Hello, I am about to include a test-case for CRL support. It's almost finished, only the CRL file is missing in the patch. I am unable to generate it without touching the other files in "tests/certs" since I don't know the passphrase for the key of EdelCurlRoot.

Who is actually the current holder of that CA? It's possible to regenerate all the files using a new passphrase, but I don't want to pollute the git repo with such noop changes. Note the test fails with NSS as the CRL support is completely broken there. I already have patches for this flaw and I am going to post them as soon as the test-case works, so that it's easy to verify it.

Kamil
From 508e63c8713e4604b22bf14b08031817935ac5be Mon Sep 17 00:00:00 2001 From: Kamil Dudka <[email protected]> Date: Thu, 15 Apr 2010 17:57:57 +0200 Subject: [PATCH] test313: check if CRL support works Signed-off-by: Kamil Dudka <[email protected]> --- tests/certs/EdelCurlRoot-ca.cnf | 11 +++++++++++ tests/certs/scripts/genserv.sh | 12 +++++++++++- tests/data/Makefile.am | 2 +- tests/data/test313 | 39 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 62 insertions(+), 2 deletions(-) create mode 100644 tests/certs/EdelCurlRoot-ca.cnf create mode 100644 tests/data/test313 diff --git a/tests/certs/EdelCurlRoot-ca.cnf b/tests/certs/EdelCurlRoot-ca.cnf new file mode 100644 index 0000000..ba99881 --- /dev/null +++ b/tests/certs/EdelCurlRoot-ca.cnf @@ -0,0 +1,11 @@ +[ ca ] +default_ca = EdelCurlRoot + +[ EdelCurlRoot ] +database = EdelCurlRoot-ca.db +certificate = EdelCurlRoot-ca.crt +private_key = EdelCurlRoot-ca.key +crlnumber = EdelCurlRoot-ca.cnt +default_md = sha1 +default_days = 365 +default_crl_days = 30 diff --git a/tests/certs/scripts/genserv.sh b/tests/certs/scripts/genserv.sh index 61145d8..a7876e7 100755 --- a/tests/certs/scripts/genserv.sh +++ b/tests/certs/scripts/genserv.sh @@ -39,7 +39,7 @@ if [ ".$CAPREFIX" = . ] ; then NOTOK=1 else if [ ! -f $CAPREFIX-ca.cacert ] ; then - echo No CA certficate file $PREFIX-ca.caert + echo No CA certficate file $CAPREFIX-ca.caert NOTOK=1 fi if [ ! -f $CAPREFIX-ca.key ] ; then 
@@ -92,6 +92,16 @@ fi echo "openssl x509 -noout -text -hash -in $PREFIX-sv.selfcert -nameopt multiline" $OPENSSL x509 -noout -text -hash -in $PREFIX-sv.crt -nameopt multiline +# revoke server cert +touch $CAPREFIX-ca.db +echo 01 > $CAPREFIX-ca.cnt +echo "openssl ca -config $CAPREFIX-ca.cnf -revoke $PREFIX-sv.crt" +$OPENSSL ca -config $CAPREFIX-ca.cnf -revoke $PREFIX-sv.crt + +# issue CRL +echo "openssl ca -config $CAPREFIX-ca.cnf -gencrl -out $PREFIX-sv.crl" +$OPENSSL ca -config $CAPREFIX-ca.cnf -gencrl -out $PREFIX-sv.crl + echo "openssl x509 -in $PREFIX-sv.crt -outform der -out $PREFIX-sv.der " $OPENSSL x509 -in $PREFIX-sv.crt -outform der -out $PREFIX-sv.der read diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index 6f2c090..66ada48 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -65,7 +65,7 @@ EXTRA_DIST = test1 test108 test117 test127 test20 test27 test34 test46 \ test564 test1101 test1102 test1103 test1104 test299 test310 test311 \ test312 test1105 test565 test800 test1106 test801 test566 test802 test803 \ test1107 test1108 test1109 test1110 test1111 test1112 test129 test567 \ - test568 test569 test570 test571 test804 test572 + test568 test569 test570 test571 test804 test572 test313 filecheck: @mkdir test-place; \ diff --git a/tests/data/test313 b/tests/data/test313 new file mode 100644 index 0000000..c54495a --- /dev/null +++ b/tests/data/test313 
@@ -0,0 +1,39 @@ +<testcase> +<info> +<keywords> +HTTPS +HTTP GET +PEM certificate +CRL +</keywords> +</info> + +# +# Client-side +<client> +<features> +SSL +</features> +<server> +https Server-localhost-sv.pem +</server> + <name> +CRL test + </name> + <command> +--cacert %SRCDIR/certs/EdelCurlRoot-ca.crt --crlfile %SRCDIR/certs/Server-localhost-sv.crl https://localhost:%HTTPSPORT/313 +</command> +# Ensure that we're running on localhost because we're checking the host name +<precheck> +perl -e "print 'Test requires default test server host' if ( '%HOSTIP' ne '127.0.0.1' );" +</precheck> +</client> + +# +# Verify data after the test has been "shot" +<verify> +<errorcode> +60 +</errorcode> +</verify> +</testcase> -- 1.6.6.1
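Review bot: in the new tests/certs/EdelCurlRoot-ca.cnf, `default_crl_days = 30` gives the generated CRL a nextUpdate only 30 days out, so a CRL committed to the repository goes stale shortly after; a strict verifier rejects an expired CRL, and because that failure also surfaces as curl error 60, the test would keep passing without proving that the revocation itself is detected. Use a much longer value for a checked-in test fixture, and prefer `default_md = sha256` over `sha1` for signing it. Note also that `database`, `certificate`, `private_key` and `crlnumber` are relative paths hard-coded to the EdelCurlRoot prefix, so the file must be used from tests/certs and only fits that one CA even though genserv.sh passes `-config $CAPREFIX-ca.cnf`.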
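Review bot: the corrected echo in the first genserv.sh hunk still carries two typos, `certficate` and `.caert`; the test just above it checks `$CAPREFIX-ca.cacert`, so the message should read `echo No CA certificate file $CAPREFIX-ca.cacert`.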
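Review bot: in the revoke/CRL hunk of genserv.sh, `echo 01 > $CAPREFIX-ca.cnt` unconditionally resets the CRL number on every run, so re-running the script issues a new CRL with the same crlNumber, and since `touch $CAPREFIX-ca.db` keeps the existing database, a repeated `-revoke` of the already-revoked certificate makes `openssl ca` fail while the following `-gencrl` still runs and produces a CRL. Guard the initialisation with `[ -f $CAPREFIX-ca.cnt ] || echo 01 > $CAPREFIX-ca.cnt` and check the exit status of the revoke step before generating the CRL, otherwise a CRL lacking the revocation can be emitted without any error at generation time.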
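Review bot: tests/data/test313 verifies only `<errorcode>` 60, which curl returns for certificate chain verification failures in general (for example an untrusted issuer or an expired CRL), not specifically for a revoked peer certificate, so a pass does not by itself show that the entry in Server-localhost-sv.crl was honoured; the `<precheck>` comment also says the host name is being checked, whereas the point of this test is the CRL. A companion test with the same `--cacert` but without `--crlfile` that expects success would pin the failure to the CRL. As the cover note says, the Server-localhost-sv.crl passed to `--crlfile` is not part of this patch, so the test cannot run from this commit alone.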
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
