38,7 @@ wait rm ~lacme-account/.local/share/lacme/accountd.log runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$! +sleep 1 # newOrder works fine without JWK lacme --socket="$SOCKET" newOrder @@ -46,14 +48,14 @@ test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt ! lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt 2>"$STDERR" || fail grepstderr -Fxq "Revoking /etc/lacme/simpletest.rsa.crt" -grepstderr -Fxq "400 Bad Request (Certificate already revoked)" +grepstderr -Fq "400 Bad Request (unable to revoke" grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.rsa.crt" kill $PID wait # make sure all signing requests have a KID -! grep -F ">>> OK signing request: header=" ~lacme-account/.local/share/lacme/accountd.log | \ - grep -vF ">>> OK signing request: header=base64url({\"alg\":\"RS256\",\"kid\":\"$keyid\"," || exit 1 +grep -F "] SIGNED header=base64url({" ~lacme-account/.local/share/lacme/accountd.log >/tmp/signed +! grep -vF "] SIGNED header=base64url({\"alg\":\"RS256\",\"kid\":\"$keyid\"," </tmp/signed # vim: set filetype=sh : diff --git a/tests/accountd-remote b/tests/accountd-remote index 9e7f812..ce2b54e 100644 --- a/tests/accountd-remote +++ b/tests/accountd-remote @@ -50,6 +50,6 @@ lacme newOrder test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key # ensure signature requests are logged -grep -F ">>> OK signing request:" ~lacme-account/.local/share/lacme/accountd.log +grep -F "] SIGNED header=base64url({" ~lacme-account/.local/share/lacme/accountd.log # vim: set filetype=sh : diff --git a/tests/accountd-validate b/tests/accountd-validate new file mode 100644 index 0000000..d4be5ee --- /dev/null +++ b/tests/accountd-validate @@ -0,0 +1,36 @@ +# JWS Signing Input (RFC 7515) validation + +# missing or empty protected header +printf "\\r\\n" | lacme-accountd --stdio 2>"$STDERR" +grepstderr -Fq "] NOSIGN [malformed JWS Protected Header]" +printf ".foo\\r\\n" | lacme-accountd --stdio 2>"$STDERR" +grepstderr -Fq "] NOSIGN [malformed JWS Protected Header]" + +# invalid base64url-encoded protected header +printf "foo/bar.baz\\r\\n" | lacme-accountd --stdio 2>"$STDERR" +grepstderr -Fq "] NOSIGN [malformed JWS Protected Header]" + +# missing payload +printf "foo\\r\\n" | lacme-accountd --stdio 2>"$STDERR" +grepstderr -Fq "] NOSIGN [malformed JWS Payload]" + +# invalid base64url-encoded payload +printf "foo.bar/baz\\r\\n" | lacme-accountd --stdio 2>"$STDERR" +grepstderr -Fq "] NOSIGN [malformed JWS Payload]" + +# invalid JWS Protected Header: not a JSON object; missing fields "alg", +# "nonce", "url", or either "jwk" or "kid" +for s in "null" "\"str\"" "{}" "{\"alg\":\"\",\"nonce\":\"\",\"url\":\"\"}" "{\"jwk\":{}}"; do + s="$(printf "%s" "$s" | base64 -w0 | sed "s/=*$//" | tr "+/" "-_")" + printf "%s.\\r\\n" "$s" | lacme-accountd --stdio 2>"$STDERR" + grepstderr -F "] NOSIGN [invalid JWS Protected Header]" +done + +# valid JWS Protected Header and Payload +h="{\"alg\":\"\",\"nonce\":\"\",\"url\":\"\",\"jwk\":{}}" +s="$(printf "%s" "$h" | base64 -w0 | sed "s/=*$//" | tr "+/" "-_")" +p="$(printf "%s" "JWS Payload" | base64 -w0 | sed "s/=*$//" | tr "+/" "-_")" +printf "%s.%s\\r\\n" "$s" "$p" | lacme-accountd --stdio 2>"$STDERR" +grepstderr -F "] SIGNED header=base64url($h) playload=base64url(JWS Payload)" + +# vim: set filetype=sh : diff --git a/tests/cert-install b/tests/cert-install index f2147d2..4b3e820 100644 --- a/tests/cert-install +++ b/tests/cert-install @@ -103,74 +103,103 @@ st="$(stat -c "%U:%G %#a" /etc/lacme/test3.pem)" st="$(stat -c "%U:%G %#a" /etc/lacme/test3.crt)" [ "$st" = "root:root 0644" ] -# chmod user +# owner user openssl genpkey -algorithm RSA -out /etc/lacme/test4.key cat >"/etc/lacme/lacme-certs.conf.d/test4.conf" <<- EOF [test4] certificate-key = /etc/lacme/test4.key certificate = /etc/lacme/test4.pem certificate-chain = /etc/lacme/test4.crt - chown = nobody + owner = nonexistent-user subject = $subject EOF +! lacme newOrder test4 2>"$STDERR" || fail newOrder test4 +grepstderr -Fxq "getpwnam(nonexistent-user)" +! test -e /etc/lacme/test4.pem +! test -e /etc/lacme/test4.crt + +sed -ri "s/^owner\\s*=.