-rw-r--r--tests/accountd-kid4
-rw-r--r--tests/cert-extensions31
-rw-r--r--tests/cert-revoke4
-rw-r--r--tests/cert-verify2
-rw-r--r--tests/drop-privileges15
5 files changed, 17 insertions, 39 deletions
diff --git a/tests/accountd-kid b/tests/accountd-kid
index 8a4b53c..e6f5ca4 100644
--- a/tests/accountd-kid
+++ b/tests/accountd-kid
@@ -28,7 +28,7 @@ sleep 1
# newAccount resource fails as per RFC 8555 sec. 6.2 it requires a JWK
! lacme --socket="$SOCKET" account 2>"$STDERR" || fail
grepstderr -Fxq "Warning: lacme-accountd supplied an empty JWK; try removing 'keyid' setting from lacme-accountd.conf if the ACME resource request fails."
-grepstderr -Fxq "400 Bad Request (Parse error reading JWS)"
+grepstderr -Fxq "400 Bad Request (Unable to validate JWS :: Parse error reading JWS)"
grep -F "] SIGNED header=base64url({" ~lacme-account/.local/share/lacme/accountd.log >/tmp/signed
! grep -vF "] SIGNED header=base64url({\"alg\":\"RS256\",\"jwk\":{}," </tmp/signed
@@ -48,7 +48,7 @@ test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key
lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt
! lacme --socket="$SOCKET" revokeCert /etc/lacme/simpletest.rsa.crt 2>"$STDERR" || fail
grepstderr -Fxq "Revoking /etc/lacme/simpletest.rsa.crt"
-grepstderr -Fq "400 Bad Request (unable to revoke"
+grepstderr -Eq "400 Bad Request \\(Unable to revoke :: no certificate with serial [0-9a-fA-F]+ and status other than revoked\\)"
grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.rsa.crt"
kill $PID
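Review bot: The new revoke assertion pins the server's full problem detail (`no certificate with serial [0-9a-fA-F]+ and status other than revoked`), while the same failure in tests/cert-revoke is matched only by the prefix `grepstderr -Fq "400 Bad Request (Unable to revoke ::"`. The two tests will therefore break at different times if the ACME test server rewords its detail string again. Either use the prefix form here too, or keep the strict form and add a comment such as `# detail text comes from the ACME test server; update on server upgrade`. If the regex stays, single quotes (`'400 Bad Request \(Unable to revoke :: …\)'`) would avoid the doubled backslashes.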
diff --git a/tests/cert-extensions b/tests/cert-extensions
index d7e7855..9c5b977 100644
--- a/tests/cert-extensions
+++ b/tests/cert-extensions
@@ -25,7 +25,7 @@ x509_check /etc/lacme/test1.crt <<-EOF
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
- TLS Web Server Authentication, TLS Web Client Authentication
+ TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
@@ -54,38 +54,11 @@ x509_check /etc/lacme/test2.crt <<-EOF
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
- TLS Web Server Authentication, TLS Web Client Authentication
+ TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:$(echo "$commonName" "$subjectAltName" | tr " " "\\n" | sort -u | paste -sd" " | sed -r "s/ /, DNS:/g")
EOF
-# tlsfeature
-openssl genpkey -algorithm RSA -out /etc/lacme/test3.key
-commonName="$(head -c10 /dev/urandom | base32 -w0 | tr "A-Z" "a-z").$DOMAINNAME"
-cat >"/etc/lacme/lacme-certs.conf.d/test3.conf" <<- EOF
- [test3]
- certificate-key = /etc/lacme/test3.key
- certificate-chain = /etc/lacme/test3.crt
- subject = /CN=$commonName
- tlsfeature = status_request
-EOF
-
-lacme newOrder test3
-test /etc/lacme/test3.crt -nt /etc/lacme/test3.key
-x509_check /etc/lacme/test3.crt <<-EOF
- subject=/CN=$commonName
- X509v3 Key Usage: critical
- Digital Signature, Key Encipherment
- X509v3 Extended Key Usage:
- TLS Web Server Authentication, TLS Web Client Authentication
- X509v3 Basic Constraints: critical
- CA:FALSE
- X509v3 Subject Alternative Name:
- DNS:$commonName
- TLS Feature:
- status_request
-EOF
-
# vim: set filetype=sh :
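Review bot: Dropping the whole test3 block leaves `tlsfeature = status_request` with no coverage in this file, and the new side does not record why. If lacme still accepts the setting, a regression in how the TLS Feature (OCSP must-staple) request is built would now go unnoticed. Assuming the removal is because the test CA no longer returns that extension (an inference; the hunk does not say), a placeholder comment such as `# tlsfeature: not covered here, see commit message` before the modeline would keep the gap visible. Adjust the wording to the actual reason.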
diff --git a/tests/cert-revoke b/tests/cert-revoke
index 179ccba..ead6723 100644
--- a/tests/cert-revoke
+++ b/tests/cert-revoke
@@ -18,7 +18,7 @@ test /etc/lacme/simpletest.ecdsa.crt -nt /etc/lacme/simpletest.ecdsa.key
lacme revokeCert /etc/lacme/simpletest.ecdsa.crt
! lacme revokeCert /etc/lacme/simpletest.ecdsa.crt 2>"$STDERR" || fail
grepstderr -Fxq "Revoking /etc/lacme/simpletest.ecdsa.crt"
-grepstderr -Fq "400 Bad Request (unable to revoke"
+grepstderr -Fq "400 Bad Request (Unable to revoke ::"
grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.ecdsa.crt"
# and the RSA certificate using the service key
@@ -26,7 +26,7 @@ mv -vfT /etc/lacme/simpletest.rsa.key /etc/lacme/account.key
lacme revokeCert /etc/lacme/simpletest.rsa.crt
! lacme revokeCert /etc/lacme/simpletest.rsa.crt 2>"$STDERR" || fail
grepstderr -Fxq "Revoking /etc/lacme/simpletest.rsa.crt"
-grepstderr -Fq "400 Bad Request (unable to revoke"
+grepstderr -Fq "400 Bad Request (Unable to revoke ::"
grepstderr -Fxq "Warning: Couldn't revoke /etc/lacme/simpletest.rsa.crt"
# vim: set filetype=sh :
diff --git a/tests/cert-verify b/tests/cert-verify
index a6cd336..2138e29 100644
--- a/tests/cert-verify
+++ b/tests/cert-verify
@@ -20,7 +20,7 @@ grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from
# verification error for unrelated CA bundle
cat /etc/ssl/certs/ssl-cert-snakeoil.pem >/usr/share/lacme/ca-certificates.crt
! lacme newOrder 2>"$STDERR" || fail
-grepstderr -Fxq "error 20 at 1 depth lookup: unable to get local issuer certificate"
+grepstderr -Eq "^error 20 at [1-9][0-9]* depth lookup: unable to get local issuer certificate$"
grepstderr -Fxq "[simpletest-rsa] Error: Received invalid X.509 certificate from ACME server!"
# use saved bundle as custom CAfile
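Review bot: The relaxed depth match drops `-x` and uses explicit `^…$` anchors, while the neighbouring assertions all use whole-line matching via `-x`. `grepstderr -Exq "error 20 at [1-9][0-9]* depth lookup: unable to get local issuer certificate"` is equivalent and reads consistently with them. A short comment on why the depth is no longer fixed at 1 (presumably the chain length served by the test CA changed) would help the next person who sees this fail.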
diff --git a/tests/drop-privileges b/tests/drop-privileges
index 8deb8f1..3589ee3 100644
--- a/tests/drop-privileges
+++ b/tests/drop-privileges
@@ -81,7 +81,8 @@ check_accountd() {
USER=lacme-account
EOF
- stderr="$(readlink -e "/proc/$$/fd/2")"
+ stderr="$(readlink -f "/proc/$$/fd/2")"
+ test -n "$stderr" || return -1
socket_ino="$(sed -rn '/^0 .* socket:\[([0-9]+)\]$/ {s//\1/p;q}' "$prefix/fd")"
[ -n "$socket_ino" ] || return 1
grep -Fxq "0 0700 $UID:$GID socket:[$socket_ino]" "$prefix/fd" || return 1
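Review bot: The added guards use `return -1`, whereas every other failure path in these functions uses `return 1`. A negative operand to `return` is rejected by POSIX shells such as dash and only maps to 255 in newer bash, so `test -n "$stderr" || return 1` is the safer spelling; the same applies to the guards added in check_client and check_webserver. Separately, `readlink -f` does not require the final target to exist, unlike `-e`, so the emptiness check presumably fires only when readlink itself fails; a one-line comment saying why `-e` was dropped would make that intent clear. check_accountd starts and ends outside this hunk.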
@@ -106,8 +107,10 @@ check_client() {
USER=_lacme-client
EOF
- stdout="$(readlink -e "/proc/$$/fd/1")"
- stderr="$(readlink -e "/proc/$$/fd/2")"
+ stdout="$(readlink -f "/proc/$$/fd/1")"
+ stderr="$(readlink -f "/proc/$$/fd/2")"
+ test -n "$stdout" || return -1
+ test -n "$stderr" || return -1
if [ "$command" = "account" ]; then # no pipe
grep -Fxq "0 0500 $UID:$GID /dev/null" "$prefix/fd" || return 1
grep -Fxq "1 0700 $UID:$GID $stdout" "$prefix/fd" || return 1
@@ -143,8 +146,10 @@ check_webserver() {
USER=_lacme-www
EOF
- stdout="$(readlink -e "/proc/$$/fd/1")"
- stderr="$(readlink -e "/proc/$$/fd/2")"
+ stdout="$(readlink -f "/proc/$$/fd/1")"
+ stderr="$(readlink -f "/proc/$$/fd/2")"
+ test -n "$stdout" || return -1
+ test -n "$stderr" || return -1
grep -Fxq "0 0500 $UID:$GID /dev/null" "$prefix/fd" || return 1
grep -Fxq "1 0700 $UID:$GID $stdout" "$prefix/fd" || return 1
grep -Fxq "2 0700 $UID:$GID $stderr" "$prefix/fd" || return 1