use strict;
use warnings;
use Crypt::OpenSSL::Verify;
use Crypt::OpenSSL::X509;
use IO::Socket::SSL;
use Net::SSLeay;
use Data::Dumper;
use File::Slurp qw{ write_file };
use Test::More;
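# Version of the openssl(1) binary on PATH as "MAJOR.MINOR.PATCH" (e.g. "1.1.1",
# "3.0.2").  Left as '' when openssl is absent or its banner does not match,
# so the version-gated SKIP blocks below simply skip instead of warning about
# an undefined value.  NOTE: the later `ge '1.1.1'` comparisons are lexical,
# not a real version compare; they order 1.x/3.x correctly only by luck.
my $openssl_version = '';
my $openssl_banner  = `openssl version 2>/dev/null`;
if ( defined $openssl_banner && $openssl_banner =~ /OpenSSL ([\d.]+)/ ) {
    $openssl_version = $1;
}

# Certificates harvested during the TLS handshake by verify_callback(), keyed
# 'server', 'intermediate1'..'intermediateN' and 'root'; the 'intermediates'
# key holds N.  $inter_cnt is the next intermediate index to assign.
my %chain     = ();
my $inter_cnt = 1;

# Peer whose chain is fetched.  The leaf is recognised only by its subject CN
# being exactly this string, so a CN change on the peer breaks the test.
my $server_name = 'www.google.com';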
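# SSL_verify_callback for IO::Socket::SSL.  It is invoked for each certificate
# IO::Socket::SSL verifies during the handshake (the X509 arrives as the fifth
# argument, per the module's callback convention) and only harvests that
# certificate into %chain; it enforces nothing.
#
# SECURITY NOTE: returning 1 unconditionally tells the handshake to accept any
# certificate whatsoever, including one served by an on-path attacker.  That is
# tolerable here only because nothing from this connection is trusted directly:
# the harvested leaf and intermediates are re-verified later against the local
# trust store by openssl(1) and Crypt::OpenSSL::Verify, and a substituted chain
# simply fails those checks.  Do not reuse this callback outside this test.
#
# Classification is by the CN tail of the subject/issuer one-line names:
#   subject CN eq $server_name -> 'server'
#   subject CN ne issuer CN    -> 'intermediate<N>' (N tracked in $inter_cnt)
#   otherwise (self-issued)    -> 'root'
sub verify_callback {
    my $cert = $_[4];

    my $subject_cn = _cn_of( Net::SSLeay::X509_NAME_oneline( Net::SSLeay::X509_get_subject_name($cert) ) );
    my $issuer_cn  = _cn_of( Net::SSLeay::X509_NAME_oneline( Net::SSLeay::X509_get_issuer_name($cert) ) );
    my $pem        = Net::SSLeay::PEM_get_string_X509($cert);

    if ( $subject_cn eq $server_name ) {
        $chain{'server'} = { name => $subject_cn, x509 => $pem };
    }
    elsif ( $subject_cn ne $issuer_cn ) {
        my $int = 'intermediate' . $inter_cnt;
        $chain{'intermediates'} = $inter_cnt;
        $chain{$int} = { 'name' => $subject_cn, 'x509' => $pem };
        $inter_cnt++;
    }
    else {
        $chain{'root'} = { 'name' => $subject_cn, 'x509' => $pem };
    }

    return 1;
}

# Everything after the first "CN=" in an X509_NAME_oneline() string.  This is
# the whole remaining tail, not just the CN RDN, should further RDNs follow.
# Returns '' when there is no CN (or no input) rather than letting a stale $1
# from an earlier, unrelated match leak into the comparison above.
sub _cn_of {
    my ($oneline) = @_;
    return ( defined $oneline && $oneline =~ /CN=(.*$)/ ) ? $1 : '';
}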
# Open a TLS connection to $peer on port 443 solely so that verify_callback()
# gets to see the server's certificate chain; the caller discards the socket.
# Dies with IO::Socket::SSL's $SSL_ERROR (falling back to $!) when the
# connection cannot be established.
sub get_cert_chain {
    my ($peer) = @_;

    my $sock = IO::Socket::SSL->new(
        PeerHost            => "$peer:443",
        SSL_verify_callback => \&verify_callback,
    );
    die( $SSL_ERROR || $! ) unless $sock;

    return $sock;
}
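# ---- Fetch the live chain ---------------------------------------------------
# This file needs network access to $server_name.  An offline build is
# reported as a skip rather than a died test file.
eval { get_cert_chain($server_name); 1 }
    or plan skip_all => "cannot connect to $server_name: " . ( $@ || 'unknown error' );

# The leaf is only recognised when its subject CN equals $server_name; with
# no leaf there is nothing to verify.
plan skip_all => "leaf certificate for $server_name not seen in handshake"
    unless defined $chain{'server'}{'x509'};

my $cert = $chain{'server'}{'x509'};

# PEM bundle of every intermediate in handshake order.  It is used as the
# -CAfile below and deliberately does NOT contain the root, so every
# "trusted" outcome here depends on the root being present in the host's
# default CApath / trust store.
my $intermediate    = '';
my $n_intermediates = $chain{'intermediates'} || 0;
for my $i ( 1 .. $n_intermediates ) {
    $intermediate .= $chain{"intermediate$i"}{'x509'} . "\n";
}

# Fixed names in the current directory keep the openssl(1) command lines
# below free of interpolated paths; the files are left behind afterwards.
write_file( 'intermediate.pem', $intermediate );
write_file( 'cert.pem',         $cert );

# Run $verifier->verify($cert_obj) and return ( $value, $error ).  The module
# may signal failure by croaking instead of returning; capturing $@ here means
# a failed call can never leave a stale $ret from an earlier openssl(1) run in
# place and let one of the `like`/`ok` checks below pass vacuously.
sub _try_verify {
    my ( $verifier, $cert_obj ) = @_;
    my $value = eval { $verifier->verify($cert_obj) };
    return ( $value, $@ );
}

my $have_openssl = `which openssl`;
my $ret;

# ---- 1. openssl(1): leaf chains to a trusted root via the intermediates ----
SKIP: {
    skip "openSSL not installed", 1 unless $have_openssl;
    # No -no-CApath: the root is looked up in the default directory.
    $ret = `openssl verify -CAfile intermediate.pem cert.pem`;
    like( $ret, qr/OK/, "OpenSSL verification - OK" );
}

# ---- 2. Crypt::OpenSSL::Verify: same check, non-strict then strict ---------
# A croak from verify() is reported as a plain test failure (with the message
# in the diagnostics) instead of aborting the whole file.
my $verifier    = Crypt::OpenSSL::Verify->new( 'intermediate.pem', { strict_certs => 0 } );
my $cert_object = Crypt::OpenSSL::X509->new_from_string($cert);
my ( $verify, $err ) = _try_verify( $verifier, $cert_object );
ok( !$err && $verify, "Crypt::OpenSSL::Verify verification - OK" )
    or diag( $err || 'verify() returned false' );

$verifier    = Crypt::OpenSSL::Verify->new( 'intermediate.pem', { strict_certs => 1 } );
$cert_object = Crypt::OpenSSL::X509->new_from_string($cert);
( $verify, $err ) = _try_verify( $verifier, $cert_object );
ok( !$err && $verify, "Crypt::OpenSSL::Verify strict verification - OK" )
    or diag( $err || 'verify() returned false' );

# ---- 3. Without the default CApath the root must be unreachable ------------
SKIP: {
    skip "Incorrect/missing version of openSSL", 2
        unless ( $openssl_version ge '1.1.1' ) and $have_openssl;

    $ret = `openssl verify -no-CApath -CAfile intermediate.pem cert.pem 2>&1`;
    like( $ret, qr/error 2 at 1 depth lookup: .* issuer certificate/s,
        "OpenSSL verification no-CApath - OK" );

    $verifier    = Crypt::OpenSSL::Verify->new( 'intermediate.pem', { noCApath => 1, strict_certs => 1 } );
    $cert_object = Crypt::OpenSSL::X509->new_from_string($cert);
    ( $verify, $err ) = _try_verify( $verifier, $cert_object );
    # Whichever channel carries the failure text (croak message or return
    # value), it must be the module's own lookup error -- not the openssl(1)
    # output still sitting in $ret.
    like( $err || $verify // '', qr/error 2 at 1 depth lookup: .* issuer certificate/s,
        "Crypt::OpenSSL::Verify - noCApath failed to find root - OK" );
}

# ---- 4. The intermediate bundle itself verifies against the default store --
SKIP: {
    # Exactly one test lives in this block, so the skip count is 1.
    skip "Incorrect/missing version of openSSL", 1
        unless ( $openssl_version ge '1.1.1' ) and $have_openssl;
    $ret = `openssl verify intermediate.pem`;
    like( $ret, qr/intermediate.pem: OK/s, "OpenSSL verification intermediate - OK" );
}

# Empty CAfile: Crypt::OpenSSL::Verify falls back to its default locations.
# new_from_string() is handed the whole bundle; presumably it parses the first
# PEM block (the first intermediate) -- TODO confirm against the module.
$verifier    = Crypt::OpenSSL::Verify->new( '', { strict_certs => 1 } );
$cert_object = Crypt::OpenSSL::X509->new_from_string($intermediate);
( $verify, $err ) = _try_verify( $verifier, $cert_object );
# Judge the module's own result, never a leftover $ret from the openssl(1)
# run above (which would be truthy on its own).
ok( !$err && $verify, "Crypt::OpenSSL::Verify intermediate - OK" )
    or diag( $err || 'verify() returned false' );

# ---- 5. With neither CAfile nor CApath nothing can be trusted --------------
SKIP: {
    skip "Incorrect/missing version of openSSL", 2
        unless ( $openssl_version ge '1.1.1' ) and $have_openssl;

    $ret = `openssl verify -no-CApath -no-CAfile intermediate.pem 2>&1`;
    like( $ret, qr/error 20 at 0 depth lookup: unable to get local issuer certificate/s,
        "OpenSSL verification intermediate no-CAfile & no-CApath - OK" );

    $verifier    = Crypt::OpenSSL::Verify->new( '', { noCAfile => 1, noCApath => 1, strict_certs => 1 } );
    $cert_object = Crypt::OpenSSL::X509->new_from_string($intermediate);
    ( $verify, $err ) = _try_verify( $verifier, $cert_object );
    like( $err || $verify // '', qr/error 20 at 0 depth lookup: unable to get local issuer certificate/s,
        "Crypt::OpenSSL::Verify intermediate - noCAfile & noCApath failed to find root - OK" );
}

done_testing;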