*/owner = nobody/" /etc/lacme/lacme-certs.conf.d/test4.conf lacme newOrder test4 2>"$STDERR" || fail newOrder test4 st="$(stat -c "%U:%G %#a" /etc/lacme/test4.pem)" [ "$st" = "nobody:root 0644" ] st="$(stat -c "%U:%G %#a" /etc/lacme/test4.crt)" [ "$st" = "nobody:root 0644" ] -# chmod user:group +# owner user:group openssl genpkey -algorithm RSA -out /etc/lacme/test5.key cat >"/etc/lacme/lacme-certs.conf.d/test5.conf" <<- EOF [test5] certificate-key = /etc/lacme/test5.key certificate = /etc/lacme/test5.pem certificate-chain = /etc/lacme/test5.crt - chown = nobody:nogroup + owner = nobody:nonexistent-group subject = $subject EOF +! lacme newOrder test5 2>"$STDERR" || fail newOrder test5 +grepstderr -Fxq "getgrnam(nonexistent-group)" +! test -e /etc/lacme/test5.pem +! test -e /etc/lacme/test5.crt + +sed -ri "s/^owner\\s*=.*/owner = nobody:nogroup/" /etc/lacme/lacme-certs.conf.d/test5.conf lacme newOrder test5 2>"$STDERR" || fail newOrder test5 st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)" [ "$st" = "nobody:nogroup 0644" ] st="$(stat -c "%U:%G %#a" /etc/lacme/test5.crt)" [ "$st" = "nobody:nogroup 0644" ] -# chown +# umask restrictions (also test empty values) openssl genpkey -algorithm RSA -out /etc/lacme/test6.key cat >"/etc/lacme/lacme-certs.conf.d/test6.conf" <<- EOF [test6] certificate-key = /etc/lacme/test6.key - certificate = /etc/lacme/test6.pem certificate-chain = /etc/lacme/test6.crt - chmod = 0400 + certificate = + mode = + owner = subject = $subject EOF -lacme newOrder test6 2>"$STDERR" || fail newOrder test6 -st="$(stat -c "%U:%G %#a" /etc/lacme/test6.pem)" -[ "$st" = "root:root 0400" ] +( umask 0077 && lacme newOrder test6 2>"$STDERR" || fail newOrder test6 ) +! test -e /etc/lacme/test6.pem st="$(stat -c "%U:%G %#a" /etc/lacme/test6.crt)" -[ "$st" = "root:root 0400" ] +[ "$st" = "root:root 0600" ] -# post-issuance notification +# mode openssl genpkey -algorithm RSA -out /etc/lacme/test7.key cat >"/etc/lacme/lacme-certs.conf.d/test7.conf" <<- EOF [test7] certificate-key = /etc/lacme/test7.key + certificate = /etc/lacme/test7.pem certificate-chain = /etc/lacme/test7.crt + mode = 0400 subject = $subject - notify = touch /tmp/test7.notify EOF lacme newOrder test7 2>"$STDERR" || fail newOrder test7 -grepstderr -Fxq "Running notification command \`touch /tmp/test7.notify\`" -test -e /tmp/test7.notify +st="$(stat -c "%U:%G %#a" /etc/lacme/test7.pem)" +[ "$st" = "root:root 0400" ] +st="$(stat -c "%U:%G %#a" /etc/lacme/test7.crt)" +[ "$st" = "root:root 0400" ] -rm -f /tmp/test7.notify -lacme newOrder test7 2>"$STDERR" || fail newOrder test7 +# post-issuance notification +openssl genpkey -algorithm RSA -out /etc/lacme/test8.key +cat >"/etc/lacme/lacme-certs.conf.d/test8.conf" <<- EOF + [test8] + certificate-key = /etc/lacme/test8.key + certificate-chain = /etc/lacme/test8.crt + subject = $subject + notify = touch /tmp/test8.notify +EOF + +lacme newOrder test8 2>"$STDERR" || fail newOrder test8 +grepstderr -Fxq "Running notification command \`touch /tmp/test8.notify\`" +test -e /tmp/test8.notify + +rm -f /tmp/test8.notify +lacme newOrder test8 2>"$STDERR" || fail newOrder test8 ngrepstderr -Fq "Running notification command" -! test -e /tmp/test7.notify +! test -e /tmp/test8.notify # vim: set filetype=sh : diff --git a/tests/cert-revoke b/tests/cert-revoke index f3d585e..179ccba 100644 --- a/tests/cert-revoke +++ b/tests/cert-revoke @@ -18,7 +18,7 @@ test /etc/lacme/simpletest.ecdsa.crt -nt /etc/lacme/simpletest.ecdsa.key lacme revokeCert /etc/lacme/simpletest.ecdsa.crt ! lacme revokeCert /etc/lacme/simpletest.ecdsa.crt 2>"$STDERR" || fail grepstderr -Fxq "Revoking /etc/lacme/simpletest.ecdsa.crt" -grepstderr -Fxq "400 Bad Request (Certificate already revoked)" +grepstderr -Fq "400 Bad Request (unable to revoke" grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.ecdsa.crt" # and the RSA certificate using the service key @@ -26,7 +26,7 @@ mv -vfT /etc/lacme/simpletest.rsa.key /etc/lacme/account.key lacme revokeCert /etc/lacme/simpletest.rsa.crt ! lacme revokeCert /etc/lacme/simpletest.rsa.crt 2>"$STDERR" || fail grepstderr -Fxq "Revoking /etc/lacme/simpletest.rsa.crt" -grepstderr -Fxq "400 Bad Request (Certificate already revoked)" +grepstderr -Fq "400 Bad Request (unable to revoke" grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.rsa.crt" # vim: set filetype=sh : diff --git a/tests/cert-verify b/tests/cert-verify index 49629f2..4d254c6 100644 --- a/tests/cert-verify +++ b/tests/cert-verify @@ -14,7 +14,7 @@ openssl verify -no-CApath -CAfile /etc/ssl/certs/ca-certificates.crt -show_chain mv /usr/share/lacme/ca-certificates.crt /usr/share/lacme/ca-certificates.crt.back ! lacme newOrder 2>"$STDERR" || fail -grepstderr -Fxq "Can't open /usr/share/lacme/ca-certificates.crt for reading, No such file or directory" +grepstderr -Fxq "Could not open file or uri for loading certs of trusted certificates from /usr/share/lacme/ca-certificates.crt" grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!" # verification error for unrelated CA bundle diff --git a/tests/drop-privileges b/tests/drop-privileges index 0596e31..8deb8f1 100644 --- a/tests/drop-privileges +++ b/tests/drop-privileges @@ -1,6 +1,17 @@ # Check privilige drop: UID/GID changes, chdir, environment, and file # descriptors +# ensure failure to drop privileges doesn't retain root privileges +sed -ri 's/^#(user|group)\s*=\s*$/\1 = nonexistent-\1/' /etc/lacme/lacme.conf +! lacme account 2>"$STDERR" || fail +grepstderr -Fxq "getgrnam(nonexistent-group)" +grepstderr -Fxq "Error: Invalid client version" + +sed -ri 's/^group\s*=\s*nonexistent.*/#&/' /etc/lacme/lacme.conf +! lacme account 2>"$STDERR" || fail +grepstderr -Fxq "getpwnam(nonexistent-user)" +grepstderr -Fxq "Error: Invalid client version" + # create wrapper to inspect processes STATUSDIR="/dev/shm/lacme-wrap" install -oroot -groot -m0755 /dev/stdin /run/lacme-wrap <<-EOF @@ -24,8 +35,7 @@ adduser --system --group \ --home /nonexistent --no-create-home \ --gecos "lacme account user" \ --quiet lacme-account -sed -ri 's|^#user\s*=\s*$|user = lacme-account|' /etc/lacme/lacme.conf -sed -ri 's|^#group\s*=\s*$|group = lacme-account|' /etc/lacme/lacme.conf +sed -ri 's/^#?(user|group)\s*=\s*nonexistent.*/\1 = lacme-account/' /etc/lacme/lacme.conf chown lacme-account: /etc/lacme/account.key install -oroot -groot -dm0755 -- "$STATUSDIR" @@ -113,8 +123,8 @@ check_client() { grep -Exq "[0-9]+ 0700 $UID:$GID socket:\[[0-9]+\]" "$prefix/fd" || return 1 sed -ri '0,\#^[0-9]+ .* socket:\[[0-9]+\]$# {//d}' "$prefix/fd" - grep -Exq "[0-9]+ 0500 $UID:$GID /etc/lacme/lacme\.conf" "$prefix/fd" || return 1 - sed -ri '0,\#^[0-9]+ .* /etc/lacme/lacme\.conf$# {//d}' "$prefix/fd" + grep -Eq "^[0-9]+ 0500 $UID:$GID /tmp/lacme-client.conf\.json-" "$prefix/fd" || return 1 + sed -ri '0,\#^[0-9]+ .* /tmp/lacme-client.conf\.json-# {//d}' "$prefix/fd" ! test -s "$prefix/fd" || return 1 } check_webserver() { diff --git a/tests/old-accountd b/tests/old-accountd index b44f7ec..abd330d 100644 --- a/tests/old-accountd +++ b/tests/old-accountd @@ -21,6 +21,7 @@ DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends \ SOCKET=~lacme-account/S.lacme runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" & PID=$! +sleep 1 lacme --socket="$SOCKET" account lacme --socket="$SOCKET" newOrder diff --git a/tests/old-lacme b/tests/old-lacme index fa7d827..b1c9f88 100644 --- a/tests/old-lacme +++ b/tests/old-lacme @@ -26,6 +26,7 @@ mv -f /usr/share/lacme/ca-certificates.crt.back /usr/share/lacme/ca-certificates SOCKET=~lacme-account/S.lacme runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" & PID=$! +sleep 1 sed -ri "s/^\[accountd]$/#&/" /etc/lacme/lacme.conf # https://bugs.debian.org/955767 lacme --socket="$SOCKET" account lacme --socket="$SOCKET" newOrder |